Access Control List

Access Control List (ACL)

A Cisco Access Control List (ACL) is a set of conditions grouped together under a name
or a number. The router compares traffic against these conditions to decide what may
pass. The conditions can be checked either when a packet enters the router (inbound) or
when it leaves the router (outbound).

ACLs are a built-in feature of IOS software used to filter the network traffic passing
through an IOS device. Network traffic flows in the form of packets; a packet carries a
small piece of data together with the header information (source and destination
addresses, protocol, ports) needed to deliver it. ACLs make their decisions on that
header information, never on the payload.

By default, when a router receives a packet on an interface, it takes the following actions:

 Grab the destination address from the packet
 Look up the destination address in the routing table
 If a match is found, forward the packet out of the associated interface
 If no match is found, discard the packet immediately.

This default behavior provides no security. Anyone who knows a reachable destination
address can send packets through the router.

With no security policy applied on the router, the router cannot distinguish a
legitimate user's packet from an attacker's packet. From the router's point of view both
packets carry a valid destination address, so both are forwarded out of the exit
interface.

Suppose we tell the router that only the host 172.16.64.66 is allowed to reach the
server 172.16.0.100. To enforce this condition the router takes the following actions:

 Grab the source and destination addresses from the packet.
 Compare both addresses with the given condition.
 If the packet did not come from 172.16.64.66, drop it immediately.
 If the packet is not destined for 172.16.0.100, drop it immediately.
 If both conditions match, look up the destination address in the routing table.
 If a match is found, forward the packet out of the associated interface.
 If no match is found, discard the packet immediately.

Now only packets from 172.16.64.66 can pass through the router to the server. Note
what this condition checks: the source address in the IP header, which the sender fills
in. It keeps out hosts that use their own addresses, but it does not authenticate
anyone; a packet whose source address is forged to 172.16.64.66 still matches. ACLs
raise the bar, they do not replace authentication on the server itself. We can create
as many conditions as we need; technically these conditions are known as ACLs. Besides
filtering unwanted traffic, ACLs are used for several other purposes, such as
classifying traffic for QoS (Quality of Service), triggering alerts, restricting remote
access to the VTY lines, debugging, selecting traffic for a VPN, and more.

Direction and location of ACLs


A packet interacts with three locations during its journey through a router:

1. Packet arrives on an interface (entrance)
2. Router makes the forwarding decision
3. Packet leaves through an interface (exit)

We cannot filter the packet in the middle of the router, where it makes the forwarding
decision. The decision-making process has its own logic and is not interrupted for
filtering. That leaves two locations, entrance and exit, where ACL conditions can be
applied.

ACL conditions applied at the entrance work as an inbound filter. ACL conditions applied
at the exit work as an outbound filter.

Inbound ACLs filter traffic before the router makes its forwarding decision, so a packet
denied inbound is dropped without a routing lookup. Outbound ACLs filter traffic after
the forwarding decision, on the exit interface that decision selected.

An ACL condition has one of two actions: permit or deny. We can permit certain traffic
and block the rest, or block certain traffic and allow the rest.
Key points

 ACLs must be applied on the interface that actually processes the packet.

 ACLs must be applied in the direction of the data flow. Inbound ACLs go on the entrance
interface; outbound ACLs go on the exit interface.

 Once applied, an ACL filters every packet passing through the interface in that direction.

Types of ACLs
There are two types of ACLs:

1. Standard ACLs (1 – 99 and 1300 - 1999)
2. Extended ACLs (100 – 199 and 2000 - 2699)

Standard ACLs (1 – 99 and 1300 - 1999)

ACLs have been part of Cisco IOS from the beginning. In the early days simple filtering
was sufficient, and standard ACLs provide exactly that: they filter a packet based on
its source IP address only. The numbers 1300 - 1999 are the expanded range, added later
so that more standard lists could be numbered.

Extended ACLs (100 – 199 and 2000 - 2699)

Over time security has become more challenging, and mitigating current threats requires
finer filtering. Extended ACLs take on this responsibility. An extended ACL can filter a
packet based on its source address, destination address, protocol (IP, TCP, UDP, ICMP
and others), port numbers, and more.

Named ACLs
Named ACLs are the enhanced form of the numbered ACLs above. A named standard ACL
filters exactly what a standard ACL filters, and a named extended ACL filters what an
extended ACL filters; the difference lies in how the list is identified and edited.
Numbered ACLs are identified by a number that must be unique among all ACLs on the
router, while named ACLs are identified by a name that must be unique among all ACLs.
A name is descriptive (Secure_telnet says more than 10), and named mode allows
individual entries to be inserted and deleted by sequence number.

General guidelines for ACLs

 ACLs are always processed from top to bottom, in sequential order.
 A packet is compared with the ACL conditions until it finds a match.
 Once a match is found for a packet, no further conditions are compared for that packet.
 The interface takes the action of the matching condition. There are two possible actions:
permit and deny.
 If a permit condition matches, the packet is allowed to pass through the interface.
 If a deny condition matches, the packet is dropped immediately.
 Every ACL has an implicit deny statement at its end.
 If a packet matches none of the conditions, it is dropped by that implicit deny.
 An empty ACL permits all traffic. The implicit deny does not apply to a list with no
entries; an ip access-group that refers to such a list filters nothing.
 The implicit deny takes effect only once the ACL has at least one user-defined
condition. Remember this when clearing a list with no access-list: the moment the last
entry is gone, the interface is wide open.
 An ACL filters only traffic passing through the interface. An outbound ACL does not
filter traffic originated by the router on which it is applied.
 A standard ACL can filter only on the source IP address.
 A standard ACL should be placed as close to the destination as possible, because it
cannot see the destination and placed near the source would block that source's traffic
to every destination.
 An extended ACL should be placed as close to the source as possible, so unwanted
traffic is dropped before it consumes bandwidth across the network.
 Each ACL needs a unique number or name.
 Only one ACL per protocol can be applied to an interface in each direction, inbound and
outbound.

A standard ACL can be created in two ways:

1. Classical approach (numbered)

To create a standard numbered ACL, the following global configuration mode command is
used:
Router(config)# access-list ACL_Identifier_number permit/deny matching-parameters

For example, we want to allow only the single host 20.0.0.10 and block all others. To
meet this requirement we need two ACL conditions:

1. Permit 20.0.0.10

2. Block all

Router(config)#access-list 10 permit 20.0.0.10 0.0.0.0
Router(config)#access-list 10 deny any

The value after the address is a wildcard mask, not a subnet mask: a 0 bit means the
corresponding bit of the packet's address must match, a 1 bit means it is ignored.
0.0.0.0 therefore matches exactly one host, and 0.0.0.255 would match a whole /24.

The order of the conditions plays a big role in filtering. If we had created the deny
condition first, as shown below, we would have blocked the entire traffic from all hosts
including 20.0.0.10.

Router(config)#access-list 10 deny any
Router(config)#access-list 10 permit 20.0.0.10 0.0.0.0

This happens because conditions are matched from top to bottom and, once a match is
found, no further conditions are checked. The first condition in this ACL matches
packets from all hosts, including 20.0.0.10, and its action is deny, so every packet is
dropped by the first condition. No packet ever reaches the second condition.
IMPORTANT: The explicit deny condition is not strictly required, because a deny-all
condition is already present at the end of every ACL. It is called the implicit deny
statement. Many administrators add an explicit deny any anyway: the implicit deny keeps
no match counter in show access-lists and cannot take the log keyword, so an explicit
entry is the only way to see or log what is being dropped.

For this requirement we only need to create one condition.

Router(config)#access-list 10 permit 20.0.0.10 0.0.0.0

Or

Router(config)#access-list 10 permit host 20.0.0.10

For a single-host entry we can use either the 0.0.0.0 wildcard mask or the host keyword.

2. Modern approach (numbered or named)

Here we create the same condition with the modern approach.

Router(config)#ip access-list standard Secure_telnet
Router(config-std-nacl)#permit 20.0.0.10 0.0.0.0
Router(config-std-nacl)#exit
Router(config)#
Or

Router(config)#ip access-list standard 10
Router(config-std-nacl)#permit 20.0.0.10 0.0.0.0
Router(config-std-nacl)#exit
Router(config)#
In the modern approach the configuration style differs from the classical one. We start
the command with ip access-list instead of access-list, which enters a dedicated
sub-mode (config-std-nacl for standard, config-ext-nacl for extended) where the permit
and deny conditions are entered one per line. The number form (ip access-list standard
10) edits a numbered ACL in this sub-mode, so a numbered list gains the same editing
features as a named one.

Advantages of the modern approach over the classic approach:

 In the classic method a new condition can only be appended at the end of the ACL. A
condition cannot be inserted in the middle; the only way is to delete the existing ACL
and recreate it with the modification. In the modern method a new condition can be
inserted anywhere in the ACL, by giving it a sequence number, without recreating the
entire ACL.
 In the classic method a single condition cannot be removed from an ACL; no access-list
10 followed by any condition deletes the whole list 10. The only way to remove one
condition is to delete the entire ACL and recreate it. In the modern method any single
condition can be deleted with no followed by its sequence number.
 The modern approach assigns sequence numbers to the conditions (10, 20, 30, ... by
default). With these sequence numbers we can modify an existing ACL in place, and ip
access-list resequence renumbers the entries when the gaps run out.

No matter which method we use to create a standard ACL, the process of applying it is
the same.
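The editing behaviour contrasted in the list above, as an added Python model that is not part of the original page and is not IOS code. It mimics what the router does to the list in each style: the classic numbered form only appends and any no access-list N removes the whole list, while named mode numbers entries 10, 20, 30 by default, accepts a new entry at any unused sequence number, deletes one entry with no followed by its sequence number, and renumbers with ip access-list resequence. The class names, the build_secure_telnet sample list and the running_config rendering are assumptions of the example.

```python
"""Model of ACL editing in IOS named mode versus the classic numbered form
(added example; not IOS code).  Named mode ('ip access-list ...') numbers
entries 10, 20, 30, ... by default, lets a new entry take any unused sequence
number, removes a single entry with 'no <seq>', and renumbers with
'ip access-list resequence'.  The classic 'access-list N ...' form only
appends, and 'no access-list N ...' in any form drops the whole list."""
from typing import Optional


class ClassicNumberedAcl:
    """Legacy numbered ACL: append-only, all-or-nothing removal."""

    def __init__(self, number: int):
        self.number = number
        self.lines = []

    def add(self, condition: str) -> None:
        self.lines.append(condition)          # always goes to the end

    def remove(self, condition: str = "") -> None:
        # 'no access-list N [condition]' deletes every entry, not just one
        self.lines.clear()


class NamedAcl:
    """Named-mode ACL keyed by sequence number."""

    def __init__(self, name: str, step: int = 10):
        self.name = name
        self.step = step
        self.entries = {}                     # seq -> condition text

    def add(self, condition: str, seq: Optional[int] = None) -> int:
        if seq is None:                       # default: last sequence + step
            seq = max(self.entries, default=0) + self.step
        if seq in self.entries:               # IOS refuses a duplicate sequence number
            raise ValueError(f"sequence {seq} already in use in {self.name}")
        self.entries[seq] = condition
        return seq

    def remove(self, seq: int) -> None:
        """'no <seq>' removes exactly one entry and leaves the rest untouched."""
        del self.entries[seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """'ip access-list resequence NAME start step': renumber, keep order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: c for i, c in enumerate(ordered)}
        self.step = step

    def ordered(self):
        return [(s, self.entries[s]) for s in sorted(self.entries)]

    def running_config(self) -> str:
        """Render the list roughly the way 'show running-config' prints it."""
        lines = [f"ip access-list standard {self.name}"]
        lines += [f" {s} {c}" for s, c in self.ordered()]
        return "\n".join(lines)


def build_secure_telnet() -> NamedAcl:
    """Constructed sample: a named list edited in place, as the text describes."""
    acl = NamedAcl("Secure_telnet")
    acl.add("permit host 20.0.0.10")            # 10
    acl.add("deny 20.0.0.0 0.255.255.255")      # 20
    acl.add("permit any")                       # 30
    acl.add("permit host 20.0.0.11", seq=15)    # inserted between 10 and 20
    acl.remove(20)                              # one entry removed, others intact
    return acl


if __name__ == "__main__":
    acl = build_secure_telnet()
    print(acl.running_config())
    classic = ClassicNumberedAcl(10)
    classic.add("permit host 20.0.0.10")
    classic.add("deny any")
    classic.remove("deny any")                  # wipes both lines
    print("classic ACL 10 after removing one line:", classic.lines)
```

The point to take away is the ClassicNumberedAcl.remove branch: on a real router the same mistake (no access-list 10 deny any, intended to drop one line) leaves list 10 empty, and an empty list applied to an interface permits everything.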

Enabling Standard IP ACL

The following commands are used to activate an ACL on an interface.

Router(config)#interface type [slot_#]port_#

Router(config-if)#ip access-group ACL_# in|out

The first command enters interface configuration mode.

The second command enables the ACL. It takes two parameters: the ACL number or name,
and the direction, in or out.

Examples:

The following commands activate standard ACL number 10 on the Serial 0/0/0 interface in
the inbound direction.

Router(config)#interface serial 0/0/0
Router(config-if)#ip access-group 10 in

The following commands activate the standard ACL named Secure_telnet on the Serial 0/0/1
interface in the outbound direction.

Router(config)#interface serial 0/0/1
Router(config-if)#ip access-group Secure_telnet out

Key points

 The same ACL can be applied to multiple interfaces.
 The same ACL can be enabled twice on the same interface, once in each direction, inbound
and outbound.
 The same ACL cannot be enabled twice on the same interface in the same direction.
 An empty ACL permits all traffic.
 The implicit deny takes effect only once the ACL has at least one user-defined condition.
 Only one ACL per interface, per direction and per protocol: entering a second ip
access-group in the same direction replaces the first rather than adding to it, so two
standard IP ACLs cannot be stacked on one interface in one direction.
 Before applying an ACL to the interface you are managing the router through, make sure
it permits your own management traffic, or you will lock yourself out; verify with show ip
interface that the list applied in each direction is the one you intended.
Extended ACL quick reference

1. Create the ACL
==============
For a single host (ICMP takes no eq port qualifier; the ICMP type follows the addresses):
access-list Number deny icmp host host_IP host server_ip echo (blocks ping requests)
For a full network (the wildcard mask selects the network):
access-list Number deny Protocol network_address wildcard_mask host server_ip eq www (for
web)

Ex: access-list 102 deny tcp 192.168.1.0 0.0.0.255 host 172.16.0.100 eq www

Final catch-all: access-list 102 permit ip any any
An extended ACL that contains only deny lines blocks everything else through the
implicit deny, so a permit ip any any (or a narrower permit) at the end is required when
the intent is to block specific traffic and allow the rest.

2. Apply the ACL
===============
Select the interface and the direction, inbound or outbound, then apply the list:
ip access-group ACL_number in|out
Ex: int fa0/0
ip access-group 102 in
View the list and its match counters: do show access-lists (from configuration mode;
show access-lists from privileged EXEC)
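The matching semantics described in the general guidelines, the numbered ACL 10 ordering example and this extended ACL 102 example, as an added Python simulator that is not part of the original page and is not Cisco IOS code. It parses the access-list command lines used above and evaluates constructed packets against them, reproducing wildcard masks, the host and any keywords, standard (source only) versus extended (protocol, addresses, port or ICMP type) matching, top-down first match, the implicit deny of a non-empty list and the permit-all behaviour of an empty list. The Packet fields, the PORT_NAMES table and the sample lists GOOD_ORDER, WRONG_ORDER and ACL_102 are assumptions of the example.

```python
"""Simulator for Cisco IOS ACL matching (added example; not IOS code).

Models: wildcard masks, host/any keywords, standard (source-only) versus
extended (protocol, source, destination, port or ICMP type) entries,
top-down first match, implicit deny at the end of a non-empty list, and
permit-all for a list with no entries.  Packet fields and the PORT_NAMES
table are assumptions of this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords accepted after 'eq' (assumed subset)
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53, "echo": 7}
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                 # ip, tcp, udp or icmp
    dport: Optional[int] = None       # tcp/udp destination port
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: tuple
    dst: tuple = ANY
    proto: str = "ip"                 # "ip" matches every IP protocol
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def parse(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line, standard or extended."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("expected an access-list line: " + line)
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard: source only
        src, rest = _take_addr(rest)
        return Entry(action, src)
    proto, rest = rest[0], rest[1:]                      # extended entry
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = icmp_type = None
    if rest and rest[0] == "eq":                         # tcp/udp port qualifier
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest and proto == "icmp":                       # icmp type keyword, no 'eq'
        icmp_type = rest[0]
    return Entry(action, src, dst, proto, dport, icmp_type)


class Acl:
    def __init__(self, lines=()):
        self.entries = [parse(line) for line in lines]

    def evaluate(self, p: Packet) -> str:
        if not self.entries:          # no entries: the interface filters nothing
            return "permit"
        for e in self.entries:        # top-down, first match wins
            if e.matches(p):
                return e.action
        return "deny"                 # implicit deny at the end


# Constructed sample lists: standard ACL 10 from the text in both orders, and
# extended ACL 102 that keeps 192.168.1.0/24 off the web server, stops pings
# to it, and lets everything else through the final permit.
GOOD_ORDER = Acl(["access-list 10 permit host 20.0.0.10"])
WRONG_ORDER = Acl(["access-list 10 deny any",
                   "access-list 10 permit 20.0.0.10 0.0.0.0"])
ACL_102 = Acl(["access-list 102 deny tcp 192.168.1.0 0.0.0.255 host 172.16.0.100 eq www",
               "access-list 102 deny icmp any host 172.16.0.100 echo",
               "access-list 102 permit ip any any"])

if __name__ == "__main__":
    for acl, pkt in [(GOOD_ORDER, Packet("20.0.0.10", "172.16.0.100")),
                     (WRONG_ORDER, Packet("20.0.0.10", "172.16.0.100")),
                     (ACL_102, Packet("192.168.1.7", "172.16.0.100", "tcp", 80)),
                     (ACL_102, Packet("192.168.1.7", "172.16.0.100", "tcp", 443))]:
        print(pkt, "->", acl.evaluate(pkt))
```

Feeding WRONG_ORDER the permitted host shows the ordering mistake from the numbered ACL section (deny comes back although a permit line exists further down), and an Acl() with no lines returns permit for everything, which is the empty-list trap described in the key points.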
