Introduction to Access-Lists on Cisco IOS Router

Hello Siu Kai L,

Both inbound and outbound get the job done: they filter packets. It depends on the scenario which one you might want to use. For example, let’s say you have a router with 4 interfaces:

* 1x WAN interface that connects to the Internet
* 3x LAN interface

Let’s say you want to restrict internet traffic from your LAN to the Internet. You could attach the same access-list INBOUND on all three LAN interfaces, or you can attach the access-list OUTBOUND on your WAN interface. Both get the job done, the only difference is you have to apply it once instead of on three interfaces.

You can also look at this from the other way around. Let’s say you want to restrict traffic from the Internet to your LAN. You could create an access-list and attach it INBOUND on your WAN interface, or you attach it OUTBOUND on all three LAN interfaces.

Both will get the job done, but adding it to the WAN interface INBOUND is probably easier since you only have to attach it once. Also, it prevents the traffic from going anywhere else since you filter it right away on where it enters the router.

Hope this helps!


Hi Rene / Team ,

I have a query. Suppose a router has two interfaces: one is fa0/0, which is treated as inbound, and the other one is Fa 1/1, which is outbound.

Like you said in the above post, on a single interface two inbound or two outbound access lists are not possible.

Kindly confirm whether it is possible to permit the above access list 1 and access list 2 separately, one inbound on Fa 0/0 and the other outbound on Fa 1/1, because I am using a single router.

If we apply this configuration, will it work? Please confirm.

access-list 1 permit 1.1.1.0 0.0.0.255
access-list 2 permit 2.2.2.0 0.0.0.255

interface fa0/0
 ip access-group 1 in

interface fa0/1
 ip access-group 2 out

Important edit:

But as I know, I cannot apply an inbound ACL and an outbound ACL at the same time; you need to choose first which ACL you want inbound or outbound. Then what syntax or command is required to permit or deny the specific networks given below, and how can we know whether the network is the source address or the destination address?

access-list 1 permit 1.1.1.0 0.0.0.255
access-list 2 permit 2.2.2.0 0.0.0.255

One More doubt :smiley:

How did you decide that in the example below, or in the above post, the ACL is specified for destination traffic?

(config)#access-list out_acz_in permit any 10.0.32.10

The correct syntax for this would be:

(config)#ip access-list extended out_acz_in
(config-nacl)#permit ip any host 10.0.32.10

What does this statement used in the ACL mean:
out_acsz_in

Please explain this term

Let’s say you want to restrict internet traffic from your LAN to the Internet. You could attach the same access-list INBOUND on all three LAN interfaces, or you can attach the access-list OUTBOUND on your WAN interface. Both get the job done, the only difference is you have to apply it once instead of on three interfaces.

Sir, regarding the above highlighted statement: does it mean we have to create a different access list on all three inbound interfaces, or will something else do to restrict the traffic?

Please explain in syntax form how we create the same access list on all three inbound interfaces of the router.

Regards
Shivam Chaudhary

Hello Shivam

Yes, it is possible to apply the access lists as you mention in your post. Keep in mind that you can apply one access list per direction per interface. This means that you can have both an inbound and an outbound access list applied to the same interface. You can even have the same access list applied in both directions on a single interface. For example, you can have this:

interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 1 in
 ip access-group 1 out
!
interface GigabitEthernet0/1
 ip address 10.10.20.1 255.255.255.0
 ip access-group 1 in
 ip access-group 2 out
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 permit 0.0.0.0 255.255.255.0

Notice that for GE0/0, the same access list is applied in both directions, while on GE0/1, different access lists are applied in each direction. But you can have the same access list applied to multiple interfaces as well.

You know that it is meant for destination traffic because the extended access list has the following syntax:

access-list access-list-number {deny|permit} protocol source source-wildcard destination destination-wildcard

So you see that after the protocol is specified, you begin with the source address and wildcard mask, and then the destination address and wildcard mask. So for the following command:

(config)#ip access-list extended out_acz_in
(config-nacl)#permit ip any host 10.0.32.10

…the any keyword specifies the source, and the 10.0.32.10 specifies the destination. When there is no subnet mask applied, then the assumed wildcard mask is 0.0.0.0, which means that the destination specifies only a single host with that address.

This is just the name given to the access list. You can call it anything you like.

Imagine you have the following topology:


Now if you want to block traffic to the 147.52.0.0/16 network on the Internet, for example, then you would create an ACL such as this:

(config)#ip access-list extended block_147.52
(config-nacl)#deny ip any 147.52.0.0 0.0.255.255
(config-nacl)#permit ip any any

Now you can apply this to the GE0/1, GE0/2, GE0/3 interfaces in an inbound direction or you can apply this to the GE0/0 interface in an outbound direction. Obviously it would be better to apply it only once to the GE0/0 interface. It is faster, more efficient, and clearer.

I hope this has been helpful!

Laz


Hello,

First question: how many types of ACL do we have, on a router and on a switch?
Second question: is it possible to use a layer 3/4 ACL on a layer 2 only switch, like ip permit tcp 1.1.1.1 eq 22 2.2.2.2 eq 22 for example?

thanks for your help.

Hello Mohamed

It depends on what you mean when you say “types”. There are the following access lists:

  • standard - which examine only source addresses
  • extended - these access lists examine both source and destination addresses as well as many other aspects such as transport layer ports
  • reflexive - these are extended access lists that keep track of connections so that returning traffic of a session that has been allowed by a reflexive ACL will also be allowed
  • VLAN Access List (VACL) - allows you to filter traffic within a VLAN

Some layer 2 switches are capable of filtering traffic using layer 3 or layer 4 criteria, but this depends upon the IOS and the platform. These are called Port ACLs, and can be applied to Layer 2 interfaces. As I mentioned before, they are highly platform and IOS dependent. More information about these can be found here:

I hope this has been helpful!

Laz

Thank you, I am a little confused.
In all the documents or labs I saw ACLs on routers or layer 3 switches.
I didn’t know about layer 2 switches.
If I can put a layer 3/4 ACL on one, how will it work? On a VLAN interface or on a physical interface? Same question if it is on a trunk port or an access port.

Hello Mohamed

You are right that the general rule is that Layer 3 devices have the capability of using ACLs, and they are generally placed on layer 3 interfaces, such as routed ports and SVIs.

However, if a device supports port ACLs, then it is possible to place an ACL on a layer 2 port, but there are several restrictions.

  1. They can only be applied to ingress traffic
  2. They are only supported in hardware. In other words, any packets routed in software cannot be filtered.
  3. They can only be applied to physical layer 2 interfaces

You can find out more details here:

Remember, however, that port ACLs are special cases, and are supported only by specific platforms with specific IOS. They are not widely used, and will almost certainly not be included in any Cisco certification exam.

I hope this has been helpful!

Laz


Hello Lazaro Agapides,
Ok, I understand, very clear for me now.
thank you very much.


I am trying to find documentation on Access-list but not for the purpose of permitting or denying traffic for access.

I remember somewhere in the back of my mind that an access-list can be used to tag traffic or note/log it, where you might not actually need to block it but might want it tagged, so you can see it in something like SNMP or something else.

While not the same thing, I know NAT uses access-lists for a different purpose than just blocking or permitting.

I just cannot remember where to find info on this specific side topic!

Hello Brian

I think you’re talking about the log keyword for access lists. For any access list entry, you can add this keyword at the end, and any packets that match that particular entry, whether a permit or deny entry, will be logged to syslog. You can find out more about it here:

Also, this Cisco document talks about it in detail:

I hope this has been helpful!

Laz

I will read that document when I get back from breakfast.

Here is another example. Notice this is like the case of NAT: an access list, but it’s not applied anywhere. Yet it’s required; by having the access list it works, but I am vague and unclear on just how it works, since it’s not applied and not really permitting or blocking, yet it’s required. So while I have seen something somewhere in the past on this stuff, I just cannot remember it well.

ip access-list 15
10 permit tcp 1.1.1.0/24 any
20 permit tcp 2.2.2.0/24 any
30 permit tcp 3.3.3.0/24 any
40 permit tcp 4.4.4.0/24 any
! Local IP subnets to be determined
50 permit tcp 5.5.5.0/24 any
snmp-server user TEST network-admin auth md5 TEST! priv testkey localizedkey
snmp-server community test1 network-operator

Hello Brian

Hmm, I don’t see how this access list plays any role in what you’re suggesting. As you mentioned, if you simply create an access list and don’t apply it somewhere, it essentially does nothing. If you remember where you have seen something like this applied, let me know and we can investigate it further…

I hope this has been helpful!

Laz


EDITED: I FOUND IT LAZ!!!

I found what I was talking about. Rene talks about it here!

Classification does not drop IP packets like filtering does but we use it to "select” traffic. Let’s take a look at an example:

In the picture above we have a VPN that encrypts traffic between the two routers. Whenever we create a VPN we can use an access-list to “select” what traffic should be encrypted. Perhaps I want traffic from network 192.168.2.0 /24 to be encrypted but traffic from 172.16.2.0 /24 not. We can use an access-list to “select” traffic, this is called classification.

This is where access-lists are used without applying them. I think NAT, SNMP and now this VPN are a few examples.

This is what I was looking for.

Rene just uses the one example and does not talk about the others such as NAT and SNMP, but he may when he gets to those sections. I am unsure, as I have not got back to those yet, since I study for the most part sequentially according to the lessons. It’s not a big topic, so it may just be assumed that people understand it’s classification going on, so it’s not spelled out.

Point is, it would be nice if we had a bit more info about this, as it’s interesting because it’s being used to do a different job than what we normally think access-lists are used for, which is filtering.

So to me that is fascinating, and I would love to see more articles on it so I can find the boundaries of this idea, how far it can be taken, and what all it’s used for.

Anyway I am pretty sure this is what I was talking about.

Hi,

I have an unusual problem. If you are unable to apply an access-list to a VLAN interface due to the command access-group in/out not being available, will this affect a route map being placed on the VLAN interface?

Regards,

Shannon.

Hello Shannon

If the access-group command is not available, then that means that the device you are configuring it on is an L2 device.

Now when you say you placed a route map on the VLAN interface, what do you mean exactly? There is policy-based routing where you apply a route map to an interface using the ip policy route-map command, but again that is an L3 feature. Can you give us more details about the commands that you are applying to the VLAN interface as well as the platform and IOS version you are attempting them on?

Let us know and we’ll be able to help you further!

I hope this has been helpful!

Laz

Hello Brian

Ah, I see. Yes, Rene states that access lists can be used for either filtering or classification. However, keep in mind that in both cases the access list must be applied somewhere. In the case of filtering, it is applied using the access-group command on the interface. In the case of classification, it will be matched in some route map, or class-map, or a NAT translation, or a transform set such as that applied when configuring IPSec tunnel mode.

If you simply create an access list and do nothing with it, it will simply do nothing. Even when used for classification, it must be applied within the mechanism that is using that classification.

I hope this has been helpful!

Laz
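The source-then-destination ordering, wildcard matching and implicit deny from the extended ACL syntax explanation earlier in the thread, together with the filtering-versus-classification distinction in this reply, worked as an added Python example (my own code, not from the thread or from Cisco). The ACL lines are constructed to mirror the ones discussed, and the evaluator deliberately ignores port matching:

```python
import ipaddress

# Added example, not from the thread: a minimal evaluator for Cisco-style extended
# ACL entries (protocol, then source, then destination) with wildcard masks, the
# "any"/"host" shorthands, first-match processing and the implicit deny at the end.

ANY = (0, 0xFFFFFFFF)  # base address 0, wildcard "every bit is don't care"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _ip(tokens.pop(0)), 0  # wildcard 0.0.0.0 = exactly this host
    return _ip(tok), _ip(tokens.pop(0))

def _matches(addr, base, wild):
    # A 1 bit in the wildcard means "don't care"; compare only the remaining bits.
    keep = ~wild & 0xFFFFFFFF
    return addr & keep == base & keep

def parse_ace(line):
    """Parse '{permit|deny} PROTO SRC DST' into (action, proto, src, dst)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    return action, proto, _parse_addr(tokens), _parse_addr(tokens)

def evaluate(acl, proto, src_ip, dst_ip):
    """Filtering use: first-match result, or ('deny', 'implicit deny') if nothing matches."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    for line in acl:
        action, p, (sb, sw), (db, dw) = parse_ace(line)
        if p in ("ip", proto) and _matches(src, sb, sw) and _matches(dst, db, dw):
            return action, line
    return "deny", "implicit deny"

def classify(acl, proto, src_ip, dst_ip):
    """Classification use (crypto map, NAT, route-map): a permit match means the
    packet is selected; a deny match or no match means it is left alone."""
    return evaluate(acl, proto, src_ip, dst_ip)[0] == "permit"

# Constructed sample ACLs mirroring the ones discussed in the thread.
BLOCK_147_52 = ["deny ip any 147.52.0.0 0.0.255.255", "permit ip any any"]
TO_HOST = ["permit ip any host 10.0.32.10"]
CRYPTO_ACL = ["permit ip 192.168.2.0 0.0.0.255 any"]  # 172.16.2.0/24 is not selected
```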

Hello, everyone!

I’ve been wondering…

We have the option to use ACLs. There’s standard, extended, time-based and some other types of ACLs.

However, when it comes to security, aren’t there firewalls which can serve the same function and even provide some more advanced security features?

So when would I want to use ACLs to filter packets/provide security if there are firewalls out there which can achieve the same thing more efficiently?

Thank you!

David

Hello David

Yes, it is true that firewalls have the same capabilities as access lists, and can perform the same security functions as ACLs (and a lot more of course). However, they are used at different levels, and have different capacities.

Sometimes you simply want to block certain addresses from accessing certain subnets. Using an ACL is the simplest and most immediately applicable solution… not to mention the cheapest! ACLs are a built-in functionality of routers, so it is definitely preferable to simply apply an ACL on a particular interface of a router and be done with it rather than to install a whole new device to do that for you. Sometimes, an ACL is all you need.

Firewalls are typically installed to deliver more comprehensive security, providing holistic solutions for the whole network. They are typically placed on the edge of a network and can apply ACLs and other features to protect the “inside” network from the dangers of the “outside” network. If you want to extend those capabilities internally to the network (such as filtering traffic between internal subnets), then you’ll have to add more firewalls at the appropriate positions within your network to achieve this.

One more thing. Although firewalls do perform the same function as ACLs, they can do much much more. Firewalls operate at a higher level and can make more complex decisions based on application-level information, and not only source and destination IP addresses. They can also maintain state information, which allows them to filter traffic based on the state of a connection.

Finally, it all comes down to your needs. If you need to filter traffic based on IP addresses, protocols, or ports, and you don’t need the additional features offered by a firewall, then an ACL might be sufficient. However, if you need more advanced features, such as stateful filtering or application-level filtering, then a firewall would be more appropriate.

I hope this has been helpful!

Laz

A great explanation, thank you Laz!

Cisco NetAcad covers the established keyword for TCP connections but oddly leaves out how you are supposed to account for UDP return traffic in ACLs. Are Reflexive ACLs the only option for allowing only return UDP traffic to pass? Obviously more advanced firewalls have their own ways of handling this but I’m wondering if there’s something strictly ACL-wise I’m missing.