Access Control Lists

1. Access Control Lists (ACLs) in Detail

An Access Control List (ACL) is a list of permit and deny statements that define how traffic flows in and out of a network. It acts as a filter at a network device’s interface (router, firewall, etc.) to control the flow of traffic and restrict access to and from various network segments. ACLs are widely used for improving security, managing traffic, and applying network policies.

1.1 Purpose of ACLs

The primary purpose of ACLs is to control network traffic and enhance network security. ACLs are used to:

Limit access to network resources: Only authorized devices or users can access certain parts of the network.
Control traffic flow: ACLs filter traffic, ensuring that unwanted or malicious traffic is blocked.
Prioritize traffic: Specific ACLs can prioritize traffic for certain services, like voice or video traffic, to ensure quality of service.
Define security policies: ACLs help enforce security policies by permitting or denying traffic based on predefined criteria.

1.2 How ACLs Work

An ACL is a series of sequential rules applied to network traffic. These rules define whether the network device should forward or block packets based on criteria such as IP address, protocol type, or port number. The process involves the following steps:

When a packet arrives at an interface, it is compared to the ACL rules sequentially, starting from the top.
Each rule contains permit or deny conditions for specific traffic types, based on source or destination IP address, protocols, and port numbers.
If a match is found, the action (permit or deny) is applied to the packet, and no further rules are evaluated.
If no match is found and the end of the list is reached, the default action (implicit deny) is applied, meaning the packet is denied.

1.3 ACL Components

ACLs consist of the following components:

Access list number or name: ACLs can be identified by numbers or names. For example, standard ACLs use numbers between 1 and 99, while extended ACLs use numbers between 100 and 199.
Permit/Deny statement: Each rule specifies whether to permit or deny a packet that matches the criteria.
Source IP address: The IP address from which the packet originates. ACLs can filter traffic based on specific IP addresses or entire ranges (subnets).
Destination IP address: The IP address to which the packet is being sent. Similar to source IP addresses, ACLs can filter based on the destination IP or subnet.
Protocol: Specifies which protocol to filter (e.g., TCP, UDP, ICMP, etc.). Extended ACLs support filtering by protocol.
Port number: ACLs can filter traffic based on specific port numbers (e.g., port 80 for HTTP, port 443 for HTTPS). This is only applicable in extended ACLs.
Wildcard mask: A mask used to specify which bits in the IP address should be matched. Wildcard masks work like subnet masks but use "0" for exact matches and "1" to ignore bits.

1.4 Types of ACLs

There are two primary types of ACLs: Standard and Extended.

1.4.1 Standard ACLs

Standard ACLs filter traffic based only on the source IP address. They are simple and less granular in control.

Standard ACLs are numbered between 1 and 99.
They are usually placed close to the destination, as they only filter based on the source IP address.
Example configuration of a standard ACL:


Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any

1.4.2 Extended ACLs

Extended ACLs provide more control by allowing traffic filtering based on multiple criteria, such as source and destination IP addresses, protocols, and port numbers.

Extended ACLs are numbered between 100 and 199.
They should be placed close to the source to prevent unwanted traffic from traversing the network.
Example configuration of an extended ACL:


Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 80
Router(config)# access-list 100 deny ip any any

1.5 Wildcard Masks

Wildcard masks are used in ACLs to specify which bits in the IP address should be matched. The mask works as follows:

0: The bit in the IP address must match exactly.
1: The bit in the IP address can be ignored.

For example, a wildcard mask of 0.0.0.255 means that the first three octets of the IP address must match exactly, while the last octet can be any value. This allows you to filter a range of IP addresses.

1.6 ACL Placement

The placement of an ACL in a network topology is critical to its effectiveness. Here are the general guidelines:

Standard ACL: Place as close to the destination as possible, as it filters only based on the source IP address.
Extended ACL: Place as close to the source as possible, as it filters based on both source and destination IP addresses, protocols, and ports.

1.7 ACL Best Practices

Order of rules: ACLs are processed top-down. Once a rule matches, further rules are not evaluated. Ensure that more specific rules are placed above broader rules.
Implicit deny: ACLs have an implicit “deny all” rule at the end. If no conditions are matched, the traffic is denied.
Test ACLs: Before applying ACLs in a production environment, test them in a lab environment to avoid unintentional traffic blocking.
Document ACLs: Always document the purpose and logic behind each ACL for future reference and troubleshooting.

1.8 Monitoring and Verifying ACLs

After configuring ACLs, it is important to verify and monitor their behavior. Use the following commands to check ACLs:

show access-lists: Displays the access lists and their rules.
show ip interface: Displays the interfaces and whether an ACL is applied.
debug ip packet: Enables debugging of packets to monitor how ACLs are handling traffic.

1.9 Numbered vs. Named ACLs

ACLs can be configured using either numbers or names. Each method has its advantages and specific use cases.

1.9.1 Numbered ACLs

Numbered ACLs use a predefined number range to identify different types of ACLs:

1-99: Standard numbered ACLs.
100-199: Extended numbered ACLs.

While easy to configure, numbered ACLs can become hard to manage and track when many ACLs are in place.

1.9.2 Named ACLs

Named ACLs allow more flexibility, as administrators can assign descriptive names to the ACLs, making them easier to manage and identify. This is particularly useful in complex networks with multiple ACLs.


Router(config)# ip access-list standard <ACL_NAME>
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any

1.10 Time-Based ACLs

Time-based ACLs allow network administrators to control traffic based on time periods, adding more granularity to network security policies.

For example, you can restrict access to certain resources during non-business hours. Time-based ACLs are defined using a time range that specifies when the rules should be active.


