Securing Networks Access List Implementation on Cisco Routers
This article is the second part in a series centered in IT Security and focused on access control lists or ACLs. In my previous article on ACL Concepts, we looked at the definition of an ACL, why we use them, when to use them, general types and structure, and general router interface placement. In this article, we will investigate the actual configuration of standard and extended IP ACLs and their placement on Cisco router interfaces. ACL configuration and deployment are an important part of Cisco and other router certifications.
ACLs and Protocols
Internet Protocol version 4 (IPv4) ACLs are the most common types of ACLs in use in the networking world today, but there are several different protocols supported on Cisco routers for ACLs. In addition, each ACL utilizes a name specified by a numeric range as shown in Table 1.
|Protocols with Access Lists Specified by Numbers|
|IP||1 to 99|
|Extended IP||100 to 199|
|Ethernet type code||200 to 299|
|Ethernet address||700 to 799|
|Transparent bridging (protocol type)||200 to 299|
|Transparent bridging (vendor code)||700 to 799|
|Extended transparent bridging||1100 to 1199|
|DECnet and extended DECnet||300 to 399|
|XNS||400 to 499|
|Extended XNS||500 to 599|
|AppleTalk||600 to 699|
|Source-route bridging (protocol type)||200 to 299|
|Source-route bridging (vendor code)||700 to 799|
|IPX||800 to 899|
|Extended IPX||900 to 999|
|IPX SAP||1000 to 1099|
|Standard VINES||1 to 100|
|Extended VINES||101 to 200|
|Simple VINES||201 to 300|
In addition, IPv6 ACLs are not restricted to numerical ranges and can include alpha-numerical characters as well for the name of the list. It may be important to note that other routers like Juniper and Force10 allow for alpha-numeric names in most if not all ACLs, and that the ACL name convention is not a standard applied to all network routers.
Configuration Commands for Creating ACLs
Basing ACL names on the range of numbers may be confusing, but it is best to consider the way that the ACLs are created at the router configure prompt. ACLs are configured based on their protocol first. Some, but not all, ask for standard or extended qualifiers in their statements and then the numeric name is assigned. Here are some examples:
- Router (config)# ip access-list standard 6
- Router (config)# ip access-list extended 185
- Router (config)# ipx access-list standard 810
- Router (config)# ipx access-list extended 915
- Router (config)# vines access-list 65 —this is a standard vines list
- Router (config)# vines access-list 140 —this is an extended vines list
Configuring IP Standard ACLs on Cisco routers
Cisco IP Standard ACLs are used to filter traffic based on a single or range of source IP addresses in the IP packet header. Destination addresses are not considered in a standard ACL.
Let’s look at the format of an IP Standard ACL:
access-list [access-list-number] [deny/permit] [ wildcard mask]
Looking at the format, you can see the configuration statement begins with access-list command and the ACL number. In this case, the range for IP Standard ACLs is 1 to 99. You must then declare if this ACL statement will deny or permit the IP addresses that follow. The final two parts of the statement are associated with the source IP address and a wild card mask that determine if the address is a single host or a range of IP addresses. The following an example of a valid IP Standard ACL:
access-list 6 deny 172.16.0.2 0.0.0.0
access-list 6 deny 172.16.1.0 0.0.0.255
access-list 6 permit 172.16.2.0 0.0.0.127
access-list 6 deny any
In the first statement of this ACL, IP traffic from a single host of 172.16.0.2 is denied. The second statement denies a range of IP addresses in the 172.16.1.0 network. The range covers 256 IP addresses, 0 to 255 for that subnet. A shorter range is shown in the third statement, which permits 128 IP addresses from the 172.16.2.0 subnet (0-127). The final statement in the ACL gives an implicit deny to all IP addresses.
