The Quick Definition: Access lists, also known as access control lists, are configured on routers and used to regulate traffic entering and exiting networks. Access lists can be configured for all routed network protocols such as IP. Extended Access Control Lists [ACLs] act as the gatekeeper of your network. They either permit or deny traffic based on protocol, port number, source, destination, and time range. The range of customization is massive. In this example, you'll learn to use ACLs to block a specific source from accessing a targeted computer via specific ports. Imagine a computer [192.168.1.50 in the illustration] attempting unauthorized access of 192.168.2.50 via HTTP and HTTPS — and you want to stop that activity. You don't want to stop all traffic between these two IP addresses. That will cause a network outage. Instead, you want to restrict traffic only between the ports. HTTP is port 80. HTTPS is port 443.What is an extended access list?
How to Set Up an ACL
The first thing you want to do is define the source IP address, which in this case is the unauthorized 192.168.1.50. You'll first want to block all traffic from that IP address, which you can do with a wildcard mask, which acts as the filter within that source subgroup.
You can read all about how wildcard masks work in another post. In this example, you should know that entering 0.0.0.0 here will block every octet of the IP address. In this case, that would deny every access attempt from the 192.168.1 subnet. The illustrated example above only has one host, though. If you enter "host", there's no mask request, and instead asks for a destination.
Setting the Destination
Now that the target is identified, it's time to input the restricted destination. In its current form, this ACL will deny all TCP traffic between 192.168.1.50 and 192.168.2.50. But you don't want to do that. This is where the port-specific functionality becomes important.
With these statements, you'll deny the ports access to your network.
Router1# conf t
Router1[config]# access-list 150 deny tcp host 192.168.1.15 host 192.168.2.50 eq 80
Router1[config]# access-list 150 deny tcp host 192.168.1.15 host 192.168.2.50 eq 443
The first statement blocks the target at port 80 of the destination. The second statement repeats the process for HTTPS, which is port 443. The keyword "EQ", meaning equal to, will allow for entry of specific ports.
To check the list, call up the list ["Show Access List"], which will return the two new statements.
Router1[config]#do sh access-list 150
Extended IP access list 150
10 deny tcp host 192.168.1.50 host 192.168.2.50 eq www
20 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443
The first denies the first host from connecting with the second using port 80 [HTTP] and the second statement denies the same using port 443 [HTTPS]. The ACL now includes the necessary instructions. But the configuration isn't over, yet, and is not ready to be applied to an interface.
Negating the "Deny All"
At the end of every ACL, there is an 'Implicit DENY ALL' statement. This statement does not show up in the configuration or when you run the 'show access-list' command. But, it is ALWAYS there. " So, if you only add the two deny statements covered above, that implicit deny statement will block all access and cause a total network outage. To fix this, the ACL needs a permit statement, as well.
Bring up Access List 150 [the number assigned to this list] and add "Permit". Configure the permit to include IP from any source to any destination address. By allowing all variations within the statement, the "deny all" function is overruled and no longer causes that outage. Instead, only the two deny statements you created will now apply, and all other traffic will now be permitted.
Router1[config]#access-list 150 permit ip any any
Router1[config]#do sh access-list 150
Extended IP access list 150
10 deny tcp host 192.168.1.50 host 192.168.2.50 eq www
20 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443
30 permit ip any any
Applying the ACL and Determining Direction
Cisco best practices indicate that this list should be applied as early in the sequence as possible. In this case, that's at Router 1. In the console, enter "int fa0/0" for the FastEthernet 0/0 interface and then the command "ip access-group". Then enter the relevant list number, which in this case is 150.
The console will then query "in" [inbound package] or "out" [outbound package], which requires determining the direction. The best possible advice here: be the router. Imagine each of your arms is an interface, one FastEthernet 0/0 and one serial 0/0, and ask which direction the traffic is coming from. In this case, the traffic is coming in the interface, which in this example indicates that the final entry of applying the access list should be "in".
Router1[config]# int fa0/0
Router1[config-if]#ip access-group 150 in
With the access list applied, host 192.168.1.50 will no longer be able to reach host 192.168.2.50 using either port 80 or 443, and your work is done!
CBT Nuggets ACL Courses
The following CBT Nuggets training course by trainer Jeremy Cioara contains two videos [66 and 67] that cover access lists in further detail.
- Cisco CCENT/CCNA 100-105 ICND1
Want to learn more about access lists on Cisco routers? Here's Jeremy with more on the topic!
