Learn additional uses for Cisco IOS access control lists

Network administrators typically use access control lists (ACLs) to stop traffic or permit only specified traffic while stopping all other traffic. While this is the primary use of ACLs, there are many more possible uses that admins don't always think about. David Davis explores the various uses of ACLs on a Cisco router.

If you're a network administrator, you need to be familiar with access control lists (ACLs). Admins typically use ACLs to stop traffic or permit only specified traffic while stopping all other traffic. (While some people might refer to an ACL as a firewall, it's really only a firewall in its most basic form. Technically, it's a packet filter.)

The primary use of ACLs is to manage traffic, but there are many more uses for ACLs that many people just don't think about. This week, let's look at the many uses for ACLs.

Control traffic flow

Of course, you can use ACLs to control traffic flow, as mentioned above. What you need to remember about this is the "one-per" rule. That means that you can have one ACL per interface per direction per protocol.

So, each interface can have only one ACL for each direction for each protocol. Let's look at an example of a common ACL. The following ACL denies certain traffic, but it permits all other IP traffic.

Router(config)# access-list 100 deny tcp host 1.1.1.1 host 2.2.2.2 eq 80
Router(config)# access-list 100 permit ip any any
Router(config)# interface s0/0
Router(config-if)# ip access-group 100 in

This ACL denies ICMP traffic. But how does this ACL deny all ICMP traffic when there's no actual mention of ICMP? In an ACL, if you don't specifically permit something, the ACL will automatically deny it.

So, if you want to allow ICMP (for example, ping) to also flow across this link, you need to add the following statement:

Router(config)# access-list 100 permit icmp any any

When working with ACLs, a very useful option is the log keyword. If you want to log all traffic coming across the link, use the following:

Router(config)# access-list 101 permit ip any any log

The router's log will display all IP packets traversing this link.

Control traffic flow using TCP session information

Reflexive ACLs track TCP session information and perform session filtering: return traffic is allowed back in only to the source of the original outbound request. For more information, see Cisco's Reflexive Access List Commands documentation.
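A reflexive ACL pair for a router's outside interface, added here as an illustration (it is not from the article or from Cisco's documentation); the interface name Serial0/0 and the list names are assumptions:

```cisco
! Added example, not from the article. Assumes Serial0/0 faces the untrusted network.
! Reflexive entries must live in named extended ACLs.
ip access-list extended OUTBOUND
 ! Each outbound TCP/UDP session creates a temporary, mirrored entry
 ! (addresses and ports swapped) in the named reflexive list.
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
ip access-list extended INBOUND
 ! Inbound traffic passes only if it matches a session opened from inside.
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 ! Everything else hits the explicit deny, which also logs the attempt.
 deny ip any any log
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

The inbound list blocks anything not initiated from inside, including routing protocol or management traffic arriving on Serial0/0, so any such traffic you need must get an explicit permit above the evaluate lines.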

Allow IP traffic only after authentication

Also known as the lock-and-key feature, dynamic ACLs require someone to Telnet to the router and successfully authenticate. This process dynamically creates an ACL to temporarily allow some traffic to pass through the router. For more information, see Cisco's Lock-and-Key Commands documentation.
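A minimal lock-and-key configuration, added here as an illustration (not from the article or Cisco's documentation); the router address 10.0.0.1, the interface Serial0/0, the user name and the placeholder password are all assumptions:

```cisco
! Added example, not from the article. Assumes the router's inside address is 10.0.0.1
! and Serial0/0 faces the users. Replace CHANGE-ME with a real secret.
username alice secret CHANGE-ME
! Users must be able to reach the router itself to authenticate.
access-list 101 permit tcp any host 10.0.0.1 eq telnet
! The dynamic entry is inactive until someone logs in; 120 is the absolute
! lifetime in minutes of the temporary entry the router then inserts.
access-list 101 dynamic LOCKKEY timeout 120 permit ip any any
interface Serial0/0
 ip access-group 101 in
line vty 0 4
 login local
 ! After a successful login, create the temporary entry and close the session.
 ! "host" limits it to the caller's source address; 10 is the idle timeout in minutes.
 autocommand access-enable host timeout 10
```

Because the autocommand closes every vty session right after login, leave one vty line without it for normal administration of the router.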

Debug traffic

What happens if you use the debug ip packet command on a router? Don't try it! This command can actually bring an entire production router down.

However, when used properly, this command can be a very helpful tool. For example, you can use debug ip packet with an ACL. And, you can even ask for details.

So, let's say you want to view only traffic from host 1.1.1.1 to host 2.2.2.2 that was using port 80. Being very careful, you could see it using debug ip packet and an ACL that permits only that traffic (debug ip packet shows only packets that match a permit entry in the ACL). Here's an example:

Router(config)# access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
Router(config)# exit
Router# debug ip packet 101 detail
IP packet debugging is on (detailed) for access list 101
Router#

In this example, you have a rudimentary packet sniffer that gives information on TCP port number (src/dest), sequence number, ack, window, and flag information. In addition, this is for the entire router—not just a single interface.

Show routes matching an ACL

A large production router often sports a very long list of routes. However, you can use an ACL to filter these routes. Here's an example:

Router(config)# access-list 3 permit 10.16.0.0 0.0.255.255
Router(config)# exit

Router# show ip route list 3
D       10.16.100.4/30 [90/47250176] via 10.31.100.1, 03:12:14, Serial0/0
D       10.16.100.0/30 [90/46743296] via 10.31.100.1, 05:33:41, Serial0/0
Router#

Filter routing updates

You can also use ACLs to filter routing updates, which you can accomplish using distribute lists. Distribute lists tell the router which routes to accept or deny from remote neighbors. They also tell the router which routes to send out and which ones not to send out to remote neighbors.

Control access to the router

Let's say you want to specify which IP addresses or networks can connect to your router via Telnet or Web access. You can use an ACL to define those IP addresses or networks and then use an access class to tell the application which ACL to use. Below are examples for both HTTP and Telnet:

Router(config)# access-list 1 permit host 1.1.1.1
Router(config)# ! For HTTP
Router(config)# ip http access-class 1

Router(config)# ! For Telnet
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in

Throttle down traffic

Or, let's say you want to slow HTTP traffic to use only 128K of bandwidth on a T1 circuit. You can use a rate limit to accomplish this. But how does the rate limit know what traffic to throttle down? You guessed it—an ACL. Listing A offers an example.
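Since Listing A is not reproduced here, the following committed access rate (CAR) configuration is an added illustration and not the article's own listing; it assumes the web servers are reached through Serial0/0 and uses access list 102 as a constructed number:

```cisco
! Added example, not the article's Listing A. Assumes HTTP servers sit beyond Serial0/0.
! The ACL only classifies traffic; the rate-limit statement is what drops the excess.
access-list 102 permit tcp any any eq 80
interface Serial0/0
 ! 128000 bps sustained; normal burst 24000 bytes, extended burst 48000 bytes.
 ! Packets within the rate are transmitted, the excess is dropped.
 rate-limit output access-group 102 128000 24000 48000 conform-action transmit exceed-action drop
```

Conformed and exceeded counters for the policy are visible with show interfaces Serial0/0 rate-limit.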

More uses

Because of space constraints and other limitations, it's not possible to address every use for ACLs in the Cisco IOS, but I wanted to mention a few you may not have thought of. You can also use ACLs when configuring IPSec VPN tunnels, network address translation (NAT), and policy routing.

There are many more uses for ACLs than the ones listed in this article. How do you use ACLs on your Cisco devices? Post your additional uses in this article's discussion.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.
