Friday, May 6, 2011

Cisco IOS access lists: 10 things you should know

If you work with Cisco routers, you're more than likely familiar with Cisco IOS access control lists (ACLs). But that doesn't mean you know all there is to know about these important gatekeepers. Access lists are an integral part of working with routers, and they're vital to security.

Because ACLs are a fundamental part of router administration, I want to address 10 things you should know about working with these lists. If you're new to working with Cisco routers, this list offers a good foundation to get you started. But even if you've worked with Cisco routers for a while, it never hurts to review the basics—you might even learn something new.

So, without any further ado, here are 10 things you need to know about Cisco IOS access lists, beginning with the basic definition of an ACL.

What is an access control list?

In the Cisco IOS, an access control list is a record that identifies and manages traffic. After identifying that traffic, an administrator can specify various events that can happen to that traffic.

What's the most common type of ACL?

IP ACLs are the most popular type of access lists because IP is the most common type of traffic. There are two types of IP ACLs: standard and extended. Standard IP ACLs can only control traffic based on the SOURCE IP address. Extended IP ACLs are far more powerful; they can identify traffic based on source IP, source port, destination IP, and destination port.

What are the most common numbers for IP ACLs?

The most common numbers used for IP ACLs are 1 to 99 for standard lists and 100 to 199 for extended lists. However, many other ranges are also possible.

  • Standard IP ACLs: 1 to 99 and 1300 to 1999
  • Extended IP ACLs: 100 to 199 and 2000 to 2699

How can you filter traffic using ACLs?

You can use ACLs to filter traffic according to the "three P's"—per protocol, per interface, and per direction. You can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).

How can an ACL help protect my network from viruses?

You can use an ACL as a packet sniffer to list packets that meet a certain requirement. For example, if there's a virus on your network that's sending out traffic over IRC port 194, you could create an extended ACL (such as number 101) to identify that traffic. You could then use the debug ip packet 101 detail command on your Internet-facing router to list all of the source IP addresses that are sending packets on port 194.

What's the order of operations in an ACL?

Routers process ACLs from top to bottom. When the router evaluates traffic against the list, it starts at the beginning of the list and moves down, either permitting or denying traffic as it goes. When it has worked its way through the list, the processing stops.

That means whichever rule comes first takes precedence. If the first part of the ACL denies traffic, but a lower part of the ACL allows it, the router will still deny the traffic. Let's look at an example:

access-list 1 permit any
access-list 1 deny host 10.1.1.1
access-list 1 deny any

What does this ACL permit? The first line permits anything. Therefore, all traffic meets this requirement, so the router will permit all traffic, and processing will then stop.

What about traffic you don't specifically address in an ACL?

At the end of an ACL is an implicit deny statement. Whether you see the statement or not, the router denies all traffic that doesn't meet a condition in the ACL. Here's an example:

access-list 1 deny host 10.1.1.1
access-list 1 deny 192.168.1.0 0.0.0.255

What traffic does this ACL permit? None: The router denies all traffic because of the implicit deny statement. In other words, the ACL really looks like this:

access-list 1 deny host 10.1.1.1
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 deny any
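The two behaviours just described, top-down first-match evaluation and the implicit deny at the end, are easy to get wrong when reading a list by eye. The following Python model is an added example, not part of the original article or of Cisco IOS; it parses standard ACL lines in the syntax shown above (including wildcard masks), returns which entry matched a given source address, and reports None when only the implicit deny applied. The access lists inside it are the ones from the text plus a constructed corrected ordering.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample ACLs, in the standard-ACL syntax used in the text above.
ACL_PERMIT_FIRST = [
    "access-list 1 permit any",
    "access-list 1 deny host 10.1.1.1",
    "access-list 1 deny any",
]
ACL_DENY_ONLY = [
    "access-list 1 deny host 10.1.1.1",
    "access-list 1 deny 192.168.1.0 0.0.0.255",
]
# Constructed: the ordering most admins actually intend (block one host, allow the rest).
ACL_FIXED = [
    "access-list 1 deny host 10.1.1.1",
    "access-list 1 permit any",
]

Entry = Tuple[str, int, int]  # (action, address, wildcard), addresses as 32-bit ints


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny (any | host A.B.C.D | A.B.C.D W.X.Y.Z)'."""
    entries = []
    for line in lines:
        tokens = line.lower().split()
        action, rest = tokens[2], tokens[3:]
        if rest[0] == "any":                      # any == 0.0.0.0 255.255.255.255
            addr, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":                   # host X == X 0.0.0.0
            addr, wild = int(ipaddress.IPv4Address(rest[1])), 0
        else:                                     # explicit address + wildcard mask
            addr = int(ipaddress.IPv4Address(rest[0]))
            wild = int(ipaddress.IPv4Address(rest[1]))
        entries.append((action, addr, wild))
    return entries


def evaluate(entries: List[Entry], source_ip: str) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; first match wins. Returns (decision, matched index).
    If no entry matches, the implicit deny applies and the index is None."""
    src = int(ipaddress.IPv4Address(source_ip))
    for i, (action, addr, wild) in enumerate(entries):
        care = ~wild & 0xFFFFFFFF                 # wildcard bit 1 = "don't care"
        if src & care == addr & care:
            return action, i
    return "deny", None


if __name__ == "__main__":
    for name, acl in (("permit-first", ACL_PERMIT_FIRST), ("deny-only", ACL_DENY_ONLY), ("fixed", ACL_FIXED)):
        for ip in ("10.1.1.1", "192.168.1.50", "172.16.0.5"):
            print(name, ip, evaluate(parse_acl(acl), ip))
```

Running it shows that in the permit-first list every address hits entry 0 and the two deny lines are dead, and that in the deny-only list 172.16.0.5 is dropped with no matching entry at all.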

Can I name an ACL?

Numbers—who needs numbers? You can also name your ACLs so you can more easily identify their purpose. You can name both standard and extended ACLs. Here's an example of using a named ACL:

router(config)# ip access-list ?
  extended        Extended Access List
  log-update      Control access list log updates
  logging         Control access list logging
  resequence      Resequence Access List
  standard        Standard Access List
router(config)# ip access-list extended test
router(config-ext-nacl)#
router(config-ext-nacl)# 10 deny ip any host 192.168.1.1
router(config-ext-nacl)# exit
router(config)# exit
router# show ip access-list
Extended IP access list test
    10 deny ip any host 192.168.1.1

What's a numbering sequence?

In the "old days," you couldn't edit an ACL—you could only copy it to a text editor (such as Notepad), remove it, edit it in Notepad, and then re-create it. In fact, this is still a good way to edit some Cisco configurations.

However, this approach can also create a security risk. During the time you've removed the ACL to modify it, the router isn't controlling traffic as needed. But it's possible to edit a numbered ACL with commands. Here's an example:

router(config)# access-list 75 permit host 10.1.1.1
router(config)# ^Z
router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)# ip access-list standard 75
router(config-std-nacl)# 20 permit any
router(config-std-nacl)# no 10 permit 10.1.1.1
router(config-std-nacl)# ^Z
router# show ip access-lists 75
Standard IP access list 75
    20 permit any
router#

How else can I use an ACL?

ACLs aren't just for filtering traffic. You can also use them for a variety of operations. Let's look at some of their possible other uses:

    • To control debug output: You can use the debug list X command to control debug output. By using this command before another debug command, the command only applies to what you've defined in the list.
    • To control route access: You can use a routing distribute-list ACL to only permit or deny certain routes either into or out of your routing protocol.
    • As a BGP AS-path ACL: You can use regular expressions to permit or deny BGP routes.
    • For router management: You can use an ACL together with an access-class statement on your VTY lines to control which workstation or network is allowed to manage your router.
    • For encryption: You can use ACLs to determine how to encrypt traffic. When encrypting traffic between two routers or a router and a firewall, you must tell the router what traffic to encrypt, what traffic to send unencrypted, and what traffic to drop.

To wrap up this review, I'll leave you with one last tip: Don't forget to use remark statements in your ACLs. They'll come in handy when you have to troubleshoot something later.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.