
Access Control Lists

Mark Clements
This Week – Access Control Lists

 What are ACLs?
 What are they for?
 How do they work?
 Standard ACLs
 Extended ACLs
 Where to place them
2 17 March 2009 ITCN

Reasons for ACLs

 Limit network traffic to where we define and increase network performance
 Provide traffic flow control
– ACLs can restrict or reduce the contents of routing updates
 Provide a basic level of security for network access
 Decide which types of traffic are forwarded or blocked at router interfaces

Consider an arbitrary Network



Routers and ACLs

 Router can read packets
 Packets contain much data
 We can choose to act upon this data
 Permits us to allow or deny whichever part of this data we wish
 ACLs implement this policy


The task of ACLs

 An ACL is a group of statements that define how or whether packets:
  Enter inbound interfaces
  Exit outbound interfaces of the router
  Relay through the router or not


The Order of ACLs is important

 IOS tests the packet against each condition statement in the order in which the statements were created
 Note: after a match is found, no more condition statements are checked
 If you create a condition statement that permits all traffic, no statements added later will ever be checked
 If all the ACL statements are unmatched, an implicit "deny any" statement is imposed

ACL Statement Order

 Implicit ‘last statement’ denies all traffic
 Must make statements preceding this allow the permitted traffic to flow
 Construct statements carefully
 Anything not explicitly permitted will be denied


Standard ACLs

 You use standard ACLs when you:
  want to block all traffic from a network
  allow all traffic from a specific network
  deny entire protocol suites e.g. www or icmp
 Standard ACLs check the source address of packets that could be routed across your network
 Standard ACLs are not used very often


Extended ACLs

 These are used whenever we want to be more specific about the type of traffic to block
  e.g. a certain host or an entire protocol, e.g. www or ftp or icmp (ping)
 These are used very frequently


Creating ACLs

 Enter global configuration mode, i.e. Router(config)#
 Enter the command
  ip access-list [standard|extended] number (to identify it)
 Router prompt changes accordingly


Using Notepad

 Create ACLs in Notepad (or other text editor)
 They can be easily manipulated and reordered
– This is not possible on a router – it is necessary to delete the entire list and start again
 Once the ACL is correct, it can be pasted into the router’s CLI


Standard and Extended ACLs

 ACL 1 to 99 are for standard ACL statements
  Router(config-std-nacl)#
 ACL 100 to 199 are for extended ACL statements
  Router(config-ext-nacl)#
 Logically order the ACL
 Permitted IP protocols must be specified
– all other protocols should be denied


Which Interface to place the ACL?

 ACLs are assigned to one or more interfaces
 Can filter inbound or outbound traffic
 Outbound ACLs are generally more efficient than inbound
– Only checks packets on that interface
 Inbound ACLs must check all packets before switching the packet to the outbound interface


Wildcard Mask

 This identifies a host or range of addresses
 It is the binary inversion of the subnet mask
  i.e. in a ‘class C’ address range we use the subnet mask 255.255.255.0
  To specify the same range with a wildcard mask we use 0.0.0.255 (all 1s are now 0s and all 0s are now 1s)


Wildcard Mask Bits

 Sometimes we need to specify a range of IP addresses
 Wildcard mask is a 32-bit quantity divided into four octets
 Each octet contains 8 bits
 Wildcard mask bit 0 means "check corresponding bit value"
 Wildcard mask bit 1 means "do not check (ignore) that corresponding bit value"

Example

 What is the dotted decimal wildcard mask you would use to check for all traffic from hosts in the range 193.60.64.1 to 193.60.64.31?
 Hint – convert to binary first
 Write first and last addresses to compare like and unlike bits
 Convert back to decimal afterwards


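The wildcard-mask rules from the last three slides, worked through in Python. This is an added example, not code from the slides: subnet_to_wildcard inverts a subnet mask, wildcard_matches applies the bit-0-check / bit-1-ignore rule, and wildcard_for_range follows the slide's hint (compare the first and last address, keep the like bits, ignore the unlike ones) for any range, not just the one on the slide. The function names and sample addresses are my own; only the exercise range 193.60.64.1 to 193.60.64.31 comes from the slide.

```python
# Added example: wildcard-mask arithmetic. Function names are assumptions, not IOS commands.
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer back to dotted decimal."""
    return str(ipaddress.IPv4Address(value & MASK32))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """The wildcard mask is the bitwise inversion of the subnet mask
    (all 1s become 0s and all 0s become 1s)."""
    return to_dotted(~to_int(subnet_mask) & MASK32)


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = 'check this bit', bit 1 = 'ignore this bit'.
    The address matches when every checked bit equals the base address's bit."""
    differing = to_int(address) ^ to_int(base)
    checked = ~to_int(wildcard) & MASK32
    return differing & checked == 0


def wildcard_for_range(first: str, last: str) -> tuple:
    """Base address and wildcard of the smallest block that covers first..last.
    Bits where first and last differ, and every bit below them, must be ignored;
    the like bits above them are checked."""
    lo, hi = to_int(first), to_int(last)
    unlike = lo ^ hi
    wildcard = (1 << unlike.bit_length()) - 1     # ones up to the highest unlike bit
    base = lo & ~wildcard                         # like bits kept, ignored bits cleared
    return to_dotted(base), to_dotted(wildcard)


def matched_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address a base/wildcard pair actually admits.
    Useful to spot when a block lets in more than the range you wanted."""
    b, w = to_int(base), to_int(wildcard)
    return to_dotted(b & ~w), to_dotted(b | w)


if __name__ == "__main__":
    print(subnet_to_wildcard("255.255.255.0"))
    print(wildcard_matches("192.168.13.7", "192.168.0.0", "0.0.255.255"))
    base, wc = wildcard_for_range("193.60.64.1", "193.60.64.31")
    print(base, wc, matched_range(base, wc))
```

For the slide's exercise wildcard_for_range returns base 193.60.64.0 with wildcard 0.0.0.31, and matched_range shows that this block also admits 193.60.64.0: a wildcard mask can only express aligned power-of-two blocks, so a range such as .1 to .31 cannot be matched exactly and the extra address has to be accepted or denied by a separate host statement.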
Quad Zero Address

 0.0.0.0 is known as the Quad Zero address and it is ‘shorthand’ for any IP address.


Useful Commands – ANY

 To specify that any source address will be permitted to pass:
Router(config-std-nacl)# access-list 1 permit 0.0.0.0 255.255.255.255
 Is the same as (but shorter):
Router(config-std-nacl)# access-list 1 permit any


HOST Command

 A specific IP host address will be denied in an ACL test:
Router(config-std-nacl)# access-list 1 deny 172.30.16.29 0.0.0.0
 Is the same as (but this is shorter):
Router(config-std-nacl)# access-list 1 deny host 172.30.16.29


Examples of ACLs

 access-list 33 permit 192.168.0.0 0.0.255.255 (permits all traffic in the range 192.168.0.0 to 192.168.255.255)
 access-list 44 deny 192.168.13.7 0.0.0.0 (denies traffic from only the host 192.168.13.7)
 access-list 55 permit 0.0.0.0 255.255.255.255 (permits all traffic from any network; the same as access-list 55 permit any)


Extended ACLs

 Provide a greater range of control than standard ACLs
 E.g. we can allow Web traffic but deny File Transfer Protocol (FTP) or TELNET or other traffic
 Extended ACLs check for both source and destination packet addresses
 Specific protocols, port numbers and other parameters can be checked for
 Packets can be permitted or denied output based on where the packet originated and based on its destination


Extended ACL example

chatham(config)#ip access-list extended 150
chatham(config-ext-nacl)#?
  default  Set a command to its defaults
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  remark   Access list entry comment
chatham(config-ext-nacl)#permit tcp 192.168.1.1 0.0.0.255 192.168.2.3 0.0.0.255


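The first-match evaluation with implicit deny from the "Order of ACLs" slides, together with the protocol and port checks of extended ACLs, in one small Python simulator. This is an added example, not code from the slides or from Cisco IOS: it parses the numbered access-list form (1 to 99 standard, 100 to 199 extended, as the slides number them) with any, host and address/wildcard source and destination specs plus an optional eq port, and tests a packet against the entries in the order they were written. The class and function names, sample ACLs and packets are all constructed for the example.

```python
# Added example: an IOS-style numbered-ACL simulator. Names are my own, not IOS commands.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
ANY = (0, MASK32)              # base 0.0.0.0 with wildcard 255.255.255.255


def ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def matches(address: int, spec: Tuple[int, int]) -> bool:
    """Wildcard bit 0 = compare this bit, bit 1 = ignore it."""
    base, wildcard = spec
    return (address ^ base) & ~wildcard & MASK32 == 0


@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: Tuple[int, int]
    dst: Tuple[int, int] = ANY     # standard entries check the source only
    dport: Optional[int] = None    # from "eq <port>" on extended entries


def _addr_spec(tokens: List[str]):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (spec, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (ip(tokens[1]), 0), tokens[2:]
    return (ip(tokens[0]), ip(tokens[1])), tokens[2:]


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny ...' lines, keeping the order written."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue                                   # blank line or comment
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:                          # standard ACL: source only
            src, _ = _addr_spec(rest)
            entries.append(Entry(action, "ip", src))
        else:                                          # extended: proto src dst [eq port]
            proto, rest = rest[0], rest[1:]
            src, rest = _addr_spec(rest)
            dst, rest = _addr_spec(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the entry that matched). The first match wins;
    with no match the implicit 'deny any' at the end of every ACL applies."""
    for index, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (matches(ip(pkt.src), e.src) and matches(ip(pkt.dst), e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, index
    return "deny", None


# Constructed sample ACLs (not from the slides).
SHADOWED = """
access-list 10 permit any
access-list 10 deny host 192.168.13.7
"""
ORDERED = """
access-list 10 deny host 192.168.13.7
access-list 10 permit 192.168.0.0 0.0.255.255
"""
WEB_ONLY = """
access-list 150 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.3 eq 80
access-list 150 deny tcp any any eq 21
"""

if __name__ == "__main__":
    print(evaluate(parse_acl(SHADOWED), Packet("192.168.13.7")))
    print(evaluate(parse_acl(ORDERED), Packet("192.168.13.7")))
    print(evaluate(parse_acl(ORDERED), Packet("10.0.0.5")))
```

SHADOWED shows the ordering problem from slide 7: the permit any on the first line matches everything, so the deny for 192.168.13.7 is never reached. ORDERED puts the host deny first and then relies on the implicit deny for every source outside 192.168.0.0/16. WEB_ONLY shows why the slides say extended ACLs are used far more often: the same list permits web traffic from the LAN to one server, refuses FTP, and, because of the implicit deny, silently drops anything else, including ping, that was not explicitly permitted.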
Well-known Port numbers

 Some ports are commonly used
 Their numbers are well-known
 PC can be configured by a hacker to use a different port!

Placing Standard and Extended ACLs

 Put the Extended ACLs as close as possible to the source machine or range (on your network) for the traffic type denied
 Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near as possible to the destination machine (or range) we want to deny

Applying ACLs to an interface

 Once you have written an ACL, you need to apply it to an interface, either IN or OUT
 If we have written access-list 101, we could apply it to the Fa0/0 interface inbound:
int fa0/0
ip access-group 101 in
 ACLs can also be placed on an interface in the outbound direction


Placing ACLs

 Imagine you are standing INSIDE the router
 The direction of the ACL for an interface will be the same as our perspective standing INSIDE the router


Conclusion

 ACLs will check packets for certain conditions
 Standard ACLs test simple conditions
 Extended ACLs test for more rigorous conditions
 Define ACL – Apply to interface
 Place ACLs sensibly
 Be sure to order ACLs sensibly too!
