Basics of Cisco IP access control lists
If you're managing anything bigger than a home network, you probably have a
router or two in your network closet. These routers are the first line of
protection between your network and the rest of the world. By implementing access
control lists (ACLs), you can permit or deny the flow
of data to and from your network. In this article, we'll discuss setting up an
inbound ACL on your border router (the one that connects you to the Internet)
to provide some basic security for your internal network.
Cisco IP ACLs come in two basic types:
Standard (sometimes called basic) and Extended. Both have a fixed entry
format and a numbering scheme that tells you which type a list is: standard
lists are numbered 1 to 99, extended lists 100 to 199. The number is simply the
list's name; it says nothing about which interface the list is applied to (that
is set separately with ip access-group on the interface).
A word of caution: before you jump into creating ACLs
for your routers, know that every ACL has
an implicit "deny all" statement at the end. You
do not have to create this entry and it will not appear when you display the
list, but it is always the last entry. That means that
if you don't explicitly permit traffic to or from your network, it is denied
as soon as you apply the list. Also, make things easy on yourself: instead
of typing directly at the Cisco IOS command line, first write your ACLs out in a text editor (Notepad will do) and paste them in. Restrict access
to this file: it describes exactly what your border filters and what it lets
through, and should never be shared with anyone outside your network.
A Standard IP ACL filters on the source address only.
These lists are created and then applied to an interface as either inbound or
outbound packet filters. The syntax follows this format:
access-list [list number] [permit | deny] [source address] [wildcard-mask] [log]
- List Number = A number from 1 to 99 (think of it as the name of
the list; 100 to 199 would make it an extended list instead)
- Permit | Deny = Whether to permit or deny a packet that matches this entry
- Source Address = The address of the machine or network from which the packet
originates
- Wildcard Mask = Which bits of the source address must match. A Cisco wildcard
mask is the inverse of a subnet mask and works bit by bit: a 0 bit means that
bit of the address must match exactly, a 1 bit means it is ignored. For whole
octets that gives 0 = octet must match exactly and 255 = octet doesn't matter;
a value such as 15 (binary 00001111) matches only the top four bits of its octet.
- Log = Generate a logging message for packets that match this entry (delivered
to the console, the log buffer or a syslog server, depending on how logging is
configured)
A sample inbound ACL would be:
access-list 1 deny 10.0.0.0 0.255.255.255 log
access-list 1 deny 172.16.0.0 0.15.255.255 log
access-list 1 deny 192.168.0.0 0.0.255.255 log
access-list 1 deny 127.0.0.1 0.0.0.0 log
access-list 1 deny 10.1.10.0 [replace with your network address] 0.0.0.255 [replace with the wildcard mask of your subnet] log
access-list 1 permit 0.0.0.0 255.255.255.255 log
In this example, entries 1, 2, and 3 deny the private address ranges defined
in RFC 1597 (since superseded by RFC 1918, which keeps the same three blocks):
one Class A network, sixteen Class B networks and 256 Class C networks. These
addresses are not routed on the public Internet, so a packet arriving from the
Internet with one of them as its source is either spoofed or misconfigured.
Now let's look at how the entries
differ and what they specifically deny or permit:
- Entry 1—"access-list 1 deny 10.0.0.0 0.255.255.255
log"—is a deny statement for packets with an originating address of
10.0.0.0 to 10.255.255.255. Rather than having to make 16 million entries
to block each Class A IP address, I use the mask
0.255.255.255. This tells the router to match the first octet of 10 and
disregard the other three octets.
- Entry 2—"access-list 1 deny 172.16.0.0 0.15.255.255
log"—is a deny statement for packets with an originating address of
172.16.0.0 to 172.31.255.255. Once again, rather than make 1 million
entries to block each address in the Class B range, I use the mask 0.15.255.255.
This tells the router to match the first octet (172) exactly and, in the
second octet, to match only the top four bits: 15 is 00001111 in binary, so
the low four bits are ignored, and since 16 is 00010000 any second octet from
16 through 31 matches. The third and fourth octets are ignored entirely.
- Entry 3—"access-list 1 deny 192.168.0.0 0.0.255.255
log"—is a deny statement for packets with an originating address of
192.168.0.0 to 192.168.255.255. Instead of making 65,536 entries to block
each address in the Class C range, I use the mask 0.0.255.255. The router will match
the first two octets exactly and disregard the last two octets.
- Entry 4—"access-list 1 deny 127.0.0.1 0.0.0.0 log"—is a
deny statement for packets with an originating address of 127.0.0.1, which
is the software loopback address of a host's own IP stack (not a hardware
address of the Ethernet adapter). A packet with that source can never
legitimately arrive from the outside. You could leave
off the mask because a Standard IP ACL assumes a mask of 0.0.0.0 if none
is specified. Note that this entry covers only the single address 127.0.0.1;
the whole loopback block is 127.0.0.0/8, so 127.0.0.0 0.255.255.255 is the
tighter choice.
- Entry 5—"access-list 1 deny 10.1.10.0 [replace with your network
address] 0.0.0.255 [replace with the wildcard mask of your subnet] log"—is
an anti-spoofing entry: a packet arriving from the Internet whose source
address is inside your own network cannot be legitimate. The mask here is a
wildcard mask, the inverse of your subnet mask (0.0.0.255 for a /24 whose subnet
mask is 255.255.255.0), not the subnet mask itself. In this example the
placeholder 10.1.10.0/24 happens to fall inside the 10.0.0.0/8 range that
entry 1 already denies, so entry 5 will not see a match until you substitute
your real, public network address.
- Entry 6—"access-list 1 permit 0.0.0.0 255.255.255.255
log"—is a permit entry to allow packets that were not previously
rejected to enter your network (0.0.0.0 255.255.255.255 is the same as the
keyword any).
Note: Remember that by default, all Cisco access control lists end with an
implicit "deny all" statement. You do not have to create this entry, and it
will not appear when you display the list, but it means that a list containing
only deny entries blocks every packet on the interface it is applied to. The
opposite case is a trap: an access list with no entries does not exist as far
as IOS is concerned, and an ip access-group that refers to a list that does
not exist passes all traffic. An ACL you have removed but not yet re-entered
is therefore no protection at all.
You probably noticed that I put log at the end of every entry. Every packet
"walks down the ACL" until the router finds an entry that matches it. Some
packets will be rejected by the first entry, and some will make it all the way
to the last entry before they meet one that applies to them. Seeing which
entries actually do the work lets you tune the order. The match counters shown
by show ip access-list are kept whether or not an entry carries the log
keyword; log additionally produces a logging message for matching packets
(the first hit immediately, later ones summarised at intervals), which tells
you the source addresses of what is being dropped but costs router CPU on a
busy link, so consider removing it from the permit entry once the list is
proven. After your ACL has been running for a few minutes,
type the command show ip access-list 1.
You'll then see something like this (recent IOS versions print a "Standard IP
access list 1" heading and a sequence number in front of each entry, but the
match counts are reported the same way):
access-list 1 deny 10.0.0.0 0.255.255.255 log
access-list 1 deny 172.16.0.0 0.15.255.255 log
access-list 1 deny 192.168.0.0 0.0.255.255 log
access-list 1 deny 127.0.0.1 0.0.0.0 log (8 matches)
access-list 1 deny 10.1.10.0 [replace with your network address] 0.0.0.255 [replace with the wildcard mask of your subnet] log (87 matches)
access-list 1 permit 0.0.0.0 255.255.255.255 log (4320 matches)
As you can see, this says that entry 4 denied eight packets, entry 5 denied
87 packets, and entry 6 permitted 4,320. To save processing time and speed up the flow
of packets into your network, rearrange your ACL to move entry 5 to the top of the
list, followed by entry 4. Reordering is only safe when it cannot change what
the list decides: since the first matching entry wins, swapping two deny
entries (as here) never changes a decision, but moving a permit above a deny
that overlaps it (for example, putting the final permit-any first) would
silently open the door. So order first for correctness, then, within that
constraint, put the most frequently matched entries at the top and the
general catch-all entries last. Also note that a numbered ACL cannot be
edited in place: to reorder it you delete the whole list with no access-list
1 and re-enter it from your text file. While the list is gone the interface
passes everything, and between the first deny line and the final permit line
being pasted it is effectively deny-all, so paste the whole list in one go,
preferably from the console rather than over a session that has to pass
through the interface.
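To make the wildcard-mask arithmetic from the syntax section and the first-match, implicit-deny and match-counter behaviour discussed here concrete, the following small Python model is added as an example for this article; it is not Cisco code and does not run on a router. It parses access-list lines in the syntax shown above, decides a set of constructed sample source addresses the way the router would (first match wins, implicit deny at the end, an access-group naming a list with no entries permits everything), keeps per-entry match counts, and checks whether a proposed reordering can change any decision. The 10.1.10.0/24 entry stands in for the article's "[replace with your IP address]" placeholder, and the sample addresses are made up.

```python
"""Model of Cisco standard IP ACL behaviour, added for this article (not Cisco
code): wildcard masks, first match wins, implicit deny, per-entry match counts,
and a check that reordering entries cannot change a decision."""
import ipaddress

ALL_ONES = 0xFFFFFFFF

def ip_to_int(a): return int(ipaddress.IPv4Address(a))
def int_to_ip(n): return str(ipaddress.IPv4Address(n))

def wildcard_from_netmask(netmask):
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask."""
    return int_to_ip(ip_to_int(netmask) ^ ALL_ONES)

def covered_range(base, wildcard):
    """Lowest and highest address an address/wildcard pair matches."""
    b, w = ip_to_int(base), ip_to_int(wildcard)
    return int_to_ip(b & (w ^ ALL_ONES)), int_to_ip(b | w)

def matches(addr, base, wildcard):
    """Wildcard bit 1 = ignore that bit, 0 = it must match exactly."""
    care = ip_to_int(wildcard) ^ ALL_ONES
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

def parse_entry(line):
    """Parse 'access-list N permit|deny SRC [WILDCARD] [log]' into a dict."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    if not 1 <= num <= 99 or action not in ("permit", "deny"):
        raise ValueError("standard ACLs use numbers 1-99 and permit/deny")
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest[0] == "any":        # IOS shorthand for 0.0.0.0 255.255.255.255
        src, wc = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":     # IOS shorthand for one exact address
        src, wc = rest[1], "0.0.0.0"
    else:                       # a missing wildcard means 0.0.0.0 (exact host)
        src, wc = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
    return {"num": num, "action": action, "src": src, "wc": wc, "log": log}

class StandardAcl:
    def __init__(self, lines):
        self.entries = [parse_entry(l) for l in lines if l.strip()]
        self.counts = [0] * len(self.entries)   # what 'show ip access-list' reports
        self.implicit_denies = 0

    def check(self, src):
        """First matching entry decides; no match falls to the implicit deny.  A list
        with no entries does not exist to IOS, and an access-group naming a
        non-existent list passes everything."""
        if not self.entries:
            return "permit"
        for i, e in enumerate(self.entries):
            if matches(src, e["src"], e["wc"]):
                self.counts[i] += 1
                return e["action"]
        self.implicit_denies += 1
        return "deny"

def overlap(e1, e2):
    """True if some address matches both entries (they agree on every bit both care about)."""
    care = (ip_to_int(e1["wc"]) | ip_to_int(e2["wc"])) ^ ALL_ONES
    return (ip_to_int(e1["src"]) & care) == (ip_to_int(e2["src"]) & care)

def reorder_is_safe(acl, new_order):
    """new_order lists original entry indexes in their new positions.  Swapping two
    entries changes a decision only if they overlap and have different actions."""
    pos = {orig: k for k, orig in enumerate(new_order)}
    es = acl.entries
    return not any(pos[j] < pos[i] and es[i]["action"] != es[j]["action"]
                   and overlap(es[i], es[j])
                   for i in range(len(es)) for j in range(i + 1, len(es)))

# The article's list; 10.1.10.0/24 stands in for "[replace with your IP address]".
ARTICLE_ACL = [
    "access-list 1 deny 10.0.0.0 0.255.255.255 log",
    "access-list 1 deny 172.16.0.0 0.15.255.255 log",
    "access-list 1 deny 192.168.0.0 0.0.255.255 log",
    "access-list 1 deny 127.0.0.1 0.0.0.0 log",
    "access-list 1 deny 10.1.10.0 0.0.0.255 log",
    "access-list 1 permit 0.0.0.0 255.255.255.255 log",
]
# Constructed sample source addresses arriving inbound on the Internet-facing interface.
SAMPLE_SOURCES = ["203.0.113.5", "10.1.10.7", "172.20.1.1", "172.32.0.1",
                  "192.168.1.1", "127.0.0.1", "127.0.0.2"]

def run_samples(lines=ARTICLE_ACL, sources=SAMPLE_SOURCES):
    acl = StandardAcl(lines)
    return acl, {s: acl.check(s) for s in sources}

if __name__ == "__main__":
    acl, decisions = run_samples()
    for s, d in decisions.items():
        print("%-14s %s" % (s, d))   # 127.0.0.2 is permitted: entry 4 is a /32
    print("matches per entry:", acl.counts, "implicit denies:", acl.implicit_denies)
    # Moving the permit-any entry to the top would silently permit everything.
    print("permit first is safe:", reorder_is_safe(acl, [5, 0, 1, 2, 3, 4]))
```

Run it and compare the decisions with the entry descriptions above: 10.1.10.7 is caught by entry 1 and never reaches entry 5, 172.32.0.1 slips past the 0.15.255.255 mask because its second octet is outside 16 to 31, and 127.0.0.2 walks all the way to the permit because entry 4 matches only the single address 127.0.0.1. The reorder check confirms that moving the two busiest denies to the top is harmless while moving the permit-any first is not.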
Finally, let's apply the ACL that we created:
- Open the ACL you typed in your text editor.
- Copy the contents of the list to the Clipboard.
- Connect to your router with a terminal emulator. If the router supports SSH,
use it rather than Telnet: Telnet sends your login credentials and the ACL
itself across the network in clear text. Better still, use the console port, so
your own session cannot be cut off while the list is being entered.
- Log on to your router.
- Enter privileged exec mode (enable).
- Type configure terminal.
- Paste your ACL to the command line and press [Enter].
- Go to the interface that connects you to the Internet (e.g., interface e0
only if e0 is your outside interface; on a router with a WAN link it is usually
the serial interface). An inbound ACL belongs on the interface the untrusted
traffic arrives on; applying this particular list inbound on your LAN
interface would instead block your own users, whose private source addresses
match entry 1.
- Type ip access-group 1 in.
To remove the ACL from the interface, type no ip access-group 1 in under that
interface; to delete the list itself, type no access-list 1 in global
configuration mode.
Your list is now entered and applied to an interface. Check it periodically
with the show ip access-list 1 command and
make adjustments as necessary.