extended access control list

How to Configure standard ACLs

September 9, 2019

Standard ACLs permit or deny traffic based on source addresses. They differentiate routes on a network using the IP address. The port and destination of the packet are not evaluated. Standard ACLs only contain a list of addresses or address ranges and a statement as to whether access to or from that address is permitted or denied.

The range of the standard ACLs is from 1 to 99. Cisco IOS Release 12.0.1 extended the range of standard ACLs by allowing 1300 to 1999. This means that we can configure a maximum of 798 standard ACLs.

To Configure and use numbered standard ACLs on a Cisco router. We must first create the standard ACL and then activate the ACL on a specific interface. The “access-list” global configuration command defines a standard ACL. The full syntax of the standard ACL command is as follows:

Router(config)# access-list access-list-number { deny | permit | remark }source [ source-wildcard ][ log ]

The detailed explanation of the syntax for a standard ACL.is follows:-

access-list-number – This is a decimal number from 1 to 99 or 1300 to 1999 for standard ACL.

deny – This should deny the traffic if the condition is matched.

Permit – This should permit traffic if the condition matches.

remark – Add a remark about entries in an IP access list to make it easier to understand and scan.

source – There are two ways to specify the source of the packet

Use of 32-bit IP address in dotted-decimal format
Use of keyword “any” as an abbreviation for source and source wildcard of 0.0.0.0 255.255.255.255.

Wildcard –Wildcard is an optional 32-bit value. It is applied to the source. It should be “one” in the bit position, which we want to ignore.

log-log is an optional value. It presents the information logging message about the packet that matches the entry to be sent to the console. The level of the message can be controlled using the logging console command.

The log message includes the number of ACLs, the source address, and the number of the packet. It is generated for the first packet that matches and then it is guaranteed after the interval of each 5 minutes included the packets permitted in the previous 5 minutes.

The Access Control Entry (ACE) is responsible for denying or permitting an individual host or a range of host addresses. To create a host statement in numbered ACL 1 that permits a specific host with the IP address 192.168.1.10, you would enter:

Router(config)# access-list 1 permit host 192.168.1.10

To create a statement that will permit a range of IPv4 addresses in a numbered ACL 1 that permits all IPv4 addresses in the network 192.168.1.0/24, the command would be like this:

Router(config)# access-list 2 permit 192.168.10.0 0.0.0.255

We can remove the ACL using the no access-list <access-list-number> command in global configuration mode. We can verify the access list using the show access-list command.

Before entering and creating an ACL, it is necessary to understand the purpose of each statement. However, the statement and remarks should be included to recall and understand the purpose of the ACL. The remark keyword is also used to document ACLs. Each remark is limited to 100 characters

The logic of Standard ACLs

Packets that enter the router through interface any interface are checked for their source addresses based on the entries of access control entries, for example:

access-list 1 deny 192.168.10.10

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 1 deny 192.168.0.0 0.0.255.255

access-list 1 permit 192.0.0.0 0.255.255.255

If packets are permitted, they are routed through the router to an output interface. If packets are denied, they are dropped at the incoming interface.

Cisco IOS processed standard Access Control Entries sequentially. Therefore, the order in which Access Control Entries (ACEs) are entered is significant. For example, in Figure below ACL 2 contains two ACEs. The first ACE denies a range of addresses with the help of wildcard mask, The ACE denies hosts in the 192.168.11.0/24 network. The second ACE is for a specific host.

The statement examines a specific host: 192.168.11.10. The host is also in the range of the first entry. In other words, 192.168.11.10 is a host in the 192.168.11.0/24 network. So, the internal logic for standard access lists rejects the second statement and returns an error message because it is a subset of the previous statement. This is a conflict of the ACL statement.

Now look at the figure below. The configuration contains the same two statements but in reverse order. This is a valid sequence of statements because the first statement refers to a specific host, not a range of hosts. So, now the host 192.168.11.10 can access the network outside where the access-list 2 has applied.

Now look to ACL Configured with a host statement that is not in the range of a previous statement. The 192.168.30.10 host address is not a member of the 192.168.11.0/24 network, so this is a valid statement because there is no conflict between these two statement addresses.

