Access Control List – ACL

December 12, 2016 by Neel Rao

Filed under Network

Last modified December 12, 2016

Cisco Access Control Lists are sets of conditions grouped together under a name or a number. These conditions are used to filter the traffic passing through a router, either when it enters the router or when it exits from it. In this tutorial I will explain Cisco Access Control Lists in detail with examples.

What is access control list?

Basically, an ACL is an integrated feature of IOS software that is used to filter the network traffic passing through IOS devices. Network traffic flows in the form of packets. A packet contains a small piece of data along with all the information required to deliver it. By default, when a router receives a packet on an interface, it takes the following actions:

  1. Grab the destination address from the packet.
  2. Look up the destination address in the routing table.
  3. If a match is found, forward the packet out of the associated interface.
  4. If no match is found, discard the packet immediately.

This default behavior does not provide any security. Anyone who knows the correct destination address can send a packet through the router. For example, the following figure illustrates a simple network.


In this network, no security policy is applied on the router, so the router cannot distinguish between the user's packet and the adversary's packet. From the router's point of view, both packets have a correct destination address, so both are forwarded out of the exit interface.

Suppose we tell the router that only 10.0.0.10 has the right to access 30.0.0.1. To enforce this condition the router will take the following actions:

  • Grab the source and destination addresses from the packet.
  • Match both addresses against the given condition.
  • If the packet did not arrive from 10.0.0.10, drop it immediately.
  • If the packet is not destined for 30.0.0.1, drop it immediately.
  • If both conditions match, look up the destination address in the routing table.
  • If a match is found, forward the packet out of the associated interface.
  • If no match is found, discard the packet immediately.

Now only packets from 10.0.0.10 are allowed to pass through the router. With this condition the adversary will not be able to access the server. We can create as many conditions as we want.

Technically these conditions are known as ACLs. Besides filtering unwanted traffic, ACLs are used for several other purposes such as prioritizing traffic for QoS (Quality of Service), triggering alerts, restricting remote access, debugging, VPNs and much more. Due to their complexity, these uses of ACLs are not tested in CCNA level exams. CCNA level exams test only basic uses of ACLs such as filtering traffic and blocking specific hosts.

Okay, now we have a basic understanding of what ACLs are and what they do. In the next section we will look at the technical concepts behind ACLs.

Direction and location of ACLs

A packet passes through three locations during its journey through a router:

  1. The packet arrives on an interface (entrance).
  2. The router makes a forwarding decision.
  3. The packet leaves through an interface (exit).

We cannot filter the packet in the middle of the router where it makes the forwarding decision. The decision-making process has its own logic and should not be interfered with for filtering purposes. After excluding this location, we have two locations left: entrance and exit. We can apply our ACL conditions at these locations.

ACL conditions applied at the entrance work as an inbound filter. ACL conditions applied at the exit work as an outbound filter.

Inbound ACLs filter the traffic before the router makes the forwarding decision. Outbound ACLs filter the traffic after the router makes the forwarding decision.

An ACL filter condition has two actions: permit and deny. We can permit certain types of traffic while blocking the rest, or we can block certain types of traffic while allowing the rest.

Key points


  • We must apply the ACL on the interface that processes the packet.
  • ACLs must be applied in the direction of data flow. Inbound ACLs must be placed on the entrance interface. Outbound ACLs must be placed on the exit interface.
  • Once applied, an ACL will filter every packet passing through that interface.


Types of ACLs

There are two types of ACLs:

  • Standard ACLs (1 – 99 and 1300 – 1999)
  • Extended ACLs (100 – 199 and 2000 – 2699)

Standard ACLs (1 – 99 and 1300 – 1999)

ACLs have been part of Cisco IOS from the beginning. In the early days simple filtering was sufficient, and standard ACLs are used for this normal filtering. Standard ACLs filter a packet based on its source IP address only.

Extended ACLs (100 – 199 and 2000 – 2699)

Over time, security has become more challenging. To mitigate current security threats, more advanced filtering is required, and extended ACLs take on this responsibility. Extended ACLs can filter a packet based on its source address, destination address, port number, protocol and much more.

Named ACLs

Named ACLs are an enhanced version of the numbered ACLs. A named standard ACL is the enhanced version of a standard ACL, and a named extended ACL is the enhanced version of an extended ACL. Numbered ACLs (standard and extended) are identified by a number that is unique among all ACLs, while named ACLs are identified by a name that is unique among all ACLs.

General guidelines for ACLs

  • ACLs are always processed from top to bottom in sequential order.
  • A packet is compared with the ACL conditions until a match is found.
  • Once a match is found for a packet, no further comparison is done for that packet.
  • The interface takes action based on the matched condition. There are two possible actions: permit and deny.
  • If a permit condition matches, the packet is allowed to pass through the interface.
  • If a deny condition matches, the packet is destroyed immediately.
  • Every ACL has a default deny statement at the end of it.
  • If a packet does not meet any condition, it is destroyed (by that last deny condition).
  • An empty ACL permits all traffic by default. The implicit deny condition does not apply to an empty ACL.
  • The implicit (default last deny) condition works only if the ACL has at least one user-defined condition.
  • An ACL can filter only the traffic passing through the interface. It cannot filter traffic originated by the router on which it is applied.
  • A standard ACL can filter only on the source IP address.
  • A standard ACL should be placed near the destination devices.
  • An extended ACL should be placed near the source devices.
  • Each ACL needs a unique number or name.
  • We can have only one ACL applied to an interface in each direction; inbound and
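As an added illustration (not code from the article), the following Python models how a router evaluates the ACL from the earlier scenario (only 10.0.0.10 may reach 30.0.0.1) together with the guidelines above: top-down first-match processing, the implicit deny at the end of a non-empty ACL, and permit-all for an empty ACL. Cisco's wildcard-mask address comparison is assumed as the matching rule, and the entry and packet structures are my own constructed representation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# One line of an ACL (constructed representation). A standard entry sets only
# src/src_wild; an extended entry also sets dst/dst_wild, protocol and dst_port.
@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    src: str                        # source address to compare against
    src_wild: str = "0.0.0.0"       # wildcard mask: 0 bit = must match, 1 bit = ignored
    dst: Optional[str] = None       # None means standard ACL: destination not checked
    dst_wild: str = "0.0.0.0"
    protocol: str = "ip"            # "ip" matches every protocol
    dst_port: Optional[int] = None  # None means any destination port

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """True when addr equals base on every bit the wildcard mask leaves as 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def entry_matches(e: AclEntry, pkt: dict) -> bool:
    """Check one ACL line against a packet given as a dict of header fields."""
    if not wildcard_match(pkt["src"], e.src, e.src_wild):
        return False
    if e.dst is not None and not wildcard_match(pkt["dst"], e.dst, e.dst_wild):
        return False
    if e.protocol != "ip" and pkt.get("protocol") != e.protocol:
        return False
    if e.dst_port is not None and pkt.get("dst_port") != e.dst_port:
        return False
    return True

def evaluate(acl: List[AclEntry], pkt: dict) -> str:
    """Top-down, first-match evaluation with the implicit deny at the end."""
    if not acl:                  # an empty ACL filters nothing
        return "permit"
    for e in acl:                # entries are compared in the order written
        if entry_matches(e, pkt):
            return e.action      # first match wins, no further comparison
    return "deny"                # implicit deny after the last user-defined line

# Constructed ACL for the article's scenario: only 10.0.0.10 may reach 30.0.0.1.
ONLY_USER_TO_SERVER = [AclEntry("permit", "10.0.0.10", dst="30.0.0.1")]
USER = {"src": "10.0.0.10", "dst": "30.0.0.1"}        # constructed sample packet
ADVERSARY = {"src": "10.0.0.20", "dst": "30.0.0.1"}   # constructed sample packet

if __name__ == "__main__":
    print(evaluate(ONLY_USER_TO_SERVER, USER))       # permit
    print(evaluate(ONLY_USER_TO_SERVER, ADVERSARY))  # deny (implicit)
```

Swapping the order of a deny-host line and a permit-subnet line changes the result for that host, which is the first-match rule from the guidelines in action.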

 
