Access List General

Access-List is a router configuration script that controls whether a router should permit or deny packets based on the information found in the packet header. ACLs are also used for selecting some types of traffic to be analyzed, forwarded or processed in other ways.

Access List enables you to control traffic flowing into or out of your network. it can permit or deny traffic from or destined to certain host/network, or it can even deny or permit traffic from or destined to certain port. and in addition to permitting or denying, access list can be used to classify traffic to enable priority processing.

Packet filtering controls access to a network by analyzing incoming or outgoing packets and decide to pass or to drop them based on some filter rules. these filter rules are defined using Access-List. a router can act as a packet filter. when a packet arrives at the router, the router extracts information from the packet header and decides according to the filter rules wether to pass or to halt the packet. Access-List works on layer 3 of the OSI layer model. but recall that, ACL can also use upper layer information such as the protocol used and the source/destination port number (service).

you can have one access-list per protocol, per direction (inbound and outboundand) and per interface (the three Ps). each interface has two direction which are in and out direction, while each direction may receive packets from different protocols (IP, IPX, AppleTalk). you can apply an ACL on interface FastEthernet0/0 at inbound direction for IP, and also an ACL for FastEthernet0/0 at inbound direction for IPX, because both are applied for different protocols.

Some guidelines on using ACLs:
  • use ACL in the firewall to control traffic flowing between you internal network and the external network.
  • use ACL on a router between certain parts of your internal network. this could be between a less controlled area in your network and a network that has more sensitive data.
  • use ACL for each network protocol at the border router interfaces.

How Access-List Works
you can set ACLs in inbound or outbound direction, the difference is:
  • inbound, incoming packets is checked for a match in the ACL before the packets are routed. therefore, an inbound ACL is efficient because a dropped packet need not to be routed.
  • outbound, packet has been routed from incoming interface to the outgoing interface. then the packet is checked for a match in ACL if the outgoing interface has an outgoing ACL applied to it. this is less efficient, imagine a packet has been routed just to be dropped at the outgoing interface.

ACL works in a sequential manner. it reads each statement one-by-one from top to down. when it reads a statement, it checks whether it mathes the information extracted from the packet header. if it matches, it decides to permit or to deny the packet based on the statement. if it doesn't, it reads the next statement if there's any (that's why you should put the most frequent used ACL at the top of the list). if that is the last statement of the list, then the packet will be dropped. this should be kept in mind, that if a packet doesn't match any statement in the ACL, then it will be dropped. this is often called "implicit deny any statement".

because of the "implicit deny any statement", when you define an inbound ACL for traffic filtering, you should include explicit access-list criteria statements to permit routing updates. if not, communication of the routing protocol could also be blocked.

Two types of cisco ACLs,
  • Standard ACL, filter packets based on source IP address only. the destination address or the port destination doesn't matter. (numbered 1 to 99 and 1300 to 1999 are standard IP ACL)
  • Extended ACL, filter packets based on some attributes, the source/destination address, source/destination port (service) and the protocol used. (numbered 100 to 199 and 2000 to 2699 are extended IP ACL)

NOTE: since Cisco IOS Software Reales 12.0.1, the standard and extended ACL numbers has been extended to 1300 to 2700.

Numbered and Named ACL
numbering access-list can give you the idea whether the ACL is a standard or an extended ACL. this can be used in a small network where the traffic generally homogeneous. But numbered ACL doesn't give you the purpose of the ACL, because of this since Cisco IOS version 11.2, you can give a name to an ACL to identify an ACL.

Numbered ACL
  • Standard IP ACL, numbered from 1 to 99 and 1300 to 1999
  • Extended IP ACL, numbered from 100 to 199 and 2000 to 2699
  • ACL numbered 200 to 1299 are used for other protocols than IP. for example, ACL numbered 600 to 699 are used for AppleTalk and ACL numbered 800 to 899 are used for IPX.

Named ACL
certain rules in naming an ACL:
  • names can contain alphanumeric characters
  • suggested to use CAPITAL LETTERS for the name
  • names cannot contain any spaces or punctual characters, and must begin with a letter
  • entries in named ACL can be edited

the placement of ACLs plays an important role in the network performance. the place you apply ACLs can reduced unwanted traffic. imagine packets that has been routed just to be dropped at the last router. the basic rule in placing ACLs are:
  • Extended ACL, place as close as possible to the source of the traffic to be denied.
  • Standard ACL, place as close as possible to the destination of traffic to be denied. because standard ACL only cares about the source of the traffic, if you put it near the source, some other traffic destined to other network that should be allowed, could be blocked also.

ACL best practices
  • Create ACLs based on the organization security policy.
  • Prepare a description of the ACLs that you want to create (this will avoid creating potential problems).
  • Use a text editor to create, edit and save ACLs (this way, you can create a library of ACL that is reusable).
  • Test ACLs created on a Lab environment before deploying it on the production network (avoid costly errors).