What is an Access Control List (ACL)?
Access Control Lists (ACLs) are ordered sets of rules that permit or deny traffic when it matches the conditions stated in each rule.
There are two main purposes of ACLs:
- To filter the traffic
- To identify the traffic
Each rule is either a permit statement, which allows matching traffic, or a deny statement, which blocks it; when an ACL is used to classify rather than filter, permit includes the matching traffic and deny excludes it. Filtering is the key use, but the same match logic identifies the interesting traffic that brings up a dial-on-demand ISDN link, selects routes to filter from routing updates (distribute lists), and classifies traffic for QoS policies.
Only one ACL can be applied per interface, per protocol, per direction (for example, one inbound and one outbound IPv4 ACL on a given interface). A packet is compared against the entries from the top down; the first entry that matches decides permit or deny and no further entries are evaluated, so the order of entries matters. Every ACL ends with an implicit deny all that does not appear in the configuration: a packet that matches no entry is dropped, and an ACL containing only deny statements blocks everything. With a classic numbered ACL you cannot delete a single entry; no access-list 10 removes the whole list, so the usual workflow is to delete it and re-enter it in full. (Recent IOS releases let you edit a numbered ACL with ip access-list standard 10 or ip access-list extended 101, which gives it the same sequence-number editing that named ACLs have.)
Types of Access Control List
There are two categories of access lists:
- Numbered
- Named
Numbered ACLs are divided into ranges, each reserved for a protocol and list type. The two ranges in everyday use are:
- 1 – 99: IP standard access list
- 100 – 199: IP extended access list
(The expanded ranges 1300 – 1999 for standard and 2000 – 2699 for extended IP lists are also available.)
With a classic numbered ACL you cannot remove an individual line; named ACLs let you delete and insert individual entries, and the whole list can be removed by name.
There are two types of Named ACLs:
- IP standard named access list
- IP extended named access list
Wild Card Masks
IP access lists use wildcard masks to decide, bit by bit, two things about an address:
- Which bits must match exactly
- Which bits can be any value
A wildcard mask is the inverse of a subnet mask: a subnet mask marks the network portion with 1 bits and the host portion with 0 bits, whereas a wildcard mask marks the bits that must match with 0 and the bits that are ignored with 1. Consider the following address and mask:
- Address: 172.16.0.0
- Wildcard mask: 0.0.255.255
Two golden rules to understand the wildcard mask are as follows:
- If the bit is 0 in the wildcard mask, then the corresponding address must match exactly.
- If the bit is 1 in the wildcard mask, then the corresponding address can match any number.
Further understanding of the wildcard mask can be achieved by converting it into binary:
- Address: 10101100.00010000.00000000.00000000
- Wildcard mask: 00000000.00000000.11111111.11111111
Any 0 bits will match exactly the same in the corresponding address, showing as:
- 10101100.00010000 = 172.16
Any 1 bits in the wildcard mask will match any number.
To match a single host address with a wildcard mask:
- Address: 172.16.1.1
- Wildcard mask: 0.0.0.0
We can match the specific address in two ways:
- Using the wildcard mask set to 0: 172.16.1.1 0.0.0.0
- Using the keyword ‘host’: host 172.16.1.1
To match every address with a wildcard mask:
- Address: 0.0.0.0
- Wildcard mask: 255.255.255.255
We can match all addresses in two ways:
- Using the wildcard mask with all bits set to 1: 0.0.0.0 255.255.255.255
- Using the keyword ‘any’: any
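The matching rules above, as an added example in Python (not code from the original page): it derives a wildcard mask from a prefix length, expands the host and any shorthands, normalizes an address the way IOS does when it stores an entry, and matches candidate addresses bit by bit. It goes one step beyond the page by also showing a non-contiguous wildcard mask, which IOS accepts and which no subnet mask can express. The function names and the sample addresses are the example's own.

```python
import ipaddress

MAX32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask."""
    subnet_mask = (MAX32 << (32 - prefix_len)) & MAX32
    return to_dotted(subnet_mask ^ MAX32)


def parse_source(spec: str) -> tuple:
    """Expand an ACL source/destination spec to an (address, wildcard) pair.
    Accepts 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare address (host match)."""
    tokens = spec.split()
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0")
    if len(tokens) == 1:
        return (tokens[0], "0.0.0.0")
    return (tokens[0], tokens[1])


def normalize(address: str, wildcard: str) -> str:
    """IOS clears the 'don't care' bits of the address when it stores an entry,
    so 172.16.5.7 0.0.255.255 shows up in the running-config as 172.16.0.0 0.0.255.255."""
    return to_dotted(to_int(address) & (~to_int(wildcard) & MAX32))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """The candidate matches when every bit that is 0 in the wildcard is equal
    in the address and the candidate; bits that are 1 in the wildcard are ignored."""
    care = ~to_int(wildcard) & MAX32
    return (to_int(address) ^ to_int(candidate)) & care == 0


def addresses_covered(wildcard: str) -> int:
    """Each 1 bit in the wildcard doubles the number of addresses an entry matches."""
    return 2 ** bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    # 172.16.0.0 0.0.255.255 is the page's example: the first two octets must match.
    print(wildcard_from_prefix(16), wildcard_match("172.16.0.0", "0.0.255.255", "172.16.200.7"))
    # Non-contiguous mask: 0.0.254.255 ignores every third-octet bit except the lowest,
    # so 172.16.0.0 0.0.254.255 matches only the even-numbered /24s under 172.16.
    print(wildcard_match("172.16.0.0", "0.0.254.255", "172.16.8.1"),
          wildcard_match("172.16.0.0", "0.0.254.255", "172.16.9.1"))
```

Non-contiguous masks are a double-edged tool: one entry can cover every even subnet, but such entries are easy to misread during a review, so compare the intended policy against the normalized form that the running-config shows rather than against what was typed.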
Standard IP Access List
A standard IP access list matches on the source address only and is written as follows:
access-list {1-99} {permit | deny} source [source-wildcard] [log]
Because it cannot distinguish destinations or ports, a standard ACL is placed as close to the destination as possible, so that it blocks only the traffic intended. Consider the topology in the diagram: we will block the 172.18.0.0 network from reaching the 172.16.0.0 network.
ACL Configuration on Router A
Router(config)# access-list 10 deny 172.18.0.0 0.0.255.255
Router(config)# access-list 10 permit any
The first command is used to block the specific network, and the second line is used to permit all other traffic.
To apply this access list
Router(config)# int s0
Router(config-if)# ip access-group 10 in
To view all access lists together with the match counter of each entry:
Router# show ip access-lists
To see which access list is applied to an interface (the output reports the inbound and outgoing access list):
Router# show ip interface s0
Router# show running-config
Extended IP Access List
An extended IP access list matches on source address, destination address, protocol and, for TCP or UDP, port numbers. Because it can identify unwanted traffic precisely, it is placed closest to the source so that the traffic is dropped before it crosses the network. Again, consider the above example.
Assume the web server on the 172.16.0.0 network has the IP address 172.16.10.10. To block all traffic from 172.18.0.0 to the 172.16.0.0 network except HTTP (TCP port 80) to that web server:
Configuration of Extended IP Access List on Router B:
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
Router(config)# access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 101 permit ip any any
The first line allows traffic from the 172.18.0.0 network to TCP port 80 on the web server. The second line blocks all other traffic from 172.18.0.0 to 172.16.0.0, and the third line permits anything else; without it, the implicit deny at the end would drop all remaining traffic entering the interface.
To apply this access list
Router(config)# int e0
Router(config-if)# ip access-group 101 in
Extended IP Access List Port Operators
In an extended IP access list, the following operators are used with port numbers:
- eq: match the specified port
- gt: match all ports greater than the specified port
- lt: match all ports less than the specified port
- neq: match all ports except the specified port
- range: match all ports within the inclusive range given by two port numbers
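The standard and extended ACL behaviour described in the last two sections, as an added Python simulation (not code from the original page, and not how IOS implements ACLs internally): it parses numbered-ACL lines in the syntax shown above, evaluates sample packets top-down with first-match-wins and the implicit deny, applies the port operators, and keeps per-entry match counters like those reported by show access-lists. The sample packets and the AccessList, Entry and tcp() names are the example's own; the port-name table is a small assumed subset of the names IOS accepts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX32 = 0xFFFFFFFF
PORT_OPS = ("eq", "gt", "lt", "neq", "range")
NAMED_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}  # assumed subset
ANY = ("0.0.0.0", "255.255.255.255")


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _is_dotted(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """Only the bits that are 0 in the wildcard mask are compared."""
    care = ~_ip(wildcard) & MAX32
    return (_ip(address) ^ _ip(candidate)) & care == 0


@dataclass
class Entry:
    action: str                                   # "permit" or "deny"
    proto: str                                    # "ip" matches every protocol
    src: Tuple[str, str]                          # (address, wildcard)
    dst: Tuple[str, str]
    sport: Optional[Tuple[str, int, int]] = None  # (operator, low, high)
    dport: Optional[Tuple[str, int, int]] = None
    log: bool = False
    text: str = ""
    hits: int = 0                                 # the "matches" counter of show access-lists


def _take_addr(tokens: list) -> Tuple[str, str]:
    """Consume 'any', 'host A', 'A W' or a bare address (host match) from the front."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and _is_dotted(tokens[0]):
        return (tok, tokens.pop(0))
    return (tok, "0.0.0.0")


def _port(tok: str) -> int:
    return NAMED_PORTS.get(tok) or int(tok)


def _take_port_op(tokens: list) -> Optional[Tuple[str, int, int]]:
    """Consume an optional 'eq 80', 'gt 1023', 'range 1024 65535', ... clause."""
    if not tokens or tokens[0] not in PORT_OPS:
        return None
    op = tokens.pop(0)
    low = _port(tokens.pop(0))
    high = _port(tokens.pop(0)) if op == "range" else low
    return (op, low, high)


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse one 'access-list N permit|deny ...' line in numbered-ACL syntax."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("expected an access-list line: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
        entry = Entry(action, "ip", _take_addr(rest), ANY, text=line)
    else:                                                  # extended
        proto = rest.pop(0)
        src = _take_addr(rest)
        sport = _take_port_op(rest) if proto in ("tcp", "udp") else None
        dst = _take_addr(rest)
        dport = _take_port_op(rest) if proto in ("tcp", "udp") else None
        entry = Entry(action, proto, src, dst, sport, dport, text=line)
    entry.log = "log" in rest
    return number, entry


def _port_ok(spec: Optional[Tuple[str, int, int]], port: int) -> bool:
    if spec is None:
        return True
    op, low, high = spec
    return {"eq": port == low, "neq": port != low, "gt": port > low,
            "lt": port < low, "range": low <= port <= high}[op]


def matches(entry: Entry, pkt: dict) -> bool:
    if entry.proto != "ip" and entry.proto != pkt["proto"]:
        return False
    if not (wildcard_match(*entry.src, pkt["src"]) and wildcard_match(*entry.dst, pkt["dst"])):
        return False
    return _port_ok(entry.sport, pkt.get("sport", 0)) and _port_ok(entry.dport, pkt.get("dport", 0))


class AccessList:
    def __init__(self, lines):
        self.entries = [parse_entry(line)[1] for line in lines]

    def evaluate(self, pkt: dict) -> Tuple[str, str]:
        """Top-down, first match wins; anything unmatched hits the implicit deny."""
        for entry in self.entries:
            if matches(entry, pkt):
                entry.hits += 1
                return entry.action, entry.text
        return "deny", "implicit deny"


def tcp(src: str, dst: str, dport: int, sport: int = 40000) -> dict:
    """Constructed sample packet."""
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport}


# The page's two lists, re-entered here as the sample configuration.
ACL_10 = AccessList(["access-list 10 deny 172.18.0.0 0.0.255.255",
                     "access-list 10 permit any"])
ACL_101 = AccessList(["access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80",
                      "access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255",
                      "access-list 101 permit ip any any"])

if __name__ == "__main__":
    for pkt in (tcp("172.18.3.4", "172.16.10.10", 80), tcp("172.18.3.4", "172.16.10.10", 22),
                tcp("172.18.3.4", "10.0.0.1", 22)):
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], ACL_101.evaluate(pkt))
```

Swapping the order of the page's entries is the classic mistake the simulation exposes: with permit ip any any first, the deny below it can never match and its counter stays at zero, which is exactly what show access-lists would reveal on the router.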
Access List Logging
Adding the log keyword at the end of an entry makes the router generate a syslog message when that entry is matched:
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80 log
Router(config)# access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 log
Router(config)# access-list 101 permit ip any any log
Router# show access-lists 101
The router does not log every packet: it sends one message for the first packet that matches an entry and then a summary message carrying the packet count at the end of each interval (five minutes by default). ACL logging is CPU-intensive, because the router must process-switch the packets it logs, so in production the log keyword belongs on the entries of interest (typically the deny entries) rather than on permit ip any any. The log-input keyword additionally records the ingress interface and source MAC address. To send the messages to a syslog server:
Router(config)# logging on
Router(config)# logging host 172.18.1.50
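ACL log messages are only useful if something reads them. The following added Python (not code from the original page) parses the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGS message formats that IOS emits for logged extended (TCP/UDP) and standard entries, sums denied packets per flow, and flags a source that is denied on many distinct destination ports, which is what a port scan looks like from the ACL's point of view. The log lines are constructed for this example and modelled on the IOS format, including the rate-limited five-minute summary line with a packet count; the router names, the timestamps and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Message bodies for extended (tcp/udp) and standard entries carrying the log keyword.
# The optional "(interface mac)" group after the source appears when log-input is used.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)(?: \([^)]*\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
LOGS = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<count>\d+) packets?")


def parse_line(line: str):
    """Return a dict for an ACL log message, or None for any other syslog line."""
    m = LOGP.search(line)
    if m:
        d = m.groupdict()
        return {"acl": d["acl"], "action": d["action"], "proto": d["proto"],
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]), "count": int(d["count"])}
    m = LOGS.search(line)
    if m:
        d = m.groupdict()
        return {"acl": d["acl"], "action": d["action"], "proto": "ip",
                "src": d["src"], "sport": None, "dst": None, "dport": None,
                "count": int(d["count"])}
    return None


def analyze(text: str, scan_threshold: int = 5):
    """Sum denied packets per (acl, src, dst, dport) and list sources denied on
    at least scan_threshold distinct destination ports (threshold is an assumption)."""
    denied = defaultdict(int)
    ports_by_src = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "denied":
            continue
        denied[(ev["acl"], ev["src"], ev["dst"], ev["dport"])] += ev["count"]
        if ev["dport"] is not None:
            ports_by_src[ev["src"]].add(ev["dport"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return dict(denied), scanners


# Constructed sample, modelled on what a syslog server receives from two routers.
SAMPLE_LOG = """\
Jun  1 10:00:01 routerB 45: *Jun  1 10:00:00.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.18.1.5(34567) -> 172.16.10.10(22), 1 packet
Jun  1 10:00:02 routerB 46: *Jun  1 10:00:01.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.18.1.5(34568) -> 172.16.10.10(23), 1 packet
Jun  1 10:00:03 routerB 47: *Jun  1 10:00:02.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.18.1.5(34569) -> 172.16.10.10(25), 1 packet
Jun  1 10:00:04 routerB 48: *Jun  1 10:00:03.012: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.18.1.5(34570) -> 172.16.10.10(443), 1 packet
Jun  1 10:00:05 routerB 49: *Jun  1 10:00:04.345: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.18.1.5(34571) -> 172.16.10.10(3389), 1 packet
Jun  1 10:00:06 routerB 50: *Jun  1 10:00:05.678: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 172.18.7.9(50001) -> 172.16.10.10(80), 1 packet
Jun  1 10:05:01 routerB 51: *Jun  1 10:05:00.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.18.1.5(34567) -> 172.16.10.10(22), 37 packets
Jun  1 10:05:02 routerA 12: *Jun  1 10:05:01.002: %SEC-6-IPACCESSLOGS: list 10 denied 172.18.2.2 4 packets
Jun  1 10:05:03 routerB 52: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (172.16.1.20)
"""

if __name__ == "__main__":
    denied, scanners = analyze(SAMPLE_LOG)
    for flow, packets in sorted(denied.items(), key=lambda kv: -kv[1]):
        print(flow, packets)
    print("possible scanners:", scanners)
```

The summary line is why the counts must be summed rather than counted: the 37-packet message stands for traffic the router never logged individually, so a detector that counts log lines instead of packets would under-report the volume by more than an order of magnitude.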
ICMP Access List
An extended access list can also filter ICMP by message type. To stop one network from pinging another, deny icmp between the two address ranges and put the keyword echo (ICMP echo request) at the end of the entry; the keyword echo-reply matches the replies in the opposite direction.
Named Access Control List
A named access list has two advantages over a numbered access list: it carries a descriptive name that documents its purpose, and its entries have sequence numbers, so individual lines can be removed or inserted without re-entering the whole list.
To create the Standard Named ACL:
Router(config)# ip access-list standard NAME
Router(config-std-nacl)# deny 172.18.0.0 0.0.255.255
Router(config-std-nacl)# permit any
To create an Extended Named ACL:
Router(config)# ip access-list extended NAME
Router(config-ext-nacl)# permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
Router(config-ext-nacl)# deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config-ext-nacl)# permit ip any any
We can also make entries time-based: define a time-range in global configuration and reference it with the time-range keyword on an entry, for example to block HTTP traffic only during specified hours.