Chapter 7 Access Control Lists
Purpose of ACLs
What is an ACL?
An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
When an ACL is applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded.
In addition, ACLs can be used to classify traffic to enable
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
ACLs do not act on packets that originate from the router itself.
ACLs can be configured to apply to inbound traffic and to outbound traffic.
Outbound ACLs: incoming packets are routed to the outbound interface first and are then processed through the outbound ACL.
Inbound ACLs: incoming packets are processed before they are routed to the outbound interface. This saves the overhead of a routing lookup if the packet is discarded. If the packet is permitted by the ACL, it is then processed for routing.
Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of packets that need to be examined.
Use the R1# show access-lists [number | name] command to list the access lists on the router (if there is only one access list, the number or name is not necessary), and a separate show command to see the interface that an access list is assigned to.
Use the R1(config-if)# no ip access-group command to remove an access list from an interface, and the no form of the access-list command at the R1(config)# prompt to remove an ACL.
Wildcard Masks in ACLs
Introducing ACL Wildcard Masking
ACEs (Access Control Entries) include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
Wildcard masks use binary 1s and 0s to filter individual IPv4 addresses or groups of IPv4 addresses to permit or deny access to resources.
Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.
Calculating the Wildcard Mask
Consider an example in which you need to match networks in the range between 192.168.16.0/24 to 192.168.31.0/24. These networks would summarize to 192.168.16.0/20. In this case, 0.0.15.255 is the correct wildcard mask to configure one efficient ACL statement, as shown below:
access-list 10 permit 192.168.16.0 0.0.15.255
Now assume you wanted to match only networks 192.168.10.0 and 192.168.11.0. Again, you take 255.255.255.255 and subtract the regular subnet mask, which in this case would be 255.255.254.0. The result is 0.0.1.255.
You could accomplish the same result with statements like the two shown below:
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.11.0 0.0.0.255
but it is far more efficient to configure the wildcard mask in the following way:
R1(config)# access-list 10 permit 192.168.10.0 0.0.1.255
Wildcard Mask Keywords
The host and any keywords help identify the most common uses of wildcard masking.
These keywords eliminate entering wildcard masks when identifying a specific host or an entire network.
The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match, filtering just one host address.
The any option substitutes for the IPv4 address and the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address, accepting any address.
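As an added worked example (not part of the chapter), the following Python reproduces the wildcard-mask arithmetic above: it subtracts a subnet mask from 255.255.255.255, summarizes a contiguous range of networks into the single address/wildcard pair for one ACE, flags when that summary covers more networks than were requested, and maps the two special masks to the host and any keywords. The function names are my own.

```python
import ipaddress

def wildcard_from_mask(subnet_mask):
    """255.255.255.255 minus the subnet mask, done bit-wise (same result as the
    chapter's per-octet subtraction, since no borrows ever occur)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(subnet_mask))))

def summary_ace(first_network, last_network):
    """Summarize a contiguous range of networks into one (address, wildcard) pair
    for a single 'access-list <n> permit <address> <wildcard>' statement, and
    report whether the summary covers exactly the requested range or more."""
    lo = ipaddress.IPv4Network(first_network)
    hi = ipaddress.IPv4Network(last_network)
    lo_int, hi_int = int(lo.network_address), int(hi.broadcast_address)
    prefix = 32
    # Shorten the prefix until both ends of the range share the same leading bits.
    while prefix > 0 and (lo_int >> (32 - prefix)) != (hi_int >> (32 - prefix)):
        prefix -= 1
    summary = ipaddress.IPv4Network((lo_int >> (32 - prefix) << (32 - prefix), prefix))
    wildcard = wildcard_from_mask(str(summary.netmask))
    exact = (summary.network_address == lo.network_address
             and summary.broadcast_address == hi.broadcast_address)
    return str(summary.network_address), wildcard, exact

def keyword_form(address, wildcard):
    """Use the keyword shorthand IOS accepts for the two special masks."""
    if wildcard == "0.0.0.0":
        return "host " + address
    if wildcard == "255.255.255.255":
        return "any"
    return address + " " + wildcard

def ace_line(number, action, first_network, last_network):
    """Build the single numbered standard-ACL statement covering a network range.
    The second value warns when the statement also matches networks outside it."""
    address, wildcard, exact = summary_ace(first_network, last_network)
    return "access-list %d %s %s" % (number, action, keyword_form(address, wildcard)), exact
```

A range such as 192.168.16.0/24 to 192.168.30.0/24 still summarizes to 0.0.15.255, so the returned flag is False: the one-line ACE would also permit 192.168.31.0/24.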
Guidelines for ACL Creation
General Guidelines for Creating ACLs
Rules for Applying ACLs
You can configure one ACL per protocol, per direction, per interface:
One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
One ACL per interface - ACLs control traffic for an interface, for example, GigabitEthernet 0/0.
ACL Best Practices
Guidelines for ACL Placement
Where to Place ACLs
Standard IPv4 ACLs
Configure Standard IPv4 ACLs
Numbered Standard IPv4 ACL Syntax
You must first create the standard ACL and then activate the ACL on an interface.
The access-list global configuration command defines a standard ACL with a number in the range of 1 through 99.
Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to be used for standard ACLs. This allows for a maximum of 799 possible standard ACLs. These additional numbers are referred to as expanded IPv4 ACLs.
To ensure that the administrator and others recall the purpose of a statement, remarks should be included. The remark keyword is used for documentation and makes access lists a great deal easier to understand (limited to 100 characters).
When reviewing the ACL in the configuration using the show run command, the remark is also displayed.
To remove the ACL, the no form of the access-list command is used at the global configuration prompt R1(config)#. The show access-lists command then confirms that access list 10 has been removed.
Applying Standard IPv4 ACLs to Interfaces
To remove an ACL from an interface, first enter the no ip access-group command on the interface.
Recall that there is an implicit deny all statement that is equivalent to adding the line
access-list 1 deny 0.0.0.0 255.255.255.255
(or, using the keyword, access-list 1 deny any)
to the end of the ACL.
Named Standard IPv4 ACL Syntax
Modify IPv4 ACLs
Method 1 - Use a Text Editor
Method 2 - Use Sequence Numbers
Editing Standard Named ACLs
The counters can be cleared using the clear access-list counters command. This command can be used alone or with the number or name of a specific ACL.
Securing VTY ports with a Standard IPv4 ACL
The access-class Command
Verifying the VTY Port is Secured
Processing Packets with ACLs
The Implicit Deny Any
At least one permit ACE must be configured in an ACL or all traffic is blocked.
The Order of ACEs in an ACL
ACEs are processed sequentially; therefore, the order in which ACEs are entered is important.
Cisco IOS Reorders Standard ACLs
The order in which standard ACEs are entered may not be the order that they are stored, displayed, or processed by the router.
The host statements are all valid statements because their host IPv4 addresses are not part of the previously entered range statements.
Notice that the statements are listed in a different order than they were entered.
The sequence number indicates the order that the statement was entered, not the order the statement will be processed.
The IOS puts host statements in an order using a special hashing function. The resulting order optimizes the search for a host ACL entry.
The hashing function is only applied to host statements in an IPv4 standard access list.
The range statements are displayed after the host statements.
These statements are listed in the order in which they were entered.
Recall that standard and numbered ACLs can be edited using sequence numbers. When inserting a new ACL statement, the sequence number will only affect the location of a range statement in the list. Host statements will always be put in order using the hashing function.
After saving the running configuration, the router is reloaded. The show access-lists command displays the ACL in the same order; however, the statements have been renumbered, and the sequence numbers are now in numerical order.
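An added example (not from the chapter) that walks a standard ACL the way the text describes: host ACEs are evaluated before range ACEs regardless of entry order, the ACEs are then tried top to bottom with the first match deciding, and a packet that matches nothing hits the implicit deny. The ACL contents and function names are constructed for illustration; the hash order IOS applies among host ACEs is not reproduced, which cannot change the verdict as long as no two host ACEs name the same address.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse one standard ACE in IOS syntax -> (action, base, wildcard, is_host)."""
    tokens = line.split()
    if tokens[0] == "access-list":          # numbered form: access-list <n> permit ...
        tokens = tokens[2:]
    action, args = tokens[0], tokens[1:]
    if args[0] == "any":                    # any == 0.0.0.0 255.255.255.255
        return action, 0, 0xFFFFFFFF, False
    if args[0] == "host":                   # host A.B.C.D == A.B.C.D 0.0.0.0
        args = [args[1], "0.0.0.0"]
    base = _ip(args[0])
    wild = _ip(args[1]) if len(args) > 1 else 0   # bare address: IOS assumes 0.0.0.0
    return action, base, wild, wild == 0

def matches(addr, base, wild):
    # Wildcard bit 0: the address bit must equal the ACE bit; bit 1: ignored.
    care = ~wild & 0xFFFFFFFF
    return _ip(addr) & care == base & care

def processing_order(lines):
    """Host ACEs first (IOS hashes them ahead of range ACEs), then range ACEs in
    entry order. Entry order among host ACEs stands in for the hash (assumption)."""
    aces = [parse_ace(line) for line in lines]
    return [a for a in aces if a[3]] + [a for a in aces if not a[3]]

def evaluate(lines, src_ip):
    # First matching ACE decides; no match falls through to the implicit deny any.
    for action, base, wild, _ in processing_order(lines):
        if matches(src_ip, base, wild):
            return action
    return "deny"

# Constructed ACLs (not from the chapter): deny the lower half of 192.168.10.0/24
# and one host, permit the rest of the /24.
ENTERED_WRONG = [
    "access-list 10 permit 192.168.10.0 0.0.0.255",
    "access-list 10 deny 192.168.10.0 0.0.0.127",   # range ACE: shadowed by the permit
    "access-list 10 deny host 192.168.10.200",      # host ACE: IOS still processes it first
]
ENTERED_RIGHT = [
    "access-list 10 deny 192.168.10.0 0.0.0.127",
    "access-list 10 deny host 192.168.10.200",
    "access-list 10 permit 192.168.10.0 0.0.0.255",
]
```

With ENTERED_WRONG, 192.168.10.5 is permitted because the broader permit is reached before the range deny, while 192.168.10.200 is still denied because the host ACE is moved ahead of both range ACEs.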
Common IPv4 Standard ACL Errors
The most common errors are entering ACEs in the wrong order and not specifying adequate ACL rules. Other common errors include applying the ACL using the wrong direction, the wrong interface, or the wrong source addresses.
In these cases, the show run command filtered to view the interface configurations reveals that ACL 20 was applied to the wrong interface and in the wrong direction.