You are on page 1of 6

D&T Team

Author: Dimitar Krstevski

ACL

When we need to restrict access from one network to another we use ACL. Access control list is a list of permissions attached to router interface to permit or deny network traffic. In this document we will explain basic of standard, extended and named ACL. We also going to explain on which interface we need to set up ACL and in which direction. Before we start with examples of ACL lets describe them one by one.

In standard ACL we can only deny or permit by source address, nothing more nothing less. Because we use only source address in standard ACL we don't know where is the destination of the packets so this type of ACL are applied as closer to destination. If we apply close to source we can permit or deny too much. Because of this standard ACL are used in NAT, telnet, VPN. In configuration of standard ACL we use numbers from 1 to 99.

Extended ACL are more powerful type of ACL. What I mean with that more powerful? They can deny or permit traffic based on source, destination, protocol, port number and more like time of day. This type of ACL must have source and destination address so the right place where we need to set up is as much closer to source. When some packet is trying to access some network, that packet contain source and destination IP address. If access list is closer to source it can examine that packet at the beginning without making extra network traffic. For configuration of extended ACL we use numbers from 100 to 199.

Named ACL are most powerful and most used ACL today. The main reason about this is because they allow you to use the same filtering like extended but they also use sequences numbers and replace numbers in configuration with names. Sequences numbers allow to add or delete some line from ACL without deleting hole ACL. Just like extended ACL named ACL are placed closer to source.

Now when we know different types of ACL we can continue with solving some examples and see how ACL actually work. Before we start with examples we need to know that ACL can be placed in router interfaces in two directions, in and out. The way to figure out in which direction to place is maybe the most difficult part because if you place ACL in wrong direction it will block everything because of implicit deny all at the end of ACL. We will also see this when we come down to placing ACL in router.

D&T Team

Author: Dimitar Krstevski

Example 1 - Standard ACL

Our fist example is to set up standard ACL who will block network 192.168.1.0/24 to reach network 192.168.4.0/24 and all other traffic is allowed. Now we go step by step, first we are going to block 192.168.1.0/24 to reach 192.168.4.0/24 and for this we will use this commands:

Router(config)#ip access-list standard 10 Router(config-std-nacl)#deny 192.168.1.0 0.0.0.255


With first command we configure new standard ACL with number 10. As I mention before standard ACL can have numbers from 1 to 99. With second command we deny traffic from source address 192.168.1.0. In ACL we use wichard mask instead of subnetmask. For those who can't remember what was wichard mask, it is opposite of subentmask. If now we set up this ACL on some interface it will block hole traffic. You are asking why? Because there is no permit line in ACL and in the end of each ACL there is implicit deny all. So now we need to allow all other traffic to pass between router. For this we will continue configuring our ACL 10 with adding command:

Router(config-std-nacl)#permit any
We are now done with our ACL and hole configuration looks like this:

Router(config)#ip access-list standard 10 Router(config-std-nacl)#deny 192.168.1.0 0.0.0.255 Router(config-std-nacl)#permit any


Next step is to place this ACL on router interface, but question is which one? Because this is standard ACL and standard ACL must be closer to destination so they can't permit or deny too much. Right router to place this ACL is R3. In the topology picture we see that network 192.168.1.0 is left and packets going from left to right to rich network 192.168.4.0. That means that right place to place this ACL is interface fa0/0, and that is correct. Last is to determine direction of this ACL, in or out. If you look at the picture again you will see how packets travel to reach network 192.168.4.0 and if you know that right interface is fa0/0 then you know that right direction to place this standard ACL 10 is out.

D&T Team

Author: Dimitar Krstevski

We will place ACL with this command:

R3(config)#interface fa0/0 R3(config-if)#ip access-group 10 out


Example 2 - Extended ACL

In this example we need to allow network 192.168.1.0 to have http, ftp and telnet access to the server. All other traffic from 192.168.1.0 to server should be denied. All other traffic from any other source to any other destination should be allowed. We starting this with creating extended ACL.

Router(config)#ip access-list extended 150

Then we need to allow http, ftp and telnet from network 192.168.1.0 to server with IP address 192.168.5.200.

Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80 Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21 Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23

D&T Team

Author: Dimitar Krstevski

So with this 3 commands we allow tcp traffic from network 192.168.1.0 to access server. As we mention before, extended ACL can block traffic based on protocol, that is why we set that tcp in configuration. We can also use udp but if we want to create ACL line who will support tcp and udp protocol then we use ip. Next we need to block all other traffic from network 192.168.1.0/24 to access server.

Router(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 host 192.168.5.200


Last traffic from any other source to any other destination should be allowed.

Router(config-ext-nacl)#permit ip any any


Our ACL is now done and it looks like this:

Router(config)#ip access-list extended 150 Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80 Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21 Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23 Router(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 host 192.168.5.200 Router(config-ext-nacl)#permit ip any any
This ACL is extended and we need to place much closer to source, so that will be router R1 interface fa0/0. We can see the direction of packets traveling to rich server so they coming in to interface fa0/0 and our ACL direction will be in.

Router(config)#interface fa0/0 Router(config)#ip access-group 150 in


We can also apply this ACL to R1 s2/0 out, R2 s2/0 in and R2 fa0/0 out and we will have same effect but we will also have extra traffic until ACL deny it. That is why extended ACL are applied closer to source.

Example 3 - Named ACL

For this example we will take our extended ACL we just created but we will use name instead of number. Note: Packet Tracer still haven't implemented sequence numbers.

D&T Team

Author: Dimitar Krstevski

Router(config)#ip access-list extended TEST Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80 Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21 Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23 Router(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 host 192.168.5.200 Router(config-ext-nacl)#permit ip any any
now lets see what will be the output from command

Router#show access-list TEST 10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80 20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21 30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23 40 deny ip 192.168.1.0 0.0.0.255 host 192.168.5.200 50 permit ip any any
You can notice the difference, that number before each line are sequences numbers. Good thing about this sequences numbers is this: What if we forgot to add line to allow traffic from network 192.168.1.0/24 to host 192.168.5.200 on port 443(https) bellow 1 st line? When we use extended ACL we can add this line only at the end of the ACL, but then ACL isn't going to work like we want to. With named ACL we can add this line where we want, for example

Router(config-ext-nacl)#15 192.168.5.200 eq 443


then our new ACL will look like this

permit

tcp

192.168.1.0

0.0.0.255

host

10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80 15 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 443 20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21 30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23 40 deny ip 192.168.1.0 0.0.0.255 host 192.168.5.200 50 permit ip any any

D&T Team

Author: Dimitar Krstevski

With named ACL we can also delete some line just using command no followed by the sequence number

Router(config-ext-nacl)#no 40 Router(config-ext-nacl)#do show access-list TEST 10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80 15 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 443 20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21 30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23 50 permit ip any any

When you have two lines in your ACL 8 and 9 and you want to add new line between then, Cisco has solution for that too. With command

Router(config)#ip access-list resequence TEST 10 10

With this command you tell the router to re sequence your ACL starting with sequence number 10 for first line and using step of 10 for next lines. If we use this command on last ACL it will look like this

10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 80 20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 443 30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 21 40 permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.200 eq 23 50 permit ip any any

You might also like