Standard ACLs
Standard Access Control Lists
- Besides filtering traffic, ACLs can be used to match packets for applying Quality of Service (QoS) features.
ACL location and direction
- inbound ACL: processed as the packet enters the router, before the router makes its forwarding (routing) decision
- outbound ACL: processed after the router makes its forwarding decision and has determined the exit interface to use
- enable an ACL on the interface that processes the packet, in the direction the packet flows through that interface
- the router then processes every inbound or outbound IP packet on that interface using that ACL
Actions when a match occurs
- deny or permit
Types of IP ACLs
- Standard numbered ACLs (1–99) or (1300-1999)
- Extended numbered ACLs (100–199) or (2000-2699)
Named ACLs
- Editing with sequence numbers
- the configuration identifies an ACL either by a number or by a name; every ACL is also either standard or extended
Standard Numbered IPv4 ACLs
- matches only the source IP address
- identify the ACL using numbers rather than names (numbered)
- Looks at IPv4 packets.
List Logic with IP ACLs
- first-match logic: the router takes the action listed in the first line of the ACL that matches the packet and stops looking further in the ACL
- every IP ACL has an implied deny all statement at the end, so a packet that matches no line is discarded
Matching Logic and Command Syntax
- An access list is one or more access-list commands with the same number.
- The number can be any number from the standard ACL ranges listed above (1-99 or 1300-1999); one number is no better than another.
- IOS refers to each line in an ACL as an Access Control Entry (ACE); engineers just call them ACL statements.
- Each access-list command also lists the action (permit or deny), plus the matching logic.
Matching the Exact IP Address
- permit if source = 10.1.1.1
- access-list 1 permit 10.1.1.1
- If you use the host keyword, IOS removes the keyword from the config
Matching Any/All Addresses
- access-list 1 permit any
ACL show commands list
- counters for the number of packets matched by each command in the ACL
- no counter for the implicit deny any at the end of the ACL
- configure an explicit deny any command at the end of the ACL to see the deny counts
Implementing Standard IP ACLs
# access-list access-list-number {deny | permit} source [source-wildcard]
- Plan the location (router and interface) and direction (in or out) on that interface:
- standard ACLs are placed near the destination of the packets so that they do not unintentionally discard packets that should not be discarded
- identify the source IP addresses of packets as they go in the direction that the ACL is examining
- Configure one or more access-list commands:
- # access-list access-list-number {deny | permit} source [source-wildcard]
- Enable the ACL on the interface:
- (config-if)# ip access-group number {in | out}
Standard Numbered ACL Example 1
R2(config)# access-list 1 permit 10.1.1.1
R2(config)# access-list 1 deny 10.1.1.0 0.0.0.255
R2(config)# access-list 1 permit 10.0.0.0 0.255.255.255
R2(config-if)# ip access-group 1 in
# show ip access-lists
- details about IPv4 ACLs only
# show access-lists
- lists details about any configured ACL, not just IPv4
# show ip interface s0/0/1
- lists the number or name of any IP ACL enabled on the interface
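The list logic, the per-line counters and Standard Numbered ACL Example 1 above, modelled in Python as an added illustration (not IOS code and not from the page): wildcard_match, parse_access_list, evaluate and show_ip_access_list are hypothetical helper names, the addresses in SAMPLE_SOURCES are constructed, and the show output only approximates the IOS format.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a small model of standard numbered ACL behaviour
# (first-match, wildcard masks, per-ACE match counters, implicit deny).
# Illustration only; the parser and show output approximate IOS syntax.

STANDARD_RANGES = ((1, 99), (1300, 1999))   # standard numbered ACL ranges


def wildcard_match(packet_src: str, address: str, wildcard: str) -> bool:
    """True when packet_src matches address/wildcard (wildcard bit 1 = don't care)."""
    src = int(ipaddress.IPv4Address(packet_src))
    addr = int(ipaddress.IPv4Address(address))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF   # bits that must match
    return (src & care) == (addr & care)


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    address: str
    wildcard: str
    matches: int = 0   # IOS keeps a match counter per ACE


def parse_access_list(commands):
    """Parse 'access-list N {permit|deny} source [wildcard]' lines into (N, [Ace])."""
    number, aces = None, []
    for line in commands:
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue                              # ignore anything that is not an ACE
        num, action, src = int(parts[1]), parts[2], parts[3:]
        if not any(lo <= num <= hi for lo, hi in STANDARD_RANGES):
            raise ValueError(f"{num} is not a standard numbered ACL number")
        if number is None:
            number = num
        elif num != number:
            raise ValueError("all commands of one ACL share the same number")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if src == ["any"]:                        # any = 0.0.0.0 255.255.255.255
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":                    # IOS stores 'host X' as plain X
            address, wildcard = src[1], "0.0.0.0"
        elif len(src) == 1:                       # no wildcard given = exact match
            address, wildcard = src[0], "0.0.0.0"
        else:
            address, wildcard = src[0], src[1]
        aces.append(Ace(action, address, wildcard))
    return number, aces


def evaluate(aces, packet_src: str) -> str:
    """First-match logic: act on the first matching ACE; otherwise implicit deny."""
    for ace in aces:
        if wildcard_match(packet_src, ace.address, ace.wildcard):
            ace.matches += 1
            return ace.action
    return "deny"   # implied deny-all at the end: there is no ACE, so no counter


def show_ip_access_list(number, aces) -> str:
    """Approximate 'show ip access-lists' output with sequence numbers and counters."""
    lines = [f"Standard IP access list {number}"]
    for seq, ace in enumerate(aces, start=1):
        if ace.wildcard == "255.255.255.255":
            src = "any"
        elif ace.wildcard == "0.0.0.0":
            src = ace.address
        else:
            src = f"{ace.address}, wildcard bits {ace.wildcard}"
        count = f" ({ace.matches} matches)" if ace.matches else ""
        lines.append(f"    {seq * 10} {ace.action} {src}{count}")
    return "\n".join(lines)


# ACL from Standard Numbered ACL Example 1 (prompts removed)
EXAMPLE1 = [
    "access-list 1 permit 10.1.1.1",
    "access-list 1 deny 10.1.1.0 0.0.0.255",
    "access-list 1 permit 10.0.0.0 0.255.255.255",
]

# Constructed sample source addresses to push through the ACL
SAMPLE_SOURCES = ["10.1.1.1", "10.1.1.2", "10.3.3.3", "172.16.1.1"]


def run_example():
    """Evaluate the sample sources against EXAMPLE1 and return {source: action}."""
    number, aces = parse_access_list(EXAMPLE1)
    results = {src: evaluate(aces, src) for src in SAMPLE_SOURCES}
    print(show_ip_access_list(number, aces))
    return results


if __name__ == "__main__":
    print(run_example())
```

Note that 172.16.1.1 is denied without any counter moving, which is exactly why the notes above recommend an explicit deny any at the end when you want to see deny counts.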
Standard Numbered ACL Example 2
- standard ACLs cannot check the destination IP address
- an extended ACL lets you check both the source and destination IP address
- access-list remark parameter: leaves text documentation that stays with the ACL
- for outbound ACLs, the router checks the packets that it routes against the ACL
- a router does not filter packets that the router itself creates with an outbound ACL
Troubleshooting and Verification Tips
- IOS keeps statistics about the packets matched by each line of an ACL
log keyword
- add to the end of an access-list command
- IOS then issues log messages with occasional statistics about matches of that ACL line
- double check that the ACL is enabled on the right interface and for the right direction
Practice Building access-list Commands
Tips to consider when choosing matching parameters for any access-list command:
- To match a specific address, just list the address.
- To match any and all addresses, use the any keyword.
Several practice problems (wildcard mask to use in the access-list command)
- Packets from 172.16.5.4: 0.0.0.0
- Packets from hosts with 192.168.6 as the first three octets: 0.0.0.255
- Packets from hosts with 192.168 as the first two octets: 0.0.255.255
- Packets from any host: 255.255.255.255
- Packets from subnet 10.1.200.0/21: 0.0.7.255
- Packets from subnet 172.20.112.0/23: 0.0.1.255
- Packets from subnet 172.20.112.0/26: 0.0.0.63
- Packets from subnet 192.168.9.64/28: 0.0.0.15
- Packets from subnet 192.168.9.64/30: 0.0.0.3
Reverse Engineering from ACL to Address Range (practice problems)
- one address
- 192.168.4.0 - 192.168.4.127
- 192.168.6.0 - 192.168.6.31
- 172.30.96.0 - 172.30.96.255
- 172.30.96.0 - 172.30.96.63
- 10.1.192.0 - 10.1.192.3
- 10.1.192.0 - 10.1.193.255
- 10.1.192.0 - 10.1.255.255
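Both practice sets above (subnet to wildcard mask, and ACL address/wildcard back to the matched range) worked in Python as an added example that is not part of the page: wildcard_from_prefix, acl_source, address_range, is_contiguous and matched_count are hypothetical helper names; the "hosts with 192.168.6" problems are interpreted here as the /24 and /16 subnets, and the REVERSE_PROBLEMS inputs are constructed because the page lists only the answer ranges. It goes slightly beyond the page by flagging non-contiguous wildcard masks, which IOS accepts but which do not describe a single subnet.

```python
import ipaddress

# Added example: computing and reverse-engineering wildcard masks for the
# source parameter of a standard ACL. Illustration only, not IOS code.


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len subnet: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def acl_source(cidr: str):
    """(address, wildcard) for the access-list command that matches a whole subnet.

    /32 gives wildcard 0.0.0.0 (one host); /0 gives 0.0.0.0 255.255.255.255 (= any)."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # strict=False tolerates host bits
    return str(net.network_address), wildcard_from_prefix(net.prefixlen)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 0 bits followed by 1 bits, i.e. one subnet."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return wc & (wc + 1) == 0


def matched_count(wildcard: str) -> int:
    """Number of addresses a wildcard matches: 2 ** (number of 1 bits)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def address_range(address: str, wildcard: str):
    """Lowest and highest source address matched by address/wildcard.

    With a contiguous wildcard every address in between matches; with a
    non-contiguous one only some do, so check is_contiguous() before treating
    the result as a subnet."""
    addr = int(ipaddress.IPv4Address(address))
    wc = int(ipaddress.IPv4Address(wildcard))
    low = addr & (wc ^ 0xFFFFFFFF)    # don't-care bits cleared
    high = addr | wc                  # don't-care bits set
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


# Practice problems from the page, written as CIDR subnets (the "hosts with
# 192.168.6" / "192.168" problems are interpreted as /24 and /16 here).
PRACTICE_SUBNETS = [
    "172.16.5.4/32", "192.168.6.0/24", "192.168.0.0/16", "0.0.0.0/0",
    "10.1.200.0/21", "172.20.112.0/23", "172.20.112.0/26",
    "192.168.9.64/28", "192.168.9.64/30",
]

# Constructed reverse problems: the page gives only the answer ranges, so the
# address/wildcard pairs here are made up to reproduce three of them, plus one
# non-contiguous wildcard to show the caveat.
REVERSE_PROBLEMS = [
    ("192.168.4.0", "0.0.0.127"),
    ("10.1.192.0", "0.0.1.255"),
    ("10.1.192.0", "0.0.63.255"),
    ("10.0.0.0", "0.255.0.255"),
]

if __name__ == "__main__":
    for cidr in PRACTICE_SUBNETS:
        print(f"{cidr:18} -> {' '.join(acl_source(cidr))}")
    for address, wildcard in REVERSE_PROBLEMS:
        low, high = address_range(address, wildcard)
        note = "" if is_contiguous(wildcard) else (
            f"  (non-contiguous: only {matched_count(wildcard)} addresses in this range match)")
        print(f"{address} {wildcard:15} -> {low} - {high}{note}")
```

The contiguity check matters when reviewing someone else's ACL: 10.0.0.0 0.255.0.255 looks like it spans 10.0.0.0 to 10.255.0.255, but it only matches addresses whose third octet is 0.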