
ACLs

Access Control Lists

110/08/03 1
What are ACLs?
• ACLs are lists of instructions you apply to a
router's interface.
• These lists tell the router what kinds of packets to
accept and what kinds of packets to deny.
• Acceptance and denial can be based on certain
specifications, such as
– protocol,
– source address,
– destination address,
– port number.

Packet Filtering
• Packet filtering, sometimes called static
packet filtering, controls access to a
network by analyzing the incoming and
outgoing packets and passing or halting
them based on stated criteria.

Packet Filtering

Fields of packet to be checked

What are ACLs?

What are ACLs?
• ACLs enable you to manage traffic and
scan specific packets by applying the ACL
to a router interface. 
• Any traffic going through the interface is
tested against certain conditions that are
part of the ACL.

ACLs on a Router

ACLs on Router’s Interfaces

Inbound or Outbound ACLs
• Inbound ACLs: incoming packets are
processed by the ACL before they are routed to the
outbound interface.
• Outbound ACLs: incoming packets are
routed to the outbound interface first, and then
they are processed through the outbound
ACL.

Inbound ACLs
• An inbound ACL is efficient because it
saves the overhead of routing lookups if the
packet is discarded. If the packet is
permitted by the tests, it is then processed
for routing.

How ACLs Work (Inbound)

How ACLs Work (Outbound)

Routing & ACLs on Routers - 1

Routing & ACLs on Routers - 2

Implied "Deny All Traffic"
• At the end of every access list is an implied
"deny all traffic" criteria statement.
– "implicit deny any" statement.
– If a packet does not match any of the ACL
entries, it is automatically blocked.

Access List Grouping
• ACLs must be defined on a per-protocol,
per direction, or per port basis

Steps in Enforcing ACL
• Step 1: Configure the ACL conditions
– Configuring Standard, Extended & Named ACLs
• Step 2: Apply the ACL to one of the router's interfaces
– Router(config)# int serial 0
Router(config-if)# ip access-group 1 in (or out)
– Outbound ACLs are generally more efficient than
inbound, and are therefore preferred. A router with an
inbound ACL must check every packet to see whether
it matches the ACL condition before switching the
packet to an outbound interface.

Command syntax in applying ACL
to router interface
• Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

Types of ACL
• Numbered ACL
– Standard ACL
– Extended ACL
• Named ACL

ACL Examples
router(config)#access-list 1 permit 172.16.0.0 0.0.255.255 log

router(config)#      Global config mode
access-list 1        ACL number
permit               Action (deny/permit or remark)
172.16.0.0           Source Address
0.0.255.255          Wildcard Mask

This is the so-called Standard ACL …

…. Are there any other ACLs?

Wildcard Mask
• Wildcard = "wild card", as in a card game
– What is a wild card?
• Wildcard mask is NOT a Subnet Mask
– A 1 bit in the wildcard mask means "do not check the
IP address bit in the same position"
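An added example, not from the slides, that puts the wildcard rule into code: a 1 bit means that address bit is not compared, so the wildcard is the inverse of a subnet mask but, unlike a subnet mask, need not be contiguous. It goes one step beyond the slide by showing when several subnets can be collapsed into a single base/wildcard pair; the function names and sample addresses are my own.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _int(a):
    return int(ipaddress.IPv4Address(a))

def _str(n):
    return str(ipaddress.IPv4Address(n))

def wildcard_from_prefix(prefixlen):
    """The wildcard is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    subnet_mask = (MASK32 << (32 - prefixlen)) & MASK32
    return _str(subnet_mask ^ MASK32)

def matches(addr, base, wildcard):
    """A 1 bit in the wildcard means 'do not compare this bit of the address';
    only the 0 bits must agree with the base address. Works for
    non-contiguous wildcards too (e.g. 0.0.254.255 = odd third octets)."""
    return (_int(addr) ^ _int(base)) & ~_int(wildcard) == 0

def summarize(first, last):
    """Smallest single 'base wildcard' pair covering every address from
    first to last (constructed helper). exact is False when the pair also
    matches addresses outside the range, i.e. the range is not an aligned
    block and one statement would permit/deny more than intended."""
    lo, hi = _int(first), _int(last)
    diff, wild = lo ^ hi, 0
    while diff:                 # set every bit from the highest differing bit down
        wild, diff = (wild << 1) | 1, diff >> 1
    base = lo & ~wild & MASK32
    return _str(base), _str(wild), base == lo and (base | wild) == hi
```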

Wild Card

Wild Card Mask Examples

Standard ACL
• Checks only the source address
• Syntax
– Router(config)# access-list access-list-number
{deny | permit | remark} source [source-wildcard] [log]
• access-list-number = 1~99 and 1300~1999 in
recent IOS
• Checks only IP packets

Remark keyword
• The remark keyword is used for
documentation and makes access lists a
great deal easier to understand.

Examples of Standard ACL

host

Host & any

Extended ACL
• Checks the following 4 parameters
– Protocol (of the packet being routed)
– Source address
– Destination address
– Port number (Transport layer header)
• Syntax
– Router(config)# access-list access-list-number
{permit | deny | remark} protocol source [source-wildcard]
[operator operand] [port port-number or name]
destination [destination-wildcard] [operator operand]
[port port-number or name] [established]

Examples of Extended ACL

Extended ACL Examples

established
• This parameter allows responses to traffic that
originates from the 192.168.10.0 /24 network to
return inbound on s0/0/0.
– A match occurs if the TCP datagram has the ACK or
reset (RST) bit set, which indicates that the packet
belongs to an existing connection.
– Without the established parameter in the ACL statement,
clients could send traffic to a web server, but would not
receive traffic from the web server.
– Lets the inside network initiate connections to the outside,
while the outside cannot initiate connections to the inside.
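An added example (not from the slides) that models how an inbound extended entry with established behaves on s0/0/0 for the 192.168.10.0/24 network: the entry matches only TCP segments carrying the ACK or RST bit, so a server's reply to an inside client is permitted while a connection opened from outside is not. The Packet and ExtendedEntry types, their field names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
ACK, RST, SYN = 0x10, 0x04, 0x02   # TCP flag bits

@dataclass
class Packet:                       # hypothetical: the fields the ACL looks at
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: int
    flags: int = 0                  # TCP flag bits, 0 for non-TCP
@dataclass
class ExtendedEntry:                # hypothetical: one extended ACL statement
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IP protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: int = 0                  # 'eq <port>' on the destination; 0 = any
    established: bool = False

def _int(a):
    return int(ipaddress.IPv4Address(a))

def _wild_match(addr, base, wild):  # wildcard 1 bits are not compared
    return (_int(addr) ^ _int(base)) & ~_int(wild) == 0

def entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_wild_match(p.src, e.src, e.src_wild)
            and _wild_match(p.dst, e.dst, e.dst_wild)):
        return False
    if e.dport and p.dport != e.dport:
        return False
    if e.established:   # stateless: only requires the ACK or RST bit to be set
        return p.proto == "tcp" and bool(p.flags & (ACK | RST))
    return True

def evaluate(acl, p):
    """First match wins; falling off the end is the implicit 'deny any'."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None

# constructed: the inbound ACL on s0/0/0 in front of 192.168.10.0/24
INBOUND = [ExtendedEntry("permit", "tcp", "0.0.0.0", "255.255.255.255",
                         "192.168.10.0", "0.0.0.255", established=True)]
```

Because the check is stateless (flag bits only), it cannot tell a genuine reply from any other segment that happens to carry ACK; that gap is what the session-tracking reflexive ACLs on the later slides close.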

Other ACL numbering
• Numbers 200 to 1299 are skipped because
those numbers are used by other
protocols.
– For example, numbers 600 to 699 are used by
AppleTalk, and numbers 800 to 899 are used by
IPX.
• This course focuses only on IP ACLs.

Verifying ACL
• show access-lists

Named ACLs
• There are cases where …
– You have more than 99 (+699) standard and 100
(+699) extended ACLs to be configured in a
router for a given protocol
• This is less likely now …
– You want to identify ACLs intuitively using an
alphanumeric name.

Named ACLs

Named ACL

Named ACL Syntax

Modifying Named ACL
• Named ACLs have a big advantage over numbered
ACLs in that they are easier to edit.
– Starting with Cisco IOS Software Release 12.3, named
IP ACLs allow you to delete individual entries in a
specific ACL.
– You can use sequence numbers to insert statements
anywhere in the named ACL.
– If you are using an earlier Cisco IOS software version,
you can add statements only at the bottom of the
named ACL.
– Because you can delete individual entries, you can
modify your ACL without having to delete and then
reconfigure the entire ACL.

Modifying Named ACL

ACL Best Practices

Things to note with ACLs - 1
• Conditions in an ACL are tested sequentially in the
order in which they were created
– The order in which you place ACL statements is
important.
– After a match is found, no more condition
statements are checked.
– If you create a condition statement that permits all
traffic, no statements added after it will ever be checked.
– If none of the ACL statements match, the
implicit "deny any" statement is imposed.
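An added example, not part of the slide deck, that models the behaviour described on the Standard ACL slide and in the points above: IOS-style statements are parsed in the order given, the first match decides, anything unmatched hits the implicit deny, and a small lint check reports statements that an earlier, broader statement has made unreachable. The function names and the sample list are constructed.

```python
import ipaddress

def _int(a):
    return int(ipaddress.IPv4Address(a))

def parse_standard_acl(lines):
    """Parse IOS-style 'access-list N {permit|deny} source [wildcard] [log]'
    statements into (action, base, wildcard) tuples, keeping their order.
    'host A' is A 0.0.0.0, 'any' is 0.0.0.0 255.255.255.255, an omitted
    wildcard is 0.0.0.0, and remark statements are documentation only."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, src = tok[2], tok[3:]
        if src[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            base, wild = _int(src[1]), 0
        else:
            base = _int(src[0])
            wild = _int(src[1]) if len(src) > 1 and src[1] != "log" else 0
        entries.append((action, base, wild))
    return entries

def evaluate(entries, src_ip):
    """Statements are tested top to bottom; the first match decides and
    nothing below it is examined. No match at all is the implicit 'deny any'."""
    ip = _int(src_ip)
    for idx, (action, base, wild) in enumerate(entries):
        if (ip ^ base) & ~wild == 0:        # wildcard 1 bits are not compared
            return action, idx
    return "deny", None

def shadowed_entries(entries):
    """Indices of statements that can never match because an earlier
    statement already covers every address they cover: a misordering."""
    return [j for j, (_, bj, wj) in enumerate(entries)
            if any((wj & ~wi) == 0 and ((bi ^ bj) & ~wi) == 0
                   for _, bi, wi in entries[:j])]

# constructed sample: the 'permit any' makes the two statements after it dead
SAMPLE = [
    "access-list 1 remark allow 172.16.0.0/16 except one bad host",
    "access-list 1 permit any",
    "access-list 1 deny host 172.16.5.9",
    "access-list 1 permit 172.16.0.0 0.0.255.255 log",
]
```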

Things to note with ACLs - 2
• Try to keep the number of ACL statements as
small as possible
– by careful thinking
– Make good use of the wildcard mask, see example below

More to note … (any command)

More to note … (host command)

access-list 2 permit 36.48.0.3 0.0.0.0

OR

access-list 2 permit 36.48.0.3

You can omit the wildcard if it is all zeros.
When Modifying standard/extended
ACLs …
• If you need additional statements in an ACL,
you must delete the ACL and re-create it
with the new condition statements.
– This is why it's a good idea to edit a router
configuration on a PC using a text editor and
then Trivial File Transfer Protocol (TFTP) it to
the router.

Placing ACLs
• The rule is to
– Put the extended ACLs as close as possible to
the source of the traffic denied
• Extended ACLs can filter using source and/or
destination addresses
– Put the standard ACLs as close as possible to
the destination.
• Standard ACLs do not specify destination addresses

Example

Condition 1: Need to prevent FTP access from Router A's FA0/1 subnet to Router D
Condition 2: Need to prevent all traffic from Router A's FA0/1 subnet to Router D
Firewall

1. The outside router directs all traffic to the application gateway
2. The inside router accepts traffic from the application gateway only
3. ACLs should be used in firewall routers
Complex ACLs

Dynamic ACLs
• Dynamic ACL configuration starts with the
application of an extended ACL to block traffic
through the router.
– Users who want to traverse the router are blocked by the
extended ACL until they use Telnet to connect to the
router and are authenticated.
– The Telnet connection is then dropped, and a single-
entry dynamic ACL is added to the existing extended
ACL.
– This permits traffic for a particular period; idle and
absolute timeouts are possible.

Dynamic ACLs

When to Use Dynamic ACLs
• When you want a specific remote user or
group of remote users to access a host
within your network, connecting from their
remote hosts via the Internet.
• When you want a subset of hosts on a local
network to access a host on a remote
network that is protected by a firewall.

Dynamic ACL Examples

Reflexive ACLs
• Network administrators use reflexive ACLs
to allow IP traffic for sessions originating
from their network while denying IP traffic
for sessions originating outside the network.

Example

Time-based ACLs
• Time-based ACLs are similar to extended
ACLs in function, but they allow for access
control based on time.
• To implement time-based ACLs, you create
a time range that defines specific times of
the day and week.

Example

Trouble-shooting ACL

The order of statements is essential…

Trouble-shooting ACL

What protocol does TFTP use?

Trouble-shooting ACL

Are you sure you have the correct syntax?

Trouble-shooting ACL

1. IP address
2. Position of extended ACL

Trouble-shooting ACL

Not sure where the error is…

