Access Control List
Access-list (ACL) is a set of rules defined for controlling the network traffic and reducing network attack. ACLs are used to filter traffic based on the set of rules defined for the incoming or out going of the network.
ACL features –
1) The set of rules defined are matched serial wise i.e matching starts with the first line, then 2nd, then 3rd and so on.
2) The packets are matched only until it matches the rule. Once a rule is matched then no further comparison takes place and that rule will be performed.
3) There is an implicit deny at the end of every ACL, i.e., if no condition or rule matches then the packet will be discarded.
ACL features –
1) The set of rules defined are matched serial wise i.e matching starts with the first line, then 2nd, then 3rd and so on.2) The packets are matched only until it matches the rule. Once a rule is matched then no further comparison takes place and that rule will be performed.
3) There is an implicit deny at the end of every ACL, i.e., if no condition or rule matches then the packet will be discarded.
Once the access-list is built, then it should be applied to inbound or outbound of the interface:
Inbound access lists – When an access list is applied on inbound packets of the interface then first the packets will processed according to the access list and then routed to the outbound interface.
Outbound access lists – When an access list is applied on outbound packets of the interface then first the packet will be routed and then processed at the outbound interface.
Types of ACL –
There are two main different types of Access-list namely:
Standard Access-list – These are the Access-list which are made using the source IP address only. These ACLs permit or deny the entire protocol suite. They don’t distinguish between the IP traffic such as TCP, UDP, Https etc. By using numbers 1-99 or 1300-1999, router will understand it as a standard ACL and the specified address as source IP address.
Extended Access-list – These are the ACL which uses both source and destination IP address. In these type of ACL, we can also mention which IP traffic should be allowed or denied. These use range 100-199 and 2000-2699.
Also there are two categories of access list:
Numbered access list – These are the access list which cannot be deleted specifically once created i.e if we want to remove any rule from an Access-list then this is not permitted in the case of numbered access list. If we try to delete a rule from access list then the whole access list will be deleted. The numbered access list can be used with both standard and extended access list.
Named access list – In these type of access list, a name is assigned to identify an access list. It is allowed to delete a named access list unlike numbered access list. Like numbered access list, these can be used with both standard and extended access list.
Rules for ACL –
1)The standard Access-list is generally applied close to the destination (but not always).
2)The extended Access-list is generally applied close to the source (but not always).
3)We can assign only one ACL per interface per protocol per direction, i.e., only one inbound and outbound ACL is permitted per interface.
4)We can’t remove a rule from an Access-list if we are using numbered Access-list. If we try to remove a rule then whole ACL will be removed. If we are using named access lists then we can delete a specific rule.
5)Every new rule which is added into the access list will be placed at the bottom of the access list therefore before implementing the access lists, analyses the whole scenario carefully.
6)As there is an implicit deny at the end of every access list, we should have at least a permit statement in our Access-list otherwise all traffic will be denied.
7)Standard access lists and extended access lists cannot have the same name.
Advantages of ACL –
1)Improve network performance.
2)Provides security as administrator can configure the access list according to the needs and deny the unwanted packets from entering the network.
3)Provides control over the traffic as it can permit or deny according to the need of network.
Command to Configure Access List
Standard IP Access List
access-list [1-99] [permit | deny] [source address] [wildcard mask] [log]
Standard IP access-lists are based upon the source host or network IP address, and should be placed closest to the destination network
Consider the following example:
In order to block network 172.18.0.0 from accessing the 172.16.0.0 network,
we would create the following access-list on Router A:
Router(config)# access-list 10 deny 172.18.0.0 0.0.255.255
Router(config)# access-list 10 permit any
Notice the wildcard mask of 0.0.255.255 on the first line. This will match (deny) all hosts on the 172.18.x.x network.
The second line uses a keyword of any, which will match (permit) any other address. Remember that you must have at least one permit statement in your access list.
To apply this access list, we would configure the following on Router A:
Router(config)# int s0
Router(config-if)#ip access-group 10 in
To view all IP access lists configured on the router:
Router#show ip access-list
To view what interface an access-list is configured on:
Router#show ip interface
Router# show running-config
Extended IP Access List
access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask] [destination address] [wildcard mask] [operator [port]] [log]
Extended IP access-lists block based upon the source IP address, destination IP address, and TCP or UDP port number. Extended access-lists should be placed closest to the source network.
Consider the following example:
Assume there is a webserver on the 172.16.x.x network with an IP address of 172.16.10.10. In order to block network 172.18.0.0 from accessing anything on the 172.16.0.0 network, EXCEPT for the HTTP port on the web server, we would create the following access-list on Router B:
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
Router(config)# access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 101 permit ip any any
The first line allows the 172.18.x.x network access only to port 80 on the web server. The second line blocks 172.18.x.x from accessing anything else on the 172.16.x.x network. The third line allows 172.18.x.x access to anything else.
We could have identified the web server in one of two ways:
Router(config)#access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
Router(config)#access-list 101 permit tcp 172.18.0.0 0.0.255.255 172.16.10.10 0.0.0.0 eq 80
To apply this access list, we would configure the following on Router B:
Router(config)#int e0
Router(config-if)#ip access-group 101 in
Extended IP Access List Port Operators
In the preceding example, we identified TCP port 80 on a specific host use the following syntax:
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
We accomplished this using an operator of eq, which is short for equals. Thus, we are identifying host 172.16.10.10 with a port that equals 80.
We can use several other operators for port numbers:
eq Matches a specific port
gt Matches all ports greater than the port specified
lt Matches all ports less than the port specified
neq Matches all ports except for the port specified
range Match a specific inclusive range of ports
The following will match all ports greater than 100:
Router(config)# access-list 101 permit tcp any host 172.16.10.10 gt 100
The following will match all ports less than 1024:
Router(config)# access-list 101 permit tcp any host 172.16.10.10 lt 1024
The following will match all ports that do not equal 443:
Router(config)# access-list 101 permit tcp any host 172.16.10.10 neq 443
The following will match all ports between 80 and 88:
Router(config)# access-list 101 permit tcp any host 172.16.10.10 range 80 88