Applying Standard ACLs to Interfaces

When standard ACL is configured, it is linked to an interface using the “ip access-group” command in interface configuration mode. The command syntax is the following:

Router(config-if)# ip access-group <access-list-number | access-list-name> <in | out>

To remove an ACL, enter the “no ip access-group” command on the interface, and then enter the “no access-list” command to remove the entire ACL.

Example 1 of Standard ACL

The figure below lists the steps and syntax to configure and apply a numbered standard ACL on a router. This ACL allows only traffic from source network 192.168.2.0 to be forwarded out of interface FastEthernet 0/0. Traffic from other networks is blocked.

The first line identifies the ACL as access-list 2. It permits traffic that matches the selected parameters. In this case, the 192.168.2.0 0.0.0.255 is allowed to access the network 192.168.4.0/24. The entry is an implicit deny all statement that is equivalent to adding the line access-list 2 deny 0.0.0.0 255.255.255.255 or access-list 2 deny any. The “ip access-group 2 out” interface configuration command links and ties ACL 2 to the FastEthernet 0/0 interface as an outbound filter.

So, ACL 2 only permits hosts from the 192.168.2.0/24 network to exit router R2. It denies any other network including the 192.168.2.0 network.

Example 2 of Standard ACL

The figure below illustrates an example of an ACL that permits a specific subnet except for a specific host on that subnet.

This ACL blocks traffic from all subnets, including specific addresses in the subnet that allow accessing the network. The first ACE denies the host 192.168.2.2 from accessing the network 192.168.3.0.

The second ACE permits all other hosts on the network 192.168.2.0/24 to access the network 192.168.3.0/24. Again, the implicit deny statement matches every other network. The ACL is applied and linked to the Fast Ethernet interface 0/0 in an outbound direction.

Example 3 of Standard ACL

The figure below is an example of an ACL that denies a specific host. This ACL replaces the previous example. This example still blocks traffic from host PC1 but permits all other traffic.

The first commands deny the host 192.168.2.2 from accessing the network 192.168.3.0/24. All other hosts are permitted to follow the following line. This means that all hosts from the 192.168.1.0/24, 192.168.2.0/24, and 192.168.4.0/24 networks will be allowed except host 192.168.2.2, which was denied in the first statement.

We have applied this ACL to interface FastEthernet 0/0 in the outbound direction. This ACL only affects network 192.168.2.0/24, So we can place this ACL inbound on interface FastEthernet 0/1 on Router3. I think this is the best place for this type of ACL.

Creating Named Standard ACLs

Naming an ACL is the best practice because naming makes ACL easier to understand. For example, an ACL configured to deny could be called NO_Telnet. The named ACL configuration mode and command syntax are slightly different then numbered ACL.

Use the ip access-list command in global configuration mode to create a named ACL. ACL names are alphanumeric, case-sensitive, and must be unique. The ip access-list standard <name> is used to create a standard named ACL, whereas the command ip access-list extended <name> is for an extended access list.

After entering the command, the router is in the named standard ACL configuration mode as indicated by the prompt. The difference between numbered and named ACLs is that the Numbered ACLs use the global configuration command access-list, whereas named IPv4 ACLs use the ip access-list command.

After entering the named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped. Apply the ACL to an interface using the ip access-group <in | out> command.

Example of Named Standard ACL

The figure below illustrates the commands configuring a standard ACL on router R3, interface FE0/0, that denies host 192.168.2.2 access to the 192.168.4.0/24 network. The ACL is named NO_ACCESS_Net4. Recall that the name is case-sensitive.

Commenting ACLs

We can comment on the ACL using the remark keyword about the ACE in any IP standard or extended ACL. The remarks make the ACL easier to understand. Each remark line is restricted to 100 characters. We can enter the comment before or after a permit or deny statement. The command syntax for remarks is as:

access-list <access-list_number> remark <remark> in global configuration mode. We can remove the remark using the no access-list <access-list_number> remark <remark> command in global configuration mode.

