CCNA (ICND-2) IP Access Control Lists, key points

IP Access Control Lists (ACLs) notes from the CCNA ICND-2 Official Exam Certification Guide, by Wendell Odom.

Standard IP Access Control Lists

IP ACLs cause a router to discard some packets based on criteria defined by the network engineer. They can also be used to filter routing updates, to match packets for prioritization, VPN tunneling, and implementing quality of service (QoS) features. Standard ACLs use simpler logic than extended ACLs. You can filter packets by creating and enabling access lists for both incoming and outgoing packets on each interface.

  • Packets can be filtered as they enter an interface, before the routing decision.
  • Packets can be filtered before they exit an interface, after the routing decision.
  • Deny is the term used in Cisco IOS software to imply that the packet will be filtered.
  • Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.
  • The filtering logic is configured in the access list.
  • At the end of every access list is an implied “deny all traffic” statement. Therefore, if a packet does not match any of your access list statements, it is blocked.

Access lists have two major steps in their logic: matching and action.

The logic that IOS uses with a multiple-entry ACL can be summarized as follows:

  1. The matching parameters of the access-list statement are compared to the packet.
  2. If a match is made, the action defined in this access-list statement (permit or deny) is performed.
  3. If a match is not made in Step 2, repeat Steps 1 & 2 using each successive statement in the ACL until a match is made.
  4. If no match is made with an entry in the access list, the deny action is performed.

wildcard masks

Cisco wildcard masks define the portion of the IP address that should be examined. The wildcard mask’s 0 bits tell the router that those corresponding bits in the address must be compared when performing the matching logic. The binary 1s in the wildcard mask tell the router that those bits do not need to be compared.

sample access list wildcard masks

wildcard mask — binary version of the mask — description

0.0.0.0 — 00000000.00000000.00000000.00000000 — the entire IP address must match
0.0.0.255 — 00000000.00000000.00000000.11111111 — just the first 24 bits must match
0.0.255.255 — 00000000.00000000.11111111.11111111 — just the first 16 bits must match
0.255.255.255 — 00000000.11111111.11111111.11111111 — just the first 8 bits must match
255.255.255.255 — 11111111.11111111.11111111.11111111 — automatically considered to match any and all addresses.
0.0.15.255 — 00000000.00000000.00001111.11111111 — just the first 20 bits must match
0.0.3.255 — 00000000.00000000.00000011.11111111 — just the first 22 bits must match

In many cases, an ACL needs to match all hosts in a particular subnet. To match a subnet with an ACL, you can use the following shortcut:

  • Use the subnet number as the address value in the access-list command.
  • Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.

For example, for subnet 172.16.8.0 255.255.252.0, use the subnet number (172.16.8.0) as the address parameter, and then do the following math to find the wildcard mask:

  255.255.255.255
- 255.255.252.0
-----------------
    0.0.3.255

If you have mastered subnetting math using any of the decimal shortcuts, avoiding binary math, another shortcut can be used to analyze each existing address/wildcard pair in each ACL command. To do so:

  1. Use the address in the access-list command as if it were a subnet number.
  2. Use the number found by subtracting the wildcard mask from 255.255.255.255 as a subnet mask.
  3. Treat the values from the first two steps as a subnet number and subnet mask, and find the broadcast address for the subnet. The ACL matches the range of addresses between the subnet number and broadcast address, inclusively.
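The wildcard arithmetic above, as an added example in Python (not code from the book or from Cisco IOS): the subtraction shortcut for turning a subnet mask into a wildcard, the dotted-binary form used in the table, the bitwise matching rule (0 bits must match, 1 bits are ignored), and the three-step range analysis that returns the subnet number and broadcast address an address/wildcard pair covers. The bitwise check goes slightly beyond the book's subnet shortcut in that it also handles non-contiguous wildcards; the range helper assumes a contiguous wildcard as in the book's examples. All addresses used are constructed sample values.

```python
import ipaddress

# Added example (not from the book): wildcard-mask arithmetic as Cisco IOS applies it.


def wildcard_from_mask(subnet_mask: str) -> str:
    """The book's shortcut: wildcard = 255.255.255.255 - subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def mask_from_wildcard(wildcard: str) -> str:
    """Reverse shortcut (step 2 of the analysis): subnet mask = 255.255.255.255 - wildcard."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def to_binary(dotted: str) -> str:
    """Dotted-binary form, as shown in the wildcard-mask table."""
    return ".".join(format(int(octet), "08b") for octet in dotted.split("."))


def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Bits where the wildcard is 0 must be equal; bits where it is 1 are ignored.
    This is a plain bitwise comparison, so it also works for non-contiguous
    wildcards (e.g. 0.0.1.0), not just the subnet-style ones in the table."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = ~w & 0xFFFFFFFF          # the bits that must be compared
    return (a & care) == (c & care)


def matched_range(address: str, wildcard: str):
    """Steps 1-3 of the decimal shortcut for a contiguous wildcard: treat the
    address/wildcard pair as subnet number/subnet mask and return the
    (subnet number, broadcast address) pair, i.e. the inclusive range matched."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    low = a & (~w & 0xFFFFFFFF)     # clear the don't-care bits -> subnet number
    high = a | w                    # set the don't-care bits   -> broadcast address
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


if __name__ == "__main__":
    # The book's worked example: subnet 172.16.8.0 255.255.252.0
    wc = wildcard_from_mask("255.255.252.0")
    print(wc, to_binary(wc))                                     # 0.0.3.255 00000000.00000000.00000011.11111111
    print(matched_range("172.16.8.0", wc))                       # ('172.16.8.0', '172.16.11.255')
    print(wildcard_matches("172.16.8.0", wc, "172.16.11.254"))   # True
```

Running the block with the book's 172.16.8.0 / 0.0.3.255 pair shows why the shortcut works: clearing the wildcard's 1 bits gives the subnet number, setting them gives the broadcast address, and every candidate in between compares equal on the 0 bits.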

standard IP access list configuration

  1. Plan the location (router and interface) and direction (in or out) on that interface:
    a. Standard ACLs should be placed near to the destination of the packets so that the ACL does not unintentionally discard packets that should not be discarded.
    b. Because standard ACLs can only match a packet’s source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining.
  2. Configure one or more access-list global configuration commands to create the ACL, keeping the following in mind:
    a. The list is searched sequentially, using first-match logic. In other words, when a packet matches one of the access-list statements, the search is over, even if the packet would match subsequent statements.
    b. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet.
  3. Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.

extended IP access control lists

The one key difference between standard and extended ACLs is the variety of fields in the packet that can be compared for matching by extended ACLs. A single extended ACL statement can examine multiple parts of the packet headers, requiring that all parameters be matched correctly to match that one ACL statement.

standard and extended IP access lists: matching

Both standard and extended ACLs — Source IP address, Portions of the source IP address using a wildcard mask.

only extended ACLs — Destination IP address, Portions of the destination IP address using a wildcard mask, Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others), Source port, Destination port, All TCP flows except the first, IP TOS, IP precedence.

matching tcp and udp port numbers

  • The access-list command must use the protocol keyword tcp to be able to match TCP ports and the udp keyword to be able to match UDP ports. The ip keyword does not allow for matching the port numbers.
  • The source port and destination port parameters on the access-list command are positional. In other words, their location in the command determines if the parameter examines the source or destination port.
  • Remember that ACLs can match packets sent to a server by comparing the destination port to the well-known port number. However, ACLs need to match the source port for packets sent by the server.
  • It is useful to memorize the most popular TCP and UDP applications, and their well-known ports.

popular applications and their well-known port numbers

port number(s) — Protocol — Application — Application Name Keyword in access-list Command Syntax
20 — TCP — Ftp data — ftp-data
21 — TCP — Ftp control — ftp
22 — TCP — SSH — (none)
23 — TCP — Telnet — telnet
25 — TCP — SMTP — smtp
53 — UDP, TCP — DNS — domain
67,68 — UDP — DHCP — bootps(67) , bootpc(68)
69 — UDP — TFTP — tftp
80 — TCP — HTTP(WWW) — www
110 — TCP — POP3 — pop3
161 — UDP — SNMP — snmp
443 — TCP — SSL — (none)
16,384-32,767 — UDP — RTP-based voice (VoIP) and video — (none)

the differences between configuring standard and extended ACLs

  • Extended ACLs should be placed as close as possible to the source of the packets to be filtered, because extended ACLs can be configured so that they do not discard packets that should not be discarded. So filtering close to the source of the packets saves some bandwidth.
  • All fields in one access-list command must match a packet for the packet to be considered to match that access-list statement.
  • The extended access-list command uses numbers between 100-199 and 2000-2699, with no number being inherently better than another.

operators used when matching port numbers

Operator in the access-list command — meaning

eq — Equal to
neq — Not equal to
lt — Less than
gt — Greater than
range — Range of port numbers
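The matching rules from the two sections above (all fields of one entry must match, tcp/udp needed for ports, positional source/destination ports, server replies matched on their source port, and the eq/neq/lt/gt/range operators), combined with the first-match and implicit-deny logic from the start of the notes, as an added Python model. This is not code from the book or from IOS; the Packet and Entry classes, the WEB_ACL list and all addresses and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the book or IOS): a small model of how IOS evaluates a
# standard or extended ACL entry by entry, first match wins, implicit deny at the end.


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                  # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None    # only meaningful for tcp/udp
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    protocol: str                      # "ip" (any IP protocol), "tcp", "udp", "icmp", ...
    src: str
    src_wc: str
    dst: str = "0.0.0.0"               # a standard ACL only looks at the source,
    dst_wc: str = "255.255.255.255"    # so the destination defaults to "any"
    sport: Optional[Tuple] = None      # ("eq", 80), ("gt", 1023), ("range", 16384, 32767), ...
    dport: Optional[Tuple] = None      # positional: sport belongs to the source, dport to the destination

    def __post_init__(self):
        # The ip keyword cannot match ports; only tcp and udp can.
        if (self.sport or self.dport) and self.protocol not in ("tcp", "udp"):
            raise ValueError("port operators require protocol tcp or udp")


def addr_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Wildcard 0 bits must match; 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(candidate)) & care)


def port_matches(spec: Optional[Tuple], port: Optional[int]) -> bool:
    """Apply an eq/neq/lt/gt/range operator; no operator means any port."""
    if spec is None:
        return True
    if port is None:
        return False
    op = spec[0]
    if op == "range":
        return spec[1] <= port <= spec[2]
    return {"eq": port == spec[1], "neq": port != spec[1],
            "lt": port < spec[1], "gt": port > spec[1]}[op]


def entry_matches(e: Entry, p: Packet) -> bool:
    """All fields of one entry must match for the entry to match (AND logic)."""
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    return (addr_matches(e.src, e.src_wc, p.src)
            and addr_matches(e.dst, e.dst_wc, p.dst)
            and port_matches(e.sport, p.sport)
            and port_matches(e.dport, p.dport))


def evaluate(acl: List[Entry], p: Packet):
    """First-match logic: stop at the first matching entry. If nothing matches,
    the implied 'deny all' at the end applies (returned with index None)."""
    for index, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, index
    return "deny", None


# Constructed example ACL: clients in 10.1.1.0/24 may reach the web server
# 192.168.1.10 on port 80, and the server's replies (source port 80) may return
# to ephemeral ports on those clients; everything else is denied explicitly.
WEB_ACL = [
    Entry("permit", "tcp", "10.1.1.0", "0.0.0.255", "192.168.1.10", "0.0.0.0", dport=("eq", 80)),
    Entry("permit", "tcp", "192.168.1.10", "0.0.0.0", "10.1.1.0", "0.0.0.255",
          sport=("eq", 80), dport=("gt", 1023)),
    Entry("deny", "ip", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    print(evaluate(WEB_ACL, Packet("10.1.1.5", "192.168.1.10", "tcp", 40000, 80)))    # ('permit', 0)
    print(evaluate(WEB_ACL, Packet("192.168.1.10", "10.1.1.5", "tcp", 80, 40000)))    # ('permit', 1)
    print(evaluate(WEB_ACL, Packet("10.1.1.5", "192.168.1.10", "tcp", 40000, 443)))   # ('deny', 2)
```

The second entry is the point the notes make about server traffic: the reply from the server carries 80 as its source port, so the entry that permits it must put the eq 80 operator in the source position, with gt 1023 on the destination side to cover the client's ephemeral port. Dropping the final explicit deny does not change the result for unmatched packets, only the index that is reported, which is the implicit deny at work.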

Advances in Managing ACL Configuration

Named IP Access lists

Named ACLs can be used to match the same packets, with the same parameters, that can be matched with standard and extended IP ACLs. The most obvious difference is that IOS identifies named ACLs using names you make up, as opposed to numbers, and you have a better chance of remembering names. At the time named IP access lists were introduced, another advantage was being able to delete a single line.

With IOS 12.3 Cisco expanded IOS to be able to delete individual lines in numbered ACLs, making IOS support for editing both named and numbered ACLs equivalent.

Editing ACLs Using Sequence Numbers

  • An individual ACL permit or deny statement can be deleted just by referencing the sequence number, without deleting the rest of the ACL.
  • Newly added permit and deny commands can be configured with a sequence number, dictating the location of the statement within the ACL.
  • Newly added permit and deny commands can be configured without a sequence number, with IOS creating a sequence number and placing the command at the end of the ACL.

ACL Implementation Considerations

  • Create your ACLs using a text editor outside the router, and copy and paste the configurations into the router. (Even with the ability to delete and insert lines into an ACL, creating the commands in an editor will still likely be an easier process.)
  • Place extended ACLs as close as possible to the source of the packet to discard the packets quickly.
  • Place standard ACLs as close as possible to the packet’s destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.
  • Place more-specific statements early in the ACL.
  • Disable an ACL from its interface (using the no ip access-group command) before making changes to the ACL.

Reflexive Access Lists

Reflexive ACLs, also called IP session filtering, provide a way to prevent a class of security attacks by permitting each allowed TCP or UDP session on an individual basis. To do so, the router reacts when seeing the first packet in a new session between two hosts. It reacts to the packet by adding a permit statement to the ACL, allowing the session’s traffic based on the source and destination IP addresses and TCP/UDP ports.

Reflexive ACLs require some additional configuration, as well as the use of named extended ACL configuration.
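The reflexive behaviour described above, as an added Python simulation (not code from the book or from IOS): an outbound permit for TCP/UDP sessions from the inside network "reflects" each session by recording its mirror image (addresses and ports swapped), the inbound side permits only packets that match a reflected entry, and entries disappear after an idle timeout. The inside prefix 10.1.1.0/24, the 300-second timeout and the flows are constructed values; the real feature's timeout is a configured setting and its TCP handling of session teardown is not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict

# Added example (not from the book or IOS): a simplified model of reflexive ACL
# (IP session filtering) behaviour. Outbound TCP/UDP sessions from the inside
# network are permitted and "reflected": the router records the mirror-image
# flow so only the matching return traffic is let back in, until the entry times out.


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The return direction: source and destination address/port swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveFilter:
    def __init__(self, inside_prefix: str, timeout: int = 300):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.timeout = timeout                    # idle timeout in seconds (assumed value)
        self.reflected: Dict[Flow, float] = {}    # permitted return flow -> expiry time

    def _expire(self, now: float) -> None:
        """Drop reflected entries that have been idle past the timeout."""
        self.reflected = {f: exp for f, exp in self.reflected.items() if exp > now}

    def outbound(self, flow: Flow, now: float) -> str:
        """Outbound ACL: permit tcp/udp from the inside network and reflect it;
        anything else falls through to the implicit deny."""
        self._expire(now)
        if flow.proto not in ("tcp", "udp") or ipaddress.ip_address(flow.src) not in self.inside:
            return "deny"
        self.reflected[flow.reverse()] = now + self.timeout
        return "permit"

    def inbound(self, flow: Flow, now: float) -> str:
        """Inbound ACL: evaluate the reflected entries; a hit refreshes the
        timer, anything else falls through to the implicit deny."""
        self._expire(now)
        if flow in self.reflected:
            self.reflected[flow] = now + self.timeout
            return "permit"
        return "deny"

    def active_sessions(self) -> int:
        return len(self.reflected)


if __name__ == "__main__":
    fw = ReflexiveFilter("10.1.1.0/24", timeout=300)
    out = Flow("tcp", "10.1.1.5", 40000, "203.0.113.7", 80)
    print(fw.outbound(out, now=0))                                              # permit, creates the reflected entry
    print(fw.inbound(out.reverse(), now=5))                                     # permit: the reply we asked for
    print(fw.inbound(Flow("tcp", "203.0.113.7", 80, "10.1.1.5", 40001), now=5))  # deny: unsolicited
    print(fw.inbound(out.reverse(), now=400))                                   # deny: entry expired after 300 s idle
```

The contrast with the static "permit replies from source port 80" style of entry is the point: the reflexive entry is keyed on the full address and port pair of a session the inside host actually started, so an outside host cannot reach an inside port simply by setting its own source port to 80.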

Dynamic ACLs

Dynamic ACLs tie the ACL to a user authentication process. Instead of starting by trying to connect to the server, the users must be told to first telnet to a router. The router asks for a username/password combination. If it is authentic, the router dynamically changes its ACL, permitting traffic from the IP address of the host that just sent the authentication packets. After a period of inactivity, the router removes the dynamic entry in the ACL, closing the potential hole.

Time-Based ACLs

The term time-based ACL refers to a feature of normal IP ACLs (both numbered and named) in which a time constraint can be added to the configuration commands. This allows for users to log in during certain hours of the day, days of the week etc. IOS either keeps or removes the statements from the ACL during the appropriate times of day.

Command reference

access-list access-list-number {deny | permit} source [source-wildcard] [log] — Global command for standard numbered access lists. Use a number between 1 and 99 or 1300 and 1999, inclusive.

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log] — Global command for extended numbered access lists. Use a number between 100 and 199 or 2000 and 2699, inclusive.

access-list access-list-number {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log] — A version of the access-list command with TCP-specific parameters.

access-list access-list-number remark text — Defines a remark that helps you remember what the ACL is supposed to do.

ip access-group {number | name} [in | out] — Interface subcommand to enable access lists.

access-class {number | name} [in | out] — Line subcommand to enable either standard or extended access lists.

ip access-list {standard | extended} name — Global command to configure a named standard or extended ACL and enter ACL configuration mode.

{deny | permit} source [source-wildcard] [log] — ACL mode subcommand to configure the matching details and action for a standard named ACL.

{deny | permit} protocol source source-wildcard destination destination-wildcard [log] — ACL mode subcommand to configure the matching details and action for an extended named ACL.

{deny | permit} tcp source source-wildcard [operator[port]] destination destination-wildcard [operator[port]] [log] — ACL mode subcommand to configure the matching details and action for a named ACL that matches TCP segments.

remark text — ACL mode subcommand to configure a description of a named ACL.

show ip interface [type number] — Includes a reference to the access lists enabled on the interface.

show access-lists [access-list-number | access-list-name] — Shows details of configured access lists for all protocols.

show ip access-list [access-list-number | access-list-name] — Shows IP access lists.
