Access Control Lists (ACLs) can be used for two purposes:
- To filter traffic
- To identify traffic (for example, to select which traffic NAT, a route map or a crypto map should act on)
Access lists are sets of rules organized in a rule table. Each rule, or line, in an access list provides a condition and an action, either permit or deny.
Access lists are used to filter unwanted packets when implementing security policies. They can permit or deny packets moving through the router, and (applied to the vty lines with access-class) permit or deny Telnet access to or from the router.
Applying an access list to filter routing updates doesn't stop the routing advertisements themselves; it just controls their content. Once lists are built, they can be applied to either inbound or outbound traffic on any interface.
There are a few important rules that a packet follows when it is compared with an access list:
- It is always compared with each line of the access list in sequential order: the router starts with the first line of the access list, then goes to line 2, then line 3, and so on.
- It is compared with lines of the access list only until a match is made. Once the packet matches the condition on a line, the packet is acted upon, and no further comparisons take place.
- There is an implicit "deny" at the end of every access list. If a packet doesn't match the condition on any line of the access list, the packet is discarded.
When activating an ACL on an interface, you must specify in which direction the traffic should be filtered:
Inbound Access Lists
When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won't be routed, because they're discarded before the routing process is invoked.
Outbound Access Lists
When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued.
Universal Facts About Access Control List:
- ACLs come in two varieties: Numbered and Named.
- Both numbered and named ACLs come in two types: standard and extended.
- Standard IP ACLs can filter only on the source IP address of a packet.
- Extended IP ACLs can filter on the source and destination IP addresses, the protocol, and (for TCP and UDP) the source and destination port numbers.
- There are two actions an ACL can take: permit or deny.
- Statements are processed top-down.
- Once a match is found, no further statements are processed—therefore, order is important.
- If no match is found, the imaginary implicit deny statement at the end of the ACL drops the packet.
- An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the hidden implicit deny statement at the end of every ACL.
Access List Ranges
IP Standard                    1–99
IP Standard Expanded Range     1300–1999
IP Extended                    100–199
IP Extended Expanded Range     2000–2699
Placement of ACLs
- Standard ACLs should be placed as close to the destination devices as possible.
- Extended ACLs should be placed as close to the source devices as possible.
There are some general access-lists guidelines:
- We can assign only one access list per interface, per protocol, per direction. This means that when creating IP access lists, we can only have one inbound access list and one outbound access list per interface.
- Organize your access lists so that the more specific tests are at the top of the access list.
- Any time a new entry is added to a numbered access list, it is placed at the bottom of the list. Building access lists in a text editor and pasting them in is highly suggested.
- You cannot remove one line from a classic numbered access list: issuing no access-list 110 removes the entire list. Copy the list to a text editor before editing it. The exception is named access lists (and, on current IOS, a numbered list edited in ip access-list mode, where each entry carries a sequence number and can be removed individually).
- Unless your access list ends with a permit any statement, every packet that does not match one of its lines will be discarded. Every list should have at least one permit statement, or it will deny all traffic.
- Create access lists and then apply them to an interface. An access list that is not applied to an interface does nothing.
- Access lists applied to an interface filter traffic going through the router. An outbound list will not filter traffic that the router itself originated.
- Place IP standard access lists as close to the destination as possible. This is why standard access lists are rarely the right tool: because they can only filter on the source address, a standard list placed close to the source would block that source's traffic to every destination, not just the one you want to protect.
- Place IP extended access lists as close to the source as possible. Since extended access lists can filter on very specific addresses and protocols, you don't want traffic to traverse the entire network only to be denied at the far end. Placing the list as close to the source as possible filters the traffic before it uses up bandwidth.
There are two types of access lists:
Standard Access List
These use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols: they don't distinguish between the many kinds of IP traffic, such as WWW, Telnet, UDP, and so on.
You are telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines.
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
The next step requires a more detailed explanation. There are three options available. You can use the any parameter to permit or deny any host or network. You can use an IP address to specify either a single host or range of them. Or you can use the host command to specify a specific host only. The any command is pretty obvious – any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple.
Router(config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default parameter is host: if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2.
But there's another way to specify either a particular host or a range of hosts: you can use wildcard masking.
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. The block sizes available are powers of two: 64, 32, 16, 8, 4, and so on.
Wildcards are used with the host or network address to tell the router the range of addresses to filter. To specify a single host, the address and wildcard look like this:
172.16.30.2 0.0.0.0
The four zeros represent each octet of the address. Whenever a zero is present, that octet in the address must match exactly. To specify that an octet can be any value, the value 255 is used. As an example, here's how a /24 subnet is specified with a wildcard:
172.16.30.0 0.0.0.255
This tells the router to match the first three octets exactly, but the fourth octet can be any value. Let's say that you want to block access to the part of the network that ranges from 172.16.8.0 through 172.16.15.0.
That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. Whoa!
What is that? The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block size of eight networks, to 172.16.15.0.
Router(config)#access-list 10 deny 172.16.10.0 0.0.0.255
This example tells the router to match the first three octets exactly, but the fourth octet can be anything.
Router(config)#access-list 10 deny 172.16.0.0 0.0.255.255
This example tells the router to match the first two octets, and the last two octets can be any value.
Router(config)#access-list 10 deny 172.16.16.0 0.0.3.255
This tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.0.
Router(config)#access-list 10 deny 172.16.16.0 0.0.7.255
This example starts at 172.16.16.0 and goes up a block size of 8, to 172.16.23.0.
Router(config)#access-list 10 deny 172.16.32.0 0.0.15.255
This example starts at network 172.16.32.0 and goes up a block size of 16, to 172.16.47.0.
Router(config)#access-list 10 deny 172.16.64.0 0.0.63.255
This example starts at network 172.16.64.0 and goes up a block size of 64, to 172.16.127.0.
Router(config)#access-list 10 deny 192.168.160.0 0.0.31.255
This example starts at network 192.168.160.0 and goes up a block size of 32, to 192.168.191.255.
Block size ranges (the start of each block is a multiple of the block size):
block size 8:  0 to 7, 8 to 15, 16 to 23, 24 to 31, and so on
block size 32: 0 to 31, 32 to 63, 64 to 95, and so on
The keyword any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.
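Computing and checking wildcard masks by hand is error-prone, so here is a small Python helper, added as an example and not part of the original page or of IOS: it converts a prefix length to a wildcard, expands a network/wildcard pair into the range it matches (normalising a misaligned start the way IOS does), derives the wildcard for an aligned range, and rejects non-contiguous wildcards. The function names and the sample addresses (taken from the examples above) are my own choices.

```python
"""Wildcard-mask helpers for Cisco-style ACL entries (added example).

Not code from the original page or from IOS. Function names and the
sample addresses in the usage section are assumptions for illustration.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """'172.16.8.0' -> integer form of the address."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """Integer -> dotted quad."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: /24 -> 0.0.0.255, /32 -> 0.0.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return to_dotted((1 << (32 - prefix_len)) - 1)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is zero bits followed by one bits (a real block).

    IOS accepts any wildcard, e.g. 0.0.7.0 to match every eighth /24, but
    only contiguous ones describe a single run of consecutive addresses.
    """
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def wildcard_range(network: str, wildcard: str) -> tuple:
    """Return (first, last, count) matched by 'network wildcard'.

    Set bits in the wildcard are 'don't care'. IOS clears those bits in the
    address it stores, so 172.16.10.0 0.0.7.255 is normalised to 172.16.8.0,
    which is what this function reports too.
    """
    if not is_contiguous(wildcard):
        raise ValueError(f"{wildcard} is not a contiguous wildcard")
    net, wild = to_int(network), to_int(wildcard)
    first = net & ~wild          # clear the 'don't care' bits
    last = first | wild          # set them all
    return to_dotted(first), to_dotted(last), wild + 1


def wildcard_for_range(first: str, last: str) -> str:
    """Wildcard covering exactly first..last, e.g. 172.16.32.0..172.16.47.255 -> 0.0.15.255.

    Raises if the range is not a single aligned power-of-two block; such a
    range needs several ACL lines instead of one.
    """
    lo, hi = to_int(first), to_int(last)
    count = hi - lo + 1
    if count <= 0 or count & (count - 1):
        raise ValueError("range size is not a power of two")
    if lo % count:
        raise ValueError(f"{first} is not aligned to a block of {count} addresses")
    return to_dotted(count - 1)


if __name__ == "__main__":
    # Sample pairs taken from the text; output is informational only.
    for net, wild in [("172.16.8.0", "0.0.7.255"), ("172.16.10.0", "0.0.7.255"),
                      ("192.168.160.0", "0.0.31.255"), ("172.16.30.2", "0.0.0.0")]:
        lo, hi, count = wildcard_range(net, wild)
        print(f"{net} {wild}: {lo} - {hi} ({count} addresses)")
    print("wildcard for 172.16.32.0-172.16.47.255:",
          wildcard_for_range("172.16.32.0", "172.16.47.255"))
```

Run it against a candidate entry before typing it into the router: if wildcard_range reports a different first address than the one you wrote, the entry was misaligned and IOS would silently store the normalised address, which rarely matches what you meant.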
Extended Access List
Extended Access Lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.
By using extended access lists, you can allow users access to a physical LAN and still stop them from reaching specific hosts, or even specific services on those hosts.
Router(config)#access-list 110 deny tcp ?
Router(config)#access-list 110 deny tcp any host 172.16.30.2 ?
Router(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
You can choose a port number or use the application or protocol name. At this point, let's block Telnet (port 23) to host 172.16.30.2 only. If users want to FTP, fine, that's allowed. The log keyword writes a log message every time the entry is hit, which is a useful way to monitor inappropriate access attempts; logged packets are punted to the CPU, so use log on the specific deny lines you care about rather than on every entry.
Router(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
Keep in mind that the next line is an implicit deny any by default. If you applied this access list to an interface as it stands, you might as well just shut the interface down: because of the implicit deny all at the end of every access list, you have to follow the deny with the following command.
Router(config)#access-list 110 permit ip any any
Once the access list is created, you need to apply it to an interface, naming the list and the direction (one inbound and one outbound list per interface):
Router(config-if)#ip access-group 110 in
Router(config-if)#ip access-group 110 out
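To see the processing rules from earlier (top-down, first match wins, implicit deny at the end) and this extended list actually evaluated, here is a small Python simulator, added as an example; it is not code from the page and not a feature of IOS, and it understands only the syntax used on this page (any/host/wildcard addresses, eq ports, log and remark). The sample access list and packets are constructed from the examples above; the function names are my own.

```python
"""Simulator for Cisco IOS numbered ACL semantics (added example).

Not code from the original page and not an IOS feature. Supports standard
lists (1-99, 1300-1999) with 'any' / 'host A.B.C.D' / 'A.B.C.D WILDCARD' /
bare host addresses, and extended lists (100-199, 2000-2699) with a
protocol, optional 'eq' ports and a trailing 'log'.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)       # network 0.0.0.0, wildcard 255.255.255.255
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80, "domain": 53, "snmp": 161}


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((net, wild), next_i)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    net = _ip(tok)
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (net, _ip(tokens[i + 1])), i + 2
    return (net, 0), i + 1   # bare address: IOS treats it as a host


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(config_text):
    """Parse 'access-list N ...' lines into entries, keeping their order."""
    entries = []
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        number, action = int(tokens[1]), tokens[2]
        if action == "remark":
            continue                       # comments never match traffic
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        standard = 1 <= number <= 99 or 1300 <= number <= 1999
        entry = {"action": action, "proto": "ip", "sport": None,
                 "dport": None, "dst": ANY, "text": line.strip()}
        if standard:                       # standard lists test the source only
            entry["src"], i = _parse_addr(tokens, 3)
        else:
            entry["proto"] = tokens[3]
            entry["src"], i = _parse_addr(tokens, 4)
            entry["sport"], i = _parse_port(tokens, i)
            entry["dst"], i = _parse_addr(tokens, i)
            entry["dport"], i = _parse_port(tokens, i)
        entry["log"] = "log" in tokens[i:]
        entries.append(entry)
    return entries


def _match_addr(spec, addr):
    net, wild = spec
    return (addr & ~wild) == (net & ~wild)   # wildcard bits are 'don't care'


def evaluate(entries, packet):
    """Return (action, index of the matching line or None, log flag).

    Lines are tested top-down; the first match decides and later lines are
    never consulted. No match at all means the implicit deny.
    """
    for idx, e in enumerate(entries):
        if e["proto"] not in ("ip", packet["proto"]):
            continue
        if not _match_addr(e["src"], _ip(packet["src"])):
            continue
        if not _match_addr(e["dst"], _ip(packet["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != packet.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != packet.get("dport"):
            continue
        return e["action"], idx, e["log"]
    return "deny", None, False             # implicit deny at the end of every list


# Constructed sample list: the page's Telnet block plus the required permit.
SAMPLE_ACL_110 = """
access-list 110 remark block Telnet to 172.16.30.2, allow everything else
access-list 110 deny tcp any host 172.16.30.2 eq 23 log
access-list 110 permit ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL_110)
    telnet = {"proto": "tcp", "src": "172.16.40.1", "dst": "172.16.30.2", "dport": 23}
    ftp = {"proto": "tcp", "src": "172.16.40.1", "dst": "172.16.30.2", "dport": 21}
    print("telnet:", evaluate(acl, telnet))          # denied by line 0, logged
    print("ftp:", evaluate(acl, ftp))                # permitted by line 1
    print("ftp, no permit:", evaluate(acl[:1], ftp))  # implicit deny
```

Feeding the simulator the same list with permit ip any any placed first shows why order matters: the deny line becomes unreachable, which is exactly the mistake the "more specific tests at the top" guideline guards against.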
One of the disadvantages of using numbered IP standard and IP extended ACLs is that you reference them by number, which says nothing about their use. With a named ACL this is not the case, because you can give the ACL a descriptive name. An ACL named DenyMike is a lot more meaningful than an ACL simply numbered 1. There are both IP standard and IP extended named ACLs.
Another advantage of named ACLs is that they allow you to remove individual lines from an ACL: each entry carries a sequence number, so you can delete one entry with no followed by its sequence number, or insert a new entry at a chosen position. With classic numbered ACLs you cannot delete individual statements; instead you delete the existing access list and re-create the entire list.
Named access lists are just another way to create standard and extended lists.
Router(config)#ip access-list ?
Notice that I started with ip access-list, not access-list. This is what enters a named access list.
Router(config)#ip access-list standard BlockSales
I've specified a standard access list and then given it a name, BlockSales (names cannot contain spaces). Notice that I could have used a number for a standard access list, but instead I chose a descriptive name.
Router(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-if)#ip access-group BlockSales out
Commands used to verify access list configuration:
show access-lists: Displays all access lists configured on the router, their parameters, and per-line match counters. This command does not show which interface a list is applied to.
show access-lists 110: Shows only the parameters for access list 110. This command does not show which interface the list is applied to.
show ip access-lists: Shows only the IP access lists configured on the router.
show ip interface: Shows which interfaces have access lists applied, and in which direction.
show running-config: Shows the access lists and which interfaces have access lists applied.
- Remarks: The remark keyword is really important because it lets you include comments, or rather remarks, about the entries you've made in both your IP standard and extended ACLs. Even though you have the option of placing your remarks either before or after a permit or deny statement, I totally recommend that you position them consistently so you don't get confused about which remark is relevant to which permit or deny statement.
Router(config)#access-list 110 remark permit Bob from sales only to finance
Router(config)#access-list 110 permit ip host 172.16.40.1 172.16.30.0 0.0.0.255
- Blocking SNMP Packets (as written this list denies everything else too, so add the permit statements you need before applying it)
Router(config)#access-list 110 deny udp any any eq snmp
Router(config)#int s0/0
Router(config-if)#ip access-group 110 in
- Disabling the TCP and UDP Small Servers (echo, chargen, discard, daytime)
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
- Turning off BootP and Auto-Config
Router(config)#no ip bootp server
Router(config)#no service config
- Disabling the HTTP Interface
Router(config)#no ip http server
Router(config)#no ip http secure-server
- Disabling IP Source Routing
Router(config)#no ip source-route
- Disabling Proxy ARP
Router(config)#int fa0/0
Router(config-if)#no ip proxy-arp
- Disabling ICMP Redirect Messages
Router(config)#int s0/0
Router(config-if)#no ip redirects
- Disabling the Generation of ICMP Unreachable Messages
Router(config)#int s0/0
Router(config-if)#no ip unreachables
- Disabling Multicast Route Caching
Router(config)#int s0/0
Router(config-if)#no ip mroute-cache
- Disabling the Maintenance Operation Protocol (MOP)
Router(config)#int s0/0
Router(config-if)#no mop enabled
- Turning off the X.25 PAD Service
Router(config)#no service pad
- Enabling the Nagle TCP Congestion Algorithm
Router(config)#service nagle
- Logging Every Event (send all severities, up to debugging, to a syslog host)
Router(config)#logging trap debugging
Router(config)#logging 192.168.254.251
Router#sh logging
- Disabling Cisco Discovery Protocol (globally, or per interface)
Router(config)#no cdp run
Router(config-if)#no cdp enable
- Disabling the Default Forwarded UDP Protocols
When you use the ip helper-address command on an interface, as follows, your router will forward UDP broadcasts to the listed server or servers:
Router(config)#int fa0/0
Router(config-if)#ip helper-address 192.168.254.251
You would generally use the ip helper-address command when you want to forward DHCP client requests to a DHCP server. The problem is that it doesn't forward only port 67 (BOOTP server request); it forwards seven other ports by default as well (TFTP 69, DNS 53, Time 37, NetBIOS name and datagram services 137 and 138, BOOTP client 68, and TACACS 49). To disable the unused ports, use the following commands.
Router(config)#no ip forward-protocol udp 69
Router(config)#no ip forward-protocol udp 53
Router(config)#no ip forward-protocol udp 37
Router(config)#no ip forward-protocol udp 137
Router(config)#no ip forward-protocol udp 138
Router(config)#no ip forward-protocol udp 68
Router(config)#no ip forward-protocol udp 49
Now only the BOOTP server request (67) will be forwarded to the DHCP server. If you want to forward a certain port, say TACACS+, use the following command:
Router(config)#ip forward-protocol udp 49
- Cisco's AutoSecure (an interactive script that applies many of the settings above)
Router#auto secure