Tweet
Security: To Permit, or Not to Permit – Cisco IOS Access Control Lists (ACL). The Basics of Permission and Denial – Part 1
A Cisco IOS Access-List (ACL) is used to specify network traffic. Once you specify traffic with an ACL, you can then do a variety of things with it. For example, you could allow it, deny it, limit it, or use it to restrict routing updates. In this article, we will learn the basics of Cisco IOS Access-Lists.
Preparing for Cisco CCNP Exams? These are the videos you need to get certified...
Whether you are studying for the BCSI, BCMSN, ONT, ISCW or all four, Train Signal's Cisco CCNP Training Series is the best out there. The instructor uses a "hands-on" method for teaching complex technologies. Each video covers all the bases and gives you more than enough test prep to pass any of your CCNP exams!
Daniel Petri
Click Here to Watch the Cisco CCNP Training Videos!
What do ACL’s do?
A Cisco IOS Access-list is commonly abbreviated ACL. ACL is usually pronounced like A.C.L.; however, some people do pronounce it like “ankle”, but without the “n”. In other words, it can be pronounced “akkl”. My preference is to pronounce it A.C.L., as you would pronounce FBI or CIA, not as you would pronounce NASA or FEDEX.
As I stated before, an ACL is used to specify or define traffic. By just creating an ACL, you have made NO effect on anything. It is simply an unused definition of network traffic. Once it is defined, you can then use it for a wide-ranging list of purposes.
What are the types of ACL’s?
Access-lists can be one of two types: standard or extended. Numbered IP access-lists fall within the following numerical range:
- 1 to 99 Standard IP
- 100 to 199 Extended IP
- 1300 to 1999 Standard IP
- 2000 to 2699 Extended IP
A standard access-list can only define the SOURCE IP of the traffic. An extended IP access-list can define the source and destination IP address of traffic, along with source and destination port numbers. Also, while a standard access-list only defines IP traffic, an extended access-list can define TCP, UDP, ICMP, IP, AHP, EIGRP, IGRP, ESP, IGMP, OSPF, and PIM traffic.
Here is an example of the most basic standard IP access-list that can be defined:
This access-list was numbered “1” and it is permitting traffic from the source IP address of 1.1.1.1.
Since we brought up the numbering of access-lists, let me point out that these numbers are not like line numbers in a program. The access-list statements are not processed in the order of the numbers. The numbers on the access-lists are there to group those access-list statements together. In other words, all lines of an access-list that have the number 1 are in the same access-list and are used together.
Top down Processing
The lines of an access-list are processed from the top down, in the order that they are entered. When the network packet being processed through that access-list matches a statement in the access-list, all processing for that packet is stopped. Let’s look at an example. Say that I have this access-list:
Say that this access-list is being used to filter traffic in-bound to a router. A packet comes in with the source IP address of 1.1.1.1. Look at the access-list. Will that traffic be permitted or denied?
Because the access-list is processed from the top down, that traffic will be denied, even though it would have been permitted later down the list. This is because, when the traffic is denied, processing of the access-list is stopped. The important thing for you to know is that the order of the statements is crucial.
If you are using access-lists to filter traffic, you want to stop the traffic closest to the source of that traffic to conserve WAN bandwidth.
The three P’s of access-lists and filtering traffic
When it comes to filtering traffic, the rule of access-lists is the “three Per’s”. The rule goes like this:
“You can have one access-list per PROTOCOL, per DIRECTION, and per INTERFACE”.
So, you can have an access-list for each protocol (IP, IPX, Appletalk, bridging, etc). You can have an access-list for each direction- either IN, or OUT. You can have an access-list on each interface- FastEthernet0/0, Serial0/0, Serial1/0, etc.
In other words, you can’t have two IN-BOUND IP access-lists on the same interface. Those access-lists would need to be combined to use both of them.
Wildcard Mask
A very important thing to remember is that, when specifying a range of hosts on a network, or an entire network, ACL’s use something called a wildcard mask. The wildcard mask is an inverted subnet mask. In other words, take the subnet mask for the network (or range of hosts), turn it into binary, reverse the 0’s and 1’s, and turn it back into decimal. I won’t go into how to do that with a sub-netted range of hosts but, if your octets are all 255’s or all 0’s, you can just reverse these.
Here are some examples:
Subnet mask 255.255.255.0 = wildcard mask 0.0.0.255
Subnet mask 255.0.0.0 = wildcard mask 0.255.255.255
Subnet mask 255.255.0.0 = wildcard mask 0.0.255.255
Implied Deny
Another very important rule about access-lists is that there is always an “implied DENY” at the end of each ACL. What this means is that every access-list has the following statement at the end of it:
access-list X deny ANY
(if this is a standard access-list)
or
access-list X ip deny ANY ANY
(if this is an extended access-list)
So, if your traffic isn’t explicitly permitted by a statement in the ACL, then your traffic is DENIED. If you manually type the “deny any” statement in, it will appear but if you don’t type it in, it is still there.
Here is an example:
What traffic is allowed through this ACL?
The answer is that NO traffic is allowed through this access-list. That is because the only statement is a deny statement and, after that, there is the implied deny which denies everything.
Summary
Understanding how ACL’s work can be confusing at first. However, I hope this article has cleared up that confusion. The proper usage of Cisco IOS access-lists are essential knowledge for any network administrator. In Part 2 of this article, you will have a real-world demonstration of how to create and apply an access-list.
About the writer
David Davis (CCIE #9369, CWNA, MCSE, CISSP, Linux+, CEH) has been in the IT industry for 15 years. Currently, he manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. He has written over fifty articles, eight practice tests and three video courses and has co-authored one book. His website is at www.happyrouter.com.
