Access lists allow you to group network objects such as IP addresses, services or users and act upon that information. They are most commonly used to permit or deny certain types of traffic, though they are also used for a variety of other things (filtering out routes, for example).
Cisco IOS routers and switches have two types of access control list:
Standard ACLs, which can only filter based on the source IP address
Extended ACLs, which can filter based on source or destination IP address, or on certain Layer 4 protocols such as TCP or UDP
Access control lists (ACLs) can be configured as either numbered or named. Numbered ACLs cannot be edited once created: to alter a numbered ACL it must be removed and re-created. Named ACLs can be modified after creation.
How ACLs work
Whilst access control lists are used for filtering routes, controlling debug output and other things, their primary use is to act as a basic firewall, restricting what traffic can pass through a device. Once an ACL is enabled, the router examines the IP header of each packet and compares it to the ACL. Any additional task a router must undertake, such as NAT/PAT or processing ACLs, reduces its performance, so it is important to understand how rules are processed.
Access control lists consist of rules that (generally) either permit or deny traffic; each rule sits on its own line in the ACL. At the very end of every access control list is a line that denies any unmatched traffic, referred to as the “implicit deny”.
As traffic is received it is compared to the ACL line by line; when it reaches a line that permits the traffic, processing stops and the packet is sent on its way. This makes it important to put the most frequently hit rules at the top of your ACL.
To view existing access lists we can use the “show ip access-list” command:
Router# sh ip access-lists
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
Standard ACLs can be created using either a name or a number (1 through 99); numbered ones are built with the “access-list #” command. For example, to block all traffic with a source address of 192.168.1.1 we would do the following:
Router(config)# access-list 1 deny 192.168.1.1
Router(config)# access-list 1 permit any
The final line is an important one: without it all traffic would be denied, rather than just traffic from 192.168.1.1. As this is a numbered access list we cannot return to amend it at a later date. If we wanted to create the same ACL with a name rather than a number we would do the following:
Router(config)# ip access-list standard DenyHost
Router(config-std-nacl)# deny host 192.168.1.1
Router(config-std-nacl)# permit any
Notice here that the format of the command has changed slightly. Named ACLs are created under the “ip” context, and we also need to specify whether it is a standard ACL or an extended one (since there is no number to determine that).
Extended ACLs are much more flexible than standard ACLs, allowing filtering on more than just the source IP. With extended ACLs we can also filter on some Layer 4 information, such as source or destination port. Just like standard ACLs, they can be created using numbers (100 through 199) or names.
As an example, let’s assume we have a web server running on 192.168.1.1. With a standard ACL we would only be able to permit traffic to the IP, rather than permitting only port 80.
Router(config)# ip access-list extended WebTraffic
Router(config-ext-nacl)# permit tcp any host 192.168.1.1 eq 80
The second line above specifies that we are going to permit TCP traffic from any source address, but only when it is destined to 192.168.1.1 on port 80. All other traffic will be denied due to the implicit deny at the end of the ACL.
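To make the first-match and implicit-deny behaviour concrete, here is an added Python model of ACL evaluation (example code written for this page, not Cisco software). It accepts only the entry forms shown on this page, standard entries with an address and optional wildcard bits, “host” and “any”, and extended TCP/UDP entries with an optional “eq” port, and is a deliberately simplified model of what IOS does.

```python
import ipaddress

# Constructed model of IOS ACL evaluation (example code, not Cisco software).
# Supports the entry forms used on this page: standard "deny 192.168.1.1",
# "permit 192.168.1.0 0.0.0.255", "permit any", "deny host A.B.C.D" and
# extended "permit tcp any host A.B.C.D eq 80"; the leading "access-list N"
# of a numbered ACL is accepted and ignored.

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume one address term; return (address, wildcard) as 32-bit ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF            # every bit is "don't care"
    if first == "host":
        return _ip(tokens.pop(0)), 0    # every bit must match
    # "A.B.C.D W.W.W.W"; a bare address means wildcard 0.0.0.0 (exact host)
    wild = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return _ip(first), _ip(wild)

def _match(term, packet_ip):
    addr, wild = term                   # wildcard bit 1 = ignore that bit
    care = ~wild & 0xFFFFFFFF
    return (packet_ip & care) == (addr & care)

def parse_acl(lines):
    """Parse entries in the order given; order matters because first match wins."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":  # numbered form: drop "access-list N"
            tokens = tokens[2:]
        action = tokens.pop(0)
        if tokens[0] in ("ip", "tcp", "udp", "icmp"):   # extended entry
            proto = tokens.pop(0)
            src, dst = _parse_addr(tokens), _parse_addr(tokens)
            port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        else:                                           # standard: source only
            proto, src, dst, port = "ip", _parse_addr(tokens), (0, 0xFFFFFFFF), None
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """Return 'permit' or 'deny' for one packet, stopping at the first match."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, e_proto, src, dst, port in entries:
        if e_proto in ("ip", proto) and _match(src, s) and _match(dst, d) \
                and (port is None or port == dst_port):
            return action
    return "deny"                       # the implicit deny at the end of every ACL
```

Feeding the page’s numbered ACL through parse_acl with and without its final “permit any” line shows why that line matters: without it, evaluate returns deny for every packet.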
Once access control lists are created they do nothing until you apply them to something. ACLs are applied on a per-interface basis, to either inbound or outbound traffic. The key to working out where to place the ACL is to think of yourself as the router: is the traffic being received or sent? Once you know that, you can place the ACL. It is also good practice to apply ACLs as close to the traffic source as possible, to avoid unnecessary processing: if an ACL is going to drop traffic, it makes little sense to filter it as it leaves the router when it could be filtered as soon as the router receives it.
Access control lists are applied using the “access-group” command to an interface, for example:
Router(config)# int Fa0/0
Router(config-if)# ip access-group WebTraffic in
One further point to note: if you apply an ACL to an interface before that ACL has been created, all traffic will be dropped (due to the implicit deny at the end of every ACL).