Access Control List

Source: Internet
Author: User


An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. ACLs provide a powerful way to control traffic into and out of a network. ACLs can be configured for all routed network protocols.

IP ACL operation

When configured, ACLs perform the following tasks:

  • Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
  • Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of the network conditions, bandwidth is preserved.
  • Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to authorized users.
  • Filter traffic based on traffic type. For example, an ACL can permit e-mail traffic but block all Telnet traffic.
  • Screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to services such as FTP or HTTP.

To evaluate network traffic, the ACL extracts the following information from the Layer 3 packet header:

    • Source IP Address
    • Destination IP Address
    • ICMP Message Type

The ACL can also extract upper-layer information from the Layer 4 header, including:

    • TCP/UDP Source Port
    • TCP/UDP Destination Port

Types of ACLs

Standard ACLs

Standard ACLs match packets by examining the source IP address field in the IP header of the packet.

Router(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]

ACL number: 1-99 or 1300-1999

Operation: permit or deny

Source IP address

Source wildcard mask

Extended ACL

Extended ACLs filter IP packets based on several attributes, including the following:

    • Source and destination IP address
    • Source and destination TCP and UDP ports
    • Protocol type/protocol number (IP, ICMP, UDP, TCP, etc.)

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

ACL number: 100-199 or 2000-2699

Operation: permit or deny

Protocol type: ip, icmp, tcp, udp

Source IP address and source wildcard mask: determine where the traffic originates

Destination IP address and destination wildcard mask: indicate the final destination of the network traffic

Operator: eq, gt, lt, and others

Once a standard or extended numbered IP ACL is created, the administrator must apply it to the appropriate interface.

Router(config-if)# ip access-group access-list-number {in | out}

The command to apply the ACL to a vty line:

Router(config-line)# access-class access-list-number {in | out}

Named ACL

It is possible to create a named ACL instead of a numbered ACL. Named ACLs must be specified as either standard or extended.

Router(config)# ip access-list {standard | extended} name_of_acl

Executing this command places the user in ACL sub-configuration mode, where permit and deny commands are entered. The permit and deny commands have the same basic syntax as those in the numbered IP ACL commands.

A standard named ACL can use deny and permit statements.

Router(config-std-nacl)# deny {source [source-wildcard] | any}

Router(config-std-nacl)# permit {source [source-wildcard] | any}

An extended named ACL offers additional parameters.

Router(config-ext-nacl)# {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

One advantage of named ACLs is that the administrator can delete a specific entry by entering ACL sub-configuration mode and prefacing the command with the no keyword.

At the end of an ACL statement, the administrator has the option to configure the log parameter.

R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq $ log

If this parameter is configured, Cisco IOS software compares packets against the statement and, when it finds a match, logs it to any enabled logging facility, such as the console, the internal buffer of the router, or a syslog server. Several pieces of information are logged:

  • Action: permit or deny
  • Protocol: TCP, UDP, or ICMP
  • Source and destination addresses
  • For TCP and UDP: source and destination port numbers
  • For ICMP: message types

Log messages are generated on the first packet match and then at five-minute intervals after that first match.
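The reporting cadence described above (one message on the first match, then one per five-minute interval) is easy to get wrong when sizing a syslog pipeline, so here is a small model of it. This is an added example, not Cisco IOS code: the `Match` records and timestamps are constructed, the message text is illustrative rather than the real IOS format, and the assumption that each interval message carries a count of the matches seen since the previous message is mine.

```python
"""Model of the 'log' keyword's reporting cadence (added example, not IOS code).

Assumption: the five-minute summaries carry a count of matches seen since the
previous message; the message text below is illustrative, not the IOS format.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Match:
    ts: float                    # seconds; constructed timestamps below
    action: str                  # permit or deny
    proto: str                   # tcp, udp or icmp
    src: str
    dst: str
    sport: Optional[int] = None  # TCP/UDP only
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # ICMP only


def format_log(m: Match, count: int) -> str:
    """Render the fields the text says are logged for a match."""
    if m.proto == "icmp":
        detail = f"{m.src} -> {m.dst} type {m.icmp_type}"
    else:
        detail = f"{m.src}({m.sport}) -> {m.dst}({m.dport})"
    return f"{m.action} {m.proto} {detail}, {count} packet(s)"


def throttle_logs(matches: Iterable[Match], interval: float = 300.0) -> List[str]:
    """One message on the first match, then at most one per `interval` seconds.

    Matches that fall inside a window are counted and reported with the next
    message instead of producing their own line."""
    out: List[str] = []
    window_start: Optional[float] = None
    pending = 0
    for m in sorted(matches, key=lambda x: x.ts):
        if window_start is None or m.ts - window_start >= interval:
            out.append(format_log(m, pending + 1))
            window_start = m.ts
            pending = 0
        else:
            pending += 1
    return out


# Constructed matches against a single 'deny tcp ... eq 23 log' entry.
SAMPLE = [
    Match(0, "deny", "tcp", "192.168.1.10", "192.168.2.20", 40001, 23),
    Match(10, "deny", "tcp", "192.168.1.10", "192.168.2.20", 40002, 23),
    Match(299, "deny", "tcp", "192.168.1.11", "192.168.2.20", 40003, 23),
    Match(300, "deny", "tcp", "192.168.1.11", "192.168.2.20", 40004, 23),
    Match(700, "deny", "tcp", "192.168.1.12", "192.168.2.20", 40005, 23),
]

if __name__ == "__main__":
    for line in throttle_logs(SAMPLE):
        print(line)
```

With the five constructed matches, only three messages are produced: the first match, a summary at t=300 covering the three matches since the first message, and a single-packet message at t=700. Five matches against a busy deny entry therefore do not mean five log lines, which matters when you use these messages as a detection signal.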

Several caveats should be considered when working with ACLs:

  • Implicit deny all - any Cisco ACL ends with an implicit "deny all" statement. Even if this statement is not apparent in an ACL, it is there.
  • Standard ACL packet filtering - standard ACLs are limited to packet filtering based on source addresses only. Extended ACLs may need to be created to fully implement a security policy.
  • Order of statements - ACLs use a first-match policy. When a statement is matched, the list is no longer examined. Certain ACL statements are more specific than others and therefore must be placed higher in the ACL. For example, blocking all UDP traffic at the top of the list negates a statement lower in the list that allows SNMP packets, which use UDP. An administrator must ensure that statements at the top of the ACL do not negate any statements found lower.
  • Directional filtering - Cisco ACLs have a directional filter that determines whether inbound packets (toward the interface) or outbound packets (away from the interface) are examined. An administrator should double-check the direction of the data an ACL is filtering.
  • Modifying ACLs - when a router compares a packet to an ACL, the ACL entries are examined from the top down. When the router locates a statement with matching criteria, ACL processing stops and the packet is either permitted or denied based on that entry. When new entries are added to an ACL, they are always added to the bottom. This can render new entries unusable if a previous entry is more general. For example, if an ACL has an entry on one line that denies network 172.16.1.0/24 access to a server, and the next line permits a single host, 172.16.1.5, access to the same server, that host would still be denied. This is because the router matches packets from 172.16.1.5 against the 172.16.1.0/24 entry and denies the traffic without reading the next line. When a new statement renders the ACL unusable, a new ACL must be created with the correct statement ordering. The old ACL should be deleted and the new ACL assigned to the router interface. With Cisco IOS Release 12.3 and later, sequence numbers can be used to ensure that a new statement is added to the ACL in the correct location. The ACL is processed top-down based on the sequence numbers of the statements (lowest to highest).
  • Special packets - router-generated packets, such as routing table updates, are not subject to outbound ACL statements on the source router. If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms using ACLs must do the filtering.
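The matching rules from the standard and extended ACL sections (source/destination wildcard masks, protocol, port operator) and the first-match, implicit-deny and sequence-number behaviour in the caveats above can all be checked with a small evaluator. The following is an added example written for this page, not Cisco code: it models IPv4 only, supports only `eq` on the destination port for the `[operator operand]` clause, ignores `established`, and uses constructed addresses (server 10.0.0.10, port 80). The `ordering_demo` function reproduces the 172.16.1.0/24 versus 172.16.1.5 case from the "Modifying ACLs" caveat, first with the permit appended to the bottom and then inserted with a sequence number.

```python
"""Toy evaluator for Cisco-style ACL semantics (added example, not IOS code).

Assumptions: IPv4 only; '[operator operand]' modelled only as 'eq' on the
destination port; 'established' not modelled; addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'
    (the bitwise inverse of a subnet mask). 'host X' is X with wildcard 0.0.0.0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"           # "tcp", "udp", "icmp" or "ip"
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"           # standard ACL entries leave this as "ip"
    dst: str = ANY[0]           # ... and match any destination
    dst_wc: str = ANY[1]
    dport_eq: Optional[int] = None
    seq: int = 0                # assigned by Acl.add()

    def matches(self, p: Packet) -> bool:
        # 'ip' matches every protocol; a specific protocol must match exactly
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.dport_eq is not None and p.dport != self.dport_eq:
            return False
        return True


class Acl:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def add(self, entry: Entry, seq: Optional[int] = None) -> None:
        """Without a sequence number the entry goes to the bottom (last + 10,
        mirroring the IOS default); with one (IOS 12.3+) it is placed in order."""
        if seq is None:
            seq = (self.entries[-1].seq + 10) if self.entries else 10
        entry.seq = seq
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """First match wins: return (action, seq of the matching entry).
        If no entry matches, the implicit 'deny all' at the end applies."""
        for e in self.entries:
            if e.matches(p):
                return e.action, e.seq
        return "deny", None


def standard_acl_demo() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """access-list 10 permit 192.168.1.0 0.0.0.255, and nothing else."""
    acl = Acl()
    acl.add(Entry("permit", "192.168.1.0", "0.0.0.255"))
    inside = Packet(src="192.168.1.77", dst="10.0.0.1")
    outside = Packet(src="192.168.2.1", dst="10.0.0.1")   # hits the implicit deny
    return acl.evaluate(inside), acl.evaluate(outside)


def ordering_demo() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """The 'Modifying ACLs' caveat: a /24 deny above a single-host permit shadows it."""
    server = "10.0.0.10"   # constructed
    host = Packet(src="172.16.1.5", dst=server, proto="tcp", dport=80)

    broken = Acl()
    broken.add(Entry("deny", "172.16.1.0", "0.0.0.255", "tcp", server, "0.0.0.0", 80))
    # appended to the bottom, so never reached for 172.16.1.5
    broken.add(Entry("permit", "172.16.1.5", "0.0.0.0", "tcp", server, "0.0.0.0", 80))

    fixed = Acl()
    fixed.add(Entry("deny", "172.16.1.0", "0.0.0.255", "tcp", server, "0.0.0.0", 80))
    # sequence number 5 places the host permit above the /24 deny (seq 10)
    fixed.add(Entry("permit", "172.16.1.5", "0.0.0.0", "tcp", server, "0.0.0.0", 80), seq=5)

    return broken.evaluate(host), fixed.evaluate(host)


if __name__ == "__main__":
    print("standard:", standard_acl_demo())   # (('permit', 10), ('deny', None))
    print("ordering:", ordering_demo())       # (('deny', 10), ('permit', 5))
```

Running it shows `ordering_demo()` returning `('deny', 10)` for the appended permit and `('permit', 5)` once the same entry is inserted with a lower sequence number, while `standard_acl_demo()` returns `('deny', None)` for the outside host because no entry matched and the implicit deny applied. Before pushing an ACL change, evaluating representative packets through a model like this is a cheap way to catch a shadowed entry that a line-by-line read would miss.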