Router(config)# time-range <TIME_RANGE_NAME>
Router(config-time-range)# periodic weekdays 8:00 to 18:00
Router(config)# access-list 101 permit tcp any any eq 80 time-range <TIME_RANGE_NAME>

1.11 Reflexive ACLs

Reflexive ACLs provide additional security by dynamically creating temporary access list entries based on outbound traffic. These entries allow only response traffic to return, which enhances security against spoofing and unauthorized access.

Reflexive ACLs are mainly used in scenarios where outbound traffic needs to be tightly controlled and only the return traffic is permitted.

Example configuration:


Router(config)# ip access-list extended OUTBOUND
Router(config-ext-nacl)# permit tcp any any reflect TCP-TRAFFIC
Router(config)# ip access-list extended INBOUND
Router(config-ext-nacl)# evaluate TCP-TRAFFIC

1.12 ACLs and IPv6

IPv6 uses a similar approach to ACLs as IPv4 but includes some differences due to the larger address space and specific IPv6 features. IPv6 ACLs are used to control traffic in IPv6 networks.

IPv6 ACLs can filter based on source/destination IPv6 addresses, protocols, traffic types, and more.
IPv6 ACLs can be applied to both incoming and outgoing traffic on an interface.

Example configuration:


Router(config)# ipv6 access-list <ACL_NAME>
Router(config-ipv6-acl)# permit ipv6 2001:db8::/64 any
Router(config-ipv6-acl)# deny ipv6 any any
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ipv6 traffic-filter <ACL_NAME> in

1.13 ACL Logging

ACL logging is used to track ACL rule matches in real time. When a packet matches a rule with logging enabled, it generates a log entry. This is useful for monitoring network traffic and detecting potential security breaches.

Logging can be enabled on both permit and deny statements:


Router(config)# access-list 101 permit tcp any host 10.1.1.1 eq 80 log
Router(config)# access-list 101 deny ip any any log

Benefits: Helps detect unauthorized access attempts, monitor network traffic, and troubleshoot ACL configurations.
Considerations: Excessive logging can generate a large number of log messages, so use logging selectively.

1.14 Access Control Lists and Network Address Translation (NAT)

ACLs can be used in conjunction with Network Address Translation (NAT) to filter traffic before or after it is translated.

Pre-NAT ACL: Applied before the translation process, matching the traffic by its original IP address.
Post-NAT ACL: Applied after NAT has translated the traffic, matching the traffic by the translated IP address.

Using ACLs with NAT helps to ensure that only specific traffic is allowed to be translated and passed through the network.

1.15 ACL and Quality of Service (QoS)

ACLs are often used with Quality of Service (QoS) policies to prioritize or limit network traffic based on specific criteria. By defining rules with ACLs, administrators can prioritize critical services like VoIP or video conferencing while controlling less critical traffic.

ACLs are used to classify traffic for QoS policies, allowing specific types of traffic to receive higher priority or bandwidth allocation.

2. Configure and Verify Access Control Lists (ACLs)

An Access Control List (ACL) is a set of rules applied to network traffic to control whether packets are allowed or denied passage through a network interface. ACLs help improve security by restricting access to sensitive resources and controlling the flow of data. Configuring and verifying ACLs is a fundamental task in network management and security.

2.1 Types of ACLs

There are two main types of ACLs:

Standard ACLs: Filter traffic based on the source IP address only. They are simpler but less granular.
Extended ACLs: Allow filtering based on multiple parameters, such as source and destination IP addresses, protocols, port numbers, and more, offering greater control over traffic.

2.2 Configuring Standard ACLs

Standard ACLs are applied based on the source IP address. These ACLs are usually applied close to the destination to minimize traffic through the network. The basic syntax for configuring a standard ACL on Cisco devices is:


Router(config)# access-list <ACL_NUMBER> {permit | deny} <source_IP>
Router(config)# interface <INTERFACE>
Router(config-if)# ip access-group <ACL_NUMBER> {in | out}

Example: To allow traffic from 192.168.1.0/24 and deny all others:


Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ip access-group 10 in

2.3 Configuring Extended ACLs

Extended ACLs offer more granularity by allowing filtering based on multiple criteria such as source and destination IP addresses, ports, and protocols. These ACLs are often applied close to the source to limit unwanted traffic early. The syntax for configuring an extended ACL is:


Router(config)# access-list <ACL_NUMBER> {permit | deny} <protocol> <source_IP> <source_wildcard> <destination_IP> <destination_wildcard> [eq <port_number>]
Router(config)# interface <INTERFACE>
Router(config-if)# ip access-group <ACL_NUMBER> {in | out}

Example: To allow HTTP traffic (port 80) from 192.168.1.0/24 to 10.1.1.0/24, but deny all other traffic:


Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 80
Router(config)# access-list 100 deny ip any any
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ip access-group 100 in

2.4 Verifying ACL Configuration

After configuring ACLs, it's crucial to verify their correct implementation to ensure the expected behavior. You can use the following commands to verify and monitor ACLs:


Router# show access-lists
Router# show ip interface <INTERFACE>

show access-lists: Displays the ACLs configured on the router and the rules within each ACL.
show ip interface: Shows if an ACL is applied to an interface and whether it is inbound or outbound.

2.5 Best Practices for ACL Configuration

Order matters: ACLs are processed from top to bottom. Once a match is found, no further rules are checked, so place more specific rules at the top.
Implicit deny: There is an implicit deny rule at the end of every ACL. If no rules match, the packet will be denied.
Test ACLs in a lab environment: Before deploying ACLs on a live network, test them in a controlled environment to avoid unintentional traffic disruption.