ACL (Access Control List) can be used for:
- Packet security/filtering
- Defining “interesting” traffic for dial-on-demand routing (DDR) – the dial line is only brought up when “interesting” traffic appears
- QoS – not in CCNA but in CCVP, CCIP and CCNP
- NAT
- Control routing advertisement, through filtering routing updates
Creation – types of ACLs
Standard IP ACLs
- Filter on the source IP address only
- Predefined ranges: 1-99, 1300-1999
rt# configure terminal
rt(config)# access-list acl# permit|deny {host source | source wildcard | any}
rt(config)# access-list 10 deny 172.16.0.15                (no wildcard given = 0.0.0.0, i.e. this host only)
rt(config)# access-list 10 permit any
rt(config)# access-list 20 deny 10.0.0.55 0.0.0.0
rt(config)# access-list 10 permit 10.0.0.0 0.255.255.255
Extended IP ACLs
- Filtering possible based on source host, destination host, protocol, source port, destination port, ICMP type of message if protocol is ICMP
- Predefined ranges: 100-199, 2000-2699
rt# configure terminal
rt(config)# access-list acl# permit|deny {ip|tcp|udp|icmp} {host source | source wildcard | any} {host destination | destination wildcard | any} [eq|gt|lt|neq|range port] [icmp-type]
(the port operator applies to tcp/udp, the icmp-type only to icmp)
- The following two statements are equivalent (`host` is shorthand for a 0.0.0.0 wildcard, which requires every bit to match):
rt(config)# access-list 100 deny tcp host 172.16.0.15 host 172.16.0.1
rt(config)# access-list 100 deny tcp 172.16.0.15 0.0.0.0 host 172.16.0.1
- Forbids 172.16.0.1 from telnetting to any host in the network 172.17.0.0/16 (telnet is TCP port 23, so the protocol must be tcp; 101 is used because 200 lies outside the extended ranges above):
rt(config)# access-list 101 deny tcp host 172.16.0.1 172.17.0.0 0.0.255.255 eq 23
Named ACLs
- Using names instead of numbers – more clarity
rt(config)# ip access-list extended magnolia
rt(config-ext-nacl)# deny tcp host 172.16.0.15 host 172.16.0.1
rt(config-ext-nacl)# permit ip any any
Apply ACLs on interfaces or lines
In case of interfaces (interface configuration mode):
router(config-if)# ip access-group acl# {in|out}
Examples:
router(config)# interface e1
router(config-if)# ip access-group 1                 (apply ACL)
router(config-if)# ip access-group 1 out
router(config-if)# no ip access-group 1              (remove ACL)
router(config-if)# ip access-group magnolia in       (named ACL)
In case of lines (VTY or console, line configuration mode):
router(config-line)# access-class acl# {in|out}
On lines, always apply the ACL inbound: an outbound access-class does something different (it restricts where sessions started from the router itself may go), which is rarely what is intended.
Examples:
router(config)# line vty 0 4
router(config-line)# access-class 1 in               (apply ACL 1 inbound on VTY lines 0-4)
Wildcard masks
- They define how much of an address needs to be looked at for there to be a match: a 0 bit means the corresponding address bit must match, a 1 bit means “don't care”.
- Not a netmask (it is effectively the inverse of one: 0.0.0.0 means “this host”, 255.255.255.255 means “any”).
rt(config)# access-list 3 deny 10.0.0.55 0.0.0.0           (match the host exactly)
rt(config)# access-list 3 deny 10.0.0.0 0.255.255.255      (match the whole 10.0.0.0/8 network)
Rule of thumb in creating/applying ACLs
- Standard ACLs must be placed as close as possible to the destination (they can only match on the source, so placing them near the source would also cut that source off from every other destination)
- Extended ACLs should stay as close as possible to the source (they can identify the exact flow, so unwanted traffic is dropped before it crosses the network)
- Use a text editor
- Only named ACLs allow removal of a specific statement
Troubleshoot
- show ip interface – tells whether an ACL is applied to that interface, and in which direction (in/out)
- show access-lists – shows all ACLs configured on the router
- show ip access-lists – shows only the IP ACLs on the router
- show access-list – same as show access-lists
- With ACLs, order matters: statements are evaluated top-down in the order entered, and the first match wins
- Always check the end of the list for a permit any: every ACL ends with an implicit deny any, so an ACL containing only deny statements blocks all traffic.
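To make the wildcard-mask rule and the order/implicit-deny rule concrete, here is an added Python model of how a router walks an ACL (example code written for these notes, not Cisco's implementation). The `Entry`, `wildcard_match` and `evaluate` names and the sample lists are constructed; they mirror the `access-list 10` and `access-list 101` statements above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match exactly, a 1 bit is ignored
    (the inverse of a netmask: 0.0.0.0 = this host, 255.255.255.255 = any)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits the router actually compares
    return (a & care) == (b & care)

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str                        # source address
    src_wc: str = "0.0.0.0"         # omitted wildcard on a standard ACL = host
    proto: str = "ip"               # "ip" matches every protocol, else tcp/udp/icmp
    dst: str = "0.0.0.0"            # standard ACLs have no destination = any
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None     # "eq <port>" (tcp/udp only)

def evaluate(acl: List[Entry], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> str:
    """Top-down, first match wins; with no match the implicit 'deny any' at the end applies."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny (implicit)"

# Constructed sample lists mirroring the notes.
# access-list 10 deny 172.16.0.15 / access-list 10 permit any
ACL_GOOD = [Entry("deny", "172.16.0.15"), Entry("permit", "0.0.0.0", "255.255.255.255")]
# Same two statements entered in the wrong order: "permit any" shadows the deny below it.
ACL_BAD = list(reversed(ACL_GOOD))
# access-list 101 deny tcp host 172.16.0.1 172.17.0.0 0.0.255.255 eq 23, then permit ip any any
TELNET_BLOCK = [Entry("deny", "172.16.0.1", proto="tcp", dst="172.17.0.0",
                      dst_wc="0.0.255.255", dport=23),
                Entry("permit", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    print(evaluate(ACL_GOOD, "172.16.0.15", "10.9.9.9"))   # deny
    print(evaluate(ACL_BAD, "172.16.0.15", "10.9.9.9"))    # permit (deny never reached)
    print(evaluate([ACL_GOOD[0]], "10.1.1.1", "1.1.1.1"))   # deny (implicit)
```

The last case shows why a list containing only deny statements blocks everything; the `wildcard_match` check with `0.255.255.255` versus `0.0.0.0` shows why those two masks are not interchangeable for a single host.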