
What you need to know about Cisco IOS access-list filtering

Cisco IOS ACLs are difficult to use. You can unwittingly create havoc on your network if you don't know some of the basic rules. David Davis focuses on the role of ACLs in packet filtering and tells you what you must know in order to make them work for you.

Let's face it, if you don't use Cisco IOS access lists (ACLs) every day, they can be very painful to use. Why are ACLs so painful? Besides just being difficult to use, the penalty for a mistake is huge. In one fell swoop, you could incorrectly permit malicious attackers onto your network or incorrectly deny all valid users from your network. Either way, the consequences could be devastating to your company and to your career. So how do you prevent this from happening? If you follow these guidelines, you will be "feeling good again" about your Cisco ACLs.

Know what an ACL can and cannot do

In the simplest of terms, a Cisco IOS ACL is used to define traffic. Once that traffic is defined, some action can then be taken on that traffic.

Commonly, an ACL is associated with the filtering of IP packets (Network Layer 3 of the OSI Model) as they pass through a router. In other words, it is used to permit or deny traffic through a router. However, if you only define the ACL and don't apply it to an interface with the ip access-group command, nothing happens: the list exists in the configuration but filters no traffic.

While ACLs can be used for many functions like QoS, route filtering, and allowing access to the router, in this article, we will focus on using ACLs for filtering traffic in and out of the router.

Know the syntax of ACLs

To configure an ACL you need to include some basic information about which packets to permit or deny.

The general syntax for a standard access list is:

access-list {list-number} {permit | deny} {source-address} [source-wildcard]

Note that the standard ACL can only permit or deny traffic based on the source of the traffic.

The general syntax of a TCP extended access list is:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

You should also know that extended ACLs can filter IP, TCP, UDP, ICMP, and other types of traffic, matching on both source and destination. The syntax above is for filtering TCP traffic.

Know that ACLs use wildcard masks

Cisco IOS ACLs use wildcard masks. A wildcard mask is required anytime you enter an IP address in your ACL. The only way to avoid typing a wildcard mask is to use a keyword instead: "any" in place of an address, or "host" before the address of a single host on the network.

Wildcard masks are the binary reverse of a subnet mask. Thus, to calculate a wildcard mask, you take the subnet mask of a network address or IP address, convert it to binary, turn all the 1s into 0s and the 0s into 1s, and convert it back to decimal. Sounds complicated, but it really isn't. If the subnet mask falls on an octet (8-bit) boundary, then a 0 simply turns into a 255 and a 255 turns into a 0. Here are a few examples:

  • SN 255.0.0.0 = wildcard 0.255.255.255
  • SN 255.255.255.0 = wildcard 0.0.0.255
  • SN 255.255.128.0 = wildcard 0.0.127.255
  • SN 255.255.255.224 = wildcard 0.0.0.31

Do NOT use a subnet mask in a wildcard mask on a Cisco IOS router or switch, or you will end up with unintended results. (On the other hand, if you are configuring an ACL on a Cisco PIX, use regular subnet masks, not wildcard masks).
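The wildcard arithmetic above, worked through in code. This is an added example written for this page, not code from the article or from Cisco; it uses only the Python standard library. It converts subnet masks and prefix lengths to wildcard masks, checks whether an address matches an address/wildcard pair the way an IOS entry would, and shows what actually happens when a subnet mask is typed where a wildcard belongs. It also goes one step beyond the text: range_to_entries() covers an arbitrary inclusive address range with the minimum set of address/wildcard pairs, which is what a range that is not aligned to a power-of-two block needs.

```python
# Added example (not from the original article): wildcard-mask arithmetic for
# Cisco IOS ACLs. Only the Python standard library is used.
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Flip every bit of a dotted-decimal subnet mask: 255.255.255.224 -> 0.0.0.31."""
    octets = [int(o) for o in subnet_mask.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal mask: {subnet_mask!r}")
    return ".".join(str(255 - o) for o in octets)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a CIDR prefix length, e.g. 22 -> 0.0.3.255."""
    # ipaddress calls the inverse of the netmask the 'hostmask'
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def matches(ip: str, address: str, wildcard: str) -> bool:
    """Does `ip` match an ACL entry written as `address wildcard`?

    A 0 bit in the wildcard means 'must match', a 1 bit means 'don't care'.
    """
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    ip_bits = int(ipaddress.IPv4Address(ip)) & care
    addr_bits = int(ipaddress.IPv4Address(address)) & care
    return ip_bits == addr_bits


def range_to_entries(first: str, last: str) -> list:
    """Cover an inclusive IP range with the fewest (address, wildcard) pairs.

    An aligned range such as .32-.63 needs one entry; an unaligned range
    such as .32-.100 needs several.
    """
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.0", "255.255.128.0", "255.255.255.224"):
        print(f"SN {mask:<16} = wildcard {wildcard_from_mask(mask)}")
    # The caveat from the article: a subnet mask typed where a wildcard belongs
    # matches hosts ending in .0 on *any* network, and nothing else.
    print(matches("10.99.99.0", "172.16.30.0", "255.255.255.0"))    # True
    print(matches("172.16.30.5", "172.16.30.0", "255.255.255.0"))   # False
    # Constructed range (the one asked about in the comments): .32 to .100
    for addr, wc in range_to_entries("172.16.0.32", "172.16.0.100"):
        print(f"access-list 10 permit {addr} {wc}")
```

Running it prints the article's four conversions, shows that the mistyped subnet mask would match 10.99.99.0 but not 172.16.30.5, and emits four entries for the .32-.100 range (one /27, one /27, one /30 and one host).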

Know how to create an ACL and apply it to an interface

For example, here's how a sample configuration might look for access list 1:

Router(config)# access-list 1 permit 172.16.30.0 0.0.0.255
Router(config)# interface e0/0
Router(config-if)# ip access-group 1 out

The ip access-group command is used to apply an ACL to an interface and specify the direction (in or out) in which it applies.

The commands above permit any traffic coming from IP network 172.16.30.0 going OUT the router's Ethernet 0/0 interface.

Know the implicit deny

Let me ask you this: What is allowed through the ACL above? Answer: Only the traffic from the 172.16.30.0 /24 network. Why is that? That is because at the end of every ACL, whether you see it or not, ALL TRAFFIC IS IMPLICITLY DENIED.

So, what traffic is allowed through the ACL below?

Router(config)# access-list 1 deny 172.16.30.0 0.0.0.255

That's right - NO TRAFFIC is allowed because certain traffic is explicitly denied and ALL OTHER TRAFFIC IS DENIED by the implicit deny.

How do you see the traffic being dropped by the implicit deny? It is silent, so add your own explicit deny-any entry with the log keyword at the end of the list, like this:

Router(config)# access-list 1 permit 172.16.30.0 0.0.0.255
Router(config)# access-list 1 deny any log

Know that ACLs use top-down processing

Cisco IOS ACLs use top-down processing. The list is evaluated from the first entry down, and as soon as a packet matches an entry, processing stops; later entries are never consulted for that packet. Thus, if there is a permit for network 1.1.1.0 in the fifth line of the ACL but it is denied in the third line of the ACL, then that traffic is denied.
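A small simulator of the two rules just described, top-down processing and the implicit deny, as an added example that is not part of the original article and is not Cisco code. It parses the subset of the standard numbered ACL syntax shown on this page (permit/deny, address plus wildcard, the host and any keywords, a trailing log) and evaluates a packet's source address against it. SAMPLE_ACL is a constructed list in which 1.1.1.0/24 is denied on line 3 and permitted on line 5, the exact situation the paragraph describes.

```python
# Added example (not from the original article): simulate how IOS walks a
# standard numbered ACL for a packet's source address.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    line: int        # position in the list; 1 = first entry
    action: str      # "permit" or "deny"
    address: int
    care: int        # bits that must match (complement of the wildcard)
    log: bool


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(config: str) -> list[Entry]:
    """Parse 'access-list N permit|deny <source> [log]' lines in config order."""
    entries: list[Entry] = []
    for raw in config.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue
        log = tokens[-1] == "log"
        if log:
            tokens = tokens[:-1]
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw}")
        src = tokens[3:]
        if src == ["any"]:
            address, care = 0, 0                     # every bit is don't-care
        elif src[0] == "host":
            address, care = _ip(src[1]), 0xFFFFFFFF  # every bit must match
        elif len(src) == 1:
            address, care = _ip(src[0]), 0xFFFFFFFF  # IOS treats a bare address as 'host'
        else:
            address, care = _ip(src[0]), 0xFFFFFFFF ^ _ip(src[1])
        entries.append(Entry(len(entries) + 1, action, address, care, log))
    return entries


def evaluate(entries: list[Entry], source_ip: str) -> tuple[str, int | None, bool]:
    """Return (action, matching line or None for the implicit deny, logged?).

    Top-down: the first matching entry decides. A packet that matches nothing
    is dropped silently by the implicit 'deny any' at the end of every list.
    """
    ip = _ip(source_ip)
    for e in entries:
        if (ip & e.care) == (e.address & e.care):
            return e.action, e.line, e.log
    return "deny", None, False


# Constructed sample ACL: 1.1.1.0/24 is denied on line 3 and permitted on line 5.
SAMPLE_ACL = """
access-list 1 permit host 10.0.0.5
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny 1.1.1.0 0.0.0.255
access-list 1 permit 172.16.30.0 0.0.0.255
access-list 1 permit 1.1.1.0 0.0.0.255
"""

# The same list with the explicit logged deny the article recommends appended.
LOGGED_ACL = SAMPLE_ACL + "access-list 1 deny any log\n"

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for src in ("1.1.1.7", "172.16.30.9", "10.0.0.6"):
        print(src, evaluate(acl, src))
    print("10.0.0.6 (logged deny)", evaluate(parse_standard_acl(LOGGED_ACL), "10.0.0.6"))
```

For 1.1.1.7 the result is a deny on line 3, never reaching the permit on line 5; for 10.0.0.6 it is a deny with no matching line, which is the implicit deny, and only the version with the explicit deny-any-log entry reports that drop as logged.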

Know the three Ps of ACLs

Remember, you can only apply ONE ACL:
  • Per Interface
  • Per Protocol
  • Per Direction

As most of us are applying IP ACLs, the protocol doesn't matter that much, but the important thing to know is that you can apply only ONE ACL on each interface in each direction. In other words, you can apply only one INBOUND and one OUTBOUND ACL per interface.

Know how to verify which ACLs are applied and which are configured

Showing what ACLs are created and what ACLs are applied is easy if you know just a few commands. These commands are:

  • show access-lists
  • show ip interface
  • show running-config

Know that there are many methods and types of ACLs

The Cisco IOS supports IP Standard and Extended ACLs in both named and numbered versions. Additionally, there are reflexive, dynamic, and lock-and-key access lists, among many others.

Know how ACLs can be used in the real world

While you may understand the concept of ACLs and how to configure them, it is important to know how to use them in the real world.

Here are a few business applications for ACLs:

1. Basic packet filtering for security: Filter traffic from a host, a network, a protocol, or port.

2. Packet filtering for bandwidth control: Say that a streaming audio or video application was using network bandwidth, and it was on a certain port number. With an ACL, you could discard those video and audio packets to prevent overutilization of bandwidth.

3. Other functions with ACLs: Route filtering, QoS, controlling access to the router, etc.

Know where to find more resources to learn ACLs

There is a lot to know about ACLs, and we can't cover it all in this short format. To learn more about ACLs, here are some links to other articles and videos I have created on this topic.

Conclusion

ACLs are among the least understood Cisco features, and one that new Cisco administrators and CCNA candidates struggle with. I hope you find this information about Cisco IOS access lists helpful, and that you keep it handy to "cure those ACL pains" whenever they come up.


20 comments
akahan

Can an ACL be used to block packets from one IP address to another on the LAN (on the same interface, e.g., VLAN), or only packets traveling from one interface to another? For example, suppose I want to block packets going from 192.168.1.24 to 192.168.1.28, but allow all other LAN traffic. Can such a thing be done?

tomeci85

David, how are you doing, man? You said in your article that "Wildcard masks are the binary reverse of a subnet mask", but let me ask you something. If I had to deny/permit a range of IP addresses, how would you handle that situation? For instance, from 172.16.0.32 to 172.16.0.63. Please let me know your thoughts.

sharris34

Nice article, but there's an error in the section "Know how to create an ACL and apply it to an interface." You have "access-list 1 permit 172.16.30.0 0.0.0.255" which is a standard access list and therefore applies to the source network of 172.16.30.0; but in your comments you say: "The commands above permit any traffic going *to* IP network 172.16.30.0 from going OUT the router's Ethernet 0/0 interface. Any traffic addressed to that network will still be allowed in, but it won't be permitted to go out interface e0/0." In fact, what the list does is permit traffic *from* network 172.16.30.0 to go out the interface. But it doesn't allow traffic from any other source to go out (due to the implicit deny). You should really rewrite the last sentence, too, as it doesn't make sense.

elmidwill

I have an Exchange server that I would like to be the only machine able to send any information out on port 25. How do I go about doing that?

jayorinde

Very nice work. We still need to know how to set up and configure a Cisco router.

john.hamilton

A bit off topic, but this article landed on my desk at the same time as I was wondering "how can I ...." What is the best way to restrict an interface on a router to only communicating to/from a range of destination UDP ports on 255 destination subnets, i.e. any IP subnet 10.*.252.0 /22 (255.255.252.0) where * is 0-255? My requirement is to restrict a single remote subnet to only making VoIP UDP connections to/from 100+ other remote IP subnets, but not to any others. TCP will be permitted to a single IP subnet for call control etc. Can ACLs do this without having 255+ lines of ACL? Any easier way?

kevaburg

It's a good article, but it isn't quite everything you need to know about access-lists. I would have liked to have seen a section about applying access-lists using the ACCESS-CLASS command as well. After all, telnet is inherently insecure by virtue of how it works, so any means of securing it would be useful to know.

MGP2

This is the one that tripped me up on a school project. What I don't get is, why isn't there some error message if you violate the rule? The end result of making a mistake is, the router simply defaults to the "permit ip any any" and doesn't block anything.

gfjim

Just my 2 cents here... I would create an entry in the ACL for the range below the lowest IP and then one that includes the range you want to permit/deny. Since the previous paragraph does not make much sense (even to me!) let me use an example: Say you want to permit ICMP traffic TO that range and deny to the remaining, so my suggestion would be

access-list 101 deny icmp any 172.16.0.0 0.0.0.31
access-list 101 permit icmp any 172.16.0.0 0.0.0.63

And then apply this ACL to the interface facing this range of IPs in outbound direction. So, if you are pinging 172.16.0.20, the first entry will apply, all ACL processing stops and traffic will be denied. Now, if you ping 172.16.0.40, the first entry doesn't apply, so the second one is processed and since that destination is within the range... voila! Traffic is allowed through. Hope I explained myself. Cheers

ddavis

Good Catch! You are completely correct. I will correct this. Thanks for reading TechRepublic and thanks for taking time to comment! David

ddavis

Hi John, yes, you can do this with the wildcard mask. In fact, that is what it is there for. So, your ACL could be something like:

access-list 100 deny udp 10.0.252.0 0.255.3.0 any
access-list 100 deny udp any 10.0.252.0 0.255.3.0

I hope that helps, David

Doug Vitale

There are definitely some useful tips and key points made in the article, but you are right that it's not as complete as it could be. After all, you could write a whole book just on access control lists, and Mr. Davis was limited to one article. In my opinion, no discussion on ACLs for perimeter devices would be complete without mentioning the topic of bogons. I describe them in detail here: http://dougvitale.wordpress.com/2011/12/01/using-bogon-ip-addresses-in-access-control-lists/

ddavis

Hi MGP2, thanks for reading the article and thanks for the comment! I think that the reason there is no error and why a router, by default, will just pass traffic is that that is the default job of a router -> to pass all traffic. This is contrary to a firewall where, by default, NO traffic is passed and you have to create ACLs just to get it to pass traffic. I hope that helps and I hope the article helps you out as well. Thanks for reading TechRepublic! David Davis

n.stockwell

Under the "Know the implicit deny" there is still an error when you say, "Let me ask you this: What is allowed through the ACL above? Answer: Only the traffic *to* the 172.16.30.0 /24 network." It should say, "Let me ask you this: What is allowed through the ACL above? Answer: Only the traffic *from* the 172.16.30.0 /24 network." The sentence was still incorrect because the ACL was applied to Fa0/0's outbound direction, but before you corrected the previous section it was consistent with what you wrote earlier. Would it be correct to assume that the 172.16.30.0 /24 network is on a different interface than Fa 0/0? I think you should write an article just about figuring out what direction to apply standard and extended ACLs on interfaces, because it does seem confusing, especially to people who either are learning ACLs for the first time or people who need to refresh their memories.

john.hamilton

Hi, more precise question: Query is how can I permit UDP packets
  • from source IPs on subnet 10.100.252.0 /22
  • to destination IPs on numerous subnets 10.nnn.252.0 /22 (i.e. 10.nnn.252.0 to 10.nnn.255.255 on all Class-B networks -- is this inverse mask 0.255.3.255 ?)
  • to destination ports: 16384-32767
  • deny everything else
The reverse UDP packets will also need to be permitted. -- John

walbro

Maybe I misread the requirements but, I think the ACL would be something like:

access-list 100 permit udp 10.0.252.0 0.255.3.0 any
access-list 100 deny udp any 10.0.252.0 0.255.3.0

ddavis

Hi n.stockwell, Thanks for your comment - excellent point. That is a great idea for an article - I will write one on that topic. Thanks for reading TechRepublic! David

john.hamilton

Thanks David. I think I've just about got the hang of inverse binary masks. Slainte ! -- John

ddavis

Hi John, my stab at this ACL would be:

access-list 100 permit udp 10.100.252.0 0.0.3.255 10.0.252.0 0.255.3.255 range 16384 32767

Apply this outbound at the source of the traffic on the external interface of the router. As for the return traffic, you could create a mirrored ACL at the destination. That would be recommended. I hope that helps! David personal website: www.HappyRouter.com
