Configuring ACLs
This section describes the steps to configure named and numbered, standard and extended ACLs. This section also explains how to verify that the ACLs function properly and discusses some common configuration errors to avoid.
Standard IPv4 ACLs, numbered 1 to 99 and 1300 to 1999 or named, filter packets based on a source address and mask, and they permit or deny the entire TCP/IP protocol suite. This standard ACL filtering may not provide the filtering control you require. You may need a more precise way to filter your network traffic. Figure 6-12 illustrates that standard access lists check only the source address in the IPv4 packet header.
Figure 6-12 Standard IPv4 Access Lists
Configuring Numbered Standard IPv4 ACLs
To configure numbered standard IPv4 ACLs on a Cisco router, you must create a standard IPv4 ACL and activate an ACL on an interface. The access-list command creates an entry in a standard IPv4 traffic filter list.
The ip access-group command links an existing ACL to an interface. Only one ACL per protocol, per direction, and per interface is allowed.
NOTE To remove an IP ACL from an interface, first enter the no ip access-group name/number [in|out] command on the interface; then enter the global no access-list name/number command to remove the entire ACL.
The following provides an example of the steps that are required to configure and apply a numbered standard ACL on a router:
Step 1 Use the access-list global configuration command to create an entry in a standard IPv4 ACL.
RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Enter the global no access-list access-list-number command to remove the entire ACL. The example statement matches any address that starts with 172.16.x.x. You can use the remark option to add a description to your ACL.
Step 2 Use the interface configuration command to select an interface to which to apply the ACL.
RouterX(config)# interface ethernet 1
After you enter the interface command, the command-line interface (CLI) prompt changes from (config)# to (config-if)#.
Step 3 Use the ip access-group interface configuration command to activate the existing ACL on an interface.
RouterX(config-if)# ip access-group 1 out
To remove an IP ACL from an interface, enter the no ip access-group access-list-number command on the interface.
This step activates the standard IPv4 ACL 1 on the interface as an outbound filter.
Example: Numbered Standard IPv4 ACL—Permit My Network Only
For the network shown in Figure 6-13, you want to create a list to prevent traffic that is not part of the internal networks (172.16.0.0/16) from traveling out either of the Ethernet interfaces.
Figure 6-13 Standard ACL Permitting a Specific Network
The configuration in Example 6-2 provides a solution for this example.
Example 6-2 Access List Preventing All Non-172.16.0.0 Traffic
RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
RouterX(config)# interface ethernet 1
RouterX(config-if)# ip access-group 1 out
Table 6-2 describes the command syntax that is presented in Example 6-2.
Table 6-2 Numbered Standard IPv4 ACL Example Permitting a Specific Network
This ACL allows only traffic from source network 172.16.0.0 to be forwarded out on E0 and E1.
Traffic from networks other than 172.16.0.0 is blocked.
Example: Numbered Standard IPv4 ACL—Deny a Specific Host
For the network shown in Figure 6-14, you want to create a list to prevent traffic that originates from host 172.16.4.13 from traveling out Ethernet interface E0.
Figure 6-14 Standard ACL Denying a Specific Host
The configuration in Example 6-3 provides a solution for this example.
Example 6-3 Access List Preventing Traffic Originating from a Specific Host
RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
Table 6-3 describes the command syntax that is presented in Example 6-3.
Table 6-3 Numbered Standard IPv4 ACL Example Denying a Specific Host
This ACL is designed to block traffic from a specific address, 172.16.4.13, and to allow all other traffic to be forwarded on interface Ethernet 0. The 0.0.0.0 255.255.255.255 IP address and wildcard mask combination permits traffic from any source. This combination can also be written using the keyword any.
Example: Numbered Standard IPv4 ACL—Deny a Specific Subnet
In Figure 6-15, the goal is to create a list to prevent traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.
Figure 6-15 Standard ACL Denying a Specific Subnet
The configuration in Example 6-4 provides a solution for this example.
Example 6-4 Access List Preventing Traffic Originating from a Specific Subnet
RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
Table 6-4 describes the command syntax that is presented in Example 6-4.
Table 6-4 Numbered Standard IPv4 ACL Example Denying a Specific Subnet
This ACL is designed to block traffic from a specific subnet, 172.16.4.0, and to allow all other traffic to be forwarded out E0.
Controlling Access to the Router Using ACLs
To control traffic into and out of the router (not through the router), you will protect the router virtual ports. A virtual port is called a vty. By default, there are five such virtual terminal lines, numbered vty 0 through vty 4. When configured, Cisco IOS Software images can support more than five vty ports.
Restricting vty access is primarily a technique for increasing network security and defining which addresses are allowed Telnet access to the router EXEC process.
Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a higher-level protocol. Because you are filtering incoming or outgoing Telnet sessions by source addresses and applying the filter using the access-class command to the vty lines, you can use standard IP ACL statements to control vty access.
Example 6-5 demonstrates how to limit access to the Telnet process.
Example 6-5 Access List Preventing Telnet Activity
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
access-class 12 in
In this example, you permit any device on network 192.168.1.0 0.0.0.255 to establish a virtual terminal (Telnet) session with the router. Of course, the user must know the appropriate passwords to enter user mode and privileged mode.
Notice that identical restrictions have been set on every vty line (0 to 4) because you cannot control on which vty line a user will connect. The implicit deny any statement still applies to the ACL when it is used as an access class entry.
Configuring Numbered Extended IPv4 ACLs
For more precise traffic-filtering control, use extended IPv4 ACLs, numbered 100 to 199 and 2000 to 2699 or named, which check for the source and destination IPv4 address. In addition, at the end of the extended ACL statement, you can specify the protocol and optional TCP or User Datagram Protocol (UDP) application to filter more precisely. Figure 6-16 illustrates the IP header fields that can be examined with an extended access list.
Figure 6-16 Extended IPv4 Access Lists
To specify an application, you can configure either the port number or the name of a well-known application. Table 6-5 shows an abbreviated list of some well-known port numbers of the various TCP applications.
Table 6-5 Well-Known Port Numbers and IP Protocols
To configure numbered extended IPv4 ACLs on a Cisco router, create an extended IPv4 ACL and activate that ACL on an interface. Use the access-list command to create an entry to express a condition statement in a complex filter. The full command follows:
access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Table 6-6 Command Parameters for a Numbered Extended ACL
The syntax of the access-list command that is presented here is representative of the TCP protocol form. Not all parameters and options are given. For the complete syntax of all forms of the command, refer to the appropriate Cisco IOS Software documentation available at Cisco.com.
Extended ACL with the established Parameter
In Example 6-6, the established parameter of the extended ACL allows responses to traffic that originate from the mail host, 128.88.1.2, to return inbound on the serial 0 interface. A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, the mail host could only receive SMTP traffic but not send it.
Example 6-6 Access List Permitting Responses to an Originating Mail Host
access-list 102 permit tcp any host 128.88.1.2 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
interface serial 0
ip access-group 102 in
The ip access-group command links an existing extended ACL to an interface. Only one ACL per protocol, per direction, and per interface is allowed.
Table 6-7 defines the parameters of the ip access-group command.
Table 6-7 ip access-group Command Parameters
The following list shows the steps that are required to configure and apply an extended ACL on a router:
Step 1 Define an extended IPv4 ACL. Use the access-list global configuration command.
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Use the show access-lists command to display the contents of the ACL. In the example, access-list 101 denies TCP traffic from source 172.16.4.0, using the wildcard 0.0.0.255, to destination 172.16.3.0, using the wildcard 0.0.0.255, on port 21 (the FTP control port).
Step 2 Select a desired interface to be configured. Use the interface global configuration command.
RouterX(config)# interface ethernet 0
After the interface command is entered, the CLI prompt changes from (config)# to (config-if)#.
Step 3 Link the extended IPv4 ACL to an interface. Use the ip access-group interface configuration command:
RouterX(config-if)# ip access-group 101 in
Use the show ip interfaces command to verify that an IP ACL is applied to the interface.
Numbered Extended IP ACL: Deny FTP from Subnets
For the network in Figure 6-17, you want to create a list to prevent FTP traffic that originates from the subnet 172.16.4.0/24, going to the 172.16.3.0/24 subnet, from traveling out Ethernet interface E0.
Figure 6-17 Extended ACL Denying FTP from One Subnet to Another
The configuration in Example 6-7 provides a solution for this example.
Example 6-7 Access List Preventing FTP Traffic from Specific Subnets
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out
Table 6-8 describes the command syntax presented in Example 6-7.
Table 6-8 Numbered Extended IPv4 ACL Example Denying FTP Between Subnets
The deny statements deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0. The permit statement allows all other IP traffic out interface E0.
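The following Python model is an added example, not code from the book or from Cisco IOS: it reproduces how the router evaluates the standard ACL of Example 6-3, the established ACL of Example 6-6, and the extended ACL of Example 6-7, including wildcard-mask matching, top-down first match, the implicit deny at the end of every list, and the ACK/RST test behind the established keyword. The Packet class and its fields are assumptions made for the model; the addresses and ports come from the chapter's examples.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Packet:                    # assumed representation of the fields the ACL inspects
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp" or "udp"
    dport: Optional[int] = None  # destination port for tcp/udp
    ack_or_rst: bool = False     # TCP ACK or RST set, i.e. part of an existing connection

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"            # a standard ACL entry matches the whole IP suite
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return p.ack_or_rst or not self.established   # 'established' needs ACK or RST

def evaluate(acl: list[Entry], p: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit 'deny any'."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"

# Example 6-3: deny host 172.16.4.13, permit any (standard ACL 1)
ACL_1 = [Entry("deny", "172.16.4.13", "0.0.0.0"), Entry("permit", *ANY)]

# Example 6-6: inbound on serial 0, return traffic to the mail host plus new SMTP sessions
ACL_102 = [Entry("permit", *ANY, "tcp", "128.88.1.2", "0.0.0.0", established=True),
           Entry("permit", *ANY, "tcp", "128.88.1.2", "0.0.0.0", 25)]

# Example 6-7: deny FTP (21 and 20) from 172.16.4.0/24 to 172.16.3.0/24, permit other IP
ACL_101 = [Entry("deny", "172.16.4.0", "0.0.0.255", "tcp", "172.16.3.0", "0.0.0.255", 21),
           Entry("deny", "172.16.4.0", "0.0.0.255", "tcp", "172.16.3.0", "0.0.0.255", 20),
           Entry("permit", *ANY, "ip")]
```

Note that a TCP SYN to the mail host on a port other than 25 is dropped by ACL_102 even though the host itself is permitted: the established entry only passes packets that already carry ACK or RST.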
Numbered Extended ACL: Deny Only Telnet from Subnet
For the network in Figure 6-18, you want to create a list to prevent Telnet traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.
Figure 6-18 Extended ACL Denying Telnet from a Given Subnet
The configuration in Example 6-8 provides a solution for this example.
Example 6-8 Access List Preventing Telnet Traffic from a Specific Subnet
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out
This example denies Telnet traffic from 172.16.4.0 that is being sent out interface E0. All other IP traffic from any other source to any destination is permitted out E0. Table 6-9 describes the command syntax that is presented in the example.
Table 6-9 Numbered Extended IPv4 ACL Example Denying Telnet from a Subnet
Configuring Named ACLs
The named ACL feature allows you to identify standard and extended IP ACLs with an alphanumeric string (name) instead of the current numeric representations. Named IP ACLs allow you to delete individual entries in a specific ACL. If you are using Cisco IOS Release 12.3 or later, you can use sequence numbers to insert statements anywhere in the named ACL. If you are using a software version earlier than Cisco IOS Release 12.3, you can insert statements only at the bottom of the named ACL. Because you can delete individual entries with named ACLs, you can modify your ACL without having to delete and then reconfigure the entire ACL. Use named IP ACLs when you want to intuitively identify ACLs.
Creating Named Standard IP ACLs
The following list shows the steps that are required to configure and apply a named standard IP ACL on a router:
Step 1 Define a standard named IPv4 ACL. Use the ip access-list standard global configuration command.
RouterX(config)# ip access-list standard name
Define the list using a unique name. A descriptive name can be helpful when examining the configuration of the router.
Step 2 Enter one of the following commands to establish test parameters:
RouterX(config-std-nacl)# [sequence-number] deny {source [source-wildcard] | any}
RouterX(config-std-nacl)# [sequence-number] permit {source [source-wildcard] | any}
In access list configuration mode, specify one or more conditions permitted or denied. This determines whether the packet is passed or dropped. You can also use the sequence number to place the test parameter in a specific location within the list.
Step 3 Exit from named access list configuration mode:
RouterX(config-std-nacl)# exit
RouterX(config)#
Step 4 Select a desired interface to be configured. Use the interface global configuration command:
RouterX(config)# interface ethernet 0
After you enter the interface command, the CLI prompt changes from (config)# to (config-if)#.
Step 5 Link the named standard IPv4 ACL to an interface. Use the ip access-group interface configuration command:
RouterX(config-if)# ip access-group name in
Use the show ip interface command to verify that an IP ACL is applied to the interface.
Creating Named Extended IP ACLs
The steps required to configure and apply a named extended IP ACL on a router are as follows:
Step 1 Define an extended named IPv4 ACL. Use the ip access-list extended global configuration command.
RouterX(config)# ip access-list extended name
Define the list using a unique name. A descriptive name can be helpful when examining the configuration of the router.
Step 2 Enter the following command syntax to establish test parameters:
RouterX(config-ext-nacl)# [sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard [option]
In access list configuration mode, specify the conditions allowed or denied. You can use the keyword any to abbreviate an address of 0.0.0.0 with a wildcard mask of 255.255.255.255 for the source address, destination address, or both. You can use the keyword host to abbreviate a wildcard mask of 0.0.0.0 for the source address or destination address. Place the keyword host in front of the address.
Step 3 Exit from named access list configuration mode:
RouterX(config-ext-nacl)# exit
RouterX(config)#
Step 4 Select a desired interface to be configured. Use the interface global configuration command:
RouterX(config)# interface ethernet 0
After you enter the interface command, the CLI prompt changes from (config)# to (config-if)#.
Step 5 Link the named extended IPv4 ACL to an interface. Use the ip access-group interface configuration command:
RouterX(config-if)# ip access-group name in
Use the show ip interfaces command to verify that an IP ACL is applied to the interface.
You can take advantage of the sequence numbers in a named access list to add specific entries within an existing list. In Example 6-9, a new entry is added to a specified location within the access list.
Example 6-9 Confirming Added Entries to an Existing Access List
RouterX# show ip access-list
Standard IP access list MARKETING
    2 permit 10.4.4.2, wildcard bits 0.0.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
RouterX(config)# ip access-list standard MARKETING
RouterX(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
RouterX# show ip access-list
Standard IP access list MARKETING
    2 permit 10.4.4.2, wildcard bits 0.0.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    15 permit 10.5.5.5, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
Using the number of a standard access list as the name, you can also use this feature to place an entry in a specific location of a numbered access list. In Example 6-10, a new entry is added to a specified access list.
Example 6-10 Placing an Entry in a Numbered List Using the Name Function
RouterX# show ip access-list
Standard IP access list 1
    2 permit 10.4.4.2, wildcard bits 0.0.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
RouterX(config)# ip access-list standard 1
RouterX(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
RouterX(config-std-nacl)# end
RouterX# show ip access-list
Standard IP access list 1
    2 permit 10.4.4.2, wildcard bits 0.0.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    15 permit 10.5.5.5, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
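As an added illustration of the editing behaviour in Examples 6-9 and 6-10 (this is a model written for this section, not Cisco code), the following Python keeps a named standard ACL ordered by sequence number, inserts the new entry at sequence 15 between 10 and 20, deletes a single entry without rebuilding the list, and renders the result in the layout of the show ip access-list output above. The rule that an entry given without a sequence number receives the next multiple of 10, and the omission of "wildcard bits" for host entries, are assumptions about IOS behaviour that the chapter does not state.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class StdEntry:
    seq: int
    action: str                 # "permit" or "deny"
    addr: str
    wildcard: str = "0.0.0.0"   # 0.0.0.0 means a single host

    def render(self) -> str:
        # Assumed display rule: host entries print without "wildcard bits"
        if self.wildcard == "0.0.0.0":
            return f"    {self.seq} {self.action} {self.addr}"
        return f"    {self.seq} {self.action} {self.addr}, wildcard bits {self.wildcard}"

@dataclass
class NamedStandardAcl:
    name: str
    entries: list = field(default_factory=list)

    def add(self, action: str, addr: str, wildcard: str = "0.0.0.0",
            seq: Optional[int] = None) -> int:
        """Insert at an explicit sequence number, or append at the next multiple of 10 (assumed default)."""
        if seq is None:
            last = self.entries[-1].seq if self.entries else 0
            seq = (last // 10 + 1) * 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence number {seq} already in use")
        self.entries.append(StdEntry(seq, action, addr, wildcard))
        self.entries.sort(key=lambda e: e.seq)   # evaluation order is always sequence order
        return seq

    def remove(self, seq: int) -> bool:
        """Delete one entry, the named-ACL feature; the other entries are untouched."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.seq != seq]
        return len(self.entries) < before

    def show(self) -> str:
        """Render the list the way the show ip access-list output displays it."""
        header = f"Standard IP access list {self.name}"
        return "\n".join([header] + [e.render() for e in self.entries])

def example_6_9() -> NamedStandardAcl:
    """Rebuild the MARKETING list from Example 6-9 and insert the new entry at sequence 15."""
    acl = NamedStandardAcl("MARKETING")
    acl.add("permit", "10.4.4.2", "0.0.255.255", seq=2)
    acl.add("permit", "10.0.0.44", "0.0.0.255", seq=5)
    acl.add("permit", "10.0.0.1", "0.0.0.255", seq=10)
    acl.add("permit", "10.0.0.2", "0.0.0.255", seq=20)
    acl.add("permit", "10.5.5.5", "0.0.0.255", seq=15)   # lands between 10 and 20, not at the end
    return acl
```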
Named Extended ACL: Deny a Single Host from a Given Subnet
For the network shown in Figure 6-19, you want to create a list named “troublemaker” to prevent traffic that originates from the host 172.16.4.13 from traveling out Ethernet interface E0.
Figure 6-19 Named Extended ACL Denying a Single Host
The configuration in Example 6-11 provides a solution for this example.
Example 6-11 Access List Preventing Traffic from a Specific Host
RouterX(config)# ip access-list standard troublemaker
RouterX(config-std-nacl)# deny host 172.16.4.13
RouterX(config-std-nacl)# permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)# interface e0
RouterX(config-if)# ip access-group troublemaker out
Table 6-10 describes the command syntax that is presented in Example 6-11.
Table 6-10 Named Extended IPv4 ACL Example Denying a Single Host
Named Extended ACL—Deny Telnet from a Subnet
Using Figure 6-19 again, this time you want to create a list named “badgroup” to prevent Telnet traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.
The configuration in Example 6-12 provides a solution.
Example 6-12 Access List Preventing Telnet Traffic from a Specific Subnet
RouterX(config)# ip access-list extended badgroup
RouterX(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)# permit ip any any
RouterX(config-ext-nacl)# interface e0
RouterX(config-if)# ip access-group badgroup out
Table 6-11 describes the command syntax that is presented in Example 6-12.
Table 6-11 Named Extended IPv4 ACL Example Denying Telnet from a Subnet
Adding Comments to Named or Numbered ACLs
Comments, also known as remarks, are ACL statements that are not processed. They are simple descriptive statements you can use to better understand and troubleshoot either named or numbered ACLs.
Each remark line is limited to 100 characters. The remark can go before or after a permit or deny statement. Be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement; it would be confusing to have some remarks before the associated permit or deny statements and some remarks after them. To add a comment to a named IP ACL, use the command remark remark in access list configuration mode. To add a comment to a numbered IP ACL, use the command access-list access-list-number remark remark.
The following is an example of adding a comment to a numbered ACL:
access-list 101 remark Permitting_John to Telnet to Server
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
The following is an example of adding a comment to a named ACL:
ip access-list standard PREVENTION
remark Do not allow Jones subnet through
deny 171.69.0.0 0.0.255.255
More Resources