Access List Tutorial

This tutorial explains access control lists (ACLs), which are used to filter network traffic by permitting or denying IP packets based on specified criteria. It covers three types of ACLs: Standard, Extended, and Named, detailing their configurations and applications on router interfaces. Additionally, it discusses the use of wildcard masks and the differences between numbered and named ACLs, including their placement and limitations.

Uploaded by

Mzamil Hassan
Access List Tutorial

In this tutorial we will learn about access lists.

Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny
IP packets from crossing specified interfaces. Just imagine you come to a fair and see the guard
checking tickets. He only allows people with valid tickets to enter. Well, an access list performs
the same function as that guard.

Access lists filter network traffic by controlling whether packets are forwarded or blocked at the
router’s interfaces based on the criteria you specified within the access list.

To use ACLs, the system administrator must first configure the ACLs and then apply them to specific
interfaces. There are three popular types of ACL: Standard, Extended and Named ACLs.

Standard IP Access List

Standard IP lists (1-99) only check source addresses of all IP packets.

Configuration Syntax

access-list access-list-number {permit | deny} source {source-mask}

Apply ACL to an interface

ip access-group access-list-number {in | out}

Example of Standard IP Access List

Configuration:

In this example we will define a standard access list that will only allow network 10.0.0.0/8 to
access the server (located on the Fa0/1 interface).

Define which source is allowed to pass:

Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255


(there is always an implicit deny of all other traffic at the end of each ACL, so we don’t need to
define the forbidden traffic)

Apply this ACL to an interface:

Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out

ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of the Fa0/1 interface while
denying all other traffic. So can we apply this ACL to another interface, Fa0/2 for example? Well, we
can, but we shouldn’t, because users could still reach the server through another interface (the s0
interface, for example). This is why a standard access list should be applied close to the
destination.

Note: The “0.255.255.255” is the wildcard mask for network “10.0.0.0”. We will learn how to
use wildcard masks later.

Extended IP Access List

Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP
protocols, and destination ports.

Configuration Syntax

access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]

Example of Extended IP Access List

In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8
but allow other traffic to go through.

Note: FTP uses TCP on port 20 & 21.

Define which protocol, source, destination and port are denied:

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20

Router(config)#access-list 101 permit ip any any

Apply this ACL to an interface:

Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out

Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any), as there is
an implicit “deny all” at the end of each ACL.

As we can see, the destination of the above access list is “187.100.1.6 0.0.0.0”, which specifies a
single host. We can use “host 187.100.1.6” instead. We will discuss wildcard masks later.

In summary, below are the number ranges of standard and extended access lists:

Access list type    Range
Standard            1-99, 1300-1999
Extended            100-199, 2000-2699

Named IP Access List

This allows standard and extended ACLs to be given names instead of numbers.

Named IP Access List Configuration Syntax

ip access-list {standard | extended} {name | number}

Example of Named IP Access List

This is an example of the use of a named ACL in order to block all traffic except the Telnet
connection from host 10.0.0.1/8 to host 187.100.1.6.

Define the ACL:

Router(config)#ip access-list extended in_to_out
Router(config-ext-nacl)#permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet

(notice that we can use ‘telnet’ instead of port 23)

Apply this ACL to an interface:

Router(config)#interface Fa0/0

Router(config-if)#ip access-group in_to_out in
Where to place access list?

Standard IP access list should be placed close to destination.

Extended IP access lists should be placed close to the source.

How many access lists can be used?

You can have one access list per protocol, per direction and per interface. For example, you
cannot have two access lists in the inbound direction of the Fa0/0 interface. However, you can have
one inbound and one outbound access list applied on Fa0/0.

How to use the wildcard mask?

Wildcard masks are used with access lists to specify a host, network or part of a network.

The zeros and ones in a wildcard mask determine whether the corresponding bits in the IP address
should be checked or ignored for ACL purposes. For example, suppose we want to create a standard
ACL which will only allow network 172.23.16.0/20 to pass through. We would like to write an ACL
something like this:

access-list 1 permit 172.23.16.0 255.255.240.0

Of course, we can’t write a subnet mask in an ACL; we must convert it into a wildcard mask by
flipping every 0 bit to 1 and every 1 bit to 0.

255 = 1111 1111 -> convert into 0000 0000

240 = 1111 0000 -> convert into 0000 1111

0 = 0000 0000 -> convert into 1111 1111

Therefore 255.255.240.0 can be written as the wildcard mask

00000000.00000000.00001111.11111111 = 0.0.15.255

Remember, for the wildcard mask, 1’s are I DON’T CARE, and 0’s are I CARE. Now let’s
analyze our wildcard mask.

The first two octets are all 0’s, meaning that we care about the network 172.23.x.x. The third octet,
15 (0000 1111 in binary), means that we care about the first 4 bits but don’t care about the last 4 bits,
so we allow the third octet in the form 0001xxxx (minimum: 00010000 = 16; maximum:
00011111 = 31).

The fourth octet is 255 (all 1 bits) that means I don’t care.

Therefore network 172.23.16.0 0.0.15.255 ranges from 172.23.16.0 to 172.23.31.255.
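To make the wildcard-mask arithmetic and the top-down, first-match, implicit-deny evaluation from the standard and extended ACL sections concrete, here is an added Python model (example code written for this page, not part of the original tutorial or of any router software). It assumes a simplified entry format: a standard entry is written with destination “any”, and ‘any’ is represented as 0.0.0.0 with wildcard 255.255.255.255.

```python
import ipaddress

def wildcard_from_mask(mask: str) -> str:
    """Invert a dotted subnet mask into its wildcard mask (255.255.240.0 -> 0.0.15.255)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def wildcard_range(network: str, wildcard: str) -> tuple:
    """Lowest and highest address matched by 'network wildcard' (1 bits = don't care)."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    low = net & ~wc & 0xFFFFFFFF      # don't-care bits cleared
    high = net | wc                   # don't-care bits set
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True when every 'I care' bit (wildcard bit 0) of addr equals the network's bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    return (a & ~wc) == (n & ~wc)

# Entry format (an assumption of this example, not IOS syntax):
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)
ANY = ("0.0.0.0", "255.255.255.255")

def evaluate_acl(aces, proto, src, dst, dport=None) -> str:
    """Walk the ACL top-down; the first matching entry wins.
    Falling off the end is the implicit 'deny' every ACL carries."""
    for action, p, s, s_wc, d, d_wc, port in aces:
        if p != "ip" and p != proto:          # 'ip' matches every IP protocol
            continue
        if not wildcard_match(src, s, s_wc) or not wildcard_match(dst, d, d_wc):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"                             # implicit deny all

# ACL 101 from the tutorial: block FTP (TCP 20/21) from 10.0.0.0/8 to host 187.100.1.6, allow the rest
ACL_101 = [
    ("deny", "tcp", "10.0.0.0", "0.255.255.255", "187.100.1.6", "0.0.0.0", 21),
    ("deny", "tcp", "10.0.0.0", "0.255.255.255", "187.100.1.6", "0.0.0.0", 20),
    ("permit", "ip", *ANY, *ANY, None),
]

# Standard ACL 1 from the tutorial: only the source is checked, so destination is 'any'
ACL_1 = [("permit", "ip", "10.0.0.0", "0.255.255.255", *ANY, None)]
```

Remove the final permit from ACL_101 and the model shows why the tutorial insists on it: every packet, FTP or not, then falls through to the implicit deny.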

Some additional examples:

+ Block TCP packets on port 30 from any source to any destination:

Router(config)#access-list 101 deny tcp any any eq 30

+ Permit any IP packets from network 192.23.130.128 with subnet mask 255.255.255.248 to any
network:

Router(config)#access-list 101 permit ip 192.23.130.128 0.0.0.7 any

Apply the access control list to an interface:

Router(config)#interface fastEthernet0/0

Router(config-if)#ip access-group 101 in

Note: An ACL applied to the main interface does not affect the traffic of subinterfaces. If we want
to filter traffic on subinterfaces, we have to assign ACL to each subinterface separately.

There are some differences between numbered ACLs and named ACLs:

+ Only numbered ACLs are supported on VTY lines (by using the access-class command).
+ Only named ACLs support noncontiguous ports (this allows you to specify noncontiguous ports in
a single ACL statement). For example:
Router(config)#ip access-list extended noncontiguousPorts
Router(config-ext-nacl)# permit tcp any eq telnet ftp any eq 23 45 34
+ Only with a named ACL can we easily remove an individual entry. For example:

R1# show access-list

Standard IP access list nat_traffic
10 permit 10.1.0.0, wildcard bits 0.0.255.255
20 permit 10.2.0.0, wildcard bits 0.0.255.255
30 permit 10.3.0.0, wildcard bits 0.0.255.255

Then to remove the second statement (the line “20 permit 10.2.0.0, wildcard bits
0.0.255.255”) we just need to type “no 20”:

R1(config)#ip access-list standard nat_traffic
R1(config-std-nacl)#no 20

But for a numbered ACL, we have to recreate the whole ACL when an entry needs to be removed.
