Networking

Use advanced parameters on your Cisco IOS ACLs


Recently, a fellow network administrator asked me why his Cisco IOS access control lists (ACLs) weren't working. He was trying to use some advanced parameters in his ACLs, but something was going wrong.

I figured he couldn't be the only one out there struggling with this problem. So, I decided to discuss the proper use of Cisco IOS ACL advanced parameters this week.

The basics of Cisco IOS ACLs

Cisco IOS ACLs can be complex to configure, but it doesn't have to be so difficult. Here are some resources to help:

The fellow network admin I was telling you about was breaking one of the core principles of ACL usage: He was trying to apply a Cisco IOS ACL in both the inbound and outbound directions on the same interface. While this will work, it isn't something that you should do.

When it comes to ACL basics, you need to know the principle of the three Ps. That is, you can only apply a Cisco IOS ACL:

  • Per protocol (such as IP)
  • Per interface (such as FastEthernet0/0)
  • Per direction (such as inbound or outbound)

When traffic flows through a router, there's one set of source IP address, destination IP address, and port numbers. When the response returns from that request, the IP source address, IP destination address, and port numbers have reversed. For this reason, the inbound and outbound ACLs are usually a mirror of each other.

Now that we've covered this core principle of ACLs, let's move on to some more advanced ACL parameters you can use.

Compiled (Turbo) ACL

If you have long and complex ACLs, I recommend enabling the Turbo ACL feature, available on newer routers with newer IOS versions. (The IOS disables this feature by default.)

With Turbo ACL, tables built into the router's memory help the router speed the processing of traffic through ACLs. Whenever you modify the ACLs, this triggers the router to recompile the ACL. Here's how you enable Turbo ACLs:

Router(config)# access-list compiled

Time-range ACLs

You can create ACLs that apply only for a certain time range. For example, say you want to allow FTP traffic only from 8 A.M. to 5 P.M.. You could do this using time-based ACLs using the time-range parameter. Here's an example:

time-range ftp

periodic weekdays 8:00 to 17:00

ip access-list extended ftpacl

permit tcp any any eq ftp time-range ftp

permit tcp any any eq ftp-data time-range ftp

permit tcp any any eq www

Dynamic ACLs

Another name for dynamic ACLs is lock and key. With lock and key, you can trigger the creation of a dynamic ACL when you Telnet to the router. For example, say you want to allow HTTPS to a LAN switch through a router. Telnetting to the router creates a temporary/dynamic ACL to allow this traffic for a limited time.

To do so, you use the dynamic parameter. Here's an example:

Router(config)# access-list 125 dynamic ....

In addition, using the autocommand access-enable command on the Telnet line will trigger the ACL. For more information, check out Cisco's Configuring Lock-and-Key Security (Dynamic Access Lists) documentation.

ACLs that only allow established TCP connections

Another interesting parameter for Cisco IOS ACLs is the established option. With the established parameter, you can create an ACL that only allows TCP traffic matching the ACL that has an ACK or RST bit set. That would deny any TCP traffic trying to create a new TCP session. Here's an example:

Router(config)# access-list 120 permit tcp any 1.1.1.0 0.0.0.255 established

This line, taken from a larger ACL, permits only TCP traffic going to the 1.1.1.0 network that's already established. So, it only permits responses to connections already initiated (i.e., set up) in the opposite direction.

This is similar to a stateless firewall that allows already-connected traffic; however, in this situation, we don't know what that traffic actually is. We're assuming that any TCP response we receive was a real request.

Summary

One final best practice for ACLs is to always use the remark keyword to make comments in your ACLs. This practice allows other network admins (and even yourself) to know the purpose of the ACL and how it works.

Cisco IOS ACLs offer many advanced features. With ACLs so heavily used on Cisco routers, it's important to not only know the basics but be able to use some of the more advanced features as well.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

Editor's Picks