0022_Cisco: ACLs

Access Control Lists (ACLs) are rules used to filter network traffic on routers and switches.

  • Standard ACL:
    Filters traffic based only on the source IP address.
    Number range: 1–99, 1300–1999.
  • Extended ACL:
    Filters traffic based on source, destination, protocol type, ports, and other parameters.
    Number range: 100–199, 2000–2699.

Purpose: Access control, security enhancement, and traffic management.

#ACL - Access Control List
#Configuring an ACL in Global Config Mode will not make the ACL take effect
#The ACL must be applied to an interface
#ACLs are applied either inbound or outbound
#ACLs are made up of one or more ACEs (Access Control Entries)
#When the router checks a packet against the ACL, it processes the ACEs in order, from top to bottom
#If the packet matches one of the ACEs in the ACL, the router takes the action and stops processing the ACL,
#All entries below the matching entry will be ignored
#Maximum of one ACL can be applied to a single interface per direction. Inbound - max one ACL, outbound - max one ACL

#ACL 1
#1: if source IP=192.168.1.0/24 then permit
#2: if source IP=192.168.2.0/24 then deny
#3: if source ip=any then permit
#
#ACL 2
#1: if source IP=192.168.1.0/24 then permit
#2: if source IP=192.168.0.0/16 then deny
#A packet from 192.168.1.0/24 will be permitted, but if you reverse the entries in the ACL it will not

#Implicit deny
#What happens if a packet doesn't match any of the entries in an ACL?
#There is an "implicit deny" at the end of all ACLs
#3: if source IP=any, then deny

#ACL Types
#Standard ACLs: Match based on Source IP address only
#	-Standard Numbered ACLs <1-99>
#	-Standard Named ACLs	<1300-1999>
#Extended ACLs: Match on Source/Destination IP address and Source/Destination port
#	-Extended Numbered ACLs	<100-199>
#	-Extended Named ACLs	<2000-2699>

# The basic command to configure a standard numbered ACL is:
		access-list <number> {deny | permit} <IP address + wildcard mask>
#Example (all rules do the same):
		access-list 1	deny 1.1.1.1 0.0.0.0
		access-list	1	deny 1.1.1.1
		access-list 1	deny host 1.1.1.1
#Because of the implicit deny at the end of each ACL, this will deny all other traffic too
#To avoid that, add this (both rules below do the same thing):
		access-list 1 permit any	
		access-list 1 permit 0.0.0.0 255.255.255.255
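The processing rules above (top-to-bottom, first match wins, implicit deny) and the equivalent spellings of a host entry are easy to get wrong when reading a long ACL. The following Python model is an added example, not IOS code and not part of the original notes: it parses the `access-list <number> {permit | deny} ...` syntax shown above, including `any`, `host` and an omitted wildcard, and evaluates ACL 1 and ACL 2 from the notes (including ACL 2 with its entries reversed) against a few constructed source addresses. The function and constant names are the example's own.

```python
import ipaddress

# Added example (not IOS code): a model of standard-ACL processing in the
# 'access-list <number> {permit|deny} ...' syntax from the notes.


def wildcard_match(ip, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    ip_i, base_i = int(ipaddress.IPv4Address(ip)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ip_i & care == base_i & care


def parse_standard_ace(line):
    """Parse 'access-list <n> {permit|deny} {any | host A | A [wildcard]}' into
    (action, base, wildcard). An omitted wildcard means 0.0.0.0 (a single host),
    as in IOS, so the three 'deny 1.1.1.1' spellings parse identically."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    return action, rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")


def load_acl(text):
    """Collect the ACEs of one ACL in configured order; blank and remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[2:3] == ["remark"]:
            continue
        aces.append(parse_standard_ace(line))
    return aces


def evaluate_standard_acl(aces, src_ip):
    """Walk the ACEs top to bottom; the first match decides and the rest are ignored.
    Returns (action, index); index None means nothing matched, i.e. the implicit deny."""
    for idx, (action, base, wildcard) in enumerate(aces):
        if wildcard_match(src_ip, base, wildcard):
            return action, idx
    return "deny", None


# Constructed sample: ACL 1 and ACL 2 from the notes, plus ACL 2 with its entries reversed.
ACL_1 = load_acl("""
access-list 1 remark ##ACL 1 from the notes##
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny 192.168.2.0 0.0.0.255
access-list 1 permit any
""")
ACL_2 = load_acl("""
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
""")
ACL_2_REVERSED = list(reversed(ACL_2))

if __name__ == "__main__":
    for name, acl in (("ACL 1", ACL_1), ("ACL 2", ACL_2), ("ACL 2 reversed", ACL_2_REVERSED)):
        for src in ("192.168.1.10", "192.168.2.10", "10.0.0.1"):
            print(f"{name}: {src} -> {evaluate_standard_acl(acl, src)}")
```

Running it shows 192.168.1.10 permitted by ACL 2 but denied by the reversed copy, and 10.0.0.1 falling through ACL 2 to the implicit deny (index `None`) because that ACL has no final `permit any`.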
#To add a description to the ACL use:
#		access-list 1 remark ##Block bad guy## 		# the "#" characters are not necessary
	show access-lists								#to show all ACLs
	show ip access-lists
	show running-config | include access-list
#To apply the ACL on the interface do:
		interface <interface>
			ip access-group <ACL number> {in | out}

# Standard ACLs should be applied as close to the destination as possible!

#Standard Named ACLs
#Advantages of named ACL config mode
#	1:You can delete individual entries, but in global mode you can't do that. You can only delete the entire ACL
#	  Use: no <sequence-number>
#	2:You can insert new entries in between other entries by specifying the sequence-number
	
		ip access-list standard <ACL name>
			[sequence-number] {deny | permit} <IP address + wildcard mask>
			
#Example:
		ip access-list standard BLOCK_BAD_GUY
			5 deny 1.1.1.1
			10	permit any
			remark ##Configured 12/01/2024##
			exit
		interface g0/0
			ip access-group BLOCK_BAD_GUY in
	show access-lists		# If you add | include access-list you will see only the name

#Resequencing ACLs
		ip access-list resequence <ACL ID starting sequence-number increment>
#If the entries are numbered 1,2,3,4,5, there is no room to add a new entry between them
#That is why we should number them 10,20,30,40,50
#Example:
		ip access-list resequence 1	10	10
								  |  |   |
								  |	 |	 do step 10,20,30 ...
								  |	 change the first entry number to 10
								  The ACL number
								  
#Extended ACL								  
#	-Extended Numbered ACLs	<100-199>
		access-list <ACL number> [permit | deny] protocol Src-IP Dst-IP
		
#	-Extended Named ACLs	<2000-2699>
		ip access-list extended {name | ACL number}
			[sequence-number] {permit | deny} protocol Src-IP Dst-IP
#Examples of Extended ACLs
		ip access-list extended {name | ACL number}
			permit ip any any									#to allow all traffic
			deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1		#to prevent 10.0.0.0/16 from sending UDP traffic to 192.168.1.1
			deny icmp host 172.16.1.1 192.168.0.0 0.0.0.255		#to prevent 172.16.1.1/32 from pinging hosts 192.168.0.0/24
			
#Extended ACL matching the TCP or UDP port number (port qualifiers are only valid with tcp and udp)
			deny tcp <src-ip> {eq|gt|lt|neq|range} <src-port number> <dst-ip> {eq|gt|lt|neq|range} <dst-port-number>
			
# eq=equal to port 80
# gt=greater than 80 -->81 and greater
# lt=less than 80	 -->79 and less
# neq=not equal 80	 -->not 80
# range 80 100		 -->from port 80 to port 100

#Examples:
#Allow traffic from 10.0.0.0/16 to access the server at 2.2.2.2/32 using HTTPS
		ip access-list extended {name | ACL number}
			permit tcp 10.0.0.0 0.0.255.255 host 2.2.2.2 eq 443
			
#Prevent all hosts using source UDP port numbers from 20000 to 30000 from accessing the server at 3.3.3.3/32
			deny udp any range 20000 30000 host 3.3.3.3
			
# Allow hosts in 172.16.1.0/24 using all TCP source ports greater than 9999 to access all TCP ports on the server 4.4.4.4/32, except port 23
			permit tcp 172.16.1.0 0.0.0.255 gt 9999 host 4.4.4.4 neq 23
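Extended ACEs combine protocol, two address matches and two optional port qualifiers, and it is the port operators (eq, gt, lt, neq, range) together with the implicit deny that most often surprise people. The evaluator below is an added example, not IOS code and not part of the original notes: it parses the `[sequence-number] {permit | deny} protocol Src-IP [op port] Dst-IP [op port]` form used above and evaluates constructed packets against an ACL assembled from the three examples just given plus the ICMP deny from the earlier list. It deliberately has no final `permit ip any any`, so the implicit deny (sequence `None`) shows up. All names and the `Packet` tuple are the example's own.

```python
import ipaddress
from collections import namedtuple

# Added example (not IOS code): models extended-ACE matching, including the
# eq/gt/lt/neq/range port operators, first-match processing and the implicit deny.

Packet = namedtuple("Packet", "proto src sport dst dport")
PORT_OPS = ("eq", "gt", "lt", "neq", "range")


def wildcard_match(ip, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    ip_i, base_i = int(ipaddress.IPv4Address(ip)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ip_i & care == base_i & care


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _parse_port(tokens, i):
    """Consume an optional port qualifier; returns (op, ports, next index)."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, (), i
    op = tokens[i]
    if op == "range":
        return op, (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return op, (int(tokens[i + 1]),), i + 2


def port_matches(op, ports, port):
    """Apply eq/gt/lt/neq/range; an absent qualifier matches every port."""
    if op is None:
        return True
    if op == "range":
        return ports[0] <= port <= ports[1]
    p = ports[0]
    return {"eq": port == p, "gt": port > p, "lt": port < p, "neq": port != p}[op]


def parse_extended_ace(line):
    """Parse '[seq] {permit|deny} <proto> <src> [op port] <dst> [op port]'."""
    tokens = line.split()
    i, seq = 0, None
    if tokens[0].isdigit():
        seq, i = int(tokens[0]), 1
    action, proto = tokens[i], tokens[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src, src_wc, i = _parse_addr(tokens, i + 2)
    src_op, src_ports, i = _parse_port(tokens, i)
    dst, dst_wc, i = _parse_addr(tokens, i)
    dst_op, dst_ports, i = _parse_port(tokens, i)
    return dict(seq=seq, action=action, proto=proto,
                src=(src, src_wc), src_port=(src_op, src_ports),
                dst=(dst, dst_wc), dst_port=(dst_op, dst_ports))


def ace_matches(ace, pkt):
    """'ip' matches any protocol; tcp/udp/icmp must match the packet exactly."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    return (wildcard_match(pkt.src, *ace["src"])
            and wildcard_match(pkt.dst, *ace["dst"])
            and port_matches(*ace["src_port"], pkt.sport)
            and port_matches(*ace["dst_port"], pkt.dport))


def evaluate_extended_acl(acl_text, pkt):
    """Top to bottom, first match wins. Returns (action, seq); seq None = implicit deny."""
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("remark"):
            continue
        ace = parse_extended_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None


# Constructed ACL built from the examples in the notes; no final permit, so the
# implicit deny is visible.
EXAMPLE_ACL = """
remark ##constructed sample##
10 permit tcp 10.0.0.0 0.0.255.255 host 2.2.2.2 eq 443
20 deny udp any range 20000 30000 host 3.3.3.3
30 permit tcp 172.16.1.0 0.0.0.255 gt 9999 host 4.4.4.4 neq 23
40 deny icmp host 172.16.1.1 192.168.0.0 0.0.0.255
"""

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.5.5", 51000, "2.2.2.2", 443),
                Packet("tcp", "10.0.5.5", 51000, "2.2.2.2", 80),
                Packet("udp", "8.8.8.8", 25000, "3.3.3.3", 53),
                Packet("tcp", "172.16.1.7", 10000, "4.4.4.4", 23),
                Packet("icmp", "172.16.1.1", 0, "192.168.0.9", 0)):
        print(pkt, "->", evaluate_extended_acl(EXAMPLE_ACL, pkt))
```

Note how the packet to 4.4.4.4 port 23 is denied by the implicit deny rather than by entry 30: `neq 23` simply fails to match, and with nothing permitting it afterwards the packet is dropped.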

#Extended ACLs should be applied as close to the source as possible, to limit how far packets travel in the network before being denied
#Standard ACLs are less specific, so if they are applied close to the source there is a risk of blocking more traffic than intended