Networking, Routers and Routing


    Chapter 11

    Access Control Lists

    These notes guide you through the basics of Access Control Lists.

    Introduction

    Access Control Lists (ACLs)

    Standard Access Control Lists
            Creating Standard ACLs
            Viewing ACLs
            Removing ACLs

    Shortcut Statements
            Implicit Deny
            Any Statement
            Host Statement

    Extended Access Control Lists
            Creating Extended ACLs
            Established Traffic

    Summary

    Introduction

    Most routers come with basic traffic filtering capabilities that allow you to regulate traffic flowing in and out of your network and secure your network at its access points. To set up a router to filter traffic, you must specify a list of rules for the router to follow so it can determine whether traffic is allowed through or not. The list is called an Access Control List (ACL).

    ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at a router's interfaces. An ACL enabled router examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the access list.

    One of the most important reasons to configure ACLs is to provide security for your network.

     

    Access Control Lists (ACLs)

    Access Control Lists are used to:

    • Prioritize traffic
    • Provide basic security
    • Block particular types of traffic

    Access Control List Types:

    Cisco ACLs are divided into different types as the table below shows. There are ACLs for standard IP, extended IP, AppleTalk, IPX and so on. We will just be looking at standard and extended ACLs. The number range you choose defines the type of ACL you want.

    Range          Protocol
    1-99           IP (standard)
    100-199        Extended IP
    600-699        AppleTalk
    800-899        IPX
    900-999        Extended IPX
    1000-1099      IPX SAP

    So, when you create an ACL you have to assign a number to the list so that the router knows which type of ACL you want to work with. For example, look at the ACL command fragment below:-

    Router(config)# access-list 1

    The number 1 tells the router that you want to create a standard ACL. Here is another example:-

    Router(config)# access-list 101

    The number 101 tells the router that you want to create an extended ACL.

     

    Standard Access Control Lists

    A Standard Access Control List is probably the most commonly used object in the IOS. Standard ACLs are relatively simple to define since they are concerned with just the source of the traffic you wish to permit or deny.


    Creating Standard ACLs

    Standard ACLs only allow you to permit or deny traffic from specific source IP address ranges. The destination of the packet and the ports involved do not matter. Here is an example:

    access-list 1 permit 192.168.20.0  0.0.0.255

    This list allows traffic from all addresses in the range 192.168.20.0 to 192.168.20.255.

    Now, although the last entry of 0.0.0.255 looks similar to a subnet mask it is NOT. Irritatingly, with Cisco ACLs you have to use inverse subnet masks - which are also known as wildcard masks. We will look at wildcard masks a bit later. For now, you can remember the following:-

    A standard Class A network wildcard mask is - 0.255.255.255

    A standard Class B network wildcard mask is - 0.0.255.255

    A standard Class C network wildcard mask is - 0.0.0.255

    Here are another couple of ACL examples:-

    access-list 1 permit 200.200.10.0  0.0.0.255

    access-list 1 deny 145.95.5.0  0.0.255.255

    The first statement in the list allows traffic from network 200.200.10.0/24. The second statement denies traffic from network 145.95.5.0/16.


    Viewing ACLs

    It is always a good idea to view an ACL after you have created it, to check that it is correct. You may also want to view other ACLs that may have been configured previously. The commands are:-

    show access-lists      shows all access lists.
    show access-list 1     shows access list 1
    show ip interface      find out which ACLs are on which interfaces


    Removing ACLs

    It is extremely simple to remove an ACL, just use the 'no' command with the appropriate access list number:-

    no access-list 1

    Painless huh!

    That is, unless you remove the list by mistake. You should note that removing an ACL permanently deletes it from the router configuration. You should also be aware that when you delete an access list that is currently applied to an interface, all traffic entering through that interface will be allowed in until you apply a new access list to the interface.

    Activity A (Questions 1 to 4)

     

    Shortcut Statements

    There are a few shortcut commands you will find useful when creating ACLs.

    Any Statement

    The 'any' statement means just what you think it means: any host or device regardless of its IP address. Another way of saying this is to use the address 0.0.0.0 with the wildcard mask 255.255.255.255. So,

    any   ==   0.0.0.0 255.255.255.255  ==    any IP address

    Thus, the following two statements have the same effect; they both mean allow anyone access.

    access-list 10 permit 0.0.0.0 255.255.255.255
    access-list 10 permit any


    Host Statement

    The host statement is effectively the opposite of the any statement. You use it when you want to specify one particular IP address. The following two statements have the same effect and mean allow access from the host with IP address 200.200.20.3:

    access-list 10 permit 200.200.20.3 0.0.0.0
    access-list 10 permit host 200.200.20.3

    The 0s in a wildcard mask mean that the corresponding binary digits of the IP address must be an EXACT MATCH. For example, the statement 200.200.20.3 0.0.0.0 means that every bit of the source IP address of an incoming packet is compared with the corresponding bit of 200.200.20.3, and all of them must match. That is why the wildcard mask of 0.0.0.0 can be replaced by the host statement, since only one particular IP address will EXACTLY match.


    Implicit Deny

    Here is something you should always keep in mind! There is an implicit deny added to every access list by default. A deny command looks like this:-

    access-list 10 deny any

    The implicit part means that you do not have to add this to your access control list yourself; it is added automatically to the end of your ACL.

    So if you entered the command:

    access-list 10 permit 192.168.9.0 0.0.0.255

    and then decide to view your ACL using the command:-

    show access-list 10

    The output would be:

    access-list 10 permit 192.168.9.0 0.0.0.255
    access-list 10 deny any
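To make the matching rules above concrete, here is an added Python example (it is not from these notes and is not Cisco IOS code) that parses standard access-list lines from a constructed sample configuration, applies the wildcard masks, the host and any shortcuts, and the top-to-bottom first-match rule with the implicit deny at the end. The function names, the SAMPLE_CONFIG text and the show_access_list rendering (which appends the hidden deny so you can see it) are this example's own assumptions.

```python
import ipaddress

def ip_to_int(text):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

def wildcard_match(address, base, wildcard):
    """True when `address` matches `base` under a Cisco wildcard mask.

    A 0 bit in the wildcard means the corresponding bit of the address must
    equal the base exactly; a 1 bit means 'don't care'.  This is the inverse
    of a subnet mask: 0.0.0.255 covers one /24, 0.0.255.255 one /16, and
    0.0.0.0 exactly one host.
    """
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(address) & care) == (ip_to_int(base) & care)

def parse_standard_entry(line):
    """Parse one 'access-list N permit|deny <source>' line.

    Returns (number, action, base, wildcard).  Accepts the three source forms
    used in the notes: 'A.B.C.D W.X.Y.Z', 'host A.B.C.D' and 'any'.
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError("not a standard access-list line: %r" % line)
    number, action, source = int(parts[1]), parts[2], parts[3:]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: %r" % line)
    if source == ["any"]:
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif len(source) == 2 and source[0] == "host":
        base, wildcard = source[1], "0.0.0.0"
    elif len(source) == 2:
        base, wildcard = source
    else:
        raise ValueError("unrecognised source in: %r" % line)
    return number, action, base, wildcard

def build_acl(config_text, number):
    """Collect the entries for one list number, in the order they were typed."""
    entries = [parse_standard_entry(line) for line in config_text.splitlines() if line.strip()]
    return [entry for entry in entries if entry[0] == number]

def evaluate(acl, source_ip):
    """Walk the list top to bottom; the first matching entry decides.

    If no entry matches, the implicit 'deny any' at the end of every ACL
    applies, so an empty list denies everything.
    """
    for _number, action, base, wildcard in acl:
        if wildcard_match(source_ip, base, wildcard):
            return action
    return "deny"

def show_access_list(acl):
    """Render the entries, with the normally hidden implicit deny appended."""
    lines = []
    for number, action, base, wildcard in acl:
        if wildcard == "255.255.255.255":
            source = "any"
        elif wildcard == "0.0.0.0":
            source = "host " + base
        else:
            source = base + " " + wildcard
        lines.append("access-list %d %s %s" % (number, action, source))
    if acl:
        lines.append("access-list %d deny any" % acl[0][0])
    return lines

# Constructed sample configuration (entries taken from the examples in the notes).
SAMPLE_CONFIG = """
access-list 1 permit 200.200.10.0 0.0.0.255
access-list 1 deny 145.95.5.0 0.0.255.255
access-list 10 permit host 200.200.20.3
access-list 10 permit 192.168.9.0 0.0.0.255
"""

if __name__ == "__main__":
    acl_10 = build_acl(SAMPLE_CONFIG, 10)
    print("\n".join(show_access_list(acl_10)))
    for ip in ("200.200.20.3", "200.200.20.4", "192.168.9.250", "10.1.1.1"):
        print(ip, "->", evaluate(acl_10, ip))
```

Note that the order of entries matters: because evaluation stops at the first match, a permit placed above a narrower deny silently swallows it, which is the usual cause of an ACL that "looks right" but lets unwanted traffic through.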

    Activity B

    Now answer the following questions:-

    1. Write an ACL numbered 10 to deny access to host 200.30.1.3
    2. Write an ACL numbered 20 to permit access to host 172.16.4.40
    3. Write an ACL numbered 30 to permit access to anyone
    4. What is the hidden last statement of an ACL called?

     

    Extended Access Control Lists

    Extended ACLs are more flexible than standard ACLs. They allow you greater control over the incoming and outgoing traffic on your network. You can specify not only a source address but a destination address too, as well as the type of traffic you want to permit or deny.


    Creating Extended ACLs

    Extended ACLs, just like standard ACLs, allow you to permit or deny traffic from specific source IP addresses. However, extended ACLs are more particular because you can also specify whether the destination IP address is allowed to receive the traffic or not.

    Even better, you can permit or deny traffic depending on the type of traffic; for example, TCP, UDP, ICMP, etc. Thus, extended ACLs are much more powerful than standard ACLs. In fact, the granularity of extended ACLs is such that you can use them as a packet filtering firewall to protect your network.

    Before proceeding further, let's freshen up on the standard TCP and UDP port numbers.

    TCP Port    Protocol            UDP Port    Protocol
    21          FTP                 53          DNS
    23          Telnet              69          TFTP
    25          SMTP (mail)         161         SNMP
    80          HTTP
    443         Secure HTTP

    It is useful to know the standard port numbers when configuring ACLs, so try this activity to see how many you can remember.

    Activity C: flip card activity on TCP and UDP port numbers.

    Typically, when securing a network you would allow outgoing traffic but block incoming traffic. Of course, you might want to block your users from accessing certain sites on the Internet or stop them using particular ports so that Kazaa, messenger services, FTP etc. are blocked. However, your main concern will be to stop anyone on the Internet or other networks being able to access your internal network. If you have servers that are meant to be accessed by users on the Internet, then you would block all incoming traffic from the Internet, except the specific traffic meant for your servers.

    Let's have an example:-

         access-list 101 permit tcp any host 200.200.9.1 eq 80

    This ACL permits traffic arriving from any source to reach the particular host with the IP address 200.200.9.1, provided the traffic type is TCP and it is destined for port 80 on that host. To remind you, web servers typically listen on port 80, so this ACL is probably meant to allow external traffic to reach a web server. All other types of traffic would be denied by the implicit deny statement at the end of every ACL.

    Let's have another example:-

         access-list 101 permit tcp 200.200.9.0 0.0.0.255 any eq 80

    This ACL permits traffic originating from the 200.200.9.0 network to communicate with any host, providing the traffic type is TCP and it is destined for port 80 on the destination host. You might use an ACL similar to this to allow users on your network access to web servers on the Internet. This would allow them to browse web pages and nothing else.

    A couple more examples:

         access-list 101 deny tcp 172.16.5.0 0.0.0.255 any eq 23
     
         access-list 101 deny tcp any host 200.200.10.5 lt 1025

    The first statement stops hosts on network 172.16.5.0/24 from sending Telnet traffic (TCP destination port 23) to any host.

    The second statement stops traffic from any network reaching host 200.200.10.5 if the destination port is less than 1025. The 'lt' means 'less than'. Here are two more examples:-

         access-list 101 permit tcp any host 200.200.10.5 neq 21
     
         access-list 101 deny tcp any 200.200.10.0 0.0.0.255 gt 25
         

    The first statement allows traffic from any network to host 200.200.10.5 provided it is not intended for destination port 21. The 'neq' means 'not equal to'.

    The second statement denies incoming traffic to network 200.200.10.0 from anywhere if the destination TCP port number is greater than 25. The 'gt' means 'greater than'.


    Established Traffic

    Do you recall the TCP three-way handshake? A host that initiates communication with another host first sends a packet with the SYN flag set. The receiving host then sends a SYN-ACK back. The originating host then sends an ACK to finalize the handshake.

    So the sequence is: SYN, then SYN-ACK, then ACK.

    What do you suppose would happen if a rogue computer skipped the SYN part and sent a SYN-ACK packet first? A router running an ACL might think that the rogue computer was just responding to a communication from a host on the inside of the network and it might just allow the packet IN. In other words, the rogue computer would have initiated the communication from outside your network with a host or device inside your network.

    To stop this sort of activity you use the established command. Here's an example:-

     access-list 101 permit tcp any 200.200.9.0 0.0.0.255 established

    This only permits incoming traffic to the 200.200.9.0 network if the connection was first initiated from a host inside the network, such as when a website is replying to the host. Any external host that tries to initiate a connection into the network from outside is rejected.
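As an added example that is not part of these notes, the following Python extends the same idea to extended ACLs: it parses the source, destination, port operator (eq, neq, lt, gt) and established forms used above, represents a packet as a dict (proto, src, dst, sport, dport, flags), and walks a constructed list 101 top to bottom with the implicit deny at the end. The packet dict layout, the helper names and SAMPLE_CONFIG are assumptions of this example, not IOS behaviour the notes describe.

```python
import ipaddress

def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(address, base, wildcard):
    """Cisco wildcard comparison: 0 bits must match exactly, 1 bits are ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(address) & care) == (ip_to_int(base) & care)

# Port operators used in the notes (assumption: only these four are supported here).
PORT_OPERATORS = {
    "eq": lambda port, n: port == n,
    "neq": lambda port, n: port != n,
    "lt": lambda port, n: port < n,
    "gt": lambda port, n: port > n,
}

def take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the front of tokens."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def take_port(tokens):
    """Consume an optional 'eq|neq|lt|gt N' clause; None when absent."""
    if tokens and tokens[0] in PORT_OPERATORS:
        return (tokens[0], int(tokens[1])), tokens[2:]
    return None, tokens

def parse_extended_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC [op port] DST [op port] [established]'."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "access-list":
        raise ValueError("not an extended access-list line: %r" % line)
    number, action, proto = int(parts[1]), parts[2], parts[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: %r" % line)
    src, rest = take_address(parts[4:])
    sport, rest = take_port(rest)
    dst, rest = take_address(rest)
    dport, rest = take_port(rest)
    established = rest == ["established"]
    if rest and not established:
        raise ValueError("unexpected tokens %r in: %r" % (rest, line))
    return {"number": number, "action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport, "established": established}

def matches(entry, packet):
    """True when one entry matches a packet dict (proto, src, dst, sport, dport, flags)."""
    if entry["proto"] != "ip" and entry["proto"] != packet["proto"]:
        return False
    if not wildcard_match(packet["src"], *entry["src"]):
        return False
    if not wildcard_match(packet["dst"], *entry["dst"]):
        return False
    for key in ("sport", "dport"):
        if entry[key] is not None:
            operator, number = entry[key]
            if not PORT_OPERATORS[operator](packet.get(key, 0), number):
                return False
    if entry["established"]:
        # 'established' is a flag test, not connection tracking: the segment must
        # carry ACK or RST, which the SYN that opens a connection from outside lacks.
        if not ({"ACK", "RST"} & packet.get("flags", set())):
            return False
    return True

def build_acl(config_text, number):
    """Entries for one list number, in the order typed (first match will win)."""
    entries = [parse_extended_entry(line) for line in config_text.splitlines() if line.strip()]
    return [entry for entry in entries if entry["number"] == number]

def evaluate(acl, packet):
    """Walk top to bottom; no match falls through to the implicit deny."""
    for entry in acl:
        if matches(entry, packet):
            return entry["action"]
    return "deny"

# Constructed sample list made from statements discussed in the notes (not a real device config).
SAMPLE_CONFIG = """
access-list 101 permit tcp any host 200.200.9.1 eq 80
access-list 101 deny tcp any host 200.200.10.5 lt 1025
access-list 101 permit tcp any host 200.200.10.5 neq 21
access-list 101 permit tcp any 200.200.9.0 0.0.0.255 established
"""

def tcp(src, dst, dport, *flags):
    """Build a TCP packet dict for testing; flags are names such as 'SYN', 'ACK'."""
    return {"proto": "tcp", "src": src, "dst": dst, "sport": 40000,
            "dport": dport, "flags": set(flags)}

if __name__ == "__main__":
    acl_101 = build_acl(SAMPLE_CONFIG, 101)
    for pkt in (tcp("8.8.8.8", "200.200.9.1", 80, "SYN"),
                tcp("8.8.8.8", "200.200.9.1", 443, "SYN"),
                tcp("8.8.8.8", "200.200.9.1", 443, "ACK")):
        print(pkt["dst"], pkt["dport"], sorted(pkt["flags"]), "->", evaluate(acl_101, pkt))
```

The established check deserves a caveat when you rely on it as a firewall: it only inspects the ACK and RST bits of each segment, it keeps no record of which connections were actually opened from inside, so it is weaker than stateful inspection (which a dedicated firewall or a stateful IOS feature provides). It does, however, reliably stop the plain SYN that every new inbound TCP connection must start with, which is what the notes use it for.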

    Activity D (Questions 1 to 4; Questions 5 to 8 if you still need the practice)

     

    Summary

    On completing these notes you should understand the following points:-

    • ACLs allow a router to permit or deny packets based on rules that you define.
    • Standard ACLs consider only the source IP address for matches.
    • Extended ACLs consider both the source and destination of the packet, and can consider the protocol and port number as well.
    • The numerical ranges used for standard ACLs are 1-99 and 1300-1399.
    • The numerical ranges used for extended ACLs are 100-199 and 2000-2699.
    • If a packet enters or exits an interface with an ACL applied, the packet is compared against each statement in the ACL.
    • The ACL statements are examined from top to bottom; processing stops at the first match.
    • If a match is found in the ACL, the corresponding "permit" or "deny" action is taken.
    • If there is no match in the ACL, the implicit deny rule is applied.
    • There is an implicit deny at the end of every ACL: if packets are not expressly permitted, they are implicitly denied.
     
     