For those of you who are familiar with access control lists, you’re probably aware that there are many different types of access control lists. We have access control lists for IP version 4, for IP version 6, for IPX, for DECnet, for AppleTalk and the list goes on and on and on. What are you responsible for? We are responsible for IP version 4 at this point, and that’s where our focus is, IP version 4. And we can break out IP version 4 access control lists into two different types, standard and extended. What’s the difference here?
- Standard ACL
- Checks ACL source address
- Permits or denies entire protocol suite
- Extended ACL
- Checks source and destination address
- Generally permits or denies specific protocols and applications
- Source and destination TCP and UDP ports
- Protocol type [IP, ICMP, UDP, TCP or protocol number]
Well it’s what parameters they look for and I want you to read standard, what does this standard look for here? What does it check? I want you to read that. And I am going to show a way to remember it. So you see standard does not look at destination, which practically speaking, is not very useful. The lack of being able to look for a destination is quite limiting, you usually want to look for where it’s coming from and going to. But a standard access list has something in common with source address, doesn’t it? It’s the letter S, it is a great way to remember that standard access lists only look for source.
Extended access control lists, or extended ACLs, on the other hand, they’re far more powerful, they can look at source and destination, they can look at transport layer protocols such as TCP and User Data Protocol, or UDP. They can look at application layer protocols over TCP and UDP, such as HTTP, FTP, Trivial File Transport Protocol, or TFTP, DNS, secure sockets layer, and secure shell. That sounds like a lot, so how do we remember that extended access lists can match for so much more than standard access control lists? Well when we were referring to our standard access control lists, we pointed out that it only checks the source address. Standard starts with S, source starts with S also.
So I remember it as standard, source only, S and S, whereas with extended, we have everything else. So the E helps us remember everything. Now there are certain things that we can’t match. We can’t match sequence numbers, acknowledgment numbers, we can’t match many of the flags in TCP for instance, we can match one of them and send bit. But it’s far more inclusive and so we are closer to everything. Bear in mind, when we enter these in, we have two sets of syntax, we have the old syntax and we have the new syntax. And we are going to expose you to both.
The old syntax is numbered, the new syntax is named, and the numbered syntax, it is kind of tricky. We don’t encounter numeric names all that often. In numbered standard access list, we have one through 99. There is an expanded range which we stay away from, there is no reason to use that anymore. The 1300 through 1999, we don’t use that, okay, steer clear. But one through 99 is standard, 100 through 199 is extended and the way to remember this range is they always end at 99s, every single range ends 99 something. And when we extend to a three digit value, when we jump from two digits to three digits, we extend and therefore we get the extended IP access list range.
| Numbered Standard | 1-99, 1300-1999 |
| Numbered Extended | 100-199, 2000-2699 |
| Named [Standard and Extended] | Name |
But that’s the syntax that quite frankly we’re more responsible for, but we’ve had for the better part of a decade now, named access control lists. In fact, it’s over a decade as we speak. What’s the benefit of a named access control list? Well named access control list, first of all, allows us to provide a descriptive name. So instead of our access control list being called 79 we can provide a descriptive name and that name can help us understand what the access control list is designed to accomplish. But what we really benefit from by using named access control lists is the ability to edit them, add and delete entries within that ACL.
You see, with numbered access control lists, if you need to add an entry, when you go to the command line interface and you want to add an entry, that will be looked at before an entry that you already have in there. Now you just can’t go in there and just put in there, there is no way to do that with the syntax for creating that. So you’re limited on your editing ability, what do you have to do? Erase it all, re-create it. So Notepad comes in handy. All right, but with named access control list, we have the ability to go into the named access control list syntax, add, move, delete, change those entries in the access control list, as we see fit.
So much more powerful, the named access control list syntax. But don’t get us wrong here. The numbered access control list identification such as 1, 2, 3, 4 or 100 or 150, that is still the name of the access control list. And you’ll see it later, utilize named access control list syntax to edit a numbered access control list. It’s pretty cool and we will give you the ability to edit and to fix your mistakes with your numbered access control list without having to blow the whole thing away and remove it. So a really great syntax and you will learn it and you’ll love it and we will see it all, all the syntax as we progress through this course together.
Standard numbered ACLs
Standard access list, what do they look for? I am asking you, what do they look for? They look for the source parameter and here we can see that. So they are going to not worry about the layer 2 frame header, they are going to look at the packet header, they are going to look at the source field in the packet header and match based on that exclusively. So they are not going to go deeper into the transport layer. And none of these go into the data, okay. You would have to use some advanced firewall features to filter based on data.
