In this article I will talk about one technology used especially for restricting and securing access throughout a network: ACLs (Access Control Lists). This is one of the most important lessons you need to learn in order to pass the CCNA exam. As a network administrator you’ll have to know how to create and modify ACLs, because you’ll probably use them on a daily basis. You’ve probably used ACLs in different technologies without knowing it, to secure access to a file, a computer, an application, etc. Firewalls are hardware devices that use ACLs to restrict network access based on source and destination IPs, port numbers, protocol, etc. Even permissions on Windows shared folders can be seen as layer 7 ACLs, because users are restricted or granted access to that resource. I will talk only about ACLs used to restrict network traffic, because you will need to know them very well for your exam.
We will talk about the different types of ACLs, how each one works and how you can use them to make your network more secure. At the base of the network layer sits the IP address, the element that provides the means of communication between devices. Before two devices (remember the client-server model) can start forwarding data between them, a network connection must be established. This means that these devices must first determine the source/destination MAC addresses, the source/destination IP addresses and the ports that will provide the communication mechanisms. If you can’t remember, or you haven’t studied my networking fundamentals tutorials, take another look at TCP connection establishment and at the TCP/IP network layer.
I’ve written earlier that network traffic can be filtered using ACLs. These are nothing more than lists of rules that dictate what traffic is allowed or denied to enter or exit a network. Packet filtering can be based on source and destination IP address, protocol, or source and destination ports. Upon receiving a packet, the router simply checks the ACL from top to bottom and, based on the information gathered there, grants or denies access. As you can see, the logic behind this technology is pretty simple but effective (remember that packet filtering is done at the network layer). ACLs can be configured in the inbound or outbound direction of an interface, and by default routers have no ACL configured. You will have to remember that you can apply one ACL per protocol (IP, TCP, UDP), per direction (the ACL will filter traffic in only one direction, inbound or outbound) and per interface (FastEthernet 0/1, Serial 0/0/0).
But how do ACLs work? Each rule or statement in an access-list is tested against the received packet. ACLs are read from top to bottom, line by line, and if a match is made (the packet is denied or permitted by a rule) the rest of the lines are skipped.
Remember that every access-list has an implicit deny all at the end of all statements. This means that if no permit rule is configured, all traffic is denied by default (deny any any; you will understand this statement later in this article). For this reason, an ACL must have at least one permit rule. An inbound ACL processes packets before they are forwarded to the exit interface, while an outbound ACL processes packets after they are routed to the exit interface. Now let’s talk a little about the types of ACLs that can be configured on Cisco routers:
– standard ACL – this type of access-list filters traffic based on the source IP address only. A standard ACL is composed of the access-list keyword, a number, a permit or deny flag, the source IP address and a wildcard mask. An example of a standard ACL is access-list 20 deny 172.16.0.0 0.0.255.255.
– extended ACL – can filter traffic based on source and destination IP address, source and destination port (a TCP or UDP port) and protocol. This is what an extended ACL looks like:
access-list 103 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255.
These are the two main ACL types used today; there are also special ACL types (reflexive, dynamic and time-based ACLs), which we will talk about later. The number of an ACL is simply used to identify each access-list; newer versions of IOS also support named ACLs (you can assign a name/description to an access-list). To see the available numbers that you can assign to an ACL, type access-list ? from the global configuration mode of a router:
Normally this command will display many options, but only these are implemented in my version of Packet Tracer. Named ACLs can use letters and numbers, and each entry can be deleted or modified individually. It is recommended that you place ACLs where they have the biggest effect. Based on this rule, place standard ACLs as close as possible to the destination, because they only use the source address. Extended ACLs have the best effect when they are configured as close as possible to the source of the traffic being denied.
First, I will show you how to configure a standard ACL on a Cisco router. As I’ve told you earlier, standard ACLs make decisions based on the source IP address; no port, protocol or destination address can be used in a standard ACL. As a best practice, always put the most frequently matched statement at the top of the ACL. By using this method, you reduce the time needed by the router to check each entry in the ACL.
To configure a standard ACL on a Cisco router, use the access-list [number] [deny/permit] [IP address] [wildcard] command. To add another statement to the same ACL, use the same number when configuring the new entry. The following image displays a standard ACL configured with two entries:
In this access-list, I’ve granted access to packets whose source IP address is in the 192.168.0.0 network and denied access to those originating from the 172.16.0.0 network. Remember that at the end of each ACL there is a deny all entry. You can configure the access-list 20 deny any any statement explicitly, but it is already there by default. We can add the remark parameter to describe the functionality of the ACL:
To view the currently configured ACL, use the show running-config command:
I don’t know if I’ve ever talked about the wildcard mask (I think I did in the OSPF article). This element is used by ACLs to identify which portion of the IP address stated in the ACL must be tested. A wildcard mask is similar to a network mask because it is also composed of 32 bits (4 octets) of 0s and 1s, with the following rules:
0 – the rule must match on that particular bit
1 – it will ignore that bit
Let’s take the following example:
To match all IPs that are part of 192.168.0.0 we use the 0.0.255.255 wildcard mask. If we want to match a single IP from this network we use the 0.0.0.0 wildcard mask (for example 192.168.1.6 0.0.0.0). To check the result of applying a wildcard mask, do an AND operation between the IP address and the wildcard mask. You will have to know how to use wildcard masks in ACL statements, so you should practise a little; you can find a lot of examples on the Internet. As I’ve written earlier, you can apply an access-list to an interface in only one direction, in or out. To apply an access-list to an interface, use the ip access-group [ACL number] in/out command. Now let’s apply our access-list to a FastEthernet interface in the in direction:
To remove our access-list from our router, type no access-list 20 from the global configuration mode. Access to the VTY lines can also be restricted using access-lists. To achieve this, use the access-class [ACL number] in/out command:
You’ve probably guessed the outcome of this configuration: the 192.168.0.0 network will be able to establish remote connections to the router, while the 172.16.0.0 network will not be permitted to do so.
Named ACLs use the ip access-list standard/extended [ACL name] command. After typing this command, you will enter the ACL configuration mode as shown in the following image:
To apply a named ACL to an interface, use the ip access-group [ACL name] in/out command, as follows:
To troubleshoot access-list configuration, use the show access-list command, or show access-list [ACL name or number].
Extended ACLs are used to control traffic filtering more precisely. These ACLs use numbers from 100 to 199 and from 2000 to 2699. They extend the functionality of standard ACLs because filtering can be based on both source and destination IP address, source and destination port numbers, and protocol. When building an extended access-list that uses port numbers to filter traffic, you can choose between a TCP or UDP port number. The statement of an extended access-list is a little more complex, as follows:
access-list [number] [deny/permit/remark] [protocol] [source IP address] [wildcard] [operator] [port name/number] [destination IP address] [wildcard] [operator] [destination port] [establish]
These are the options that can be used when configuring an extended access-list. The establish option can be used only with the TCP protocol, and it flags that the ACL is used to establish a connection. The host parameter indicates that the access-list must match the exact IP address (equivalent to using the 0.0.0.0 wildcard mask).
The following image displays an example of an extended ACL configuration:
The first line permits all traffic from host 10.0.0.1 to host 10.0.0.2, the second line denies web traffic from these two networks, and the third one denies Telnet connections from one host to another. To apply this access-list to an interface, use the same ip access-group 100 in command from the interface configuration mode. Named access-lists are configured in a similar way to standard named ACLs:
ip access-list extended [name].
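As an added example that is not part of the article or of Cisco IOS, here is a small Python model of what the router does with the standard and extended statements discussed above: it parses access-list lines, tests addresses against wildcard masks bit by bit (0 = must match, 1 = ignored, as in the wildcard section), and walks the list top to bottom, falling through to the implicit deny. The sample ACLs are constructed for this example, and only the eq port operator is modelled.

```python
import ipaddress
def wildcard_match(pkt_ip, acl_ip, wildcard):
    # Wildcard bit 0 = that bit must match, bit 1 = ignore it (the rule given in the article).
    p, a, w = (int(ipaddress.IPv4Address(x)) for x in (pkt_ip, acl_ip, wildcard))
    care = ~w & 0xFFFFFFFF
    return (p & care) == (a & care)

def _take_addr(tok):
    # Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def _take_port(tok):
    # Consume an optional 'eq <port>' operator; other operators are not modelled here.
    if len(tok) < 2 or tok[0] != "eq":
        return None
    del tok[0]
    return int(tok.pop(0))

def parse_acl(config):
    entries = []   # (action, proto, (src, src_wc), src_port, (dst, dst_wc), dst_port)
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if number <= 99 or 1300 <= number <= 1999:   # standard ACL: source address only
            entries.append((action, "ip", _take_addr(rest), None, ("0.0.0.0", "255.255.255.255"), None))
        else:                                        # extended ACL: protocol, src, dst, ports
            proto = rest.pop(0)
            src, sport = _take_addr(rest), _take_port(rest)
            dst, dport = _take_addr(rest), _take_port(rest)
            entries.append((action, proto, src, sport, dst, dport))
    return entries

def evaluate(entries, src_ip, dst_ip, proto="ip", sport=None, dport=None):
    # Top-to-bottom, first match wins; falling off the end is the implicit deny.
    for action, p, (sa, sw), sp, (da, dw), dp in entries:
        if (p in ("ip", proto) and wildcard_match(src_ip, sa, sw)
                and wildcard_match(dst_ip, da, dw) and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

# Constructed sample ACLs (not taken from the article's screenshots).
ACL_20 = "access-list 20 permit 192.168.0.0 0.0.255.255\naccess-list 20 deny 172.16.0.0 0.0.255.255"
ACL_100 = """access-list 100 permit ip host 10.0.0.1 host 10.0.0.2
access-list 100 deny tcp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 eq 80
access-list 100 deny tcp host 172.16.1.10 host 172.16.2.10 eq 23"""
```

Note that a source such as 10.0.0.1 matches neither entry of ACL 20 and is dropped by the implicit deny, which is the behaviour the article warns about when a list has no permit statement.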
For the CCNA exam you will need to learn ACLs very well, which is why I suggest you practise them a lot. I remember that my CCNA exam had a lot of access-list questions.
More complex ACLs can be configured on Cisco devices: dynamic access-lists, reflexive access-lists and time-based access-lists. We will talk a little about each of these types of ACLs. Remember that for the CCNA exam you will not need to know all the aspects of complex ACLs.
Dynamic ACLs (you will also hear them called lock-and-key ACLs) are used to control IP traffic by using Telnet connections to authenticate users. Dynamic ACLs can function only together with extended ACLs. Users are denied access by the extended access-list until they establish a Telnet connection with the router and are authenticated. This type of ACL can be used to allow a user to forward traffic through a firewall or to authenticate using a TACACS+ server. You will have to remember that dynamic ACLs are used to authenticate users before allowing them to forward traffic. By using this type of access-list, network security is enhanced because of the authentication mechanism. To configure a dynamic access-list, you must take the following steps:
1. Configure the username and password used for authentication:
Router(config)#username admin password test
2. Configure an ACL with an entry allowing users to establish Telnet connections to the router:
Router(config)#access-list 110 permit tcp any host 192.168.0.1 eq 23
3. Another entry will be added to the access-list to allow traffic from one point to another. Let’s say we have 172.16.1.0 and 172.16.2.0 networks and we want to allow traffic to flow from one network to another:
Router(config)#access-list 110 dynamic networks timeout 10 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
The timeout parameter closes the session after the specified time.
4. Configure the virtual lines to allow Telnet connections. After the user is authenticated, the Telnet session will close. If there is no activity within the specified time (in this case 10 minutes), the session will be closed:
Router(config)#line vty 0 15
Router(config-line)#autocommand access-enable host timeout 10
5. Apply the access-list to an interface:
Router(config)#interface fastEthernet 0/1
Router(config-if)#ip access-group 110 in
Reflexive ACLs – this type of access-list changes its behavior based on evaluation statements. Reflexive ACLs evaluate traffic based on its origin: they allow traffic originated from the inside while denying traffic originated from the outside. These ACLs are included inside extended named access-lists and cannot be used with standard ones. They provide a higher level of security because they can detect and counter attacks like DoS or DDoS. To configure a reflexive ACL, you will have to take the following steps:
1. Create the rules which will allow traffic originated from the inside. Remember that reflexive ACLs can be used with TCP, UDP and even ICMP traffic:
Router(config)#ip access-list extended InsideTraffic
Router(config-ext-nacl)# permit icmp 172.16.1.0 0.0.0.255 any reflect ICMP
2. Create an access-list that checks whether traffic was originated from the inside and, based on the evaluation rules, allows or denies it (the evaluate statement references the reflected list named ICMP in step 1):
Router(config)#ip access-list extended OutsideTraffic
Router(config-ext-nacl)# evaluate ICMP
3. Apply the ACLs:
Router(config)#interface fastEthernet 0/1
Router(config-if)#ip access-group InsideTraffic out
Router(config-if)#ip access-group OutsideTraffic in
This is a perfect example of how you can use reflexive ACLs. Imagine you want to be able to ping an outside host and receive an answer, but you don’t want outside hosts to be able to ping your devices. A correctly configured reflexive ACL allows the traffic from the inside while blocking traffic from the outside.
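As an added example (mine, not from the article or Cisco IOS), a Python model of the ping scenario above: the InsideTraffic list records each permitted outbound ICMP flow as a mirrored temporary entry, and the OutsideTraffic list permits inbound ICMP only while such an entry exists and has not timed out. It assumes the OutsideTraffic list references the reflected entries with an evaluate ICMP statement and that reflected entries expire after an idle timeout; the addresses and timeout in the demo are constructed.

```python
import ipaddress

class ReflexiveFilter:
    # Constructed model of the article's InsideTraffic/OutsideTraffic pair (not IOS code): an
    # outbound permit tagged 'reflect' creates a mirrored, temporary entry for the return traffic.
    def __init__(self, inside_network, idle_timeout=300):
        self.inside = ipaddress.IPv4Network(inside_network)
        self.idle_timeout = idle_timeout      # seconds of inactivity before the entry is removed
        self.reflected = {}                   # (proto, outside_ip, inside_ip) -> expiry time

    def outbound(self, proto, src, dst, now):
        # InsideTraffic: 'permit icmp <inside> 0.0.0.255 any reflect ICMP', then implicit deny.
        if proto != "icmp" or ipaddress.IPv4Address(src) not in self.inside:
            return "deny"
        self.reflected[(proto, dst, src)] = now + self.idle_timeout   # mirrored entry
        return "permit"

    def inbound(self, proto, src, dst, now):
        # OutsideTraffic: 'evaluate ICMP' consults the mirrored entries, then implicit deny.
        key = (proto, src, dst)
        expiry = self.reflected.get(key)
        if expiry is None or now > expiry:
            self.reflected.pop(key, None)     # an expired entry is removed
            return "deny"
        self.reflected[key] = now + self.idle_timeout   # matching traffic refreshes the timer
        return "permit"

# Constructed scenario: an inside host pings out; an outside host tries to ping in.
def demo(now=0):
    f = ReflexiveFilter("172.16.1.0/24", idle_timeout=10)
    return (f.outbound("icmp", "172.16.1.5", "198.51.100.7", now),        # echo request leaves
            f.inbound("icmp", "198.51.100.7", "172.16.1.5", now + 1),     # echo reply returns
            f.inbound("icmp", "203.0.113.9", "172.16.1.5", now + 1),      # unsolicited ping
            f.inbound("icmp", "198.51.100.7", "172.16.1.5", now + 30))    # reply after timeout
```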
Time-based ACLs – extended access-lists that allow access to network resources only during a specified interval. You can specify the time of day or the days of the week in which traffic will be allowed. These are best used when you want to log traffic only at certain times of the day or week. Imagine you want to monitor traffic only on Mondays and Fridays; it would not be appropriate to log all the traffic from the entire week. The following steps must be taken when configuring a time-based ACL:
1. Configure a time range in which traffic will be allowed (the time-range command creates the named range and enters its configuration mode):
Router(config)#time-range TIMEBASEDACL
Router(config-time-range)# periodic Monday Friday 0:00 to 23:59
2. Configure an extended ACL that will use the configured time interval to allow traffic:
Router(config)#access-list 110 permit ip 172.16.1.0 0.0.0.255 any time-range TIMEBASEDACL
3. Apply the ACL to an interface:
Router(config)#interface fastEthernet 0/1
Router(config-if)#ip access-group 110 out
Remember the differences between standard and extended ACLs, and when you can apply reflexive, dynamic or time-based access-lists. Be careful when configuring access-lists: watch out for the wildcard mask and always place the access-list in the right place. I recommend you configure all access-lists in a testing environment first, before applying them in production, because with one mistake you can block all your traffic.
That’s it for this article; I hope I’ve included and described all the aspects of access-lists. Please leave a comment, share and rate it. I wish you all the best and enjoy your day.