Introduction to ACLs (Access Control Lists)
Before looking into the configuration of ACLs (Access Control Lists), it’s important to understand the concepts behind them, how they work and what they are used for.
Firstly, most people believe that ACLs are used purely for denying or allowing traffic. Although this is certainly one of the functions of an ACL, it is certainly not the only one. ACLs can be used for:
1/ Permitting or denying packets moving THROUGH the router.
2/ Permitting or denying packets TO or FROM the router.
3/ QOS (Quality of Service)
4/ DDR (Dial-on Demand Routing)
5/ Route filtering
So let’s break down each of the above to see its use.
1/ When you want to restrict traffic from flowing THROUGH a router, you can attach an ACL to an interface of the router. This can be done in the INBOUND or the OUTBOUND direction. The direction is vitally important, because how the router processes the packet differs depending on the direction of the ACL. If the ACL is bound to an interface INBOUND, the ACL takes effect before the router does any further processing of the packet. If the ACL is bound to an interface in the OUTBOUND direction, the router will already have processed the packet entirely before possibly dropping it. This can increase the load on the router unnecessarily.
2/ Attaching an ACL to an interface does NOT, however, stop traffic that is going TO or FROM the router itself. This means that if I’m trying to telnet to the router, the ACL on the interface will NOT APPLY. In order to restrict traffic TO or FROM the router we need to attach the ACL to the virtual terminal lines of the router (the VTY lines).
3/ QoS uses ACLs to define the traffic that you wish to prioritise. These ACLs are not bound to interfaces; they are referenced from the modular QoS configuration.
4/ When using dial-up interfaces such as modems or ISDN, you don’t want to allow just any traffic to cause the interface to dial. If all traffic were allowed to bring the line up, then every broadcast would cause the line to dial. This would result in the line being constantly connected and in a large phone bill. With ACLs for DDR we define which traffic is allowed to make the modem or ISDN line dial and establish a connection. It is important to understand that once the line is active, ALL traffic is allowed to flow through it. These ACLs do not restrict traffic from flowing; they restrict traffic from causing the line to dial!
5/ Route filtering is used when we wish to redistribute routes learnt from one routing protocol into another. This is most commonly seen when you run an EGP (Exterior Gateway Protocol) such as BGP and wish to insert some of the routes learnt from BGP into your IGP (Interior Gateway Protocol), such as OSPF. You cannot redistribute the entire BGP routing table into OSPF, as OSPF cannot handle a routing table of that size, so we use an ACL to restrict which entries will be redistributed.
Now that we understand the different uses of Access Control Lists, we need to look at the three different types of ACL: STANDARD, EXTENDED and NAMED.
Standard ACLs only check the source address of the packet and either permit or deny the entire protocol suite from that source. They are numbered 1-99 and 1300-1999.
Extended ACLs can check the source and destination addresses, the source and destination port numbers, and specific protocols. They are numbered 100-199 and 2000-2699.
Named ACLs can be either standard or extended ACLs; the difference is that the ACL is identified by a name instead of a number.
Guidelines:
- One ACL per interface, per protocol, per direction
- The order of ACL statements is important. Once a match has been made, no further statements are tested.
- The most restrictive statements go at the top of the list
- The last statement in an ACL is ALWAYS an implicit deny any, so every ACL needs at least one permit statement, otherwise it blocks all traffic
- An ACL must be configured before it is applied to an interface
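To make the guidelines concrete, here is an added example (not from the original post or from any vendor code) that evaluates Cisco-style numbered ACL statements the way the router does: top-down, first match wins, and an implicit deny any at the end. It applies the numbered ranges given above to tell standard from extended syntax and matches addresses with wildcard masks; the ACL lines and addresses are constructed sample data.

```python
import ipaddress

# Numbered ACL ranges from the page: standard 1-99 and 1300-1999, extended 100-199 and 2000-2699.
ACL_RANGES = {"standard": ((1, 99), (1300, 1999)), "extended": ((100, 199), (2000, 2699))}
ANY = ("0.0.0.0", "255.255.255.255")  # "any": base 0.0.0.0 with an all-ones wildcard

def acl_type(number):
    for kind, ranges in ACL_RANGES.items():
        if any(lo <= number <= hi for lo, hi in ranges):
            return kind
    raise ValueError(f"{number} is not a valid numbered ACL")

def wildcard_match(addr, base, wildcard):
    # Wildcard mask: a 0 bit must match, a 1 bit is "don't care" (the inverse of a subnet mask).
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(t, i):
    # Consume one address spec at t[i]: "any", "host X", or "X WILDCARD"; return ((base, wc), next i).
    if t[i] == "any":
        return ANY, i + 1
    return ((t[i + 1], "0.0.0.0"), i + 2) if t[i] == "host" else ((t[i], t[i + 1]), i + 2)

def parse_entry(line):
    # One "access-list N permit|deny ..." statement in standard or extended syntax.
    t = line.split()
    number, action = int(t[1]), t[2]
    if acl_type(number) == "standard":  # standard ACLs test the source address only
        src, _ = _addr(t, 3)
        return {"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None}
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if len(t) > i + 1 and t[i] == "eq" else None
    return {"action": action, "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, packet):
    # Top-down, first match wins; anything unmatched hits the implicit "deny any" at the end.
    for e in map(parse_entry, acl_lines):
        if (e["proto"] in ("ip", packet["proto"])
                and wildcard_match(packet["src"], *e["src"])
                and wildcard_match(packet["dst"], *e["dst"])
                and (e["dport"] is None or e["dport"] == packet.get("dport"))):
            return e["action"]
    return "deny"

# Constructed sample (not from the page): SSH to 10.0.0.10 only from 192.168.1.0/24, all else permitted.
SAMPLE_ACL = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 22",
    "access-list 101 deny tcp any host 10.0.0.10 eq 22",
    "access-list 101 permit ip any any",
]
```

Swapping the first two statements of SAMPLE_ACL changes the verdict for a 192.168.1.x host, which is the ordering guideline in action; an ACL containing only deny statements denies everything because of the implicit deny.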