Types of access control list

This tutorial explains how to configure Cisco access control lists. Learn Cisco ACLs configuration commands with their arguments, options, and parameters.

There are eight types of ACLs. These types are standard-numbered, standard-named, standard-numbered with the sequence editing feature, standard-named with the sequence editing feature, extended-numbered, extended-named, extended-numbered with the sequence editing feature, and extended-named with the sequence editing feature.

To create and configure these access lists, we have two commands: 'access-list' and 'ip access-list'. The main difference between them is that the first command supports only the standard-numbered and extended-numbered types, while the second command supports all eight types.

In this part, we will discuss the meaning of the arguments, options, and parameters of the 'access-list' command. We will also learn how to use the 'access-list' command to create and manage access lists. We will discuss the 'ip access-list' command in the next part of this article.

The 'access-list' command

This is a global configuration mode command. This command allows us to create a standard-numbered ACL and an extended-numbered ACL. This command uses the following syntax.

Router(config)# access-list ACL_# permit|deny conditions

ACL_#:- It is a numerical argument. The router uses this number for the following purposes.

  • To identify the type of protocol
  • To identify the type of ACL
  • To group all the statements in the ACL

Each network layer protocol is assigned a range of numbers. For the IP protocol, the following ranges are defined: 1-99, 100-199, 1300-1999, and 2000-2699. Of these, the ranges 1-99 and 1300-1999 are used for standard access lists, and the ranges 100-199 and 2000-2699 are used for extended access lists.

To create an IP access list, you must specify a number from the above pre-defined number ranges. For example, to create a standard IP access list, you can choose any number between 1-99 and 1300-1999. Similarly, to create an extended IP access list, you can select any number between 100-199 and 2000-2699.

While selecting a number for the ACL, you must follow the following two principles.

  1. To create a new ACL, use an unused number from the range. If you use an existing number, the router will append the statement to the ACL that already has that number.
  2. To update an existing ACL, specify the number of the ACL. If you use a new number, the router will create a new ACL.

Permit|deny

It is an option with two values. If you use the permit option, the router will allow the packet that matches the condition defined next to it. If you use the deny option, the router will block the packet that matches the condition defined next to it.

Conditions

These are the conditions that the router uses to match the packet. A standard ACL and an extended ACL use different criteria to match a packet. The available options in this section depend on the value of the ACL_# argument.

Standard ACL conditions

If you have specified a number that belongs to the standard ACL, the command will use the following syntax.

Router(config)# access-list 1-99|1300-1999 permit|deny source_IP_address [wildcard_mask] [log]

We have already discussed the options and arguments up to the action option. Now, let's discuss the remaining arguments and options.

source_IP_address

It is an argument. It accepts the source address. You can use a host address or a network address. If you use a host address, the router will match only that particular host. If you use a network address, the router will match all hosts of the specified network.

wildcard_mask

It is also an argument. It defines how much of the source address must match: a single IP address or a range of IP addresses. I have already explained wildcard masks in the previous part of this article. You can check that article to learn what wildcard masks are and how they are used.

log

It is an optional parameter. If you specify this parameter, the router prints a log message on the console whenever a packet matches this statement. By default, the router does not print log messages on a non-console connection. For example, if you use a VTY connection, you will not see these log messages in your session. If you want to see log messages on a non-console connection, you must use the following command.

This command works on the current session only, so you have to execute it each time you want to see logging messages in a VTY or TTY session. For debugging and security purposes, you can also forward these messages to a Syslog server.
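To make the number ranges, the wildcard-mask matching and the top-to-bottom evaluation of a standard ACL concrete, here is an added Python example; it is not code from the original tutorial or from Cisco. It classifies an ACL number by the ranges given above, implements wildcard-mask comparison, parses lines in the 'access-list ACL_# permit|deny source [wildcard] [log]' form shown above, and evaluates a source address against them in order. The sample list is constructed, and the example assumes the implicit deny that ends every IOS ACL (standard IOS behaviour, not stated in the text).

```python
import ipaddress

# IPv4 access-list number ranges, as given in the text above.
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))


def acl_type(number):
    """Return 'standard', 'extended' or None for an access-list number."""
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    return None


def wildcard_match(addr, reference, wildcard="0.0.0.0"):
    """Wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored.
    An omitted mask is 0.0.0.0, i.e. an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(reference))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (r & care)


def parse_standard_acl(lines):
    """Parse 'access-list ACL_# permit|deny source [wildcard] [log]' lines
    into entries, rejecting lines that are not standard numbered ACLs."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError("not an access-list line: " + line)
        if acl_type(int(tokens[1])) != "standard":
            raise ValueError("number is not in a standard range: " + line)
        action, source, rest = tokens[2], tokens[3], tokens[4:]
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny: " + line)
        log = bool(rest) and rest[-1] == "log"
        if log:
            rest = rest[:-1]
        wildcard = rest[0] if rest else "0.0.0.0"
        entries.append({"action": action, "source": source,
                        "wildcard": wildcard, "log": log})
    return entries


def evaluate_standard_acl(lines, src_ip):
    """Evaluate a packet's source address against the list in order.
    Returns (action, index_of_matching_entry, log_flag). The router stops
    at the first match; if nothing matches, the implicit 'deny any' at the
    end of every IOS ACL applies (assumed here; not stated in the text),
    reported with index None."""
    for i, entry in enumerate(parse_standard_acl(lines)):
        if wildcard_match(src_ip, entry["source"], entry["wildcard"]):
            return entry["action"], i, entry["log"]
    return "deny", None, False


# Constructed sample list: block one host, permit (and log) the rest of
# its /24; any other source falls through to the implicit deny.
SAMPLE_ACL = [
    "access-list 10 deny 192.168.1.10",
    "access-list 10 permit 192.168.1.0 0.0.0.255 log",
]

if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.1.77", "10.0.0.1"):
        print(src, evaluate_standard_acl(SAMPLE_ACL, src))
```

Order matters: if the two sample lines are swapped, 192.168.1.10 is permitted by the /24 line before the deny line is ever reached, which is why a more specific deny must precede a broader permit.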

Extended ACL conditions

If you have specified a number that belongs to the extended ACL, the command will use the following syntax.

Router(config)# access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]

We have already discussed the syntax up to the action option. Let's discuss the rest of the syntax.

Unlike a standard ACL, which matches only the source address, an extended ACL supports many options in the condition field. An extended ACL allows you to filter traffic based on the IP protocol. The supported IP protocols are ICMP, TCP, GRE, UDP, IGRP, EIGRP, IGMP, IPINIP, NOS, and OSPF.

The options available after the IP_protocol argument depend on the protocol you select. For example, if you select the 'ip' protocol, you will see the options for the 'ip' protocol; if you select the 'tcp' protocol, you will see the options for the 'tcp' protocol.

The CCNA exam syllabus includes four IP protocols: ip, tcp, udp, and icmp.

Before we discuss the options of these protocols, let's understand the type of filtering.

There are two types of filtering: host-level filtering and application-level filtering. Host-level filtering is used to filter all the traffic from the host. Application-level filtering is used to filter specific traffic from the host.

For example, if you want to filter all traffic from host 10.0.0.10/8, you would use host-level filtering. But if you want to filter only web traffic from host 10.0.0.10/8, you would use application-level filtering. In other words, host-level filtering answers "is host A allowed to access host B at all?" while application-level filtering answers "which services on host B is host A allowed to access?".

Let's discuss both types in detail.

Host level filtering

To filter all the traffic from a host, we use the IP address of the host. To use an IP address, we need to specify the 'ip' keyword after the action argument. The 'ip' keyword tells the command that we want to filter traffic based on host addresses alone, regardless of the upper-layer protocol.

Unlike a standard access list that allows us to use only the source IP address, an extended access list allows us to use both the source and destination IP addresses. Since you can use both addresses, you can filter the exact traffic.

This feature makes extended access lists more flexible than standard access lists. To use host-level filtering, use the following syntax.

Router(config)#access-list 100-199|2000-2699 permit|deny ip source_address source_wildcard_mask destination_address destination_wildcard_mask [log]

After the 'ip' keyword, we have two fields to specify the source address and the destination address. We can specify a single host address or a range of IP addresses in both fields. We can use wildcard masks with both addresses.

Application-level filtering

To filter a specific type of traffic coming from a host or going to a host, we use the name of the protocol that transports the traffic. On an IP network, an application can send its traffic by using one of two protocols. These protocols are TCP and UDP.

Both protocols can simultaneously transport data of many applications. Both protocols use a unique number for each application to keep its data separate from other applications. These numbers are known as port numbers.

TCP and UDP maintain separate port-number spaces; an application's TCP port and its UDP port need not be the same.

The following table lists some of the most common port numbers and their associated applications.

TCP

Port Number   Application     ACL Keyword
20            FTP (Data)      ftp-data
21            FTP (Control)   ftp
22            SSH
23            Telnet          telnet
25            SMTP            smtp
53            DNS             domain
80            HTTP            www
110           POP3            pop3
443           SSL (HTTPS)

UDP

Port Number   Application     ACL Keyword
53            DNS             domain
67, 68        DHCP            nameserver
69            TFTP            tftp
123           NTP
161           SNMP            snmp

To filter traffic based on an application, we use the following syntax.

Router(config)#access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]

Operators

Operators allow us to match ports more specifically. You can use operators to define a range of ports or a particular port. Extended access lists support five operators. The following table lists them.

Operator   Description
lt         Less than
gt         Greater than
neq        Not equal to
eq         Equal to
range      Range of port numbers

Operators are optional. Only TCP and UDP use operators; other IP protocols do not.

Established

The established keyword allows TCP traffic to pass through only if the connection was initiated from inside. It is used only with TCP packets. With this keyword, we can control the direction in which connections may be opened. If we use this keyword, the ACL will allow only those TCP packets which have the 'Established' flag bit set in their header.

Log

This keyword instructs the router to log a message every time an ACL entry is hit.
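The following Python example is added here to show how the extended-ACL fields above (protocol, source and destination with wildcard masks, the five port operators, the port keywords from the table, established and log) combine when a packet is evaluated; it is not code from the original tutorial or from Cisco. It parses lines in the 'access-list ACL_# permit|deny tcp|udp|ip source wc [operator port] destination wc [operator port] [established] [log]' form shown above and evaluates constructed packets against them in order. It assumes the implicit deny at the end of every IOS ACL, and it implements 'established' as IOS does, by matching TCP segments with the ACK or RST bit set (anything but the opening SYN). The sample list and packets are constructed.

```python
import ipaddress

# Port keywords from the table above, resolved to numbers when parsing.
PORT_KEYWORDS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
                 "domain": 53, "tftp": 69, "www": 80, "pop3": 110, "snmp": 161}

# The five port operators; 'range' is the only one that takes two numbers.
OPERATORS = {
    "lt": lambda port, a: port < a[0],
    "gt": lambda port, a: port > a[0],
    "neq": lambda port, a: port != a[0],
    "eq": lambda port, a: port == a[0],
    "range": lambda port, a: a[0] <= port <= a[1],
}


def wildcard_match(addr, reference, wildcard):
    """Wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(reference)) & care)


def _port_number(token):
    return PORT_KEYWORDS[token] if token in PORT_KEYWORDS else int(token)


def _take_port_spec(tokens, i):
    """Consume an optional 'operator port [port]' starting at tokens[i]."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        op = tokens[i]
        count = 2 if op == "range" else 1
        args = [_port_number(t) for t in tokens[i + 1:i + 1 + count]]
        return (op, args), i + 1 + count
    return None, i


def parse_extended_line(line):
    """Parse one extended numbered ACL line into a dict of its fields."""
    t = line.split()
    number = int(t[1])
    if t[0] != "access-list" or not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError("not an extended access-list line: " + line)
    entry = {"action": t[2], "proto": t[3], "src": t[4], "src_wc": t[5]}
    entry["src_port"], i = _take_port_spec(t, 6)
    entry["dst"], entry["dst_wc"] = t[i], t[i + 1]
    entry["dst_port"], i = _take_port_spec(t, i + 2)
    flags = set(t[i:])
    if flags - {"established", "log"}:
        raise ValueError("unexpected tokens in: " + line)
    if "established" in flags and entry["proto"] != "tcp":
        raise ValueError("'established' is valid only with tcp: " + line)
    entry["established"] = "established" in flags
    entry["log"] = "log" in flags
    return entry


def evaluate_extended_acl(lines, pkt):
    """First-match evaluation of a packet dict with keys proto, src, dst,
    sport, dport and (for TCP) flags. Returns (action, index); index None
    means the implicit deny at the end of the list applied (assumed)."""
    for i, e in enumerate(parse_extended_line(line) for line in lines):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue  # 'ip' matches every protocol; others must match exactly
        if not wildcard_match(pkt["src"], e["src"], e["src_wc"]):
            continue
        if not wildcard_match(pkt["dst"], e["dst"], e["dst_wc"]):
            continue
        if e["src_port"] and not OPERATORS[e["src_port"][0]](pkt["sport"], e["src_port"][1]):
            continue
        if e["dst_port"] and not OPERATORS[e["dst_port"][0]](pkt["dport"], e["dst_port"][1]):
            continue
        # IOS matches 'established' on segments with ACK or RST set, so the
        # opening SYN of a connection from outside never matches this entry.
        if e["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e["action"], i
    return "deny", None


# Constructed sample list, as if applied inbound on the interface facing
# 172.16.0.0/16, with 10.0.0.0/8 as the protected inside network.
SAMPLE_ACL = [
    "access-list 110 permit tcp 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255 established",
    "access-list 110 permit tcp 172.16.0.0 0.0.255.255 10.0.0.10 0.0.0.0 eq www",
    "access-list 110 permit udp 172.16.0.0 0.0.255.255 eq domain 10.0.0.0 0.255.255.255 gt 1023",
    "access-list 110 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log",
]

if __name__ == "__main__":
    reply = {"proto": "tcp", "src": "172.16.5.5", "dst": "10.1.2.3",
             "sport": 80, "dport": 40000, "flags": {"SYN", "ACK"}}
    print(evaluate_extended_acl(SAMPLE_ACL, reply))
```

The sample list permits return traffic for connections opened from inside, lets outside hosts reach only the web server at 10.0.0.10, allows DNS replies to high ports, and logs everything else it denies; a packet from a source outside 172.16.0.0/16 matches nothing and is dropped by the implicit deny without a log message.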

ICMP

Sending a packet does not guarantee that it will be delivered. Sometimes packets get lost on the way to the destination. In such a case, the nearest device that detects the problem sends an error message back to the sender. From the message, the sender learns that the packet was not delivered and the likely reason. Networking devices use the ICMP protocol to send these error messages.

An adversary may use the ICMP protocol to reveal information about the network. Extended access lists allow us to control what error messages devices can send. To filter ICMP error messages, the command uses the following syntax.

Router(config)# access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]

If we do not specify a particular message type, the ACL will match all ICMP message types.

The following table lists some of the most common ICMP messages.

Message (Keyword)            Description
echo                         Used to check the status of the destination (up/down)
echo-reply                   Reply from the destination to an echo request
host-unreachable             The network is reachable, but the particular host is not responding
net-unreachable              The network is not reachable
traceroute                   Filter traceroute information
administratively-prohibited  Packet filtered by ACL

Enabling an access list

An ACL does nothing until it is applied to an interface. To apply an ACL to an interface, use the following commands.

Router(config)#interface interface_number
Router(config-if)#ip access-group ACL_# in|out

To apply an ACL, we need to enter interface configuration mode. The first command enters interface mode. The second command activates the ACL on the interface; it accepts one argument and one option. Let's discuss them.

ACL_#:- It is the ACL that we want to activate on the interface. Specify the ACL number here as the argument.

in|out:- It is the direction in which we want to activate the ACL. If you want to filter incoming traffic, specify the keyword 'in' here. If you want to filter outgoing traffic, specify the keyword 'out' here.

Deleting access lists

To delete an access list, use the following global configuration command.

Router(config)#no access-list ACL_#

Replace ACL_# with the number of the ACL that you want to delete.

That's all for this tutorial. In the next tutorial, we will discuss the 'ip access-list' command.