David Davis is also one of the Petri.co.il forum moderators.
A Cisco IOS Access-List (ACL) is used to specify network traffic. Once you specify traffic with an ACL, you can then do a variety of things with it. For example, you could allow it, deny it, limit it, or use it to restrict routing updates. In this article, we will learn the basics of Cisco IOS Access-Lists.
Preparing for Cisco CCNP Exams? These are the videos you need to get certified...
Whether you are studying for the BCSI, BCMSN, ONT, ISCW or all four, Train Signal's Cisco CCNP Training Series is the best out there. The instructor uses a "hands-on" method for teaching complex technologies. Each video covers all the bases and gives you more than enough test prep to pass any of your CCNP exams!
Daniel Petri
Click Here to Watch the Cisco CCNP Training Videos!
What do ACL’s do?
A Cisco IOS Access-list is commonly abbreviated ACL. ACL is usually pronounced like A.C.L.; however, some people do pronounce it like “ankle”, but without the “n”. In other words, it can be pronounced “akkl”. My preference is to pronounce it A.C.L., as you would pronounce FBI or CIA, not as you would pronounce NASA or FEDEX.
As I stated before, an ACL is used to specify or define traffic. By just creating an ACL, you have made NO effect on anything. It is simply an unused definition of network traffic. Once it is defined, you can then use it for a wide-ranging list of purposes.
What are the types of ACL’s?
Access-lists can be one of two types: standard or extended. Numbered IP access-lists fall within the following numerical range:
- 1 to 99 Standard IP
- 100 to 199 Extended IP
- 1300 to 1999 Standard IP
- 2000 to 2699 Extended IP
A standard access-list can only define the SOURCE IP of the traffic. An extended IP access-list can define the source and destination IP address of traffic, along with source and destination port numbers. Also, while a standard access-list only defines IP traffic, an extended access-list can define TCP, UDP, ICMP, IP, AHP, EIGRP, IGRP, ESP, IGMP, OSPF, and PIM traffic.
Here is an example of the most basic standard IP access-list that can be defined:
This access-list was numbered “1” and it is permitting traffic from the source IP address of 1.1.1.1.
Since we brought up the numbering of access-lists, let me point out that these numbers are not like line numbers in a program. The access-list statements are not processed in the order of the numbers. The numbers on the access-lists are there to group those access-list statements together. In other words, all lines of an access-list that have the number 1 are in the same access-list and are used together.
Top down Processing
The lines of an access-list are processed from the top down, in the order that they are entered. When the network packet being processed through that access-list matches a statement in the access-list, all processing for that packet is stopped. Let’s look at an example. Say that I have this access-list:
Say that this access-list is being used to filter traffic in-bound to a router. A packet comes in with the source IP address of 1.1.1.1. Look at the access-list. Will that traffic be permitted or denied?
Because the access-list is processed from the top down, that traffic will be denied, even though it would have been permitted later down the list. This is because, when the traffic is denied, processing of the access-list is stopped. The important thing for you to know is that the order of the statements is crucial.
If you are using access-lists to filter traffic, you want to stop the traffic closest to the source of that traffic to conserve WAN bandwidth.
The three P’s of access-lists and filtering traffic
When it comes to filtering traffic, the rule of access-lists is the “three Per’s”. The rule goes like this:
“You can have one access-list per PROTOCOL, per DIRECTION, and per INTERFACE”.
So, you can have an access-list for each protocol (IP, IPX, Appletalk, bridging, etc). You can have an access-list for each direction- either IN, or OUT. You can have an access-list on each interface- FastEthernet0/0, Serial0/0, Serial1/0, etc.
In other words, you can’t have two IN-BOUND IP access-lists on the same interface. Those access-lists would need to be combined to use both of them.
Wildcard Mask
A very important thing to remember is that, when specifying a range of hosts on a network, or an entire network, ACL’s use something called a wildcard mask. The wildcard mask is an inverted subnet mask. In other words, take the subnet mask for the network (or range of hosts), turn it into binary, reverse the 0’s and 1’s, and turn it back into decimal. I won’t go into how to do that with a sub-netted range of hosts but, if your octets are all 255’s or all 0’s, you can just reverse these.
Here are some examples:
Subnet mask 255.255.255.0 = wildcard mask 0.0.0.255
Subnet mask 255.0.0.0 = wildcard mask 0.255.255.255
Subnet mask 255.255.0.0 = wildcard mask 0.0.255.255
Implied Deny
Another very important rule about access-lists is that there is always an “implied DENY” at the end of each ACL. What this means is that every access-list has the following statement at the end of it:
access-list X deny ANY
(if this is a standard access-list)
or
access-list X ip deny ANY ANY
(if this is an extended access-list)
So, if your traffic isn’t explicitly permitted by a statement in the ACL, then your traffic is DENIED. If you manually type the “deny any” statement in, it will appear but if you don’t type it in, it is still there.
Here is an example:
What traffic is allowed through this ACL?
The answer is that NO traffic is allowed through this access-list. That is because the only statement is a deny statement and, after that, there is the implied deny which denies everything.
Summary
Understanding how ACL’s work can be confusing at first. However, I hope this article has cleared up that confusion. The proper usage of Cisco IOS access-lists are essential knowledge for any network administrator. In Part 2 of this article, you will have a real-world demonstration of how to create and apply an access-list.
About the writer
David Davis (CCIE #9369, CWNA, MCSE, CISSP, Linux+, CEH) has been in the IT industry for 15 years. Currently, he manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. He has written over fifty articles, eight practice tests and three video courses and has co-authored one book. His website is at www.happyrouter.com.
David Davis is also one of the Petri.co.il forum moderators.