
8/9/2019 WP_Friebe_ACLs1

Expert Reference Series of White Papers

1-800-COURSES www.globalknowledge.com

Access Control Lists (ACLs)

Copyright 2009 Global Knowledge Training LLC. All rights reserved.

Access Control Lists (ACLs)
Al Friebe, Global Knowledge Instructor

Introduction

In this white paper, we'll take a look at access control lists, often referred to as access lists or ACLs (sometimes pronounced "ackels"). In Cisco IOS, ACLs are used for many things, including but not limited to:

• Filtering data packets (firewalling)
• Controlling Telnet or SSH access to a router or switch
• Filtering routing protocols
• Specifying Quality of Service (QoS)
• Controlling encryption
• Controlling NAT (Network Address Translation)
• Controlling Dial-on-Demand

The idea of an access list is straightforward: it permits some things, and denies others. What exactly is being permitted or denied varies according to the application of the ACL. Although access lists for other protocols (such as IPX, AppleTalk, MAC addresses, etc.) exist, we'll be focusing on IP access lists. In general, only routers and multi-layer switches understand IP access lists (but some Layer-2 switches are ACL-aware to some extent).

IP Access Lists

For example, let's say that traffic originating from a host with IP address 192.168.1.1 should be permitted to leave the FastEthernet0/0 interface. An ACL that would accomplish this would be:

Router#configure terminal
Router(config)#access-list 1 permit 192.168.1.1

The ACL resides in the running config, and can be seen with the command show access-lists. There are various options for this command, including show ip access-lists, show access-lists X where X is the ACL identifier, etc.

The ACL created above is now resident in memory, but will not take effect until it is placed into service in some manner. To place it outbound on the FastEthernet0/0 interface, the commands would be:

Router(config)#interface fastethernet0/0
Router(config-if)#ip access-group 1 out

To see the access lists that are outbound or inbound on an interface, use the command show ip interface. Note that the ip is required (if you don't specify the protocol, it won't show you the ACL information). This command also has options, such as the particular interface you're interested in, for example sh ip int f0/0.

As usual, commands can be abbreviated, so to create and apply the ACL, you could simply do:

Router#conf t
Router(config)#access-l 1 per 192.168.1.1
Router(config)#int f0/0
Router(config-if)#ip access-g 1 o

Find some shortcuts that work for you, and then use them!

In the ACL we created above, we have explicitly permitted traffic originating from the host with IP address 192.168.1.1, but what about other traffic? The default behavior of an access list is to deny all traffic that is not referenced by the list. In other words, it's as if there is a "deny everything else" at the bottom of the list. This is much better than having to deny every other IP address, of which there are over four billion possibilities!

It's commonly desired to permit and/or deny multiple hosts in a single list. What if we want to permit more hosts? Simply add more lines to the list. This can be accomplished by going back into global config mode and adding the lines. Building on the single-line list from above, let's add lines to ACL 1 to also permit packets from the hosts with addresses 192.168.1.2 and 192.168.1.3.

Router#conf t
Router(config)#access-list 1 permit 192.168.1.2
Router(config)#access-list 1 permit 192.168.1.3

If we examine ACL 1 with show access-list, we'll see that it now contains three lines, for 192.168.1.1, .2, and .3. It's important to realize that because the same ACL number was used for each line, all lines belong to that access list (ACL 1, in this case). Note that if the list is in effect on the interface while we are editing it, the changes take effect immediately (this can be dangerous, as we'll discuss later).

Let's create another ACL, this one denying traffic from the hosts with addresses 10.1.1.1, 10.1.1.2, and 10.1.1.3, and permitting all other addresses. Since this is a separate ACL, we'll use access list number 2:

Router#conf t
Router(config)#access-list 2 deny 10.1.1.1
Router(config)#access-list 2 deny 10.1.1.2
Router(config)#access-list 2 deny 10.1.1.3

The list we've just created will deny traffic from the specified hosts, but what about traffic from other hosts? Remember that ACLs deny all traffic that they don't explicitly permit, as if there was a "deny everything else" at

the bottom. In other words, this list denies all traffic! Obviously, we need to permit traffic from the other hosts, but it would be unreasonable to list the billions of them individually. Instead, we can use the any keyword, thus:

Router(config)#access-list 2 permit any

HINT: An ACL that contains only deny statements is either incomplete, or wrong!

Our ACL 2 will now deny traffic from the 10.1.1.1, .2 and .3 hosts, but permit traffic sourced from any other host. Again, as with ACL 1, the list doesn't actually take effect until it is placed in effect. Let's place it inbound on Serial2/1.

Router(config)#int s2/1
Router(config-if)#ip access-group 2 in

As before, we can see the list with sh access-l 2, and see its application on the interface with sh ip int s2/1.

To summarize the basics of access lists, ACLs:

• Are created in global config mode
• End with an implicit deny any (which you override only by ending the list with an explicit permit)
• Must be placed into service somewhere to have any effect

Thus, the commands

Router#conf t
Router(config)#access-list 3 deny 172.16.1.1
Router(config)#access-list 3 deny 172.16.1.2
Router(config)#access-list 3 deny 172.16.1.3
Router(config)#access-list 3 permit any
Router(config)#interface g1/2
Router(config-if)#ip access-group 3 out

will create an ACL 3 (denying traffic from hosts 172.16.1.1, .2 and .3, while permitting all other traffic), and place it in service on the GigEthernet1/2 interface in the outbound direction.

An ACL placed inbound on a router interface will control the traffic that's allowed to enter the router via that interface. You would think, therefore, that an ACL placed outbound on a router interface (such as ACL 3 above) would likewise control the traffic that's allowed to leave the router via that interface. This is also true, except for traffic that was generated by the router itself. In other words, an outbound ACL will affect only traffic attempting to transit the router, not traffic originated by the router.

Wildcard Mask (WCM)

Let's look at another example. In this case, we'd like to use ACL 4 inbound on the Serial1/1 interface to permit traffic from all hosts on the 192.168.1.0 network, and deny all other traffic. We could start as before:

Router#conf t
Router(config)#access-list 4 permit 192.168.1.1
Router(config)#access-list 4 permit 192.168.1.2

But wait, the Class C network 192.168.1.0 covers 254 hosts (192.168.1.1 through 192.168.1.254), which would require 254 lines in the ACL. Obviously listing each host address one by one is a non-scalable solution (and imagine what would happen with a Class B or a Class A network). What we need is a system to shorten the list. Such a system exists, and it makes use of a wildcard mask. The rules for IPv4 wildcard masks are simple:

• Wildcard masks are 32 bits long (just like IPv4 addresses).
• A 0 bit in a WCM means "match" the corresponding address bit.
• A 1 bit in a WCM means "ignore" the corresponding address bit.
• WCMs are represented in dotted-decimal (just like IPv4 addresses).
• WCMs follow addresses.

Okay, let's use a WCM to solve our example. What we want is to match the first three octets (the 192.168.1 part), and ignore the fourth octet. Thus, we could match the entire 192.168.1.0 network like this:

Router(config)#access-list 4 permit 192.168.1.0 0.0.0.255

How does it work? In ACL 4, you see that there is an address (192.168.1.0), followed by a wildcard mask (0.0.0.255). The first octet of the dotted-decimal WCM is a 0, which represents eight binary 0s. Since a 0 in a WCM means "match", these eight 0s in the WCM mean "match the first octet of the address" (the 192 part).

Likewise, the second and third octets of the WCM are also 0s, meaning that the second and third octets of the address (168 and 1, respectively) must be matched exactly. Finally, the fourth octet of the WCM is a 255, which is all 1s in binary. Since a 1 means "ignore", the ACL ignores the entire last octet of the address, meaning that it could have any value (0 through 255). Since this covers the range of legal host addresses on network 192.168.1.0, it meets the requirements stated above.

The only thing left to do is to place the ACL in service on the interface.

Router(config)#int serial 1/1
Router(config-if)#ip access-group 4 in

Those of us who are particularly geeky might have noticed that the permit statement above not only permits the range of legal hosts, it also permits the reserved addresses of 192.168.1.0 and 192.168.1.255 (the network and broadcast addresses). Since those addresses will never be assigned to hosts, this isn't an operational problem (bear in mind, though, that a standard ACL only checks the source address a packet claims to have; it cannot tell a legitimate host from one spoofing an address inside the permitted block). And one more thing: you'll recall that the default subnet mask for a Class C network is 255.255.255.0. If we simply flip the bits of the subnet mask (0s become 1s, 1s become 0s), we'd have 0.0.0.255, which is the wildcard mask we want. More on this later!

Note that we can also represent the permit any at the end of ACL 3 as:

Router(config)#access-list 3 permit 0.0.0.0 255.255.255.255

While this is syntactically correct, if you type it into a router, IOS will display it as permit any (which is easier to read), so that's the way you might as well enter it.

Now that we have a neat method of representing large blocks of addresses, let's write and apply an ACL that will deny packets sent from hosts with private addresses, and permit packets from hosts with public addresses. The first question, then, is what are the private and public addresses?

Per RFC 1918, the private address ranges are:

• Class A: 10.0.0.0/8
• Class B: 172.16.0.0/12
• Class C: 192.168.0.0/16

For our purposes, everything else in the Class A, B, and C ranges is public (strictly speaking there are other special-purpose blocks, such as 127.0.0.0/8 and 169.254.0.0/16, but RFC 1918 is what we're filtering here). Thus, we need an ACL that denies the above-listed address ranges, and permits everything else. Let's use ACL 5, and place it on Serial0/0.123 (a Frame Relay subinterface) outbound. We'll take it one line at a time. First, let's handle network 10.0.0.0, a Class A network. Since we're interested in matching the network portion (the first octet), and ignoring the host portion (the last 3 octets), the wildcard mask should be 0.255.255.255. Thus, the first line in ACL 5 is:

Router(config)#access-list 5 deny 10.0.0.0 0.255.255.255

Next, we'll look at the second line, which involves the Class B address space 172.16.0.0/12. Note that the mask here is a /12, not the default Class B mask of /16. As you may recall from route summarization, moving 4 bits to the left (from 16 to 12) results in a block of 16 (2^4) networks. Therefore, this address space encompasses the 172.16.0.0 through 172.31.0.0 networks. We could list these 16 networks individually, thus:

Router(config)#access-list 5 deny 172.16.0.0 0.0.255.255
Router(config)#access-list 5 deny 172.17.0.0 0.0.255.255
(12 more lines for 172.18 through 172.29 go here)
Router(config)#access-list 5 deny 172.30.0.0 0.0.255.255
Router(config)#access-list 5 deny 172.31.0.0 0.0.255.255

Note that the wildcard mask on each line is 0.0.255.255 because we care about the first two octets (the network portion) but not about the last two (the host portion).

There is, however, a more elegant way. In fact, we can cover the Class B private networks in one line. Since the mask on the Class B address space is a /12, it means that we only care about the first 12 bits of the address space, and can ignore the last 20 (remember, there are a total of 32 bits in an address). Since a 0 in a WCM means "match" the corresponding address bit, and a 1 means "ignore", the WCM in binary would be twelve 0s, followed by twenty 1s, thus:

00000000.00001111.11111111.11111111

This can be represented in dotted-decimal as 0.15.255.255, which is the format we want for a wildcard mask. Another method for determining the WCM is to note that a /12 (the mask specified with the address space) is 255.240.0.0, and if we simply flip the bits, we get 0.15.255.255, which is exactly the WCM we need. An easy way to flip the bits is to just subtract each octet of a mask (255.240.0.0) from 255:

First octet: 255 - 255 = 0
Second octet: 255 - 240 = 15
Third octet: 255 - 0 = 255
Fourth octet: 255 - 0 = 255

Since the address space begins with 172.16.0.0, and the WCM is 0.15.255.255, the second line of the ACL should be:

Router(config)#access-list 5 deny 172.16.0.0 0.15.255.255

Next, we need to take care of the Class C address space. Notice that the mask specified is a /16. Since the default mask for a Class C is /24, and /16 is 8 bits to the left of that, this represents a block of 256 (2^8) Class C networks (those starting with 192.168). Similar to what we did with the Class B block, we can just flip the bits of the summary mask (/16, or 255.255.0.0) to get 0.0.255.255, which is the wildcard mask we need (match the first 2 octets of 192.168, and ignore the last 2). Since the address space starts with 192.168.0.0, the third line of ACL 5 should be:

Router(config)#access-list 5 deny 192.168.0.0 0.0.255.255

What we have at this point is an ACL that denies the private address space, but what about the public addresses? Remember that ACLs act as if they have a deny any at the bottom. We want to permit everything that wasn't denied, so we need to finish the ACL with a permit any line:

Router(config)#access-list 5 permit any

Altogether then, the list is:

Router(config)#access-list 5 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 5 deny 172.16.0.0 0.15.255.255
Router(config)#access-list 5 deny 192.168.0.0 0.0.255.255
Router(config)#access-list 5 permit any

Now, of course, we have to invoke it on the interface:

Router(config)#interface s0/0.123
Router(config-subif)#ip access-group 5 out

Keyword Host ACL

As our first example, we'll write an ACL 6 that permits packets sourced by the host with IP address 192.168.100.123, thus:

Router(config)#access-list 6 permit 192.168.100.123

We could also do this using a wildcard mask (WCM).

Router(config)#access-list 6 permit 192.168.100.123 0.0.0.0

Remember that a 0 in a wildcard mask bit position specifies a match in that bit of the address. Thus, a mask of all 0s in dotted-decimal (which represents 32 binary 0s) means "match all bits of the address exactly". If you omit the wildcard mask (as in the first example), a WCM of all 0s is assumed, thus the two versions of ACL 6 are functionally equivalent.

Interestingly enough, we can also write this ACL line a third way, by using the keyword host:

Router(config)#access-list 6 permit host 192.168.100.123

Note that when using this method, the keyword host is placed before the address, and that no wildcard mask is used. Thus there are three functionally equivalent methods for specifying a single host address in an ACL, and the router doesn't care which one you use.

• Specify the address, without a WCM
• Specify the address, followed by a WCM of all zeros
• Precede the address by the keyword host, with no WCM used

In a standard ACL (the type we've examined so far), I generally use the first option, because it's brief, concise, and specific (in other words, easy to type and read). The second option gains us nothing, so I never use it. The third option is also commonly used.

ACL for vty Lines

Now, let's put our ACL to work. This time, though, instead of using it to control user data flowing through a router's interfaces, we'll use it to enforce security on a router (or an IOS-based switch). To do this, instead of placing the ACL in service by using the ip access-group command on an interface, we'll use the access-class command on the vty (virtual terminal) lines, like this:

Router(config)#line vty 0 4
Router(config-line)#access-class 6 in

Remember that inbound Telnet sessions are via the vty lines. What the above commands do is place ACL 6 in use inbound on the vty lines, which has the effect of constraining inbound Telnet traffic to hosts permitted by ACL 6 (in this case, the host with address 192.168.100.123 only). Note that this ACL only affects Telnet traffic targeted to this router. It has no effect on traffic flowing through the router. One caveat: apply the access-class to every vty line the platform has (show line lists them). A device with vty 0 through 15 that restricts only vty 0 4 still accepts unrestricted sessions on the remaining lines.

Of course, you can also build more sophisticated ACLs using wildcard masks, and use them to control vty access. An example would be:

Router(config)#access-list 7 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 7 deny 172.16.0.0 0.15.255.255
Router(config)#access-list 7 deny 192.168.0.0 0.0.255.255
Router(config)#access-list 7 permit any
Router(config)#line vty 0 4
Router(config-line)#access-class 7 in

(Watch the wildcard mask on the 172.16.0.0 line: it must be 0.15.255.255 to cover all of 172.16.0.0/12, as worked out for ACL 5; 0.0.15.255 would deny only 172.16.0.0 through 172.16.15.255 and leave the rest of the block able to reach the vty lines.)

ACL 7 would permit any public address to Telnet to this router, but block attempts at Telnet from any private address. Note that we are placing the ACL inbound on the vty lines, which controls Telnet access to the router. If you place the ACL in service outbound on the vty lines, it will affect the router's being used as the middleman in a string of Telnet sessions. For example, let's say that R1 wants to Telnet to R2. The ability of R1 to do this is controlled by R2's inbound vty ACL. If there is no inbound vty ACL on R2, then any host can freely Telnet into R2 (assuming that R2's vty password is known, of course).

Now, assuming that R1 has used Telnet to access R2, the ability of R1 to then Telnet onward from R2 to another host would be controlled by R2's outbound vty ACL. If there is no outbound vty ACL on R2, then R1 could freely Telnet to any other host via R2 (assuming that the target host's Telnet password is known).

Note that when the ACL is used inbound on the vty lines, the ACL specifies source addresses (from which hosts are inbound Telnet sessions into our router allowed). When the ACL is used outbound on the vty lines, the ACL specifies destination addresses (to which hosts are outbound Telnet sessions allowed). The latter is an unusual usage of a standard IP ACL, which normally specifies source addresses only.

Okay, now it's Quiz Time: let's suppose that the following commands are placed on our router. What effect do they have?

Router(config)#access-list 8 permit 172.16.1.1
Router(config)#access-list 9 permit 10.1.2.3
Router(config)#line vty 0 4
Router(config-line)#access-class 8 in
Router(config-line)#access-class 9 out

Since ACL 8 is placed inbound on the vty lines, it controls which hosts can Telnet into our router. In this case, only the host with address 172.16.1.1 will succeed (don't forget about the implicit deny any at the bottom of the ACL). Now, assuming that it has established a Telnet session with our router, to where could it Telnet from our router? That's controlled by ACL 9, which is in effect outbound on the vty lines. Because of ACL 9, if host 172.16.1.1 accesses our router by Telnet, it can only start Telnet sessions with host 10.1.2.3 while using our router as the middleman (again, don't forget the implicit deny at the end).

Note that host 172.16.1.1 (or any other host) can still Telnet through our router to anywhere. The ACLs placed on our router's vty lines are only controlling Telnet sessions for which our router is an endpoint. In other words, the access-class statements on the vty lines have absolutely no effect on data passing through our router, but only on Telnet sessions terminating at (or starting from) our router (or switch).

In addition to controlling Telnet access (TCP port 23), access-class statements on vty lines also affect SSH sessions (SSH provides an encrypted remote login in place of cleartext Telnet, and it uses TCP port 22). On a device that supports SSH it is also worth disabling Telnet on the vty lines altogether with transport input ssh, so that the access-class is a second line of defense rather than the only one. Finally, remember that ACLs can be used to control Telnet or SSH access to and from IOS-based switches, as well.

So why use access-class on the vty lines?

• It allows you to easily control Telnet and/or SSH sessions to a router or switch.
• It covers all of the data interfaces (and a large switch could have hundreds of data interfaces).
• It affects only Telnet and SSH traffic targeting our router or switch, not traffic traversing our router or switch.
• It uses standard ACLs, which are easier to write than extended ACLs.

That makes the vty access-class statement a slick solution. Let's move on; there's still a lot more to do with access lists.

Additional Tips and Tricks for Standard IP ACLs

This time we'll look at additional tips and tricks when using standard IP ACLs. Let's suppose that we're given ACL 10 (the lines have been labeled A through E to facilitate the upcoming discussion):

A. access-list 10 permit 10.1.2.3
B. access-list 10 deny 10.1.2.0 0.0.0.255
C. access-list 10 permit 10.1.0.0 0.0.255.255
D. access-list 10 deny 10.0.0.0 0.255.255.255
E. access-list 10 permit any

Based on ACL 10, what will happen to packets that are sourced from the following addresses?

1) 10.1.2.4
2) 172.16.1.1
3) 10.1.3.3
4) 10.1.2.3
5) 10.2.2.3

Here are the results:

Packet #1: Denied by line B
Packet #2: Permitted by line E

Packet #3: Permitted by line C
Packet #4: Permitted by line A
Packet #5: Denied by line D

Why is packet #1 denied, although it matches some permits in ACL 10? Remember, access lists are top-down, first-match. Since line B is the top-most match for packet #1, the packet is denied. Because of this, the order of the lines in an ACL can be critical. For example, let's say that we swap lines B and C in ACL 10, to obtain ACL 11:

(A) access-list 11 permit 10.1.2.3
(B) access-list 11 permit 10.1.0.0 0.0.255.255
(C) access-list 11 deny 10.1.2.0 0.0.0.255
(D) access-list 11 deny 10.0.0.0 0.255.255.255
(E) access-list 11 permit any

Now what happens to packet #1? Unlike ACL 10, with ACL 11 packet #1 is permitted (by line B). In fact, any 10.1.0.0/16 address will be permitted by line B, and will never make it to line C. For that reason, ACL 11, although syntactically correct, is logically inconsistent: line C is dead, and IOS accepts the list without complaint. The old programmer's rule of "Garbage in, garbage out" applies to ACLs as well.
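The two things the paper works through by hand, deriving a wildcard mask by flipping a subnet mask (ACL 5) and walking a standard ACL top-down, first-match (the ACL 10 quiz and the ACL 11 ordering problem), as an added Python example that is not part of the white paper or of IOS. The ACL lines are the paper's; the test addresses are constructed; shadowed_lines is a general form of the ACL 11 observation and is my addition.

```python
"""Wildcard masks and standard IP ACL evaluation (added example, not the paper's code)."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_mask(prefix_len: int) -> str:
    """Invert the subnet mask of a /prefix_len: /12 -> 255.240.0.0 -> 0.15.255.255."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(IPv4Address(subnet_mask ^ ALL_ONES))


def ace_for_network(number: int, action: str, cidr: str) -> str:
    """One numbered standard ACL line covering a CIDR block."""
    net = IPv4Network(cidr)
    return f"access-list {number} {action} {net.network_address} {wildcard_mask(net.prefixlen)}"


def parse_standard_ace(line: str) -> Tuple[str, int, int]:
    """(action, address, wildcard) for 'access-list N permit|deny SOURCE',
    where SOURCE is 'A', 'A WCM', 'host A' or 'any'."""
    tokens = line.split()
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "any":
        return action, 0, ALL_ONES
    if rest[0] == "host":
        return action, int(IPv4Address(rest[1])), 0
    addr = int(IPv4Address(rest[0]))
    wcm = int(IPv4Address(rest[1])) if len(rest) > 1 else 0  # no WCM given: 0.0.0.0 assumed
    return action, addr, wcm


def wc_match(addr: int, ace_addr: int, wcm: int) -> bool:
    """A 0 bit in the wildcard must match; a 1 bit is ignored."""
    return ((addr ^ ace_addr) & (wcm ^ ALL_ONES)) == 0


def evaluate(acl: List[str], source: str) -> Tuple[str, Optional[int]]:
    """Top-down, first-match.  Returns (action, index of the matching line);
    index None means the packet fell off the end into the implicit deny."""
    src = int(IPv4Address(source))
    for i, line in enumerate(acl):
        action, ace_addr, wcm = parse_standard_ace(line)
        if wc_match(src, ace_addr, wcm):
            return action, i
    return "deny", None


def shadowed_lines(acl: List[str]) -> List[int]:
    """Indices of lines that can never match because an earlier line already
    covers every address they could match (the ACL 11 problem)."""
    parsed = [parse_standard_ace(line) for line in acl]
    dead = []
    for k, (_, addr_k, wcm_k) in enumerate(parsed):
        for _, addr_j, wcm_j in parsed[:k]:
            # j covers k when k's "ignore" bits are a subset of j's and the two
            # addresses agree on every bit that j actually checks.
            subset = (wcm_k & (wcm_j ^ ALL_ONES)) == 0
            if subset and wc_match(addr_k, addr_j, wcm_j):
                dead.append(k)
                break
    return dead


# ACL 5 from the paper, generated from the RFC 1918 prefixes.
ACL_5 = [
    ace_for_network(5, "deny", "10.0.0.0/8"),
    ace_for_network(5, "deny", "172.16.0.0/12"),
    ace_for_network(5, "deny", "192.168.0.0/16"),
    "access-list 5 permit any",
]

# ACL 10 (lines A..E) and ACL 11 (B and C swapped), as in the paper.
ACL_10 = [
    "access-list 10 permit 10.1.2.3",
    "access-list 10 deny 10.1.2.0 0.0.0.255",
    "access-list 10 permit 10.1.0.0 0.0.255.255",
    "access-list 10 deny 10.0.0.0 0.255.255.255",
    "access-list 10 permit any",
]
ACL_11 = [
    "access-list 11 permit 10.1.2.3",
    "access-list 11 permit 10.1.0.0 0.0.255.255",
    "access-list 11 deny 10.1.2.0 0.0.0.255",
    "access-list 11 deny 10.0.0.0 0.255.255.255",
    "access-list 11 permit any",
]

if __name__ == "__main__":
    print("\n".join(ACL_5))
    for src in ("10.1.2.4", "172.16.1.1", "10.1.3.3", "10.1.2.3", "10.2.2.3"):  # quiz packets 1-5
        print(src, "ACL 10:", evaluate(ACL_10, src), "ACL 11:", evaluate(ACL_11, src))
    print("ACL 11 dead lines (0-based):", shadowed_lines(ACL_11))
```

Run directly it prints ACL 5 and the quiz results for ACLs 10 and 11. The shadow check is worth running on any list before it is applied: a line is dead when an earlier line ignores at least the same bits and agrees on the bits it does check, which is exactly how line C of ACL 11 becomes unreachable behind line B.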

ACL Editing

The ACL editing capabilities depend on the IOS version. Under older IOS (early 12.x and before), all you could do with a numbered ACL was:

• Add lines to the bottom (append)
• Delete the entire ACL

What you couldn't do was add lines anywhere other than at the bottom, or delete individual lines. If you wanted to do more extensive editing, you had to delete the list, and then recreate it. (Be careful doing that to a list that is still applied: while the ACL does not exist, the ip access-group still references it, and IOS treats an applied but undefined ACL as permitting everything.) With current IOS (12.4), you can add lines wherever you like or to the bottom, and delete individual lines as well as the entire ACL.

You access the enhanced editing capabilities via sequence numbers that IOS automatically adds to the lines. You can see the sequence numbers with show access-list. For example, given ACL 11 above, we would see:

Router#show access-list
Standard IP access list 11
    10 permit 10.1.2.3
    20 permit 10.1.0.0, wildcard bits 0.0.255.255
    30 deny 10.1.2.0, wildcard bits 0.0.0.255
    40 deny 10.0.0.0, wildcard bits 0.255.255.255
    50 permit any

Using the per-line sequence numbers, you can make the changes you desire.

Named ACLs

Another enhanced capability, named ACLs, was introduced with IOS 11.2. Let's take a look at creating a named standard ACL.

Router#conf t
Router(config)#ip access-list standard Block_RFC1918
Router(config-std-nacl)#

Note that the prompt now reads config-std-nacl, meaning that we're configuring a standard named ACL (with the case-sensitive name Block_RFC1918). Now let's add some lines to the list:

Router(config-std-nacl)#deny 10.0.0.0 0.255.255.255
Router(config-std-nacl)#deny 172.16.0.0 0.15.255.255
Router(config-std-nacl)#deny 192.168.0.0 0.0.255.255
Router(config-std-nacl)#permit any

You might recognize this as a list that denies the RFC 1918 private addresses, and permits the public addresses. Like numbered ACLs, a named ACL must be placed in service to have any effect, and that's done exactly as it is for a numbered list. For example, to control the data flowing outbound through FastEthernet0/0:

Router(config)#interface fa0/0
Router(config-if)#ip access-group Block_RFC1918 out

You can also use a named standard ACL to control Telnet and/or SSH access. As with a numbered list, the vty lines take access-class rather than ip access-group:

Router(config)#line vty 0 4
Router(config-line)#access-class Block_RFC1918 in

As with the numbered ACLs, named ACLs are assigned per-line sequence numbers that facilitate editing. You can also use the named ACL editor to create and edit numbered ACLs. Just use the number of the ACL as the name:

Router(config)#ip access-list standard 12
Router(config-std-nacl)#

In this mode a line is removed by its sequence number (no 30), and a new line is inserted at a chosen position by prefixing it with one (25 deny 10.1.2.0 0.0.0.255); a line entered without a prefix is appended with the next sequence number.

One more thing: with both named and numbered ACLs, you can add remarks. You add a remark to a numbered ACL like this:

Router(config)#access-list 13 remark This is my workstation
Router(config)#access-list 13 permit 10.1.2.3

Similarly, to add a remark to a named ACL, you would do:

Router(config)#ip access-list standard Permit_Me
Router(config-std-nacl)#remark This is my workstation
Router(config-std-nacl)#permit 10.1.2.3

You can have multiple remarks within a numbered or named ACL. Note that while the remarks don't appear with show access-list, they do appear with show run and show start.

Differences between Standard and Extended ACLs

Having discussed general ACL rules and syntax, let's now turn to the differences between standard and extended ACLs. As you might recall, numbered ACLs fall into several ranges.

• 1-99: Standard IP
• 100-199: Extended IP
• 1300-1999: Standard IP (expanded range)
• 2000-2699: Extended IP (expanded range)
• Other ranges for other protocols

Originally, the ranges for standard and extended IP ACLs were 1-99 and 100-199, respectively, but now that ACLs are used for so many things, a hundred or so of each might not be enough. For this reason, the expanded ranges were introduced. There are now a total of 799 standard (99 + 700) and 800 extended (100 + 700) numbered IP ACLs available.

So, aside from the different numerical ranges involved, what are the differences between a standard and an extended ACL? In addition to filtering by source address (which is all that a standard IP ACL can do), an extended IP ACL allows us to filter based on:

• Destination address
• Transport layer protocols
• Port numbers
• Other options

To see what this means, let's look at an example of an extended IP ACL.

access-list 101 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet

ACL 101 permits only Telnet traffic (TCP port 23) originating from source 1.2.3.4 and targeting host 5.6.7.8, and denies all other traffic (the implicit deny any also applies to extended ACLs). Note that the source address is given first (along with either the keyword host or a wildcard mask), followed by the destination address (also with either the keyword host or a WCM). You could also write ACL 101 using wildcard masks, like this:

access-list 101 permit tcp 1.2.3.4 0.0.0.0 5.6.7.8 0.0.0.0 eq telnet

The two choices are functionally equivalent, but for most humans the WCM format is harder to read than that using keyword host, so I personally avoid the 0.0.0.0 WCM. Note that, unlike a standard ACL, when specifying an address in an extended ACL, either the keyword host or a wildcard mask must be used. Attempting to write ACL 101 like this would result in a syntax error:

access-list 101 permit tcp 1.2.3.4 5.6.7.8 eq telnet

Here's another example of a syntactically correct extended IP ACL.

access-list 102 deny udp 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq tftp
access-list 102 permit ip any any

ACL 102 denies TFTP traffic (and only TFTP traffic) from any host on the 172.16.0.0/16 network going to any host on the 192.168.1.0/24 network, and permits everything else. Note that a permit any in an extended ACL must specify the protocol (ip, meaning anything in the IP suite), and both the source and destination addresses (any any).

Using Port Numbers

By the way, in our extended ACLs we've been using keywords for the common port numbers (Telnet = 23, TFTP = 69, etc.), but you can also use the port numbers, which means that ACL 102 could also be written like this:

access-list 102 deny udp 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq 69
access-list 102 permit ip any any

To get a list of the keywords for commonly used ports, you can use the question mark, like this (note the space in between the WCM and the ?):

access-list 102 deny udp 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq ?

Also, in addition to eq (equal-to), you can also specify gt (greater-than), lt (less-than), and other options. You can also use the question mark to view these.

Let's say that we want to permit traffic only to hosts on network 10.0.0.0, while denying everything else. Here's a possible solution.

access-list 103 permit ip any 10.0.0.0 0.255.255.255

ACL 103 applies to any protocol in the IP suite (due to the ip keyword), from any source (keyword any), going to any destination on the 10.0.0.0 network (note the WCM). Since no port or other option information was specified, the ACL applies to all ports and options.

Options

Speaking of options, let's look at a few of those. ICMP has many different message types (the ACL syntax treats them as options), one of them being echo, used by the ping application. Here's an ACL that will specifically deny pings, while permitting all other traffic:

access-list 104 remark This ACL stops pings
access-list 104 deny icmp any any echo
access-list 104 permit ip any any

If you really wanted to nail things down, you could deny not only pings (ICMP echoes), but also their replies (ICMP echo replies), like this:

access-list 105 remark This ACL stops pings and replies
access-list 105 deny icmp any any echo
access-list 105 deny icmp any any echo-reply
access-list 105 permit ip any any

As with standard IP ACLs, you can create named extended IP ACLs. For example, you could create a named ACL equivalent to ACL 105 like this:

Router#conf t
Router(config)#ip access-list ext stop_ping
Router(config-ext-nacl)#remark This ACL stops pings and replies
Router(config-ext-nacl)#deny icmp any any echo
Router(config-ext-nacl)#deny icmp any any echo-reply
Router(config-ext-nacl)#permit ip any any

Finally, you put an extended IP ACL in service the same way you do a standard IP ACL. For example, to put ACL 105 in effect outbound on the GigEthernet2/1 interface, you would do:

Router#conf t
Router(config)#int g2/1
Router(config-if)#ip access-group 105 out

Likewise, to place ACL stop_ping in force inbound on the Serial1/2 interface:

Router#conf t
Router(config)#int s1/2
Router(config-if)#ip access-group stop_ping in

Remember, ACL names are case-sensitive, and the underscore is not the same as the dash (hyphen). You need to place an ACL in service using exactly the same name as that used to create it.

Packet Filtering

We can use extended IP ACLs to filter packets based on source address, destination address, transport layer protocols, and other options, as follows:

access-list 106 permit tcp host 1.2.3.4 host 5.6.7.8 eq telnet

For a packet to be permitted by ACL 106, the following must be true:

• The transport layer protocol is TCP
• The source address is 1.2.3.4
• The destination address is 5.6.7.8
• The destination port is Telnet (port 23)

Why is it the destination port, and not the source port? It's because the port specification (eq telnet) follows the destination address (5.6.7.8). In ACL 106, since the source port is unspecified, it could be anything. What if instead we had written the ACL like this:

access-list 107 permit tcp host 1.2.3.4 eq telnet host 5.6.7.8

For a packet to be permitted by ACL 107, the following must be true:

• The transport layer protocol is TCP.
• The source address is 1.2.3.4.
• The source port is Telnet (port 23).
• The destination address is 5.6.7.8.

Thus, using an extended IP ACL gives us directional control that we don't have with a standard IP ACL. Let's look at an example:

access-list 108 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet
access-list 108 permit ip any any

Assuming that ACL 108 is placed in service correctly, it will prevent host 1.2.3.4 from opening a Telnet session to host 5.6.7.8. This is because when host 1.2.3.4 (the Telnet client) sends the TCP SYN to host 5.6.7.8 (the Telnet server), the addresses match the deny line, as does the destination port of 23 (Telnet) and the transport layer protocol (TCP). Thus, the SYN packet is denied, and the TCP session is never established.

  • 8/9/2019 WP_Friebe_ACLs1

    17/19

    Copyright 2009 Global Knowledge Training LLC. All rights reserved. 17

    WillACL108alsopreventhost5.6.7.8fromopeningaTelnetsessiontohost1.2.3.4?Rememberthatformostapplications,clientportsarechosenrandomlyintherangeof1024andabove.Letssaythatwhenhost5.6.7.8sTelnetclientprocessstarts,theIPstackin5.6.7.8assignsthatprocessaportnumberof2000.Now,when5.6.7.8sendsaTCPsyntohost1.2.3.4(theTelnetserver),eventhoughthedestinationportof23(theserver)matchesthatspeciedbythedenylineofACL108,asdoesthetransportprotocol(TCP),thesourceanddesti-nationaddressesdonotmatch(theaddressesarereversed).Sincethepacketdoesnotmatchthedenyline,its

    permittedbythepermitline.Thus5.6.7.8receivesthesynpacket,andtherstphaseoftheTCPthree-wayhandshake is successful.

    Next,theTelnetserver(1.2.3.4)willreplytotheclient(5.6.7.8)withasyn ack(thesecondphaseoftheTCPthree-wayhandshake).Forthispacket,theaddressesdomatchthosespeciedbythedenylineofACL108,asdoesthetransportprotocol(TCP),butthedestinationportdoesnt.Remember,theserver(1.2.3.4),usingport23(whichwouldbethesourceport),isreplyingtotheclient(5.6.7.8),atport2000(thedestinationport).Since2000isnotthedestinationportspeciedbythedenylineofACL108,thepacketdoesnotmatchthedeny line,andispermittedbythepermitline.Thus,the syn ackmakesitto5.6.7.8.

    When 5.6.7.8 then sends 1.2.3.4 an ack (to complete the three-way handshake), this packet is permitted as well, and the Telnet session has been successfully established. Thus, an extended IP ACL gives us directional control, which is both good and bad. It's good, because it gives us more flexibility, but it's bad because to deny traffic in both directions, we have to explicitly deny the traffic in both directions. In other words, to block Telnet bi-directionally between 1.2.3.4 and 5.6.7.8, but permit everything else, we could do this:

    access-list 109 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet

    access-list 109 deny tcp host 1.2.3.4 eq telnet host 5.6.7.8

    access-list 109 permit ip any any

    When blocking particular protocols, be careful to permit everything you intend to permit. What does ACL 110 permit?

    access-list 110 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet

    access-list 110 deny tcp host 1.2.3.4 eq telnet host 5.6.7.8

    access-list 110 permit tcp any any

    ACL 110 permits any TCP traffic that isn't Telnet, but it doesn't permit TFTP or VoIP (which use UDP) or ping (which uses ICMP). If you mean to permit ip (the entire protocol suite), then that's what you have to say. And remember that in addition to specifying an exact port (eq), you can also use lt, gt, or range (less-than, greater-than, or a range of port numbers, respectively).

    Similarly, what if we want to block pings (ICMP echoes) from host 1.2.3.4 to the 10.0.0.0 network? We could do:

    access-list 111 deny icmp host 1.2.3.4 10.0.0.0 0.255.255.255 echo

    access-list 111 permit ip any any


    Note that although ACL 111 will prevent host 1.2.3.4 from successfully pinging hosts on the 10.0.0.0 network, it will permit network 10.0.0.0 hosts to ping host 1.2.3.4. To block pings in both directions, you could also deny ICMP echo replies, like this:

    access-list 112 deny icmp host 1.2.3.4 10.0.0.0 0.255.255.255 echo

    access-list 112 deny icmp host 1.2.3.4 10.0.0.0 0.255.255.255 echo-reply

    access-list 112 permit ip any any
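To check the directional behaviour described for ACLs 108 and 109, the TCP-only gap in ACL 110, and the ICMP echo handling of ACLs 111 and 112 before a list goes into service, here is an added example that is not part of the white paper or of Cisco IOS: a minimal evaluator for the numbered extended ACL syntax used above (first match wins, implicit deny at the end) that replays the three packets of the Telnet handshake through a list. The port-keyword table and the packet dictionaries are simplifying assumptions of this example.

```python
from ipaddress import ip_address

def _addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = int(ip_address(tokens[1]))
        return (lambda ip: int(ip_address(ip)) == want), tokens[2:]
    net, wild = int(ip_address(tokens[0])), int(ip_address(tokens[1]))
    # A wildcard bit of 1 means "don't care", so only the zero bits are compared.
    return (lambda ip: (int(ip_address(ip)) & ~wild) == (net & ~wild)), tokens[2:]

def _port(tokens):
    """Optional 'eq PORT' qualifier; PORT is a number or a keyword (subset assumed here)."""
    if tokens and tokens[0] == "eq":
        return {"telnet": 23, "www": 80}.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse: access-list N permit|deny PROTO SRC [eq P] DST [eq P] [ICMP-TYPE] [log]."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, t = _addr(t[4:])
        sport, t = _port(t)
        dst, t = _addr(t)
        dport, t = _port(t)
        icmp_type = t[0] if proto == "icmp" and t and t[0] != "log" else None
        entries.append((action, proto, src, sport, dst, dport, icmp_type))
    return entries

def evaluate(entries, pkt):
    """First matching line wins; a packet matching no line hits the implicit deny."""
    for action, proto, src, sport, dst, dport, icmp_type in entries:
        if (proto in ("ip", pkt["proto"]) and src(pkt["src"]) and dst(pkt["dst"])
                and sport in (None, pkt.get("sport")) and dport in (None, pkt.get("dport"))
                and icmp_type in (None, pkt.get("icmp_type"))):
            return action
    return "deny"

def telnet_session_allowed(acl_text, client, server, client_port=2000):
    """Run the syn, syn ack and ack of a Telnet handshake (client port 2000, as in the
    text) through the ACL; the session is established only if all three are permitted."""
    c2s = dict(proto="tcp", src=client, sport=client_port, dst=server, dport=23)
    s2c = dict(proto="tcp", src=server, sport=23, dst=client, dport=client_port)
    entries = parse_acl(acl_text)
    return all(evaluate(entries, p) == "permit" for p in (c2s, s2c, c2s))
```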

    What other options are available with extended IP ACLs? As you might recall, both standard and extended IP ACLs now count the number of matches on each line, and this can be viewed with show access-lists. This allows you to monitor who is doing what, or, in the case of a deny, who is attempting to do what.

    With extended IP ACLs, you can go one step further, and have the ACL display console messages when matches occur. This is accomplished by appending the keyword log to lines of the ACL, like this:

    access-list 113 deny tcp host 1.2.3.4 host 5.6.7.8 eq telnet log

    access-list 113 deny tcp host 1.2.3.4 eq telnet host 5.6.7.8 log

    access-list 113 permit ip any any

    Note that in ACL 113, we didn't add the log option to the permit, because we aren't interested in the non-Telnet traffic, and don't want to see messages regarding that.

    There are many other things that can be done with extended IP ACLs. Consult the Cisco docs for examples, and don't forget to use the ? to check for available keywords and options with your particular version of IOS.

    Learn More

    Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

    ICND1 Interconnecting Cisco Network Devices 1

    ICND2 Interconnecting Cisco Network Devices 2

    CCNA Boot Camp

    For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative.

    Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

    About the Author

    Al Friebe is a Cisco Certified Systems Instructor (CCSI) who has been teaching networking classes since 1995. In the past, he has served as Global Knowledge's Course Director for BGP and BSCI, and he is the author of Global Knowledge's current ICND2 labs. His previous experience includes instructor duty in the U.S. Navy's Nuclear Power School, radiochemistry, software engineering, and network management. His certifications include CCDA, CCDP, CCNA, CCNP, A+ and others.