Access Control List

The Access Control List (ACL) has many different uses in the world of networking, ranging from being used to set a metric within a route map that is applied to a Border Gateway Protocol (BGP) neighbour advertising its routes into your network, to being as simple as a first line of defence that permits or denies traffic entering or leaving your network.

I will be concentrating on the latter of the two for now. When we think of an ACL, we first think about security: we can have full control over who can enter and leave our network, and also over how they enter and leave it. Access lists are a set of filters that traffic is checked against as it hits an interface, so when traffic arrives at an interface where an ACL is applied, it will be either permitted or denied.

When working with ACLs there are three types to choose from: Standard, Extended and Named.

Standard: Router(config)#access-list 1 permit host 192.168.1.10   (Permits a specific IP address)

Extended: Router(config)#access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq telnet

(Denies traffic from the 192.168.1.0/24 subnet to any other host if it is attempting to use telnet, TCP port 23)

Named: Router(config)#ip access-list standard permit-ip (Creates a standard ACL named “permit-ip” and drops you into its configuration mode)

Router(config-std-nacl)#permit host 192.168.2.10 (Allows access from IP address 192.168.2.10; note the prompt changes once you are inside the named ACL)

There are a few points to remember when working with these different types of ACLs.

When you are working with a Standard ACL, you can only permit or deny packets based on the source IP address. Standard ACLs are identified by the number assigned to the access list, ranging from 1 – 99 and also 1300 – 1999. It is best practice to place a standard ACL as close to the destination as possible. If you place a standard ACL too close to the source address, you could block traffic that should be permitted from leaving or entering your network. Remember that standard ACLs only filter on source addresses and not on any kind of destination address or traffic type.

With the Extended ACL, you can perform your filtering on the following: source IP address, destination IP address, protocol, port numbers and even MAC addresses. Like the standard ACL, the extended ACL is identified by the number assigned to the access list, ranging from 100 – 199 and also 2000 – 2699. When you want to filter more complex traffic a standard ACL will not do the job, so this is when an extended ACL comes into play, as it offers more control than the standard ACL. Extended ACLs can filter traffic not only on source addresses but also on destination addresses. They can also filter not only at the network layer but also at the transport layer (port numbers). When placing an extended ACL it is best practice to have it as close to the source as possible, unlike the standard ACL, which needs to be placed as close to the destination as possible. By being able to look at both the source and destination addresses of a packet, the extended ACL can block traffic before it leaves the source router.

Finally, the Named ACL (NACL) can be either a Standard or an Extended ACL. When creating a NACL, instead of using a number to distinguish a standard from an extended ACL, you use the word “standard” or “extended” followed by a descriptive name that identifies the ACL. All the placement rules discussed already still apply: Standard – as close to the destination as possible, Extended – as close to the source as possible.

After creating your ACL, you must apply it to an interface for it to become effective. The ACL targets traffic that is either inbound or outbound through the interface.

A few other little things you should remember when working with ACLs. When you are creating an ACL, the IP address you enter is followed by what is called a Wildcard Mask. Unlike the subnet mask you have come to love and understand, the wildcard mask specifies a host or range of addresses to be permitted or denied: it determines how many bits of the incoming IP address must match the comparison address. Take the following example,

access-list 1 permit 192.168.1.0 0.0.0.255

The wildcard mask in the above example tells the router that only the first three octets must match; anything in the 4th octet is allowed to vary. So any packet that hits the interface with a source IP address in the range 192.168.1.1 – 192.168.1.255 will be matched by the address and wildcard mask in the ACL.

And finally for now: when you have created your ACL, you must remember there is an implicit deny statement at the end of every ACL. This statement is automatically applied at the end of each ACL even though it is not physically present in the configuration. The implicit deny blocks all traffic that has not matched an earlier entry, which prevents unwanted traffic from slipping through by accident. An ACL that does not have at least one permit statement will block all traffic. Therefore an ACL denies all traffic that is not specifically permitted.
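As an added example (my own code, not part of the original article), here is a small Python simulator of the two behaviours just described: the wildcard-mask comparison and the top-down, first-match evaluation that ends in the implicit deny. It parses numbered access-list lines in the same form as the examples above; the port keyword table, the packet dictionary layout and the sample lines are my own constructions.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # a few IOS port keywords

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))

def parse_acl(config_lines):
    """Parse numbered 'access-list N permit|deny ...' lines, keeping their order."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        entry = {"action": action, "proto": "ip", "dport": None,
                 "dst": ("0.0.0.0", "255.255.255.255")}
        if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard: source only
            entry["src"] = _addr_spec(rest)
        else:  # extended (100-199, 2000-2699): protocol, source, destination, port
            entry["proto"] = rest.pop(0)
            entry["src"] = _addr_spec(rest)
            entry["dst"] = _addr_spec(rest)
            if rest[:1] == ["eq"]:
                entry["dport"] = int(PORT_NAMES.get(rest[1], rest[1]))
        entries.append(entry)
    return entries

def evaluate(entries, pkt):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in entries:
        if (e["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *e["src"])
                and wildcard_match(pkt["dst"], *e["dst"])
                and e["dport"] in (None, pkt.get("dport"))):
            return e["action"]
    return "deny"  # the implicit deny at the end of every ACL

# Constructed sample (not from a real device): the article's extended example plus a permit.
ACL_100 = parse_acl(["access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq telnet",
                     "access-list 100 permit ip 192.168.1.0 0.0.0.255 any"])
```

Removing the second line of ACL_100 shows the last point of the article: with only a deny entry, every packet ends up at the implicit deny.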