Example 4 Using Remarks with Numbered ACL

The numbered ACL 5 denies the 192.168.2.2 PC from accessing the network 192.168.4.0/24 but permits all other devices. The remarks are used in the ACL.

Example 5 Using Remarks with Named ACL

In this example, you can see a standard named ACL configuration. The remarks indicate that PC1 is not authorized to access PC0, but devices from all other networks are permitted.

Verifying ACLs

Using the show ip interface command, we can verify the ACL on the interface. The output of this command displays the number or name of the access list and the direction in which the ACL was applied.

We can also verify the ACL by issuing the show access-lists command on the router. The output of the command displays all ACL output. We can also view an individual access list using the show access-lists command followed by the access list number or name. We can also verify the ACL from a starting-config file.

Finally, the video below is the answer to Cisco Routing Switching “9.2.1.10 Packet Tracer Configuring Standard ACLs.” The video is essential for the students of CCNA as well as for those who want to learn standard ACLs

https://youtu.be/tqEAn5R9owY

How to place Standard ACL and Extended ACL

Asad Ijaz / CCNA /

September 2, 2019

Are you often puzzled by the differences between standard and extended access lists? You’re not alone. Understanding these two types of access lists is crucial for network security management. In this article, we dive deep into the world of access lists to unravel the secrets behind their functionalities.

As the name suggests, standard access lists are basic filters that allow or deny traffic based on source IP addresses. On the other hand, extended access lists offer more advanced features, allowing you to filter traffic based on source and destination IP addresses and other parameters such as protocols and port numbers.

By delving into the intricacies of these access lists, you’ll understand how each works and how to implement them effectively in your network infrastructure. Whether you’re an IT professional or a networking enthusiast, this article will provide you with the knowledge you need to enhance your network security.

So, let’s get started and unlock the secrets of standard and extended access lists!

Standard ACLs Placement

As the name suggests, standard access lists are basic filters that allow or deny traffic based on source IP addresses. When configuring a standard access list, you can specify a range of source IP addresses you want to permit or deny access to certain network resources. The main advantage of using standard access lists is their simplicity and ease of implementation.

Unlike extended access lists, standard access lists do not consider the destination IP address, protocols, or port numbers, which limits their filtering capabilities. Standard access lists are generally used for simple filtering tasks, such as blocking specific IP addresses or allowing access from a specific range of IP addresses.

To create a standard access list, you must assign a number, typically 1 to 99 or 1300 to 1999. The lower the number, the higher the priority of the access list. Each access list entry consists of a permit or deny statement followed by the source IP address or a wildcard mask. The wildcard mask specifies the range of IP addresses you want to permit or deny.

We know that standard ACLs only filter traffic based on a source address. The basic rule of standard ACLs requires placement that is possibly close to the destination network. This allows the traffic to arrive at all other networks except those where the packets will be filtered. In the figure below, we want to prevent traffic from the 192.168.2.0/24 network from reaching the 192.168.4.0/24 network.

If we place the standard ACL on the inbound interface of Router0, this will stop the 192.168.2.0/24 network traffic from reaching any other network. If we place ACL on the outbound interface towards Router1, this will stop 192.168.2.0/24 traffic from reaching any network of Router1.

If we place the ACL on the router’s inbound or outbound interface, this will also prevent traffic from the 192.168.2.0/24 network from reaching any of Router1 and Router2’s networks. If we place the ACL inbound on interface Fa1/0 of Router2, this will also stop all traffic from the 192.168.2.0 network from reaching any of Router2’s networks.

So, the best place to place the ACL is Router 1’s Eth 1/0 interface. This is the closest interface to the destination. Therefore, we would apply a standard Ethernet 1/0 outbound interface ACL. This will prevent traffic from 192.168.2.0/24 from entering the Ethernet 1/0 interface and reaching 192.168.4.0/24 and all other networks reachable to the 192.168.4.0/24 network.

Extended ACLs Placement

On the other hand, extended access lists offer more advanced features. They allow you to filter traffic based on source and destination IP addresses and other parameters such as protocols and port numbers. Extended access lists provide a higher level of granularity and flexibility compared to standard access lists.