Here is what we’ve been waiting for, the syntax, and it is not overly complicated, make note of that. It’s not overly complicated. First and foremost, we configure numbered access control lists in global configuration mode. We type in access-list and then we specify the access list number. So these are standard IPv4 access control lists, what are the number ranges? 1 to 99 and 1300 to 1999. When we specify any number out of those possible values, our router automatically knows that we are creating a standard IPv4 access control list and it will provide you with the correct syntax to use.
It won’t let you put in parameters that are not acceptable to the standard IP version 4 access control list. So you put in the wrong number, if you put in a 101, where you are trying to create a standard IP version 4 access control list, it will give you the syntax for an extended access control list, right? So be careful with your numbering, pick the right numbers and then you’ll specify which you want to happen to this traffic. Do you want to permit it? Do you want to deny it? You can also put a remark, what is a remark? It’s just a description. So you can describe this access control list, so when you review the access control list later, you will know what it’s for.
R1[config]#access-list 1 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R1[config]#access-list 1 permit ?
Hostname or A.B.C.D Address to match
host A single host address
R1[config]#access-list 1 permit 172.16.0.0 ?
/nn or A.B.C.D Wildcard bits
log Log matches against this entry
R1[config]#access-list 1 permit 172.16.0.0 0.0.255.255 ?
log Log matches against this entry
R1[config]#access-list 1 permit 172.16.0.0 0.0.255.255
Then we have our source, what is the source? Remember, earlier when we were looking at addresses and wildcard mask combinations… Well the source is the source address, that starting point that we want to use for that range comparison. So if we look at our example, we have 172.16.0.0 as the address, the source and then mask. What is the mask? Be careful here, it is not, I repeat, it’s not the subnet mask. It is the wildcard mask. This is where we put in the wildcard mask. So in our example 0.0.255.255, so what is the range of addresses that this access control list, that we just crafted, is going to check? 172.16.0.0 through 172.16.255.255.
So you see how important that wildcard mask is, and understanding what it does, it’ll help you craft them and read them. It says here that there’s a default wildcard mask, take that with a grain of salt, your operating system generally speaking will not accept the syntax anymore when you put in any entry inside of your access control list that lacks a wildcard mask. Okay, so that’s old behavior and not representative of anything that’s recent. When we put in an entry such as what we see in global configuration mode with access-list, that’s just one entry. Bear in mind, if we wanted to add another entry, we would still have access-list 1 and then we will build the next permit or deny sequence. access-list 1 again, access-list 1 again, if we want to build a larger and larger access control list. What’s the minimum size of an access control list?
A minimum size would be one permit statement. Yeah I guess there can’t just be one deny statement, that would be useless, unless you’re logging, but that wouldn’t let anything through. And the maximum is whatever you can dream up and whatever you have the endurance for. Once you perfect your access control list in global configuration mode as we see here, you can validate it. But to show access lists, command and that would in fact show all access lists, IPv4, IPv6, Mac address access list, IPX, AppleTalk, but usually we just have IPv4 and may be nowadays some IPv6.
Standard IP access list 1
10 permit 172.16.0.0, wildcard bits 0.0.255.255
And we can see the one entry. Now wait a minute, wait a minute, we put in permit 172.16 with that wildcard mask, what’s the 10 there? What is that 10 that just sprung to life inside of our access list? The 10 is an automatic sequence number that is added to the access list. It will be 10 by default. If we were to create another entry…so we type in access-list 1 permit 192.168.1.0 0.0.0.255, it would be automatically provided a sequence number. And it would be 20, the next one in the list and the next one will be 30 and 40 and 50, it’s how we keep track of them, the sequence number, the order we created them in.
And this is important, remember how we said, if we want to edit the access control list, we might want to add an entry here and there, but we can only do that with named syntax, we are unable to do that here with this standard numbering syntax, but those sequence numbers will be the defining factor of where our entry goes. If we add or move or delete or change and we will see that later on, we will see that later on only when we enter into the named access control list syntax of how these sequence numbers can be used and manipulated to our advantage.
Removing an access list is very easy, remember that powerful no command, type in no access-list and then the number of the access list you want to remove. Be careful, be careful. Let’s say you typed in no access-list 1 permit 172.16.0.0 0.0.255.255. So you want to remove a standard access list entry you created earlier. You type in no and you specify the whole command that you typed in before, will that remove just that one entry? I will repeat that, will that remove just the one entry? At first thought, yeah, that’s at first thought, but if you try that and you tested it? No, that is not what will happen. It won’t remove just that one entry, what will it do? It will get rid of the whole thing, so some of you out there have had exposure to this. It is really bizarre behavior in the IOS.
R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1[config]#no access-list 1 R1[config]#end R1#sh access-lists
R1#