Chapter 4: Access Control Lists (ACLs)

Questions and Answers

What action does a router take by default regarding network traffic?

  • The router forwards all the traffic.
  • The router does not filter traffic. (correct)
  • The router drops all the traffic.
  • The router filters all the traffic.

What is the function of an Access Control List (ACL)?

  • To encrypt network packets for secure transmission.
  • To translate IP addresses between private and public networks.
  • To route network packets to their destination.
  • To evaluate network packets and determine if they are permitted or denied. (correct)

What criteria can ACLs use to filter traffic?

  • Source/destination IP addresses, IP protocols, and TCP/UDP port numbers. (correct)
  • IP protocols only.
  • The size of the network packets.
  • Source and destination IP addresses only.

What is the meaning of 'implicit deny' in the context of ACLs?

  • An automatic deny statement at the end of each ACL. (correct)

What happens if an ACL does not have at least one permit statement?

  • The ACL will block all traffic. (correct)

Which of the following is the primary difference between standard and extended ACLs?

  • Standard ACLs filter IP packets based only on the source address, while extended ACLs can filter based on several attributes. (correct)

Which number ranges represent standard IP ACLs?

  • 1 to 99 and 1300 to 1999 (correct)

What convention should be followed when naming an ACL?

  • Names can contain alphanumeric characters, and it is suggested that they are written in CAPITAL LETTERS. (correct)

In a wildcard mask, what does a '0' bit signify?

  • Match the corresponding bit value in the address. (correct)

Which command is used to create a standard ACL?

  • access-list (correct)

Where should extended ACLs be placed, according to Cisco's best practices?

  • As close as possible to the source of the traffic to be filtered. (correct)

What does the command access-list 1 permit any do?

  • It permits all traffic. (correct)

What is the command to apply an ACL to an interface?

  • ip access-group <acl_number> <in | out> (correct)

What is the purpose of the remark keyword in an ACL?

  • To add comments for documentation purposes. (correct)

After configuring a standard ACL, what mode must you enter to link the ACL to an interface?

  • Interface configuration mode. (correct)

How can an existing numbered ACL be modified?

  • By using sequence numbers to insert or delete entries, or by using a text editor to rewrite the ACL. (correct)

When would you prefer to use an extended ACL over a standard ACL?

  • When you need to filter traffic based on multiple criteria, such as source and destination IPs, protocols, and port numbers. (correct)

Which command is used to remove an ACL completely?

  • no access-list (correct)

A network administrator wants to block all Telnet traffic originating from the 192.168.1.0/24 network to any destination. Which is the most efficient extended ACL to accomplish this?

  • access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23 (correct), followed by a permit statement for the traffic that should still pass; on its own, the implicit deny at the end of the ACL would drop everything else as well.

A router has two ACLs configured: a standard ACL (number 5) and an extended ACL (number 105). A network admin applies ACL 5 outbound and ACL 105 inbound on the same interface. The standard ACL denies all traffic from any host. The extended ACL permits TCP traffic to port 80 on a specific server and denies everything else. What is the resulting behaviour, which is easy to miss when troubleshooting? (Assume no NAT/PAT)

  • The standard ACL renders the extended ACL useless: HTTP requests are admitted inbound, but ACL 5 drops every packet leaving the interface, including the server's replies, so no session completes. The match counters of ACL 5 in show access-lists are the quickest way to spot this. (correct)

By default, a router automatically filters network traffic without any configuration.

  • False (correct)

When an ACL is applied to an interface, it evaluates only a sample of network packets to determine if they should be permitted or denied.

  • False (correct)

An Access Control List (ACL) is a sequential list of permit or deny algorithms.

  • False (correct)

Access Control Entries (ACEs) are exclusively referred to as ACL procedures.

  • False (correct)

ACLs control whether a router permits or denies packets based on source IP address, destination IP address, and protocol, but not based on TCP/UDP port numbers.

  • False (correct)

An outbound ACL filters packets before they are routed.

  • False (correct)

Every ACL implicitly ends with an explicit deny-all statement.

  • False (correct)

An ACL without any permit statements will block all traffic due to the implicit deny.

  • True (correct)

Standard ACLs filter packets based on both the source and destination IP address.

  • False (correct)

Extended ACLs can filter based on source IP address, destination IP address, and protocol type but NOT on TCP or UDP ports.

  • False (correct)

When using numbered ACLs, numbers 1 to 99 are reserved for Standard IP ACLs, and 100 to 199 are for Extended IP ACLs.

  • True (correct)

Named ACLs can only contain numeric characters.

  • False (correct)

In wildcard masks, a '0' bit means 'ignore the corresponding bit value in the address'.

  • False (correct)

A wildcard mask of 0.0.0.0 is equivalent to the keyword any.

  • False (correct)

According to Cisco best practices, ACLs should be based on the IT department's preferences rather than organizational security policies.

  • False (correct)

For optimal efficiency, extended ACLs should be placed as close as possible to the destination of the traffic to be filtered.

  • False (correct)

Standard ACLs are best placed close to the destination because they do not specify destination addresses.

  • True (correct)

The command access-list 1 remark This is a test ACL applies the ACL to interface 1.

  • False (correct)

In the command access-list 101 deny tcp any eq telnet any, the any eq telnet refers to the source port.

  • True (correct): an eq operator placed directly after the source address applies to the source port, so this ACE denies TCP segments whose source port is 23. To match a destination port of 23 the operator goes after the destination address: access-list 101 deny tcp any any eq telnet.

If an administrator configures an extended ACL with sequence numbers and later decides to insert a new rule between sequence numbers 10 and 20, it's impossible to insert a sequence numbered entry between those numbers and they would have to re-write the entire ACL.

  • False (correct)

Flashcards

What are Access Control Lists (ACLs)?

A sequential list of permit or deny statements used to filter network traffic.

Default Router Behavior

A router does not filter traffic by default.

ACL on an Interface

Evaluates network packets and determines if they are permitted or denied, based on the ACL configuration.

Inbound ACL

Filters packets coming into a specific interface before being routed.

Outbound ACL

Filters packets after they have been routed, regardless of the inbound interface.

Implicit Deny

The last statement of every ACL, not shown in the configuration, that denies all traffic no earlier statement matched.

ACL without Permit

An ACL that does not have at least one permit statement will block all traffic due to the implicit deny.

Standard ACLs

Filter IP packets based on the source address only.

Extended ACLs

Filter IP packets based on several attributes, including source/destination IP addresses, TCP/UDP ports, and protocol types.

Wildcard Mask

Used to match or ignore bit values in an IP address.

Wildcard Mask Bit 0

Match the corresponding bit value in the address.

Wildcard Mask Bit 1

Ignore the corresponding bit value in the address.

Extended ACL Placement

Located as close as possible to the source of the traffic to be filtered.

Standard ACL Placement

Located as close to the destination as possible, because they do not specify destination addresses.

One ACL per Protocol

An ACL must be defined for each protocol (e.g. IPv4, IPv6) enabled on the interface to control traffic flow.

One ACL per Direction

ACLs control traffic in one direction at a time on an interface; two separate ACLs are needed for inbound and outbound traffic.

One ACL per Interface

ACLs control traffic for a single interface, e.g. GigabitEthernet 0/0.

ACL Use in Firewalls

Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.

Calculating Wildcard Mask

Subtract the subnet mask from 255.255.255.255.

Remark Keyword in ACLs

The remark keyword is used for documentation and makes access lists easier to understand.

The host keyword

Abbreviates an IP address/wildcard mask combination with wildcard 0.0.0.0, where all address bits must match.

The any keyword

Abbreviates 0.0.0.0 255.255.255.255, a wildcard mask that ignores all address bits.

Border routers

Routers at the edges of the network, where ACLs should be configured.

Security Policy

Base ACLs on this to implement the organizational security guidelines.

Text Editor for ACLs

Tool used to create, edit, and save ACLs so they can be reused.

Development Network

Test ACLs here before implementation on a production network.

no access-list command

The global configuration command that removes an ACL created with access-list.

Packet Filtering

Filters traffic from a source to a destination according to a configured rule-set.

Internal Logic

Cisco IOS processes the statements of an access list sequentially from the top; the first statement that matches a packet decides it, and later statements are not consulted.

ip access-group command

Interface configuration command used to link an ACL to an interface, such as GigabitEthernet 0/0.

ip access-list command

Global configuration command used to create a named ACL.

Show IP Interface

Command that shows the configuration of a particular interface, including which ACLs are applied inbound and outbound. E.g. show ip interface g0/0.

Established Parameter

Used in extended TCP ACEs to match only segments that belong to an already-established session (ACK or RST bit set), so replies to sessions opened from the protected side are permitted while new connections from the other side are not.

Study Notes

  • ACLs can be used to filter network traffic
  • Standard and extended IPv4 ACLs compared
  • ACLs use wildcard masks
  • Key guidelines for creating ACLs
  • Guidelines for ACL placement
  • Configuring standard IPv4 ACLs to filter traffic as required
  • Modifying standard IPv4 ACLs with sequence numbers
  • Securing VTY access with a standard ACL
  • The structure of an extended access control entry (ACE)
  • Configuring extended IPv4 ACLs to filter traffic as required
  • Using ACLs to limit debug output
  • How a router processes packets when an ACL is applied
  • CLI commands for troubleshooting common ACL errors

Purpose of ACLs

  • Routers do not filter traffic by default

  • When an ACL is applied to an interface, it evaluates every network packet crossing that interface in that direction and determines whether the packet is permitted or denied

  • An ACL is a sequential list of permit or deny statements known as access control entries (ACEs), a.k.a. ACL statements

  • Routers permit or deny packets based on criteria in the packet headers:

    • Source and destination IP addresses
    • IP protocols such as ICMP, TCP, UDP, EIGRP
    • TCP/UDP source and destination ports
  • Routers forward or drop packets according to the filtering rules

  • Inbound ACLs filter packets coming into a specific interface before they are routed to the outbound interface

  • Outbound ACLs filter packets after they have been routed, regardless of the inbound interface

  • The last ACL statement is always an implicit deny, automatically inserted at the end even though it does not appear in the configuration

  • The implicit deny blocks all traffic that no earlier ACE matched, so an ACL without at least one permit statement blocks all traffic

Standard versus Extended IPv4 ACLs

  • Standard ACLs filter IP packets based on the source address only
  • Extended ACLs can filter IP packets on the following attributes:
    • Source and destination IP addresses
    • Source and destination TCP and UDP ports
    • Protocol type or number, such as IP, ICMP, UDP, TCP

Numbering and Naming ACLs

  • A numbered ACL is identified by a number; the range the number falls in tells IOS which protocol and type of ACL it is
    • (1 to 99) and (1300 to 1999) specifies a Standard IP ACL
    • (100 to 199) and (2000 to 2699) specifies an Extended IP ACL
  • A named ACL is identified by a name given when the ACL is created
    • Names use alphanumeric characters
    • Best practice is to write the name in CAPITAL LETTERS
    • Spaces or punctuation are not valid in named ACLs
    • Entries can be easily added or deleted within the ACL

Wildcard Masks in ACLs

  • Wildcard masks and subnet masks match binary 1s and 0s differently
  • Wildcard Masks use the following rules to match binary 1s and 0s:
    • Wildcard mask bit 0 - Match the corresponding bit value in the address
    • Wildcard mask bit 1 - Ignore the corresponding bit value in the address
  • Wildcard masks are often referred to as an inverse mask
  • Subnet masks have a binary 1 equal to a match and a binary 0 as not a match
  • In a wildcard mask, the reverse is true

Calculating the Wildcard Mask

  • Calculating wildcard masks can be challenging
  • A shortcut method is to subtract a provided subnet mask from 255.255.255.255

Wildcard Mask Keywords

  • access-list 1 permit 192.168.10.10 0.0.0.0 is the same as access-list 1 permit host 192.168.10.10

  • access-list 1 permit 0.0.0.0 255.255.255.255 is the same as access-list 1 permit any
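The wildcard arithmetic above, as an added example (not code from the original page): it implements the subtraction shortcut, the bit-level matching rule (wildcard bit 0 must match, bit 1 is ignored) and the host/any keyword equivalences, and goes one step beyond the page by showing a non-contiguous wildcard. Function names and all addresses are the example's own, constructed for illustration.

```python
"""Wildcard-mask arithmetic as Cisco IOS ACLs use it (added example, not from the page).

Implements the subtraction shortcut described above, the bit-level matching
rule (wildcard bit 0 = must match, bit 1 = ignore) and the host/any keyword
equivalences. All addresses are constructed sample values.
"""
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The page's shortcut: 255.255.255.255 minus the subnet mask.

    No octet of a subnet mask exceeds 255, so the subtraction never borrows
    and doing it on the 32-bit value gives the same result as octet by octet.
    """
    return _to_dotted(0xFFFFFFFF - _to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /prefix_len network, e.g. /24 -> 0.0.0.255, /32 -> 0.0.0.0 (host)."""
    return wildcard_from_mask(str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True if `address` matches `base` on every bit that is 0 in `wildcard`."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)            # 1 where the ACE cares about the bit
    return (_to_int(address) & care) == (_to_int(base) & care)


def matching_addresses(base: str, wildcard: str, candidates: list) -> list:
    """Filter candidate addresses the way an ACE's address/wildcard pair would."""
    return [a for a in candidates if wildcard_match(a, base, wildcard)]


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.252.0"))                          # 0.0.3.255
    print(wildcard_from_prefix(24))                                     # 0.0.0.255
    # `host 192.168.10.10` is 192.168.10.10 0.0.0.0; `any` is 0.0.0.0 255.255.255.255
    print(wildcard_match("192.168.10.10", "192.168.10.10", "0.0.0.0"))  # True
    print(wildcard_match("192.168.10.11", "192.168.10.10", "0.0.0.0"))  # False
    print(wildcard_match("8.8.8.8", "0.0.0.0", "255.255.255.255"))      # True
    # Wildcards need not be contiguous: 0.0.254.255 keeps only the low bit of the
    # third octet, so it matches every even-numbered /24 under 192.168.0.0/16
    print(matching_addresses("192.168.0.0", "0.0.254.255",
                             ["192.168.4.7", "192.168.5.7", "192.168.16.1", "192.169.2.1"]))
```

The non-contiguous case is worth remembering when reviewing someone else's ACL: a wildcard such as 0.0.254.255 is valid IOS syntax and matches a set of subnets that no single prefix describes, so it cannot be reasoned about as "the inverse of a subnet mask".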

Guidelines for ACL Creation

  • Place ACLs in firewall routers positioned between your internal network and an external network like the internet
  • Place ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network
  • Configure ACLs on border routers situated at the edges of your networks
  • Configure ACLs for each network protocol configured on the border router interfaces

General Guidelines for Creating ACLs

  • One ACL per protocol controls traffic flow on an interface
  • An ACL must be defined for each protocol enabled on the interface
  • One ACL per direction controls traffic in one direction at a time on an interface
  • Two separate ACLs must be created to control inbound and outbound traffic
  • One ACL per interface: each ACL controls traffic for a single interface, such as GigabitEthernet 0/0

ACL Best Practices

Guideline                                                         Benefit
Base ACLs on the organization's security policy                   Ensures the organizational security guidelines are implemented
Prepare a description of what you want your ACLs to do            Avoids inadvertently creating potential access problems
Use a text editor to create, edit and save ACLs                   Creates a library of reusable ACLs
Test ACLs on a development network before production deployment   Avoids costly errors

Guidelines for ACL Placement

  • Place every ACL where it has the greatest impact on efficiency
  • Locate extended ACLs as close as possible to the source of the traffic to be filtered, so unwanted traffic is dropped before it crosses the network
    • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible
  • Placement of the ACL and the type of ACL used may also depend on various factors:
    • The extent of administrator control
    • Bandwidth of the networks involved
    • Ease of configuration

Configuring a Standard ACL Example

  • access-list 2 deny host 192.168.10.10

  • access-list 2 permit 192.168.10.0 0.0.0.255

  • access-list 2 deny 192.168.0.0 0.0.255.255

  • access-list 2 permit 192.0.0.0 0.255.255.255

  • The full syntax of the standard ACL commands:

    • Router(config)# access-list access-list-number deny | permit | remark source [source-wildcard] [log]
  • The global configuration no access-list command removes the ACL

  • Use the remark keyword for documentation and create easy to understand access lists

Internal Logic for ACLs

  • Cisco IOS applies an internal logic when accepting and processing standard access list statements
  • Access list statements are processed sequentially from the top; the first statement that matches a packet decides its fate and later statements are not checked
  • Statement order is therefore important: a broad permit placed before a specific deny makes the deny unreachable

Applying Standard ACLs to Interfaces

  • The ip access-group command, entered in interface configuration mode, links a configured ACL to the interface in one direction:
    • Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
  • To remove an ACL from an interface:
    • First enter the no ip access-group command on the interface
    • Then enter the global no access-list command to remove the entire ACL

Creating Named Standard ACLs

  • The following global configuration command creates a named IP ACL and enters named-ACL configuration mode:

    • Router(config)# ip access-list [standard | extended] name
    • The alphanumeric name must be unique and must not begin with a number
  • Within named-ACL configuration mode, the following command syntax is used for each entry:

    • Router(config-std-nacl)# [permit | deny | remark] {source [source-wildcard]} [log]
  • The named ACL is then applied to an interface with:

    • Router(config-if)# ip access-group name [in | out]

Structure of Extended IPv4 ACLs

  • Extended ACLs can filter on:

    • Source address
    • Destination address
    • Protocol
    • Port numbers
  • Extended ACLs are used more often than standard ACLs because of their greater degree of control

    • Also characterized as "increased granular control"
  • Extended ACLs filter on source IP address AND destination IP address

  • Additionally, filters can be applied to upper-layer protocols such as TCP, UDP, ICMP and EIGRP, and for TCP and UDP to the respective source and destination ports

  • The procedural steps for extended ACL configurations are the same as standard ACLs

  • After configuring the extended ACL, it must be activated on an interface

    • Configuration syntax and parameters may be more complex because of support for additional extended ACL features
  • Syntax example:

    • access-list access-list-number {deny | permit | remark} protocol source [source-wildcard] [operator operand] [port port-number or name] destination [destination-wildcard] [operator operand] [port port-number or name] [established]

Extended IP ACLs

  • access-list 101 permit ip any any permits all packets
  • access-list 101 deny ip any host 10.1.1.1 denies all packets from any source address going to host 10.1.1.1
  • access-list 101 deny ip host 10.1.1.1 any denies all packets from host 10.1.1.1 going to any destination address

Extended TCP ACLs

  • A port operator that comes after the destination address refers to the destination port, e.g. access-list 101 deny tcp any any eq telnet (port 23)

    • This denies TCP packets whose destination port is 23 (Telnet) from anywhere to anywhere
  • A port operator that comes after the source address refers to the source port, e.g. access-list 101 deny tcp any eq telnet any

    • This denies TCP packets whose source port is 23 (Telnet) going to any destination

Editing Extended ACLs

  • Editing an extended ACL uses the same process as editing a standard ACL
  • Extended ACLs can be modified by:
    • Text editor
    • Sequence numbers
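An added example, not from the original page and not IOS code, that models the evaluation rules described in the sections above: the standard ACL 2 example, the internal logic (top-down, first match wins, implicit deny), the source-port versus destination-port placement of eq in extended TCP ACEs, the established parameter, and inserting an ACE by sequence number. Assumptions: only the eq port operator is modelled; the ACK/RST condition that established tests is represented by a single ack flag on the packet; initial entries are numbered 10, 20, 30 as IOS does for named ACLs; every address, port and class name is constructed for the example.

```python
"""Toy model of how Cisco IOS evaluates an IPv4 ACL (added example, not IOS code).

Parses the ACE syntax used in the notes above (standard and extended, host/any,
eq <port>, established), evaluates packets top-down with first-match-wins and
the implicit deny, counts matches per ACE as `show access-lists` does, and
inserts ACEs by sequence number. All addresses and ports are constructed samples.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")          # what the `any` keyword abbreviates
# proto "ip" matches every IP protocol; sport/dport None = any port; ack = ACK or RST bit set
Packet = namedtuple("Packet", "src dst proto sport dport ack", defaults=("ip", 0, 0, False))
ACE = namedtuple("ACE", "seq action proto src src_wc dst dst_wc sport dport established",
                 defaults=(None, None, False))

def wildcard_match(address, base, wildcard):
    """Wildcard bit 1 = ignore that address bit; bit 0 = the bit must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def ace_hits(ace, p):
    """Every field of the ACE must match; unset ports and proto 'ip' act as wildcards."""
    return (ace.proto in ("ip", p.proto)
            and wildcard_match(p.src, ace.src, ace.src_wc)
            and wildcard_match(p.dst, ace.dst, ace.dst_wc)
            and ace.sport in (None, p.sport) and ace.dport in (None, p.dport)
            and (p.ack or not ace.established))

def _take_addr(t):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (addr, wildcard, rest)."""
    if t[0] == "any":
        return ANY[0], ANY[1], t[1:]
    if t[0] == "host":
        return t[1], "0.0.0.0", t[2:]
    return t[0], t[1], t[2:]

def _take_port(t):
    """Consume an optional 'eq <number|name>'; other operators (gt, range, ...) are not modelled."""
    if t and t[0] == "eq":
        return (int(t[1]) if t[1].isdigit() else PORT_NAMES[t[1]]), t[2:]
    return None, t

def parse_ace(seq, line):
    """Parse 'access-list N permit ...' or a bare named-ACL style 'permit ...' line."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, t = t[0], t[1:]
    if t[0] not in ("ip", "tcp", "udp", "icmp"):       # standard ACE: source only, any destination
        src, src_wc, _ = _take_addr(t)
        return ACE(seq, action, "ip", src, src_wc, *ANY)
    proto, t = t[0], t[1:]
    src, src_wc, t = _take_addr(t)
    sport, t = _take_port(t)                           # `eq` right after the source = source port
    dst, dst_wc, t = _take_addr(t)
    dport, t = _take_port(t)                           # `eq` after the destination = destination port
    return ACE(seq, action, proto, src, src_wc, dst, dst_wc, sport, dport, "established" in t)

class ACL:
    def __init__(self, *lines):
        self.aces = [parse_ace(10 * (i + 1), l) for i, l in enumerate(lines)]   # IOS numbers 10, 20, ...
        self.matches = {}                                                      # seq -> hit count

    def insert(self, seq, line):
        """Insert at a sequence number (e.g. 15 between 10 and 20); order follows the numbers."""
        self.aces = sorted(self.aces + [parse_ace(seq, line)], key=lambda a: a.seq)

    def evaluate(self, p):
        """Top-down, first match wins; no match falls through to the implicit deny."""
        for ace in self.aces:
            if ace_hits(ace, p):
                self.matches[ace.seq] = self.matches.get(ace.seq, 0) + 1
                return ace.action
        return "deny"

def demo():
    acl2 = ACL("access-list 2 deny host 192.168.10.10", "access-list 2 permit 192.168.10.0 0.0.0.255",
               "access-list 2 deny 192.168.0.0 0.0.255.255", "access-list 2 permit 192.0.0.0 0.255.255.255")
    standard = {s: acl2.evaluate(Packet(s, "10.1.1.1")) for s in
                ("192.168.10.10", "192.168.10.20", "192.168.50.1", "192.10.1.1", "172.16.1.1")}
    acl101 = ACL("access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23", "permit ip any any")
    ssh = Packet("192.168.1.5", "10.1.1.1", "tcp", 40000, 22)
    ssh_before = acl101.evaluate(ssh)
    acl101.insert(15, "deny tcp 192.168.1.0 0.0.0.255 any eq ssh")      # new ACE lands between 10 and 20
    ssh_after = acl101.evaluate(ssh)
    acl102 = ACL("deny tcp any eq telnet any", "permit ip any any")      # `eq telnet` here is a SOURCE port
    from_server = acl102.evaluate(Packet("10.1.1.1", "192.168.1.5", "tcp", 23, 40000))
    to_server = acl102.evaluate(Packet("192.168.1.5", "10.1.1.1", "tcp", 40000, 23))
    acl103 = ACL("permit tcp any 192.168.1.0 0.0.0.255 established")
    reply = acl103.evaluate(Packet("10.1.1.1", "192.168.1.5", "tcp", 80, 40000, ack=True))
    syn = acl103.evaluate(Packet("10.1.1.1", "192.168.1.5", "tcp", 40000, 22))
    return {"standard": standard, "ssh_before": ssh_before, "ssh_after": ssh_after,
            "from_server": from_server, "to_server": to_server, "reply": reply, "syn": syn,
            "acl101_counters": acl101.matches}

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three behaviours the notes warn about: 172.16.1.1 is denied by ACL 2 even though no line mentions it (implicit deny), the SSH packet flips from permit to deny once entry 15 is inserted ahead of the permit at 20 (order and sequence numbers), and ACL 102 drops the packet coming from port 23 while letting the packet destined to port 23 through (eq after the source is a source port). The counters dictionary is the model's equivalent of the per-line match counts in show access-lists, which is where a real troubleshooting session would start.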

Verifying ACLs

  • The show ip interface command will show the ACL configured on the interface and direction
  • The command to verify is, R1#show ip interface g0/0

ACL Statistics

  • Use the show access-lists command to show the ACL statistics
  • It will show the number of matches for each ACL
  • R1#show access-lists
