How to Use Cisco IOS Access Lists – Part 1
A Cisco IOS Access-List (ACL) is used to specify network traffic. Once you specify traffic with an ACL, you can then do a variety of things with it. For example, you could allow it, deny it, limit it, or use it to restrict routing updates. In this article, we will learn the basics of Cisco IOS Access-Lists.
What do ACL’s do?
A Cisco IOS Access-list is commonly abbreviated ACL. ACL is usually pronounced like A.C.L.; however, some people do pronounce it like “ankle”, but without the “n”. In other words, it can be pronounced “akkl”. My preference is to pronounce it A.C.L., as you would pronounce FBI or CIA, not as you would pronounce NASA or FEDEX. As I stated before, an ACL is used to specify or define traffic. By just creating an ACL, you have had NO effect on anything. It is simply an unused definition of network traffic. Once it is defined, you can then use it for a wide-ranging list of purposes.
What are the types of ACL’s?
Access-lists can be one of two types: standard or extended. Numbered IP access-lists fall within the following numerical ranges:
- 1 to 99: Standard IP
- 100 to 199: Extended IP
- 1300 to 1999: Standard IP
- 2000 to 2699: Extended IP
A standard access-list can only define the SOURCE IP of the traffic. An extended IP access-list can define the source and destination IP address of traffic, along with source and destination port numbers. Also, while a standard access-list only defines IP traffic, an extended access-list can define TCP, UDP, ICMP, IP, AHP, EIGRP, IGRP, ESP, IGMP, OSPF, and PIM traffic. Here is an example of the most basic standard IP access-list that can be defined:
This access-list was numbered “1” and it is permitting traffic from the source IP address of 220.127.116.11. Since we brought up the numbering of access-lists, let me point out that these numbers are not like line numbers in a program. The access-list statements are not processed in the order of the numbers. The numbers on the access-lists are there to group those access-list statements together. In other words, all lines of an access-list that have the number 1 are in the same access-list and are used together.
Top-Down Processing
The lines of an access-list are processed from the top down, in the order that they are entered. When the network packet being processed through that access-list matches a statement in the access-list, all processing for that packet is stopped. Let’s look at an example. Say that I have this access-list:
Say that this access-list is being used to filter traffic in-bound to a router. A packet comes in with the source IP address of 18.104.22.168. Look at the access-list. Will that traffic be permitted or denied? Because the access-list is processed from the top down, that traffic will be denied, even though it would have been permitted later down the list. This is because, when the traffic is denied, processing of the access-list is stopped. The important thing for you to know is that the order of the statements is crucial. If you are using access-lists to filter traffic, you want to stop the traffic closest to the source of that traffic to conserve WAN bandwidth.
The three P’s of access-lists and filtering traffic
When it comes to filtering traffic, the rule of access-lists is the “three Per’s”. The rule goes like this: “You can have one access-list per PROTOCOL, per DIRECTION, and per INTERFACE”. So, you can have an access-list for each protocol (IP, IPX, AppleTalk, bridging, etc.). You can have an access-list for each direction, either IN or OUT. You can have an access-list on each interface: FastEthernet0/0, Serial0/0, Serial1/0, etc. In other words, you can’t have two IN-BOUND IP access-lists on the same interface. Those access-lists would need to be combined to use both of them.
A very important thing to remember is that, when specifying a range of hosts on a network, or an entire network, ACL’s use something called a wildcard mask. The wildcard mask is an inverted subnet mask. In other words, take the subnet mask for the network (or range of hosts), turn it into binary, reverse the 0’s and 1’s, and turn it back into decimal. I won’t go into how to do that with a sub-netted range of hosts but, if your octets are all 255’s or all 0’s, you can just reverse these. Here are some examples:
- Subnet mask 255.255.255.0 = wildcard mask 0.0.0.255
- Subnet mask 255.0.0.0 = wildcard mask 0.255.255.255
- Subnet mask 255.255.0.0 = wildcard mask 0.0.255.255
Another very important rule about access-lists is that there is always an “implied DENY” at the end of each ACL. What this means is that every access-list has the following statement at the end of it:
- access-list X deny any (if this is a standard access-list)
- access-list X deny ip any any (if this is an extended access-list)
So, if your traffic isn’t explicitly permitted by a statement in the ACL, then your traffic is DENIED. If you manually type the “deny any” statement in, it will appear, but if you don’t type it in, it is still there. Here is an example: What traffic is allowed through this ACL?
The answer is that NO traffic is allowed through this access-list. That is because the only statement is a deny statement and, after that, there is the implied deny which denies everything.
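As an added example, not code from the original article, the following Python models how IOS walks a standard ACL: the wildcard mask is derived by inverting the subnet mask, lines are checked top down with the first match stopping processing, and the implied deny catches whatever nothing permitted. The ACL lines and addresses used below are constructed for illustration.

```python
import ipaddress

def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a dotted subnet mask octet by octet to get the ACL wildcard mask."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match'; a bit of 1 means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = w ^ 0xFFFFFFFF          # the bits the ACL actually compares
    return (a & care) == (b & care)

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <source> [wildcard]' into (action, base, wildcard).
    'any' and 'host X' shorthands are handled; a bare address means wildcard 0.0.0.0."""
    entries = []
    for line in lines:
        tok = line.split()
        action, src = tok[2], tok[3]
        if src == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            base, wc = tok[4], "0.0.0.0"
        else:
            base, wc = src, (tok[4] if len(tok) > 4 else "0.0.0.0")
        entries.append((action, base, wc))
    return entries

def evaluate(acl, source_ip):
    """Walk the ACL top down; the first matching line decides and processing stops.
    Returns (action, line_number); line_number is None when the implied deny fired."""
    for number, (action, base, wc) in enumerate(acl, start=1):
        if wildcard_match(source_ip, base, wc):
            return action, number
    return "deny", None   # implied 'deny any' at the end of every ACL

# Constructed ACL showing the ordering trap: the host is denied on line 1 even
# though line 2 would have permitted its whole /24.
ACL_10 = parse_standard_acl([
    "access-list 10 deny host 18.104.22.168",
    "access-list 10 permit 18.104.22.0 0.0.0.255",
])

# Constructed ACL with only a deny statement: nothing at all gets through.
ACL_20 = parse_standard_acl(["access-list 20 deny 10.0.0.0 0.255.255.255"])
```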
Understanding how ACL’s work can be confusing at first. However, I hope this article has cleared up that confusion. The proper usage of Cisco IOS access-lists is essential knowledge for any network administrator. In Part 2 of this article, you will have a real-world demonstration of how to create and apply an access-list.
How to Use Cisco IOS Access Lists – Part 2
In Part 1 of this article, we explained how access-lists work. In this article, we’ll take a sample network and explain how to create and apply an access-list. Remember that an Access-List (ACL) is used to specify network traffic. Once you specify traffic with an ACL, you can then do a variety of things with it. For example, you could allow it, deny it, limit it, or use it to restrict routing updates. We will also explain how to filter traffic with an ACL because this is the most common use.
Example of Filtering with an Access-list
Now, let me provide an example of how to filter inbound traffic with an access-list. Here is our sample network:

Let’s say that we are on the Chicago router. We want to only allow inbound www traffic from the IP addresses on the San Diego LAN. Those IP addresses are the network 10.10.1.0, which has a subnet mask of 255.255.255.0. We want to log any traffic that is denied to our logging buffer. Let’s do this in two steps.

First, create your access-list:

Note that the second line of the access-list denies all traffic and uses the log-input keyword at the end to log all denied traffic. Also, note how the wildcard mask was used instead of the subnet mask. It is important to know the direction of the traffic (the ACL lists the source, then the destination) and how the traffic works: WWW (HTTP) traffic contacts the web server with a destination port of 80, or www, on the server.

Second, apply your access-list:

Note the direction of “IN” when we applied the access-list. This says that the ACL applies to IN-BOUND traffic, coming into the Serial interface from the T1 WAN circuit (in this case, from San Diego, CA).

Finally, let’s see what the access-list looks like with our show command, and also where the ACL is applied to the interface. Here is output from the show ip access-lists and show ip interface serial0 commands. In the first command, you can see the access-list that we created. In the second command, you can see where the access-list was applied and in what direction. Of course, you can see both of these things with the show running-config command.
Example of Restricting Telnet access with an Access-list
Quickly, let me provide another example of using an ACL. Say that you are still on the Chicago router. You want to only allow your PC’s IP address (on the Chicago LAN) to TELNET to the router. Yes, you could do this with an ACL on the interface but, instead, let’s do it by using the access-class statement on the vty lines. To do this, you only need a standard access-list. Say that your PC’s IP address is 10.10.2.100. First, create an access-list to specify traffic with that source, like this:
Next, apply this ACL to all 5 VTY lines, using the vty range configuration and the access-class statement, like this: By creating this ACL and applying it to all 5 VTY lines, we are saying that only IP address 10.10.2.100 can TELNET to this Cisco router. This is just another example of the many uses of an ACL.
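As an added example, not part of the original article, here is a Python model of the two Part 2 ACLs: the extended filter applied inbound on the Chicago router’s serial interface (WWW from the San Diego LAN permitted, everything else denied and logged), and the standard ACL applied to the vty lines with access-class. The sample packets, the log-line text, and the ACL numbers 101 and 2 are constructed for illustration.

```python
import ipaddress

def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = w ^ 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = match every address

# Extended ACL as (action, proto, src, src_wc, dst, dst_wc, dport, log).
# IOS equivalent (ACL number 101 is assumed, not given in the article):
#   access-list 101 permit tcp 10.10.1.0 0.0.0.255 any eq www
#   access-list 101 deny ip any any log-input
ACL_101 = [
    ("permit", "tcp", "10.10.1.0", "0.0.0.255", *ANY, 80, False),
    ("deny", "ip", *ANY, *ANY, None, True),
]

# Standard ACL for the vty lines: access-list 2 permit host 10.10.2.100,
# applied with 'access-class 2 in' under 'line vty 0 4'.
ACL_2 = [("permit", "10.10.2.100", "0.0.0.0")]

def ace_matches(ace, pkt):
    action, proto, src, swc, dst, dwc, dport, log = ace
    if proto != "ip" and proto != pkt["proto"]:      # 'ip' matches every IP protocol
        return False
    if not (wc_match(pkt["src"], src, swc) and wc_match(pkt["dst"], dst, dwc)):
        return False
    return dport is None or pkt.get("dport") == dport  # 'eq 80' checks the destination port

def filter_inbound(acl, pkt, log_buffer):
    """Serial0 'ip access-group 101 in': top-down first match, then the implied deny.
    Lines carrying log-input append a constructed entry to the logging buffer."""
    for ace in acl:
        if ace_matches(ace, pkt):
            if ace[7]:
                log_buffer.append(f"denied {pkt['proto']} {pkt['src']} -> "
                                  f"{pkt['dst']} dport {pkt.get('dport')} (constructed)")
            return ace[0]
    return "deny"   # implied 'deny ip any any' (never reached here: line 2 is explicit)

def vty_allowed(acl, source_ip):
    """'access-class 2 in' on the vty lines: only the source address is examined."""
    for action, base, wc in acl:
        if wc_match(source_ip, base, wc):
            return action == "permit"
    return False    # implied deny: nobody else can telnet in
```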
The proper usage of Cisco IOS access-lists is essential knowledge for any network administrator. In Part 2 of these articles on Access-Lists, you saw a real-world network, and how to create and apply access-lists on that network. You saw how access-lists can be used to filter traffic that is flowing through the network, and also how an ACL can be used to specify which IP address can telnet to the router. If you haven’t read Part 1 of this series, please take a look. Part 1 covered the essentials of Access-Lists that everyone should know. Cisco IOS Access-lists have so many more options and uses than what we were able to explore in this short article. To learn more, go to your router and type access-list ?, or consult the Cisco IOS documentation on Access-lists.