Defining an access control list may seem a challenging and complex task, especially to those who have just entered the world of computer networking and network security. The aim of this article is to explain the role of access control lists and the basic concepts needed to understand them. The article also shows you how to configure them on a Cisco router.
An access control list (ACL) is a set of rules that controls network traffic and mitigates network attacks. More precisely, ACLs filter traffic on a router or switch interface according to defined matching criteria.
Why use access control lists (ACL)
Initially, ACLs were the only means of providing firewall protection. Even though many other types of firewalls and alternatives to ACLs exist today, ACLs are still used, often in combination with other technologies (for example, in virtual private networks to define which traffic should be encrypted and sent through the VPN tunnel), and you should master them to succeed at the CCNA level and beyond.
Reasons why you should use ACLs:
- Limit network traffic to increase network performance
- Provide traffic flow control
- Provide a basic level of security for network access by defining which part of the network/server/service can be accessed by a host and which cannot
- Granular control over traffic entering or exiting the network
Types of Access Control Lists
ACLs are primarily divided into two types: standard and extended. We also differentiate between numbered and named ACLs.
Standard ACLs filter traffic based solely on the Layer 3 source address in the IP (Internet Protocol) packet header.
The command syntax for configuring a standard numbered ACL consists of four values:
The first value {1-99 or 1300-1999} specifies the standard ACL number range.
The second value specifies whether to permit or deny the configured source IP address traffic.
The third value is the source IP address that must be matched.
The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.
Extended ACLs filter traffic based on Layer 3 and 4 source and destination information thus giving greater flexibility and control over network access than standard ACLs. The Cisco Extended ACL command guide can be found here.
The command syntax for configuring an extended numbered ACL consists of the following values:
The first value {100-199 or 2000-2699} specifies the extended ACL number range.
The second value specifies whether to permit or deny traffic according to the criteria that follows.
The third value indicates the protocol type: IP, TCP, UDP, ICMP or another IP sub-protocol.
The source and destination IP address and their associated wildcard masks determine where traffic originates and its final destination, respectively.
As already mentioned, it is also possible to create a named ACL, which must be specified as either standard or extended.
The command syntax for configuring a named standard or extended ACL:
Router(config)# ip access-list [standard | extended] ACL_name
Upon executing this command, the user is placed into ACL subconfiguration mode, where the permit and deny statements are entered:
Extended named ACLs offer additional parameters:
After creating the standard or extended ACL, you must apply it to the appropriate interface (or to a VTY line). The command to apply an ACL to an interface is ip access-group (see the example at the end of the article); on VTY lines, access-class is used instead.
ACL Configuration Guidelines
When working with ACLs or preparing for the CCNA exam, it’s important to remember the following guidelines:
- Only one ACL per interface, per protocol, per direction is allowed.
- ACLs are processed top-down, so the most specific statements must go at the top of the list. Once a packet matches a statement, processing stops and the packet is permitted or denied by that statement.
- ACLs are created globally and then applied to interfaces.
- An ACL can filter traffic going through the router, or traffic to and from the router.
- All ACLs have an implicit “deny all” statement at the end. Therefore, every ACL must have at least one permit statement, or no traffic will pass.
ACL Example
The idea of this example is to demonstrate the usage of standard and extended numbered ACLs.
On this network, you want to block all remote access to the routers except from PC C2.
First, create a numbered standard ACL on all three routers, then enter line configuration mode for the VTY lines and apply the ACL to incoming traffic with access-class:
R1(config)# access-list 10 permit 192.168.3.10 0.0.0.0
R2(config)# access-list 10 permit 192.168.3.10 0.0.0.0
R3(config)# access-list 10 permit 192.168.3.10 0.0.0.0
R1(config-line)# access-class 10 in
R2(config-line)# access-class 10 in
R3(config-line)# access-class 10 in
Then suppose you want R1 to block all packets whose source IP address falls in any of the RFC 1918 private ranges or in 127.0.0.0/8. The solution is as follows:
R1(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 100 permit ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in
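As an added example that is not part of the article, the following Python evaluator applies the three guidelines above (wildcard-mask matching, top-down first match, implicit deny) to a constructed copy of ACL 100; the function names are my own, and only the source address field is matched.

```python
import ipaddress
# Added example, not code from the article: evaluates Cisco-style numbered ACL source
# entries using wildcard masks, top-down first match, and the implicit "deny all".
STANDARD_RANGES = [(1, 99), (1300, 1999)]  # extended ACLs: 100-199, 2000-2699

def wildcard_for_prefix(prefix):
    """Wildcard mask for a CIDR block: it is the inverse of the subnet mask
    (bit 0 = must match, bit 1 = don't care), e.g. 172.16.0.0/12 -> 0.15.255.255."""
    return str(ipaddress.IPv4Network(prefix).hostmask)

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard mask sets to 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} [proto] <src> [wildcard] ...' lines
    into (action, base, wildcard) tuples; only the source field is matched."""
    entries = []
    for line in lines:
        p = line.split()
        standard = any(lo <= int(p[1]) <= hi for lo, hi in STANDARD_RANGES)
        i = 3 if standard else 4  # extended entries name a protocol before the source
        if p[i] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif p[i] == "host":
            base, wc = p[i + 1], "0.0.0.0"
        else:  # a standard entry with no wildcard means a single host (0.0.0.0)
            has_wc = len(p) > i + 1 and p[i + 1][0].isdigit()
            base, wc = p[i], (p[i + 1] if has_wc else "0.0.0.0")
        entries.append((p[2], base, wc))
    return entries

def evaluate(entries, src_addr):
    """Process entries top-down; the first match wins; no match = implicit deny."""
    for action, base, wc in entries:
        if wildcard_match(src_addr, base, wc):
            return action
    return "deny"  # the implicit "deny all" at the end of every ACL

# Constructed copy of the article's ACL 100: drop RFC 1918 and loopback sources.
ACL_100 = parse_acl([
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 permit ip any any",
])
```

Evaluating ACL_100 without its final permit line shows why the implicit deny matters: every source, including public addresses, is then denied.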
I hope this was enough to get you started with ACLs or to refresh some important notions when preparing for a Cisco exam.
Is there anything related to ACLs that you’d like us to dig into?
9 Responses
Hi Arif,
Standard access-lists and named access-lists are both the same concept; the only difference is the command.
Both are applied near the destination.
1. Standard access-list number ranges 1 – 99
2. Can block a network, host and subnet
3. All services are blocked
4. Filtering is done based only on the source IP address
#. Named access list: we can't use a number, we use a name.
For example: ip access-list standard permit/deny X.X.X.X
Standard access-list: access-list 50 permit/deny X.X.X.X
Hi mate,
I'm being hacked into by other tenants where I live when I browse the internet. They can also see what I'm doing in my room, and I can only assume it's by means of my smart TV, as they seem to know exactly what I'm looking at when I change channels. When I look into my Echo Life 520 router and go to the DHCP table, I see other hosts (I think that's the term) that show an iPhone and a Samsung which I don't use! Is it right that my router should record this in the table, and if not, can I do anything about it? Is there anything more I can do to my router, as I have changed my encryption password but it hasn't made any difference, as I presume the login on my router is my encryption? Any useful info would be helpful, like which router might be the best to buy in this situation?
Regards,
Peter.
I am confused about named and standard ACLs. Please guide me.
There is no difference between named and numbered ACLs.
In a numbered ACL we give the ACL a number, and in a named ACL we can assign a name to the ACL, which is easier to recognize.
Can you discuss time-based access lists?
Yes, of course. You can expect the article during the next week.
Hi Jith,
The article is now live:
https://routerfreak.com/time-based-access-control-lists/
Cheers!
I wish I had seen this years ago. The way the network masks are defined always confused me. Thanks for sharing this.