Access Control Lists

In computer networks, an Access Control List (ACL), or access list, is a list of rules that control the flow of packets to and from a networking device such as a router, switch or firewall. The implementation differs slightly from platform to platform, but the purpose and behavior are the same.

An access list works like a sequence of programmatic statements: each takes a specific action when a specific condition is met. One of the most common uses of access control lists is filtering unwanted traffic when implementing security policies in computer networks. Once an access list is built, it can be applied to an interface for either inbound or outbound traffic. Applying an access list causes the device to analyze every packet crossing that interface in the specified direction and take the appropriate action.

Rules to Create Effective ACLs
  • An access list is always processed sequentially, from the top (first line) to the bottom (last line). Every packet entering or leaving the interface is checked against each line of the access list in turn until a match occurs.
  • Once a match occurs, the packet is not compared against the remaining statements; it is forwarded or dropped according to the matching statement.
  • At the end of every access list there is an implicit “deny” statement, so a packet that matches none of the lines is dropped.
  • Order the access list so that the more specific tests are at the top.
  • Only one access list can be applied per interface per direction: one inbound and one outbound access list per interface.
  • After creating an access list, remember to apply it to an interface. It does nothing until it is applied.
  • Access lists do not filter traffic originating from the device itself (switch, router or firewall); they act on traffic passing through the device.
  • Apply standard access lists as close to the destination as possible, because they can only filter on the source address.
  • Apply extended access lists as close to the source as possible, because they can filter on source and destination addresses as well as protocols. Placing an extended access list close to the source filters traffic before it consumes your network’s bandwidth.

Types of Access Lists

According to behavior or working, there are mainly two types of access lists:

  1. Standard IP Access Lists: Standard IP access lists use only the source IP address of an IP packet as the test condition. All decisions are made on the basis of the source IP address.
  2. Extended IP Access Lists: Extended IP access lists can filter traffic on the basis of source and destination IP addresses, protocol, and port number. This is why extended access lists can make much more granular decisions than standard access lists.

According to placement direction, access lists are of two types:

  1. Inbound access lists: When an access list is applied to filter inbound packets on an interface, the packets are processed through the access list before being routed to the outbound interface. Packets that are denied are never routed, because they are dropped before the routing process takes place.
  2. Outbound access lists: When an access list is applied to filter outbound packets on an interface, packets are routed to the outbound interface first and then processed through the access list before being sent over the media.

There are two major problems with numbered Standard or Extended IP access lists:

First, you have to reference them by number, which says nothing about what the access list does. The number ranges of Standard and Extended IP access lists are given below:

Type                             Range
IP Standard                      1–99
IP Extended                      100–199
IP Standard (Expanded Range)     1300–1999
IP Extended (Expanded Range)     2000–2699

Second, with a numbered access list you cannot delete an individual line. Instead, you have to delete the existing access list and re-create the entire list.

This is where Named Access Control Lists come in handy.

Named Access Control Lists: With a NACL, you can create either a standard or an extended access list with a descriptive name such as NAT-Traffic or VPN-Traffic, so the name itself gives an idea of what the list does. Secondly, named access lists allow you to remove any particular statement while leaving the rest of the access list intact.

Before going into access list configuration, I want to discuss the concept of wildcard masking.

Wildcard Mask

Access control lists use a wildcard mask to specify an individual host, a network, or a certain range of a network or networks. To understand wildcards, you need to understand the block size (already discussed in the subnetting section). A block size specifies a range of addresses such as 4, 8, 16, 32, 64 or 128. If you need to specify 12 hosts, you choose a block size of 16; if you need to specify 40 hosts, you choose a block size of 64.

A wildcard mask is just the opposite of a subnet mask. The easy way to calculate the wildcard mask is to subtract the subnet mask from 255.255.255.255.

Quick example to calculate wildcard mask:

For subnet mask 255.255.255.224 (/27), the wildcard mask is 0.0.0.31. See how?

Simply subtract each octet value from 255.

    255   255   255   255
-   255 . 255 . 255 . 224
   -----------------------
     0  .  0  .  0  .  31 

How wildcards work with Access Control Lists

Access lists use a wildcard together with a host or network address to tell the router which range of addresses to filter.

To specify a single host, the wildcard mask is used as: 192.168.0.50 0.0.0.0

The four zeros correspond to the four octets of the address. Wherever a zero is present, that octet of the packet address must exactly match the corresponding octet of the reference address.

To specify that an octet can be any value, the value 255 is used. For example, the 192.168.0.0/24 subnet is specified with a wildcard mask as: 192.168.0.0 0.0.0.255

This tells the router to match the first three octets exactly, while the fourth octet can be any value.

To specify the 192.168.0.0/30 subnet, the wildcard mask looks like: 192.168.0.0 0.0.0.3

This tells the router to filter the address range from 192.168.0.1 to 192.168.0.3.
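As an added example (not part of the original tutorial), the following Python helpers carry out the wildcard-mask arithmetic described above on the tutorial's own addresses: deriving a wildcard from a subnet mask or prefix length, picking the block size for a given host count, and performing the bitwise comparison a router applies when it evaluates a packet address against a reference address and wildcard. The function names are my own. The matched-address range is computed for contiguous wildcards only, and it shows that 192.168.0.0 0.0.0.3 covers the four addresses 192.168.0.0 through 192.168.0.3, the network address included.

```python
"""Wildcard-mask helpers (added example, not from the original tutorial).

A wildcard mask is the bitwise complement of a subnet mask: a 0 bit means
"this bit of the packet address must equal the reference address", a 1 bit
means "don't care".  Plain integers are used so every check stays visible.
"""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer back to dotted-quad form."""
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet (the tutorial's rule).

    Equivalent to inverting all 32 bits: 255.255.255.224 -> 0.0.0.31.
    """
    return to_dotted(0xFFFFFFFF ^ to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /n prefix: 27 -> 0.0.0.31, 24 -> 0.0.0.255, 30 -> 0.0.0.3."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return to_dotted((1 << (32 - prefix_len)) - 1)


def block_size_for(host_count: int) -> int:
    """Smallest power-of-two block covering host_count addresses (12 -> 16, 40 -> 64)."""
    size = 1
    while size < host_count:
        size <<= 1
    return size


def wildcard_match(packet_addr: str, reference: str, wildcard: str) -> bool:
    """True if packet_addr matches 'reference wildcard' the way a router evaluates it.

    Bits where the wildcard is 0 are compared, bits where it is 1 are ignored:
    (packet XOR reference) AND (NOT wildcard) == 0.
    """
    keep = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) ^ to_int(reference)) & keep == 0


def matched_range(reference: str, wildcard: str):
    """Lowest and highest address a contiguous wildcard covers.

    Only meaningful when the wildcard's 1-bits form a contiguous low-order
    block (the normal subnet case); a discontiguous wildcard matches a
    scattered set of addresses, so that case is rejected here.
    """
    w = to_int(wildcard)
    if w & (w + 1):
        raise ValueError("wildcard is not a contiguous low-order block")
    base = to_int(reference) & ~w & 0xFFFFFFFF
    return to_dotted(base), to_dotted(base | w)


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.224"))                        # 0.0.0.31
    print(wildcard_match("192.168.0.77", "192.168.0.0", "0.0.0.255"))   # True
    print(wildcard_match("192.168.1.77", "192.168.0.0", "0.0.0.255"))   # False
    print(matched_range("192.168.0.0", "0.0.0.3"))                      # ('192.168.0.0', '192.168.0.3')
```

Because the comparison is bitwise, the same wildcard_match function handles a host entry (wildcard 0.0.0.0), a subnet (0.0.0.255) and the "any" keyword (255.255.255.255) without special cases, which is also why a router treats "host 192.168.0.50" and "192.168.0.50 0.0.0.0" as the same thing.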

Standard Access Control List Configuration

Standard IP access lists filter network traffic by examining the source IP address of a packet. A standard IP access list is created using access list numbers 1–99 or 1300–1999 (expanded range). Access list types are generally distinguished by number: based on the number used when the access list is created, the router knows which syntax to expect as the list is entered. Numbers 1–99 or 1300–1999 tell the router that you want to create a standard IP access list, so it expects syntax with only the source IP address as the test condition.

I am going to use the network diagram below to demonstrate access control lists.

[Figure: Access Control List]

I have done the basic network configuration, and both PC1 and PC2 can reach 8.8.8.8, which is loopback0 on R2.

You know that PC1 and PC2 belong to different IP subnets.

Question 1: Only allow network 192.168.0.0 to reach R2, while blocking every other network.

Solution: The first step is to decide where to create the access list; the second is to decide which interface it should be applied to and in which direction.

Both of the networks mentioned above are connected to R1, so you need to create the access list on R1.

Creating standard access list

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <300-399>         DECnet access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

The access-list command creates an access list. I used ? after the access-list command to list the possible values, and the router IOS presented a number of options. I can use 1–99 for a standard access list and 100–199 for an extended access list. Since we are creating a standard ACL, I will choose a number from 1 to 99; let’s choose 10.

R1(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment

After choosing 10, I have three options: deny, permit and remark. As the names suggest, a deny statement rejects packets, a permit statement forwards them, and a remark statement just adds a comment to the access list.

The rule to remember is that there is always an implicit deny statement at the end of every access list. Therefore you do not need a deny statement unless the question asks for one. Recall that the question asks you to permit only the network 192.168.0.0 to reach R2 and block every other network.

R1(config)#access-list 10 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

R1(config)#access-list 10 permit 192.168.0.0 ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>

R1(config)#access-list 10 permit 192.168.0.0 0.0.0.255
R1(config)#end

You can see above that I added only one condition to the access list, since we are asked to allow only the network 192.168.0.0; everything else is blocked by the implicit deny at the end.

Applying standard access list

Now that we have created our first standard ACL, it is time to apply it to the appropriate interface. Remember the rule: apply standard access lists as close to the destination as possible, because they can only filter on the source address. Access-list 10 is a standard ACL and we are asked to control traffic destined for R2, so the interface on R1 closest to the destination is fastEthernet1/0. The access list should therefore be applied to outbound traffic on interface fastEthernet1/0.

R1(config)#interface fastEthernet 1/0
R1(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

R1(config-if)#ip access-group 10 ?
  in   inbound packets
  out  outbound packets

R1(config-if)#ip access-group 10 out
R1(config-if)#end
R1#

To apply the access list, enter interface configuration mode for the specific interface and use the ip access-group command followed by the access list number and then the direction, as shown above.

Now that access-list 10 is applied, it is listed under the interface in the running-config, as shown below.

R1#show running-config interface fastEthernet 1/0
Building configuration...

Current configuration : 160 bytes
!
interface FastEthernet1/0
 ip address 202.164.42.2 255.255.255.0
 ip access-group 10 out
 ip virtual-reassembly
 duplex auto
 speed auto
end

And the status can be checked using the show access-lists 10 command on R1.

R1#show access-lists 10
Standard IP access list 10
    10 permit 192.168.0.0, wildcard bits 0.0.0.255
R1#

To verify that the access list is doing its job, run a ping to 8.8.8.8 from PC1 and PC2 respectively (remember we are simulating whole subnets with PC1 and PC2).

PC1#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/68/76 ms
PC1#

Ping from PC1 to R2 loopback0 is successful as expected.

PC2#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC2#

You can see that ping from PC2 (subnet 192.168.1.0) says destination unreachable (U).

Now, verify the status of access-list 10 on R1 using the show access-lists 10 command, as shown below.

R1#show access-lists 10
Standard IP access list 10
    10 permit 192.168.0.0, wildcard bits 0.0.0.255 (5 matches)
R1#

Did you notice the 5 matches at the end? This proves that the access list has been hit by packets from the permitted source. The count keeps increasing when you ping 8.8.8.8 from PC1, but it does not increase when you ping from PC2, because the counter belongs to the permit statement and packets from PC2 are dropped by the implicit deny, which has no counter of its own.

To see the access list in action, you can use the debug ip packet command, but I would not recommend it on a production network.

R1#debug ip packet
IP packet debugging is on
R1#
*Jul  3 11:42:52.875: IP: tableid=0, s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), routed via FIB
*Jul  3 11:42:52.875: IP: s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), len 100, access denied
*Jul  3 11:42:52.879: IP: tableid=0, s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), routed via FIB
*Jul  3 11:42:52.879: IP: s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), len 56, sending
*Jul  3 11:42:52.947: IP: tableid=0, s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), routed via FIB
*Jul  3 11:42:52.947: IP: s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), len 100, access denied
*Jul  3 11:42:52.951: IP: tableid=0, s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), routed via FIB
*Jul  3 11:42:52.951: IP: s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), len 56, sending
*Jul  3 11:42:53.019: IP: tableid=0, s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), routed via FIB
*Ju
R1#l  3 11:42:53.019: IP: s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), len 100, access denied
*Jul  3 11:42:53.023: IP: tableid=0, s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), routed via FIB
*Jul  3 11:42:53.023: IP: s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), len 56, sending
*Jul  3 11:42:53.055: IP: tableid=0, s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), routed via FIB
*Jul  3 11:42:53.055: IP: s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), len 100, access denied
*Jul  3 11:42:53.059: IP: tableid=0, s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), routed via FIB
*Jul  3 11:42:53.059: IP: s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), len 56, sending
*Jul  3 11:42:53.095: IP: tableid=0, s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), routed via FIB
*Jul  3 11:42:53.095: IP: s=192.168.1.50 (FastEthernet0/1), d=8.8.8.8 (FastEthernet1/0), len 100, access denied
*Jul  3 11:
R1#42:53.099: IP: tableid=0, s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), routed via FIB
*Jul  3 11:42:53.099: IP: s=192.168.1.1 (local), d=192.168.1.50 (FastEthernet0/1), len 56, sending
R1#

The debug ip packet and debug ip packet detail commands can help you troubleshoot, but they are CPU intensive, so use them with caution.

Creating good access lists requires a lot of practice: the more you practice, the better you get. Let’s do another standard access list example.

Question 2: Block only network 192.168.0.0 from reaching R2, while allowing every other subnet in the network diagram below:

[Figure: ACL]

Solution: This time we are asked to block only the single subnet 192.168.0.0 while allowing every other network.

R1#config term
R1(config)#access-list 20 deny 192.168.0.0 0.0.0.255
R1(config)#access-list 20 permit any
R1(config)#end
R1#

This time I have created access-list 20 with two test conditions. Guess why?

This is because we have to deny the specific network 192.168.0.0/24 and then permit every other network. Had I not added the access-list 20 permit any statement, the implicit deny would have blocked everything.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa1/0
R1(config-if)#ip access-group 20 out
R1(config-if)#end
R1#

Access-list 20 is now applied on interface fastEthernet1/0. Since only one access list is allowed per interface per direction, it replaces access-list 10 for outbound traffic there.

Let’s test it.

PC1#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC1#

Ping from PC1 failed, which is what we were asked to achieve.

PC2#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/62/64 ms
PC2#

Ping from PC2 is successful, as expected.

PC3#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/72/96 ms
PC3#

Ping from PC3 is also successful. Access-list 20 blocks only network 192.168.0.0, while every other network can reach R2.

Extended Access Control List Configuration

Extended access lists allow you to specify source and destination addresses as well as the protocol and port number that identify the type of traffic to filter. With extended access lists you can give users access to a physical LAN while stopping them from reaching specific hosts, or even specific services on those hosts.

Below is the sample network I will use to demonstrate extended access control list configuration.

Extended ACL Question 1: You are working as the network admin of a company. You want to secure telnet on R2 so that only PC1 (located in the Network Admin cabin) can telnet to router R2 via 8.8.8.8 and 202.164.42.1, and nobody else can. However, everyone should still be able to reach (ping) router R2.

Answer: Since we want to control the telnet protocol, we need to specify source, destination, protocol and port, which is exactly what an extended access list offers. Therefore, you can achieve this with an extended ACL.

Before creating the ACL, let’s check whether we can telnet to R2 from every PC.

PC1#telnet 8.8.8.8
Trying 8.8.8.8 ... Open

User Access Verification

Username:


PC2#telnet 8.8.8.8
Trying 8.8.8.8 ... Open

User Access Verification

Username:

If you see Trying 8.8.8.8 ... Open, telnet is working.

Creating extended access list

R1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <300-399>         DECnet access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

This time we are creating an extended ACL, so we can choose any number between 100 and 199.

R1(config)#access-list 100 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

We want to permit at least one host for a specific type of traffic, so I will select the permit keyword as shown below. Remember that the most specific test condition should be on top.

R1(config)#access-list 100 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Because telnet runs over TCP, I will select tcp as shown below:

R1(config)#access-list 100 permit tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

At this stage you can either specify a source IP address range or a single host using the host keyword. Since we are going to permit only PC1 (192.168.0.50), I will select host and then type the source address.

R1(config)#access-list 100 permit tcp host 192.168.0.50 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

For the destination, I will select the any keyword and then match the telnet port using the eq telnet keywords.

R1(config)#access-list 100 permit tcp host 192.168.0.50 any eq telnet
R1(config)#access-list 100 deny tcp any any eq telnet
R1(config)#access-list 100 permit ip any any
R1(config)#end

In the second line I deny telnet traffic from every source to every destination, and in the third line I permit all other IP traffic from every source to every destination, because everyone should still be able to reach (ping) R2.

Applying extended access list 100

Since this is an extended access list, we should place it as close to the source as possible, to conserve network bandwidth as well as router resources such as CPU cycles and memory.

Therefore, the best place to apply access-list 100 on R1 is interface fastEthernet1/0, for outbound traffic. As before, it replaces the access list previously applied in that direction on that interface.

R1(config)#int fa1/0
R1(config-if)#ip access-group 100 ?
  in   inbound packets
  out  outbound packets

R1(config-if)#ip access-group 100 out
R1(config-if)#end
R1#

Now it is time to test whether the access list is working as expected.

PC1#
PC1#telnet 8.8.8.8
Trying 8.8.8.8 ... Open

User Access Verification

Username: admin
Password:*********
R2#
R2#

You can see that I have connected to R2 from PC1 (the Network Admin PC), as expected.

Now let’s try to connect from PC2:

PC2#
PC2#telnet 8.8.8.8
Trying 8.8.8.8 ...
% Destination unreachable; gateway or host down

PC2#

It says gateway or host down. But wait a minute: can we ping that host?

PC2#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/69/92 ms
PC2#

Yes. We can ping the address 8.8.8.8, which means we can reach R2 but cannot telnet to it.

PC3#telnet  8.8.8.8
Trying 8.8.8.8 ...
% Destination unreachable; gateway or host down

PC3#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/70/92 ms
PC3#

Same result from PC3. Our access list is working as intended: it permits telnet only from host 192.168.0.50 and blocks telnet for everyone else, while all other IP traffic is still permitted from everyone.

This is exactly what the question asked for.

Question 2: In the network below, the Server is running a website. Only HR-PC and Admin-PC should be able to access the website; Sales-PC should not. However, Sales-PC should still be allowed to use the other services running on the same Server. Achieve this using a Named Access Control List (NACL) with as few configuration commands as possible.

[Figure: Extended ACL]

Solution: We could do this the same way as in the previous example, but since we are asked to use as few commands as possible, I will create a named access list with the fewest possible test conditions.

Router(config)#ip access-list extended Deny-Web-SalesPC
Router(config-ext-nacl)#deny tcp 192.168.1.30 0.0.0.0 192.168.0.254 0.0.0.0 eq www
Router(config-ext-nacl)#permit ip any any 
Router(config-ext-nacl)#end
Router#
Router#show ip access-lists 
Extended IP access list Deny-Web-SalesPC
    deny tcp host 192.168.1.30 host 192.168.0.254 eq www
    permit ip any any
Router#

The syntax of a named access control list is slightly different. A numbered ACL is created with the access-list command followed by a number, whereas a NACL is created with ip access-list followed by standard or extended and then a name. In the configuration above I created an extended NACL named Deny-Web-SalesPC; you can use any descriptive name that suits you. Once you press enter, you are taken to NACL configuration mode, denoted by Router(config-ext-nacl)#, where you add permit or deny statements as required. Notice in the show ip access-lists output that IOS displays an address with a 0.0.0.0 wildcard using the host keyword.

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa0/0
Router(config-if)#ip access-group Deny-Web-SalesPC in
Router(config-if)#^Z
Router#

I have applied the ACL inbound on interface fastEthernet0/0.

Now you can see that Sales-PC can ping the Server but cannot access the website.

PC>ping 192.168.0.254

Pinging 192.168.0.254 with 32 bytes of data:

Reply from 192.168.0.254: bytes=32 time=94ms TTL=127
Reply from 192.168.0.254: bytes=32 time=94ms TTL=127
Reply from 192.168.0.254: bytes=32 time=93ms TTL=127
Reply from 192.168.0.254: bytes=32 time=94ms TTL=127

[Figure: Sales-PC]

The web page times out when opened from Sales-PC.

But you can check that the website still works on Admin-PC.

[Figure: Admin-PC]

How to Add or Remove Lines from Existing ACL without Deleting ACL

If the ACL was created with the plain access-list command, you cannot edit it in place. What you can do is copy all of its lines into Notepad or another text editor, modify them as needed, then copy the entire list, quickly remove the existing access list and paste the new lines into the terminal. This minimizes the downtime if you are working in a live production environment.

That is why I always prefer Named Access Control Lists (NACL): they let you remove and add lines without deleting the entire access list and without affecting the production network.

Let’s create a sample NACL named TEST, just for demonstration purposes.

R1(config)#ip access-list standard TEST
R1(config-std-nacl)#deny   192.168.1.0 0.0.0.255
R1(config-std-nacl)#deny   192.168.10.0 0.0.0.255
R1(config-std-nacl)#deny   192.168.20.0 0.0.0.255
R1(config-std-nacl)#deny   192.168.30.0 0.0.0.255
R1(config-std-nacl)#deny   192.168.40.0 0.0.0.255
R1(config-std-nacl)#deny   192.168.50.0 0.0.0.255
R1(config-std-nacl)#deny   192.168.60.0 0.0.0.255
R1(config-std-nacl)#deny   10.1.1.0 0.0.0.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#end
R1#

Now if you display it with the show access-lists command, you will see something like this:

R1#show access-lists TEST
Standard IP access list TEST
    10 deny   192.168.1.0, wildcard bits 0.0.0.255
    20 deny   192.168.10.0, wildcard bits 0.0.0.255
    30 deny   192.168.20.0, wildcard bits 0.0.0.255
    40 deny   192.168.30.0, wildcard bits 0.0.0.255
    50 deny   192.168.40.0, wildcard bits 0.0.0.255
    60 deny   192.168.50.0, wildcard bits 0.0.0.255
    70 deny   192.168.60.0, wildcard bits 0.0.0.255
    80 deny   10.1.1.0, wildcard bits 0.0.0.255
    90 permit any
R1#

Did you notice that every line begins with a number such as 10, 20, 30 and so on? These are sequence numbers, and they are added automatically when you add a new line to a NACL. Sequence numbers let us remove or add lines without removing the whole access list and rebuilding it.

Now suppose you are asked to remove networks 192.168.40.0/24 and 192.168.60.0/24 from the access list and add network 192.168.80.0/24, without causing any downtime. With a NACL this is easy. Just look at the sequence numbers of the networks you want to remove:

   50 deny   192.168.40.0, wildcard bits 0.0.0.255
   60 deny   192.168.50.0, wildcard bits 0.0.0.255
   70 deny   192.168.60.0, wildcard bits 0.0.0.255

and use the commands shown below:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#ip access-list standard TEST
R1(config-std-nacl)#no 50
R1(config-std-nacl)#no 70
R1(config-std-nacl)#end
R1#

The commands no 50 and no 70 remove the corresponding lines from the access list.

Now, before adding network 192.168.80.0/24, I will look at the access list once again.

R1#show access-lists TEST
Standard IP access list TEST
    10 deny   192.168.1.0, wildcard bits 0.0.0.255
    20 deny   192.168.10.0, wildcard bits 0.0.0.255
    30 deny   192.168.20.0, wildcard bits 0.0.0.255
    40 deny   192.168.30.0, wildcard bits 0.0.0.255
    60 deny   192.168.50.0, wildcard bits 0.0.0.255
    80 deny   10.1.1.0, wildcard bits 0.0.0.255
    90 permit any
R1#

You can see that networks 192.168.40.0/24 and 192.168.60.0/24 are gone. Now look at the sequence numbers again and figure out where the new network should be placed so that it is actually denied. If you make a mistake here you could end up with something like this:

R1#show access-lists TEST
Standard IP access list TEST
    10 deny   192.168.1.0, wildcard bits 0.0.0.255
    20 deny   192.168.10.0, wildcard bits 0.0.0.255
    30 deny   192.168.20.0, wildcard bits 0.0.0.255
    40 deny   192.168.30.0, wildcard bits 0.0.0.255
    60 deny   192.168.50.0, wildcard bits 0.0.0.255
    80 deny   10.1.1.0, wildcard bits 0.0.0.255
    90 permit any
    100 deny   192.168.80.0, wildcard bits 0.0.0.255

If your access list looks like the above, it will not work: the network 192.168.80.0/24, which you wanted to deny, will be permitted. Why? Because of the line with sequence number 90. Remember that an ACL is always processed from top to bottom until a match is made, and once a match occurs no further comparison takes place.

To make it work, you have to add the deny statement with a sequence number less than 90; the best place is between 60 and 80, because the most specific tests should be on top. So let’s do it the correct way.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list standard TEST
R1(config-std-nacl)#70 deny 192.168.80.0 0.0.0.255
R1(config-std-nacl)#end
R1#show access-lists TEST
Standard IP access list TEST
    10 deny   192.168.1.0, wildcard bits 0.0.0.255
    20 deny   192.168.10.0, wildcard bits 0.0.0.255
    30 deny   192.168.20.0, wildcard bits 0.0.0.255
    40 deny   192.168.30.0, wildcard bits 0.0.0.255
    60 deny   192.168.50.0, wildcard bits 0.0.0.255
    70 deny   192.168.80.0, wildcard bits 0.0.0.255
    80 deny   10.1.1.0, wildcard bits 0.0.0.255
    90 permit any
R1#

The ACL looks right now. I used sequence number 70 to insert the line between 60 and 80; any unused number between 60 and 80 would do. In this way we have modified the named access list TEST without causing any downtime.
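To tie together the processing rules from the start of this page (top-down evaluation, first match wins, implicit deny at the end), the extended list 100 built earlier, and the sequence-number editing just shown, here is an added Python model of a sequence-numbered access list. It is my own illustration, not the tutorial's code and not an emulation of IOS; the class and function names are assumptions, the entries are transcribed from the tutorial's lists 10, 100 and TEST, and the packets are constructed inputs. The unreachable method flags entries that sit below a catch-all such as permit any, which is exactly the mistake made with sequence number 100 above.

```python
"""Sequence-numbered, first-match ACL evaluator.

Added example (not the tutorial's code, not an IOS emulator).  It models what
the tutorial relies on: entries are tried in ascending sequence order, the
first match decides, a packet matching no entry hits the implicit deny, and a
named list is edited with 'no <seq>' or '<seq> deny ...' without rebuilding it.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "255.255.255.255"   # wildcard that ignores every bit: the 'any' keyword


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _wild_match(addr: str, ref: str, wildcard: str) -> bool:
    """IOS wildcard comparison: bits where the wildcard is 0 must be equal."""
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(ref)) & keep == 0


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wild: str = ANY
    proto: str = "ip"                # "ip" matches every IP protocol
    dst: str = "0.0.0.0"
    dst_wild: str = ANY
    dst_port: Optional[int] = None   # 'eq <port>'; None means any port

    def matches(self, pkt: dict) -> bool:
        return (_wild_match(pkt["src"], self.src, self.src_wild)
                and _wild_match(pkt["dst"], self.dst, self.dst_wild)
                and (self.proto == "ip" or pkt["proto"] == self.proto)
                and (self.dst_port is None or pkt.get("dst_port") == self.dst_port))

    def catches_all(self) -> bool:
        # 'permit/deny ip any any', or 'permit any' in a standard list
        return (self.src_wild == ANY and self.dst_wild == ANY
                and self.proto == "ip" and self.dst_port is None)


@dataclass
class NamedAcl:
    name: str
    entries: List[Entry] = field(default_factory=list)

    def add(self, entry: Entry) -> None:
        """Insert by sequence number, as 'ip access-list' does."""
        self.entries = sorted(self.entries + [entry], key=lambda e: e.seq)

    def remove(self, seq: int) -> None:
        """'no <seq>' inside the list: drop that one line, keep the rest."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """(action, seq) of the first match; ("deny", None) is the implicit deny."""
        for e in self.entries:
            if e.matches(pkt):
                return e.action, e.seq
        return "deny", None

    def unreachable(self) -> List[int]:
        """Sequence numbers placed below a catch-all entry; they can never match."""
        dead, shadowed = [], False
        for e in self.entries:
            if shadowed:
                dead.append(e.seq)
            elif e.catches_all():
                shadowed = True
        return dead


def build_acl_100() -> NamedAcl:
    """The tutorial's extended list 100: telnet only from PC1, other IP permitted."""
    acl = NamedAcl("100")
    acl.add(Entry(10, "permit", "192.168.0.50", "0.0.0.0", "tcp", dst_port=23))
    acl.add(Entry(20, "deny", proto="tcp", dst_port=23))
    acl.add(Entry(30, "permit"))
    return acl


def build_test_list_misplaced() -> NamedAcl:
    """The TEST list with the mistaken '100 deny 192.168.80.0' below '90 permit any'."""
    acl = NamedAcl("TEST")
    for seq, net in [(10, "192.168.1.0"), (20, "192.168.10.0"), (30, "192.168.20.0"),
                     (40, "192.168.30.0"), (60, "192.168.50.0"), (80, "10.1.1.0")]:
        acl.add(Entry(seq, "deny", net, "0.0.0.255"))
    acl.add(Entry(90, "permit"))
    acl.add(Entry(100, "deny", "192.168.80.0", "0.0.0.255"))
    return acl


if __name__ == "__main__":
    test = build_test_list_misplaced()
    pkt80 = {"src": "192.168.80.7", "dst": "8.8.8.8", "proto": "ip"}
    print(test.evaluate(pkt80), test.unreachable())   # ('permit', 90) [100]
    test.remove(100)                                  # no 100
    test.add(Entry(70, "deny", "192.168.80.0", "0.0.0.255"))   # 70 deny ...
    print(test.evaluate(pkt80))                       # ('deny', 70)
```

Running the same evaluator over list 100 reproduces the telnet results seen from PC1 and PC2: a telnet packet from 192.168.0.50 stops at sequence 10 (permit), one from 192.168.1.50 stops at sequence 20 (deny), and an ICMP packet from 192.168.1.50 falls through to sequence 30 (permit). A list with only the tutorial's permit 192.168.0.0 0.0.0.255 returns ("deny", None) for PC2's packets, which is the implicit deny the match counters never show.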

This concludes the access control lists section.

Applications of ACLs:
  • ACLs are primarily used for security and traffic filtering.
  • ACLs can be used to filter routing updates via distribution lists.
  • ACLs are used in route maps and Policy Based Routing (PBR).
  • ACLs are used in NAT to classify the traffic to be translated.
  • ACLs are also used in IPsec VPN tunnels.
  • ACLs are used with the rate-limit command to throttle specific types of traffic.
  • ACLs can be used to restrict debug ip packet output to specific traffic.
  • ACLs can be used in reflexive mode for IP session filtering. A reflexive ACL is generally used to allow outbound traffic originating from the LAN and deny inbound traffic initiated from outside the network (usually the internet).
