Access Control Lists are used not only to permit and deny traffic but also to classify interesting traffic. They are used by features such as NAT, quality of service, policy routing, route filtering and VPN. There are several kinds of ACLs, depending on what traffic we want to block or mark and where we want to do it.
Before going over the different kinds of ACLs, I have to underline some rules which are important regardless of which one we are going to use.
Common rules for access lists:
– An access list is read from the top to the bottom and processing stops at the first match.
– An invisible “deny” statement is always added at the end. This is why we write our specific “deny” statements first and finish the list with a “permit” catch-all. Because the implicit deny is appended automatically, if we did not add the final “permit any” the whole traffic would be blocked, regardless of what our “deny” statement says. (A standard ACL has a source field only, so its catch-all is “permit any”; an extended ACL takes a protocol, a source and a destination, so its counterpart is “permit ip any any”.)
access-list 1 deny host 192.168.1.56
access-list 1 permit any
access-list 1 deny any – invisible, added automatically
– We may have two ACLs per interface (one in each direction, in/out). Inbound ACLs are applied before the routing engine sees the packet. Outbound ACLs are applied after the routing engine has sent the packet to the outbound interface, but before it is put in the outgoing queue.
– A “wildcard mask” is used instead of a subnet mask. The wildcard mask is the inverse of the subnet mask, so if the subnet mask is 255.255.255.192 then the wildcard mask is 0.0.0.63 (we subtract each octet from 255: 255 – 192 = 63). In a wildcard mask a 0 bit means “care”, that bit of the packet address must match the address given in the ACL, and a 1 bit means “don’t care”, that bit is ignored. This is how the ACL decides whether a packet is interesting for us or not.
– Following the wildcard mask logic, a single host has the wildcard mask 0.0.0.0, and we may use the keyword “host” instead (host 172.16.0.15 is the same as 172.16.0.15 0.0.0.0). The entire address space has the wildcard mask 255.255.255.255, and we may use the keyword “any” instead (the same as 0.0.0.0 255.255.255.255).
– Where should we apply ACLs? A standard ACL should be applied as close to the destination as possible, because it matches on the source address only; placed near the source it would block that host’s traffic to every destination, not only to the destination we care about. An extended ACL should be applied as close to the source as possible, on our local router, because it matches both source and destination, so we can drop exactly the unwanted traffic on the first interface without touching the host’s other traffic. The picture below illustrates this issue. If I put the standard ACL “access-list 1 deny host 172.16.0.58” in the place of the extended ACL, the host’s entire traffic would be blocked and the user would not be able to get outside whatsoever. If I put the extended ACL in the place of the standard ACL, I would waste router and link resources unnecessarily, because I could drop the traffic on the first interface, as I did, which is the better solution.
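To make the first-match, implicit-deny and wildcard-mask rules concrete, here is a small standard-ACL evaluator in Python. It is an added example, not code from the original page or from IOS; it implements only the standard-ACL grammar (source address only, `host`, `any`, or address plus wildcard), and the ACLs it evaluates are constructed for illustration around the page’s “access-list 1” lines.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_from_mask(mask: str) -> str:
    """Invert a subnet mask into a Cisco wildcard mask: 255.255.255.192 -> 0.0.0.63."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str    # "permit" or "deny"
    base: str      # source address to compare against
    wildcard: str  # wildcard mask; 0.0.0.0 = exact host, 255.255.255.255 = any


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny host A' / 'A W' / 'any' lines (standard ACL grammar only)."""
    aces = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        action, target = parts[2], parts[3]
        if target == "any":
            aces.append(Ace(action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            aces.append(Ace(action, parts[4], "0.0.0.0"))
        else:
            # IOS assumes a wildcard of 0.0.0.0 (a single host) when none is given
            aces.append(Ace(action, target, parts[4] if len(parts) > 4 else "0.0.0.0"))
    return aces


def evaluate(aces, src: str) -> str:
    """Top-down, first match wins; anything reaching the end hits the implicit 'deny any'."""
    for ace in aces:
        if wildcard_match(src, ace.base, ace.wildcard):
            return ace.action
    return "deny"


# Constructed ACLs for illustration (built around the page's access-list 1 lines)
ACL_WITH_CATCHALL = parse_standard_acl([
    "access-list 1 deny host 192.168.1.56",
    "access-list 1 permit any",
])
ACL_WITHOUT_CATCHALL = parse_standard_acl([
    "access-list 2 deny host 192.168.1.56",   # no permit at the end: everything is dropped
])
ACL_SUBNET_FIRST = parse_standard_acl([
    "access-list 3 permit 192.168.1.0 0.0.0.63",   # the whole /26 is matched first ...
    "access-list 3 deny host 192.168.1.56",        # ... so this line is never reached
])

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.192"))            # 0.0.0.63
    print(evaluate(ACL_WITH_CATCHALL, "192.168.1.56"))      # deny
    print(evaluate(ACL_WITH_CATCHALL, "192.168.1.57"))      # permit
    print(evaluate(ACL_WITHOUT_CATCHALL, "192.168.1.57"))   # deny (implicit deny any)
    print(evaluate(ACL_SUBNET_FIRST, "192.168.1.56"))       # permit (order matters)
```

The third ACL shows the ordering trap that the “read top to bottom, stop at first match” rule implies: a broad permit placed above a specific deny silently disables the deny, and IOS will not warn about it.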
Standard ACLs are numbered from 1 to 99 and from 1300 to 1999. They match on the source IP address only and have lower processor utilization than extended ACLs.
Example of a Standard ACL
We want to drop traffic sourced from host 172.16.0.15 as it leaves interface fa0/1 toward our network and allow all other traffic. Because a standard ACL matches the source only, it is applied outbound on the interface closest to the destination network:
access-list 50 deny host 172.16.0.15
access-list 50 permit any
! access-list 50 deny any – implicit, added automatically
interface FastEthernet0/1
 ip access-group 50 out
Extended ACLs are numbered from 100 to 199 and from 2000 to 2699. An extended ACL matches on the IP protocol number, source and destination addresses, protocol options (TCP/UDP ports), ICMP type and code, and TCP state (ACK/RST flags): the “established” keyword matches segments with the ACK or RST flag set and is used to allow returning traffic (described below).
Extended ACL examples
Assuming that we want to prevent host 172.16.0.15 from connecting, from any source port, to the server 220.127.116.11 on port 80 (HTTP), we apply this rule on our local router, inbound on the interface facing the host:
access-list 150 deny tcp host 172.16.0.15 host 220.127.116.11 eq 80
access-list 150 permit ip any any
interface <inside-interface>
 ip access-group 150 in
REFLEXIVE (extended) ACL
Allows returning traffic for connections initiated internally. If we want to allow any host on our internal network to initiate a connection to any host outside, but deny connections initiated from outside to inside, we apply this exemplary rule inbound on the outside interface (the list number 120 is arbitrary):
access-list 120 permit tcp any any gt 1023 established
interface <outside-interface>
 ip access-group 120 in
Any connection from inside to outside and its returning traffic is allowed, as long as the returning segment is addressed to a port greater than 1023 (ports below 1024 are the well-known ports used by services; the inside hosts use higher, ephemeral ports as the source ports of their connections), while traffic that initiates a connection from outside to inside is rejected by the implicit deny. This works because of the TCP three-way handshake: the first segment of a connection (SYN) carries no ACK flag, whereas every segment sent in reply has ACK set. The “established” keyword simply matches segments with the ACK or RST flag set, so a SYN arriving from outside does not match and is dropped. The caveat is that “established” is stateless: the router keeps no record of who sent the SYN, so an outside host that crafts a segment with ACK set (an ACK scan) matches the rule and reaches ports above 1023. A true reflexive ACL, configured with the “reflect” and “evaluate” keywords, creates a temporary entry for each outbound connection and admits only return traffic matching that entry; it is the stateful alternative to “established”.
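To show what “established” actually checks, here is a small simulation in Python of the rule above applied inbound on the outside interface. It is an added example, not code from the page or from IOS; the inside host, the outside addresses (RFC 5737 documentation ranges) and the exchange are constructed, and the filter models only the ACK/RST flag test and the destination-port test, which is all the keyword does.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_established(seg: Segment) -> bool:
    """IOS 'established' is true when ACK or RST is set. No connection table is consulted."""
    return bool(seg.flags & (ACK | RST))


def outside_in_acl(seg: Segment) -> str:
    """Models 'access-list 120 permit tcp any any gt 1023 established' applied inbound on
    the outside interface, followed by the implicit 'deny ip any any'."""
    if seg.dport > 1023 and is_established(seg):
        return "permit"
    return "deny"


INSIDE_HOST = "10.0.0.100"     # constructed inside client
WEB_SERVER = "203.0.113.10"    # constructed outside web server (RFC 5737 range)
ATTACKER = "198.51.100.7"      # constructed outside host trying to get in (RFC 5737 range)

# Constructed exchange. Only segments arriving on the outside interface are filtered; the
# client's own outgoing SYN leaves through that interface and never meets the inbound ACL.
RETURNING_SYNACK = Segment(WEB_SERVER, 80, INSIDE_HOST, 51000, SYN | ACK)  # reply to our SYN
RETURNING_DATA = Segment(WEB_SERVER, 80, INSIDE_HOST, 51000, ACK)          # later data / ACKs
OUTSIDE_SYN = Segment(ATTACKER, 40000, INSIDE_HOST, 51000, SYN)           # new connection from outside
OUTSIDE_SYN_LOW_PORT = Segment(ATTACKER, 40000, INSIDE_HOST, 22, SYN)     # inbound SSH attempt
OUTSIDE_ACK_SCAN = Segment(ATTACKER, 40000, INSIDE_HOST, 51000, ACK)      # crafted ACK, no handshake
OUTSIDE_ACK_LOW_PORT = Segment(ATTACKER, 40000, INSIDE_HOST, 22, ACK)     # crafted ACK to a low port


def run_exchange():
    """Return the verdict of the inbound ACL for each constructed segment."""
    return {
        "returning SYN/ACK": outside_in_acl(RETURNING_SYNACK),
        "returning data": outside_in_acl(RETURNING_DATA),
        "outside SYN": outside_in_acl(OUTSIDE_SYN),
        "outside SYN to port 22": outside_in_acl(OUTSIDE_SYN_LOW_PORT),
        "outside ACK scan": outside_in_acl(OUTSIDE_ACK_SCAN),
        "outside ACK to port 22": outside_in_acl(OUTSIDE_ACK_LOW_PORT),
    }


if __name__ == "__main__":
    for name, verdict in run_exchange().items():
        print(f"{name:24s} -> {verdict}")
```

The last two segments are the point of the caveat: the crafted ACK to port 51000 is permitted although no inside host ever sent a SYN, while the same ACK to port 22 is stopped only by the port test. Nothing in the rule knows whether a connection exists.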
We don’t have to use numbers to identify an ACL. Both standard and extended ACLs may be created as a “named ACL”. This type of access list begins with
ip access-list extended <name>
(or ip access-list standard <name> for a standard one)
A time-based ACL gives us the ability to have an ACL which takes effect only during a certain time. First we define a time range; it may contain an absolute period, a periodic one, or both (in the periodic statement IOS accepts day names or the keywords daily, weekdays and weekend):
time-range <name>
 absolute start 13:00 23 Aug 2016 end 16:00 23 Aug 2016
 periodic weekdays 10:00 to 14:00
An access list doesn’t have to be applied to a physical interface; it may also be applied to a terminal line. Let’s apply our time-based ACL to the VTY lines, so that Telnet logins are accepted only while the time range is active and are caught by the implicit deny outside of it:
access-list 100 permit tcp any any eq telnet time-range <name>
line vty 0 4
 access-class 100 in
IN / OUT Directions
Applying access lists in the correct direction might be confusing, but it is not hard to understand. Take a look at the topology below that we will be using in our lab. We will be trying to reach the WWW server with IP address 192.168.0.200 from the client with IP address 10.0.0.100 (matched as “any” for simplicity). We will block the traffic only on router R1, and only on interface f0/0, once in the IN and once in the OUT direction.
The WWW server is listening on port 80. The source port the client uses to establish the connection is random (ephemeral). So far nothing fancy. Now, for a better understanding of directions, let’s have a look at R1.
As we see, the same traffic can be blocked on the same interface in either direction, but the access list must be written for the direction it is applied in: inbound on f0/0 we match the client’s request (source any, destination the server on port 80); outbound on f0/0 we match the server’s reply (source the server on port 80, destination any). Which one we write depends on the interface and direction we are going to apply the access list on!
ip access-list extended 100
 deny tcp any host 192.168.0.200 eq 80
 permit ip any any
interface FastEthernet0/0
 ip access-group 100 in
ip access-list extended 110
 deny tcp host 192.168.0.200 eq 80 any
 permit ip any any
interface FastEthernet0/0
 ip access-group 110 out
VLAN access lists (VACLs) are applied on multilayer switches. An ordinary router ACL applied to an SVI can filter traffic routed between VLANs, but it CAN’T filter traffic between hosts within the same VLAN! Intra-VLAN traffic is switched at layer 2 using the CAM table (MAC addresses) and never passes through the routed interface where the ordinary ACL is applied. A VACL is programmed into the TCAM and is evaluated against every packet bridged or routed within the VLAN, matching on IP address and wildcard mask regardless of whether the packet ever leaves the VLAN.
First we mark the interesting traffic with a named ACL (here the first three hosts of 10.1.1.0/24 talking to the rest of the subnet; “permit” in this ACL means “match”, the drop or forward decision is taken in the access map):
ip access-list extended BLOCK_3_HOSTS_TRAFFIC
 permit ip 10.1.1.0 0.0.0.3 10.1.1.0 0.0.0.255
Then we have to create the VLAN access map. Each clause has a sequence number: the first drops the matched traffic, the second, with no match statement, forwards everything else (the counterpart of “permit any” in a standard ACL; a VACL also ends with an implicit deny):
vlan access-map VLAN_33_BLOCK 10
 match ip address BLOCK_3_HOSTS_TRAFFIC
 action drop
vlan access-map VLAN_33_BLOCK 20
 action forward
And finally we apply the VLAN access map to the VLAN number of interest:
vlan filter VLAN_33_BLOCK vlan-list <vlan-number>