Module 11: Access Control Lists (ACLs)
Module Overview  
11.1 Access Control List Fundamentals
 
11.1.1 What are ACLs
11.1.2 How ACLs Work
11.1.3 Creating ACLs
11.1.4 The function of a wildcard mask
11.1.5 Verifying ACLs
 
11.2 Access Control Lists (ACLs)
 
11.2.1 Standard ACLs
11.2.2 Extended ACLs
11.2.3 Named ACLs
11.2.4 Placing ACLs
11.2.5 Firewalls
11.2.6 Restricting virtual terminal access
 
Module Summary  
Module Quiz

 

 
All contents copyright © 2003 Cisco Systems, Inc. All rights reserved.

 

Overview
 
Network administrators must figure out how to deny unwanted access to the network while allowing internal users appropriate access to necessary services. Although security tools, such as passwords, callback equipment, and physical security devices are helpful, they often lack the flexibility of basic traffic filtering and the specific controls most administrators prefer. For example, a network administrator may want to allow users access to the Internet, but not permit external users telnet access into the LAN.

Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. This module will introduce standard and extended ACLs as a means to control network traffic, and how ACLs are used as part of a security solution.

In addition, this chapter includes tips, considerations, recommendations, and general guidelines on how to use ACLs, and includes the commands and configurations needed to create ACLs. Finally, the chapter provides examples of standard and extended ACLs and how to apply ACLs to router interfaces.

ACLs can be as simple as a single line intended to permit packets from a specific host, or they can be extremely complex sets of rules and conditions that can precisely define traffic and shape the performance of router processes. While many of the advanced uses of ACLs are beyond the scope of this course, this module provides details about standard and extended ACLs, the proper placement of ACLs, and some special applications of ACLs.

Students completing this module should be able to:

  • Describe the differences between standard and extended ACLs
  • Explain the rules for placement of ACLs
  • Create and apply named ACLs
  • Describe the function of firewalls
  • Use ACLs to restrict virtual terminal access

 

11.1 Access Control List Fundamentals  
  11.1.1 What are ACLs  
  ACLs are lists of conditions that are applied to traffic traveling across a router's interface.  These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network.

ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX). ACLs can be configured at the router to control access to a network or subnet.

ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL. Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.

ACLs are defined on a per-protocol, per-direction, per-interface basis. To control traffic flow on an interface, an ACL must be defined for each routed protocol enabled on that interface. An ACL controls traffic in only one direction, so a separate ACL is needed for each direction, one for inbound and one for outbound traffic. Every interface can therefore carry several ACLs. If a router has two interfaces configured for IP, AppleTalk, and IPX, up to 12 separate ACLs would be needed: one for each of the three protocols, times two for the directions (in and out), times two for the number of interfaces.

The following are some of the primary reasons to create ACLs:

  • Limit network traffic and increase network performance. By restricting video traffic, for example, ACLs could greatly reduce the network load and consequently increase network performance.
  • Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
  • Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.
  • Decide which types of traffic are forwarded or blocked at the router interfaces. Permit e-mail traffic to be routed, but block all telnet traffic.
  • Allow an administrator to control what areas a client can access on a network.
  • Screen certain hosts to either allow or deny access to part of a network. Grant or deny users permission to use only certain types of services, such as file transfer (FTP) or web (HTTP) traffic.

If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.

  Web Links

Access Control List

http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213757,00.html

 

11.1 Access Control List Fundamentals  
  11.1.2 How ACLs work  
  An ACL is a group of statements that define whether packets are accepted or rejected at inbound and outbound interfaces. These decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in the statement.

The order in which ACL statements are placed is important. The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked. If a condition statement that permits all traffic is located at the top of the list, no statements added below that will ever be checked.

If additional condition statements are needed in a numbered access list, the entire ACL must be deleted and recreated with the new statements, because new lines can only be appended to the end of the list. To make revising an ACL simpler, keep a copy of it in a text editor such as Notepad and paste the complete ACL into the router configuration.

The beginning of the router’s process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the layer 2 address matches or if it is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is now tested against the statements in the list. If the packet matches a statement, the action of accepting or rejecting the packet is performed. If the packet is accepted in the interface, it will then be checked against routing table entries to determine the destination interface and switched to that interface. Next, the router checks whether the destination interface has an ACL. If an ACL exists, the packet is now tested against the statements in the list and if the packet matches a statement, the action of accepting or rejecting the packet is performed. If there is no ACL or the packet is accepted, the packet is encapsulated in the new layer 2 protocol and forwarded out the interface to the next device.

As a review, ACL statements are processed in sequential, logical order. If a condition matches, the packet is permitted or denied and the remaining statements are not checked. If none of the statements match, an implicit "deny any" at the end of the list applies. Even though the "deny any" is not visible as the last line of an ACL, it is there, and any packet not matched by an explicit statement is dropped. When first learning how to create ACLs, it is a good idea to add the deny explicitly at the end of the list as a reminder that it is always present; an explicit deny statement also has its own match counter in show access-lists, which makes the dropped traffic visible.

 

11.1 Access Control List Fundamentals  
  11.1.3 Creating ACLs  
  ACLs are created in the global configuration mode. There are many different types of ACLs including standard, extended, IPX, AppleTalk, and others. When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.

After the proper command mode is entered and the list type number is decided upon, the user enters the access list statements using the keyword access-list, followed by the proper parameters. Creating the access list is the first half of using them on a router. The second half of the process is assigning them to the proper interface.

ACLs are assigned to one or more interfaces, and filter inbound or outbound traffic, with the ip access-group command, which is issued in interface configuration mode. When assigning an ACL to an interface, the direction, in or out, must be specified. To decide whether an ACL addresses inbound or outbound traffic, look at the interface from inside the router. This is a very important concept: traffic arriving on an interface is filtered by that interface's inbound access list, and traffic leaving an interface is filtered by its outbound access list. After a numbered ACL is created, it must be assigned to an interface before it has any effect. To alter a numbered ACL, all of its statements must be removed with the command no access-list list-number and the list re-entered.

These basic rules should be followed when creating and applying access lists:

  • One access list per protocol per direction.
  • Standard access lists should be applied closest to the destination.
  • Extended access lists should be applied closest to the source.
  • Use the inbound or outbound interface reference as if looking at the port from inside the router.
  • Statements are processed sequentially from the top of list to the bottom until a match is found, if no match is found then the packet is denied.
  • There is an implicit deny at the end of all access lists. This will not appear in the configuration listing.
  • Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
  • The match condition is examined first. The permit or deny is examined ONLY if the match is true.
  • Never work with an access list that is actively applied.
  • Use a text editor to create comments outlining the logic, then, fill in the statements that perform the logic.
  • New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
  • When an IP access list denies a packet, the router discards it and, by default, returns an ICMP destination unreachable (administratively prohibited) message to the sender; the interface command no ip unreachables suppresses these messages.
  • Care should be taken when removing an access list. If the list is deleted while it is still applied to a production interface, the result depends on the IOS version: some releases treat the missing list as a deny any and stop all traffic on that interface, others pass all traffic unfiltered. Either outcome is unwanted, so remove the ip access-group statement from the interface first, or have the replacement list ready to paste in immediately.
  • Outbound filters do not affect traffic originating from the local router.
  Lab Activity

e-Lab Activity: Creating ACLs

In this lab, the students will explore the syntax for creating standard and extended access-lists.

 

    Interactive Media Activity

Drag and Drop: Creating ACLs

After completing this activity, the student will be able to create ACLs.

 

  Web Links

ACL

http://www.foothilltech.org/tsharif/apjohns0_Ch06__ACLs%5B1%5D.ppt

 

11.1 Access Control List Fundamentals  
  11.1.4 The function of a wildcard mask  
  A wildcard mask is a 32-bit quantity written as four octets. It is paired with an IP address, and the ones and zeros in the mask specify how the corresponding bits of the IP address are treated. The term wildcard masking is a nickname for the ACL mask-bit matching process and comes from the analogy of a wildcard that matches any other card in the game of poker. Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules. Subnet masks start from the left side of an IP address and work towards the right to extend the network field by borrowing bits from the host field. Wildcard masks are designed to filter individual or groups of IP addresses, permitting or denying access to resources based on the address. Trying to figure out how wildcard masks work by relating them to subnet masking will only confuse matters. The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use ones and zeros for the mask.

Another issue is that the ones and zeros mean the opposite of what they mean in a subnet mask. To reduce confusion, the graphics substitute X's for the 1's in a wildcard mask; a mask drawn as 0.0.X.X would be written as 0.0.255.255. A zero bit means the corresponding address bit is let through to be checked and must match; an X (1) bit means the corresponding address bit is blocked from the comparison and is ignored.

In the wildcard mask process, the router applies the wildcard mask to the IP address in the access-list statement. This produces the match value. It then applies the same wildcard mask to the address of each packet checked by that statement and compares the result with the match value; only the address bits under zero mask bits take part in the comparison. If the two results are equal, the packet is processed by this ACL statement; otherwise it is sent to the next statement to be checked. This process is illustrated in the animation.

There are two special keywords that are used in ACLs, the any and host options. Simply put, the any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. This option matches any address it is compared against. The host keyword, written before an address, is shorthand for the wildcard mask 0.0.0.0. This mask requires that all bits of the ACL address and the packet address match, so the statement matches just one address.
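The matching arithmetic described above, as an added example that is not part of the course material: a Python routine that applies a wildcard mask the way the router does, renders a mask in the 0/X notation of the figures, derives the wildcard for a CIDR block (the bit-inverse of that block's subnet mask, a convenient way to obtain it even though the two masks are used differently), and shows two results practitioners trip over: a subnet mask typed where a wildcard belongs compares only the last octet, and a non-contiguous mask such as 0.0.254.255 is legal and matches every odd-numbered third octet. All addresses in it are constructed samples.

```python
"""Wildcard-mask arithmetic of Cisco IOS access lists (added example, not Cisco code)."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")      # the 'any' keyword: no address bit is checked


def host(address):
    """The 'host' keyword: every bit of the address is checked."""
    return address, "0.0.0.0"


def to_int(dotted):
    """Dotted-decimal address or mask -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def match_value(address, wildcard):
    """Apply the wildcard mask: keep address bits under 0 mask bits, drop those under 1 bits."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return to_int(address) & care


def wildcard_match(acl_address, wildcard, packet_address):
    """The router's test: the masked packet address must equal the statement's match value."""
    return match_value(packet_address, wildcard) == match_value(acl_address, wildcard)


def matching_hosts(acl_address, wildcard, candidates):
    """Addresses among CANDIDATES that a statement with this address/mask pair matches."""
    return [c for c in candidates if wildcard_match(acl_address, wildcard, c)]


def cidr_to_wildcard(network):
    """Wildcard matching exactly one CIDR block: the bitwise inverse of its subnet mask."""
    return str(ipaddress.IPv4Network(network, strict=False).hostmask)


def as_x_notation(wildcard):
    """Render a mask the way the course figures do: 0 = bit is checked, X = bit is ignored."""
    value = to_int(wildcard)
    bits = "".join("X" if (value >> (31 - i)) & 1 else "0" for i in range(32))
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


if __name__ == "__main__":
    # Constructed sample addresses. A subnet mask typed where a wildcard belongs checks
    # only the last octet, so 10.9.8.0 "matches" 192.168.1.0 while 192.168.1.7 does not.
    print(as_x_notation("0.0.255.255"))
    print(matching_hosts("192.168.1.0", cidr_to_wildcard("192.168.1.0/24"), ["192.168.1.7", "10.9.8.0"]))
    print(matching_hosts("192.168.1.0", "255.255.255.0", ["192.168.1.7", "10.9.8.0"]))
    # Non-contiguous masks are legal: 0.0.254.255 checks only the low bit of the
    # third octet, so it matches every odd-numbered /24 under 10.1.
    print(matching_hosts("10.1.1.0", "0.0.254.255", ["10.1.1.9", "10.1.3.9", "10.1.4.9"]))
```

The second and third calls in the main block are the check worth remembering: the same address with 0.0.0.255 matches the whole LAN, while with 255.255.255.0 it matches any address that ends in .0, on any network, and misses the LAN's own hosts.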

  Web Links

ACL

http://www.foothilltech.org/tsharif/apjohns0_Ch06__ACLs%5B1%5D.ppt

 

11.1 Access Control List Fundamentals  
  11.1.5 Verifying ACLs  
  There are many show commands that will verify the content and placement of ACLs on the router.

The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs on the router. To see a specific list, add the ACL name or number as an option for this command. The show running-config command will also reveal the access lists on a router and the interface assignment information.

These show commands verify the list contents and placement. It is also good practice to test the access list with sample traffic, and to confirm with show access-lists that the match counters of the intended statements increase, so that the list logic, and not just its syntax, is checked.

  Lab Activity

e-Lab Activity: Verifying ACLs

In this lab, the students will verify configured access-lists on the router.

 

  Web Links

show ip interface EXEC Command

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a0080087387.html#1020817

 

 

11.2   Access Control Lists (ACLs)  
  11.2.1 Standard ACLs  
  Standard ACLs check only the source address of routed IP packets. The comparison results in either permit or deny for the entire IP protocol suite, based on the network, subnet, and host address. For example, packets arriving on Fa0/0 are checked against the list for their source address. If they are permitted, the packets are routed through the router to an output interface. If they are not permitted, they are dropped at the incoming interface.

The standard version of the access-list global configuration command is used to define a standard ACL with a number in the range 1 to 99 (and also 1300 to 1999 in more recent IOS releases). If a statement gives an address without a wildcard mask, the default mask 0.0.0.0 is used. This means that the entire address must match, or this line in the ACL does not apply and the router checks for a match in the next line of the ACL.

The full syntax of the standard ACL command is:

Router(config)#access-list access-list-number {deny | permit} source [source-wildcard ] [log]

The no form of this command is used to remove a standard ACL. This is the syntax:

Router(config)#no access-list access-list-number

The table shows descriptions of the parameters used in this syntax.

  Lab Activity

Lab Exercise: Configuring Standard Access Lists

 In this lab, the student will configure and apply a standard ACL to permit or deny specific traffic.

 

    Lab Activity

Lab Exercise: Standard ACLs

In this lab, the student will plan, configure, and apply a standard ACL to permit or deny specific traffic. The student will then test the ACL to determine if the desired results were achieved.

 

  Lab Activity

e-Lab Activity: Configuring a Standard Access List

In this lab, the students will plan, configure, and apply a standard ACL to permit or deny specific traffic and test the ACL to determine if the desired results were achieved.

 

  Lab Activity

e-Lab Activity: Standard ACL

In this lab, the students will configure a standard access-control list for the local router "Rome".

 

  Lab Activity

e-Lab Activity: Standard ACL

In this lab, the students will configure a standard access-control list for the local router "Athens".

 

  Lab Activity

e-Lab Activity: Standard ACL

In this lab, the students will configure a standard access-control list for the local router "Bucharest".

 

  Lab Activity

e-Lab Activity: Standard ACL

In this lab, the students will configure a standard access-control list for the local router "Sofia".

 

  Web Links

access-list Command

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1072438

 

 

11.2 Access Control Lists (ACLs)  
  11.2.2 Extended ACLs  
  Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination addresses of a packet and can also check the protocol and port numbers. This gives greater flexibility to describe what the ACL will check. Packets can be permitted or denied based on where the packet originated and its destination, as well as the protocol type and port numbers. An extended ACL can allow e-mail traffic from Fa0/0 to specific S0/0 destinations while denying file transfers and web browsing. When a packet is discarded, the router by default returns an ICMP destination unreachable (administratively prohibited) message to the sender.

For a single ACL, multiple statements may be configured. Each of these statements should contain the same access-list-number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory. Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.

The syntax for the extended ACL statement can get very long and often will wrap in the terminal window. The wildcards also have the option of using the host or any keywords in the command.

At the end of the extended ACL statement, additional precision is gained from an optional field that specifies a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. The well-known port numbers for TCP/IP are shown in the figure. Logical operations such as equal (eq), not equal (neq), greater than (gt), and less than (lt) can be applied to the port number for these protocols. Extended ACLs use an access-list-number in the range 100 to 199 (and also 2000 to 2699 in more recent IOS releases).

The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:

Router(config-if)#ip access-group access-list-number {in | out}
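The following is an added example, written for this page and not Cisco code, that ties together the behaviour described in 11.1.2 (top-to-bottom, first-match processing with an implicit deny at the end) and the standard and extended syntax of 11.2.1 and 11.2.2. It parses access-list statements in the standard form shown above and in the extended form access-list number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator port] [log], evaluates constructed packets against them, and reports the line that decided each packet. It also flags statements that can never match because an earlier, broader statement catches all of their traffic, which is exactly the "permit all at the top" mistake 11.1.2 warns about. The Packet structure is the simulator's own assumption, not IOS output; the sample list implements the mail policy mentioned above with documentation addresses, and the port-name table covers only the names the sample uses.

```python
"""First-match evaluation of Cisco IOS numbered access lists (added example, not Cisco code)."""
import ipaddress, operator
from collections import namedtuple

# Packet is this simulator's own structure, not IOS output; sport/dport stay None for icmp etc.
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))
Entry = namedtuple("Entry", "action proto src swild sport dst dwild dport")
OPS = {"eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "lt": operator.lt}
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")

def addr(s):
    return int(ipaddress.IPv4Address(s))

def care_bits(wildcard):
    """Bits the router compares: the inverse of the wildcard mask (see 11.1.4)."""
    return ~addr(wildcard) & 0xFFFFFFFF

def wildcard_match(acl_addr, wildcard, pkt_addr):
    care = care_bits(wildcard)
    return (addr(acl_addr) & care) == (addr(pkt_addr) & care)

def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A W' | 'A' (a bare address gets mask 0.0.0.0)."""
    if tokens[0] == "any":
        return ANY + (tokens[1:],)
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:   # next token is a wildcard mask
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]

def parse_port(tokens):
    """Consume an optional 'eq|neq|gt|lt PORT' qualifier (PORT may be a well-known name)."""
    if tokens and tokens[0] in OPS:
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return (tokens[0], port), tokens[2:]
    return None, tokens

def parse_statement(line):
    """'access-list N permit|deny ...' -> (N, Entry); 1-99/1300-1999 standard, 100-199/2000-2699 extended."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an access-list statement: " + line)
    number, action, rest = int(t[1]), t[2], t[3:]
    if rest[-1] == "log":                      # logging does not change what matches
        rest = rest[:-1]
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard list: source address only
        src, swild, _ = parse_addr(rest)
        return number, Entry(action, "ip", src, swild, None, *ANY, None)
    proto, rest = rest[0], rest[1:]
    src, swild, rest = parse_addr(rest)
    sport, rest = parse_port(rest)
    dst, dwild, rest = parse_addr(rest)
    dport, _ = parse_port(rest)
    return number, Entry(action, proto, src, swild, sport, dst, dwild, dport)

def load_acl(lines):
    """Parse the statements of one list; every line must carry the same number."""
    parsed = [parse_statement(line) for line in lines]
    if len({n for n, _ in parsed}) != 1:
        raise ValueError("statements belong to different lists")
    return [e for _, e in parsed]

def matches(e, p):
    """One statement against one packet: protocol, both addresses, then port qualifiers."""
    if e.proto not in ("ip", p.proto):
        return False
    if not (wildcard_match(e.src, e.swild, p.src) and wildcard_match(e.dst, e.dwild, p.dst)):
        return False
    for cond, have in ((e.sport, p.sport), (e.dport, p.dport)):
        if cond and (have is None or not OPS[cond[0]](have, cond[1])):
            return False
    return True

def evaluate(entries, packet):
    """Top to bottom, first match wins: (action, 1-based line) or ('deny', None) for the implicit deny."""
    for i, e in enumerate(entries, 1):
        if matches(e, packet):
            return e.action, i
    return "deny", None

def covers(a_addr, a_wild, b_addr, b_wild):
    """True if every address matched by (b_addr, b_wild) is also matched by (a_addr, a_wild)."""
    a_care, b_care = care_bits(a_wild), care_bits(b_wild)
    return (a_care & ~b_care) == 0 and (addr(a_addr) & a_care) == (addr(b_addr) & a_care)

def shadowed(entries):
    """1-based lines no packet can reach because an earlier, broader statement catches them all."""
    return [j + 1 for j, b in enumerate(entries)
            if any(a.proto in ("ip", b.proto) and a.sport is None and a.dport is None
                   and covers(a.src, a.swild, b.src, b.swild)
                   and covers(a.dst, a.dwild, b.dst, b.dwild) for a in entries[:j])]

# Constructed sample (documentation addresses): mail to one relay, no FTP or web, rest of LAN traffic ok.
MAIL_POLICY = load_acl([
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.25 eq smtp",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq ftp",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq www",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 deny ip any any log",
])
```

Calling evaluate(MAIL_POLICY, Packet("tcp", "192.168.1.10", "203.0.113.25", 40000, 25)) returns ("permit", 1), the same packet to port 21 returns ("deny", 2), and a packet from a source outside the LAN falls through to the explicit line 5. Feeding shadowed() a list that starts with permit ip any any reports every later line as unreachable, which is the check to run before applying any list that was edited by hand.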

  Lab Activity

Lab Exercise: Configuring Extended Access Lists

This lab is to configure, and apply an extended ACL to permit or deny specific traffic.

 

  Lab Activity

Lab Exercise: Simple Extended Access Lists

This lab is to configure, and apply extended access lists to filter network to network, host to network, and network to host traffic.

 

  Lab Activity

e-Lab Activity: Configuring an Extended Access List

In this lab, the student will plan, configure, and apply and extended ACL to permit or deny specific traffic and test the ACL to determine if the desired results were achieved.

 

  Lab Activity

e-Lab Activity: Extended ACL

In this lab, the students will configure an extended access-control list for the local router "Mexico".

 

  Lab Activity

e-Lab Activity: Extended ACL's

In this lab, the students will configure an extended access-control list for the local router "Jakarta".

 

  Lab Activity

e-Lab Activity: Extended ACL

In this lab, the students will configure an extended access-control list for the local router "Kuwait".

 

  Lab Activity

e-Lab Activity: Extended ACL

In this lab, the students will configure an extended access-control list for the local router "Abuja".

 

  Web Links

access-list Command

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1072413

 

 

11.2 Access Control Lists (ACLs)  
  11.2.3 Named ACLs  
  IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers. The advantages that a named access list provides are:
  • Intuitively identify an ACL using an alphanumeric name.
  • Eliminate the limit of 798 simple and 799 extended ACLs.
  • Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them. Note that a named access list allows individual statements to be deleted, but new statements can still only be added at the end of the list. Even with named ACLs it is a good idea to prepare them in a text editor.

Consider the following before implementing named ACLs.

Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.

The same name may not be used for multiple ACLs. For example, it is not permissible to specify both a standard and extended ACL named George.

It is important to be aware of named access lists because of the advantages just discussed. Advanced access list operations such as named ACLs will be presented in the CCNP curriculum.

A named ACL is created with the ip access-list command. This places the user in the ACL configuration mode. In ACL configuration mode, specify one or more conditions to be permitted or denied. This determines whether the packet is passed or dropped when the ACL statement matches.

The configuration shown creates a standard ACL named “Internetfilter” and an extended ACL named “marketing_group”, and shows how the named access lists are applied to an interface.

  Lab Activity

Lab Exercise: Configuring a Named Access List

In this lab, the student will create a named ACL to permit or deny specific traffic.

 

  Lab Activity

Lab Exercise: VTY Restriction

In this lab, the student will use the access-class and line commands to control telnet access to the router.

 

  Lab Activity

Lab Exercise: Simple DMZ Extended Access Lists

In this lab, the student will use extended access lists to create a simple DeMilitarized Zone (DMZ).

 

  Lab Activity

Lab Exercise: Multiple Access Lists Functions (Challenge Lab)

In this lab, the student will configure and apply an extended access control list to control Internet traffic using one or more routers.

   

  Lab Activity

e-Lab Activity: Named ACL

In this lab, the students will configure a named access-control list for the local router "Ougoudou".

 

  Lab Activity

e-Lab Activity: Configuring a Named Access List

In this lab, the students will create a named ACL to permit or deny specific traffic and test the ACL to determine if the desired results were achieved.

 

  Web Links

ip access-list Command

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1018731

 

 

11.2 Access Control Lists (ACLs)  
  11.2.4 Placing ACLs  
  ACLs are used to control traffic by filtering packets and eliminating unwanted traffic on a network. Another important consideration of implementing ACLs is where the access list is placed. If the ACLs are placed in the proper location, not only can traffic be filtered, but it can make the whole network more efficient. If traffic is going to be filtered, the ACL should be placed where it has the greatest impact on increasing efficiency.

Suppose the enterprise policy aim is to deny telnet or FTP traffic from Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D. At the same time, other traffic must be permitted. Several approaches can accomplish this policy. The recommended approach uses an extended ACL specifying both source and destination addresses. Place this extended ACL in Router A. Then, packets do not cross Router A's Ethernet, do not cross the serial interfaces of Routers B and C, and do not enter Router D. Traffic with different source and destination addresses will still be permitted.

The general rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible. For example, a standard ACL should be placed on Fa0/0 of Router D to prevent traffic from Router A.

An administrator can only place an access list on a device that they control. Therefore access list placement must be determined in the context of where the network administrator’s control extends.

   Interactive Media Activity

Point and Click: ACL Placement

After completing this activity, the student will be able to place ACLs.

 

  Web Links

ACLs Usage Guidelines

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1018684

 

11.2 Access Control Lists (ACLs)  
  11.2.5 Firewalls  
  A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders. In most circumstances, intruders come from the global Internet and the thousands of remote networks that it interconnects. Typically, a network firewall consists of several different machines that work together to prevent unwanted and illegal access.

In this architecture, the router that is connected to the Internet, referred to as the exterior router, forces all incoming traffic to go to the application gateway. The router that is connected to the internal network, the interior router, accepts packets only from the application gateway. In effect, the gateway controls the delivery of network-based services both into and from the internal network. For example, only certain users might be allowed to communicate with the Internet, or only certain applications might be permitted to establish connections between an interior and exterior host. If the only application that is permitted is mail, then only mail packets should be allowed through the router. This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.

ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet. The firewall router provides a point of isolation so that the rest of the internal network structure is not affected. ACLs can be used on a router positioned between the two parts of the network to control traffic entering or exiting a specific part of the internal network.

A configuration of ACLs on border routers, which are routers situated on the boundaries of the network, is necessary to provide security benefits. This provides basic security from the outside network, or from a less controlled area of the network, into a more private area of the network. On these border routers, ACLs can be created for each network protocol configured on the router interfaces.

  Web Links

Cisco IOS Firewall

http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

 

11.2 Access Control Lists (ACLs)  
  11.2.6 Restricting virtual terminal access  
  Standard and extended access lists apply to packets traveling through a router. They are not designed to block packets that originate within the router. An outbound Telnet extended access list does not prevent router initiated Telnet sessions, by default.

Just as there are physical ports or interfaces, such as Fa0/0 and S0/0, on the router, there are also virtual ports, called vty lines. Most routers have five vty lines by default, numbered 0 through 4, as shown in the figure. For security purposes, a user can be permitted virtual terminal access to the router while still being denied access to other destinations from that router.

The purpose of restricting vty access is increased network security. Every vty session reaches the router the same way, by Telnet in this course, whatever line it lands on, so a single access list keyed on the source address of the connection is all that is needed; there is only one type of vty access list. Identical restrictions should be placed on all vty lines, because it is not possible to control which line a user will connect on.

The process to create the vty access list is the same as described for an interface. However, applying the ACL to a terminal line requires the access-class command instead of the access-group command.

The following should be considered when configuring access lists on vty lines:

  • When controlling access to an interface, a name or number can be used.
  • Only numbered access lists can be applied to virtual lines.
  • Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.
  Lab Activity

e-Lab Activity: Access Control Lists

In this lab, the students will practice using ACLs to filter IP traffic.

 

  Web Links

Strategies & Issues: Ports of Entry - Routers in the Crosshairs

http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=8703354&classroom=

 

Summary
  An understanding of the following key points should have been achieved:
  • ACLs perform several functions within a router, including implementing security/access procedures.
  • ACLs are used to control and manage traffic.
  • For some protocols, two ACLs can be applied to an interface: one inbound ACL and one outbound ACL.
  • With ACLs, after a packet is matched to an ACL statement, it is either permitted to pass through the router or denied and dropped.
  • Wildcard mask bits use the number one (1) and the number zero (0) to identify how to treat the corresponding IP address bits.
  • Access list creation and application is verified through the use of various IOS show commands.
  • The two main types of ACLs are standard and extended.
  • Named ACLs allow for the use of a name to identify the access list instead of a number.
  • ACLs can be configured for all routed network protocols.
  • ACLs are placed where they allow the most efficient control.
  • ACLs are typically used in firewall routers.
  • Access lists can also restrict virtual terminal access to the router.