If you're a network administrator, you need to be familiar with access control lists (ACLs). Admins typically use ACLs to stop traffic or permit only specified traffic while stopping all other traffic. (While some people might refer to an ACL as a firewall, it's really only a firewall in its most basic form. Technically, it's a packet filter.)
The primary use of ACLs is to manage traffic, but there are many more uses for ACLs that many people just don't think about. This week, let's look at the many uses for ACLs.
Control traffic flow
Of course, you can use ACLs to control traffic flow, as mentioned above. What you need to remember about this is the "one-per" rule. That means that you can have one ACL per interface per direction per protocol.
So, each interface can have only one ACL per direction per protocol. Let's look at an example of a common ACL. The following ACL denies one specific flow (HTTP from one host to another) but permits all other TCP traffic. (A port match such as eq 80 is only valid on a tcp or udp entry, not on an ip entry.)
Router(config)# access-list 100 deny tcp host 184.108.40.206 host 220.127.116.11 eq 80
Router(config)# access-list 100 permit tcp any any
Router(config)# interface s0/0
Router(config-if)# ip access-group 100 in
This ACL also denies ICMP traffic. But how can it deny all ICMP traffic when there's no mention of ICMP? Every ACL ends with an implicit deny: if you don't specifically permit something, the ACL automatically denies it.
So, if you want to allow ICMP (for example, ping) to also flow across this link, you need to add the following statement:
Router(config)# access-list 100 permit icmp any any
When working with ACLs, a very useful option is the log keyword. If you want to log all traffic coming across the link, use the following:
Router(config)# access-list 101 permit ip any any log
The router's log will show a message for the IP packets matching this entry. IOS rate-limits these messages (it logs the first match and then a summary every five minutes), and logging every packet on a busy link is CPU-intensive, so in practice you should narrow the logged entry to the traffic you actually need to see.
Control traffic flow using TCP session information
Reflexive ACLs track TCP session information and perform session filtering: return traffic is allowed back in only when it belongs to a session that was initiated from the inside, so replies flow only to the source of the original request. For more information, see Cisco's Reflexive Access List Commands documentation.
Allow IP traffic only after authentication
Also known as the lock-and-key feature, dynamic ACLs require someone to Telnet to the router and successfully authenticate. This process dynamically creates an ACL to temporarily allow some traffic to pass through the router. For more information, see Cisco's Lock-and-Key Commands documentation.
What happens if you use the debug ip packet command on a router? Don't try it! This command can actually bring an entire production router down.
However, when used properly, this command can be a very helpful tool. For example, you can use debug ip packet with an ACL to restrict the output to only the traffic you care about, and you can even ask for details.
So, let's say you want to view only traffic from host 18.104.22.168 to host 22.214.171.124 on TCP port 80. Being very careful, you could see it using debug ip packet and an ACL that permits just that flow (the debug shows packets the ACL permits). Here's an example:
Router(config)# access-list 101 permit tcp host 18.104.22.168 host 22.214.171.124 eq 80
Router(config)# exit
Router# debug ip packet detail 101
IP packet debugging is on (detailed) for access list 101
Router#
In this example, you have a rudimentary packet sniffer that shows the TCP port numbers (source and destination), sequence number, acknowledgement number, window size, and flags. In addition, it applies to the entire router, not just a single interface. Keep in mind that debug ip packet shows only process-switched packets, so traffic that is fast-switched or CEF-switched will not appear in the output.
Show routes matching an ACL
A large production router often sports a very long list of routes. However, you can use an ACL to filter these routes. Here's an example:
Router(config)# access-list 3 permit 10.16.0.0 0.0.255.255
Router(config)# exit
Router# show ip route list 3
D    10.16.100.4/30 [90/47250176] via 10.31.100.1, 03:12:14, Serial0/0
D    10.16.100.0/30 [90/46743296] via 10.31.100.1, 05:33:41, Serial0/0
Router#
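To make the matching rules behind both the traffic-filtering ACL 100 above and the route-listing ACL 3 concrete, here is a small Python evaluator I added for this column (it is not the article's code and not IOS itself). It assumes the port-matching lines of ACL 100 use tcp, and the hosts in PING and the route table are constructed sample values.

```python
import ipaddress

# Added example, not code from the article: a small evaluator for Cisco-style
# numbered ACLs showing wildcard-mask matching, top-down first-match order and
# the implicit deny every ACL ends with ("ip" matches any IP protocol).

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(network)) & care

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = network 0.0.0.0, wildcard all ones
def host(ip):                           # 'host x.x.x.x' = wildcard 0.0.0.0
    return (ip, "0.0.0.0")

def evaluate_extended(acl, pkt):
    """acl: list of (action, proto, (src, wc), (dst, wc), dport or None).
    pkt: dict with proto, src, dst and, for tcp/udp, dport. Returns permit/deny."""
    for action, proto, src, dst, port in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if port is not None and pkt.get("dport") != port:
            continue
        return action                   # first matching entry wins
    return "deny"                       # implicit deny at the end of every ACL

def evaluate_standard(acl, addr):
    """Standard ACL (1-99): entries are (action, network, wildcard); one address is checked."""
    for action, net, wc in acl:
        if wildcard_match(addr, net, wc):
            return action
    return "deny"

def matching_routes(acl, prefixes):
    """What 'show ip route list <acl>' keeps: the prefixes the standard ACL permits."""
    return [p for p in prefixes if evaluate_standard(acl, p) == "permit"]

# The article's ACL 100, with tcp on the lines that match a port
ACL_100 = [("deny", "tcp", host("184.108.40.206"), host("220.127.116.11"), 80),
           ("permit", "tcp", ANY, ANY, None)]
PERMIT_ICMP = ("permit", "icmp", ANY, ANY, None)   # the line the article adds for ping
WEB = {"proto": "tcp", "src": "184.108.40.206", "dst": "220.127.116.11", "dport": 80}
SSH = {"proto": "tcp", "src": "184.108.40.206", "dst": "220.127.116.11", "dport": 22}
PING = {"proto": "icmp", "src": "10.1.1.1", "dst": "10.2.2.2"}   # constructed hosts
# The article's ACL 3 against a constructed route table (first two prefixes from its output)
ACL_3 = [("permit", "10.16.0.0", "0.0.255.255")]
ROUTES = ["10.16.100.4", "10.16.100.0", "10.31.100.0", "192.168.1.0"]
```

Running evaluate_extended(ACL_100, PING) returns "deny" even though no entry mentions ICMP, and it flips to "permit" once PERMIT_ICMP is appended, which is exactly the implicit-deny behaviour described above.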
Filter routing updates
You can also use ACLs to filter routing updates, which you can accomplish using distribute lists. Distribute lists tell the router which routes to accept or deny from remote neighbors. They also tell the router which routes to send out and which ones not to send out to remote neighbors.
Control access to the router
Let's say you want to specify which IP addresses or networks can connect to your router via Telnet or Web access. You can use an ACL to define those IP addresses or networks and then use an access class to tell the application which ACL to use. Below are examples for both HTTP and Telnet:
Router(config)# access-list 1 permit host 184.108.40.206
Router(config)# ! For HTTP
Router(config)# ip http access-class 1
Router(config)# ! For Telnet
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in
Throttle down traffic
Or, let's say you want to limit HTTP traffic to only 128 Kbps of bandwidth on a T1 circuit. You can use a rate limit to accomplish this. But how does the rate limit know which traffic to throttle? You guessed it—an ACL. Listing A offers an example.
Because of space constraints and other limitations, it's not possible to address every use for ACLs in Cisco IOS, but I wanted to mention a few you may not have thought of. You can also use ACLs when configuring IPSec VPN tunnels (to select the traffic to encrypt), network address translation (NAT), and policy routing.
There are many more uses for ACLs than the ones listed in this article. How do you use ACLs on your Cisco devices? Post your additional uses in this article's discussion.
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.