
ACL

access control list


Outline

Purpose of ACL

How ACL works

Types of ACL

ACL component

Wildcard mask

How to implement ACL

Purpose of ACL
• Access control lists are used for controlling
permissions to a computer system or computer
network.
• They are used to filter traffic in and out of a specific
device.
• Those devices can be network devices that act as
network gateways or endpoint devices that users
access directly.
• Access control lists can help organize traffic to
improve network efficiency and to give network
administrators granular control over users on their
computer systems and networks.
• ACLs can also be used to improve network security by
keeping out malicious traffic.
How ACL works
• Networking ACLs are configured on routers or switches, where they act as traffic filters. Each networking ACL contains predefined rules that control which packets or routing updates are allowed or denied access to a network.
• Routers and switches with ACLs work like packet filters that forward or drop packets based on filtering criteria. As a Layer 3 device, a packet-filtering router uses rules to decide whether traffic should be permitted or denied. It decides this based on source and destination IP addresses, source and destination ports, and the protocol of the packet (for example TCP, UDP or ICMP).
• The entries of an ACL are evaluated in order from the top. The first entry that matches the packet decides whether it is permitted or denied, and a packet that matches no entry is dropped by the implicit deny at the end of every ACL.
Types of ACL
There are two basic types of ACLs:
1. File system ACLs: manage access to files and directories. They give OSes the instructions that establish user access permissions for the system and their privileges once the system has been accessed.
2. Networking ACLs: manage network access by providing instructions to network switches and routers that specify the types of traffic that are allowed to interface with the network.

ACLs can also be categorized by the way they identify traffic:

1. Standard ACLs
Standard ACLs filter at Layer 3 using the source IPv4 address only. They permit or deny the entire IP protocol suite for that source; they cannot distinguish between kinds of IP traffic such as TCP, UDP or ICMP, nor between applications such as HTTP and HTTPS. Numbered standard ACLs use the numbers 1-99 or 1300-1999; the number tells the router that the list is a standard ACL, so each entry is matched against the packet's source address.
2. Extended ACLs
Extended ACLs filter at Layer 3 using the source and/or destination IPv4 address and the protocol (IP, TCP, UDP, ICMP, and so on). They can also filter at Layer 4 using TCP and UDP port numbers for finer control, so you can specify exactly which IP traffic is permitted or denied. Numbered extended ACLs use the numbers 100-199 and 2000-2699.
ACL component
• The Sequence number identifies the ACL entry.
• The Name provides a descriptive identification for an ACL.
• The Statement is the main part of the ACL. Using statements, the user permits or denies access to an IP address or IP range. An ACL uses a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are also commonly called ACL statements.
• The Network protocol component allows or denies access to specific network protocols, such as IP, TCP, UDP, etc.
• The Source or destination component defines source or destination IP addresses or ranges.
• Logs, to keep track of ACL events.
• Remarks, to provide space for additional comments about the purpose of the ACL.
• Complex ACLs have components for more granular network traffic control based on the ToS (type of service) or DSCP priority.
Wildcard mask
• A wildcard mask is like a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask the reverse is true.
• Wildcard mask bit 0 - Match the corresponding bit value in the address
• Wildcard mask bit 1 - Ignore the corresponding bit value in the address
Overview

Wildcard Mask   Last Octet (in Binary)   Meaning (0 - match, 1 - ignore)
0.0.0.0         00000000                 Match all octets.
0.0.0.63        00111111                 Match the first three octets; match the two left-most bits of the last octet; ignore the last 6 bits.
0.0.0.15        00001111                 Match the first three octets; match the four left-most bits of the last octet; ignore the last 4 bits of the last octet.
0.0.0.252       11111100                 Match the first three octets; ignore the six left-most bits of the last octet; match the last two bits.
0.0.0.255       11111111                 Match the first three octets; ignore the last octet.
Example
• The wildcard mask for the subnet mask 255.255.224.0 is 0.0.31.255: invert the bits, so every 0 becomes 1 and every 1 becomes 0, as in the following example.
11111111.11111111.11100000.00000000 = subnet mask (255.255.224.0)
00000000.00000000.00011111.11111111 = wildcard mask (0.0.31.255)

Or, subtract the subnet mask from 255.255.255.255:

  255.255.255.255
- 255.255.224.  0
  ---------------
    0.  0. 31.255   wildcard mask for a /19 subnet mask
Wildcard mask types
---wildcard to match a host---
• Assume ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1. Recall that “0” equals a match and “1” equals ignore. To match a specific host IPv4 address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required.
• When the ACE is processed, the wildcard mask will permit only the 192.168.1.1 address.
• The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0.
• A single IP address is a /32, i.e. subnet mask 255.255.255.255, which inverts to the wildcard mask 0.0.0.0.
Wildcard mask types
---wildcard to match an ipv4 subnet---
• ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The
wildcard mask 0.0.0.255 stipulates that the very first three octets must match
exactly but the fourth octet does not.
• When processed, the wildcard mask 0.0.0.255 permits all hosts in the
192.168.1.0/24 network. The resulting ACE in ACL 10 would be access-list 10
permit 192.168.1.0 0.0.0.255.
  255.255.255.255
- 255.255.255.  0
  ---------------
    0.  0.  0.255   wildcard mask for /24

192.168.1.0 0.0.0.255
Wildcard mask types
---wildcard to match an ipv4 address range---
Does the host address range 192.168.1.1 - 192.168.1.14 match on wildcard mask 0.0.0.15?

14 hosts → see the table: the smallest block that holds them is 16 addresses (a /28), and a /28 has the wildcard mask 0.0.0.15. Note that a single ACE matches exactly 2^n addresses, where n is the number of 1 bits in the wildcard mask, so 192.168.1.0 0.0.0.15 also matches 192.168.1.0 and 192.168.1.15, two addresses outside the requested range.

subnet mask
  255.255.255.255
- 255.255.255.240
  ---------------
    0.  0.  0. 15

192.168.1.0 0.0.0.15
• Which wildcard mask matches the host address range 192.168.4.1 - 192.168.4.2?
• Which wildcard mask matches the host address range 172.16.1.33 - 172.16.1.38?
• Which wildcard mask matches the host address range 192.168.10.0 - 192.168.11.0?
• Which wildcard mask matches the host address range 192.168.16.0 - 192.168.31.0?
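Added worked example (not part of the original slides or of any Cisco material): a short Python script that implements the wildcard-mask rules above in general form. It converts a subnet mask or prefix length to a wildcard mask, applies the Cisco matching rule bit by bit, and, for the range exercises, finds the single address/wildcard pair that covers a range and reports how many addresses outside the range it also matches. The addresses used are those from the slides; everything else (function names, the over-match calculation) is this example's own.

```python
import ipaddress
from typing import Tuple

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask (255.255.255.255 minus the mask)."""
    return _to_dotted(_to_int(subnet_mask) ^ MASK32)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /n block: the low (32 - n) bits are 1, i.e. ignored."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return _to_dotted((1 << (32 - prefix_len)) - 1)


def ace_matches(address: str, ace_address: str, wildcard: str) -> bool:
    """Cisco matching rule: where the wildcard bit is 0 the address bit must equal
    the ACE's bit, where it is 1 the bit is ignored. Equivalent to comparing
    (address AND NOT wildcard) with (ace_address AND NOT wildcard)."""
    care = ~_to_int(wildcard) & MASK32          # 1 where the bit must match
    return (_to_int(address) & care) == (_to_int(ace_address) & care)


def ace_for_range(first: str, last: str) -> Tuple[str, str, int, int]:
    """Smallest single address/wildcard pair that covers first..last.

    Returns (ace_address, wildcard, matched_count, overmatch). A single ACE
    matches exactly 2**n addresses (n = number of 1 bits in the wildcard), so a
    range whose size is not a power of two, or that is not aligned to its block,
    is over-matched: overmatch is how many addresses outside the requested range
    the ACE also permits or denies. A non-zero overmatch on a permit is an
    over-broad rule and should be split into several ACEs instead."""
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    # Shrink the prefix length until one block contains both ends of the range.
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    wildcard = (1 << (32 - prefix)) - 1
    ace_address = lo & ~wildcard & MASK32
    matched = wildcard + 1
    return _to_dotted(ace_address), _to_dotted(wildcard), matched, matched - (hi - lo + 1)


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.224.0"))          # 0.0.31.255, as on the slide
    for first, last in [("192.168.1.1", "192.168.1.14"), ("172.16.1.33", "172.16.1.38")]:
        addr, wc, count, extra = ace_for_range(first, last)
        print(f"{first}-{last}: {addr} {wc} matches {count} addresses, {extra} outside the range")
    # Wildcard bits need not be contiguous: 0.0.0.254 keeps only the last bit,
    # so this ACE matches every odd host in 192.168.1.0/24.
    print(ace_matches("192.168.1.7", "192.168.1.1", "0.0.0.254"))   # True
```

The over-match value is the security-relevant output: 192.168.1.1 - 192.168.1.14 needs the /28 wildcard 0.0.0.15 but that ACE also covers .0 and .15, and 172.16.1.33 - 172.16.1.38 needs 172.16.1.32 0.0.0.7, which also covers .32 and .39. A range that is exactly a power-of-two block, such as 192.168.16.0 - 192.168.31.255, has an over-match of zero (192.168.16.0 0.0.15.255).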
Wildcard mask keyword
The Cisco IOS provides two keywords to identify the most common
uses of wildcard masking. The two keywords are:
• host - This keyword substitutes for the 0.0.0.0 mask. This mask states
that all IPv4 address bits must match to filter just one host address.
• any - This keyword substitutes for the 255.255.255.255 mask. This
mask says to ignore the entire IPv4 address or to accept any
addresses.
How to implement ACL
The router is the optimal place to apply ACL rules, so knowing the router traffic flow is essential for proper ACL implementation.
• Ingress (inbound) traffic is the traffic flowing into the router through an interface.
• Egress (outbound) traffic is the traffic that leaves the router through an interface.
What is the Source if you want to Block Traffic coming from the Internet?
• Remember that inbound traffic is coming from the outside network to your router interface. So, the source is an IP address on the Internet (for example a web server's public IP address) or everything (the any keyword, i.e. 0.0.0.0 with the wildcard mask 255.255.255.255), and the destination is an internal IP address.
What if you want to Block a Specific Host from connecting to the Internet?
• This traffic enters the router from the inside network on the LAN interface and goes out to the Internet. So, the source is the IP address of the internal host, and the destination is the IP address on the Internet.
• ACLs are often placed on the edge routers of a network because they border the public
internet. This gives the ACL a chance to filter traffic before it reaches the rest of the network.
• Edge routers with ACLs can be placed in the demilitarized zone (DMZ) between the public
internet and the rest of the network.
• DMZs may contain different network resources, like application servers, web servers, domain
name servers or virtual private networks. The configuration of the ACL on the routing device is
different, depending on the devices behind it and the categories of user that need access to
those devices.

The basic syntax used to create a standard numbered access control list on a Cisco router is as follows:
Router(config)# access-list (1-99 or 1300-1999) (permit | deny) source-addr (source-wildcard)
access-list 99 deny host 172.33.1.1
The host keyword replaces the wildcard mask 0.0.0.0, so the two are not written together; access-list 99 deny 172.33.1.1 0.0.0.0 is the equivalent long form. Every ACL ends with an implicit deny of all remaining traffic, so a list containing only this statement blocks everything on the interface it is applied to; a permit statement for the remaining traffic (permit any) must follow it. The list has no effect until it is applied to an interface in one direction, inbound or outbound.
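Added example (not from the slides or from Cisco): a Python model of how a router evaluates a standard numbered ACL, to make the three points above concrete. It parses access-list statements in the syntax shown, evaluates a source address top-down with first match wins and the implicit deny at the end, and flags entries that can never match because an earlier entry already covers them. The three ACL texts are constructed for the example: the one-line deny from the slide, a corrected version with permit any after it, and a mis-ordered version with permit any first. Function and constant names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    address: int    # source address the entry was written with
    wildcard: int   # 1 bits are ignored when matching, 0 bits must match


def parse_standard_ace(line: str) -> Tuple[int, Ace]:
    """Parse 'access-list <number> permit|deny <source>' where <source> is
    'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W', or a bare 'A.B.C.D' (IOS then
    assumes the wildcard 0.0.0.0). 'host' combined with a wildcard is rejected,
    as IOS rejects it. Returns (ACL number, Ace)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number = int(tokens[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is not a standard ACL number")
    action, src = tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny in {line!r}")
    if src == ["any"]:
        address, wildcard = 0, MASK32
    elif len(src) == 2 and src[0] == "host":
        address, wildcard = int(ipaddress.IPv4Address(src[1])), 0
    elif len(src) == 2:
        address = int(ipaddress.IPv4Address(src[0]))
        wildcard = int(ipaddress.IPv4Address(src[1]))
    elif len(src) == 1:
        address, wildcard = int(ipaddress.IPv4Address(src[0])), 0
    else:
        raise ValueError(f"malformed source in {line!r}")
    return number, Ace(action, address, wildcard)


def load_standard_acl(config: str) -> Tuple[Optional[int], List[Ace]]:
    """Load one numbered standard ACL from configuration text, in the order the
    lines appear. Blank lines, '!' comment lines and remark entries are skipped."""
    number, aces = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.split()[2:3] == ["remark"]:
            continue
        n, ace = parse_standard_ace(line)
        if number is not None and n != number:
            raise ValueError("configuration mixes ACL numbers")
        number = n
        aces.append(ace)
    return number, aces


def evaluate(aces: List[Ace], source_ip: str) -> Tuple[str, Optional[int]]:
    """Router behaviour: entries are tried top-down and the first match decides.
    Returns (action, index of the matching ACE); index None means no entry
    matched and the implicit 'deny any' at the end of every ACL applied."""
    src = int(ipaddress.IPv4Address(source_ip))
    for index, ace in enumerate(aces):
        care = ~ace.wildcard & MASK32
        if (src & care) == (ace.address & care):
            return ace.action, index
    return "deny", None


def shadowed_entries(aces: List[Ace]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry already
    matches every address they would match (a common ordering mistake)."""
    shadowed = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            care = ~earlier.wildcard & MASK32
            # earlier covers later if it cares about no bit that later ignores
            # and the bits it cares about agree.
            if (care & later.wildcard) == 0 and ((earlier.address ^ later.address) & care) == 0:
                shadowed.append(j)
                break
    return shadowed


# Constructed configurations for the example.
SLIDE_ACL = "access-list 99 deny host 172.33.1.1\n"
CORRECTED_ACL = """access-list 99 remark block one host, allow everything else
access-list 99 deny host 172.33.1.1
access-list 99 permit any
"""
MISORDERED_ACL = """access-list 99 permit any
access-list 99 deny host 172.33.1.1
"""

if __name__ == "__main__":
    for name, text in [("slide", SLIDE_ACL), ("corrected", CORRECTED_ACL), ("misordered", MISORDERED_ACL)]:
        _, aces = load_standard_acl(text)
        for ip in ("172.33.1.1", "10.0.0.5"):
            print(name, ip, evaluate(aces, ip))
        print(name, "shadowed entries:", shadowed_entries(aces))
```

Running it shows the slide's one-line list denying 172.33.1.1 at entry 0 and every other source by the implicit deny (index None), the corrected list permitting other sources at entry 1, and the mis-ordered list permitting 172.33.1.1 because the deny is shadowed by permit any. The model stops at evaluation; on a real router the list still has to be applied to an interface with ip access-group in the right direction, which this example does not cover.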
References
• https://community.cisco.com/t5/networking-knowledge-base/access-control-lists-acl-explained/ta-p/4182349
• https://www.ittsystems.com/access-control-list-acl/
• https://phoenixnap.com/kb/acl-network
• ENSA (Enterprise Networking, Security, and Automation), Cisco Networking Academy
• https://www.techtarget.com/searchnetworking/definition/access-control-list-ACL
• https://www.imperva.com/learn/data-security/access-control-list-acl/
