What are Access Lists?

The increasing need for companies to share information results in more Internet connections and the creation of more extranets. Consequently, a higher awareness of security and bandwidth conservation is developed. Access lists (ACLs) can be used to increase security by denying unwanted traffic access to your network. They can also be used to restrict permission across a WAN link to a defined traffic group, resulting in bandwidth optimization. However, Cisco does NOT recommend access lists as a standalone security mechanism. They should be used to supplement normal security features.

Simply stated, access lists are a method of filtering traffic. Cisco's IOS supports statements that can be applied to a router to control traffic. Access lists allow you to define a specific group of traffic and apply a condition based upon the defined traffic group. Using ACLs, traffic can be permitted or denied based on this traffic grouping.

Common access list applications include filtering traffic on a router's interface for bandwidth conservation, filtering telnet on virtual terminal lines, configuring Dial On Demand Routing (DDR), and configuring policy based routing using route maps to control the flow of routing updates.

Cisco's IOS supports multiple protocol type access lists. Access lists can be configured for IP, IPX, or AppleTalk traffic. Depending upon the type of ACL used, you can filter traffic based upon protocol type, port number, source address, destination address, and various other criteria. This lesson will focus on the most common type of ACL, IP ACLs.

1. Define access lists and explain how they can aid in network performance.

Access lists are a method of filtering traffic. Cisco's IOS supports statements that can be applied to a router for the purpose of controlling traffic.
Common applications of access lists include filtering traffic on a router's interface for bandwidth conservation, filtering telnet on virtual terminal lines, configuring Dial On Demand Routing (DDR), and configuring policy based routing using route maps to control the flow of routing updates.

Introduction to How Access Lists Work

Now that we understand what ACLs are, let's view how they work. To effectively use ACLs you must fully understand how they operate. For ACLs to operate, you must create the access list and apply the access list to a router interface. As a preparation step you should plan the list with paper and pencil and step through a mental test of the access list to determine if it will yield the expected results. This step is not necessary to make an operational access list, but is critical to making it successful!

Creating Access List Statements

Access lists consist of permit and/or deny statements. These statements are executed in a top-down fashion. As traffic encounters the access list, the access list is parsed top to bottom, looking for a match. The first match encountered determines whether the traffic is permitted or denied. Therefore, the order of your access list statements is extremely important. Access lists should be built from most specific to least specific. This will keep unintentional matching to a minimum. If no match is found, there is an implicit "deny everything" at the end of all access list statements. The figure below illustrates this process.

Figure: Top-down access list statement execution.

Applying Access Lists to Interfaces

After the access list has been created with statements, it must be applied to a router interface so that traffic encountering that router interface will be permitted or denied based upon the list conditions. When applying an access list you must also specify whether the access list applies to traffic coming in to or going out of the router interface. Remember, all directions are from the router's perspective.
Virtual interfaces, such as vty lines in the router used for telnetting purposes, can also have access lists applied to control traffic flow. The figure below shows inbound access list flow.

Figure: Inbound access list flow.

When you use an outbound access list, the packet must enter the router and do a lookup in the routing table to determine the destination interface. If an access list has been applied to the interface to deny the packet, then routing processing has been wasted. It is best to use an inbound access list whenever possible, because the routing lookup for denied traffic is inefficient. The figure below shows outbound access list flow.

Figure: Outbound access list flow.

Configuring ACLs using Cisco's IOS

In Cisco's IOS the syntax to create an ACL is:

    (config)#access-list <list number> [permit | deny] {specified traffic}

This command is executed in global configuration mode. To build multiple statements in the same access list, use the same access list number. The access list number represents what type of access list you are creating. There are predefined ranges of numbers to denote what type of protocol traffic the access list is configured to filter. For example, if the access list number is 1-99 or 100-199, then the access list is an IP access list, as shown in the following table. When the access list is applied, a match against the specified traffic will be determined and the operation (permit or deny) will be executed.

    Protocol           ACL Number Range
    IP Standard        1-99
    IP Extended        100-199
    IPX Standard       800-899
    IPX Extended       900-999
    IPX SAP filters    1000-1099
    AppleTalk          600-699
    DECnet             300-399

To apply the list to an interface:

    (config-if)#{protocol type} access-group <list number> [in | out]

This command is executed in interface configuration mode. The protocol type parameter specifies what type of protocol traffic is being evaluated with the access list. Examples of protocol types are IP, IPX, and AppleTalk.
The access list number in this command references the access list number you want to apply to this router interface. You have to specify which access list you want to apply to the interface, as you are able to configure multiple access lists per router. The last parameter [in | out] specifies which direction you want to apply the access list. If you want all traffic coming in to the router interface to be filtered, choose in. If you want to filter traffic going through your router, out of the applied interface, then choose out.

NOTE: You never truly filter traffic originating from a router, only traffic going through the router in the outbound direction.

Wildcard Masks

When configuring access lists, a wildcard mask is used instead of a normal subnet mask. In a wildcard mask the bit values are swapped, thus a one means to ignore and a zero means to check the corresponding bit value. If you have difficulty calculating a wildcard mask, simply calculate the subnet mask and "flip the bits." For example, if we wanted to create an access list that denied all traffic in the entire class B subnet 128.90.0.0, the wildcard mask is calculated as follows:

    IP Address      128.90.0.0     10000000.01011010.00000000.00000000
    Subnet Mask     255.255.0.0    11111111.11111111.00000000.00000000
                    "FLIP THE BITS"
    Wildcard Mask   0.0.255.255    00000000.00000000.11111111.11111111

In this example the first 16 bits will be checked for matches. If the IP address matches these bits then the condition (permit or deny) will be applied to the traffic.

Let's take a look at a more complex example. Suppose you wanted to deny a range of addresses within a class B subnet, 128.90.32.0 to 128.90.32.31. First, find the common bits. Then determine the wildcard mask by checking the common bits (zero) and ignoring the other bits (one).

    Decimal         Binary
    128.90.32.0     10000000.01011010.00100000.00000000
    128.90.32.1     10000000.01011010.00100000.00000001
    128.90.32.2     10000000.01011010.00100000.00000010
    128.90.32.3     10000000.01011010.00100000.00000011
    ...
    128.90.32.30    10000000.01011010.00100000.00011110
    128.90.32.31    10000000.01011010.00100000.00011111

    Wildcard Mask (check common bits: 0 = check, 1 = ignore)
    0.0.0.31        00000000.00000000.00000000.00011111

In some instances you may need to permit a specific host or permit all traffic. The wildcard mask to check all bits, thus indicating a specific host, would be all zeros. In Cisco's IOS you can use the keyword host or the 0.0.0.0 wildcard mask to denote a single host. The default wildcard mask for access list IP addresses is 0.0.0.0 (host). The three statements that follow are the same; only traffic from 192.168.7.1 is permitted.

    access-list 1 permit 192.168.7.1 0.0.0.0
    access-list 1 permit host 192.168.7.1
    access-list 1 permit 192.168.7.1

To denote all traffic you can use the keyword any, or the 0.0.0.0 IP address with the 255.255.255.255 wildcard mask. The following statements are identical and permit all IP traffic.

    access-list 2 permit 0.0.0.0 255.255.255.255
    access-list 2 permit any

Generally speaking, there are two types of ACLs, standard and extended. Standard ACLs are easy to understand and easy to configure; they filter based on more generic traffic group information. Extended ACLs are more difficult to configure, but allow you to filter based upon more specific traffic group information, allowing for greater granularity.

How ACLs operate - Access lists consist of permit and/or deny statements. These statements are executed in a top-down fashion. As traffic encounters the access list, the access list is parsed top to bottom, looking for a match. The first match encountered determines whether the traffic is permitted or denied.

Overview of Standard IP Access Lists

Standard IP ACLs filter traffic based upon source IP address only. The number range for standard IP ACLs is 1-99. Standard IP ACLs filter the entire TCP/IP protocol suite. There is no method using standard IP ACLs to filter only a specific port or protocol.
Two of the benefits of standard ACLs are that they are easy to understand and easier to maintain. The Cisco IOS command to configure a standard IP access list:

    (config)#access-list <1-99> [permit | deny]
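The following Python simulator is an added example for this lesson; it is not code from the lesson or from Cisco IOS. It ties together the two mechanisms described above: the wildcard mask arithmetic from the "Wildcard Masks" section (flipping a subnet mask, deriving a mask for the 128.90.32.0 to 128.90.32.31 range, the host and any forms) and the top-down, first-match, implicit-deny evaluation from "Creating Access List Statements". It parses numbered standard IP ACL statements in the forms shown on this page and evaluates a packet's source address against them. The sample configuration, the packet addresses, and the helper names (wildcard_for_range, shadowed_statements and so on) are constructed for the example; the only real syntax is the access-list statement format itself.

```python
"""Standard IP ACL simulator: wildcard masks and top-down evaluation.

Added example, not code from the original lesson or from Cisco. Rules modelled:
a wildcard bit of 0 means "check", 1 means "ignore"; statements are walked top
to bottom; the first match wins; anything unmatched hits the implicit deny.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(mask: str) -> str:
    """'Flip the bits': 255.255.0.0 -> 0.0.255.255."""
    return int_to_ip(ip_to_int(mask) ^ ALL_ONES)


def wildcard_for_range(first: str, last: str) -> str:
    """Wildcard that checks the bits common to every address in first..last.

    Bits that differ between the endpoints, and every lower bit, become 1
    (ignore). One wildcard can only express a power-of-two aligned block, so
    any other range is rejected instead of being silently widened.
    """
    lo, hi = ip_to_int(first), ip_to_int(last)
    differ = lo ^ hi
    wild = (1 << differ.bit_length()) - 1 if differ else 0
    if lo & wild or hi != lo | wild:
        raise ValueError(f"{first}-{last} is not a single wildcard block")
    return int_to_ip(wild)


def wildcard_match(packet_src: str, address: str, wildcard: str) -> bool:
    """True when every 'check' bit of packet_src equals the statement address."""
    check_bits = ip_to_int(wildcard) ^ ALL_ONES
    return (ip_to_int(packet_src) ^ ip_to_int(address)) & check_bits == 0


class Entry(NamedTuple):
    number: int
    action: str
    address: str
    wildcard: str


def parse_standard_acl(config_text: str) -> List[Entry]:
    """Parse numbered standard ACL statements in the forms the lesson shows."""
    entries: List[Entry] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[1] if "#" in raw else raw  # drop a pasted prompt
        tokens = line.strip().lower().split()
        if not tokens or tokens[0].startswith("!"):  # blank or IOS comment
            continue
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"not a permit/deny access-list statement: {raw!r}")
        number = int(tokens[1])
        if not 1 <= number <= 99:
            raise ValueError(f"list {number} is outside the standard IP range 1-99")
        rest = tokens[3:]
        if rest == ["any"]:
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            address, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            address, wildcard = rest[0], "0.0.0.0"  # default wildcard is host
        else:
            address, wildcard = rest[0], rest[1]
        entries.append(Entry(number, tokens[2], address, wildcard))
    return entries


def evaluate(entries: List[Entry], list_number: int, packet_src: str) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; ("deny", None) means the implicit deny."""
    for index, entry in enumerate(entries):
        if entry.number == list_number and wildcard_match(packet_src, entry.address, entry.wildcard):
            return entry.action, index
    return "deny", None


def shadowed_statements(entries: List[Entry]) -> List[Tuple[int, int]]:
    """(earlier, later) pairs where the earlier statement already matches every
    source the later one could, so the later one is unreachable. This is the
    ordering mistake the most-specific-first rule avoids."""
    found = []
    for j, later in enumerate(entries):
        wj, aj = ip_to_int(later.wildcard), ip_to_int(later.address)
        for i, earlier in enumerate(entries[:j]):
            wi, ai = ip_to_int(earlier.wildcard), ip_to_int(earlier.address)
            if earlier.number == later.number and (wi | wj) == wi and (ai ^ aj) & (wi ^ ALL_ONES) == 0:
                found.append((i, j))
    return found


# Constructed sample using the lesson's addresses, ordered most to least specific.
SAMPLE_CONFIG = """
! constructed sample, not a real device configuration
access-list 1 permit host 192.168.7.1
access-list 1 deny 128.90.32.0 0.0.0.31
access-list 1 permit 128.90.0.0 0.0.255.255
"""


def main() -> None:
    entries = parse_standard_acl(SAMPLE_CONFIG)
    for src in ("192.168.7.1", "128.90.32.17", "128.90.200.5", "10.0.0.1"):
        action, index = evaluate(entries, 1, src)
        where = f"statement {index + 1}" if index is not None else "implicit deny"
        print(f"{src:>14} -> {action:6} ({where})")
    print("shadowed statements:", shadowed_statements(entries))


if __name__ == "__main__":
    main()
```

Running the block shows 192.168.7.1 permitted by statement 1, 128.90.32.17 denied by statement 2, 128.90.200.5 permitted by statement 3, and 10.0.0.1 denied by the implicit deny with no statement matching. Swapping statements 2 and 3 makes shadowed_statements report the deny as unreachable, which is exactly the ordering error the lesson warns about; wildcard_for_range goes one step beyond the page by refusing a range such as 128.90.32.0 to 128.90.32.30 that a single wildcard cannot express without matching extra addresses.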