Cisco IOS Access Control Lists (ACLs)

Wouldn't it be great if you could install an out-of-the-box Cisco router on your network without worrying about security? Unfortunately, that is not the case. Every network infrastructure has its own requirements in terms of security, preventing malicious access and filtering traffic.

Network administrators are responsible for designing and implementing proper security policies, such as preventing access to specific hosts or allowing only certain users to reach specific services. Strong passwords and firewall devices alone are not enough.

Access Control Lists (ACLs) are a helpful feature for filtering network traffic and add a further layer of security. In this article I'll show you how to manage IP traffic with access lists: I'll describe the main characteristics of ACLs and present the key points of their configuration.

Access List Types

Cisco IOS IP access lists come in two distinct types:

  • Standard ACLs: The simplest type, since it filters on the source IP address only. In other words, a standard ACL can only permit or deny traffic coming from a specific host or a specific source network, regardless of where that traffic is going.
  • Extended ACLs: The most widely used and the most powerful type. With an extended ACL you can filter traffic based on:

    • Source IP address
    • Destination IP address
    • Protocol (IP, ICMP, TCP, UDP)
    • Port numbers (FTP 21, Telnet 23, etc.)
    • Supplementary parameters (for example, logging of matched packets)

Common Features in Cisco IOS Access Lists

Access lists in Cisco routers are processed sequentially. An ACL can be seen as a table identified by a number (the access list number) and made up of a series of rows, the filtering statements (access list statements).

The following characteristics apply to all Cisco IOS ACLs:

  • Access list statements are evaluated from top to bottom, in the order they were entered.
  • As soon as a packet matches a statement, evaluation stops: the remaining statements are skipped and the packet is permitted or denied according to that statement. A specific deny placed below a more general permit therefore never takes effect.
  • Only one ACL per protocol, per direction, per interface is allowed (one inbound and one outbound IP ACL on a given interface).
  • There is an implicit "deny any" at the end of every access list, so unless you want all traffic to be denied you need at least one "permit" statement in your access list.
  • Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible; otherwise they also cut off traffic to destinations you never intended to filter.
  • Extended ACLs should be placed as close as possible to the source of the traffic being denied, so unwanted packets are dropped before they consume bandwidth across the network.
  • Outbound ACLs do not filter traffic that the router itself generates; inbound ACLs do filter traffic addressed to the router.

Identifying Standard Access Lists

When you create an access list with a number between 1 and 99 or between 1300 and 1999, you tell the router that you are about to enter the filter statements of a standard IP ACL. Remember that this kind of access list permits or denies traffic based only on the source IP address or source network. The following is a graphical representation of standard ACL traffic control:

[Figure: Access Control Lists 1 (standard ACL traffic control)]

Identifying Extended Access Lists

Extended IP ACLs are used when more precise traffic filtering is needed. They are numbered from 100 to 199 and from 2000 to 2699, and they can filter traffic on the combination of source and destination address, the protocol type, and TCP and UDP port numbers.

A graphical representation of the functional behavior of an Extended ACL is presented below:

[Figure: Access Control Lists 2 (extended ACL traffic control)]

Configuring Standard IP Access Lists

To configure a standard ACL on a Cisco router you need to define the ACL, specify its filter statements and finally activate the ACL on a specific interface. Use the following steps to create and apply this type of ACL:

1. Define the ACL by giving it a number and entering its condition statements, one per command, in the order you want them evaluated:

Router(config)#access-list access-list-number {deny | permit} source [source-wildcard] [log]

Keep in mind that access-list-number is a number between 1 and 99 or between 1300 and 1999. The permit or deny keyword specifies how packets that match the statement's condition are treated. The source-wildcard is a Cisco wildcard mask (a 0 bit must match, a 1 bit is ignored); if you omit it, the default 0.0.0.0 is used, which matches only the single host given as source. The keywords host and any are shorthand for a wildcard of 0.0.0.0 and for 0.0.0.0 255.255.255.255 respectively.

2. Activate the ACL on a specific interface and specify whether it is inbound or outbound; if you omit the direction, the ACL is applied outbound:

Router(config-if)#ip access-group access-list-number {in | out}

Keep in mind that an inbound ACL is applied when the packet enters the interface, before it is processed for routing, and an outbound ACL is applied after the routing decision, just before the packet is forwarded out of the interface.

Configuring Extended IP Access Lists

The steps for configuring an extended IP ACL are the same as for a standard ACL; only the statement syntax offers more options.

The commands for creating this type of ACL and applying it to an interface are the following:

1. Enter the statements:

Router(config)#access-list access-list-number {deny | permit} protocol source source-wildcard [operator source-port] destination destination-wildcard [operator destination-port] [log]

Keep in mind that the available numbers are 100 to 199 and 2000 to 2699. You can permit or deny a specific protocol (e.g. ip, tcp, udp, icmp), traffic coming from a specific host or network and destined for a specific host or network, and specific services identified by their application ports (for example eq 23 for Telnet, eq 53 for DNS). The protocol keyword ip matches all IP traffic, so the usual last statement of an extended ACL that should "permit everything else" is permit ip any any.

2. Apply the access list to an interface:

Router(config-if)#ip access-group access-list-number {in | out}

Extended IP Access List Example

[Figure: Access Control Lists 3 (network topology for the example)]

Our trusted network is 192.168.10.0/24. In this example we will see how to deny Telnet traffic (TCP port 23) from the untrusted network to our trusted network while permitting everything else, and how to deny FTP traffic from our trusted network to the 172.16.0.0 subnet.

Deny Telnet Traffic from the Untrusted to the Trusted Network

[Figure: Access Control Lists 4 (configuration commands for this step)]

Note: "any" in a statement stands for 0.0.0.0 255.255.255.255, which is equivalent to "every host".

Deny FTP Traffic from the Trusted Network to 172.16.0.0

[Figure: Access Control Lists 5 (configuration commands for this step)]

Note: FTP control uses the well-known destination port 21, and denying that port is what actually prevents FTP sessions from being established. The data connection is separate: in active-mode FTP the server opens it from source port 20 towards a port chosen by the client, and in passive mode the client opens it towards a port chosen by the server, so a statement denying destination port 20 matches the data connection in neither mode. Include it if your policy requires it, but do not rely on it.
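The evaluation rules from the Common Features section (top to bottom, first match wins, implicit deny) and the two ACLs of this example are easiest to check against a model you can run. The following Python script is an added example, not part of the original article and not a Cisco tool: it parses IOS-style access-list statements and evaluates sample packets against them. The configuration it contains is constructed for the scenario above (trusted network 192.168.10.0/24, ACL 101 meant for the untrusted-facing interface inbound, ACL 102 for the trusted-facing interface inbound; interface names and host addresses are assumptions), and ACLs 10 and 103 are added to show two ordering pitfalls the text warns about: a deny shadowed by an earlier permit, and a list with no permit statement at all.

```python
"""Model of Cisco IOS numbered ACL evaluation (added example, not code from the article).
Parses IOS 'access-list' statements and applies the rules the text describes:
top-to-bottom evaluation, first match wins, implicit 'deny any' at the end."""
import ipaddress

WELL_KNOWN_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")

# Constructed sample configuration; 192.168.10.0/24 is the trusted network. Intended
# bindings (interface names assumed): 'ip access-group 101 in' on the untrusted-facing
# interface and 'ip access-group 102 in' on the trusted-facing interface.
SAMPLE_CONFIG = """
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny 192.168.10.99
!
access-list 101 deny tcp any 192.168.10.0 0.0.0.255 eq 23
access-list 101 permit ip any any
!
access-list 102 deny tcp 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 21
access-list 102 deny tcp 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 20
access-list 102 permit ip any any
!
access-list 103 deny tcp any any eq 23
"""

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (0xFFFFFFFF ^ w)) == 0

def _parse_addr(t, i):
    """Consume 'any' | 'host A' | 'A W' | 'A' at t[i]; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:  # a wildcard mask follows the address
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1  # no wildcard given: IOS defaults to 0.0.0.0 (one host)

def _parse_port(t, i):
    """Consume an optional 'eq <port>' qualifier; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (WELL_KNOWN_PORTS[name] if name in WELL_KNOWN_PORTS else int(name)), i + 2
    return None, i

def parse_acls(config):
    """Group 'access-list N ...' statements by number; entry order is evaluation order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # blank lines, '!' separators and other commands are not ACL entries
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard ACL: source address only
            src, _ = _parse_addr(t, 3)
            proto, sport, dst, dport = "ip", None, ANY, None
        elif 100 <= number <= 199 or 2000 <= number <= 2699:  # extended ACL
            proto = t[3]
            src, i = _parse_addr(t, 4)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, i = _parse_port(t, i)
        else:
            raise ValueError(f"{number} is not a standard or extended IP access-list number")
        acls.setdefault(number, []).append(
            dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return acls

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Walk the statements top to bottom; the first match decides and evaluation stops.
    Returns (verdict, matching index) or ("deny", None) for the implicit deny at the end."""
    for idx, e in enumerate(acl):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue  # 'ip' matches every IP protocol; tcp/udp/icmp must match exactly
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], idx
    return "deny", None

def demo():
    """The article's scenario plus two ordering pitfalls; returns name -> verdict."""
    acls = parse_acls(SAMPLE_CONFIG)
    return {
        "telnet, untrusted -> trusted": evaluate(acls[101], "tcp", "10.1.1.1", "192.168.10.5", 40000, 23),
        "http, untrusted -> trusted": evaluate(acls[101], "tcp", "10.1.1.1", "192.168.10.5", 40001, 80),
        "ftp control, trusted -> 172.16/16": evaluate(acls[102], "tcp", "192.168.10.7", "172.16.3.4", 50000, 21),
        # ACL 10: the host deny sits below a permit that already covers it, so it never fires
        "shadowed deny, ACL 10": evaluate(acls[10], "ip", "192.168.10.99", "10.9.9.9"),
        # ACL 103 has no permit statement, so the implicit deny drops everything else
        "deny-only ACL 103, http": evaluate(acls[103], "tcp", "10.1.1.1", "10.2.2.2", 40002, 80),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36} -> {verdict}")
```

Run it directly to see each verdict together with the index of the statement that matched; None means no statement matched and the implicit deny applied. The model covers only the statement forms this article uses (any, host, address plus wildcard, and eq port); it does not model established, port ranges or named ACLs.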

Final Thoughts on ACLs

  • To completely remove an ACL, first detach it from the interface with no ip access-group access-list-number {in | out} in interface configuration mode, and only then delete the list with the global no access-list access-list-number command. Be careful with this order: an interface that references a numbered ACL which no longer exists (or is empty) lets all traffic through. Note also that no access-list removes the whole numbered list, not a single statement, so keep a copy of the statements before you run it.
  • Place your access lists wisely, to minimize unnecessary traffic traversing your network: standard ACLs close to the destination, extended ACLs close to the source.
  • Use the show access-lists command to display the statements of every configured access list together with the number of packets that have matched each statement; it is the quickest way to verify that your access lists are doing what you expect. Use show ip interface to confirm which ACL is applied to an interface and in which direction.
  • And last but not least, remember that practice makes perfect: once you get the hang of access lists, a good part of your network security worries will be under control.


Contributor

Stelios Antoniou

Stelios Antoniou holds a BSc in Electronic Engineering and an MSc in Communication Networks. He has over three years of experience in teaching MS Office applications, networking courses and GCE courses in Information Technology. Stelios is currently working as a VoIP Engineer in a Telecom company, where he uses his knowledge in practice. He has successfully completed training on CCNP topics, Linux and IMS. His enthusiasm, ambition and knowledge motivate him to offer his best. Stelios has written many articles covering Cisco CCENT, CCNA, and CCNP.