Configuring ACLs

This section describes the steps to configure named and numbered, standard and extended ACLs. This section also explains how to verify that the ACLs function properly and discusses some common configuration errors to avoid.

Standard IPv4 ACLs, numbered 1 to 99 and 1300 to 1999 or named, filter packets based on a source address and mask, and they permit or deny the entire TCP/IP protocol suite. This standard ACL filtering may not provide the filtering control you require. You may need a more precise way to filter your network traffic. Figure 6-12 illustrates that standard access lists check only the source address in the IPv4 packet header.

Figure 6-12 Standard IPv4 Access Lists

Configuring Numbered Standard IPv4 ACLs

To configure numbered standard IPv4 ACLs on a Cisco router, you must create a standard IPv4 ACL and then activate it on an interface. The access-list command creates an entry in a standard IPv4 traffic filter list.

The ip access-group command links an existing ACL to an interface. Only one ACL per protocol, per direction, and per interface is allowed.

NOTE To remove an IP ACL from an interface, first enter the no ip access-group name/number [in|out] command on the interface; then enter the global no access-list name/number command to remove the entire ACL. Keep that order: an ip access-group statement that references an ACL which no longer exists permits all traffic, so deleting the list first silently removes the filter until the interface statement is also cleaned up.

The following provides an example of the steps that are required to configure and apply a numbered standard ACL on a router:
Step 1 Use the access-list global configuration command to create an entry in a standard IPv4 ACL.

Each access-list statement entered for the same list number appends one entry; enter the global no access-list access-list-number command to remove the entire ACL. The example statement matches any address that starts with 172.16.x.x (wildcard mask 0.0.255.255). You can use the remark option to add a description to your ACL.

Step 2 Use the interface configuration command to select an interface, and apply the ACL to it with the ip access-group command.

This step activates the standard IPv4 ACL 1 on the interface as an outbound filter.

Example: Numbered Standard IPv4 ACL—Permit My Network Only

For the network shown in Figure 6-13, you want to create a list to prevent traffic that is not part of the internal networks (172.16.0.0/16) from traveling out either of the Ethernet interfaces.
Figure 6-13 Standard ACL Permitting a Specific Network

The configuration in Example 6-2 provides a solution for this example.

Example 6-2 Access List Preventing All Non-172.16.0.0 Traffic

Table 6-2 describes the command syntax that is presented in Example 6-2.

Table 6-2 Numbered Standard IPv4 ACL Example Permitting a Specific Network

This ACL allows only traffic from source network 172.16.0.0/16 to be forwarded out E0 and E1. Traffic from any other source network matches no permit statement and is dropped by the implicit deny any at the end of the list.
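The following is an added configuration for this scenario, written for this page rather than taken from the page's own Example 6-2. The interface names follow the figure; the hostname, the remark text and the show output shown are assumed.

```cisco
! Added example (not the page's Example 6-2): a numbered standard ACL that
! forwards only 172.16.0.0/16 sources out both Ethernet interfaces.
! Hostname "Router" and the remark text are assumed.
Router(config)# access-list 1 remark Permit only internal 172.16.0.0/16 sources
Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
! No explicit deny is needed: every ACL ends with an implicit "deny any".
!
! The same list can be applied to more than one interface.
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out
Router(config-if)# interface ethernet 1
Router(config-if)# ip access-group 1 out
Router(config-if)# end
!
! Verify the list contents and where it is applied (output is representative).
Router# show access-lists 1
Standard IP access list 1
    10 permit 172.16.0.0, wildcard bits 0.0.255.255
Router# show ip interface ethernet 0 | include access list
  Outgoing access list is 1
  Inbound access list is not set
```

The wildcard mask 0.0.255.255 means "the first two octets must match, the last two are ignored", which is why a single statement covers the whole /16. After applying the list, generate some traffic and repeat show access-lists: the match counter on the permit line should increase, and anything from outside 172.16.0.0/16 should stop leaving E0 and E1.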

Example: Numbered Standard IPv4 ACL—Deny a Specific Host

For the network shown in Figure 6-14, you want to create a list to prevent traffic that originates from host 172.16.4.13 from traveling out Ethernet interface E0.

Figure 6-14 Standard ACL Denying a Specific Host

The configuration in Example 6-3 provides a solution for this example.

Example 6-3 Access List Preventing Traffic Originating from a Specific Host

Table 6-3 describes the command syntax that is presented in Example 6-3.

Table 6-3 Numbered Standard IPv4 ACL Example Denying a Specific Host

This ACL is designed to block traffic from a specific address, 172.16.4.13, and to allow all other traffic to be forwarded on interface Ethernet 0. The 0.0.0.0 255.255.255.255 IP address and wildcard mask combination permits traffic from any source. This combination can also be written using the keyword any.
Example: Numbered Standard IPv4 ACL—Deny a Specific Subnet

In Figure 6-15, the goal is to create a list to prevent traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.

Figure 6-15 Standard ACL Denying a Specific Subnet

The configuration in Example 6-4 provides a solution for this example.

Example 6-4 Access List Preventing Traffic Originating from a Specific Subnet

Table 6-4 describes the command syntax that is presented in Example 6-4.

Table 6-4 Numbered Standard IPv4 ACL Example Denying a Specific Subnet


This ACL is designed to block traffic from a specific subnet, 172.16.4.0/24 (wildcard mask 0.0.0.255), and to allow all other traffic to be forwarded out E0.
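The two deny scenarios above (a single host and a whole subnet), as an added configuration that is not the page's Example 6-3 or 6-4. The host and subnet addresses come from the text; the list numbers 2 and 3 and the hostname are assumed. Both lists are shown, but only one can be applied outbound on E0 at a time.

```cisco
! Added example (not the page's Examples 6-3 and 6-4): two alternative
! standard ACLs for the outbound direction on E0. List numbers 2 and 3
! and the hostname are assumed.
!
! (a) Deny one host, permit everything else, written with explicit masks.
Router(config)# access-list 2 deny 172.16.4.13 0.0.0.0
Router(config)# access-list 2 permit 0.0.0.0 255.255.255.255
!
! The same list using the host and any keywords (equivalent, easier to read).
! "no access-list 2" removes the whole list, so it is rebuilt from scratch.
Router(config)# no access-list 2
Router(config)# access-list 2 deny host 172.16.4.13
Router(config)# access-list 2 permit any
!
! (b) Deny a whole /24, permit everything else.
Router(config)# access-list 3 deny 172.16.4.0 0.0.0.255
Router(config)# access-list 3 permit any
!
! Order matters: entries are tested top-down and the first match wins.
! A "permit any" placed first would shadow the deny and block nothing.
!
! Apply one of the two lists (only one ACL per direction per interface).
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 2 out
Router(config-if)# end
Router# show access-lists
```

Without the trailing permit any, either list would block every source, because the implicit deny any at the end catches everything the single deny statement does not. The explicit permit any is what turns the list from "deny everything" into "deny only this".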

Controlling Access to the Router Using ACLs

To control traffic into and out of the router (not through the router), you will protect the router virtual ports. A virtual port is called a vty. By default, there are five such virtual terminal lines, numbered vty 0 through vty 4. When configured, Cisco IOS Software images can support more than five vty ports.

Restricting vty access is primarily a technique for increasing network security and defining which addresses are allowed Telnet access to the router EXEC process.

Filtering Telnet traffic is normally considered an extended IP ACL function, because it filters on a higher-layer protocol and port. When the filter is applied to the vty lines with the access-class command, however, only the source address of the session needs to be checked, so standard IP ACL statements are sufficient to control vty access.

Example 6-5 demonstrates how to limit access to the Telnet process.

Example 6-5 Access List Preventing Telnet Activity

In this example, you permit any device on network 192.168.1.0 0.0.0.255 to establish a virtual terminal (Telnet) session with the router. Of course, the user must still know the appropriate passwords to enter user mode and privileged mode. Because access-class filters the vty line rather than the Telnet protocol, the same restriction applies to SSH sessions, which you should prefer to Telnet because Telnet sends the passwords in cleartext.

Notice that identical restrictions have been set on every vty line (0 to 4) because you cannot control on which vty line a user will connect. The implicit deny any statement still applies to the ACL when it is used as an access class entry.
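An added configuration for restricting vty access (not the page's Example 6-5). The permitted network is the one in the text; the list number 12, the remark text and the hostname are assumed.

```cisco
! Added example (not the page's Example 6-5): restrict who may open a vty
! (Telnet or SSH) session to the router. ACL number 12, the hostname and
! the remark text are assumed; the permitted network comes from the text.
Router(config)# access-list 12 remark Management stations only
Router(config)# access-list 12 permit 192.168.1.0 0.0.0.255
! Every other source is rejected by the implicit deny any at the end of list 12.
!
! Apply the same list to all five default vty lines: the router, not the
! user, decides which line an incoming session lands on.
Router(config)# line vty 0 4
Router(config-line)# access-class 12 in
! Optional hardening, only if SSH has already been configured on the router
! (otherwise this line would lock out remote access):
! Router(config-line)# transport input ssh
Router(config-line)# end
!
! Read the line configuration back.
Router# show running-config | section line vty
```

If the image has been configured with more than five vty lines, apply the access-class to every one of them (for example line vty 0 15); a line left without it is an unfiltered way in.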

Configuring Numbered Extended IPv4 ACLs

For more precise traffic-filtering control, use extended IPv4 ACLs, numbered 100 to 199 and 2000 to 2699 or named, which check for the source and destination IPv4 address. In addition, at the end of the extended ACL statement, you can specify the protocol and optional TCP or User Datagram Protocol (UDP) application to filter more precisely. Figure 6-16 illustrates the IP header fields that can be examined with an extended access list.

Figure 6-16 Extended IPv4 Access Lists

To specify an application, you can configure either the port number or the name of a well-known application. Table 6-5 shows an abbreviated list of some well-known port numbers of the various TCP applications.

Table 6-5 Well-Known Port Numbers and IP Protocols

To configure numbered extended IPv4 ACLs on a Cisco router, create an extended IPv4 ACL and activate that ACL on an interface. Use the access-list command to create an entry to express a condition statement in a complex filter. The full command follows:

Table 6-6 Command Parameters for a Numbered Extended ACL

The syntax of the access-list command that is presented here is representative of the TCP protocol form. Not all parameters and options are given. For the complete syntax of all forms of the command, refer to the appropriate Cisco IOS Software documentation available at Cisco.com.

Extended ACL with the established Parameter

In Example 6-6, the established parameter of the extended ACL allows responses to traffic that originated from the mail host, 128.88.1.2, to return inbound on the serial 0 interface. A match occurs if the TCP segment has the ACK or reset (RST) bit set, which indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, the mail host could only receive SMTP traffic but not send it, because the replies to connections it opened would be dropped. Note that established checks only the TCP flags and keeps no connection state: a packet crafted from outside with the ACK bit set also matches, so it is not a substitute for stateful inspection.

Example 6-6 Access List Permitting Responses to an Originating Mail Host

The ip access-group command links an existing extended ACL to an interface. Only one ACL per protocol, per direction, and per interface is allowed.
Table 6-7 defines the parameters of the ip access-group command.

Table 6-7 ip access-group Command Parameters

The following list shows the steps that are required to configure and apply an extended ACL on a router:
Step 1 Define an extended IPv4 ACL. Use the access-list global configuration command.
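The established scenario above, carried through the define-and-apply steps, as an added configuration that is not the page's Example 6-6. The mail host address and interface come from the text; the list number 102, the internal network 128.88.0.0/16 and the hostname are assumed.

```cisco
! Added example (not the page's Example 6-6): an extended ACL applied inbound
! on serial 0 that admits new SMTP connections to the mail host 128.88.1.2
! and lets replies to connections opened from inside come back.
! ACL number 102, the internal network 128.88.0.0/16 and the hostname are assumed.
!
! TCP form of the command:
!   access-list number {permit|deny} tcp source source-wildcard [operator port]
!       destination destination-wildcard [operator port] [established] [log]
!
! Return traffic for connections initiated from inside: matches only TCP
! segments with ACK or RST set, so a bare SYN from outside does not match.
Router(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
! New inbound connections are allowed only to the mail host's SMTP port.
Router(config)# access-list 102 permit tcp any host 128.88.1.2 eq smtp
! The implicit deny ip any any drops everything else, including UDP and ICMP.
!
! Apply the list in the inbound direction on the serial interface.
Router(config)# interface serial 0
Router(config-if)# ip access-group 102 in
Router(config-if)# end
Router# show access-lists 102
```

Swapping the two permit lines would not change the result here, because they match disjoint traffic, but in general put the most specific statements first and remember that the first matching entry wins. Because established only inspects flags, it cannot distinguish a genuine reply from a forged segment carrying ACK; if that matters, use a stateful feature rather than this ACL.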

Numbered Extended IP ACL: Deny FTP from Subnets

For the network in Figure 6-17, you want to create a list to prevent FTP traffic that originates from the subnet 172.16.4.0/24, going to the 172.16.3.0/24 subnet, from traveling out Ethernet interface E0.

Figure 6-17 Extended ACL Denying FTP from One Subnet to Another

The configuration in Example 6-7 provides a solution for this example.
Example 6-7 Access List Preventing FTP Traffic from Specific Subnets

Table 6-8 describes the command syntax presented in Example 6-7.

Table 6-8 Numbered Extended IPv4 ACL Example Denying FTP Between Subnets

The deny statements deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0. The permit statement allows all other IP traffic out interface E0.

Numbered Extended ACL: Deny Only Telnet from Subnet

For the network in Figure 6-18, you want to create a list to prevent Telnet traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.

Figure 6-18 Extended ACL Denying Telnet from a Given Subnet

The configuration in Example 6-8 provides a solution for this example.

Example 6-8 Access List Preventing Telnet Traffic from a Specific Subnet

This example denies Telnet traffic from 172.16.4.0 that is being sent out interface E0. All other IP traffic from any other source to any destination is permitted out E0. Table 6-9 describes the command syntax that is presented in the example.
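The FTP and Telnet scenarios above, as an added configuration that is not the page's Example 6-7 or 6-8. The subnets and interface come from the text; the list numbers 101 and 103 and the hostname are assumed. Both lists are shown to contrast the port matching; only one of them can be applied outbound on E0.

```cisco
! Added example (not the page's Examples 6-7 and 6-8): two numbered extended
! ACLs for the outbound direction on E0. List numbers 101 and 103 and the
! hostname are assumed.
!
! (a) Block FTP from 172.16.4.0/24 to 172.16.3.0/24, permit everything else.
!     Port 21 is the FTP control channel; port 20 is the active-mode data channel.
Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
Router(config)# access-list 101 permit ip any any
! Passive-mode FTP negotiates a high data port, so the "eq 20" line alone would
! not stop it; denying port 21 is what prevents the session from starting.
!
! (b) Block Telnet from 172.16.4.0/24 to any destination, permit everything else.
!     "eq telnet" and "eq 23" are interchangeable.
Router(config)# access-list 103 deny tcp 172.16.4.0 0.0.0.255 any eq telnet
Router(config)# access-list 103 permit ip any any
!
! Apply one list (only one ACL per protocol, direction and interface).
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101 out
Router(config-if)# end
!
! The per-line match counters show which entry is catching the traffic.
Router# show access-lists 101
```

Note that the port operator is applied to the destination port here, which is the server side of an FTP or Telnet session. A deny on the source port would never match the client's connection attempts, because clients use ephemeral source ports.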

Table 6-9 Numbered Extended IPv4 ACL Example Denying Telnet from a Subnet

Configuring Named ACLs

The named ACL feature allows you to identify standard and extended IP ACLs with an alphanumeric string (name) instead of a number. Named IP ACLs allow you to delete individual entries in a specific ACL. In Cisco IOS Release 12.3 and later, you can use sequence numbers to insert statements anywhere in the named ACL. In software earlier than Cisco IOS Release 12.3, you can add statements only at the bottom of the named ACL. Because you can delete individual entries with named ACLs, you can modify your ACL without having to delete and then reconfigure the entire ACL. Use named IP ACLs when you want to identify ACLs by a meaningful name.

Creating Named Standard IP ACLs

The following list shows the steps that are required to configure and apply a named standard IP ACL on a router:
Step 1 Define a standard named IPv4 ACL. Use the ip access-list standard global configuration command.

Define the list using a unique name. A descriptive name can be helpful when examining the configuration of the router.
Step 2 Enter one of the following commands to establish test parameters:

Use the show ip interface command to verify that an IP ACL is applied to the interface.

Creating Named Extended IP ACLs

The steps required to configure and apply a named extended IP ACL on a router are as follows:
Step 1 Define an extended named IPv4 ACL. Use the ip access-list extended global configuration command.

Use the show ip interface command to verify that an IP ACL is applied to the interface.

You can take advantage of the sequence numbers in a named access list to add specific entries within an existing list. In Example 6-9, a new entry is added to a specified location within the access list.

Example 6-9 Confirming Added Entries to an Existing Access List

Using the number of a standard access list as the name, you can also use this feature to place an entry in a specific location of a numbered access list. In Example 6-10, a new entry is added to a specified access list.

Example 6-10 Placing an Entry in a Numbered List Using the Name Function

Named Extended ACL: Deny a Single Host from a Given Subnet

For the network shown in Figure 6-19, you want to create a list named “troublemaker” to prevent traffic that originates from the host 172.16.4.13 from traveling out Ethernet interface E0.

Figure 6-19 Named Extended ACL Denying a Single Host

The configuration in Example 6-11 provides a solution for this example.

Example 6-11 Access List Preventing Traffic from a Specific Host

Table 6-10 describes the command syntax that is presented in Example 6-11.

Table 6-10 Named Extended IPv4 ACL Example Denying a Single Host

Named Extended ACL—Deny a Telnet from a Subnet

Using Figure 6-19 again, this time you want to create a list named “badgroup” to prevent Telnet traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.

The configuration in Example 6-12 provides a solution.

Example 6-12 Access List Preventing Telnet Traffic from a Specific Subnet

Table 6-11 describes the command syntax that is presented in Example 6-12.

Table 6-11 Named Extended IPv4 ACL Example Denying Telnet from a Subnet
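The "troublemaker" and "badgroup" lists above, together with the sequence-number editing described under Examples 6-9 and 6-10, as one added configuration that is not the page's own. The list names and addresses come from the text; the hostname, the numbered list 2, and the show output shown are assumed (Cisco IOS Release 12.3 or later).

```cisco
! Added example (not the page's Examples 6-9 through 6-12): two named
! extended ACLs for E0, then in-place editing with sequence numbers.
! Hostname, numbered list 2 and the show output are assumed.
!
! "troublemaker": drop all IP traffic from one host, permit the rest.
Router(config)# ip access-list extended troublemaker
Router(config-ext-nacl)# deny ip host 172.16.4.13 any
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
!
! "badgroup": drop Telnet from one subnet, permit the rest.
Router(config)# ip access-list extended badgroup
Router(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 any eq telnet
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
!
! Only one ACL per protocol, direction and interface: apply one of them.
Router(config)# interface ethernet 0
Router(config-if)# ip access-group troublemaker out
Router(config-if)# end
!
! IOS numbers the entries 10, 20, ... automatically (output is representative).
Router# show access-lists troublemaker
Extended IP access list troublemaker
    10 deny ip host 172.16.4.13 any
    20 permit ip any any
!
! Insert a line between 10 and 20 without rebuilding the list, then delete
! a single entry by its sequence number.
Router# configure terminal
Router(config)# ip access-list extended troublemaker
Router(config-ext-nacl)# 15 deny tcp 172.16.4.0 0.0.0.255 any eq telnet
Router(config-ext-nacl)# no 15
Router(config-ext-nacl)# exit
!
! The same editing mode reaches a numbered list when its number is used as
! the name (standard list 2 is assumed to exist already).
Router(config)# ip access-list standard 2
Router(config-std-nacl)# 5 deny host 172.16.4.14
Router(config-std-nacl)# exit
!
! When the gaps between sequence numbers are used up, renumber the list
! (start at 100, step by 10).
Router(config)# ip access-list resequence troublemaker 100 10
Router(config)# end
```

Because the list stays applied to E0 while it is edited, there is no window in which the interface runs without a filter, which is the practical advantage over deleting and re-entering a numbered list. Check show access-lists after each change so that a new entry did not land below the permit ip any any line, where it would never be reached.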

Adding Comments to Named or Numbered ACLs

Comments, also known as remarks, are ACL statements that are not processed. They are simple descriptive statements you can use to better understand and troubleshoot either named or numbered ACLs.

Each remark line is limited to 100 characters. The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. It would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements. To add a comment to a named IP ACL, use the command remark remark in access list configuration mode. To add a comment to a numbered IP ACL, use the command access-list

The following is an example of adding a comment to a numbered ACL:
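An added example of remarks in both a numbered and a named ACL (not taken from the page). The addresses, the list number 110, the list name mgmt-in and the hostname are assumed.

```cisco
! Added example (not the page's own): remarks in a numbered and in a named
! ACL. Addresses, list number 110, list name mgmt-in and hostname are assumed.
! Each remark sits immediately before the line it describes, and that
! placement is kept consistent throughout both lists.
Router(config)# access-list 110 remark Mail relay may reach the internal SMTP server
Router(config)# access-list 110 permit tcp host 10.2.2.25 host 10.1.1.20 eq smtp
Router(config)# access-list 110 remark Everything else is dropped by the implicit deny
!
Router(config)# ip access-list extended mgmt-in
Router(config-ext-nacl)# remark SSH to the router from the management subnet only
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 22
Router(config-ext-nacl)# remark Let echo requests from the management subnet through
Router(config-ext-nacl)# permit icmp 192.168.1.0 0.0.0.255 any echo
Router(config-ext-nacl)# end
!
! Remarks live only in the configuration: show access-lists does not print
! them, so read them back from the running configuration.
Router# show access-lists 110
Router# show running-config | include access-list 110
Router# show running-config | section ip access-list extended mgmt-in
```

Keep each remark under the 100-character limit and write it as the intent of the statement ("management subnet only") rather than a restatement of the addresses, which the statement already shows.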

About the author

Prasanna
