ACL
When we need to restrict access from one network to another we use an ACL. An access control list is an ordered list of permit and deny statements attached to a router interface to filter network traffic. In this document we explain the basics of standard, extended and named ACLs, and also on which interface and in which direction an ACL needs to be applied. Before we start with examples, let's describe the three types one by one.
A standard ACL can permit or deny based on the source address only, nothing more and nothing less. Because it looks only at the source, a standard ACL does not know where the packets are going, so it is applied as close to the destination as possible: applied close to the source, it would permit or deny far more than intended, because it would affect every destination reachable from that source. For the same reason standard ACLs are typically used where only the source matters: selecting the inside addresses for NAT, restricting who may telnet (or SSH) to the VTY lines, and defining the interesting traffic for a VPN. Numbered standard ACLs use the numbers 1 to 99 (and the expanded range 1300 to 1999).
Extended ACLs are the more powerful type. What does more powerful mean? They can permit or deny traffic based on source address, destination address, protocol, port number and more, such as the time of day. Because this type of ACL has both a source and a destination, the right place to apply it is as close to the source as possible: a packet trying to reach some network already carries its source and destination IP addresses, so an access list close to the source can examine and drop it at the first hop, instead of letting it cross the network only to be dropped later. Numbered extended ACLs use the numbers 100 to 199 (and the expanded range 2000 to 2699).
Named ACLs are the most used type today. They offer the same filtering as standard or extended ACLs (a named ACL is still one or the other), but they replace the number with a descriptive name and give every line a sequence number. Sequence numbers let you insert or delete a single line without deleting the whole ACL. A named extended ACL is placed just like a numbered extended one, close to the source; a named standard ACL follows the standard rule and goes close to the destination.
Now that we know the different types of ACL we can continue with some examples and see how an ACL actually works. Before we start we need to know that an ACL is applied to a router interface in one of two directions, in or out. Choosing the direction is maybe the most difficult part: an ACL applied in the wrong direction examines the traffic flowing the other way, where source and destination are swapped. Then nothing matches the permit lines and the implicit deny all at the end of every ACL drops everything, or, if the list ends with permit ip any any, the restriction is simply never enforced. We will also see this when we come to applying the ACL on the router.
D&T Team
Our first example is to set up a standard ACL that blocks network 192.168.1.0/24 from reaching network 192.168.4.0/24 while all other traffic is allowed. Step by step: first we block 192.168.1.0/24 (a standard ACL matches the source only, so the deny line names just the source network and its wildcard mask), then we permit everything else, because without that second line the implicit deny at the end would block all other traffic too:
Router(config-std-nacl)#deny 192.168.1.0 0.0.0.255
Router(config-std-nacl)#permit any
We are now done with our ACL. Because it is a standard ACL it is applied close to the destination, outbound on the router interface that faces 192.168.4.0/24, and the whole configuration looks like this:
In this example we need to allow network 192.168.1.0/24 to have http, ftp and telnet access to the server. All other traffic from 192.168.1.0/24 to the server should be denied, and all other traffic from any other source to any other destination should be allowed. We start by creating the extended ACL.
Then we need to allow http, ftp and telnet from network 192.168.1.0/24 to the server with IP address 192.168.5.200:
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23
With these three commands we allow TCP traffic from network 192.168.1.0/24 to the server, but only to ports 80, 21 and 23. As mentioned before, an extended ACL can filter by protocol, which is why tcp appears in the configuration. We can also use udp, and if we want one line that matches every IP protocol (TCP, UDP, ICMP and the rest) we use ip; note that a port match (eq) is only possible with tcp or udp. One caveat for the ftp line: port 21 is only the control connection. Passive-mode data connections go to high ports on the server and will hit the deny line that follows, so only active mode, where the server opens the data connection back to the client, works with this list. Next we need to block all other traffic from network 192.168.1.0/24 to the server, and finally permit everything else, because the implicit deny at the end would otherwise drop all remaining traffic through the interface. The complete ACL:
Router(config)#ip access-list extended 150
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23
Router(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 host 192.168.5.200
Router(config-ext-nacl)#permit ip any any
This ACL is extended, so we apply it as close to the source as possible: router R1, interface fa0/0. Packets travelling toward the server enter R1 on fa0/0, so the direction of our ACL is in (ip access-group 150 in under that interface).
For this example we take the extended ACL we just created, but use a name instead of a number. Note: Packet Tracer has not yet implemented sequence numbers.
Router(config)#ip access-list extended TEST
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23
Router(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 host 192.168.5.200
Router(config-ext-nacl)#permit ip any any
Now let's see the output of the show command:
Router#show access-list TEST
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80
20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21
30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23
40 deny ip 192.168.1.0 0.0.0.255 host 192.168.5.200
50 permit ip any any
You can notice the difference: the number in front of each line is a sequence number. Here is why they are useful. What if we forgot to add a line allowing traffic from network 192.168.1.0/24 to host 192.168.5.200 on port 443 (https) below the first line? With the classic numbered syntax (the global access-list 150 ... command) a new line can only be appended at the end, where it lands after the deny on line 40 and never matches, so the ACL would not do what we want. (On real IOS, a numbered ACL edited in ip access-list mode accepts sequence numbers too; the global command always appends.) With a named ACL we can put the line exactly where we want, for example:
Router(config-ext-nacl)#15 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 443
and the list now reads:
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80
15 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 443
20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21
30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23
40 deny ip 192.168.1.0 0.0.0.255 host 192.168.5.200
50 permit ip any any
With a named ACL we can also delete a single line using no followed by its sequence number. Be aware of what you remove: line 40 is the deny, so once it is gone all other traffic from 192.168.1.0/24 to the server falls through to line 50 (permit ip any any) and the original policy is no longer enforced.
Router(config-ext-nacl)#no 40
Router(config-ext-nacl)#do show access-list TEST
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80
15 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 443
20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21
30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23
50 permit ip any any
When you have two lines numbered 8 and 9 in your ACL and want to add a new line between them, Cisco has a solution for that too, the resequence command:
Router(config)#ip access-list resequence TEST 10 10
With this command you tell the router to renumber the ACL starting at sequence number 10 for the first line and using a step of 10 for the following lines. Applied to the last ACL it looks like this:
10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80
20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 443
30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21
40 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23
50 permit ip any any
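The behaviour described in this document (first-match evaluation, the implicit deny, why a standard ACL has to sit near the destination, why the forgotten https line must be inserted at 15 rather than appended, what deleting line 40 does, and what happens when the list is applied in the wrong direction) can be checked offline with the small Python model below. It is an added example and not code from the original document or from Cisco; it models only the IOS syntax used on this page. The ACL name BLOCK-LAN1, the host addresses 192.168.1.10, 192.168.2.10 and 192.168.4.10, and the sample "packets" are constructed for illustration.

```python
"""First-match evaluator for the Cisco IOS ACL syntax used on this page.
Added example, not code from the original document: it covers only permit/deny,
ip/tcp/udp, wildcard masks, host, any, eq <port> and sequence numbers.  The ACL
name BLOCK-LAN1, the sample addresses and the 'packets' are constructed here."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any': base 0.0.0.0 with every wildcard bit set

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return base, mask, rest."""
    if tokens[0] == "any":
        return ANY + (tokens[1:],)
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_entry(line, standard=False):
    """Parse '[seq] permit|deny [proto] SRC [DST [eq PORT]]' into a dict."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("bad action in: " + line)
    proto = "ip" if standard else tokens.pop(0)  # standard ACL: no protocol field
    src, swc, tokens = _addr(tokens)
    dst, dwc, tokens = ANY + ([],) if standard else _addr(tokens)  # ... and no destination
    dport = None
    if tokens and tokens[0] == "eq":
        if proto not in ("tcp", "udp"):  # IOS rejects a port match on 'ip'
            raise ValueError("eq needs tcp or udp: " + line)
        dport = int(tokens[1])
    return dict(seq=seq, action=action, proto=proto, src=src, swc=swc, dst=dst, dwc=dwc, dport=dport)

class Acl:
    def __init__(self, name, standard=False):
        self.name, self.standard, self.entries = name, standard, []

    def add(self, line):
        """A leading sequence number inserts in order; without one IOS appends
        the entry at last sequence + 10.  Returns self so calls can be chained."""
        e = parse_entry(line, self.standard)
        if e["seq"] is None:
            e["seq"] = self.entries[-1]["seq"] + 10 if self.entries else 10
        elif any(x["seq"] == e["seq"] for x in self.entries):
            raise ValueError("sequence %d already in use" % e["seq"])
        self.entries.append(e)
        self.entries.sort(key=lambda x: x["seq"])
        return self

    def remove(self, seq):  # 'no <seq>' inside ip access-list mode
        self.entries = [e for e in self.entries if e["seq"] != seq]
        return self

    def evaluate(self, src, dst, proto="ip", dport=None):
        """First matching entry wins -> (action, seq).  No match hits the implicit
        deny (seq None).  An ACL with no entries at all permits everything."""
        if not self.entries:
            return "permit", None
        for e in self.entries:
            if (e["proto"] in ("ip", proto) and wildcard_match(src, e["src"], e["swc"])
                    and wildcard_match(dst, e["dst"], e["dwc"])
                    and (e["dport"] is None or e["dport"] == dport)):
                return e["action"], e["seq"]
        return "deny", None

def standard_acl_placement():
    """First example: a standard ACL sees only the source, so LAN1 -> 192.168.4.0/24
    and LAN1 -> 192.168.2.0/24 are treated alike (both denied)."""
    acl = Acl("BLOCK-LAN1", standard=True).add("deny 192.168.1.0 0.0.0.255").add("permit any")
    return (acl.evaluate("192.168.1.10", "192.168.4.10")[0],
            acl.evaluate("192.168.1.10", "192.168.2.10")[0])

def build_test_acl():
    """The extended ACL TEST as shown on the page (sequences 10..50)."""
    lan1_to_srv = "192.168.1.0 0.0.0.255 host 192.168.5.200"
    acl = Acl("TEST")
    for line in ("permit tcp %s eq 80" % lan1_to_srv, "permit tcp %s eq 21" % lan1_to_srv,
                 "permit tcp %s eq 23" % lan1_to_srv, "deny ip " + lan1_to_srv, "permit ip any any"):
        acl.add(line)
    return acl

def https_appended_vs_inserted():
    """The forgotten HTTPS line appended (60, after the deny at 40) versus inserted at 15."""
    https = "permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 443"
    pkt = ("192.168.1.10", "192.168.5.200", "tcp", 443)
    return (build_test_acl().add(https).evaluate(*pkt),
            build_test_acl().add("15 " + https).evaluate(*pkt))

def after_no_40():
    """'no 40' removes the deny, so other LAN1 traffic to the server (SSH) falls through."""
    return build_test_acl().remove(40).evaluate("192.168.1.10", "192.168.5.200", "tcp", 22)

def wrong_direction():
    """TEST applied out instead of in on fa0/0 sees only the server's replies."""
    return build_test_acl().evaluate("192.168.5.200", "192.168.1.10", "tcp", 51515)
```

Running `standard_acl_placement()` returns `("deny", "deny")`: the list cannot distinguish the two destinations, which is exactly why it belongs outbound on the interface facing 192.168.4.0/24, where it only ever sees that flow. `https_appended_vs_inserted()` returns `(("deny", 40), ("permit", 15))`, `after_no_40()` returns `("permit", 50)`, and `wrong_direction()` also returns `("permit", 50)`: with the catch-all permit at the end, a list applied in the wrong direction does not block everything, it silently enforces nothing.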