Security
IP Access Control List
© 2006 - iPMAC Informatics Technology J.S.C
We’re going to attack the following:
• ACL concepts
• Standard and extended ACLs
• Named ACLs
• Using ACLs efficiently and effectively
IPMAC
Networking Academy
Preamble
Network administrators must figure out how to deny unwanted
access to the network while allowing internal users appropriate
access to necessary services.
Security tools such as passwords and physical security devices often lack
basic traffic filtering and the specific controls most administrators prefer.
For example, a network administrator may want to allow users
access to the Internet, but not permit external users telnet
access into the LAN.
Routers provide basic traffic filtering capabilities, such as
blocking Internet traffic, with access control lists (ACLs).
What are Access Control Lists
An access list is a sequential series of commands or filters.
These lists tell the router what types of packets to:
• accept, or
• deny
The router examines each packet to determine whether to forward or drop it,
based on the conditions specified in the ACL.
Some ACL decision points are:
• IP source address
• IP destination address
• UDP or TCP protocol
Key features of Cisco access lists
Packets can be filtered as they enter an interface, before the
routing decision.
Packets can be filtered as they exit an interface, after the
routing decision.
Deny is the term used in Cisco IOS software to indicate that the packet
will be filtered.
Permit is the term used in Cisco IOS software to indicate that the packet
will not be filtered.
At the end of every access list is an implied “deny all traffic” statement.
Therefore, if a packet does not match any of your access list statements,
it is blocked.
Before using ACLs, decide:
• What needs to be filtered
• Where to filter the traffic
• On which router interface the ACL is placed
• In which direction on that interface the ACL is applied
How do ACLs work?
ACLs have two major steps in their logic: matching and action.
Matching logic examines the packet and determines whether it matches the
access-list statement.
An access list can have multiple entries.
IOS searches the list sequentially until the first statement is matched.
An ACL tells the router to take one of two actions when a statement is
matched: deny or permit.
If none of the ACL statements match, an implicit "deny any" statement placed
at the end of the list by default takes effect. (It is not visible in the
configuration.)
How do ACLs work? (cont.)
Only one access list is placed in one direction of an interface.
• Out - Traffic that has already been routed by the router and is
leaving the interface.
• In - Traffic that is arriving on the interface and which will be
routed by the router.
There can be only one access list per protocol, per interface, per direction.
On a router, you can create many access lists.
ACLs do not block packets that originate within the router itself
(i.e. pings, telnets, etc. sourced from the router).
Something to remember …
New statements are added to the end of the list.
If no match is found when the router reaches the end of the list, the
traffic is denied.
You should have the frequently hit entries at the top of the list.
There is an "implied deny" for traffic that is not permitted.
A single-entry ACL with only one "deny" entry has the effect of denying
all traffic.
You must have at least one "permit" statement in an ACL or all traffic
will be blocked.
access-list 10 permit 10.1.1.1 0.0.0.255
access-list 10 deny any            (implicit, not shown in the configuration)
Wildcard Masks
A wildcard mask address:
• Tells how much of the packet’s source IP address (or destination IP
address) needs to match for this condition to be true.
• Defines the portion of the IP address that should be examined.
• Is a 32-bit quantity that is divided into four octets.
• Is always paired with an IP address.
Wildcard Masks
The numbers one and zero in the mask are used to identify how to
treat the corresponding IP address bits.
Bit positions of binary 0 mean that the access list compares the
corresponding bit position in the IP address and makes sure it is
equal to the same bit position in the address configured in the
access-list statement. Bit positions of binary 1 are “don’t care”
bits – those bit positions are immediately considered to be a
match.
Wildcard masks have no functional relationship with subnet masks.
They are used for different purposes and follow different rules.
Wildcard Masks Test Condition
Address        10101100.00010000.00000000.00000000   (172.16.0.0)
Wildcard mask  00000000.00000000.11111111.11111111   (0.0.255.255)
               ------------------------------------
               Must Match        No Match Necessary
Matching packets will look like this…
               10101100.00010000.any value.any value
Wildcard mask used to identify how to treat the corresponding IP address bits.
0 - “check the corresponding bit value.”
1 - “do not check (ignore) that corresponding bit value.”
A zero in a bit position of the access list mask indicates that the corresponding
bit in the address must be checked and must match for condition to be true.
A one in a bit position of the access list mask indicates the corresponding bit in
the address is not “interesting”, does not need to match, and can be ignored.
Wildcard Masks
Wildcard masks allow matching on the entire IP address or on just a part of
the IP address.

Wildcard Mask     Binary version of the mask             Description
0.0.0.0           00000000 00000000 00000000 00000000    The entire IP address must match
255.255.255.255   11111111 11111111 11111111 11111111    Don’t even bother to compare
0.0.0.255         00000000 00000000 00000000 11111111    Just the first 24 bits must match
0.0.15.255        00000000 00000000 00001111 11111111    Just the first 20 bits must match
“any” keyword
R1(config)#access-list 11 deny 0.0.0.0 255.255.255.255
Or
R1(config)#access-list 11 deny any
any = 0.0.0.0 255.255.255.255
Simply put, the any option substitutes 0.0.0.0 for the
IP address and 255.255.255.255 for the wildcard
mask.
This option will match any address that it is
compared against.
“host” keyword
R2(config)#access-list 10 permit 192.168.1.100 0.0.0.0
Or
R2(config)#access-list 10 permit host 192.168.1.100
The host option substitutes for the 0.0.0.0 mask.
This mask requires that all bits of the ACL address and the
packet address match.
The host keyword precedes the IP address.
This option will match just one address.
192.168.1.100 0.0.0.0 replaced by host 192.168.1.100
Two types of ACLs
Standard IP ACLs
Can only filter on source IP addresses
Extended IP ACLs
Can filter on:
Source IP address
Destination IP address
Protocol (TCP, UDP, ICMP)
Port Numbers (Telnet – 23, http – 80, etc.)
and other parameters
Standard IP Access Control Lists
Standard IP ACLs can examine only the source IP address. So each standard
ACL can match all, or only part, of the packet’s source IP address.

Command and its configuration mode / description:

access-list access-list-number {deny | permit} source [source-wildcard] [log]
    Global command for a standard numbered access list. Use a number between
    1 and 99 or 1300 and 1999, inclusive.
access-list access-list-number remark text
    Defines a remark that helps you remember what the ACL is supposed to do.
ip access-group {number | name} {in | out}
    Interface subcommand to enable an access list on the interface.
access-class {number | name} {in | out}
    Line subcommand to enable either a standard or an extended access list
    on a line (for example the vty lines).
Extended IP Access Control Lists
Extended ACLs are used more often than standard ACLs
because they provide a greater range of control.
Extended ACLs check the source and destination
packet addresses as well as being able to check for
protocols and port numbers.
Extended ACLs use a number between 100 and 199 or 2000
and 2699
Packets can be permitted or denied access based on where
the packet originated and its destination as well as protocol
type and port addresses.
Remember that only one ACL per interface, per direction, per
protocol is allowed.
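The matching-and-action logic from the "How do ACLs work?" slides, carried through to the extended-ACL checks above, simulated in Python as an added example (this is not code from the deck or from Cisco IOS): entries are tried top-down, the first match decides, and a packet that matches nothing falls through to the invisible "deny any". ACL number 101, the 10.1.1.0/24 network and the 203.0.113.x addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Wildcard bit 0 = packet bit must equal the ACL bit; bit 1 = don't care."""
    p = int(ipaddress.IPv4Address(packet_ip))
    a = int(ipaddress.IPv4Address(acl_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    return (p & ~w) == (a & ~w)

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str                         # source address in the statement
    src_wc: str = "0.0.0.0"          # default wildcard = "host" match
    proto: str = "ip"                # "ip" matches every protocol (standard-ACL style)
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # default = "any" destination
    dport: Optional[int] = None      # destination port; None = any port
@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def entry_matches(e: Entry, pkt: Packet) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if e.dport is not None and e.dport != pkt.dport:
        return False
    return (wildcard_match(pkt.src, e.src, e.src_wc)
            and wildcard_match(pkt.dst, e.dst, e.dst_wc))

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match -> implicit deny (index None)."""
    for index, e in enumerate(acl):
        if entry_matches(e, pkt):
            return e.action, index
    return "deny", None

# Constructed extended ACL (numbers and addresses assumed, not from the deck):
# let 10.1.1.0/24 reach the web, stop anyone telnetting into it, permit the rest.
ACL_101 = [
    Entry("permit", "10.1.1.0", "0.0.0.255", "tcp", "0.0.0.0", "255.255.255.255", 80),
    Entry("deny", "0.0.0.0", "255.255.255.255", "tcp", "10.1.1.0", "0.0.0.255", 23),
    Entry("permit", "0.0.0.0", "255.255.255.255", "ip"),
]
DENY_ONLY = [Entry("deny", "10.1.1.0", "0.0.0.255")]  # one deny entry = deny everything
```

Reordering the entries changes the outcome, which is why the slides insist on putting specific statements early and frequently hit ones at the top.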
Extended IP ACL configuration commands
Creating ACLs – 2 steps
Step 1: create the ACL (the access-list command). Step 2: apply it to an
interface (the ip access-group command).
You can define ACLs without applying them. However, the ACLs will have no
effect until they are applied to the router's interface.
Verifying ACL configuration
Placing ACLs
[Diagram: traffic from source network 10.0.0.0/8 to destination network 172.16.0.0/16]
The general rule:
• Standard ACLs do not specify destination addresses, so they should be
placed as close to the destination as possible.
• Put extended ACLs as close as possible to the source of the traffic
being denied.
Ranges with Wildcard Masks
Wildcard masks can be used to define “some” ranges of IP addresses.
Match subnets 172.30.16.0 to 172.30.31.0
access-list 20 permit 172.30.16.0 0.0.15.255
What’s happening (we’ll see it’s easier than this):
The easiest way to see how we did this is to show it in binary…
Ranges with Wildcard Masks
Match subnets 172.30.16.0 to 172.30.31.0
access-list 20 permit 172.30.16.0 0.0.15.255

                               Must match          Any value
172.30.16.0     10101100 . 00011110 . 00010000 . 00000000
0.0.15.255      00000000 . 00000000 . 00001111 . 11111111
---------------------------------------------------------
172.30.16.0     10101100 . 00011110 . 00010000 . 00000000
172.30.16.1     10101100 . 00011110 . 00010000 . 00000001
through . . .
172.30.31.254   10101100 . 00011110 . 00011111 . 11111110
172.30.31.255   10101100 . 00011110 . 00011111 . 11111111

Using the first permitted subnet, 172.30.16.0, gives us the address for
our test condition.
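The wildcard-mask arithmetic from the Wildcard Masks slides and from this range slide, worked in both directions in Python as an added example (not code from the deck): from an address plus mask to the first and last address it matches and how many leading bits must match, and from a block of addresses back to the single statement that covers it. It also handles two cases the slides only hint at: a mask whose 1 bits are not a contiguous run does not describe one range, and a block that is not an aligned power-of-two size (such as 172.30.16.0 through 172.30.31.0 taken literally) cannot be written as one address/wildcard pair.

```python
import ipaddress
from typing import Optional, Tuple

def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def matched_range(acl_ip: str, wildcard: str) -> Optional[Tuple[str, str, int]]:
    """(first address, last address, number of leading bits that must match)
    for an 'address wildcard' pair, or None when the wildcard's 1 bits are
    not one trailing run (e.g. 0.0.2.255) and so match scattered addresses."""
    a, w = to_int(acl_ip), to_int(wildcard)
    if w & (w + 1):            # w+1 is a power of two only for 000...0111...1
        return None
    first = a & ~w             # "don't care" bits cleared
    last = a | w               # "don't care" bits set
    return to_ip(first), to_ip(last), 32 - w.bit_length()

def wildcard_for_range(first_ip: str, last_ip: str) -> Optional[Tuple[str, str]]:
    """Inverse direction: the 'address wildcard' pair covering exactly
    first_ip..last_ip, or None if no single statement can express it
    (the block must be a power-of-two size and aligned to that size)."""
    first, last = to_int(first_ip), to_int(last_ip)
    size = last - first + 1
    if size <= 0 or size & (size - 1) or first % size:
        return None
    return to_ip(first), to_ip(size - 1)
```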
Miscellaneous ACL Topics
Named IP Access Lists
Controlling Telnet Access with ACLs
ACL Implementation Considerations
Named Access Control Lists
IP named ACLs were introduced in Cisco IOS Software Release
11.2.
Allows standard and extended ACLs to be given names instead of
numbers.
The advantages that a named access list provides are:
Intuitively identify an ACL using an alphanumeric name.
Eliminate the limit of 798 simple and 799 extended ACLs.
Named ACLs provide the ability to modify ACLs without deleting
and then reconfiguring them.
It is important to note that a named access list will allow the
deletion of statements but will only allow for statements to be
inserted at the end of a list.
Controlling Telnet Access with ACLs
Creating the standard access list:
R1(config)# access-list 3 permit 10.1.1.0 0.0.0.255
Applying the access list:
R1(config)# line vty 0 4
R1(config-line)# login
R1(config-line)# password cisco
R1(config-line)# access-class 3 in
Access into and out of the virtual terminal line (vty) ports of the Cisco
IOS software can be controlled by IP access lists.
The purpose is increased network security.
Identical restrictions should be placed on all vty lines, as it is not
possible to control which line a user will connect on.
ACL Implementation Considerations
Create your ACLs using a text editor outside the router, then copy and
paste the configuration into the router.
Place extended ACLs as close to the packet’s source as possible, so that
unwanted packets are discarded quickly.
Place standard ACLs as close to the packet’s destination as possible,
because standard ACLs often discard packets that you do not want discarded
when they are placed close to the source.
Place more-specific statements early in the ACL.
Disable an ACL from its interface (using the no ip access-group command)
before making changes to it.
Practice Example
Summary
ACL definition
How ACLs work
Wildcard masks
Standard numbered ACL configuration
Extended numbered ACL configuration
Named ACL configuration
Where to place ACLs
Stop here!
Questions?