How to Implement a Basic Access Control List
Since its original implementation, the use of the ACL has extended considerably. This article takes a look at the basic functionality of the ACL and how it can be used to perform basic access control. Advanced access control lists, including the more advanced ways that the ACL can be configured and how it can be used outside of traffic filtering, will be covered in a later article.
The Basics of the ACL
As stated above, the original intention of the access control lists was to provide a mechanism to enable the filtering of specific traffic into and out of a device. This section will take a look at how an ACL can be configured on a Cisco device to offer basic filtering services.
The most basic form of an ACL that is typically taught is the standard IP ACL. With this type of ACL only the source IP address is matched; the syntax of this form of ACL is shown below:
router(config)#access-list access-list-number {permit | deny} {any | host host-ip-address | ip-address wildcard-mask}
For a standard ACL, the access-list-number is set from 1-99 or 1300-1999. The part of this type of ACL (and of most other ACL types) that throws people off is the wildcard-mask. The wildcard-mask determines which specific addresses are matched by the ACL statement. The reason it is so confusing for new network engineers is that it is formatted in a way that is not "normally" seen. The wildcard-mask is the inverse of the common subnet mask; for example, if the network 192.168.1.0 255.255.255.0 matches addresses from 192.168.1.0 through 192.168.1.255, then the wildcard mask that matches these same hosts is 0.0.0.255.
The easiest way to look at this is in binary form (255.255.255.0):
11111111 11111111 11111111 00000000
Now the wildcard mask (0.0.0.255):
00000000 00000000 00000000 11111111
While the example shown here may not be that hard to follow, it gets a little more interesting when matching other subnet sizes. For example, let's take a look at matching the network 172.16.100.64 255.255.255.192:
(255.255.255.192)
11111111 11111111 11111111 11000000
(0.0.0.63)
00000000 00000000 00000000 00111111
Hopefully these examples can help a little in understanding how to determine the correct wildcard mask to use when implementing an access control list.
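To make the matching rule concrete, here is an added Python model (not part of the original article, and not Cisco code) of what the router does with a standard ACL: it derives the wildcard mask by inverting the subnet mask, parses the access-list syntax shown above, and walks the entries top-down, first match wins, falling through to the implicit deny that ends every Cisco ACL. The ACL entries and source addresses are constructed for the example using the two networks from this article.

```python
import ipaddress

def wildcard_from_netmask(netmask: str) -> str:
    """Cisco wildcard mask = bitwise inverse of the subnet mask (255.255.255.192 -> 0.0.0.63)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))

def parse_standard_entry(line: str):
    """Parse 'access-list N {permit|deny} {any | host A | A wildcard}' into
    (number, action, base, wildcard); 'any' and 'host' become base/wildcard pairs."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    number, action = int(tok[1]), tok[2]
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"standard ACL numbers are 1-99 or 1300-1999, got {number}")
    if tok[3] == "any":
        base, wildcard = "0.0.0.0", "255.255.255.255"   # every bit is "don't care"
    elif tok[3] == "host" and len(tok) >= 5:
        base, wildcard = tok[4], "0.0.0.0"              # every bit must match
    elif len(tok) >= 5:
        base, wildcard = tok[3], tok[4]
    else:
        raise ValueError(f"missing address or wildcard: {line!r}")
    return number, action, base, wildcard

def matches(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard 1-bit means 'don't care'; only the 0-bit positions must agree."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def evaluate(acl_lines, src: str) -> str:
    """First matching entry wins, top to bottom. A source that matches no entry
    hits the implicit deny at the end of every Cisco ACL."""
    for line in acl_lines:
        _, action, base, wildcard = parse_standard_entry(line)
        if matches(src, base, wildcard):
            return action
    return "deny"

# Constructed sample ACL built from the article's two networks.
ACL_10 = [
    "access-list 10 deny host 172.16.100.70",
    "access-list 10 permit 172.16.100.64 0.0.0.63",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
]

if __name__ == "__main__":
    for src in ("172.16.100.70", "172.16.100.100", "172.16.100.130", "192.168.1.42", "10.0.0.1"):
        print(src, evaluate(ACL_10, src))
```

Note that 172.16.100.130 is denied even though it shares the first three octets with the permitted entry: the 0.0.0.63 wildcard only covers .64 through .127, and nothing later in the list picks it up.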
Configuring for complete coverage
For complete coverage it should be pointed out that on modern equipment the standard ACL can also be configured without access list numbers, replacing them with access list names. Let's take a look at how a named standard ACL is configured:
router(config)#ip access-list standard access-list-name
router(config-std-nacl)#{permit | deny} {any | host host-ip-address | ip-address wildcard-mask}
Once the ACL has been created it must be applied to a specific interface in a specific direction. Generally speaking, it is recommended to place standard ACLs as close to the traffic destination as possible and extended ACLs (next article) as close to the source as possible. To apply an ACL use the syntax shown here:
router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}
Implementation on modern networks
While the standard ACL is a very simple tool and may not be implemented widely (for traffic filtering) in modern networks, it does provide a starting point for learning about ACLs. Hopefully this article gives you a base understanding of how an ACL can be used.
The next article will take a look at the extended IP access list and how both the standard and extended ACLs can be used for traffic filtering and for other Cisco IOS features. Until then, any questions?