Cisco ACLs are characterized by single or multiple permit/deny statements. The purpose is to filter inbound or outbound packets on a selected network interface. There are a variety of ACL types that are deployed based on requirements. Only two ACLs are permitted on a Cisco interface per protocol. That would include for instance a single IP ACL applied inbound and single IP ACL applied outbound.
Cisco best practices for creating and applying ACLs
- Apply extended ACL near source
- Apply standard ACL near destination
- Order ACL with multiple statements from most specific to least specific.
- Maximum of two ACLs can be applied to a Cisco network interface.
- Only one ACL can be applied inbound or outbound per interface per Layer 3 protocol.
There are some recommended best practices when creating and applying access control lists (ACL). The network administrator should apply a standard ACL closest to the destination. The standard ACL statement is comprised of a source IP address and wildcard mask. There is a common number or name that assigns multiple statements to the same ACL.
Standard ACLs are an older type and very general. As a result they can inadvertently filter traffic incorrectly. Applying the standard ACL near the destination is recommended to prevents possible over-filtering. The extended ACL should be applied closest to the source. Extended ACLs are granular (specific) and provide more filtering options. They include source address, destination address, protocols and port numbers. Applying extended ACLs nearest to the source prevents traffic that should be filtered from traversing the network. That conserves bandwidth and additional processing required at each router hop from source to destination endpoints.
Some access control lists are comprised of multiple statements. The ordering of statements is key to ACL processing. The router starts from the top (first) and cycles through all statements until a matching statement is found. The packet is dropped when no match exists. Order all ACL statements from most specific to least specific. Assigning least specific statements first will sometimes cause a false match to occur. As a result the match on the intended ACL statement never occurs.
The more specific ACL statement is characterized by source and destination address with shorter wildcard masks (more zeros). That configures specific subnets to match. In addition, application protocols or port numbers are also specified. The first ACL statement is more specific than the second ACL statement.
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23
access-list 100 deny tcp any any eq 23
The dynamic ACL provides temporary access to the network for a remote user. The ACL configured defines the type of access permitted and the source IP address. In addition there is a timeout value that limits the amount of time for network access. The remote user sign-on is available with a configured username and password.
ACL Wildcard Masks
The wildcard mask is a technique for matching specific IP address or range of IP addresses. Cisco access control lists (ACL) filter based on the IP address range configured from a wildcard mask. The wildcard mask is an inverted mask where the matching IP address or range is based on 0 bits. The additional bits are set to 1 as no match required. The wildcard 0.0.0.0 is used to match a single IP address. The wildcard mask for 255.255.224.0 is 0.0.31.255 (invert the bits so zero=1 and one=0) noted with the following example.
11111111.11111111.111 00000.00000000 = subnet mask (255.255.224.0)
00000000.00000000.000 11111.11111111 = wildcard mask (0.0.31.255)
All hosts and network devices have network interfaces that are assigned an IP address. Each subnet has a range of host IP addresses that are assignable to network interfaces. ACL wildcards are configured to filter (permit/deny) based on an address range. That could include hosts, subnets or multiple subnets.
There are classful and classless subnet masks along with associated wildcard masks. Classful wildcard masks are based on the default mask for a specific address class. Anytime a nondefault wildcard mask (or subnet mask) is applied to an address class, it is classless addressing.
Example 1: Classful Wildcard Mask
The following wildcard 0.0.0.255 will only match on 192.168.3.0 subnet and not match on everything else. This could be used with an ACL for example to permit or deny a subnet.
192 . 168 . 3 . 0 11000000.10101000.00000011.00000000
00000000.00000000.00000000.11111111 = 0.0.0.255
192.168.3.0 0.0.0.255 = match on 192.168.3.0 subnet only
Example 2: Classful Wildcard Mask
The following wildcard 0.0.0.255 will only match on 200.200.1.0 subnet and not match on everything else. This could be used with an ACL for example to permit or deny a public host address or subnet.
200 . 200 . 1 . 0 11001000.11001000.00000001.00000000
00000000.00000000.00000000.11111111 = 0.0.0.255
200.200.1.0 0.0.0.255 = match on 200.200.1.0 subnet only
Example 3: Classful Wildcard Mask
The following wildcard 0.0.255.255 will match on all 172.16.0.0 subnets and not match on everything else. This could be used with an ACL for example to permit or deny multiple subnets.
