ACLs perform the following tasks:
- Limit network traffic to increase network performance.
- Provide traffic flow control.
- Provide a basic level of security for network access.
- Filter traffic based on traffic type. For example, an ACL can permit email traffic, but block all Telnet traffic.
- Screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to file types, such as FTP or HTTP.
Terminology
- Packet filtering, sometimes called static packet filtering, controls access to a network by analysing the incoming and outgoing packets, and passing or dropping them based on given criteria.
- ACEs: An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are also commonly called ACL statements. ACEs can be created to filter traffic according to: source address, destination address, protocol, and port numbers.
- Layer 3 filtering: the network traffic is evaluated on the following information:
  - Source IP address
  - Destination IP address
  - ICMP message type
- Layer 4 filtering: based on the following information:
  - TCP/UDP source port
  - TCP/UDP destination port
- Inbound ACLs: Incoming packets are processed by the ACL before they are routed to the outbound interface. Because the filtering happens before routing, the router saves the overhead of a routing lookup whenever the packet is discarded.
- Outbound ACLs: Outgoing packets are processed by the ACL after they have been routed to the outbound interface.
- Last statement: The last statement of an ACL is always an implicit deny.
Types of ACLs
- Standard ACLs: Evaluate traffic only by the source IPv4 address.
- Extended ACLs: Evaluate traffic based on several attributes:
  - Protocol type
  - Source IPv4 address
  - Destination IPv4 address
  - Source TCP or UDP ports
  - Destination TCP or UDP ports
  - Optional protocol type information for finer control
- Numbered ACLs:
  - Standard: 1 through 99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to be used for standard ACLs. This allows for a maximum of 798 possible standard ACLs.
  - Extended: 100 to 199 and 2000 to 2699, providing a total of 799 possible extended numbered ACLs.
- Naming ACLs
How many ACLs are normally needed: a small network may have 2-5 ACLs, a medium-sized company 10-25, and a large company 30-50.
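As an added illustration of the terminology and ACL types above (this is not part of the original notes and not Cisco code), the following Python models ACEs as a sequential list and evaluates a packet the way a router does: top to bottom, the first matching entry decides, and a packet that matches nothing falls through to the implicit deny. Standard entries look only at the source address; extended entries also check protocol, destination address and destination port. The ACE class, the field names, and the sample ACLs and packets are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Hypothetical model of Cisco-style ACEs; the names below are my own, not IOS syntax.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr agrees with base on every bit that is 0 in the wildcard mask."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # the bits the router examines
    return (a & care) == (b & care)


@dataclass
class ACE:
    """One access control entry. A standard ACL uses only src/src_wc; protocol,
    dst/dst_wc and dst_port are the extra attributes an extended ACL can check."""
    action: str                      # "permit" or "deny"
    src: str                         # source address
    src_wc: str = "0.0.0.0"          # source wildcard; 0.0.0.0 is what 'host' expands to
    protocol: str = "ip"             # "ip" matches any protocol
    dst: Optional[str] = None        # destination address (None = not checked)
    dst_wc: str = "0.0.0.0"
    dst_port: Optional[int] = None   # destination TCP/UDP port (None = not checked)

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.protocol != "ip" and pkt.get("protocol") != self.protocol:
            return False
        if self.dst is not None and not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def evaluate_acl(aces, pkt):
    """Walk the ACEs top to bottom. The first matching entry decides and the search
    stops there; a packet that matches nothing hits the implicit deny at the end.
    Returns (action, index_of_matching_ace), with index -1 for the implicit deny."""
    for i, ace in enumerate(aces):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", -1


ANY = "255.255.255.255"

# Constructed sample: a standard ACL that permits one host, denies the rest of its
# /24 and permits everything else. Order matters: swapping the first two entries
# would make the host fall into the network deny.
STANDARD_ACL_3 = [
    ACE("permit", "192.168.10.5"),                  # host 192.168.10.5
    ACE("deny", "192.168.10.0", "0.0.0.255"),       # rest of 192.168.10.0/24
    ACE("permit", "0.0.0.0", ANY),                  # any
]

# Constructed sample: an extended ACL that permits email (TCP 25) to a mail server,
# blocks Telnet (TCP 23) to anywhere, then permits the rest.
EXTENDED_ACL_101 = [
    ACE("permit", "192.168.10.0", "0.0.0.255", protocol="tcp", dst="10.0.0.25", dst_port=25),
    ACE("deny", "0.0.0.0", ANY, protocol="tcp", dst="0.0.0.0", dst_wc=ANY, dst_port=23),
    ACE("permit", "0.0.0.0", ANY),
]


if __name__ == "__main__":
    for pkt in ({"src": "192.168.10.5", "dst": "10.0.0.1"},
                {"src": "192.168.10.7", "dst": "10.0.0.1"},
                {"src": "172.16.0.9", "dst": "10.0.0.1"}):
        print("ACL 3", pkt["src"], "->", evaluate_acl(STANDARD_ACL_3, pkt))
    telnet = {"src": "192.168.10.5", "dst": "10.0.0.25", "protocol": "tcp", "dst_port": 23}
    print("ACL 101 telnet ->", evaluate_acl(EXTENDED_ACL_101, telnet))
    # An ACL with a single permit entry: every other packet is dropped by the implicit deny.
    print("implicit deny ->", evaluate_acl([STANDARD_ACL_3[0]], {"src": "172.16.0.9", "dst": "10.0.0.1"}))
```

The returned index makes the first-match rule visible: reordering the permit-host and deny-network entries of ACL 3 changes the verdict for 192.168.10.5 from permit to deny, which is the usual way an ACL mistake shows up in practice.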
Wildcard Masks
IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
The rules are:
- Wildcard mask bit 0 – Match the corresponding bit value in the address.
- Wildcard mask bit 1 – Ignore the corresponding bit value in the address.
Note: Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used.
Practice:
- Example 1: IP address 192.168.1.1 with wildcard mask 0.0.0.0 means every bit must match, so only 192.168.1.1 matches. IP address 192.168.1.1 with wildcard mask 255.255.255.255 means no bit is checked, so any address matches. IP address 192.168.1.1 with wildcard mask 0.0.0.255 means the first three octets must match, so only the network 192.168.1.0/24 matches.
- Example 2: In Figure 1 the first two octets and the first 4 bits of the third octet must match exactly. The last 4 bits of the third octet and the whole last octet can be any value, so the matching IP addresses range from 192.168.16.0 to 192.168.31.255.
Figure 2 is an interesting one. The first and second octets must match, and the last bit of the third octet must match. The result is that only the odd-numbered networks in the 192.168.0.0/16 supernet match, because the last bit of the third octet determines whether the network number is odd or even. If the IP address is changed to 192.168.0.0 and the wildcard mask stays the same, the even-numbered networks match instead.
- Example 3: A wildcard mask of 0.0.0.254 (binary equivalent = 00000000.00000000.00000000.11111110) allows only even-numbered IP addresses to be matched. A 0 octet in the wildcard mask indicates that the corresponding octet in the address must match exactly. On the other hand, a 254 indicates that you don't care what the corresponding octet is, except for its last bit, which must match.
Wildcard mask keywords:
- host: when matching a single IP address, such as 192.168.1.1 0.0.0.0, you can write host 192.168.1.1 instead.
- any: when matching any IP address, such as 0.0.0.0 255.255.255.255, you can write the keyword any by itself.
The range of addresses affected
- The low end of the range is the network address.
- The high end of the range is the network address plus the wildcard mask.
E.g. r1(config)#access-list 3 deny 192.168.10.0 0.0.0.255
The addresses affected run from 192.168.10.0 to 192.168.10.255 (192.168.10.0 + 0.0.0.255).
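To make the wildcard-mask rules, the practice examples, the host/any keywords and the range calculation above concrete, here is an added Python example (not part of the original notes and not Cisco code). It implements the bit-matching rule, computes the low and high end of an address/wildcard pair, converts a prefix length to a wildcard mask, expands the host and any keywords, and enumerates which third-octet values match the odd-network mask from Figure 2 and which last-octet values match the 0.0.0.254 mask from Example 3. The sample addresses come from the examples above; the function names are my own.

```python
from ipaddress import IPv4Address

# Added example; function names are my own and not IOS commands.

def to_int(addr: str) -> int:
    return int(IPv4Address(addr))

def to_str(n: int) -> str:
    return str(IPv4Address(n))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must match; bit 1 = the address bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def address_range(base: str, wildcard: str):
    """Low end = the network address (wildcard bits cleared); high end = the network
    address with every wildcard bit set, which equals base + wildcard when base has
    zeros in those positions. For a non-contiguous mask such as 0.0.254.255 the range
    still brackets the matches but also contains addresses that do not match."""
    b, w = to_int(base), to_int(wildcard)
    return to_str(b & ~w & 0xFFFFFFFF), to_str(b | w)

def wildcard_from_prefix(prefix_len: int) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_str(~subnet_mask & 0xFFFFFFFF)

def wildcard_to_binary(wildcard: str) -> str:
    """Dotted-decimal wildcard to the dotted-binary form used in Example 3."""
    return ".".join(f"{int(o):08b}" for o in wildcard.split("."))

def parse_source(token: str):
    """Expand the ACE keywords: 'host A' -> (A, 0.0.0.0), 'any' -> (0.0.0.0, 255.255.255.255);
    a plain 'A W' pair is returned unchanged."""
    parts = token.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host" and len(parts) == 2:
        return parts[1], "0.0.0.0"
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"unrecognised source specification: {token!r}")

def matching_octet_values(base: str, wildcard: str, octet: int):
    """Which values 0-255 of the given octet (1-4) of base still match base/wildcard?
    This shows the odd/even effect of a 254 in the mask."""
    parts = base.split(".")
    hits = []
    for v in range(256):
        candidate = parts[:]
        candidate[octet - 1] = str(v)
        if wildcard_match(".".join(candidate), base, wildcard):
            hits.append(v)
    return hits

if __name__ == "__main__":
    print(address_range("192.168.10.0", "0.0.0.255"))    # ('192.168.10.0', '192.168.10.255')
    print(address_range("192.168.16.0", "0.0.15.255"))   # Figure 1: ('192.168.16.0', '192.168.31.255')
    print(wildcard_from_prefix(20))                       # 0.0.15.255
    print(parse_source("host 192.168.1.1"), parse_source("any"))
    print(matching_octet_values("192.168.1.0", "0.0.254.255", 3)[:5])   # odd networks: [1, 3, 5, 7, 9]
    print(matching_octet_values("192.168.0.0", "0.0.254.255", 3)[:5])   # even networks: [0, 2, 4, 6, 8]
    print(wildcard_to_binary("0.0.0.254"))                # 00000000.00000000.00000000.11111110
```

Note that address_range uses a bitwise OR rather than arithmetic addition; the two agree for the examples in the notes, where the network address has zeros in every wildcard position, and the OR form does not overflow an octet when it does not.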
Guidelines for ACL creation and use:
- Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
- Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
- Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
- Configure ACLs for each network protocol configured on the border router interfaces.
Three Ps when applying ACLs on a router:
- One ACL per protocol – To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
- One ACL per direction – ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
- One ACL per interface – ACLs control traffic for an interface, for example, GigabitEthernet 0/0.
Best Practices
- Base your ACLs on the security policy of the organization: this will ensure you implement organizational security guidelines.
- Prepare a description of what you want your ACLs to do: this will help you avoid inadvertently creating potential access problems.
- Use a text editor to create, edit, and save ACLs: this will help you create a library of reusable ACLs.
- Test your ACLs on a development network before implementing them on a production network: this will help you avoid costly errors.
Guidelines for ACL Placement:
Basic rules are:
- Extended ACLs – Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure. Because an extended ACL specifies the source address, destination address and protocol precisely, there is little risk that it will block legitimate traffic by mistake.
- Standard ACLs – Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will prevent that traffic from reaching any other network through the interface where the ACL is applied, so it may block other legitimate traffic by mistake.
Other factors to consider:
- The extent of the network administrator’s control – Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks.
- Bandwidth of the networks involved – Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination. This is especially important in low bandwidth networks.
- Ease of configuration – If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination. The disadvantage is that traffic from these networks will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This will save bandwidth by filtering the traffic at the source but requires creating extended ACLs on multiple routers.