Access Control Lists

Note: ACL are used in firewalls / routers to filter packets and restrict traffic to/from certain spots. In this article I am just going through implementations of various ACL as a overview and not covering the details. You can go through internet to search for details about them. However if you are stuck then email me and I will try to help in best possible manner I can. The address is h i [ a t ] d e v h a r s h [ d o t ] m e.

What is ACL?
Access Control Lists are used to filter traffic based on incoming or outgoing address, port, and protocols. ACL can be named or numbered. There are various types of ACL.

Types of ACL:
  1. Standard IP
  2. Extended IP
  3. TCP Established
  4. Context Based
  5. Time Based
  6. Lock and Key / Dynamic
  7. Reflexive

Standard ACL:

It is the simplest ACL and it deals with source traffic.

Numbered:

Syntax:
access-list access-list-number {permit|deny} {host|source source-wildcard|any}

Example:
access-list 1 permit 10.1.1.0 0.0.0.255

Range of numbers: 1-99 and 1300-1999

Named:

Syntax:
ip access-list standard name_of_ACL
{permit|deny} {host|source source-wildcard|any} [log]

Example:
ip access-list standard restrict_VTY
permit 192.168.1.10

Extended ACL:

It has provisions to specify source and destination details.

Numbered:

Syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log|log-input] [time-range time-range-name]

Example:
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo

Range of numbers: 100-199 and 2000-2699

Named:

Syntax:
ip access-list extended <acl-name> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> [<icmp-num> | <icmp-type>] <wildcard> [<tcp/udp comparison operator> <destination-tcp/udp-port>] [dscp-cos-mapping ] [dscp-marking <0-63> [802.1p-priority-marking <0 –7>... | dscp-cos-mapping]] [dscp-matching <0-63>] [log] [precedence <name> | <0 – 7>] [tos <0 – 63> | <name>] [traffic policy <name>]

Example:
ip access-list extended in_to_out
permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

TCP Established ACL:

Just need to specify one parameter in extended ACL.

Syntax:
access-list access-list-number {deny|permit} protocol source source-wildcard destination destination-wildcard established

Example:
access-list 102 permit tcp any any gt 1023 established

Context Based ACL:

Syntax:
ip inspect name inspection-name protocol [timeoutseconds]

Example:
ip inspect name myfw ftp timeout 3600
access-list 111 deny icmp any 10.1.1.0 0.0.0.255 echo

Time Based ACL:

Syntax:
time-range time-range-name
periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
absolute [start time date] [end time date]
ip access-list name|number <extended_definition> time-rangename_of_time-range

Example:
time-range WEBNETDAY
periodic Monday Wednesday Friday 9.00 to 17.00
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq telnet time-range WEBNETDAY

Lock and Key / Dynamic ACL:

Syntax:
access-list access-list-number dynamic name {permit|deny} [protocol] {source source-wildcard|any} {destination destination-wildcard|any} [precedence precedence] [tos tos] [established] [log|log-input] [operator destination-port|destination port]

Example:
access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

Reflexive ACL:

Syntax:
ip access-list extended name
permit protocol any any reflect name [timeoutseconds]
ip access-list extended name
evaluate name

Example:
ip access-list extended inboundfilters
permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
evaluate tcptraffic
ip access-list extended outboundfilters
permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic

Popular posts