172 . 16 . 0 . 0 10101100.00010000.00000000.00000000
00000000.00000000.11111111.11111111 = 0.0.255.255
172.16.0.0 0.0.255.255 = match on 172.16.0.0 subnet only
Example 1: Classless Wildcard Mask
Anytime you apply a nondefault wildcard, that is referred to as classless addressing. In this example, 192.168.1.0 is a class C network address. All class C addresses have a default subnet mask of 255.255.255.0 (/24). Conversely, the default wildcard mask is 0.0.0.255 for a class C address.
To permit of deny a range of host addresses within the 4th octet requires a classless wildcard mask. For this example, wildcard 0.0.0.15 will match on the host address range from 192.168.1.1 - 192.168.1.14. and not match on everything else. It is the first four bits of the 4th octet that add up to 14 host addresses. The network and broadcast address cannot be assigned to a network interface. This could be used with an ACL for example to permit or deny specific host addresses only.
192 . 168 . 1 . 0 11000000.10101000.00000001.0000 0000
00000000.00000000.00000000.0000 1111 = 0.0.0.15
192.168.1.0 0.0.0.15 = match 192.168.1.1/28 -> 192.168.1.14/28
Example 2: Classless Wildcard Mask
The following wildcard mask 0.0.0.3 will match on host address range from 192.168.4.1 - 192.168.4.2 and not match on everything else. It is the first two bits of the 4th octet that add up to 2 host addresses. The network and broadcast address cannot be assigned to a network interface. This could be used for example to permit or deny specific host addresses on a WAN point-to-point connection.
192 . 168 . 4 . 0 11000000.10101000.00000100.000000 00
00000000.00000000.00000000.000000 11 = 0.0.0.3
192.168.4.0 0.0.0.3 = match 192.168.4.1/30 and 192.168.4.2/30
Example 3: Classless Wildcard Mask
The network administrator must configure an ACL that permits traffic from host range 172.16.1.32 to 172.16.1.39 only. What is the ACL and wildcard mask that would accomplish this?
Answer
The following wildcard mask 0.0.0.7 will match on host address range from 172.16.1.33 - 172.16.1.38 and not match on everything else. It is the first three bits of the 4th octet that add up to 6 host addresses. The network address and broadcast address cannot be assigned to a network interface. This could be used for example to permit or deny specific host addresses within a subnet.
172 . 16 . 1 . 32 10101100.00010000.00000001.00100 000
00000000.00000000.00000000.00000 111 = 0.0.0.7
172.16.1.0 0.0.0.7 = match on 172.16.1.33/29 -> 172.16.1.38/29
The following standard ACL will permit traffic from host IP address range 172.16.1.33/29 to 172.16.1.38/29. Invert the wildcard mask to calculate the subnet mask (0.0.0.7 = 255.255.255.248 (/29) or count all zeros.
access-list 10 permit 172.16.1.32 0.0.0.7
Standard Numbered ACL
The standard access list has a number range from 1-99 and 1300-1999. It specifies permit/deny traffic from only a source address with optional wildcard mask. The wildcard mask is used for filtering of subnet ranges. By default, there is an implicit deny all clause as a last statement with any ACL. That will deny all traffic that is not explicitly permitted. The standard ACL requires that you add a mandatory permit any as a last statement.
access-list 99 deny host 172.33.1.1
access-list 99 permit any
This allows all packets that do not match any previous clause within an ACL. The Cisco best practice is to order statements in sequence from most specific to least specific.
Standard Named ACL
This is an ACL that is configured with a name instead of a number. It does have the same rules as a standard numbered ACL. The following ACL named internet will deny all traffic from all hosts on 192.168.1.0/24 subnet. In addition, it will log any packets that are denied.
ip access-list internet log
deny 192.168.1.0 0.0.0.255
permit any
Named ACLs allow for dynamically adding or deleting ACL statements without having to delete and rewrite all lines. There is of course less CPU utilization required as well. They are easier to manage and enable troubleshooting of network issues.
Extended Numbered ACL
The number range is from 100-199 and 2000-2699. It supports multiple permit and deny statements with source and/or destination IP address. In addition you can filter based on IP, TCP or UDP application-based protocol or port number.
There is an implicit hidden deny any any last statement added to the end of any extended ACL. You must include permit ip any any as a last statement to all extended ACLs. That effectively permits all packets that do not match any previous clause within an ACL. Some ACLs are comprised of all deny statements as well, so without the last permit statement, all packets would be dropped.
