Cisco access-list examples

The Quick Definition: Access lists, also known as access control lists, are configured on routers and used to regulate traffic entering and exiting networks. Access lists can be configured for all routed network protocols such as IP.

What is an extended access list?

Extended Access Control Lists (ACLs) act as a gatekeeper for your network: each entry permits or denies traffic based on protocol, port number, source, destination and, optionally, a time range. The range of customization is large. In this example, you'll use an extended ACL to block one source from reaching a targeted computer on two specific ports.

How to Set Up an ACL

Imagine a computer (192.168.1.50 in the illustration) trying to reach 192.168.2.50 over HTTP and HTTPS without authorization, and you want to stop that activity.

You don't want to stop all traffic between these two addresses; that would be an outage for every other service between them. Instead, you want to block only the two destination ports involved. HTTP is TCP port 80, HTTPS is TCP port 443.

The first thing to define is the source IP address, which in this case is the unauthorized 192.168.1.50. A source in an extended ACL is written as an address followed by a wildcard mask, which decides how much of the address has to match: a 0 bit in the mask means that bit of the packet's address must match, a 1 bit means it is ignored.

You can read all about how wildcard masks work in another post. For this example, it is enough to know that 192.168.1.50 0.0.0.0 matches only that one host, whereas 192.168.1.0 0.0.0.255 would match every address in the 192.168.1.0/24 subnet, far more than you want to deny here. The illustrated example has only one host to block, so use the host keyword instead: "host 192.168.1.50" is shorthand for a 0.0.0.0 mask, the CLI does not ask for a mask at all, and it moves straight on to the destination.

Setting the Destination

Now that the source is identified, it's time to enter the destination. With just a source, a destination and tcp as the protocol, the statement would deny all TCP traffic from 192.168.1.50 to 192.168.2.50, and you don't want to do that. This is where the port-specific functionality becomes important.

The following two statements deny traffic to just those two destination ports:

Router1# conf t
Router1(config)# access-list 150 deny tcp host 192.168.1.50 host 192.168.2.50 eq 80
Router1(config)# access-list 150 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443

The first statement matches TCP from the source host to the destination host when the destination port is 80. The second repeats the process for HTTPS, port 443. The operator eq, meaning equal to, selects a specific port; placed after the destination address it matches the destination port (placed after the source address it would match the source port instead).

To check the list, display it with show access-list 150 (the do prefix runs an EXEC command from configuration mode). It returns the two new statements; IOS prints port 80 under its keyword, www:

Router1(config)#do sh access-list 150
Extended IP access list 150
    10 deny tcp host 192.168.1.50 host 192.168.2.50 eq www
    20 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443

The first entry denies the source host from connecting to the second host on port 80 (HTTP), and the second entry does the same for port 443 (HTTPS). The ACL now has the entries it needs, but the configuration isn't finished yet, and the list is not ready to be applied to an interface.

Negating the "Deny All"

At the end of every ACL there is an implicit deny all statement. It does not appear in the configuration or in the output of show access-list, but it is always there. So if the list contained only the two deny statements above, every packet that matched neither of them would fall through to the implicit deny, and applying the list would block all other traffic on that interface and cause an outage. To fix this, the ACL needs a permit statement as well.

Add a statement to access list 150 (the number assigned to this list) that permits ip from any source to any destination. The list is evaluated top down and the first match wins, so traffic that matches neither deny is caught by this permit before it can reach the implicit deny. The result is that only the two deny statements you created take effect, and all other traffic is permitted.

Router1(config)#access-list 150 permit ip any any
Router1(config)#do sh access-list 150
Extended IP access list 150
    10 deny tcp host 192.168.1.50 host 192.168.2.50 eq www
    20 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443
    30 permit ip any any
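The whole procedure above (wildcard masks, the two port-specific deny entries, top-down first-match evaluation and the implicit deny) can be modelled in a few lines. The Python below is an added example, not IOS code and not from the CBT Nuggets post: it parses entries in the form show access-list prints them, evaluates constructed packets against the list in order, and keeps a per-entry hit count like the router's match counters. It goes beyond the page's two-line case by also handling network wildcards (192.168.1.0 0.0.0.255), the other port operators and non-TCP protocols, so you can see what a mistaken mask or a missing permit would do. Function and variable names are my own.

```python
import ipaddress

# Port keywords IOS accepts in place of numbers (the subset this page uses).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
              "bootps": 67, "bootpc": 68, "tftp": 69, "www": 80, "pop3": 110,
              "ntp": 123, "snmp": 161}
PORT_OPS = ("eq", "neq", "lt", "gt", "range")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF  # the bits this entry cares about
    return (a & care) == (b & care)

def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def _parse_port(tokens):
    """Consume an optional port-operator clause; None means 'any port'."""
    if not tokens or tokens[0] not in PORT_OPS:
        return None
    op = tokens.pop(0)
    lo = _port(tokens.pop(0))
    hi = _port(tokens.pop(0)) if op == "range" else lo
    return op, lo, hi

def port_match(clause, port):
    if clause is None:
        return True
    op, lo, hi = clause
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= hi}[op]

def parse_ace(line):
    """Parse one entry in the form 'show access-list' prints it (sequence number first).
    Trailing keywords such as 'log' or 'established' are accepted and ignored here."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _parse_addr(tokens)
    sport = _parse_port(tokens) if proto in ("tcp", "udp") else None
    dst = _parse_addr(tokens)
    dport = _parse_port(tokens) if proto in ("tcp", "udp") else None
    return {"seq": seq, "action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport, "hits": 0}

def evaluate(acl, pkt):
    """Top down, first match wins; falling off the end is the implicit deny.
    Returns (action, sequence number); the number is None for the implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["proto"] in ("tcp", "udp"):
            if not port_match(ace["sport"], pkt.get("sport", 0)):
                continue
            if not port_match(ace["dport"], pkt.get("dport", 0)):
                continue
        ace["hits"] += 1  # the router's per-entry match counter
        return ace["action"], ace["seq"]
    return "deny", None

# Access list 150 exactly as the page's 'show access-list 150' displays it.
ACL_150 = [parse_ace(l) for l in (
    "10 deny tcp host 192.168.1.50 host 192.168.2.50 eq www",
    "20 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443",
    "30 permit ip any any",
)]

def tcp(src, dst, dport, sport=51000):
    return dict(proto="tcp", src=src, dst=dst, sport=sport, dport=dport)

# Constructed packets (not captured traffic) arriving inbound on fa0/0.
PACKETS = [
    ("1.50 -> 2.50 tcp/80", tcp("192.168.1.50", "192.168.2.50", 80)),
    ("1.50 -> 2.50 tcp/443", tcp("192.168.1.50", "192.168.2.50", 443)),
    ("1.50 -> 2.50 tcp/22", tcp("192.168.1.50", "192.168.2.50", 22)),
    ("1.51 -> 2.50 tcp/80", tcp("192.168.1.51", "192.168.2.50", 80)),
    ("1.50 -> 2.50 icmp", dict(proto="icmp", src="192.168.1.50", dst="192.168.2.50")),
]

def run(acl, packets):
    """Evaluate every packet against the list; returns {label: (action, seq)}."""
    return {label: evaluate(acl, pkt) for label, pkt in packets}

if __name__ == "__main__":
    for label, verdict in run(ACL_150, PACKETS).items():
        print(f"{label:22s} -> {verdict}")
    for ace in ACL_150:
        print(ace["seq"], ace["hits"], "matches")
```

Running it shows the two deny lines catching only 192.168.1.50 on ports 80 and 443 while everything else, including the same host on port 22 and the neighbour on port 80, lands on line 30. Evaluating ACL_150[:2], the list as it stood before the permit was added, returns the implicit deny ('deny', None) for everything the two lines don't match, which is the outage described above; swapping the host keyword for 192.168.1.0 0.0.0.255 makes line 10 catch the neighbour too.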

Applying the ACL and Determining Direction

Cisco's general guidance is to place an extended ACL as close to the source of the traffic as possible, so unwanted packets are dropped before they cross the network (standard ACLs, which match only on source address, go close to the destination instead). In this case, that's Router 1, on the interface facing 192.168.1.50. In configuration mode, enter "int fa0/0" for the FastEthernet 0/0 interface and then the command "ip access-group" followed by the list number, which in this case is 150.

The command ends with "in" (filter packets arriving on the interface) or "out" (filter packets leaving it), so you have to decide the direction. The best possible advice here: be the router. Imagine each of your arms is an interface, one FastEthernet 0/0 and one Serial 0/0, and ask which way the traffic flows through you. Traffic from 192.168.1.50 enters the router on fa0/0, so the access list should be applied there with "in". (Applying the same list "out" on the serial interface would also drop the packets, but only after the router had done the routing work for them.)

Router1(config)# int fa0/0
Router1(config-if)#ip access-group 150 in

With the access list applied, host 192.168.1.50 can no longer reach host 192.168.2.50 on port 80 or 443. Verify it rather than assume it: generate a connection attempt from the host and check that the match counters on the two deny lines increment in "show ip access-lists 150", and use "show ip interface fa0/0" to confirm which list is applied in which direction. Then your work is done!

CBT Nuggets ACL Courses

The following CBT Nuggets training course by trainer Jeremy Cioara contains two videos (66 and 67) that cover access lists in further detail.

  • Cisco CCENT/CCNA 100-105 ICND1




Technology: Network Security
Area: ACL
Vendor: Cisco
Software: IOS 12.X , 15.X
Platform: ISR, ASR, Catalyst Switches

Access lists provide basic traffic filtering. They can be configured for all routed network protocols to filter packets of those protocols as they pass through a router or switch. The main rule is that an access list is evaluated top down: the first matching entry applies and the remaining ACEs (access control entries) are not checked. At the end of every ACL there is an implicit deny statement.

To configure an access list that denies Telnet traffic and allows all other traffic, use the following commands:

Router#configure terminal
Router(config)#ip access-list extended 101
Router(config-ext-nacl)#5 deny tcp any any eq telnet
Router(config-ext-nacl)#10 permit ip any any
Router(config-ext-nacl)#exit
Router(config)#exit
Router#show access-list

To verify the access list configuration, use show access-list, which returns:

Extended IP access list 101
    5 deny tcp any any eq telnet
    10 permit ip any any

The list does nothing until it is applied to an interface with ip access-group, and it then filters Telnet passing through the router. To restrict Telnet or SSH to the router itself, apply a standard access list to the VTY lines with access-class instead.

Author: Marcin Bialy

This tutorial explains how to configure Cisco access control lists. Learn Cisco ACLs configuration commands with their arguments, options, and parameters.

There are eight types of ACLs. These types are standard-numbered, standard-named, standard-numbered with the sequence editing feature, standard-named with the sequence editing feature, extended-numbered, extended-named, extended-numbered with the sequence editing feature, and extended-named with the sequence editing feature.

To create and configure these access lists, we have two commands. These commands are 'access-list' and 'ip access-list'. The main difference between both commands is the first command supports only the standard-numbered and extended-numbered while the second command supports all eight types.

In this part, we will discuss the meaning of the arguments, options, and parameters of the 'access-list' command. We will also learn how to use the 'access-list' command to create and manage access lists. We will discuss the 'ip access-list' command in the next part of this article.

The 'access-list' command

This is a global configuration mode command. This command allows us to create a standard-numbered ACL and an extended-numbered ACL. This command uses the following syntax.

Router(config)# access-list ACL_# permit|deny conditions

ACL_#: It is a numerical argument. The router uses this number for the following purposes.

  • To identify the type of protocol
  • To identify the type of ACL
  • To group all the statements in the ACL

Each network layer protocol is assigned a range of numbers. For the IP protocol, the following ranges are defined. 1-99, 100-199, 1300-1999, and 2000-2699. From these ranges, the ranges 1-99 and 1300-1999 are used for standard access lists, and the ranges 100-199 and 2000-2699 are used for extended access lists.

To create an IP access list, you must specify a number from the above pre-defined number ranges. For example, to create a standard IP access list, you can choose any number between 1-99 and 1300-1999. Similarly, to create an extended IP access list, you can select any number between 100-199 and 2000-2699.

While selecting a number for the ACL, you must follow the following two principles.

  1. To create a new ACL, use an unused number from the range. If you use a number that is already in use, the router appends your statement to the end of that existing ACL instead of creating a new one.
  2. To update an existing ACL, specify the number of that ACL. If you use a new number, the router creates a new ACL.

Permit|deny

It is an option with two values. If you use the permit option, the router will allow the packet that matches the condition defined next to it. If you use the deny option, the router will block the packet that matches the condition defined next to it.

Conditions

These are the conditions the router uses to match a packet. A standard ACL and an extended ACL use different criteria to match a packet, so the options available here depend on the value of the ACL_# argument.

Standard ACL conditions

If you have specified a number that belongs to the standard ACL, the command will use the following syntax.

Router(config)# access-list 1-99|1300-1999 permit|deny source_IP_address [wildcard_mask] [log]

We have already discussed the options and arguments up to the action option. Now, let's discuss the remaining arguments and options.

source_IP_address

It is an argument. It accepts the source address. You can use a host address or a network address. If you use a host address, the router matches that particular host; if you use a network address, the router matches all hosts of the specified network. Two shortcuts exist: the keyword any matches every source (equivalent to 0.0.0.0 255.255.255.255), and host A matches the single address A (equivalent to A 0.0.0.0). In a standard ACL, a source address given without a wildcard mask is treated as a single host, i.e. a mask of 0.0.0.0 is assumed.

wildcard_mask

It is also an argument. It defines which bits of the source address must match: a 0 bit in the mask must match, a 1 bit is ignored. This lets you match a single IP address or a range of IP addresses. I have already explained wildcard masks in the previous part of this article. You can check that article to learn what wildcard masks are and how they are used.

log

It is an optional parameter. If you specify it, the router generates a log message for matches of this statement (the first matching packet, then periodic rate-limited summaries). Log messages go to the console by default; on a non-console connection such as a VTY (Telnet or SSH) session you will not see them unless you run the privileged EXEC command terminal monitor.

That command applies to the current session only, so you have to execute it each time you want to see logging messages on your VTY or TTY session. For debugging and security purposes, you can also forward these messages to a syslog server with the logging host command. Use log selectively on busy interfaces: logged matches are handled by the router's CPU rather than the fast switching path.

Extended ACL conditions

If you have specified a number that belongs to the extended ACL, the command will use the following syntax.

Router(config)# access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]

We have already discussed the syntax up to the action option. Let's discuss the rest of the syntax.

Unlike a standard ACL, which matches only on the source address, an extended ACL supports many options in the condition field. It lets you filter traffic by the IP protocol the packet carries. Supported values include ip (any IP protocol), icmp, tcp, udp, gre, igrp, eigrp, igmp, ipinip, nos and ospf, or a raw protocol number.

The options available after this argument depend on the protocol you select. For example, if you select the 'ip' protocol, you will see the options for the 'ip' protocol. Or if you select the 'tcp' protocol, you will see the options for the 'tcp' protocol.

CCNA exam syllabus includes four IP protocols. These protocols are ip, tcp, udp, and icmp.

Before we discuss the options of these protocols, let's understand the type of filtering.

There are two types of filtering: host-level filtering and application-level filtering. Host-level filtering is used to filter all the traffic from the host. Application-level filtering is used to filter specific traffic from the host.

For example, if you want to filter all traffic from host 10.0.0.10, you use host-level filtering. But if you want to filter only web traffic from that host, you use application-level filtering. In other words, host-level filtering asks "is host A allowed to reach host B at all?" while application-level filtering asks "what is host A allowed to do with host B?".

Let's discuss both types in detail.

Host level filtering

To filter all the traffic from a host, we match on its IP address. To do that we specify the ip keyword after the action argument. The ip keyword matches every IP protocol, so the entry is decided by the addresses alone.

Unlike a standard access list that allows us to use only the source IP address, an extended access list allows us to use both the source and destination IP addresses. Since you can use both addresses, you can filter the exact traffic.

This feature makes extended access lists more flexible than standard access lists. To use host-level filtering, use the following syntax.

Router(config)#access-list 100-199|2000-2699 permit|deny ip source_address source_wildcard_mask destination_address destination_wildcard_mask [log]

After the 'ip' keyword, we have two fields to specify the source address and the destination address. We can specify a single host address or a range of IP addresses in both fields. We can use wildcard masks with both addresses.

Application-level filtering

To filter a specific type of traffic coming from or going to a host, we use the name of the transport protocol that carries it. On an IP network, an application's traffic is almost always carried by one of two protocols, TCP or UDP.

Both protocols can simultaneously transport data of many applications. Both protocols use a unique number for each application to keep its data separate from other applications. These numbers are known as port numbers.

TCP and UDP port numbers are independent spaces: TCP port 53 and UDP port 53 are different ports, and an ACL entry written for tcp never matches udp traffic. A service that uses both, such as DNS, therefore needs an entry for each.

The following table lists some of the most common port numbers and their associated applications.

TCP
Port Number   Application     ACL Keyword
20            FTP (data)      ftp-data
21            FTP (control)   ftp
22            SSH             22 (no keyword; use the number)
23            Telnet          telnet
25            SMTP            smtp
53            DNS             domain
80            HTTP            www
110           POP3            pop3
443           HTTPS           443 (no keyword; use the number)

UDP
Port Number   Application     ACL Keyword
53            DNS             domain
67, 68        DHCP            bootps (67), bootpc (68)
69            TFTP            tftp
123           NTP             ntp
161           SNMP            snmp

To filter traffic based on an application, we use the following syntax.

Router(config)#access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]

Operators

Operators allow us to match ports more specifically. You can use operators to define a range of ports or a particular port. Extended access lists support five operators. The following table lists them.

Operator   Description
lt         less than
gt         greater than
neq        not equal to
eq         equal to
range      range of port numbers (two ports, inclusive)

Operators are optional and apply only to TCP and UDP; other IP protocols have no ports to match.

Established

The established keyword is used only with TCP. It matches segments that have the ACK or RST bit set, which is every segment of a connection except the initial SYN. Placed on an inbound list, it is the classic way to let replies to sessions opened from inside come back in while blocking connection attempts from outside, so it gives some control over the direction in which sessions can be started. Be clear about what it is not: there is no "established" flag in the TCP header and the router keeps no connection state, so any segment with ACK or RST set is accepted whether or not it belongs to a real session, including crafted ones (this is exactly what an ACK scan relies on). For real state tracking use reflexive ACLs (the reflect and evaluate keywords) or the zone-based firewall.
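To make the flag check concrete, the following Python model (added here; it is not IOS code and not from the tutorial) applies "permit tcp any any established" followed by the implicit deny to a handful of constructed inbound segments. Flag constants and the segment list are mine; the only logic is the test the keyword actually performs.

```python
# TCP flag bits as laid out in the header's flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def established_match(flags):
    """What 'established' really tests: the ACK or RST bit is set. No state is kept."""
    return bool(flags & (ACK | RST))

def inbound_verdict(flags):
    """Model of this inbound list on the outside interface, plus the implicit deny:
         permit tcp any any established"""
    return "permit" if established_match(flags) else "deny"

# Constructed segments arriving from the outside (not captured traffic).
INBOUND = [
    ("SYN/ACK answering a connection opened from inside", SYN | ACK),
    ("data segment of that connection", PSH | ACK),
    ("new connection attempt from outside", SYN),
    ("unsolicited bare ACK, as an nmap -sA probe sends", ACK),
    ("unsolicited RST", RST),
    ("FIN with no ACK (FIN-scan style probe)", FIN),
]

def run():
    """Returns {description: verdict} for every constructed segment."""
    return {label: inbound_verdict(flags) for label, flags in INBOUND}

if __name__ == "__main__":
    for label, verdict in run().items():
        print(f"{verdict:6s} {label}")
```

The two permitted lines you want (SYN/ACK and data of a session opened from inside) come through, and the outside SYN is dropped, but so does the unsolicited bare ACK: a host that receives it answers with RST, which is how an ACK scan discovers that the port is not filtered. The list blocks connection setup, not reconnaissance or any attack that does not need a handshake.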

Log

This keyword instructs the router to log a message every time an ACL entry is hit.

ICMP

Sending a packet is not a guarantee of the packet being delivered. Sometimes packets get lost on the way to the destination. In such a case, the nearest device sends the error message back to the sender. From the message, the sender can know about the undelivered packets and their possible reasons. Networking devices use the ICMP protocol to send error messages.

An adversary may use the ICMP protocol to reveal information about the network. Extended access lists allow us to control what error messages devices can send. To filter ICMP error messages, the command uses the following syntax.

Router(config)# access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]

If we do not specify a particular message type, ACL will match all message types.

The following table lists some of the most common ICMP messages.

Message (keyword)              Description
echo                           Echo request, used to check whether a destination is up
echo-reply                     Reply from the destination to an echo request
host-unreachable               The network is reachable, but the particular host is not responding
net-unreachable                The network is not reachable
traceroute                     Messages used by traceroute
administratively-prohibited    Packet filtered by an ACL (the unreachable a router sends back when it denies a packet)

Enabling an access list

An ACL does nothing until it is applied to an interface. To apply an ACL to an interface, use the following commands.

Router(config)#interface interface_number
Router(config-if)#ip access-group ACL_# in|out

To apply ACL, we need to enter the interface mode. The first command allows us to enter the interface mode. We use the second command to activate the ACLs on the interface. The second command accepts one argument and one option. Let's discuss them.

ACL_#:- It is the ACL that we want to activate on the interface. Specify the ACL number here as the argument.

in|out: It is the direction in which we want to activate the ACL. If you want to filter incoming traffic, specify the keyword 'in' here. If you want to filter outgoing traffic, specify the keyword 'out' here. An interface can carry only one IP access list per direction, so a second ip access-group in the same direction replaces the first.

Deleting access lists

To delete an access list, use the following global configuration command.

Router(config)#no access-list ACL_#

Replace ACL_# with the number of the ACL you want to delete. Two cautions with numbered lists in this classic syntax: no access-list with anything after the number still deletes the whole list, not just the matching entry, and deleting a list does not remove the ip access-group reference on an interface. While the referenced list does not exist, IOS passes all traffic through that interface unfiltered. When replacing a list, build the new one under a new number first and then change ip access-group, or edit the entries in place with ip access-list.

That's all for this tutorial. In the next tutorial, we will discuss the 'ip access-list' command.
