Welcome back! This time, we’ll take a look at access control lists, often referred to as “access lists” or “ACLs” (sometimes pronounced “ackels”). In Cisco IOS, ACLs are used for many things, including but not limited to:
- Filtering data packets (“firewalling”)
- Controlling Telnet or SSH access to a router or switch
- Filtering routing protocols
- Specifying Quality of Service (QoS)
- Controlling encryption
- Controlling NAT (Network Address Translation)
- Controlling Dial-on-Demand
The idea of an access list is straightforward: it permits some things, and denies others. What exactly is being “permitted” or “denied” varies according to the application of the ACL. Although access lists for other protocols (such as IPX, AppleTalk, MAC addresses, etc.) exist, we’ll be focusing on IP access lists. In general, only routers and multi-layer switches understand IP access lists (but some Layer-2 switches are ACL-aware to some extent).
For example, let’s say that traffic originating from a host with IP address 192.168.1.1 should be permitted to leave the FastEthernet0/0 interface. An ACL that would accomplish this would be:
- Router#configure terminal
- Router(config)#access-list 1 permit 192.168.1.1
The ACL resides in the running config, and can be seen with the command “show access-lists”. There are various options for this command, including “show ip access-lists”, “show access-lists X” where “X” is the ACL identifier, etc.
The ACL created above is now resident in memory, but will not take effect until it is placed into service in some manner. To place it outbound on the FastEthernet0/0 interface, the commands would be:
- Router(config)#interface fastethernet0/0
- Router(config-if)#ip access-group 1 out
To see the access lists that are outgoing or inbound on an interface, use the command “show ip interface”. Note that the “ip” is required (if you don’t specify the protocol, it won’t show you the ACL information). This command also has options, such as the particular interface you’re interested in, such as “sh ip int f0/0”.
As usual, commands can be abbreviated, so to create and apply the ACL, you could simply do:
- Router#conf t
- Router(config)#access-l 1 per 192.168.1.1
- Router(config)#int f0/0
- Router(config-if)#ip access-g 1 o
Find some shortcuts that work for you, and then use them!
In the ACL we created above, we have explicitly permitted traffic originating from the host with IP address 192.168.1.1, but what about other traffic? The default behavior of an access list is to deny all traffic that is not referenced by the list. In other words, it’s as if there is a “deny everything else” at the bottom of the list. This is much better than having to deny every other IP address, of which there are over four billion possibilities!
It’s commonly desired to permit and/or deny multiple hosts in a single list. What if we want to permit more hosts? Simply add more lines to the list. This can be accomplished by going back into global config mode and adding the lines. Building on the single line list from above, let’s add lines to ACL 1 to also permit packets from the hosts with addresses 192.168.1.2 and 192.168.1.3:
- Router#conf t
- Router(config)#access-list 1 permit 192.168.1.2
- Router(config)#access-list 1 permit 192.168.1.3
If we examine ACL 1 with “show access-list”, we’ll see that it now contains three lines, for 192.168.1.1, 2 and 3. It’s important to realize that because the same ACL number was used for each line, all lines belong to that access list (ACL 1, in this case). Note that if the list is in effect on the interface while we are editing it, the changes take effect immediately (this can be dangerous, as we’ll discuss in the future).
Let’s create another ACL, this one denying traffic from the hosts with addresses 10.1.1.1, 10.1.1.2, and 10.1.1.3, and permitting all other addresses. Since this is a separate ACL, we’ll use access list number 2:
- Router#conf t
- Router(config)#access-list 2 deny 10.1.1.1
- Router(config)#access-list 2 deny 10.1.1.2
- Router(config)#access-list 2 deny 10.1.1.3
The list we’ve just created will deny traffic from the specified hosts, but what about traffic from other hosts? Remember that ACLs deny all traffic that they don’t explicitly permit, as if there was a “deny everything else” at the bottom. In other words, this list denies all traffic! Obviously, we need to permit traffic from the other hosts, but it would be unreasonable to list the billions of them individually. Instead, we can use the “any” keyword, thus:
- Router(config)#access-list 2 permit any
HINT: An ACL that contains only “deny” statements is either incomplete, or wrong!
Our ACL 2 will now deny traffic from the 10.1.1.1, 2 and 3 hosts, but permit traffic sourced from any other host. Again, as with ACL 1, the list doesn’t actually take effect until it is placed in effect. Let’s place it inbound on Serial 2/1:
As before, we can see the list with “sh access-l 2”, and see its application on the interface with “sh ip int s2/1”.
Well, that’s it for now. Next time, we’ll do more with access-lists!
Author: Al Friebe