With extended access lists, you can specify the source IP address and the destination IP address. This allows you to control access to specific network resources based on source and destination. In addition, extended access lists consider the protocols and port numbers associated with the traffic, giving you even more control over the types of traffic allowed or denied.

To create an extended access list, you must assign it a number between 100 and 199 or 2000 and 2699. Similar to standard access lists, the lower the number, the higher the priority. Each entry in an extended access list consists of a permit or deny statement followed by the source and destination IP addresses, protocols, and port numbers.

It can filter traffic based on the source address, destination address, protocol type, and port number. Extended ACL gives more flexibility in filtering the kind of traffic and where to place the ACL. The basic rule for identifying an extended ACL is to put it close to the traffic’s source. Extended ACL filters unnecessary traffic from being sent across multiple networks.

The network administrator places extended ACLs on devices that they can easily control. In the figure, the administrator wants to control FTP and telnet traffic from the 192.168.1.0/24 and 192168.2.0/24 networks. At the same time, all other traffic from both networks must be permitted to leave Router3 without any restriction.

There are several ways to accomplish these goals. We can configure an extended ACL inbound to Router3 Fa0/0 and Fa0/1 networks. However, this is not a best practice because we should configure an extended ACL inbound for both ACLs.

A best practice is to place an extended ACL on Router3 interface Fa0/1 outbound. The extended ACL specifies both source and destination addresses and enforces the rule, “Telnet and FTP traffic from the 192.168.1.0/24 and 192.168.2.0/24 network is not allowed to go to the 192.168.3.0/24 network.

The above type of ACL may also depend on the following:

Ease of configuration– If we want to deny traffic coming from several networks, The first option is to use a single standard ACL on the closest to the destination. However, the main disadvantage of this ACL is the unnecessary use of bandwidth. So, we can configure an extended ACL on each router source router. This will save bandwidth by filtering the traffic at the source, but this requires creating extended ACLs for several routers.
The extent of the network administrator’s control– Placement of the ACL also depend on the network administrator. He can control both the source and destination networks using an ACLs.
The bandwidth of the networks – Filtering unwanted traffic at the source prevents consumption of the bandwidth. This is important in low bandwidth networks.
Entering Criteria Statements. Then router receives traffic, the traffic is compared to all the access control entries in the order that the entries listed. The router continues comparing the access control entries until it finds the first match. The router will process the packet based on the first match found, and it will terminate by comparing more access control entries.
If no matches are found in the access control entries and the router reaches the end of the list, the traffic is denied. This is because, by default, there is an implied deny at the end of all access control lists for traffic that was not matched to a configured entry. A single-entry access control list with only one denied entry has the effect of banning all traffic. So, one permit entry must be configured in an access control list.

Key Differences Between SACLs and EACLs

Now that we have a basic understanding of standard and extended access lists let’s explore their key differences.

The first major difference is that standard access lists only consider the source IP address, while extended access lists consider both the source and destination IP addresses. This means standard access lists are limited in controlling access to specific network resources based on the destination.

The second difference is that extended access lists provide more granular control over the types of traffic allowed or denied. With extended access lists, you can filter traffic based on protocols and port numbers, allowing you to have fine-grained control over the types of traffic that are permitted or denied.

Another important difference is the range of access list numbers that can be used. Standard access lists typically use numbers ranging from 1 to 99 or 1300 to 1999, while extended access lists use numbers ranging from 100 to 199 or 2000 to 2699. Choosing the appropriate range when creating access lists is important to avoid conflicts and ensure proper functionality.

Understanding the Syntax and Structure of SACLs

To effectively configure and implement standard access lists, it is crucial to understand their syntax and structure. Standard access lists are created using the access-list command, followed by the access list number and the permit or deny statement. The source IP address or wildcard mask is then specified to define the range of IP addresses allowed or denied.

