
Network security is a huge subject, and much of it is far beyond the scope of this course. However, one of the most important skills a network administrator needs is mastery of access control lists (ACLs). Administrators use ACLs to stop traffic or permit only specified traffic while stopping all other traffic on their networks. This chapter includes an opportunity to develop your mastery of ACLs with a series of lessons, activities, and lab exercises.

Network designers use firewalls to protect networks from unauthorized use. Firewalls are hardware or software solutions that enforce network security policies. Consider a lock on a door to a room inside a building. The lock only allows authorized users with a key or access card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network. On a Cisco router, you can configure a simple firewall that provides basic traffic filtering capabilities using ACLs.

An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. ACLs provide a powerful way to control traffic into and out of your network. You can configure ACLs for all routed network protocols.

The most important reason to configure ACLs is to provide security for your network. This chapter explains how to use standard and extended ACLs as part of a security solution and teaches you how to configure them on a Cisco router. Included are tips, considerations, recommendations, and general guidelines on how to use ACLs.

ACLs enable you to control traffic into and out of your network. This control can be as simple as permitting or denying network hosts or addresses. However, ACLs can also be configured to control network traffic based on the TCP port being used. To understand how an ACL works with TCP, let us look at the dialogue that occurs during a TCP conversation when you download a webpage to your computer.

When you request data from a web server, IP takes care of the communication between the PC and the server. TCP takes care of the communication between your web browser (application) and the network server software. When you send an e-mail, look at a webpage, or download a file, TCP is responsible for breaking data down into packets for IP before they are sent, and for assembling the data from the packets when they arrive. The TCP process is very much like a conversation in which two nodes on a network agree to pass data between one another.

Recall that TCP provides a connection-oriented, reliable, byte stream service. The term connection-oriented means that the two applications using TCP must establish a TCP connection with each other before they can exchange data. TCP is a full-duplex protocol, meaning that each TCP connection supports a pair of byte streams, each stream flowing in one direction. TCP includes a flow-control mechanism for each byte stream that allows the receiver to limit how much data the sender can transmit. TCP also implements a congestion-control mechanism.

Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.

A router acts as a packet filter when it forwards or denies packets according to filtering rules. When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be discarded. Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.

As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.

Recall that an ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
Source IP address
Destination IP address
ICMP message type

The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:
TCP/UDP source port
TCP/UDP destination port

Packet Filtering Example


To understand the concept of how a router uses packet filtering, imagine that a guard has been posted at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass through the door. The guard is filtering people based on the criterion of having their names on the authorized list.

For example, you could say, "Only permit web access to users from network A. Deny web access to users from network B, but permit them to have all other access." Refer to the figure to examine the decision path the packet filter uses to accomplish this task.

For this scenario, the packet filter looks at each packet as follows:
If the packet is a TCP SYN from network A using port 80, it is allowed to pass. All other access is denied to those users.
If the packet is a TCP SYN from network B using port 80, it is blocked. However, all other access is permitted.

This is just a simple example. You can configure multiple rules to further permit or deny services to specific users. You can also filter packets at the port level using an extended ACL, which is covered in Section 3.

An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are among the most commonly used objects in Cisco IOS software. ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.

As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet. ACLs can be configured to control access to a network or subnet.

By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. If you do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment.

Here are some guidelines for using ACLs:
Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
Configure ACLs on border routers, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

The Three Ps
A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface:
One ACL per protocol: To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
One ACL per direction: ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
One ACL per interface: ACLs control traffic for an interface, for example, Fast Ethernet 0/0.

Writing ACLs can be a challenging and complex task. Every interface can have multiple protocols and directions defined. The router in the example has two interfaces configured for IP, AppleTalk, and IPX. This router could possibly require 12 separate ACLs: one ACL for each of the three protocols, times two for each direction, times two for the number of ports.
ACLs perform the following tasks:
Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to select users.
Decide which types of traffic to forward or block at the router interfaces. For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
Control which areas a client can access on a network.
Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.

ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers. In addition to either permitting or denying traffic, an ACL can classify traffic to enable priority processing down the line. This capability is similar to having a VIP pass at a concert or sporting event. The VIP pass gives selected guests privileges not offered to general admission ticket holders, such as being able to enter a restricted area and be escorted to their box seats.

How ACLs Work


ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.

ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.
Inbound ACLs: Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
Outbound ACLs: Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time.

The figure shows the logic for an inbound ACL. If a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as determined by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached.

A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction. Instead of proceeding into or out of an interface, the router drops all of these remaining packets. This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.

You can apply an ACL to multiple interfaces. However, there can be only one ACL per protocol, per direction, and per interface.

The figure shows the logic for an outbound ACL. Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer. Examples of outbound ACL operation are as follows:
If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound interface.
If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACL statements that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.

For outbound lists, "to permit" means to send the packet to the output buffer, and "to deny" means to discard the packet.

ACL and Routing and ACL Processes on a Router


The figure shows the logic of routing and ACL processes on a router. When a packet arrives at a router interface, the router process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its own or if the frame is a broadcast frame.

If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is now tested against the statements in the list.

If the packet matches a statement, the packet is either accepted or rejected. If the packet is accepted in the interface, it is then checked against routing table entries to determine the destination interface and switched to that interface.

Next, the router checks whether the destination interface has an ACL. If an ACL exists, the packet is tested against the statements in the list.

If the packet matches a statement, it is either accepted or rejected.

If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.

The Implied "Deny All Traffic" Criteria Statement
At the end of every access list is an implied "deny all traffic" criteria statement. It is also sometimes referred to as the "implicit deny any" statement. Therefore, if a packet does not match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is the default behavior of ACLs and cannot be changed.

There is a key caveat associated with this "deny all" behavior: For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list.

There are two types of Cisco ACLs, standard and extended.


Standard ACLs
Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. The example allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end, all other traffic is blocked with this ACL. Standard ACLs are created in global configuration mode.

Extended ACLs
Extended ACLs filter IP packets based on several attributes, for example, protocol type, source IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control. In the figure, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP). Extended ACLs are created in global configuration mode.

The commands for ACLs are explained in the next few topics.

A standard ACL is a sequential collection of permit and deny conditions that apply to IP addresses. The destination of the packet and the ports involved are not covered.

The decision process is mapped in the figure. Cisco IOS software tests addresses against the conditions one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.

The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.
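The first-match, top-down evaluation with the implicit "deny any" described above, and the standard/extended ACL forms (including the page's ACL 103 and the earlier "network A / network B" packet filtering scenario), can be simulated with the following added example; it is not code from the course or from Cisco IOS, and the 10.1.0.0/16 and 10.2.0.0/16 addresses for networks A and B are constructed placeholders, as is the ACL number 110.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any": base 0.0.0.0, every bit is don't-care

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 0 bit must equal the base bit, a 1 bit is ignored
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def _addr(t, i):
    # Parse one address spec: "any" | "host A.B.C.D" | "A.B.C.D WILDCARD"
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_ace(line):
    # access-list N permit|deny [ip|tcp|udp|icmp] SRC [DST [eq PORT]]
    # (standard form: only SRC; extended form: protocol, DST and optional port)
    t = line.split()
    action, proto, i = t[2], "ip", 3
    if t[i] in ("ip", "tcp", "udp", "icmp"):
        proto, i = t[i], i + 1
    src, i = _addr(t, i)
    dst, port = ANY, None
    if i < len(t):
        dst, i = _addr(t, i)
        if i < len(t) and t[i] == "eq":
            port = int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, pkt):
    """Test pkt top-down; the first matching statement decides, and the rest of
    the list is skipped. Returns (action, index); index None = implicit deny."""
    for n, ace in enumerate(map(parse_ace, acl_lines)):
        if (ace["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *ace["src"])
                and wildcard_match(pkt["dst"], *ace["dst"])
                and ace["port"] in (None, pkt.get("dport"))):
            return ace["action"], n
    return "deny", None   # implicit "deny any" at the end of every ACL

# Constructed samples: the page's ACL 103, and the network A / network B policy
# (A: web only, everything else denied; B: no web, everything else permitted)
ACL_103 = ["access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80"]
ACL_AB = ["access-list 110 permit tcp 10.1.0.0 0.0.255.255 any eq 80",  # A: web
          "access-list 110 deny tcp 10.2.0.0 0.0.255.255 any eq 80",    # B: no web
          "access-list 110 permit ip 10.2.0.0 0.0.255.255 any"]         # B: all else
```

Swapping the last two ACL_AB lines would let network B's web traffic through, which is the ordering pitfall the decision process above warns about.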
