Use advanced parameters on your Cisco IOS ACLs
Recently, a fellow network administrator asked me why his Cisco IOS access control lists (ACLs) weren't working. He was trying to use some advanced parameters in his ACLs, but something was going wrong.

I figured he couldn't be the only one out there struggling with this problem. So, I decided to discuss the proper use of Cisco IOS ACL advanced parameters this week.

The basics of Cisco IOS ACLs

Cisco IOS ACLs can be complex to configure, but they don't have to be so difficult. Here are some resources to help:

The fellow network admin I was telling you about was breaking one of the core principles of ACL usage: He was trying to apply a Cisco IOS ACL in both the inbound and outbound directions on the same interface. While this will work, it isn't something that you should do.

When it comes to ACL basics, you need to know the principle of the three Ps. That is, you can only apply a Cisco IOS ACL:

  • Per protocol (such as IP)
  • Per interface (such as FastEthernet0/0)
  • Per direction (such as inbound or outbound)

When a request flows through a router, it carries one set of source IP address, destination IP address, and port numbers. When the response to that request comes back, the source and destination addresses and ports are reversed. For this reason, the inbound and outbound ACLs on an interface are usually mirror images of each other.

Now that we've covered this core principle of ACLs, let's move on to some more advanced ACL parameters you can use.

Compiled (Turbo) ACL

If you have long and complex ACLs, I recommend enabling the Turbo ACL feature, available on newer routers with newer IOS versions. (The IOS disables this feature by default.)

With Turbo ACL, tables built into the router's memory help the router speed the processing of traffic through ACLs. Whenever you modify the ACLs, this triggers the router to recompile the ACL. Here's how you enable Turbo ACLs:

Router(config)# access-list compiled

Time-range ACLs

You can create ACLs that apply only during a certain time range. For example, say you want to allow FTP traffic only from 8 A.M. to 5 P.M. You can do this with a time-based ACL that references a time-range definition through the time-range parameter. Here's an example:

time-range ftp
 periodic weekdays 8:00 to 17:00
ip access-list extended ftpacl
 permit tcp any any eq ftp time-range ftp
 permit tcp any any eq ftp-data time-range ftp
 permit tcp any any eq www

Dynamic ACLs

Another name for dynamic ACLs is lock and key. With lock and key, you can trigger the creation of a dynamic ACL when you Telnet to the router. For example, say you want to allow HTTPS to a LAN switch through a router. Telnetting to the router creates a temporary/dynamic ACL to allow this traffic for a limited time.

To do so, you use the dynamic parameter. Here's an example:

Router(config)# access-list 125 dynamic ....

In addition, using the autocommand access-enable command on the Telnet line will trigger the ACL. For more information, check out Cisco's Configuring Lock-and-Key Security (Dynamic Access Lists) documentation.

ACLs that only allow established TCP connections

Another interesting parameter for Cisco IOS ACLs is the established option. With the established parameter, you can create an ACL entry that only matches TCP traffic that has the ACK or RST bit set. A SYN that is trying to open a new TCP session has neither bit set, so it does not match the entry and falls through to the rest of the ACL, which usually means the implicit deny at the end. Here's an example:

Router(config)# access-list 120 permit tcp any 1.1.1.0 0.0.0.255 established

This line, taken from a larger ACL, permits only TCP traffic going to the 1.1.1.0 network that's already established. So, it only permits responses to connections already initiated (i.e., set up) in the opposite direction.

This is a stateless approximation of a firewall that allows already-connected traffic; however, in this situation, the router keeps no record of the connections and we don't know what that traffic actually is. We're assuming that any TCP segment we receive with ACK or RST set is the response to a real request.
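The Python script below is an added example, not code from the article or from Cisco. It implements a small evaluator for the subset of extended-ACL syntax used in the time-range and established sections above (permit/deny; tcp, udp or ip; any, host or address-plus-wildcard; eq with the named ports the article uses; time-range with a periodic definition; established) and runs the article's own entries against constructed sample packets and clock times. It shows two things the prose only states: a time-range entry is checked against the router's clock on every packet, and established looks only at the ACK/RST bits of the segment in hand, with no table of sessions behind it.

```python
"""Added example (not the article's or Cisco's code): evaluator for a small subset
of Cisco IOS extended-ACL syntax. The grammar subset, sample packets and clock
times are constructed for illustration."""
import ipaddress
from datetime import datetime

# Named ports used in the article's examples (IOS knows many more).
NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "www": 80, "https": 443}
# 'periodic' day groups supported here (Monday == 0, as in datetime.weekday()).
DAY_GROUPS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7))}


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))  # 1 bits mean "don't care"
    return (net, wildcard), i + 2


def _addr_matches(spec, addr):
    net, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)


def parse_ace(line):
    """Parse 'permit|deny proto src dst [eq port] [established] [time-range name]'."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "port": None,
           "established": False, "time_range": None}
    ace["src"], i = _parse_addr(t, 2)
    ace["dst"], i = _parse_addr(t, i)
    while i < len(t):
        if t[i] == "eq":
            p = t[i + 1]
            ace["port"] = NAMED_PORTS[p] if p in NAMED_PORTS else int(p)
            i += 2
        elif t[i] == "established":
            ace["established"] = True
            i += 1
        elif t[i] == "time-range":
            ace["time_range"] = t[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return ace


def parse_periodic(spec):
    """Parse 'periodic weekdays 8:00 to 17:00' into (days, start_minute, end_minute)."""
    _, days, start, _, end = spec.split()

    def minutes(hhmm):
        h, m = hhmm.split(":")
        return int(h) * 60 + int(m)

    return DAY_GROUPS[days], minutes(start), minutes(end)


def time_range_active(tr, now):
    days, start, end = tr
    return now.weekday() in days and start <= now.hour * 60 + now.minute < end


def evaluate(acl, packet, time_ranges, now):
    """First matching entry wins; an implicit deny ends every IOS ACL."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not (_addr_matches(ace["src"], packet["src"]) and _addr_matches(ace["dst"], packet["dst"])):
            continue
        if ace["port"] is not None and packet.get("dport") != ace["port"]:
            continue
        # 'established' is stateless: it inspects only the ACK/RST bits of this
        # segment; the router keeps no table of sessions it has already seen.
        if ace["established"] and not (packet["flags"] & {"ACK", "RST"}):
            continue
        if ace["time_range"] and not time_range_active(time_ranges[ace["time_range"]], now):
            continue
        return ace["action"]
    return "deny"


def demo():
    """Run the article's entries against constructed packets; returns {case: decision}."""
    time_ranges = {"ftp": parse_periodic("periodic weekdays 8:00 to 17:00")}
    acl = [parse_ace(line) for line in (
        "permit tcp any any eq ftp time-range ftp",
        "permit tcp any any eq www",
        "permit tcp any 1.1.1.0 0.0.0.255 established",
    )]
    mon_10 = datetime(2024, 1, 1, 10, 0)  # Monday 10:00 (constructed clock times)
    mon_18 = datetime(2024, 1, 1, 18, 0)  # Monday 18:00
    sat_10 = datetime(2024, 1, 6, 10, 0)  # Saturday 10:00
    ftp_syn = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 21, "flags": {"SYN"}}
    new_syn = {"proto": "tcp", "src": "203.0.113.9", "dst": "1.1.1.5", "dport": 443, "flags": {"SYN"}}
    reply_ack = dict(new_syn, flags={"ACK"})
    return {
        "ftp during business hours": evaluate(acl, ftp_syn, time_ranges, mon_10),
        "ftp after hours": evaluate(acl, ftp_syn, time_ranges, mon_18),
        "ftp on a weekend": evaluate(acl, ftp_syn, time_ranges, sat_10),
        "new session into 1.1.1.0/24": evaluate(acl, new_syn, time_ranges, mon_10),
        "ack-bearing segment into 1.1.1.0/24": evaluate(acl, reply_ack, time_ranges, mon_10),
        "ack-bearing segment elsewhere": evaluate(acl, dict(reply_ack, dst="1.1.2.5"), time_ranges, mon_10),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{decision:6} {case}")
```

Running it prints one decision per case. The last three cases are the point of the established section: the evaluator permits the ACK-bearing segment into 1.1.1.0/24 without ever having seen a SYN leave in the other direction, because, like the router, it has no connection table to consult. That is why the article pairs the keyword with an inbound/outbound mirror rather than treating it as a stateful firewall.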

Summary

One final best practice for ACLs is to always use the remark keyword to make comments in your ACLs. This practice allows other network admins (and even yourself) to know the purpose of the ACL and how it works.

Cisco IOS ACLs offer many advanced features. With ACLs so heavily used on Cisco routers, it's important to not only know the basics but be able to use some of the more advanced features as well.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.


6 comments
bonnyface

Hi David, I am a newbie to ACLs. I have a Server 2008 (10.0.1.101) with open ports for file sharing. I have a dedicated IP address (212.xxx.xxx.xxx) from the ISP. How can I write an ACL on the router (Cisco 1841) that will permit access to my shares from any internet location, especially when that ISP address is pointed?

himdobriyal

Sir, I want to know whether it is possible to place an access list that I made later, i.e., how can I edit an access list and place the most recent access list under one number?

ddavis

Yes, editing ACLs is easy. Here is how I made an ACL, then edited it. Make sure you notice the difference between an ACL number and an ACL SEQUENCE line number in that ACL.

robo0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
robo0(config)#access-list 100 deny ip any any
robo0(config)#ip access-list ext 100
robo0(config-ext-nacl)#?
Ext Access List configuration commands:
  Sequence Number
  default   Set a command to its defaults
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  no        Negate a command or set its defaults
  permit    Specify packets to forward
  remark    Access list entry comment
robo0(config-ext-nacl)#101 permit tcp any any eq www
robo0(config-ext-nacl)#no 10 deny ip any any
robo0(config-ext-nacl)#^Z
robo0#sh access-list
Extended IP access list 100
    101 permit tcp any any eq www
robo0#

raynebc

With regards to live ACLs, are there any serious issues to changing an ACL that is in use on an interface?

jb123

The only issue that I am aware of is that any currently open connections will be dropped temporarily. This, of course, only applies if you are still using a version of IOS that doesn't support line numbers in the ACLs and you have to issue a no access-list command to get the rules in the correct order. To the best of my knowledge there is no issue if you are able to modify the ACL using line numbers. If you issue the no access-list command, don't forget to re-attach the ACL to the interface.