Functions of an Access List
Objective:
- Describe the purpose and types of ACLs
At this point, we have discussed a few access list uses in passing; however, the truth is that you will rarely encounter a major function of a Cisco router that does not require an access list in some way. For the CCNA exam, you should be aware of the following access list functions:
- Packet filtering
- Quality of service (QoS)
- Dial-on-demand routing (DDR)
- Network Address Translation (NAT)
- Route filtering
EXAM ALERT
Although you may be required to understand some of the common applications of access lists on the CCNA exam, you will be required only to demonstrate proficiency in configuring access lists for packet filtering and NAT.
Packet Filtering
Of course, packet filtering is the most well-known application of access lists. This access list application enables you to turn your router into a basic firewall. By using these foundation IOS features, you can begin filtering traffic inbound or outbound from any interface on your router. Depending on the type of access list you use, you can filter traffic based on the source address (standard access list) or based on the source and destination address, along with protocol and port number (extended access list).
CAUTION
As soon as you apply an access list for packet filtering inbound or outbound on an interface, the router must begin comparing every packet against the access list. Depending on the size and matching criteria of your access list, this can cause significant processor load.
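The two list types described above, shown as an added IOS configuration example that is not from the original text. Interface names, addresses and list numbers are assumed for illustration.

```cisco
! Standard ACL (numbers 1-99): matches on source address only.
! The wildcard mask 0.0.0.255 means "match the first three octets exactly".
access-list 10 deny   192.168.50.0 0.0.0.255
access-list 10 permit any
!
! Extended ACL (numbers 100-199): matches on source, destination,
! protocol and port. Only web traffic from the 192.168.1.0/24 LAN is
! allowed out; the explicit final deny makes the implicit deny visible
! in the log so dropped traffic can be seen during troubleshooting.
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 110 deny   ip any any log
!
! Nothing is filtered until a list is applied to an interface and direction.
interface FastEthernet0/0
 ip access-group 10 in
!
interface Serial0/0
 ip access-group 110 out
```

Statements are evaluated top down and the first match wins; a packet that matches no statement hits the implicit deny at the end of every list, which is why access list 10 needs its closing permit any.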
Quality of Service
With the emerging technology of Voice over IP (VoIP), it has become necessary to give unequal treatment to network traffic. For example, if a router is receiving a considerable amount of Web surfing traffic (HTTP) and a VoIP telephone call attempts to come through, the VoIP conversation should receive prioritization over the HTTP traffic to ensure high-quality voice conversations, even if it means dropping a few of the HTTP packets. This is the concept of Quality of Service (QoS). The QoS matching methods rely extensively on access lists to define what types of traffic are prioritized over others. In this case, you see access lists in the view that they are permitting traffic to be prioritized and denying others from gaining network priority.
Now, not all QoS methods seek the good of the traffic they match. There is a QoS method called traffic policing that limits the bandwidth available to a certain application. For example, a network may have problems with users using peer-to-peer file sharing applications, such as Napster, Kazaa, or Morpheus, and depleting the Internet connection bandwidth. In this case, a QoS policing policy can be defined to limit the bandwidth available to these application types. Here’s where the access list irony can be seen: The access list matches these applications (permits) and then restricts the amount of bandwidth they can use. The applications that are not matched (denied) do not have any bandwidth restrictions placed on them. In this access list function, from the application’s point of view, it is better to be denied than permitted. Are you beginning to see that an access list is just a list of statements? How you apply that access list determines the effect it has on the network traffic.
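The traffic policing case above, shown as an added IOS configuration example that is not from the original text. The port range, rate, interface and list numbers are assumed; the point is that the hosts the access list permits are the ones that get rate-limited.

```cisco
! Access list 120 "permits" the application traffic that is to be policed.
! The TCP/UDP port range is assumed for illustration only.
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any range 6881 6889
access-list 120 permit udp 192.168.1.0 0.0.0.255 any range 6881 6889
!
! Class map: anything matching access list 120 belongs to class P2P.
! Traffic the list denies (or does not match) falls into class-default
! and is not restricted at all.
class-map match-any P2P
 match access-group 120
!
! Policy map: hold class P2P to 128 kbps and drop the excess.
policy-map LIMIT-P2P
 class P2P
  police 128000 conform-action transmit exceed-action drop
!
! Apply the policy outbound toward the Internet.
interface Serial0/0
 service-policy output LIMIT-P2P
```

Here "permit" selects traffic for punishment, which is the irony the section describes: the same access-list statements used in a packet filter would have let this traffic through untouched.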
Dial-on-Demand Routing
Dial-on-demand routing encompasses any type of temporary (not always on) connection. Despite their “legacy” stereotype, dial-up connections are here to stay because no other connection type has proved to be as reliable as the circuit switched technology. Although many people immediately think of modem connections, ISDN BRI and PRI services also fit this profile. In recent years in the United States, the number of ISDN BRI connections has dropped drastically because of the emergence of cheaper connections that use DSL and cable modem technology. However, the number of ISDN connections overseas is enormous.
Now you might wonder: what does dial-on-demand routing have to do with access lists? Well, in this case, access lists do not define what traffic is permitted across the dial-on-demand connection; rather, they define what traffic is interesting enough to bring up the line. If you ever saw the movie Wayne’s World in the early 90s, there is a moment where the singer Alice Cooper walks by Wayne and Garth. Immediately, they fall to the ground yelling, “We’re not worthy!” In the same sense, you will create an access list that defines traffic that is “worthy” to dial the connection. Some ISDN connections charge a per-minute cost for being connected, so it may pay off to limit dial-up connections to certain traffic sources or packet types before the line is engaged.
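The "interesting traffic" idea above, shown as an added legacy DDR configuration example that is not from the original text. The interface, addresses and the dial string are placeholders.

```cisco
! Extended ACL 101 defines "interesting" traffic. Periodic RIP updates
! would otherwise dial the line every 30 seconds and keep a per-minute
! ISDN circuit up forever, so they are denied; all other IP is worthy.
access-list 101 deny   udp any any eq rip
access-list 101 permit ip any any
!
! dialer-list binds the ACL to dialer group 1. A "permit" here means
! "may bring up the line", not "may cross it".
dialer-list 1 protocol ip list 101
!
interface BRI0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 dialer-group 1
 dialer idle-timeout 120
 dialer string 5551212
```

Once the circuit is up, denied traffic such as the RIP updates still flows across it; it simply never triggers a dial and never resets the idle timer, so the line drops after 120 idle seconds even while routing updates continue.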
Network Address Translation
Network Address Translation (NAT) has been in widespread use for over a decade, and yet still never ceases to amaze me. There is perhaps no other configuration that gives you as much satisfaction in “beating the system” as NAT (other than using your neighbor’s wireless access point, of course). NAT theoretically allows more than 60,000 internal hosts to share a single, registered, public IP address to access the Internet. This has overcome the current public IP address shortage and extended the life of TCP/IP version four for years beyond what many thought possible.
EXAM ALERT
Because of the overwhelming popularity of NAT deployments, it is one of the newest topics to be added to the CCNA exam. You will be expected to configure NAT using the Cisco SDM for CCENT-level certification (covered in Chapter 20, “Enabling Internet Connectivity with NAT”). Configuring NAT from the command-line interface is required for CCNA-level certification (covered in Chapter 21, “Command-Line NAT Implementation”).
The way access lists are used in NAT is similar to the way they were used in dial-on-demand routing. The access lists define what source addresses are “worthy enough” to be transmitted. A permit statement in the access list applied to a NAT configuration says, “This host (or subnet) is permitted to be translated with NAT.” A deny statement in the same access list says, “This host (or subnet) is not permitted to be translated with NAT.” A deny statement does not prevent traffic from being sent; rather, it denies it from being translated with NAT before it is sent.
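The permit/deny semantics described above, shown as an added IOS NAT configuration example that is not from the original text. Interfaces and addresses are assumed; 203.0.113.2 is a documentation address standing in for a real public address.

```cisco
! Standard ACL 1 selects which inside source addresses are translated.
! deny = "forward untranslated", permit = "translate".
access-list 1 deny   host 192.168.1.200
access-list 1 permit 192.168.1.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Overload (PAT): every permitted host shares Serial0/0's public address.
ip nat inside source list 1 interface Serial0/0 overload
```

Note what the deny for 192.168.1.200 actually does: the router still forwards that host's packets out Serial0/0, but with their private source address intact. In practice the upstream provider drops or cannot return such packets, so the host loses Internet access without the router ever "blocking" it.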
Route Filtering
The final access list application covered in this text is route filtering. The routing protocols discussed so far, such as RIP, IGRP, EIGRP, and OSPF, all make it their mission to pass all known network routes to neighboring routers. In some network situations, this could cause a problem. Perhaps you don’t want the router to pass all routes to every router on your network.
For example, you might have some edge routers that connect to a partner company or an Internet-based peer. You could protect your network by using an access list to filter the routes that are sent to and received from this peer. A configuration known as a distribute list is most often used to apply the access list for this function. To set this up, you would configure an access list permitting only the networks you would like to send or receive (or denying the networks you would not like to send or receive, depending on your strategy). As discussed before, creating the access list does absolutely nothing, functionally speaking; it must be applied to take action. In the case of route filtering, you would apply the access list under router configuration mode, Router(config-router)#, for the routing protocol you would like to filter, by using the distribute-list <access_list_number> <in/out> syntax. Access list numbers are used to identify the access list you are referencing. For example, if I wanted to keep my routing protocol from sending the routes I have listed as “deny” routes in access list #50, I would use the syntax:
Router(config-router)# distribute-list 50 out
If I wanted to keep my router from receiving the routes I had listed as “deny” routes in access list #50, I would use the syntax:
Router(config-router)# distribute-list 50 in
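The two commands above placed in context, as an added IOS configuration example that is not from the original text. The routing protocol, the subnet being hidden and the interface name are assumed; access list 50 is the number the text uses.

```cisco
! Standard ACL 50 is matched against the route prefix, not a packet.
! Without the closing permit any, the implicit deny would filter
! every route and the neighbor would learn nothing.
access-list 50 deny   10.10.10.0 0.0.0.255
access-list 50 permit any
!
router rip
 version 2
 network 10.0.0.0
! Do not advertise denied routes to any neighbor
 distribute-list 50 out
! Refuse to learn denied routes from the peer on Serial0/0 only
 distribute-list 50 in Serial0/0
```

The optional interface argument on distribute-list narrows the filter to one neighbor, which is the usual shape for a partner or Internet peer: routes are filtered on the untrusted link while the rest of the network still exchanges them freely. Verify the result with show ip route on the receiving side, since a route filtered on the way out is simply absent there.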