Access-lists are the cornerstone of security in networking. They are used on routers, switches and firewalls, and they are often a challenge to understand when first starting a career in networking. Before we dive into the configuration of access-lists, also known as ACLs (Access Control Lists), it is important to understand the concepts: how they work and what they are used for.
Firstly, most people believe that access-lists are used purely for denying or allowing traffic. Although this is certainly one of the functions of an access-list, it is not the only one.
Access-lists can be used for:
- Permitting or denying packets moving THROUGH the router.
- Permitting or denying packets TO or FROM the router.
- QOS (Quality of Service)
- DDR (Dial-on Demand Routing)
- Route filtering
So let’s dive into each of the above points to see how they can be applied and used.
1/ When you want to restrict traffic from flowing THROUGH a router, you can attach an ACL to an interface of the router. This can be done in the INBOUND or OUTBOUND direction. The direction is vitally important to understand when designing access-lists, because the router processes the packet differently depending on the direction of the access-list. If an access-list is bound to an interface in the INBOUND direction, the access-list takes effect before any processing is done by the router. If the access-list is bound to an interface in the OUTBOUND direction, the router will already have processed the packet entirely internally before the packet is checked against the ACL. The end result might be that the access-list drops the packet anyway, unnecessarily wasting the resources of the router.
2/ Attaching an access-list to an interface, however, does NOT stop traffic that is going TO or FROM the router. This means that if I'm trying to telnet to the router, the ACL on the interface will NOT APPLY. In order to restrict traffic TO or FROM the router, we need to attach the access-list to the virtual interfaces of the router (i.e. the VTY lines).
3/ QoS uses ACLs to define the traffic that you wish to prioritize. These access-lists are not bound to interfaces but are used in the modular QoS configuration.
4/ When using dial-up interfaces such as modems or ISDN, you don't want just any traffic to cause the interface to dial. If all traffic were allowed to trigger a call, the line would dial every time a broadcast took place. The line would be constantly connected, and the result would be a large phone bill. With access-lists for DDR we define which traffic is allowed to make the modem or ISDN line dial and establish a connection. It is important to understand that once the line is active, ALL traffic is allowed to flow through it. These access-lists do not restrict traffic from flowing; they restrict traffic from causing the line to dial! In order to block traffic, an access-list needs to be applied to the interface (as seen in point 1). This could be the same access-list as used for DDR, although that is not common.
5/ Route filtering is used when we wish to redistribute routes learnt from one routing protocol into another. This is most commonly seen when you have an EGP (Exterior Gateway Protocol) such as BGP and you wish to insert some of the routes learnt from BGP into your IGP (Interior Gateway Protocol) such as OSPF. You cannot redistribute the entire BGP routing table into OSPF, as OSPF cannot handle a routing table of that size, so we restrict which entries will be redistributed using an access-list.
Now that we understand the different uses of Access Control Lists, we need to discuss the three different types of ACLs: STANDARD, EXTENDED and NAMED.
Standard access-lists only check the source address of the packet and either permit or deny the entire protocol suite. They are numbered 1-99 or 1300-1999.
Extended access-lists can check the source and destination addresses, the source and destination port numbers, and specific protocols. They are numbered 100-199 or 2000-2699.
Named access-lists can be either standard or extended access-lists; the difference is that we associate a name with the ACL instead of using a number.
- One access-list per interface, per protocol, per direction
- The order of access-list statements is important. Once a match has been made no further testing is done.
- The most restrictive statements go at the top of the list
- The last statement in an access-list is ALWAYS an implicit deny any, so every access-list needs at least one permit statement.
- Access-lists must be configured before applying them to interfaces
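To make the ordering, first-match and implicit-deny rules above concrete, here is an added example (not part of the original article and not Cisco code) that evaluates IOS-style standard ACL statements the way the router does, and flags statements that can never match because an earlier, broader statement already covers them. The sample ACLs and the helper names are constructed for this illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple
MASK32 = 0xFFFFFFFF

class AclEntry(NamedTuple):
    action: str    # "permit" or "deny"
    ip: int        # address bits to compare against
    wildcard: int  # IOS wildcard mask: 0 bits must match, 1 bits are "don't care"

    def matches(self, addr: int) -> bool:
        return ((addr ^ self.ip) & ~self.wildcard & MASK32) == 0

    def covers(self, other: "AclEntry") -> bool:
        """True if every address matched by `other` is also matched by this entry."""
        return (other.wildcard & ~self.wildcard & MASK32) == 0 and self.matches(other.ip)

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(text: str) -> List[AclEntry]:
    """Parse IOS-style standard ACL lines: '<permit|deny> any | host A.B.C.D | A.B.C.D W.W.W.W'."""
    entries = []
    for line in text.strip().splitlines():
        action, target, *rest = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action in line: {line!r}")
        if target == "any":
            entries.append(AclEntry(action, 0, MASK32))
        elif target == "host":
            entries.append(AclEntry(action, _to_int(rest[0]), 0))
        else:  # address followed by its wildcard mask
            entries.append(AclEntry(action, _to_int(target), _to_int(rest[0])))
    return entries

def evaluate(acl: List[AclEntry], src_ip: str) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; the implicit 'deny any' is reported as ('deny', None)."""
    addr = _to_int(src_ip)
    for line_no, entry in enumerate(acl, 1):
        if entry.matches(addr):
            return entry.action, line_no
    return "deny", None

def shadowed_lines(acl: List[AclEntry]) -> List[int]:
    """1-based lines that can never match because an earlier statement already covers them."""
    return [n for n, e in enumerate(acl, 1) if any(prev.covers(e) for prev in acl[:n - 1])]

# Constructed samples: the specific deny below a broad permit is dead; the reorder fixes it.
WRONG_ORDER = "permit 10.1.0.0 0.0.255.255\ndeny host 10.1.1.50"
RIGHT_ORDER = "deny host 10.1.1.50\npermit 10.1.0.0 0.0.255.255"
```

Running `shadowed_lines` over an ACL before applying it catches the most common ordering mistake (a specific statement placed below a broad one), and `evaluate` with an address outside every statement shows the implicit deny at work.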