ACL


ACLs (Access Control Lists) have several uses on Cisco IOS; one of them is packet filtering. As a packet filter, an ACL matches packets on fields such as the source address and, for extended ACLs, the destination address, the protocol and the port numbers, as covered below.

⚠️
IMPORTANT: ACLs are configured in global config mode.

ACLs are an ordered sequence of ACEs (Access Control Entries). Think of them as a chain of “if” and “elif” statements in Python: they are evaluated sequentially from top to bottom, and the first ACE that matches decides the packet's fate; the remaining ACEs are never consulted. Order therefore matters: a broad permit placed above a specific deny shadows it, and the deny never fires.

Also, an ACL is applied to traffic in one direction on an interface: inbound (entering the interface) or outbound (leaving the interface).

⚠️
IMPORTANT: ACLs are applied to an interface.
⚠️
IMPORTANT: There can be only one ACL per direction on an interface, so at most two ACLs per interface: one for inbound traffic and one for outbound traffic.

Implicit Deny

Every ACL ends with an implicit deny any. If a packet is checked against an ACL and matches no ACE, it is dropped. Two consequences: an ACL that contains only deny entries blocks all traffic in that direction, and a permit for the traffic you do want is always required somewhere in the list. Caveat: the implicit deny only exists once the ACL has at least one ACE; an ACL that is applied to an interface but has no entries (or does not exist yet) permits everything.

Types of ACLs

Show ACLs

Option #1: Show all ACLs of all types
show access-lists
Option #2: Show only IP ACLs
show ip access-lists
Both commands list each ACE with its sequence number and match counter, which is the quickest way to verify that a rule is actually hitting traffic.

Standard ACLs

🚨
IMPORTANT: Standard ACLs match on the source address only, so as a good practice apply them as close as possible to the intended DESTINATION. Placed near the source, a standard ACL cuts that source off from every destination, not just the one you mean.

Numbered

A Standard ACL of this type is identified by a number (ACL 1, ACL 2, ACL 3, and so on).

The number can range from 1-99 or, in the expanded range, 1300-1999.

Configure Standard Numbered ACL

configure terminal
access-list {number} {deny | permit} ip-address wildcard
💡
NOTE: For a single host (/32) either of the following works; omitting the wildcard on a standard ACE defaults it to 0.0.0.0:
access-list {number} {deny | permit} ip-address
access-list {number} {deny | permit} host ip-address

Add an entry to an existing ACL

Re-issuing the command with the same ACL number appends a new ACE at the end of that list:

configure terminal
access-list {acl-number} {deny | permit} ip-address wildcard
💡
NOTE: To match any host (/0) either of the following works:
access-list {number} {deny | permit} any
access-list {number} {deny | permit} 0.0.0.0 255.255.255.255
💡
NOTE: For a numbered ACL, a no statement issued from global config mode removes the whole ACL, even if you type one specific entry after it. The safe way to delete a single entry is to enter named ACL config mode for that ACL and remove the entry by its sequence number.

Add commentary entry to an existing ACL

configure terminal
access-list {acl-number} remark {text}
💡
NOTE: A remark is stored in the configuration (it shows up in show running-config) but does not appear in show access-lists output.

APPLY an ACL to an interface

configure terminal
interface g0/0     // Here the interface Gigabit 0/0 is an example
ip access-group {acl-number} {in | out}
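The points above (first match wins, implicit deny, one ACL per interface per direction, and why a source-only standard ACL belongs near the destination) are easier to see on a toy router than in prose. The following Python model is an added example written for these notes; it is not Cisco code and does not talk to a device. The three interfaces, the prefixes, the hosts (Bob at 10.0.0.5, a printer LAN on g0/2) and ACL 10 are all constructed for the illustration, and the model reproduces one IOS corner case that the implicit deny note relies on: an applied ACL with no entries permits everything.

```python
"""Standard ACL semantics on a toy router: wildcard masks, first match, implicit deny and
why a source-only ACL belongs near the destination. Added example, not Cisco code."""
import ipaddress

def dotted_wildcard(prefix: str) -> str:
    """'172.16.0.0/22' -> '0.0.3.255': a wildcard is the subnet mask with every bit flipped."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)

def ace(action: str, source: str) -> tuple:
    """Standard ACE from the notes' source forms: 'any', 'host A.B.C.D' or 'A.B.C.D/len'."""
    if source == "any":                                   # 0.0.0.0 255.255.255.255
        return action, 0, 0xFFFFFFFF
    if source.startswith("host "):                        # A.B.C.D 0.0.0.0
        return action, int(ipaddress.IPv4Address(source[5:])), 0
    net = ipaddress.IPv4Network(source, strict=False)
    return action, int(net.network_address), int(net.hostmask)

def matches(entry: tuple, src: str) -> bool:
    """Wildcard bit 1 = don't care, bit 0 = must equal the ACE address."""
    _, net, wild = entry
    return ((net ^ int(ipaddress.IPv4Address(src))) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl: list, src: str) -> str:
    """Top-down, the first matching ACE decides; no match falls to the implicit deny at the end.
    Mirrors IOS in one corner case: an applied ACL with no entries permits everything."""
    if not acl:
        return "permit"
    for entry in acl:
        if matches(entry, src):
            return entry[0]
    return "deny"

class Router:
    """One ACL per interface per direction, as with 'ip access-group ... {in | out}'."""
    def __init__(self, routes: dict):
        self.routes = routes          # prefix -> interface, stands in for the routing table
        self.groups = {}              # (interface, direction) -> acl

    def access_group(self, interface: str, direction: str, acl: list) -> None:
        self.groups[(interface, direction)] = acl   # a second apply in the same direction replaces the first

    def _interface(self, addr: str) -> str:
        for prefix, iface in self.routes.items():
            if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(prefix):
                return iface
        raise ValueError(f"no route to {addr}")

    def forward(self, src: str, dst: str) -> str:
        """Inbound ACL on the ingress interface first, then outbound ACL on the egress interface."""
        for key in ((self._interface(src), "in"), (self._interface(dst), "out")):
            acl = self.groups.get(key)
            if acl is not None and evaluate(acl, src) == "deny":
                return "deny"
        return "permit"

# Constructed sample: ACL 10 blocks Bob's workstation and allows the rest of his LAN.
ACL_10 = [ace("deny", "host 10.0.0.5"), ace("permit", "10.0.0.0/24")]

def demo() -> dict:
    routes = {"10.0.0.0/24": "g0/0", "192.168.1.0/24": "g0/1", "192.168.2.0/24": "g0/2"}
    bob, alice, printer, server = "10.0.0.5", "10.0.0.6", "192.168.2.20", "192.168.1.10"
    near_source, near_dest, fixed = Router(routes), Router(routes), Router(routes)
    near_source.access_group("g0/0", "in", ACL_10)   # source side: where Bob's LAN enters
    near_dest.access_group("g0/1", "out", ACL_10)    # destination side: where the server LAN leaves
    fixed.access_group("g0/1", "out", ACL_10 + [ace("permit", "any")])
    return {
        "src_side_bob_to_server": near_source.forward(bob, server),        # deny
        "src_side_bob_to_printer": near_source.forward(bob, printer),      # deny: Bob loses everything
        "dst_side_bob_to_server": near_dest.forward(bob, server),          # deny
        "dst_side_bob_to_printer": near_dest.forward(bob, printer),        # permit: only the server LAN is guarded
        "dst_side_alice_to_server": near_dest.forward(alice, server),      # permit
        "dst_side_printer_to_server": near_dest.forward(printer, server),  # deny: implicit deny hits every other source
        "fixed_printer_to_server": fixed.forward(printer, server),         # permit once 'permit any' is appended
        "reordered_bob": evaluate(list(reversed(ACL_10)), bob),            # permit: the broad permit shadows the deny
        "empty_acl_bob": evaluate([], bob),                                # permit: nothing to match against
    }
```

Run `demo()` and compare the source-side and destination-side verdicts: the same two-line ACL blocks Bob from the printers when it sits on g0/0 inbound, but only from the server LAN when it sits on g0/1 outbound. The printer-to-server case shows the other half of the placement lesson: once a standard ACL guards the destination, every source that the list does not explicitly permit falls to the implicit deny, so a trailing permit any is usually needed.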

Named

A Standard ACL of this type is identified by a name (e.g. BLOCK_BOB).

Unlike numbered ACLs, you first enter “standard named ACL mode” and add the entries from there.

Enter Standard Named ACL Mode

configure terminal
ip access-list standard {acl-name}
⚠️
IMPORTANT: In modern IOS versions the same command accepts an acl-number in place of the acl-name, which gives numbered ACLs the same sequence-number editing described below.

Add an ACE (entry) to the ACL

[entry-number] {deny | permit} ip-address wildcard
💡
NOTE: In a numbered ACL built with the access-list command, the order in which you type the commands is the order of the ACL. In named ACL mode you may give each entry a sequence number; if you omit it, the entry is appended after the last one (IOS numbers entries in steps of 10 by default).
💡
NOTE: To insert an entry in the middle of the ACL, give it a sequence number that falls between two existing entries (e.g. 15 between 10 and 20). The ACL is evaluated in sequence-number order, not in the order the entries were typed.

Resequencing an existing Access List

This is useful when you want to insert an entry between two existing ones but there is no free sequence number between them (e.g. 1, 2, 3, 4, 5). The command renumbers every entry while keeping the order, starting at starting-number and stepping by increment.

configure terminal
ip access-list resequence {acl-name | acl-number} {starting-number} {increment}

Remove an ACE (entry) from an ACL

This is done from named ACL config mode (a global config sub-mode), not from interface config mode:

configure terminal
ip access-list standard {acl-name}
no {entry-number}
💡
NOTE: If you don't remember the entry number, run show access-lists to find it.
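The sequence-number mechanics just described (append, insert between entries, run out of room, resequence, delete a single entry) are modelled in the following Python class. It is an added example written for these notes, not IOS code; the ACL name BLOCK_BOB and its entries are constructed, and free_slot is a helper of this model with no IOS equivalent.

```python
"""Sequence-number bookkeeping of an IOS named ACL: append, insert between entries, resequence and
delete one ACE. Added example modelling the behaviour these notes describe; it is not IOS code."""

class NamedAcl:
    def __init__(self, name: str):
        self.name = name
        self.entries = {}                 # sequence number -> ACE text, evaluated in numeric order

    def add(self, text: str, seq: int = None) -> int:
        """'[seq] permit|deny ...' in named ACL mode. Without seq the entry goes after the last one."""
        if seq is None:
            seq = max(self.entries, default=0) + 10   # IOS default step is 10
        if seq in self.entries:
            raise ValueError(f"% Duplicate sequence number {seq}")  # refused, not overwritten
        self.entries[seq] = text
        return seq

    def remove(self, seq: int) -> str:
        """'no <seq>' in named ACL mode drops exactly one ACE; the rest of the list survives."""
        return self.entries.pop(seq)

    def resequence(self, start: int = 10, increment: int = 10) -> None:
        """'ip access-list resequence NAME start increment': renumber, keeping the order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * increment: t for i, t in enumerate(ordered)}

    def free_slot(self, before: int):
        """Helper of this model (no IOS equivalent): a free number just ahead of 'before', or None."""
        lower = max((s for s in self.entries if s < before), default=0)
        return next((s for s in range(lower + 1, before) if s not in self.entries), None)

    def show(self) -> list:
        """What 'show access-lists' prints: entries in sequence order, not the order typed."""
        return [(s, self.entries[s]) for s in sorted(self.entries)]

def walkthrough() -> dict:
    """Constructed sample following the editing steps in these notes."""
    acl = NamedAcl("BLOCK_BOB")
    acl.add("deny host 10.0.0.5")                # 10
    acl.add("permit 10.0.0.0 0.0.0.255")         # 20
    acl.add("permit 10.0.1.0 0.0.0.255")         # 30
    acl.add("deny host 10.0.0.9", seq=15)        # must sit above the permit that would otherwise cover it
    after_insert = acl.show()
    acl.resequence(1, 1)                         # 1, 2, 3, 4: packed, so nothing fits before entry 2
    no_room = acl.free_slot(before=2)
    acl.resequence(10, 10)                       # 10, 20, 30, 40: room again
    slot = acl.free_slot(before=20)
    acl.add("deny host 10.0.0.10", seq=slot)
    removed = acl.remove(20)                     # only 'deny host 10.0.0.9' goes; the ACL stays
    return {"after_insert": after_insert, "no_room": no_room, "slot": slot,
            "removed": removed, "final": acl.show()}
```

The walkthrough shows why the deny for 10.0.0.9 has to be inserted at 15 rather than appended: appended at 40 it would sit below the permit for 10.0.0.0/24 and never fire. Note that remove takes only the one entry out; this is the named-ACL-mode deletion the numbered-ACL note above recommends instead of a global no access-list statement.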

APPLY a Standard Named ACL to an interface

The command is the same as for numbered ACLs, with the name in place of the number:

configure terminal
interface g0/0     // Here the interface Gigabit 0/0 is an example
ip access-group {acl-name} {in | out}

Extended ACLs

They work on the same principle as standard ACLs, but they match on more fields (protocol, source and destination address, port numbers), so they can be both more precise and more complex.

🚨
IMPORTANT: Unlike Standard ACLs, Extended ACLs should be placed as close as possible to the SOURCE. Because they also match on destination and protocol, they can drop exactly the unwanted traffic at the first hop, instead of letting it cross the network only to be dropped near the far end.

Numbered ACLs

Extended numbered ACLs use the ranges 100-199 and 2000-2699.

configure terminal
access-list {number} {permit | deny} {protocol} {source-ip} {wildcard} {destination-ip} {wildcard}

Named ACLs

configure terminal
ip access-list extended {acl-name | acl-number}
[entry-number] {permit | deny} {protocol} {source-ip} {wildcard} {destination-ip} {wildcard}
⚠️
IMPORTANT: If you don't care which protocol is permitted or denied (typical for any statements), use ip in the protocol field (i.e. permit ip any any).
⚠️
IMPORTANT: To specify a /32 address (a host address), use the host keyword or a wildcard of 0.0.0.0.
💡
NOTE: If you use the any keyword, no wildcard mask follows it.

Filter by port number

Filtering on a port number narrows the match to a specific service (an application-layer protocol) such as SSH (TCP 22), FTP (TCP 21) or HTTP (TCP 80). Port operators only make sense when the protocol field is tcp or udp; with ip in the protocol field there is no port to compare. The operator goes right after the address it applies to: after the source address for source ports, after the destination address for destination ports. In practice most rules filter on the destination port, since source ports are ephemeral.

[entry-number] {permit | deny} {tcp | udp} {source-ip} {wildcard} [{eq | gt | lt | neq | range} {port-number}] {destination-ip} {wildcard} [{eq | gt | lt | neq | range} {port-number}]
💡
NOTE: range takes two port numbers (the lower and upper bound, inclusive); the other operators take one.