ACL Implementation Guide

ACL guide intro page14528796655631.jpg

If you find yourself in a situation where you need to filter traffic somewhere on your network, then knowing how to configure access control lists (ACLs) is an essential skill to have. An IP ACL can be configured on a specific interface in order to permit/deny traffic based on IP address and/or TCP/UDP port(s).

In this guide, you will learn how access control lists work, the two most commonly used ACL types and how to configure an ACL. We will also show you how to edit ACLs and discuss how they can be used for functions other than filtering IP traffic. This guide uses Cisco hardware and software in the configuration examples, although ACLs largely function the same across all enterprise network equipment.

ACL Rules

No matter what ACL type you are configuring, there are a few rules you must first understand before trying to configure your own. The two key rules to understand are how rules follow a top-down order and use an implicit deny rule at the end of each ACL.

Top-down

When configuring an ACL that has multiple entries, each entry is read in a top-down fashion. As soon as an ACL entry is matched, the device stops the matching process. Because of this, you want to make sure that your most specific access control entries are toward the top of the list so they can be matched first.

Implicit deny-all at the end of an ACL

At the end of every ACL, there is an implicit "deny-all" statement applied. So if you want to configure an ACL to block traffic from 10.0.0.0/8 and permit all other traffic, you must specify the permit entry. If you don't, the implicit deny-all at the end of the ACL will prevent any IP traffic from traversing the interface where the ACL is applied.

(Image: guitario/iStockphoto with modification)

Configuring the two most common ACLs

While there are many ACL types, the most common ACLs used for filtering IP traffic are standard and extended. Each type has slightly different capabilities depending on what level of packet matching granularity you need. Let’s look at the capabilities of both ACL types and how to configure them.

Standard ACL

The most basic of all IP ACLs is the standard ACL. These ACLs are designated by using the ACL number between 1 and 99 and 1300 to 1999. Besides numbering an ACL so it is designated as standard, admins will specify source IP networks, as well as whether the ACL should permit or deny those specified networks. Note that only the source network can be used to identify traffic to filter on.

As an example, let's say that we want to configure a standard IP ACL that will block (deny) traffic from 10.100.250.0/24,  which is a network with a subnet mask of 255.255.255.0. We want to permit all other IP traffic. To do that, we can use an ACL number between 1 and 99 that is unused. We can then specify the deny and permit statements as follows:

standard-acl.png

Note that ACLs use what is known as a wildcard mask to specify the subnetwork. So instead of using a mask of 255.255.255.0 for the 10.100.250.0/24 network, the wildcard mask configured in the ACL entry should be 0.0.0.255. Also, make sure you understand that we must have the permit statement on the second line of the ACL. Because each line of the ACL is read top down, the deny statement will identify any packets coming from 10.100.250.0 /24. If the packet is coming from any other source, it will match the permit any statement, and be allowed through. If we did not have a permit statement, the implicit deny-any statement at the end of all ACLs would block all IP traffic

Extended ACL

Extended ACLs are just like the standard ones with the exception that protocol and port information can be used and both the source and destination networks may be defined in the rules. Extended ACLs use designated numbers 100 through 199 and 2000 to 2699. Just like standard ACL's, the subnet mask uses wildcard masks when configuring the subnetwork. Extended ACLs can be configured to match an IP (which includes both TCP and UDP), TCP, UDP or any number of additional protocols as shown below.

extended-protocols.png

In this example, we will create an extended ACL that will match traffic with a source IP of 10.100.250.0/24, headed to a specific host destination of 172.16.25.100/32 on TCP port 80. This traffic will be denied. A second rule will specify that all other traffic will be permitted.

extended-acl.png

As you can see, when we specify both the source and destination networks, the source IP network is entered first, followed by the destination IP network. The eq 80 in the first access control entry is a match rule specifying that the port equals (eq) TCP port 80 exactly. There are many other match options such as ranges of ports, greater than, less than and quality of service (QoS) markings, among others. Here are all the options available:

match-options.png

Applying the ACL

Creating an ACL is the first step in a two-step packet filtering configuration process. The second step is to apply an ACL to a specific interface. To do so, you must apply the ACL number to the interface and then specify if the ACL should be applied to inbound traffic entering the interface or outbound traffic exiting the interface. Applying an ACL to an interface is the same no matter if you are using a standard or extended ACL type. This example shows  how to configure extended ACL # 101 inbound to interface Gigabit 1/0/5:

apply-acl.png

Editing an ACL

If you want to edit an ACL without completely deleting it, you can do so with sequence numbers. For example, let's say we want to add a second deny statement to our standard ACL #1. First, we can view the ACL in its current form by issuing the show ip access-list 1 command as follows:

edit-show.png

Notice the 10 and 20 numbers at the beginning of each access control entry? These are called sequence numbers. We can use them to add additional entries to the list and have them placed before or in between entries that already exist. In this example, we will add an entry that denies packets coming from the network 192.168.10.0 with a mask of 255.255.255.128. We want to place this entry between entries 10 and 20 so we will use sequence 15 as shown here:

edit-change.png

Now if we look at ACL #1 a second time, we see that our new entry with sequence 15 is placed between 10 and 20:

edit-show-after-change.png

Other uses for ACLs

Access control lists can be used for things other than filtering traffic. The lists are built the same way, but instead of applying them to an interface for filtering purposes, the lists can be used to identify certain traffic so they can be used for other purposes. Some real-world examples include identifying network traffic to NAT and encrypting or hiding traffic to prevent redistribution into routing protocols via route maps.