Access Lists are one of the most frequently used features on Cisco devices and are used to achieve many different kinds of tasks.
Unlike what the name suggests, Access Lists are not only used to filter traffic (even though they can be used to do that). Instead, they are used to select interesting traffic; in other words, an Access List on its own achieves absolutely nothing until another feature references it.
Access List Types:
Access lists come in two types: standard and extended access lists.
Standard access lists match traffic based on the source IP address only,
while extended access lists are much more flexible: they can match traffic based on source/destination IP addresses, the protocol in use (IP/GRE/ESP/ICMP, etc.), source/destination ports, connection state, and more.
Both types of access lists can be defined as numbered access lists or named access lists (as a rule of thumb, always use named access lists).
Cons of Numbered ACLs:
Numbered ACLs are rarely used in production, mainly because:
- Deleting a single line deletes the entire ACL.
- Anything added to a numbered ACL always lands at the bottom of it (sequencing is not supported; more on this ahead).
Defining ACLs:
To define a numbered access list, we use the access-list command under config mode, whereas named access lists are defined using the ip access-list command.
SampleSW(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
<2700-2799> MPLS access list
acl-ace-limit set the max configurable ace limit for all ACLs
acl-limit Set the max configurable acl limit
dynamic-extended Extend the dynamic ACL absolute timer
global-ace-limit set the max ace limit for the entire system
rate-limit Simple rate-limit specific access list
SampleSW(config)#ip access-list ?
extended Extended Access List
helper Access List acts on helper-address
log-update Control access list log updates
logging Control access list logging
persistent enable persistency across reload
resequence Resequence Access List
role-based Role-based Access List
standard Standard Access List
Notably, the type of a named access list has to be stated explicitly after the ip access-list keyword, whereas for a numbered access list the number itself defines its type:
Standard  | Extended
1-99      | 100-199
1300-1999 | 2000-2699
Now, once the access list has been defined, we need to define entries within it using the permit and deny keywords.
IMPORTANT: All ACLs end with an implicit deny. This means that only the permitted traffic is matched by a given ACL; everything else is denied without the need to add an explicit deny statement.
For the sake of simplicity and to keep your reading short and useful I will only demonstrate named ACLs.
SampleSW(config)#ip access-list standard SampleACL
SampleSW(config-std-nacl)#?
Standard Access List configuration commands:
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
As we can see, each access control entry (ACE) starts with an optional sequence number, followed by a permit/deny keyword, which is in turn followed by the related IP addresses and wildcard masks. You will find detailed samples and use cases at the end of this article.
Common ACL-Dependent Features:
- Access-Groups and Access-Classes.
- Address Translation (NAT).
- Matching interesting traffic for IPsec tunnels (policy-based VPN).
- Classifying traffic (QoS).
Access Groups and Access Classes:
Access groups is the name of the feature that uses access lists to filter traffic entering or leaving an interface of the device, while access classes do the same for VTY connections (Telnet / SSH).
Important:
- Filtering can only be applied to traffic transiting the device (inbound or outbound).
- Filtering can't be applied to traffic generated by the router itself.
- Filtering can't be applied inbound or outbound on loopback interfaces.
- Filtering incoming VTY connections is usually done using a standard access list, since only the source of the connection matters.
Configuration and Sample Access Lists:
Using an access list to filter which sources are allowed to talk to specific destinations:
ip access-list extended ACL-SOURCE-DESTINATION
10 permit ip 192.168.83.0 0.0.0.255 192.168.17.32 0.0.0.15
20 permit ip 192.168.82.0 0.0.0.255 192.168.17.64 0.0.0.31
30 permit ip 192.168.84.0 0.0.0.255 192.168.17.96 0.0.0.7
interface g0/0
ip access-group ACL-SOURCE-DESTINATION in
Same example, but restricted to a specific TCP port:
ip access-list extended ACL-SOURCE-DESTINATION
10 permit tcp 192.168.83.0 0.0.0.255 192.168.17.32 0.0.0.15 eq 443
20 permit tcp 192.168.82.0 0.0.0.255 192.168.17.64 0.0.0.31 eq 80
30 permit tcp 192.168.84.0 0.0.0.255 192.168.17.96 0.0.0.7 eq 443
interface g0/0
ip access-group ACL-SOURCE-DESTINATION in
Using an access list to filter allowed SNMP pollers:
ip access-list standard ACL_SNMP_ACCESS
10 deny 192.168.17.124
20 permit 192.168.17.0 0.0.0.255
snmp-server group SNMPv3-group v3 priv read SNMPv3-readgroup access ACL_SNMP_ACCESS
Using an access list with VTY connections (access classes):
ip access-list standard ACL_VTY_ACCESS
10 permit 192.168.50.0 0.0.0.255
20 permit 192.168.61.0 0.0.0.255
line vty 0 5
access-class ACL_VTY_ACCESS in
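To make the matching rules behind the samples above concrete (wildcard masks, sequence order with first match winning, and the implicit deny at the end), here is an added Python model that is not part of this post or of IOS. It parses the ACL-SOURCE-DESTINATION and ACL_SNMP_ACCESS blocks exactly as written above and evaluates constructed packets against them. The any and host keywords are supported as well, and the CIDR rendering of contiguous wildcards is an addition for readability; both go slightly beyond the samples on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'.
    192.168.17.32 0.0.0.15 therefore covers 192.168.17.32-47 (the /28)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def wildcard_to_network(base: str, wildcard: str) -> Optional[ipaddress.IPv4Network]:
    """Render a contiguous wildcard as CIDR for review (0.0.0.15 -> /28).
    Non-contiguous wildcards (e.g. 0.0.1.0) are legal on IOS but have no CIDR form."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        return None
    return ipaddress.IPv4Network((base, prefixlen), strict=False)


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # standard ACLs are recorded as "ip"
    src: str
    src_wc: str
    dst: Optional[str] = None    # None for standard ACLs (source-only match)
    dst_wc: Optional[str] = None
    dport: Optional[int] = None  # "eq <port>" on the destination


def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec at t[i]; returns (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and _is_ipv4(t[i + 1]):
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1  # bare address in a standard ACL == host


def parse_acl(config: str) -> Tuple[str, List[Ace]]:
    """Parse an 'ip access-list standard|extended NAME' block and its ACEs."""
    lines = [ln.strip() for ln in config.strip().splitlines() if ln.strip()]
    kind = lines[0].split()[2]
    aces: List[Ace] = []
    for line in lines[1:]:
        t = line.split()
        if "remark" in t[:2]:
            continue
        seq, action, i = int(t[0]), t[1], 2
        proto = "ip"
        if kind == "extended":
            proto, i = t[i], i + 1
        src, src_wc, i = _parse_addr(t, i)
        dst = dst_wc = dport = None
        if kind == "extended":
            dst, dst_wc, i = _parse_addr(t, i)
            if i + 1 < len(t) and t[i] == "eq":
                dport = int(t[i + 1])
        aces.append(Ace(seq, action, proto, src, src_wc, dst, dst_wc, dport))
    aces.sort(key=lambda a: a.seq)  # the device evaluates in sequence order
    return kind, aces


def evaluate(aces: List[Ace], src: str, dst: Optional[str] = None,
             proto: str = "ip", dport: Optional[int] = None):
    """Walk the ACEs in order; the first matching entry decides.
    Falling off the end is the implicit deny, reported with seq None."""
    for ace in aces:
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if ace.dst is not None and (dst is None or not wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.proto != "ip" and ace.proto != proto:  # an 'ip' ACE matches any IP protocol
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


# ACL text copied from the samples in this post.
EXTENDED_ACL = """
ip access-list extended ACL-SOURCE-DESTINATION
 10 permit tcp 192.168.83.0 0.0.0.255 192.168.17.32 0.0.0.15 eq 443
 20 permit tcp 192.168.82.0 0.0.0.255 192.168.17.64 0.0.0.31 eq 80
 30 permit tcp 192.168.84.0 0.0.0.255 192.168.17.96 0.0.0.7 eq 443
"""
STANDARD_ACL = """
ip access-list standard ACL_SNMP_ACCESS
 10 deny 192.168.17.124
 20 permit 192.168.17.0 0.0.0.255
"""

if __name__ == "__main__":
    _, ext = parse_acl(EXTENDED_ACL)
    for ace in ext:
        print(ace.seq, ace.action, ace.proto, wildcard_to_network(ace.src, ace.src_wc),
              "->", wildcard_to_network(ace.dst, ace.dst_wc), "eq", ace.dport)
    # constructed packets: 192.168.17.48 is one past the /28 and hits the implicit deny
    for s, d, p in [("192.168.83.10", "192.168.17.40", 443), ("192.168.83.10", "192.168.17.48", 443)]:
        print(s, "->", d, p, evaluate(ext, s, d, "tcp", p))
    _, std = parse_acl(STANDARD_ACL)
    print("SNMP from 192.168.17.124:", evaluate(std, "192.168.17.124"))
```

The evaluate() return value names the sequence number that decided the verdict, which is the first thing to check when an ACL behaves unexpectedly: the SNMP sample only works because the deny for 192.168.17.124 sits at sequence 10, before the permit for the whole /24.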
I don't want to further lengthen this post, as we could talk about access lists for as long as we want. Accordingly, expect more advanced posts on this topic.