Network Defence – Access Control List ( ACL)
In the gated residential area where your grandparents reside, certain regulations govern the entry and exit procedures. To gain access to the community, the security personnel will only raise the gate once your presence has been verified against an authorized visitor list. Similarly, when it comes to network traffic traversing an interface set up with an access control list (ACL), there are provisions for permitting or denying traffic. How can you go about configuring these ACLs? Furthermore, what steps should you take if they are not functioning as intended or need adjustments for other reasons? Begin exploring this module to acquire a deeper understanding.
Introduction to Access Control Lists
Routers play a critical role in making routing decisions based on information contained in the packet header. When traffic enters a router interface, the routing decision is primarily guided by the data within the routing table. Specifically, the router conducts a comparison between the destination IP address and the routes stored in the routing table to identify the most suitable match. Subsequently, the packet is forwarded based on the determined best-match route. This same mechanism can be harnessed for the purpose of traffic filtration through the utilization of an access control list (ACL).
An ACL is essentially a series of IOS (Internetwork Operating System) commands designed to filter packets by examining details within the packet header. By default, a router does not have any ACLs in place. However, when an ACL is applied to a specific interface, the router assumes an additional responsibility: it evaluates all incoming network packets as they traverse the interface to ascertain whether a packet can be forwarded.
The structure of an ACL consists of a sequential list of statements, known as access control entries (ACEs). It is worth noting that ACEs are often referred to as ACL statements.
When network traffic passes through an interface configured with an ACL, the router assesses the information contained within each packet against the ACEs, one after the other in sequence. This process, known as packet filtering, aims to determine if the packet aligns with any of the ACEs.
Routers frequently employ ACLs for various tasks, relying on them to identify specific types of traffic. The table below provides some examples of these tasks:
- Traffic Permitting – Permitting certain traffic types while denying others.
- Security Measures – Enhancing network security by controlling access.
- Quality of Service (QoS) – Prioritizing traffic based on service requirements.
- Traffic Accounting – Keeping track of data usage for billing or monitoring.
- Network Address Translation (NAT) – Managing the translation of private IP addresses to a public one for internet access.
By skillfully configuring ACLs, network administrators can effectively manage and secure their network traffic to meet specific operational requirements.
Packet Filtering
Packet filtering serves as a mechanism for managing network access by scrutinizing incoming and/or outgoing packets and making decisions about whether to allow or discard them according to predefined criteria. This process of packet filtering can be implemented at either Layer 3 or Layer 4 of the network protocol stack, as illustrated in the diagram.
Numbered and Named ACLs
Named ACLs
ACLs are categorized into two main types: standard and extended. Standard ACLs are numbered from 1 to 99 or from 1300 to 1999, while extended ACLs are numbered from 100 to 199 or from 2000 to 2699. This categorization of ACLs are following:-
- 1-99 IP standard access list
- 100-199 IP extended access list
- 1100-1199 Extended 48-bit MAC address access list
- 1300-1999 IP standard access list (expanded range)
- 200-299 Protocol type-code access list
- 2000-2699 IP extended access list (expanded range)
- 700-799 48-bit MAC address access list
- rate-limit Simple rate-limit specific access list
- template Enable IP template acls
Named ACLs
Using named ACLs is the recommended approach when configuring Access Control Lists (ACLs). With named ACLs, you can provide descriptive names that convey the purpose of the ACL, which makes it easier to understand and manage. For instance, naming an extended ACL “FTP-FILTER” is much more informative than using a numeric identifier like ACL 100.
To create a named ACL, you can use the “ip access-list” global configuration command. This allows you to define ACLs with meaningful names, enhancing clarity and organization in your network configuration, as shown in the following example.
- permit tcp 192.168.10.0 0.0.0.255 any eq ftp
- permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
Here is a summary of the rules to adhere to when working with named ACLs:
- Assign a Descriptive Name: Choose a name that clearly identifies the purpose of the ACL, making it easy to understand its role in network security or traffic management.
- Alphanumeric Characters: Use only alphanumeric characters (letters and numbers) in the ACL name. Avoid using spaces or punctuation marks.
- Consider Uppercase: While not mandatory, it’s often recommended to write the name in CAPITAL LETTERS for consistency and visibility in network configurations.
- Dynamic Editing: Keep in mind that you can add or remove entries within the ACL as needed, allowing for flexibility in managing access control based on changing network requirements.
ACL Operation
Access Control Lists (ACLs) serve as a set of rules that provide additional control over packets as they interact with a router. ACLs can be configured to apply to inbound and outbound traffic, as depicted in the figure.
The figure illustrates inbound and outbound traffic on a router. In the center is a router, and on the left, there’s an orange arrow pointing toward the router, accompanied by the label “Inbound ACL.” On the right, another orange arrow starts at the router and points away, accompanied by the label “Outbound ACL.”
Important Notes: ACLs do not impact packets originating from the router itself.
Inbound ACLs are responsible for filtering packets before they are routed to the outbound interface. This approach is efficient because it prevents unnecessary routing lookups if a packet is to be discarded. If the ACL permits the packet, it proceeds to the routing process. Inbound ACLs are ideal when you need to examine packets originating exclusively from the network attached to an inbound interface.
Outbound ACLs, on the other hand, filter packets after they have been routed, irrespective of the inbound interface. Incoming packets are first routed to the outbound interface and then subjected to the outbound ACL. Outbound ACLs are suitable when the same filtering criteria must be applied to packets arriving from multiple inbound interfaces before exiting via the same outbound interface.
When an ACL is applied to an interface, it follows a specific sequence of operations. For instance, here are the steps involved when traffic enters a router interface with an inbound standard IPv4 ACL configured:
- The router extracts the source IPv4 address from the packet header.
- The router commences at the top of the ACL, comparing the source IPv4 address to each Access Control Entry (ACE) in a sequential manner.
- When a match is identified, the router executes the specified action (permit or deny), and the remaining ACEs in the ACL are not examined.
- If the source IPv4 address doesn’t match any ACE in the ACL, the packet is discarded because there is an implicit deny ACE that applies to all ACLs by default.
- The final ACE statement in an ACL is always an implicit deny, blocking all traffic. This statement is automatically included at the end of every ACL, even though it isn’t displayed in the configuration.
Note: An ACL must contain at least one permit statement; otherwise, all traffic will be denied due to the implicit deny ACE statement.