
C9-Access Control List

Uploaded by

santosajl0623

ACCESS CONTROL LISTS
What is an ACL?

An ACL is a series of IOS commands that are used to filter packets based on information found in the packet header.
• ACLs are used to secure the data of the organization.
• ACLs restrict unauthorized users from accessing business-sensitive information.
Packet Filtering
Packet filtering controls access to a network by analyzing the incoming and/or outgoing packets and forwarding them or discarding them based on given criteria. Packet filtering can occur at Layer 3 or Layer 4. Cisco routers support standard and extended ACLs.
ACCESS CONTROL LISTS
Task: Limit network traffic to increase network performance
• A corporate policy prohibits video traffic on the network to reduce the network load.
• A policy can be enforced using ACLs to block video traffic.

Task: Provide traffic flow control
• A corporate policy requires that routing protocol traffic be limited to certain links only.
• A policy can be implemented using ACLs to restrict the delivery of routing updates to only those that come from a known source.

Task: Provide a basic level of security for network access
• Corporate policy demands that access to the Human Resources network be restricted to authorized users only.
• A policy can be enforced using ACLs to limit access to specified networks.

Task: Filter traffic based on traffic type
• Corporate policy requires that email traffic be permitted into a network, but that Telnet access be denied.
• A policy can be implemented using ACLs to filter traffic by type.

Task: Screen hosts to permit or deny access to network services
• Corporate policy requires that access to some file types (e.g., FTP or HTTP) be limited to user groups.
• A policy can be implemented using ACLs to filter user access to services.

Task: Provide priority to certain classes of network traffic
• Corporate policy specifies that voice traffic be forwarded as fast as possible to avoid any interruption.
• A policy can be implemented using ACLs and QoS services to identify voice traffic and process it immediately.

P r e s e n t a t i o n Ti t l e 9/8/20XX 4
Numbered and Named ACLs
Numbered ACLs - ACLs numbered 1 to 99 or 1300 to 1999 are standard ACLs, while ACLs numbered 100 to 199 or 2000 to 2699 are extended ACLs, as shown in the output.
Numbered and Named ACLs
Named ACLs - Named ACLs are the preferred method to use when configuring ACLs. Specifically, standard and extended ACLs can be named to provide information about the purpose of the ACL. The ip access-list global configuration command is used to create a named ACL.
ACL Operation
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the
router, and packets that exit outbound interfaces of the router.

An inbound ACL filters packets before they are routed to the outbound interface. If the packet is permitted by the ACL, it is
then processed for routing. Inbound ACLs are best used to filter packets when the network attached to an inbound interface
is the only source of packets that need to be examined.
An outbound ACL filters packets after being routed, regardless of the inbound interface. Incoming packets are routed to the
outbound interface and then they are processed through the outbound ACL. Outbound ACLs are best used when the same
filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.

Wildcard Masking

A wildcard mask is like a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask the reverse is true: binary 0 means the bit must match and binary 1 means the bit is ignored.
WILDCARD
Wildcard Mask | Last Octet (in Binary) | Meaning (0 - match, 1 - ignore)

0.0.0.0 | 00000000
• Match all octets.

0.0.0.63 | 00111111
• Match the first three octets
• Match the two leftmost bits of the last octet
• Ignore the last 6 bits of the last octet

0.0.0.15 | 00001111
• Match the first three octets
• Match the four leftmost bits of the last octet
• Ignore the last 4 bits of the last octet

0.0.0.252 | 11111100
• Match the first three octets
• Ignore the six leftmost bits of the last octet
• Match the last two bits of the last octet

0.0.0.255 | 11111111
• Match the first three octets
• Ignore the last octet
Wildcard Mask to Match a Host

Wildcard Mask to Match an IPv4 Subnet

Wildcard Mask to Match an IPv4 Address Range

Wildcard Mask Types

Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255.
Assume you wanted an ACE in ACL 10 to permit access to all users in the 192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask (i.e., 255.255.255.0) from 255.255.255.255, as shown in the table:

  255.255.255.255
- 255.255.255.0
= 0.0.0.255

The solution produces the wildcard mask 0.0.0.255. Therefore, the ACE would be access-list 10 permit 192.168.3.0 0.0.0.255.

Wildcard Mask Calculation
Keywords reduce ACL keystrokes and make it easier to read the ACE:
• host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address.
• any - This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.
For example, ACL commands written with explicit 0.0.0.0 and 255.255.255.255 masks can be rewritten using the host and any keywords.

Wildcard Mask Keywords
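As an added example that is not code from the slides, the wildcard-mask rules above in Python: the 255.255.255.255 subtraction shortcut, the 0 = match / 1 = ignore comparison, expansion of the host and any keywords, and a top-down walk of a standard ACL that ends in the implicit deny. The ACL 10 entries, the host deny and the function names are constructed for this example.

```python
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Shortcut from the slides: subtract the subnet mask from 255.255.255.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - to_int(subnet_mask)))


def wildcard_match(address: str, ace_address: str, wildcard: str) -> bool:
    """Wildcard bit 0 = bit must match, bit 1 = ignore (the reverse of a subnet mask)."""
    care_bits = 0xFFFFFFFF ^ to_int(wildcard)          # 1 where the ACE cares
    return (to_int(address) & care_bits) == (to_int(ace_address) & care_bits)


def parse_standard_ace(line: str):
    """Parse 'access-list N permit|deny source [wildcard]' with host/any keywords.

    Returns (action, address, wildcard) or None for a remark line.
    """
    tokens = line.split()
    action, rest = tokens[2], tokens[3:]
    if action == "remark":
        return None
    if rest[0] == "any":                 # any  ==  0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":                # host A  ==  A 0.0.0.0
        return action, rest[1], "0.0.0.0"
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"   # omitted mask defaults to 0.0.0.0
    return action, rest[0], wildcard


def evaluate(acl_lines, source_address: str) -> str:
    """Top-down, first match wins; a packet matching no ACE hits the implicit deny."""
    for line in acl_lines:
        ace = parse_standard_ace(line)
        if ace and wildcard_match(source_address, ace[1], ace[2]):
            return ace[0]
    return "deny"


# Constructed ACL 10: the slide's permit for 192.168.3.0/24, with one host
# excluded. The specific host deny sits above the broader permit on purpose.
ACL_10 = [
    "access-list 10 remark constructed example, not from the slides",
    "access-list 10 deny host 192.168.3.10",
    "access-list 10 permit 192.168.3.0 " + wildcard_from_subnet_mask("255.255.255.0"),
]

# The same two ACEs in the wrong order: the broad permit now shadows the host deny.
ACL_10_WRONG_ORDER = [ACL_10[2], ACL_10[1]]

if __name__ == "__main__":
    for src in ("192.168.3.10", "192.168.3.77", "192.168.4.1"):
        print(src, evaluate(ACL_10, src), evaluate(ACL_10_WRONG_ORDER, src))
```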
CONFIGURE ACCESS CONTROL LISTS
When configuring a complex ACL, it is suggested that you:
• Use a text editor and write out the specifics of the policy to be implemented.
• Add the IOS configuration commands to accomplish those tasks.
• Include remarks to document the ACL.
• Copy and paste the commands onto the device.
• Always thoroughly test an ACL to ensure that it correctly applies the desired policy.
Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the following global configuration command:

Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.

Create an ACL

Numbered Standard IPv4 ACL Syntax (Cont.)
This table provides a detailed explanation of the syntax for a standard ACL.

Parameter - Description

access-list-number
• This is the decimal number of the ACL.
• Standard ACL number range is 1 to 99 or 1300 to 1999.

deny
• This denies access if the condition is matched.

permit
• This permits access if the condition is matched.

remark text
• (Optional) This adds a text entry for documentation purposes.
• Each remark is limited to 100 characters.

source
• This identifies the source network or host address to filter.
• Use the any keyword to specify all networks.
• Use the host ip-address keyword or simply enter an ip-address (without the host keyword) to identify a specific IP address.

source-wildcard
• (Optional) This is a 32-bit wildcard mask that is applied to the source. If omitted, a default 0.0.0.0 mask is assumed.

log
• (Optional) This keyword generates and sends an informational message whenever the ACE is matched.
• The message includes the ACL number, matched condition (i.e., permitted or denied), source address, and number of packets.
• This message is generated for the first matched packet.
• This keyword should only be implemented for troubleshooting or security reasons.

Create an ACL
Named Standard IPv4 ACL Syntax
ACL names are alphanumeric, case sensitive, and must be unique. Capitalizing ACL names is recommended. To
create a named standard ACL, use the following global configuration command:

In the example, a named standard IPv4 ACL called NO-ACCESS is created. Notice that the prompt changes to
named standard ACL configuration mode. Use the help facility to view all the named standard ACL ACE options.

Create an ACL

Numbered Extended IPv4 ACL Syntax
The procedural steps for configuring extended ACLs are the same as for standard ACLs. The extended ACL is
first configured, and then it is activated on an interface. However, the command syntax and parameters are more
complex to support the additional features provided by extended ACLs.
To create a numbered extended ACL, use the following global configuration command:

The command to apply an extended IPv4 ACL to an interface is the same as the command used for standard IPv4
ACLs.

Create an ACL

The table provides a detailed explanation of the syntax for an extended ACL.

Parameter - Description

access-list-number
• This is the decimal number of the ACL.
• Extended ACL number range is 100 to 199 and 2000 to 2699.

deny
• This denies access if the condition is matched.

permit
• This permits access if the condition is matched.

remark text
• (Optional) Adds a text entry for documentation purposes.
• Each remark is limited to 100 characters.

protocol
• Name or number of an internet protocol.
• Common keywords include ip, tcp, udp, and icmp.
• The ip keyword matches all IP protocols.

source
• This identifies the source network or host address to filter.
• Use the any keyword to specify all networks.
• Use the host ip-address keyword or simply enter an ip-address (without the host keyword) to identify a specific IP address.

source-wildcard
• (Optional) A 32-bit wildcard mask that is applied to the source.

destination
• This identifies the destination network or host address to filter.
• Use the any keyword to specify all networks.
• Use the host ip-address keyword or ip-address.

destination-wildcard
• (Optional) This is a 32-bit wildcard mask that is applied to the destination.

operator
• (Optional) This compares source or destination ports.
• Some operators include lt (less than), gt (greater than), eq (equal), and neq (not equal).

port
• (Optional) The decimal number or name of a TCP or UDP port.

established
• (Optional) For the TCP protocol only.
• This is a 1st generation firewall feature.

log
• (Optional) This keyword generates and sends an informational message whenever the ACE is matched.
• This message includes the ACL number, matched condition (i.e., permitted or denied), source address, and number of packets.
• This message is generated for the first matched packet.
• This keyword should only be implemented for troubleshooting or security reasons.

Create an ACL
Protocol Options - The four highlighted protocols are the most popular options. Use the ? to get help when entering a complex ACE. If an internet protocol is not listed, then the IP protocol number can be specified instead. For instance, the ICMP protocol number is 1, TCP is 6, and UDP is 17.

Protocols and Port Numbers
Port Keyword Options - Selecting a protocol influences port options. For instance, selecting the:
• tcp protocol would provide TCP related port options
• udp protocol would provide UDP specific port options
• icmp protocol would provide ICMP related port (i.e., message) options
The highlighted ports are popular options.

Protocols and Port Numbers
Extended ACLs can filter on different port number and port name options. This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses the www port name. The second ACE uses the port number 80. Both ACEs achieve exactly the same result.

Configuring the port number is required when there is no specific protocol name listed, such as SSH (port number 22) or HTTPS (port number 443).

Protocols and Port Numbers Configuration Examples
TCP Established Extended ACL

In this example, ACL 120 is configured to only permit returning web traffic to the inside hosts. The new ACL is then
applied outbound on the R1 G0/0/0 interface. The show access-lists command displays both ACLs. Notice from the
match statistics that inside hosts have been accessing the secure web resources from the internet.

TCP Established Extended ACL

Named Extended IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. This command enters the named extended configuration
mode. Recall that ACL names are alphanumeric, case sensitive, and must be unique. To create a named extended
ACL, use the following global configuration command:

In the example, a named extended ACL called NO-FTP-ACCESS is created and the prompt changes to named extended ACL configuration mode. ACE statements are entered in the named extended ACL subconfiguration mode.

TCP Established Extended ACL
Named Extended IPv4 ACL Example
Named extended ACLs are created in essentially the same way that named standard ACLs are created. The topology in the figure is used to demonstrate configuring and applying two named extended IPv4 ACLs to an interface:
• SURFING - This will permit inside HTTP and HTTPS traffic to exit to the internet.
• BROWSING - This will only permit returning web traffic to the inside hosts while all other traffic exiting the R1 G0/0/0 interface is implicitly denied.

TCP Established Extended ACL
Named Extended IPv4 ACL Example (Cont.)

The SURFING ACL permits HTTP and HTTPS traffic from inside users to exit the G0/0/1 interface connected to
the internet. Web traffic returning from the internet is permitted back into the inside private network by the
BROWSING ACL.
The SURFING ACL is applied inbound and the BROWSING ACL applied outbound on the R1 G0/0/0 interface.
Inside hosts have been accessing the secure web resources from the internet. The show access-lists command is
used to verify the ACL statistics.

TCP Established Extended ACL

Named Extended IPv4 ACL Example (Cont.)

TCP Established Extended ACL

Two Methods to Modify an ACL
After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can be complex to configure. Sometimes the configured ACE does not yield the expected behavior. For these reasons, ACLs may initially require a bit of trial and error to achieve the desired filtering result. There are two methods to use when modifying an ACL:
• Use a Text Editor
• Use Sequence Numbers
1. Text Editor Method
ACLs with multiple ACEs should be created in a text editor. This allows you to plan the required ACEs, create the ACL, and then paste it into the router interface. It also simplifies the tasks to edit and fix an ACL. To modify an ACL using a text editor:
• Copy the ACL from the running configuration and paste it into the text editor.
• Make the necessary changes.
• Remove the previously configured ACL on the router; otherwise, pasting the edited ACL commands will only append (i.e., add) to the existing ACL ACEs on the router.
• Copy and paste the edited ACL back to the router.

Modify ACLs
2. Sequence Number Method
An ACL ACE can also be deleted or added using the ACL sequence numbers. Sequence numbers are
automatically assigned when an ACE is entered. These numbers are listed in the show access-lists command. The
show running-config command does not display sequence numbers.
Use the ip access-list standard command to edit an ACL. Statements cannot be overwritten using the same
sequence number as an existing statement. Therefore, the current statement must be deleted first with the no 10
command. Then the correct ACE can be added using sequence number 10 as configured. Verify the changes using
the show access-lists command.

Modify ACLs

ACL Configuration Guidelines
An ACL is made up of one or more access control entries (ACEs) or statements. When configuring and applying an ACL, be aware of the guidelines summarized in this list:
• Create an ACL globally and then apply it.
• Ensure the last statement is an implicit deny any or deny ip any any.
• Remember that statement order is important because ACLs are processed top-down.
• As soon as a statement is matched the ACL is exited.
• Ensure that the most specific statements are at the top of the list.
• Remember that only one ACL is allowed per interface, per protocol, per direction.
• Remember that new statements for an existing ACL are added to the bottom of the ACL by default.
• Remember that router-generated packets are not filtered by outbound ACLs.
• Place standard ACLs as close to the destination as possible.
• Place extended ACLs as close to the source as possible.

Implement ACLs
Apply an ACL

After creating an ACL, the administrator can apply it in a number of different ways. The following shows the
command syntax to apply an ACL to an interface or to the vty lines.

The figure below shows a named standard ACL applied to outbound traffic.

Implement ACLs

Apply an ACL
This figure shows two named extended ACLs. The SURFING ACL is applied to inbound traffic and the BROWSING ACL is applied to outbound traffic.

Implement ACLs
This example shows an ACL applied to the vty lines.

Implement ACLs

Where to Place ACLs
Every ACL should be placed where it is the most efficient.
The figure illustrates where standard and extended ACLs should be located in an enterprise network. Assume the
objective is to prevent traffic that originates in the 192.168.10.0/24 network from reaching the 192.168.30.0/24
network.

Implement ACLs

Standard ACL Placement Example
Following the guidelines for ACL placement, standard ACLs should be located as close to the destination as
possible. In the figure, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from
reaching the 192.168.30.0/24 network.

Implement ACLs

Mitigate Spoofing Attacks

IP address spoofing overrides the normal packet creation process by inserting a custom IP header with a different source IP address. There are many well-known classes of IP addresses that should never be source IP addresses for traffic entering an organization's network. The S0/0/0 interface is attached to the internet and should never accept inbound packets from the following addresses:
• All zeros addresses
• Broadcast addresses
• Local host addresses (127.0.0.0/8)
• Automatic Private IP Addressing (APIPA) addresses (169.254.0.0/16)
• Reserved private addresses (RFC 1918)
• IP multicast address range (224.0.0.0/4)

Mitigate Attacks with ACLs
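The established ACE described earlier (ACL 120 permitting only returning web traffic) and the anti-spoofing source list above, as an added Python example that is not from the slides: it parses numbered extended ACEs (protocol, host/any, address plus wildcard, eq/neq/lt/gt port operators, established) and evaluates constructed packets against a constructed ACL 150 that first denies the spoofed source ranges and then permits only TCP replies with ACK or RST set. The packet fields, ACL number, port-name table and function names are assumptions of this example.

```python
import ipaddress
import operator

OPERATORS = {"eq": operator.eq, "neq": operator.ne, "lt": operator.lt, "gt": operator.gt}

def wildcard_match(address, ace_address, wildcard):
    # Wildcard bit 0 = bit must match, 1 = ignore (the reverse of a subnet mask).
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, ace_address, wildcard))
    return (a & ~w) == (b & ~w)

def _take_address(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (addr, wildcard, next_i)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def _take_port(t, i):
    """Consume an optional 'operator port'; return (check function or None, next_i)."""
    if i < len(t) and t[i] in OPERATORS:
        op = OPERATORS[t[i]]
        value = {"www": 80, "ftp": 21, "telnet": 23}.get(t[i + 1]) or int(t[i + 1])
        return (lambda port: op(port, value)), i + 2
    return None, i

def parse_extended_ace(line):
    """Parse 'access-list N permit|deny proto src [op port] dst [op port] [established]'."""
    t = line.split()
    if t[2] == "remark":
        return None
    ace = {"action": t[2], "protocol": t[3]}
    ace["src"], ace["src_wc"], i = _take_address(t, 4)
    ace["sport"], i = _take_port(t, i)
    ace["dst"], ace["dst_wc"], i = _take_address(t, i)
    ace["dport"], i = _take_port(t, i)
    ace["established"] = "established" in t[i:]
    return ace

def ace_matches(ace, pkt):
    if (ace["protocol"] not in ("ip", pkt["protocol"])  # 'ip' matches every protocol
            or not wildcard_match(pkt["src"], ace["src"], ace["src_wc"])
            or not wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"])):
        return False
    if any(ace[k] and not ace[k](pkt.get(k, 0)) for k in ("sport", "dport")):
        return False
    if ace["established"]:
        # established: TCP segment with ACK or RST set, i.e. a reply in a session an
        # inside host opened. A bare SYN arriving from the internet does not match.
        return pkt["protocol"] == "tcp" and bool(pkt.get("flags", set()) & {"ACK", "RST"})
    return True

def evaluate(acl_lines, pkt):
    for line in acl_lines:  # top-down, first match wins
        ace = parse_extended_ace(line)
        if ace and ace_matches(ace, pkt):
            return ace["action"]
    return "deny"  # implicit deny ip any any at the end of every ACL

# Constructed ACL 150, applied inbound on the internet-facing interface: drop the
# spoofed source ranges the slide lists, then allow only returning web traffic.
ACL_150 = [
    "access-list 150 deny ip 0.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip host 255.255.255.255 any",
    "access-list 150 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 169.254.0.0 0.0.255.255 any",
    "access-list 150 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 150 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 150 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 150 permit tcp any 192.168.10.0 0.0.0.255 established",
]
```

A packet dictionary holds protocol, src, dst, sport, dport and a flags set; anything not matched by the nine ACEs falls through to the implicit deny.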
Permit Necessary Traffic through a Firewall
An effective strategy for mitigating attacks is to explicitly permit only certain types of traffic through a firewall.
For example, Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP), and File Transfer Protocol
(FTP) are services that often must be allowed through a firewall. Secure Shell (SSH), syslog, and Simple Network
Management Protocol (SNMP) are examples of services that a router may need to include. The figure shows an
example topology with ACL configurations to permit specific services on the Serial 0/0/0 interface.

Mitigate Attacks with ACLs


Mitigate ICMP Attacks

Both ICMP echo and redirect messages should be blocked inbound by the router. Several ICMP messages are recommended for proper network operation and should be allowed into the internal network:
• Echo reply - Allows users to ping external hosts.
• Source quench - Requests that the sender decrease the traffic rate of messages.
• Unreachable - Generated for packets that are administratively denied by an ACL.
Several ICMP messages are required for proper network operation and should be allowed to exit the network:
• Echo - Allows users to ping external hosts.
• Parameter problem - Informs the host of packet header problems.
• Packet too big - Enables packet maximum transmission unit (MTU) discovery.
• Source quench - Throttles down traffic when necessary.
As a rule, block all other ICMP message types outbound.

Mitigate Attacks with ACLs
IPv6 ACLs

Parameter - Description

deny | permit
Specifies whether to deny or permit the packet.

protocol
Enter the name or number of an Internet protocol, or an integer representing an IPv6 protocol number.

source-ipv6-prefix/prefix-length | destination-ipv6-prefix/prefix-length
The source or destination IPv6 network or class of networks for which to set deny or permit conditions.

any
Enter any as an abbreviation for the IPv6 prefix ::/0. This matches all addresses.

host
For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions.

operator
(Optional) An operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range.

port-number
(Optional) A decimal number or the name of a TCP or UDP port for filtering TCP or UDP, respectively.

dscp
(Optional) Matches a differentiated services codepoint value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.

fragments
(Optional) Matches non-initial fragmented packets where the fragment extension header contains a non-zero fragment offset. The fragments keyword is an option only if the operator [port-number] arguments are not specified. When this keyword is used, it also matches when the first fragment does not have Layer 4 information.

log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

log input
(Optional) Provides the same function as the log keyword, except that the logging message also includes the input interface.

sequence value
(Optional) Specifies the sequence number value for the access list statement. The acceptable range is from 1 to 4294967295.

time-range name
(Optional) Specifies the time range that applies to the permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
THANK YOU