For example, to create a standard access list that denies access from a specific IP address, you would use the following syntax:

access-list <access-list-number> deny <source-ip-address>

To create a standard access list that permits access from a specific range of IP addresses, you would use the following syntax:

access-list <access-list-number> permit <source-ip-address> <wildcard-mask>

It’s important to note that standard access lists are processed top-down, meaning that the first match determines the outcome. Therefore, it’s crucial to carefully consider the order of the access list entries to ensure that they are applied correctly.

Common use cases for Standard Access Control Lists (SACLs)

Standard Access Control Lists (SACLs) are the simpler of the two types of access lists. They are used primarily for filtering traffic based on source IP addresses. Let’s explore some common use cases for SACLs:

1. Restricting access to internal resources

One main use case for SACLs is restricting access to internal resources within a network. For example, you may want to allow access to a specific server from only a certain range of IP addresses. By configuring a SACL with the appropriate source IP addresses, you can effectively control access to the server and prevent unauthorized access from other IP ranges.

2. Blocking specific IP addresses

Another common use case for SACLs is blocking specific IP addresses or ranges from accessing your network. This can be useful when dealing with known malicious IP addresses or when you want to block traffic from a specific country or region. By creating a SACL that denies traffic from the specified IP addresses, you can effectively block unwanted traffic and enhance the security of your network.

3. Prioritizing network traffic

SACLs can also prioritize network traffic based on source IP addresses. This can be particularly useful in scenarios where you have limited bandwidth and must ensure that critical traffic gets priority over non-critical traffic. By configuring a SACL that allows traffic from necessary IP addresses while denying or limiting traffic from other IP addresses, you can effectively manage your network resources and ensure optimal performance.

In summary, SACLs are primarily used to filter traffic based on source IP addresses. They can also restrict access to internal resources, block specific IP addresses, and prioritize network traffic. Now, let’s explore the common use cases for Extended Access Control Lists (EACLs).

Common use cases for Extended Access Control Lists (EACLs)

Extended Access Control Lists (EACLs) offer more advanced filtering capabilities than SACLs. In addition to source IP addresses, EACLs can filter traffic based on destination IP addresses, protocols, and port numbers. Let’s dive into some common use cases for EACLs:

1. Controlling traffic based on source and destination IP addresses

One of the key advantages of EACLs is the ability to filter traffic based on source and destination IP addresses. This allows for more granular control over network traffic. For example, you may want to allow traffic from a specific source IP address to a specific destination IP address while denying traffic from other combinations of source and destination IP addresses. EACLs can be configured to achieve this level of control and enhance network security.

2. Filtering traffic based on protocols and port numbers

EACLs also allow traffic to be filtered based on protocols and port numbers. This is particularly useful when dealing with specific applications or services that use well-known port numbers. For example, you may want to allow traffic on port 80 for web browsing but block traffic on port 23 for Telnet access. By configuring an EACL with the appropriate protocol and port number restrictions, you can effectively control the flow of network traffic and ensure the security of your network.

3. Implementing access control for different network segments

EACLs can be used to implement access control between different network segments. For example, if you have a network with multiple VLANs, you may want to allow communication between specific VLANs while blocking communication between others. By configuring EACLs on the router or switch connecting the VLANs, you can control traffic flow between the different segments and enforce network segmentation for improved security.

In summary, EACLs offer advanced filtering capabilities compared to SACLs. They can control traffic based on source and destination IP addresses, filter traffic based on protocols and port numbers, and implement access control between network segments. Now, let’s conclude our exploration of standard and extended access lists.

Conclusion

This article has unlocked the secrets behind standard and extended access lists (SACLs and EACLs). We have explored the everyday use cases for both and understand how each type of access list can enhance network security.

Standard access lists are primarily used for filtering traffic based on source IP addresses. In contrast, extended access lists offer more advanced features, such as filtering based on source and destination IP addresses, protocols, and port numbers. By understanding the differences between these two types of access lists, you can effectively implement access control measures in your network infrastructure.

Whether you’re restricting access to internal resources, blocking specific IP addresses, prioritizing network traffic, controlling traffic based on source and destination IP addresses, filtering traffic based on protocols and port numbers, or implementing access control for different network segments, access lists play a crucial role in network security management.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.