NOTE: ACL Statement flow
It is crucial that you understand how ACLs are parsed for matches when compared with an IP packet. All comparisons start at the top of the list and work down. Once a match is made, the traffic is either permitted or denied and then comparison stops. You must be careful in the placement of your ACLs
Configuring IP Extended ACLs on Cisco Routers
Cisco IP Extended ACLs are more complex than the Standard versions. The IP Extended ACL adds the ability to filter on destination IP address and includes some additional layer 3 and layer 4 protocol support, in particular TCP, UDP, and ICMP. This additional functionality makes IP Extended ACLs very powerful tools for IT security and network professionals. Let’s take a look at the format of the IP Extended ACL:
access-list [access-list-number] [deny/permit] [protocol] [ wildcard mask] [destination ip address] [wildcard mask] [destination port] [statement flag]
As you can see from this format, IP Extended ACL statements can become rather long, but are very effective in filtering specific types of traffic based on address and ports. Below are a few examples of IP Extended ACL statements:
access-list 165 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 165 deny ip 172.16.1.0 0.0.0.255 host 172.16.4.1 log
access-list 165 permit tcp 172.16.3.0 0.0.0.255 eq 80 any log
access-list 165 deny udp 172.16.6.0 0.0.0.127 172.16.5.0 0.0.0.31 eq 53 log
access-list 165 permit icmp any any host-unreachable
access-list 165 deny ip any any
What do we see happening in this IP Extended ACL? The first statement denies IP traffic from the 172.16.1.0 subnet to the entire 172.16.5.0 destination subnet and logs any matches in the router log. The second statement is similar, but denies traffic from the 172.16.1.0 subnet to a single host 172.16.4.1. It is important to note the difference that IP Extended ACLs use for identifying a single host compared to an IP Standard ACL. Single hosts in the Extended version utilize the host identifier before the IP address and no wildcard mask is required.
The next statements in the ACL show how TCP, UDP, and ICMP can be utilized in these ACLs. The third statement permits TCP traffic from the 172.16.3.0 subnet with a source port of 80 to any destination IP and then logs the traffic matches. Continuing down the list, the next statement denies the UDP traffic from the first 128 IP addresses in the 172.16.6.0 subnet to the 32 IP addresses in the 172.16.5.0 subnet with a destination port of 53, and then logs any matches.
These two statements utilize ports for both TCP and UDP as part of their match criteria. Cisco and other routers can associate well known ports for these protocols to acronyms for familiarity. In the TCP statement, port 80 is associated with HTTP traffic. A Cisco ACL would accept 80 or http in the ACL as a valid port. The UDP statement uses port 53, which is for DNS. Most routers will automatically translate the port number to these acronyms for you and you can see them in the ACL list when you perform a show ip access-list or show running config command.
The next statement is slightly different. This statement permits icmp traffic, which is associated with network ping. The statement allows ICMP traffic from any source and to any destination, but uses the flag host-unreachable. This flag identifies ICMP traffic that is replied from a ping request, that the target host cannot be contacted. The final statement in the list is an implicit deny of all traffic that was not matched in previous ACL statements.
Implementation of ACLs on a router interface
Now that we have seen the structure of these ACLs, we need to be able configure them to a router interface. To configure the ACL to the interface, you must enter that interface’s configuration mode on the router. The command to associate an IP ACL to an interface is in the following format:
ip access-group [access-list-number] [in/out]
Note the difference in the statement as the command is ip access-group not access-list as in the ACL configuration. Let’s look at a quick example of assigning an ACL to interface FastEthernet 0/0 on a Cisco router.
Router (config)#interface Fast Ethernet0/0
Router (config-if)#ip access-group 165 in
This example configures the IP Extended ACL 165 to the interface and places it in on the ingress side of the interface. To place the ACL on the egress side, the final flag at the end would be changed to out.
What Have We Learned?
In this article, we covered the configuration of both IP Standard and Extended ACLs and how to assign them to a Cisco router interface. These topics are extremely important to understand for network security and for the Cisco network certification exams. This brief introduction to IP ACLs can start you on the journey to better understanding of this topic, but in-depth Cisco networking training can provide you with the tools you need to grasp these concepts and master them.
In future articles, we will look at ACL tips and best practices that will provide real world examples and valuable information for achieving your certification.