
Advanced Network Technology

Working Principle of ACL


Main Content

Working Principle of ACL


Common Technology Courses
• Recently, a customer requested to reconstruct its network. The financial system of the customer had undergone IT-based
reconstruction, and basically all services were accessed via networks. Such reconstruction had improved the customer's
work efficiency. However, since the current system was connected via networks, the director of the financial department
worried that the company would suffer huge losses if unauthorized users listened to or accessed information of the
financial department. The customer sought help from Ruijie to solve the problem.
[Topology diagram: a layer-3 switch with a server attached; its ports 1 and 2 connect to port 24 of two layer-2 switches, each of which connects PCs of the technical department and the financial department on ports 1 to 3]
• Seeing the topology, Tom remembered a similar project with similar requirements. Because he had not learned layer-3
switches at that time, VLANs and trunk ports were configured to implement isolation.
• In the current topology, the layer-3 switch implements interconnection of networks isolated using VLANs. How to solve
this problem?
• Tom did not follow up that project and did not know the final solution. He then asked the manager for details about the
implementation of isolation in that project.
[Topology diagram: a layer-3 switch with a server attached; its ports 1 and 2 connect to port 24 of two layer-2 switches, each of which connects PCs of the technical department and the financial department on ports 1 to 3]
• The manager praised Tom for his clear analysis and told Tom that ACLs were configured to
implement isolation.
• The manager gave a slide document to Tom and asked Tom to talk about his study the next day.
The manager always provided Tom with guidance. Tom felt confident and promised to learn the
document.
[Topology diagram: a layer-3 switch with a server attached; its ports 1 and 2 connect to port 24 of two layer-2 switches, each of which connects PCs of the technical department and the financial department on ports 1 to 3]
Principle and Configuration of ACL
• Access Control List (ACL)

• Switches and routers forward data according to forwarding rules by default. If some data needs to be
controlled specially, an ACL can be used.

• In this project, PCs of the technical department and the financial department can access each other
through the layer-3 switch by default. An ACL can be configured to control the data forwarding.
[Topology diagram: a layer-3 switch whose ports 1 and 2 connect to port 24 of two layer-2 switches, each of which connects PCs of the technical department and the financial department on ports 1 to 3]
• ACL Implementation
• An ACL matches data via wildcard masks, and can be configured to forward or discard the matched
data. For example, to prohibit access from 192.168.1.10 to 192.168.3.10, the following ACL denies
all IP traffic from the source subnet 192.168.1.0/24 (which contains 192.168.1.10) to the destination
subnet 192.168.3.0/24 (which contains 192.168.3.10):
Ruijie(config)#ip access-list extended 101
Ruijie(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

• The ACL is described as follows:

ip access-list extended 101
    ACL type: extended
    ACL name: 101

10 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    No.: 10
    ACL action: deny
    Type of matched data flow: ip
    Subnet of the source IP address: 192.168.1.0, subnet mask configured in the form of a wildcard mask: 0.0.0.255
    Subnet of the destination IP address: 192.168.3.0, subnet mask configured in the form of a wildcard mask: 0.0.0.255
• Common ACL Types

• ACLs can be further classified based on the data fields they can match:

• Standard ACL: Only the source IP address in the IP header is matched.

• The "standard" keyword is used when the ACL is created.

• Extended ACL: The source IP address, destination IP address, protocol (for example, IP or TCP), and protocol
information (for example, the TCP port) are matched.

• The "extended" keyword is used when the ACL is created.

• ACL Naming

• No.

• The No. ranges of standard and extended ACLs are different.

• User-defined name

• You are advised to define a name for an ACL. For example, if PCs in VLAN 10 are prohibited from accessing
VLAN 30, name the ACL DENY_VLAN10_TO_VLAN30. In this way, the ACL name can clearly reflect the service
requirement on the ACL.
Ruijie(config)#ip access-list standard ?
<1-99> IP standard acl
<1300-1999> IP standard acl (expanded range)
WORD Acl name

Ruijie(config)#ip access-list extended ?
<100-199> IP extended acl
<2000-2699> IP extended acl (expanded range)
WORD Acl name
• ACL Actions
• There are two ACL actions: permit and deny.
• Permit: Data flows that match the ACL statement are permitted.

• Deny: Data flows that match the ACL statement are denied.

ip access-list extended 101
10 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
• Configuring Subnets and Wildcard Masks in ACLs

• A wildcard mask is often used to match data of an IP address range. We have caught a glimpse of the wildcard mask
when learning route advertisement in OSPF.
Ruijie(config)#ip access-list standard 13
Ruijie(config-std-nacl)#permit 192.168.1.0 0.0.0.255
This statement covers the IP address range 192.168.1.0 to 192.168.1.255.
• In this ACL, "standard" indicates that the ACL is a standard ACL, that is, data matching is performed based on only the source IP
address. The ACL permits data whose source IP address is in the range 192.168.1.0 to 192.168.1.255.

• Two keywords of ACLs

• host: Matches only this one IP address (the same as the wildcard mask 0.0.0.0).

• any: Matches all IP addresses.

Ruijie(config)#ip access-list standard 13
Ruijie(config-std-nacl)#permit 192.168.1.10 0.0.0.0

Ruijie(config)#ip access-list standard 13
Ruijie(config-std-nacl)#permit host 192.168.1.10

The two ACLs have the same meaning, that is, only data with the source IP address 192.168.1.10 is permitted.
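The wildcard-mask rule above, worked through in code. This is an added example written for this page, not part of the Ruijie course material, and the function names are the example's own. It goes a little beyond the page's 0.0.0.255 case: it handles any wildcard mask (including non-contiguous ones, which do not describe a single range), converts a /prefix length to its wildcard, and shows that host and any are shorthand for the wildcard masks 0.0.0.0 and 255.255.255.255.

```python
# Added example (not from the Ruijie course material): how an ACL wildcard mask
# selects addresses. A wildcard bit of 0 means "this bit must match", a bit of 1
# means "don't care". So "192.168.1.0 0.0.0.255" covers 192.168.1.0-192.168.1.255,
# "host X" is shorthand for "X 0.0.0.0", and "any" for "0.0.0.0 255.255.255.255".
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr agrees with base on every bit the wildcard mask marks as 0."""
    differing = _to_int(addr) ^ _to_int(base)           # 1 where the bits differ
    return (differing & ~_to_int(wildcard) & 0xFFFFFFFF) == 0


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def contiguous_range(base: str, wildcard: str):
    """(first, last, count) for a wildcard of the usual 0...01...1 shape.
    A non-contiguous wildcard such as 0.0.1.0 selects scattered addresses, not
    one block, so it is rejected here rather than mis-described as a range."""
    w = _to_int(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    first = _to_int(base) & ~w & 0xFFFFFFFF          # clear the don't-care bits
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | w)), w + 1)


def expand_keyword(token: str, value: str = "") -> tuple:
    """Translate ACE shorthand into (base, wildcard) form."""
    if token == "any":
        return "0.0.0.0", "255.255.255.255"
    if token == "host":
        return value, "0.0.0.0"
    raise ValueError("unknown keyword: " + token)


if __name__ == "__main__":
    print(contiguous_range("192.168.1.0", "0.0.0.255"))   # ('192.168.1.0', '192.168.1.255', 256)
    print(prefix_to_wildcard(24))                          # 0.0.0.255
    print(wildcard_match("192.168.1.10", *expand_keyword("host", "192.168.1.10")))  # True
    print(wildcard_match("192.168.1.11", *expand_keyword("host", "192.168.1.10")))  # False
```

The `contiguous_range` check is the one to keep in mind when reviewing ACLs: a mask like 0.0.1.255 is legal and matches 192.168.0.x as well as 192.168.1.x, which is easy to misread as "one /24".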
• Configuring Multiple Statements in an ACL
• Requirements:

• The PC with the IP address 192.168.1.2 is allowed to access all PCs in the network segment 192.168.4.0/24.

• Other PCs in the network segment 192.168.1.0/24 are allowed to access none of the PCs in the network segment
192.168.4.0/24.

• PCs in the network segment 192.168.1.0/24 are allowed to access none of the PCs in the network segment 192.168.5.0/24.

• PCs in the network segment 192.168.2.0/24 are not allowed to access the Web service with the IP address 10.5.5.5.

• Other data is permitted.

• Configuration ideas:

• Determine whether to configure a standard or extended ACL: configure an extended ACL, as both the source and
destination IP addresses need to be controlled.

• Write the ACL according to the requirements: analyze each requirement and write one statement for it, in the order
listed above.

• Configuration:
Ruijie(config)#ip access-list extended safe
Ruijie(config-ext-nacl)#permit ip host 192.168.1.2 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
Ruijie(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 host 10.5.5.5 eq 80
Ruijie(config-ext-nacl)#permit ip any any
• Configuring Multiple Statements in an ACL
• Each statement in an ACL is called an Access Control Entry (ACE).

• ACEs are matched from top down, that is, ACEs are matched by No. in ascending order.

• Once an ACE is matched (regardless of whether the action is deny or permit), the ACL matching stops.

• At the end of every ACL there is an implicit default statement, deny ip any any, which is not displayed. Data that matches
none of the configured ACEs is therefore discarded. If the remaining data is to be forwarded, the ACL must end with an
explicit permit statement such as permit ip any any.

ip access-list extended safe
10 permit ip host 192.168.1.2 192.168.4.0 0.0.0.255
20 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
40 deny tcp 192.168.2.0 0.0.0.255 host 10.5.5.5 eq 80
50 permit ip any any

• An ACL contains multiple ACEs. Taking ACE 20 as an example:

20 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    No.: 20
    Action: deny
    Condition: ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
• Configuring Multiple Statements in an ACL

• Function of ACL No.


• Auto-generated numbers increase by 10 by default. The gaps make it easy to add and maintain ACEs, because the order of
ACEs in an ACL matters.
ip access-list extended safe
10 permit ip host 192.168.1.2 192.168.4.0 0.0.0.255
20 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
40 deny tcp 192.168.2.0 0.0.0.255 host 10.5.5.5 eq 80
50 permit ip any any

• For example, if a new ACE is needed to allow the PC with the IP address 192.168.1.2 to access PCs in the network segment
192.168.5.0/24, it must be added between ACE 20 and ACE 30, so that it is matched before ACE 30 denies the whole segment:
Ruijie(config)#ip access-list extended safe
Ruijie(config-ext-nacl)#21 permit ip host 192.168.1.2 192.168.5.0 0.0.0.255

ip access-list extended safe


10 permit ip host 192.168.1.2 192.168.4.0 0.0.0.255
20 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
21 permit ip host 192.168.1.2 192.168.5.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
40 deny tcp 192.168.2.0 0.0.0.255 host 10.5.5.5 eq 80
50 permit ip any any
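The matching rules of the last few slides (top-down by number, first match wins, implicit deny at the end, and the role of the numbering gaps) as one runnable model. This is an added example, not Ruijie's code; the class and function names are the example's own, and the packets fed to it are constructed samples. build_safe_acl() reproduces the "safe" ACL above, and add() inserts ACE 21 exactly as the CLI does.

```python
# Added example (not Ruijie's code): a model of how an extended ACL is evaluated.
# ACEs are tried in ascending sequence number; the first match decides (permit
# or deny) and evaluation stops; if nothing matches, the implicit "deny ip any
# any" applies. build_safe_acl() reproduces the course's "safe" ACL, and add()
# shows why the gaps of 10 matter: ACE 21 can be slotted in ahead of ACE 30.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must match; bits where it is 1 are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


HOST = "0.0.0.0"                          # wildcard behind "host X"
ANY = ("0.0.0.0", "255.255.255.255")      # base and wildcard behind "any"


@dataclass
class ACE:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp"/"udp"/"icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # "eq <port>" for tcp/udp

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))


@dataclass
class ACL:
    name: str
    aces: list = field(default_factory=list)

    def add(self, ace: ACE) -> None:
        """Insert (or replace) by sequence number; the list stays ordered by seq."""
        others = [a for a in self.aces if a.seq != ace.seq]
        self.aces = sorted(others + [ace], key=lambda a: a.seq)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (action, seq of the ACE that matched); seq None = implicit deny."""
        for ace in self.aces:                 # top down, ascending seq
            if ace.matches(pkt):
                return ace.action, ace.seq    # first match wins, stop here
        return "deny", None                   # implicit deny ip any any


def build_safe_acl() -> ACL:
    acl = ACL("safe")
    acl.add(ACE(10, "permit", "ip", "192.168.1.2", HOST, "192.168.4.0", "0.0.0.255"))
    acl.add(ACE(20, "deny", "ip", "192.168.1.0", "0.0.0.255", "192.168.4.0", "0.0.0.255"))
    acl.add(ACE(30, "deny", "ip", "192.168.1.0", "0.0.0.255", "192.168.5.0", "0.0.0.255"))
    acl.add(ACE(40, "deny", "tcp", "192.168.2.0", "0.0.0.255", "10.5.5.5", HOST, dport=80))
    acl.add(ACE(50, "permit", "ip", *ANY, *ANY))
    return acl


if __name__ == "__main__":
    acl = build_safe_acl()
    pkt = {"proto": "tcp", "src": "192.168.1.2", "dst": "192.168.5.9", "dport": 22}
    print("before ACE 21:", acl.evaluate(pkt))     # ('deny', 30)
    acl.add(ACE(21, "permit", "ip", "192.168.1.2", HOST, "192.168.5.0", "0.0.0.255"))
    print("after ACE 21:", acl.evaluate(pkt))      # ('permit', 21)
```

Two things the model makes visible that the slides only state: ACE 40 is protocol-specific, so UDP to 10.5.5.5 port 80 falls through to ACE 50 and is permitted; and an ACL built without the final permit silently denies everything it does not list.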
• ACL Application Position
• An ACL takes effect only when it is called on an interface. It can be applied in two directions:

• In: Indicates that ACL matching is performed on data received by this interface.

• Out: Indicates that ACL matching is performed on data sent from this interface.
Ruijie(config)#int f0/1
Ruijie(config-FastEthernet 0/1)#ip access-group safe in
• An ACL can be called on a physical port or SVI.
[Topology diagram: layer-3 switch SW 1, ports 1 and 2, uplinked to port 24 of layer-2 switches SW 2 and SW 3; on each layer-2 switch, ports 1 to 3 connect PCs of the technical department and the financial department; PC 1 is in the technical department on SW 2 and PC 2 in the financial department on SW 3]
• ACL Application
• Requirement: PCs of the technical department need to be prohibited from accessing PCs of the financial department.

• ACL configuration steps (on SW 2):

• 1. Determine whether to configure a standard or extended ACL according to the requirements.

• Configure an extended ACL, as both the source and destination IP addresses are involved.

• 2. Write the ACL statements.

ip access-list extended safe
10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
20 permit ip any any

• 3. Call the ACL on an interface (the interface connected to PCs of the technical department).

SW2(config)#int f0/1
SW2(config-FastEthernet 0/1)#ip access-group safe in

• In this way, PCs of the technical department connected to SW 2 cannot access PCs of the financial department. The security
policy needs to be enforced throughout the network. Therefore, complete a similar configuration on SW 3.

[Topology diagram: layer-3 switch SW 1, ports 1 and 2, uplinked to port 24 of layer-2 switches SW 2 and SW 3; on each layer-2 switch, ports 1 to 3 connect PCs of the technical department (192.168.1.0/24) and the financial department (192.168.2.0/24); PC 1 is in the technical department on SW 2 and PC 2 in the financial department on SW 3]
• Time-based ACL
• Configure an ACE that takes effect only in a specific time range.

• For example, employees are allowed to access only Web pages during office hours (9:00–18:00)
and other applications are prohibited. Any applications are allowed out of office hours.

• Configuration ideas:

• 1. Correctly configure the current time on the device.

• In privileged mode (the # prompt), run the clock set command to set the time.

• 2. Define a time range.

• Use the absolute keyword to define an absolute time.

• Use the periodic keyword to define a periodic time.

• The following defines the time range from 9:00 to 18:00 on workdays.
Ruijie(config)#time-range WORK_TIME
Ruijie(config-time-range)#periodic ?
Daily Every day of the week
Friday Friday
Monday Monday
Saturday Saturday
Sunday Sunday
Thursday Thursday
Tuesday Tuesday
Wednesday Wednesday
Weekdays Monday through Friday
Weekend Saturday and Sunday
Ruijie(config-time-range)#periodic weekdays 9:00 to 18:00
• 3. Associate an ACE in the ACL with the defined time range.

• When the current time is not within the time range defined by WORK_TIME, ACEs 10 and 20 do not take effect, and
matching falls through to ACE 30, which permits all data.
ip access-list extended OA
10 permit tcp any any eq www time-range WORK_TIME
20 deny ip any any time-range WORK_TIME
30 permit ip any any
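The time-based ACL above, modelled so the effect of WORK_TIME can be checked at different moments. This is an added example, not Ruijie's code; the class names are the example's own, the dates are constructed samples, and times are passed as ISO-8601 strings. An ACE tied to a time-range is skipped while the range is inactive, so outside office hours only ACE 30 remains and everything is permitted, as the slide states.

```python
# Added example (not Ruijie's code): how a time-range gates ACEs. An ACE tied to
# a time-range is considered only while the range is active; outside it the ACE
# is skipped and matching continues with the next one. The ACL below models the
# course's OA ACL with WORK_TIME = periodic weekdays 9:00 to 18:00. Times are
# given as ISO strings ("2024-06-12T10:30"); the dates are constructed samples.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_KEYWORDS = {          # keyword as typed after "periodic" -> set of datetime.weekday() values
    "daily": set(range(7)),
    "weekdays": set(range(5)),   # Monday through Friday
    "weekend": {5, 6},           # Saturday and Sunday
}


@dataclass
class PeriodicRange:
    days: str          # "weekdays", "weekend", "daily" or a single day name
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        days = DAY_KEYWORDS.get(self.days.lower()) or {DAY_NAMES.index(self.days.lower())}
        return now.weekday() in days and self.start <= now.time() <= self.end


@dataclass
class ACE:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything; otherwise "tcp"/"udp"
    dport: Optional[int] = None  # "eq <port>"; www is 80
    time_range: Optional[PeriodicRange] = None

    def in_effect(self, now: datetime) -> bool:
        return self.time_range is None or self.time_range.active(now)

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        # the OA ACL uses "any any" for addresses, so only protocol and port are checked
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


WORK_TIME = PeriodicRange("weekdays", time(9, 0), time(18, 0))
OA = [
    ACE(10, "permit", "tcp", dport=80, time_range=WORK_TIME),
    ACE(20, "deny", "ip", time_range=WORK_TIME),
    ACE(30, "permit", "ip"),
]


def effective_aces(acl, when: str):
    """Sequence numbers of the ACEs that are in effect at the given ISO time."""
    now = datetime.fromisoformat(when)
    return [a.seq for a in sorted(acl, key=lambda a: a.seq) if a.in_effect(now)]


def decide(acl, proto: str, dport: Optional[int], when: str):
    """First in-effect matching ACE decides; no match means the implicit deny."""
    now = datetime.fromisoformat(when)
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.in_effect(now) and ace.matches(proto, dport):
            return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    for when in ("2024-06-12T10:30", "2024-06-12T20:00", "2024-06-15T10:30"):
        print(when, effective_aces(OA, when),
              "web:", decide(OA, "tcp", 80, when), "ssh:", decide(OA, "tcp", 22, when))
```

The dates used are a Wednesday (2024-06-12) and a Saturday (2024-06-15). Note that the whole mechanism rests on step 1 of the slide: if the device clock is wrong, WORK_TIME is active at the wrong moments and the policy silently opens or closes.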
• ACL Configuration Position
• After learning, Tom mastered the ACL tool. He simulated the configuration in the company lab and found that the ACL
did work. However, Tom noticed the following problem: the requirement of prohibiting PCs of the technical department
from accessing PCs of the financial department can be implemented on SW 2, SW 1, or SW 3, and the ACL can be applied
in the inbound or outbound direction. So there are many configuration methods. Which one is optimal? Or are all of
these configuration methods usable?

• Tom discussed with the manager on this problem. The manager then explained the ACL application position to Tom.

[Topology diagram: layer-3 switch SW 1, ports 1 and 2, uplinked to port 24 of layer-2 switches SW 2 and SW 3; on each layer-2 switch, ports 1 to 3 connect PCs of the technical department (192.168.1.0/24) and the financial department (192.168.2.0/24); PC 1 is in the technical department on SW 2 and PC 2 in the financial department on SW 3]
• ACL Application Position
• Data flow analysis

• The following uses the access from PC 1 of the technical department to PC 2 of the financial department as an example to
analyze the data flow.

• If PC 1 needs to access PC 2 successfully, its data needs to flow through SW 2, SW 1, and SW 3, and finally reach PC 2.

• Complete access is two-way. Therefore, data of PC 2 must flow through SW 3, SW 1, and SW 2, and finally reach PC 1.

• The two-way communication is blocked if any step in between is interrupted.

[Topology diagram: layer-3 switch SW 1, ports 1 and 2, uplinked to port 24 of layer-2 switches SW 2 and SW 3; on each layer-2 switch, ports 1 to 3 connect PCs of the technical department and the financial department; PC 1 is in the technical department on SW 2 and PC 2 in the financial department on SW 3]
• ACL Application Position
• Since many positions are available for ACL configuration, which one is optimal?

• The access from PCs of the technical department to PCs of the financial department can be blocked on any of the three switches;
the optimal position is the inbound direction on SW 2. The data flow needs to be blocked anyway, so it is unnecessary to waste
resources forwarding it on other devices.

• Tom felt enlightened. Then, the manager asked Tom a question: If only a standard ACL could be configured, where should the ACL be
applied?

• Tom could not figure out the difference between a standard ACL and an extended ACL.
[Topology diagram: layer-3 switch SW 1, ports 1 and 2, uplinked to port 24 of layer-2 switches SW 2 and SW 3; on each layer-2 switch, ports 1 to 3 connect PCs of the technical department (192.168.1.0/24) and the financial department (192.168.2.0/24); PC 1 is in the technical department on SW 2 and PC 2 in the financial department on SW 3]
• ACL Application Position
• The manager told Tom that a standard ACL can match only source IP addresses. If an ACL is configured on SW 2 to block data packets
sourced from PCs of the technical department, PCs of the technical department cannot access each other.

• Therefore, standard ACLs are generally applied to interfaces close to destinations. In this project, the standard ACL can be applied to
the outbound direction of the interfaces connected to PCs of the financial department on SW 2 and SW 3, to block the access from
PCs of the technical department.

• Hearing the manager's words, Tom realized that ACLs were more subtle than they looked and that it was not easy to use them skillfully.
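The placement argument of the last three slides, checked with a small model of the course topology. This is an added example, not Ruijie's code. The host addresses, which access port carries which host, and the assumption that SW 1 routes between the two VLANs while same-VLAN traffic on one switch is bridged locally, are all the example's own. It contrasts three placements: the standard ACL near the source (which also cuts off technical-to-technical traffic), the standard ACL on the outbound side of the financial-department ports, and the extended ACL inbound near the source.

```python
# Added example (not Ruijie's code): why a standard ACL belongs near the
# destination while an extended ACL can sit near the source. The course
# topology is modelled as access ports on SW 2 and SW 3 with uplinks on port
# 24 to ports 1 and 2 of SW 1. Which port carries which host is an assumption.
import ipaddress

TECH = ipaddress.ip_network("192.168.1.0/24")   # technical department
FIN = ipaddress.ip_network("192.168.2.0/24")    # financial department
ANY = ipaddress.ip_network("0.0.0.0/0")

# constructed sample hosts: ip -> (switch, access port)
HOSTS = {
    "192.168.1.10": ("SW2", 1), "192.168.2.10": ("SW2", 2), "192.168.1.11": ("SW2", 3),
    "192.168.1.20": ("SW3", 1), "192.168.2.20": ("SW3", 2),
}
SW1_PORT = {"SW2": 1, "SW3": 2}   # SW 1 port facing each layer-2 switch (from the diagram)

# An ACL is a list of (action, source network, destination network); a standard
# ACL has destination None. First match wins; no match means implicit deny.
STANDARD_DENY_TECH = [("deny", TECH, None), ("permit", ANY, None)]
EXTENDED_DENY_TECH_TO_FIN = [("deny", TECH, FIN), ("permit", ANY, ANY)]


def evaluate(acl, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and (dst_net is None or d in dst_net):
            return action
    return "deny"


def vlan_of(ip):
    return TECH if ipaddress.ip_address(ip) in TECH else FIN


def path(src, dst):
    """Hops (switch, port, direction) a packet from src to dst passes through.
    Same VLAN on the same switch is bridged locally; anything else is routed by SW 1."""
    s_sw, s_port = HOSTS[src]
    d_sw, d_port = HOSTS[dst]
    hops = [(s_sw, s_port, "in")]
    if s_sw == d_sw and vlan_of(src) == vlan_of(dst):
        return hops + [(d_sw, d_port, "out")]
    hops += [(s_sw, 24, "out"), ("SW1", SW1_PORT[s_sw], "in"),
             ("SW1", SW1_PORT[d_sw], "out"), (d_sw, 24, "in"), (d_sw, d_port, "out")]
    return hops


def allowed(bindings, src, dst):
    """bindings maps (switch, port, direction) -> ACL. The packet gets through
    only if every bound hop on its path permits it."""
    return all(evaluate(bindings[h], src, dst) == "permit"
               for h in path(src, dst) if h in bindings)


def can_communicate(bindings, a, b):
    """Complete access is two-way: both a->b and the reply b->a must be allowed."""
    return allowed(bindings, a, b) and allowed(bindings, b, a)


# Three placements of the "block the technical department" policy.
STD_NEAR_SOURCE = {("SW2", 1, "in"): STANDARD_DENY_TECH}
STD_NEAR_DESTINATION = {("SW2", 2, "out"): STANDARD_DENY_TECH,
                        ("SW3", 2, "out"): STANDARD_DENY_TECH}
EXT_NEAR_SOURCE = {h: EXTENDED_DENY_TECH_TO_FIN
                   for h in [("SW2", 1, "in"), ("SW2", 3, "in"), ("SW3", 1, "in"), ("SW3", 3, "in")]}


def side_effects(bindings):
    """Which flows the placement blocks: tech->fin (wanted) and tech->tech (unwanted)."""
    return {
        "tech_to_fin_blocked": not can_communicate(bindings, "192.168.1.10", "192.168.2.10"),
        "tech_to_tech_blocked": not can_communicate(bindings, "192.168.1.10", "192.168.1.11"),
    }


if __name__ == "__main__":
    for name, b in [("standard near source", STD_NEAR_SOURCE),
                    ("standard near destination", STD_NEAR_DESTINATION),
                    ("extended near source", EXT_NEAR_SOURCE)]:
        print(name, side_effects(b))
```

Running it shows the manager's point: the standard ACL inbound on a technical-department port blocks the financial department but also blocks technical PCs from each other, while the same ACL outbound on the financial-department ports, or an extended ACL inbound near the source, blocks only the intended flow.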

[Topology diagram: layer-3 switch SW 1, ports 1 and 2, uplinked to port 24 of layer-2 switches SW 2 and SW 3; on each layer-2 switch, ports 1 to 3 connect PCs of the technical department (192.168.1.0/24) and the financial department (192.168.2.0/24); PC 1 is in the technical department on SW 2 and PC 2 in the financial department on SW 3]
• Summary

• In this chapter, Tom mastered the purpose of ACLs and the difference between standard ACLs and extended ACLs.
Tom also mastered the matching basis of ACLs and practiced how to configure ACLs according to requirements. Tom
later learned time-based ACLs and realized the power of ACLs.

• At last, Tom discussed with the manager about the ACL application position. In short, ACLs could be flexibly applied.

• After solving the problems, Tom reported his experience in ACL learning to the manager.
• Exercises

• What is the difference between a standard ACL and an extended ACL?

• What is the relationship between ACL application direction on an interface and the interface?

• If an ACL contains many ACEs, what are the matching rules?

• Attempt to configure ACLs on different devices and in different directions to block PCs of the technical department
from accessing PCs of the financial department.
THANKS
Ruijie Networks Co., Ltd.
Address: Floor 11, East Wing, Zhongyipengao Plaza, No. 29 Fuxing Road, Haidian District, Beijing, China
Post Code: 100036
Tel: (8610) 5171-5996
Fax: (8610) 5171-5872

www.ruijienetworks.com
