Cisco Access Control Lists

Subnetting and access control lists (ACLs) are easily among the most difficult topics on the CCNA exam. They are required for multiple different topics and are absolutely key to passing your exam. You will learn how to configure and interpret (read) ACLs for the CCNA and CCNP exam.


Introduction
Wildcard Masks
Classful Wildcard Examples
Classless Wildcard Examples
Standard Numbered ACL
Standard Named ACL
Extended Numbered ACL

Introduction

Cisco ACLs are characterized by single or multiple permit/deny statements. The purpose is to filter inbound or outbound packets on a selected network interface. There are a variety of ACL types that are deployed based on requirements. Only two ACLs are permitted on a Cisco interface per protocol. For example, a single IP ACL applied inbound and a single IP ACL applied outbound. The following are Cisco recommended best practices for creating and applying ACLs.

  • Apply extended ACL near source
  • Apply standard ACL near destination
  • Order ACL with multiple statements from most specific to least specific.
  • Maximum of two ACLs can be applied to a Cisco network interface.
  • Only one ACL can be applied ingress or egress per interface per L3 protocol.

Standard ACLs are an older, very general type. As a result they can inadvertently filter traffic incorrectly. Applying the standard ACL near the destination is recommended to prevent possible over-filtering. The extended ACL should be applied closest to the source. Extended ACLs are granular (specific) and provide more filtering options: source address, destination address, protocols and port numbers. Applying extended ACLs nearest to the source prevents traffic that should be filtered from traversing the network. That conserves bandwidth and the additional processing otherwise required at each router hop from source to destination.

Some access control lists are comprised of multiple statements. The ordering of statements is key to ACL processing. The router starts from the top (first) and cycles through all statements until a matching statement is found. The packet is dropped when no match exists. Order all ACL statements from most specific to least specific. Assigning least specific statements first will sometimes cause a false match to occur. As a result the match on the intended ACL statement never occurs.

The more specific ACL statement is characterized by source and destination address with shorter wildcard masks (more zeros). That configures specific subnets to match. In addition, application protocols or port numbers are also specified. The first ACL statement is more specific than the second ACL statement.

        access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23 
        access-list 100 deny tcp any any eq 23   
        access-list 100 permit ip any any  
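The ordering rule, as an added example that is not part of the original article: a small Python evaluator that parses the three statements above and applies them top-down with first-match semantics, falling through to the implicit deny that every ACL carries. Re-ordering the same entries so that the general deny comes first shows the Telnet permit for 192.168.1.0/24 never being reached. The function names and the sample packets are my own.

```python
import ipaddress  # used only to convert dotted-quad strings to 32-bit integers

def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    # A 0 bit in the wildcard means that address bit must equal the base; a 1 bit is "don't care".
    return ((to_int(ip) ^ to_int(base)) & ~to_int(wildcard) & 0xFFFFFFFF) == 0

def parse_addr(tokens):
    # Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard).
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line: str) -> dict:
    # e.g. 'access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23'
    t = line.split()
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport):
    # Top-down, first match wins. Falling off the end is the implicit 'deny any' every ACL carries.
    for n, ace in enumerate(map(parse_ace, acl), start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None

# The article's ACL, most specific first, and the same entries with the general deny moved up.
ACL_100 = [
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23",
    "access-list 100 deny tcp any any eq 23",
    "access-list 100 permit ip any any",
]
ACL_100_MISORDERED = [ACL_100[1], ACL_100[0], ACL_100[2]]

if __name__ == "__main__":
    # Constructed sample packet: Telnet from a host in 192.168.1.0/24 to the server 10.10.64.1.
    print(evaluate(ACL_100, "tcp", "192.168.1.10", "10.10.64.1", 23))             # ('permit', 1)
    print(evaluate(ACL_100_MISORDERED, "tcp", "192.168.1.10", "10.10.64.1", 23))  # ('deny', 1)
```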

Dynamic ACLs provide temporary access to the network for a remote user. The configured ACL defines the type of access permitted and the source IP address. In addition, a timeout value limits the amount of time network access is allowed. The remote user signs on with a configured username and password.

ACL Wildcard Masks

The wildcard mask is a technique for matching a specific IP address or a range of IP addresses. Cisco access control lists (ACLs) filter based on the IP address range described by a wildcard mask. The wildcard mask is an inverted mask: a 0 bit means the corresponding address bit must match, and a 1 bit means that bit is not checked. The wildcard 0.0.0.0 is used to match a single IP address. The wildcard mask for the subnet mask 255.255.224.0 is 0.0.31.255 (invert the bits, so each 1 becomes 0 and each 0 becomes 1), as shown in the following example.

11111111.11111111.11100000.00000000 = 255.255.224.0 (subnet mask)           
00000000.00000000.00011111.11111111 = 0.0.31.255 (wildcard mask)           

All hosts and network devices have network interfaces that are assigned an IP address. Each subnet has a range of host IP addresses that are assignable to network interfaces. ACL wildcards are configured to filter (permit/deny) based on an address range. That could include hosts, subnets or multiple subnets.

There are classful and classless subnet masks along with associated wildcard masks. Classful wildcard masks are based on the default mask for a specific address class. Anytime a nondefault wildcard mask (or subnet mask) is applied to an address class, it is classless addressing.

CIDR   Subnet Mask        Wildcard Mask
/32    255.255.255.255    0.0.0.0
/31    255.255.255.254    0.0.0.1
/30    255.255.255.252    0.0.0.3
/29    255.255.255.248    0.0.0.7
/28    255.255.255.240    0.0.0.15
/27    255.255.255.224    0.0.0.31
/26    255.255.255.192    0.0.0.63
/25    255.255.255.128    0.0.0.127
/24    255.255.255.0      0.0.0.255
/23    255.255.254.0      0.0.1.255
/22    255.255.252.0      0.0.3.255
/21    255.255.248.0      0.0.7.255
/20    255.255.240.0      0.0.15.255
/19    255.255.224.0      0.0.31.255
/18    255.255.192.0      0.0.63.255
/17    255.255.128.0      0.0.127.255
/16    255.255.0.0        0.0.255.255
/15    255.254.0.0        0.1.255.255
/14    255.252.0.0        0.3.255.255
/13    255.248.0.0        0.7.255.255
/12    255.240.0.0        0.15.255.255
/11    255.224.0.0        0.31.255.255
/10    255.192.0.0        0.63.255.255
/9     255.128.0.0        0.127.255.255
/8     255.0.0.0          0.255.255.255
/7     254.0.0.0          1.255.255.255
/6     252.0.0.0          3.255.255.255
/5     248.0.0.0          7.255.255.255
/4     240.0.0.0          15.255.255.255
/3     224.0.0.0          31.255.255.255
/2     192.0.0.0          63.255.255.255
/1     128.0.0.0          127.255.255.255
/0     0.0.0.0            255.255.255.255

Example 1: Classful Wildcard Mask

The following wildcard 0.0.0.255 matches only the 192.168.3.0/24 subnet and nothing else. This could be used with an ACL, for example, to permit or deny a subnet.

    192   .       168    .       3       .     0           
11000000.10101000.00000011.00000000           
00000000.00000000.00000000.11111111 = 0.0.0.255           
192.168.3.0  0.0.0.255 = match on 192.168.3.0 subnet only

Example 2: Classful Wildcard Mask

The following wildcard 0.0.0.255 matches only the 200.200.1.0/24 subnet and nothing else. This could be used with an ACL, for example, to permit or deny a public host address or subnet.

      200      .       200    .       1         .       0           
11001000.11001000.00000001.00000000           
00000000.00000000.00000000.11111111 = 0.0.0.255           
200.200.1.0  0.0.0.255 = match on 200.200.1.0 subnet only                 

Example 3: Classful Wildcard Mask

The following wildcard 0.0.255.255 matches all 172.16.0.0/16 subnets and nothing else. This could be used with an ACL, for example, to permit or deny multiple subnets.

     172    .        16     .        0       .       0           
10101100.00010000.00000000.00000000           
00000000.00000000.11111111.11111111 = 0.0.255.255           
172.16.0.0  0.0.255.255 = match on 172.16.0.0 subnet only

Example 1: Classless Wildcard Mask

Anytime you apply a nondefault wildcard, that is referred to as classless addressing. In this example, 192.168.1.0 is a class C network address. All class C addresses have a default subnet mask of 255.255.255.0 (/24); correspondingly, the default wildcard mask for a class C address is 0.0.0.255.

To permit or deny a range of host addresses within the 4th octet requires a classless wildcard mask. For this example, wildcard 0.0.0.15 matches the host address range 192.168.1.1/28 to 192.168.1.14/28 and nothing else. The low-order four bits of the 4th octet give 16 addresses, of which 14 are host addresses, because the network and broadcast addresses cannot be assigned to a network interface. This could be used with an ACL, for example, to permit or deny a specific range of host addresses only.

      192     .      168     .       1        .  0           
11000000.10101000.00000001.0000 0000           
00000000.00000000.00000000.0000 1111 = 0.0.0.15           
192.168.1.0  0.0.0.15 = match 192.168.1.1/28 to 192.168.1.14/28                               

Example 2: Classless Wildcard Mask

The following wildcard mask 0.0.0.3 matches the host address range 192.168.4.1/30 to 192.168.4.2/30 and nothing else. The low-order two bits of the 4th octet give 4 addresses, of which 2 are host addresses, because the network and broadcast addresses cannot be assigned to a network interface. This could be used, for example, to permit or deny specific host addresses on a WAN point-to-point connection.

      192     .       168     .        4        .      0           
11000000.10101000.00000100.000000 00           
00000000.00000000.00000000.000000 11 = 0.0.0.3           
192.168.4.0 0.0.0.3 = match 192.168.4.1/30 and 192.168.4.2/30                    

Example 3: Classless Wildcard Mask

The network administrator must configure an ACL that permits traffic from host range 172.16.1.33 to 172.16.1.38 only. What is the ACL and wildcard mask that would accomplish this?

Answer: The following wildcard mask 0.0.0.7 matches the host address range 172.16.1.33 to 172.16.1.38 and nothing else. The low-order three bits of the 4th octet give 8 addresses, of which 6 are host addresses, because the network and broadcast addresses cannot be assigned to a network interface. This could be used, for example, to permit or deny specific host addresses within a subnet.

       172   .       16       .       1        .      32            
10101100.00010000.00000001.00100 000           
00000000.00000000.00000000.00000 111 = 0.0.0.7                    
172.16.1.32 0.0.0.7 = match on 172.16.1.33/29 to 172.16.1.38/29

The following standard ACL permits traffic from the 172.16.1.33/29 to 172.16.1.38/29 address range. Invert the wildcard mask to calculate the subnet mask (0.0.0.7 = 255.255.255.248 = /29), or count the zero bits.

             access-list 10 permit 172.16.1.32 0.0.0.7
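Added example (not from the original article) that carries the wildcard arithmetic of the Wildcard Masks section and the classless examples above through in Python: prefix length to subnet mask and wildcard mask as in the table, a contiguity check that tells a subnet wildcard from a scattered one, the address range an ACL "base wildcard" pair matches (which is why 172.16.1.33 0.0.0.7 and 172.16.1.32 0.0.0.7 are the same entry), and the usable host range inside it. The function names are my own.

```python
import ipaddress

def _i(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def _s(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def prefix_to_masks(prefix: int) -> tuple:
    # /19 -> ('255.255.224.0', '0.0.31.255'): the wildcard is the bitwise inverse of the subnet mask.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return _s(mask), _s(mask ^ 0xFFFFFFFF)

def is_contiguous(wildcard: str) -> bool:
    # True when all 1 bits sit at the low end (0.0.0.7 = 00000111). A wildcard such as 0.0.0.5
    # (00000101) is legal in an ACL but matches a scattered set of addresses, not one subnet.
    w = _i(wildcard)
    return w & (w + 1) == 0

def wildcard_to_prefix(wildcard: str) -> int:
    # Count the zero bits, as the article does for 0.0.0.7 -> /29.
    if not is_contiguous(wildcard):
        raise ValueError(f"{wildcard} has no single CIDR prefix length")
    return 32 - _i(wildcard).bit_length()

def matched_range(base: str, wildcard: str) -> tuple:
    # Every address equal to the base in the wildcard's 0-bit positions matches, so the range runs
    # from the base with the wildcard bits cleared to the base with the wildcard bits set.
    # Clearing those bits is what turns 172.16.1.33 0.0.0.7 into the stored entry 172.16.1.32 0.0.0.7.
    b, w = _i(base), _i(wildcard)
    return _s(b & ~w & 0xFFFFFFFF), _s(b | w)

def usable_hosts(base: str, wildcard: str) -> tuple:
    # For a subnet-sized match (4 or more addresses) the first address is the network and the last
    # the broadcast, neither assignable to an interface; smaller matches are returned as-is.
    first, last = matched_range(base, wildcard)
    if _i(wildcard) >= 3:
        return _s(_i(first) + 1), _s(_i(last) - 1)
    return first, last

if __name__ == "__main__":
    print(prefix_to_masks(19))                       # ('255.255.224.0', '0.0.31.255')
    print(wildcard_to_prefix("0.0.0.7"))             # 29
    print(matched_range("172.16.1.33", "0.0.0.7"))   # ('172.16.1.32', '172.16.1.39')
    print(usable_hosts("172.16.1.32", "0.0.0.7"))    # ('172.16.1.33', '172.16.1.38')
```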

Standard Numbered ACL

The standard access list uses the number ranges 1-99 and 1300-1999. It permits or denies traffic based on the source address only, with an optional wildcard mask used to match subnet ranges. An implicit deny all clause is added to the end of every standard ACL by default, so any traffic that is not explicitly permitted is dropped. A standard ACL made up entirely of deny statements must therefore end with a permit any statement, otherwise every packet is dropped. That final permit any also allows packets that match no earlier clause in the ACL but should be permitted.

             access-list 99 deny host 172.33.1.1           
             access-list 99 permit any                

Standard Named ACL

This is an ACL configured with a name instead of a number; it follows the same rules as a standard numbered ACL. The following named ACL, internet, denies all traffic from all hosts on the 192.168.1.0/24 subnet. In addition, it logs any packets that are denied.

             ip access-list standard internet
              deny 192.168.1.0 0.0.0.255 log
              permit any

Named ACLs allow individual statements to be added or deleted without deleting and rewriting the whole list. There is less CPU utilization required as well. They are easier to manage and simplify troubleshooting of network issues.

Extended Numbered ACL

The number range is from 100-199 and 2000-2699. It supports multiple permit and deny statements with source and/or destination IP address. In addition you can filter based on IP, TCP or UDP application-based protocol or port number.

Cisco supports a variety of access control lists (ACL) including standard, extended, named, dynamic, and timed. They are all comprised of single or multiple permit and/or deny statements. The interface applies each ACL rule to inbound or outbound packets looking for a match. There is an implicit deny all clause added to the end of any extended ACL by default. That will deny all packets that do not match any ACL rule.

The problem is that you do not typically want to filter all traffic and have packets dropped when no match exists. The solution is to configure permit ip any any as the last statement of an extended ACL, or permit any as the last statement of a standard ACL. This applies to any ACL comprised entirely of deny statements. It also applies to any ACL with permit statements where a packet matches none of them.

Figure 1  Extended Numbered ACL


Example 1: Extended Numbered ACL

The following extended ACL permits http traffic from host 10.1.1.1 to host 10.1.2.1 (server) address.

             access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 80

The access control list (ACL) statement reads from left to right as: permit TCP traffic from the source host 10.1.1.1 only to the destination host 10.1.2.1 on port 80 (HTTP). The tcp keyword refers to TCP-based applications. The udp keyword is used for UDP-based applications such as SNMP.

Table 1  Application Port Numbers and ACL Keywords

