Thursday, October 14, 2010

Access Control List


Prerequisites

Requirements

There are no specific prerequisites for this document. The concepts discussed are present in Cisco IOS® Software Releases 8.3 or later. This is noted under each access list feature.

Components Used

This document discusses various types of ACLs. Some of these are present since Cisco IOS Software Releases 8.3 and others were introduced in later software releases. This is noted in the discussion of each type.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

ACL Concepts

This section describes ACL concepts.

Masks

Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 209.165.202.129 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the result determines which address bits are considered when the traffic is processed. A 0 bit in the mask means the corresponding address bit must match exactly; a 1 bit in the mask is a "don't care". This table further explains the concept.
Mask Example

network address (traffic that is to be processed)   10.1.1.0
mask                                                 0.0.0.255
network address (binary)                             00001010.00000001.00000001.00000000
mask (binary)                                        00000000.00000000.00000000.11111111


Based on the binary mask, you can see that the first three octets must match the given binary network address exactly (00001010.00000001.00000001). The last octet is all "don't care" bits (.11111111). Therefore, all traffic whose address begins with 10.1.1. matches, and with this mask the addresses 10.1.1.0 through 10.1.1.255 (10.1.1.x) are processed.

Subtract the normal mask from 255.255.255.255 in order to determine the ACL inverse mask. In this example, the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0.

255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)

Note these ACL equivalents.

The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".

The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".
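The mask rules above, worked in Python as an added example (this code is not from the Cisco document): inverse_mask() is the 255.255.255.255 subtraction, matches() is the bitwise test a router applies to each packet, and match_bounds() reports the address range an entry covers. The function names and the sample addresses are my own. The non-contiguous wildcard in the last lines goes beyond the page's examples to show that the bitwise rule does not require the 1 bits of the wildcard to be contiguous, which is a common source of surprising matches.

```python
"""Wildcard (inverse) mask arithmetic for IOS ACLs. Added example for this page, not Cisco code."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def inverse_mask(netmask):
    """ACL wildcard from a subnet mask: 255.255.255.255 minus the mask (the same as flipping every bit)."""
    return str(ipaddress.IPv4Address(ALL_ONES - _int(netmask)))


def matches(address, network, wildcard):
    """True when address matches network/wildcard: 0 bits in the wildcard must match, 1 bits are don't-care."""
    care = ALL_ONES ^ _int(wildcard)
    return (_int(address) & care) == (_int(network) & care)


def match_bounds(network, wildcard):
    """Lowest and highest matched address, and how many addresses match (2 to the power of the 1 bits)."""
    n, w = _int(network), _int(wildcard)
    low = n & (ALL_ONES ^ w)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w)), 1 << bin(w).count("1")


if __name__ == "__main__":
    print(inverse_mask("255.255.255.0"))                        # 0.0.0.255
    print(match_bounds("10.1.1.0", "0.0.0.255"))                # ('10.1.1.0', '10.1.1.255', 256)
    print(matches("10.1.1.77", "0.0.0.0", "255.255.255.255"))   # "any": True
    print(matches("10.1.1.3", "10.1.1.2", "0.0.0.0"))           # "host 10.1.1.2": False
    # Wildcards need not be contiguous: 0.0.254.255 keeps only the low bit of the third octet,
    # so 10.1.0.0 0.0.254.255 matches every 10.1.<even>.x address and no odd third octet.
    print(matches("10.1.4.9", "10.1.0.0", "0.0.254.255"), matches("10.1.5.9", "10.1.0.0", "0.0.254.255"))
```

When reviewing an ACL, run match_bounds() over every entry: an entry whose range is far wider than the comment beside it claims is the usual sign of a wildcard typed as a subnet mask (0.0.0.255 versus 255.255.255.0 match completely different address sets).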

ACL Summarization

Note: Subnet masks can also be represented as a fixed length notation. For example, 192.168.10.0/24 represents 192.168.10.0 255.255.255.0.

This list describes how to summarize a range of networks into a single network for ACL optimization. Consider these networks.

192.168.32.0/24
192.168.33.0/24
192.168.34.0/24
192.168.35.0/24
192.168.36.0/24
192.168.37.0/24
192.168.38.0/24
192.168.39.0/24
The first two octets and the last octet are the same for each network. This table shows how to summarize them into a single network.

The third octet of each network is written out below by bit position and the value of each bit. M marks a bit that is identical in all eight networks and therefore must match; ? marks a bit that varies and is therefore a "don't care".

Decimal   128  64  32  16   8   4   2   1
  32        0   0   1   0   0   0   0   0
  33        0   0   1   0   0   0   0   1
  34        0   0   1   0   0   0   1   0
  35        0   0   1   0   0   0   1   1
  36        0   0   1   0   0   1   0   0
  37        0   0   1   0   0   1   0   1
  38        0   0   1   0   0   1   1   0
  39        0   0   1   0   0   1   1   1
            M   M   M   M   M   ?   ?   ?

Since the first five bits match, the eight networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three low-order bits are present in the list, so the summary covers exactly these networks and nothing else. Subtracting 255.255.248.0 (normal mask) from 255.255.255.255 yields the wildcard 0.0.7.255. These commands define a named standard ACL that permits this network:

ip access-list standard acl_permit
 permit 192.168.32.0 0.0.7.255
Consider this set of networks for further explanation.

192.168.146.0/24
192.168.147.0/24
192.168.148.0/24
192.168.149.0/24
The first two octets and the last octet are the same for each network. This table shows how to summarize them.

The third octet of each network is written out below by bit position and the value of each bit. M marks a bit that is identical in all four networks and must match; ? marks a bit that varies and is a "don't care".

Decimal   128  64  32  16   8   4   2   1
 146        1   0   0   1   0   0   1   0
 147        1   0   0   1   0   0   1   1
 148        1   0   0   1   0   1   0   0
 149        1   0   0   1   0   1   0   1
            M   M   M   M   M   ?   ?   ?

Unlike the previous example, you cannot summarize these networks into a single network. Only the five high-order bits of the third octet are common to all four, so a single summary would be 192.168.144.0/21, which covers the networks 192.168.144.0 through 192.168.151.0. Of those, 192.168.144.0, 192.168.145.0, 192.168.150.0 and 192.168.151.0 are not in the given list of four networks, and an ACL built on that summary would permit (or deny) traffic you never intended to cover. To match exactly the networks in question you need a minimum of two summarized networks. The four networks can be summarized into these two:

For networks 192.168.146.x and 192.168.147.x, all bits match except for the last one, which is a "don't care." This can be written as 192.168.146.0/23 (or 192.168.146.0 255.255.254.0).

For networks 192.168.148.x and 192.168.149.x, all bits match except for the last one, which is a "don't care." This can be written as 192.168.148.0/23 (or 192.168.148.0 255.255.254.0).

This output defines a summarized ACL for the above networks.


!--- This entry permits devices with IP addresses in the range
!--- 192.168.146.0 through 192.168.147.255 (wildcard 0.0.1.255
!--- leaves the low nine bits as "don't care").

access-list 10 permit 192.168.146.0 0.0.1.255


!--- This entry permits devices with IP addresses in the range
!--- 192.168.148.0 through 192.168.149.255.

access-list 10 permit 192.168.148.0 0.0.1.255
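The summarization procedure above, worked in Python as an added example (not Cisco's code) using the standard library ipaddress module: common_supernet() is the "keep only the common high-order bits" step, summarize() produces the minimal set of aligned blocks that the hand method arrives at, overreach() lists the networks a too-broad single summary would drag in, and acl_lines() prints the resulting access-list entries with wildcard masks. The function names, the list number 10 and the FIRST_SET/SECOND_SET constants are my own assumptions; the networks in them are the two sets discussed in the text.

```python
"""Summarizing networks into ACL entries (added example, not from the Cisco document)."""
import ipaddress

# The two sets of networks discussed in the text.
FIRST_SET = [f"192.168.{i}.0/24" for i in range(32, 40)]      # 192.168.32.0/24 .. 192.168.39.0/24
SECOND_SET = [f"192.168.{i}.0/24" for i in range(146, 150)]   # 192.168.146.0/24 .. 192.168.149.0/24


def _nets(prefixes):
    return [ipaddress.IPv4Network(p) for p in prefixes]


def common_supernet(prefixes):
    """Smallest single block containing every prefix: keep only the high-order bits they all share."""
    nets = _nets(prefixes)
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()   # drop one more low-order bit from the prefix length
    return block


def summarize(prefixes):
    """Minimal set of aligned blocks that cover exactly the given prefixes (the hand method's result)."""
    return list(ipaddress.collapse_addresses(_nets(prefixes)))


def overreach(prefixes, candidate, prefixlen=24):
    """Networks of length prefixlen inside candidate that were not in the list: what a too-broad summary adds."""
    given = set(_nets(prefixes))
    return [str(s) for s in ipaddress.IPv4Network(candidate).subnets(new_prefix=prefixlen) if s not in given]


def wildcard(net):
    """ACL inverse mask: 255.255.255.255 minus the subnet mask; ipaddress already exposes it as hostmask."""
    return str(net.hostmask)


def acl_lines(number, prefixes):
    """Standard numbered ACL entries, one per summarized block."""
    return [f"access-list {number} permit {n.network_address} {wildcard(n)}" for n in summarize(prefixes)]


if __name__ == "__main__":
    for name, prefixes in (("first set", FIRST_SET), ("second set", SECOND_SET)):
        single = common_supernet(prefixes)
        print(name, "as one block:", single, "| extra networks:", overreach(prefixes, str(single)) or "none")
        print("\n".join(acl_lines(10, prefixes)))
```

The overreach() check is the one to keep: before you accept any summarized entry, enumerate what it matches beyond the networks you listed, because the extra networks are silently permitted or denied with the rest.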
Process ACLs

Traffic that comes into the router is compared to the ACL entries in the order in which they appear in the configuration. New statements are added to the end of the list. The router stops at the first entry that matches and applies that entry's action; a later entry never sees traffic that an earlier entry already matched. If no entry matches by the end of the list, the traffic is denied: every ACL ends with an implicit deny for traffic that is not explicitly permitted. For this reason, place the most frequently hit entries near the top of the list. A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked. These two ACLs (101 and 102) have the same effect.


!--- Permit IP traffic from the 10.1.1.0/24 network to the
!--- 172.16.1.0/24 network. Anything that does not match this
!--- source/destination pair falls through to the implicit deny.

access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

!--- The same permit entry followed by an explicit deny ip any any.
!--- The explicit deny blocks nothing the implicit deny would not
!--- already block; it only makes the denied traffic visible in the
!--- hit counters of show access-lists (and in syslog if you append
!--- the log keyword).

access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any any
In this example, the last entry is sufficient. You do not need the first three entries because TCP includes Telnet, IP includes TCP, User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP), and the host pair 10.1.1.2 to 172.16.1.1 lies inside the network pair 10.1.1.0/24 to 172.16.1.0/24 that the last entry covers.


!--- This command is used to permit Telnet traffic
!--- from machine 10.1.1.2 to machine 172.16.1.1.

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

!--- This command is used to permit tcp traffic from
!--- 10.1.1.2 host machine to 172.16.1.1 host machine.

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1

!--- This command is used to permit udp traffic from
!--- 10.1.1.2 host machine to 172.16.1.1 host machine.

access-list 101 permit udp host 10.1.1.2 host 172.16.1.1

!--- This command is used to permit ip traffic from
!--- 10.1.1.0 network to 172.16.1.0 network.

access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Define Ports and Message Types

In addition to defining ACL source and destination, it is possible to define ports, ICMP message types, and other parameters. A good source of information for well-known ports is RFC 1700 (now obsolete; the current assignments are kept in the IANA Service Name and Transport Protocol Port Number Registry). ICMP message types are explained in RFC 792.

The router can display descriptive text on some of the well-known ports. Use a ? for help.

access-list 102 permit tcp host 10.1.1.1 host 172.16.1.1 eq ?
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
During configuration, the router also converts numeric values to more user-friendly values. This is an example where you type the ICMP message type number and it causes the router to convert the number to a name.

access-list 102 permit icmp host 10.1.1.1 host 172.16.1.1 14
becomes

access-list 102 permit icmp host 10.1.1.1 host 172.16.1.1 timestamp-reply
Apply ACLs

You can define ACLs without applying them, but an ACL has no effect until it is applied to a router interface (with ip access-group, in the inbound or outbound direction). It is a good practice to apply the ACL on the interface closest to the source of the traffic. In the topology this example refers to, when you want to block traffic from source to destination, you apply an inbound ACL to E0 on router A instead of an outbound list to E1 on router C, so the traffic is dropped before it crosses the network.

Every access list ends with an implicit deny ip any any, and DHCP requests are a common casualty of it. A DHCP request seen by the router looks like this:

s=0.0.0.0 (Ethernet1/0), d=255.255.255.255, len 604, rcvd 2
UDP src=68, dst=67

The source IP address is 0.0.0.0, the destination address is 255.255.255.255, the source port is 68 (bootpc) and the destination port is 67 (bootps). Unless an inbound ACL explicitly permits this traffic, it is dropped by the implicit deny at the end of the list, and clients behind that interface never obtain an address.

Note: For UDP traffic to pass through, UDP traffic must also be permitted explicitly by the ACL.
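A first-match evaluator in Python, added here as an example and not Cisco code, that covers both the Process ACLs section (top-down matching, the implicit deny, the equivalence of lists 101 and 102, and the three redundant entries) and the DHCP note in this section. It models only the extended-list syntax used on this page. Packet, Entry, the PORT_NAMES table and the sample packets are constructed for the example; the bootps permit entry and its placement at the top of the list are assumptions, not a configuration from the document.

```python
"""First-match evaluation of extended IP ACLs (added example, not Cisco code).

Models only the syntax used on this page: permit/deny, protocols ip/tcp/udp/icmp,
'any', 'host A', 'A wildcard', and an optional 'eq <port>' after the destination.
"""
import ipaddress
from collections import namedtuple

ALL_ONES = 0xFFFFFFFF
PORT_NAMES = {"telnet": 23, "bootps": 67, "bootpc": 68}  # assumed subset of the IOS keywords

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))
Entry = namedtuple("Entry", "action proto src src_wc dst dst_wc dport text")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens, i):
    """Consume 'any', 'host A' or 'A wildcard'; return (address, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_entry(line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    src, src_wc, i = _addr_spec(tokens, 4)
    dst, dst_wc, i = _addr_spec(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport, line)


def _wc_match(addr, net, wc):
    """1 bits in the wildcard are don't-care; 0 bits must equal the entry's address."""
    care = ALL_ONES ^ wc
    return (addr & care) == (net & care)


def entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:   # 'ip' covers tcp, udp and icmp
        return False
    if not _wc_match(_ip(p.src), e.src, e.src_wc) or not _wc_match(_ip(p.dst), e.dst, e.dst_wc):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl_lines, packet):
    """Walk the list top-down and stop at the first match; return (action, deciding line)."""
    for e in map(parse_entry, acl_lines):
        if entry_matches(e, packet):
            return e.action, e.text
    return "deny", "implicit deny ip any any"   # every IOS ACL ends this way


def same_decision(acl_a, acl_b, packets):
    """True when both lists permit and deny exactly the same sample packets."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in packets)


# Lists 101 and 102 from the Process ACLs section, and the four-entry list with redundant entries.
ACL_101 = ["access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255"]
ACL_102 = ["access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
           "access-list 102 deny ip any any"]
ACL_REDUNDANT = [
    "access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet",
    "access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1",
    "access-list 101 permit udp host 10.1.1.2 host 172.16.1.1",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
]
# Entry that lets the DHCP request through; placing it first is an assumption for this example.
DHCP_PERMIT = "access-list 101 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps"

# Constructed sample packets (not captures). DHCP_DISCOVER mirrors the debug line in the text:
# s=0.0.0.0, d=255.255.255.255, UDP src=68, dst=67.
TELNET = Packet("tcp", "10.1.1.2", "172.16.1.1", 40000, 23)
PING = Packet("icmp", "10.1.1.9", "172.16.1.1")
OUTSIDER = Packet("tcp", "192.0.2.7", "172.16.1.1", 40000, 23)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
SAMPLES = [TELNET, PING, OUTSIDER, DHCP_DISCOVER]

if __name__ == "__main__":
    for acl in (ACL_101, ACL_102, ACL_REDUNDANT, [DHCP_PERMIT] + ACL_REDUNDANT):
        for p in SAMPLES:
            print(evaluate(acl, p), p)
```

Feeding a list of representative packets through evaluate() before and after a change is the cheapest way to prove that a reordering or a cleanup of redundant entries did not alter which traffic gets through; on the router itself, the hit counters in show access-lists give the same evidence after the fact.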
