Access Control Lists (ACLs) – Part 4

Welcome back! This time we’ll look at additional tips and tricks when using standard IP ACLs. Let’s suppose that we’re given ACL 10 (the lines have been labeled “A” through “E” to facilitate the upcoming discussion):

A. access-list 10 permit 10.1.2.3
B. access-list 10 deny 10.1.2.0 0.0.0.255
C. access-list 10 permit 10.1.0.0 0.0.255.255
D. access-list 10 deny 10.0.0.0 0.255.255.255
E. access-list 10 permit any

Based on ACL 10, what will happen to packets that are sourced from the following addresses?
1) 10.1.2.4
2) 172.16.1.1
3) 10.1.3.3
4) 10.1.2.3
5) 10.2.2.3

Here are the results:

  • Packet #1: Denied by line B
  • Packet #2: Permitted by line E
  • Packet #3: Permitted by line C
  • Packet #4: Permitted by line A
  • Packet #5: Denied by line D

Why is packet #1 denied, although it matches some permits in ACL 10? Remember, access lists are “top-down, first-match”. Since line B is the top-most match for packet #1, the packet is denied. Because of this, the order of the lines in an ACL can be critical. For example, let’s say that we swap lines B and C in ACL 10, to obtain ACL 11:

  • (A) access-list 11 permit 10.1.2.3
  • (B) access-list 11 permit 10.1.0.0 0.0.255.255
  • (C) access-list 11 deny 10.1.2.0 0.0.0.255
  • (D) access-list 11 deny 10.0.0.0 0.255.255.255
  • (E) access-list 11 permit any

Now what happens to packet #1? Unlike with ACL 10, with ACL 11 packet #1 is permitted (by line B). In fact, any 10.1.0.0/16 address will be permitted by line B, and will never make it to line C. For that reason, ACL 11, although syntactically correct, is logically inconsistent. The old programmer’s rule of “Garbage in, garbage out” applies to ACLs as well.
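The evaluation and ordering rules described above, as an added example that is not part of the original article: the Python script below models a standard IP ACL (source address plus wildcard mask, evaluated top-down with first match wins and an implicit deny at the end), runs ACL 10 and ACL 11 against the five source addresses, and flags any line that a single earlier line already fully covers, which is exactly the defect in ACL 11 (line C can never be reached). The parser and the function names are assumptions of this example; IOS exposes no such interface.

```python
import ipaddress

# Constructed model of Cisco standard IP ACL matching (added example).
# A wildcard bit of 1 means "don't care" for that bit of the source address.
MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(lines):
    """Parse lines of the form
       'access-list N permit|deny A.B.C.D [W.X.Y.Z]'   (numbered ACL)
       'permit|deny A.B.C.D [W.X.Y.Z]'                 (named ACL editor)
    plus the 'any' and 'host' keywords. No mask means a single host."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[0] == "access-list":      # drop 'access-list <number>'
            parts = parts[2:]
        action = parts[0]
        if parts[1] == "any":
            addr, wild = 0, MASK32
        elif parts[1] == "host":
            addr, wild = to_int(parts[2]), 0
        else:
            addr = to_int(parts[1])
            wild = to_int(parts[2]) if len(parts) > 2 else 0
        entries.append((action, addr, wild))
    return entries


def matches(entry, src: int) -> bool:
    """True if src agrees with the entry on every bit the mask cares about."""
    _, addr, wild = entry
    care = ~wild & MASK32
    return (src & care) == (addr & care)


def evaluate(entries, src: str):
    """Top-down, first-match. Returns (action, 1-based line number);
    the implicit 'deny any' at the end is reported as ('deny', None)."""
    s = to_int(src)
    for lineno, entry in enumerate(entries, start=1):
        if matches(entry, s):
            return entry[0], lineno
    return "deny", None


def covered_by(outer, inner) -> bool:
    """True if every address matched by `inner` is also matched by `outer`:
    outer must wildcard every bit inner wildcards, and the two must agree on
    all bits outer cares about. Works for non-contiguous wildcards too."""
    _, a_out, w_out = outer
    _, a_in, w_in = inner
    if w_in & ~w_out & MASK32:
        return False
    care = ~w_out & MASK32
    return (a_out & care) == (a_in & care)


def shadowed_lines(entries):
    """1-based numbers of lines no packet can reach, because one earlier
    line already matches everything they would match."""
    return [
        i + 1
        for i, later in enumerate(entries)
        if any(covered_by(earlier, later) for earlier in entries[:i])
    ]


# The two lists from the article, in the exact order shown there.
ACL_10 = parse_acl([
    "access-list 10 permit 10.1.2.3",
    "access-list 10 deny 10.1.2.0 0.0.0.255",
    "access-list 10 permit 10.1.0.0 0.0.255.255",
    "access-list 10 deny 10.0.0.0 0.255.255.255",
    "access-list 10 permit any",
])
ACL_11 = parse_acl([
    "access-list 11 permit 10.1.2.3",
    "access-list 11 permit 10.1.0.0 0.0.255.255",
    "access-list 11 deny 10.1.2.0 0.0.0.255",
    "access-list 11 deny 10.0.0.0 0.255.255.255",
    "access-list 11 permit any",
])
PACKETS = ["10.1.2.4", "172.16.1.1", "10.1.3.3", "10.1.2.3", "10.2.2.3"]

if __name__ == "__main__":
    for name, acl in (("ACL 10", ACL_10), ("ACL 11", ACL_11)):
        for n, src in enumerate(PACKETS, start=1):
            action, lineno = evaluate(acl, src)
            print(f"{name} packet #{n} {src:<12} {action} by line {lineno}")
        print(f"{name} unreachable lines: {shadowed_lines(acl) or 'none'}")
```

Running it reproduces the article's table for ACL 10 and shows that swapping B and C leaves ACL 11's third line unreachable. The shadow check only reports a line that one earlier line covers on its own; a line hidden by the union of several earlier lines (for example, two /25s covering a later /24) is not detected, so a clean report is a necessary rather than sufficient sign that the list is consistent.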

The ACL editing capabilities depend on the IOS version. Under older IOS (early 12 and before), all you could do with a numbered ACL was:

  • Add lines to the bottom (append)
  • Delete the entire ACL

What you couldn’t do was insert lines anywhere other than at the bottom, or delete individual lines. If you wanted to do more extensive editing, you had to delete the list and then recreate it. With current IOS (12.4), you can insert lines at any position (or append them to the bottom), and delete individual lines as well as the entire ACL.

You access the enhanced editing capabilities via sequence numbers that IOS automatically adds to the lines. You can see the sequence numbers with “show access-list”. For example, given ACL 11 above, we would see:

  • Router#show access-list
  • Standard IP access list 11
    • 10 permit 10.1.2.3
    • 20 permit 10.1.0.0, wildcard bits 0.0.255.255
    • 30 deny 10.1.2.0, wildcard bits 0.0.0.255
    • 40 deny 10.0.0.0, wildcard bits 0.255.255.255
    • 50 permit any

Using the per-line sequence numbers, you can make the changes you desire. And speaking of enhanced capabilities, named ACLs were introduced with IOS 12. Let’s take a look at creating a named standard ACL:

  • Router#conf t
  • Router(config)# ip access-list standard Block_RFC1918
  • Router(config-std-nacl)#

Note that the prompt now reads “config-std-nacl”, meaning that we’re configuring a standard named ACL (with the case-sensitive name “Block_RFC1918”). Now let’s add some lines to the list:

  • Router(config-std-nacl)#deny 10.0.0.0 0.255.255.255
  • Router(config-std-nacl)#deny 172.16.0.0 0.15.255.255
  • Router(config-std-nacl)#deny 192.168.0.0 0.0.255.255
  • Router(config-std-nacl)#permit any

You might recognize this as a list that denies the RFC 1918 private addresses, and permits the public addresses. Like numbered ACLs, a named ACL must be placed in service to have any effect, and that’s done exactly as it is for a numbered list. For example, to control the data flowing outbound through FastEthernet0/0:

  • Router(config)#interface fa0/0
  • Router(config-if)#ip access-group Block_RFC1918 out

You can also use a named standard ACL to control Telnet and/or SSH access:

  • Router(config)#line vty 0 4
  • Router(config-line)#access-class Block_RFC1918 in

As with the numbered ACLs, named ACLs are assigned per-line sequence numbers that facilitate editing. You can also use the named ACL editor to create and edit numbered ACLs. Just use the number of the ACL as the name:

  • Router(config)# ip access-list standard 12
  • Router(config-std-nacl)#

One more thing … with both named and numbered ACLs, you can add remarks. You add a remark to a numbered ACL like this:

  • Router(config)#access-list 13 remark This is my workstation
  • Router(config)#access-list 13 permit 10.1.2.3

Similarly, to add a remark to a named ACL, you would do:

  • Router(config)# ip access-list standard Permit_Me
  • Router(config-std-nacl)#remark This is my workstation
  • Router(config-std-nacl)#permit 10.1.2.3

You can have multiple remarks within a numbered or named ACL. Note that while the remarks don’t appear with “show access-list”, they do appear with “show run” and “show start”.

Next time, we’ll do more (there’s still lots more to do) with access-lists.

Author: Al Friebe