Figure 1 Extended ACL
Extended ACL Configuration (Video)
Example 1: Extended ACL
The following IOS command permits http traffic from host 10.1.1.1 to host 10.1.2.1 address.
access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 80
The access control list (ACL) statement reads from left to right as - permit all tcp traffic from source host only to destination host that is http (80). The TCP refers to applications that are TCP-based. The UDP keyword is used for applications that are UDP-based such as SNMP for instance.
Example 2: Extended ACL
What is the purpose or effect of applying the following ACL?
access-list 100 deny ip host 192.168.1.1 host 192.168.3.1
access-list 100 permit ip any any
The first statement denies all application traffic from host-1 (192.168.1.1) to web server (host 192.168.3.1). The ip keyword refers to Layer 3 and affects all protocols and applications at layer 3 and higher. The last statement is required to permit all other traffic not matching.
Example 3: Extended ACL
What is the purpose or effect of applying the following ACL?
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 100 permit ip any any
The first statement permits Telnet traffic from all hosts assigned to subnet 192.168.1.0/24 subnet. The tcp keyword is Layer 4 and affects all protocols and applications at Layer 4 and higher. The permit tcp configuration allows the specified TCP application (Telnet). The any keyword allows Telnet sessions to any destination host. The last statement is mandatory and required to permit all other traffic.
Example 4: Extended ACL
What is the purpose or effect of applying the following ACL?
access-list 100 permit ip 172.16.1.0 0.0.0.255 host 192.168.3.1
access-list 100 deny ip 172.16.2.0 0.0.0.255 any
access-list 100 permit ip any any
- The first ACL permits only hosts assigned to subnet 172.16.1.0/24 access to all applications on a server (192.168.3.1)
- The second statement denies hosts assigned to subnet 172.16.2.0/24 access to any server. That would include any additional hosts added to that subnet and any new servers added.
- The last ACL statement is required to permit all other traffic not matching previous filtering statements.
- ACL is applied to an interface with ip access-group command. Most routers often have multiple interfaces (subnets) with hosts assigned. ACL applied outbound to an interface shared by multiple subnets will filter traffic from all hosts on each subnet.
Table 1 Application Ports Numbers and ACL Keywords
Example 5: Extended ACL
Refer to the network drawing. The following ACL was configured inbound on router-1 interface Gi0/1. What is the effect?
access-list 100 deny tcp any host 192.168.1.1 eq 21
access-list 100 permit ip any any
Figure 2 Extended ACL
Answer
The following extended ACL will deny all FTP traffic from any subnet that is destined for server-1.
access-list 100 deny tcp any host 192.168.1.1 eq 21
access-list 100 permit ip any any
- Extended ACL numbering 100-199 and 2000-2699
- FTP = TCP application port 21
- ACL keyword ftp (alternate)
- ACL denies all other traffic explicitly with last statement
Example 6: Extended ACL
Refer to the following router configuration. ACL 100 is not configured correctly and denying all traffic from all subnets. What interface level IOS command immediately removes the effect of ACL 100?
access-list 100 deny tcp 172.16.0.0 0.0.255.255 any eq 80
access-list 100 deny ip any any
router# show ip interface gigabitethernet 1/1
GigabitEthernet1/1 is up, line protocol is up Internet address is 192.168.1.1/24 Broadcast address is 255.255.255.255 Address determined by DHCP MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled
Outgoing access list is 100
Inbound access list is not setProxy ARP is enabled
Answer
ACL must be applied to an interface for it to inspect and filter any traffic. ACL is applied with IOS interface command ip access-group 100 out. To remove filtering requires deleting ip access-group command from the interface. There is support for specifying either an ACL number or name. The access-class in | out command filters VTY line access only.
The in | out keyword specifies a direction on the interface to filter packets. The output from show ip interface command lists the ACL and direction configured for the interface. There is ACL 100 applied outbound on interface Gi1/1.
router(config)# interface gigabitethernet1/1
router(config-if)# no ip access-group 100 out
Example 7: Extended ACL
What IOS command permits Telnet traffic from host 10.1.1.1 to host 10.1.2.1 address?
Answer
The following IOS command permits Telnet traffic from host 10.1.1.1 to host 10.1.2.1 address.
access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 23
In the context of ACLs, there are source and destination subnets and/or hosts. Consider that hosts refer to a single endpoint only whether it is a desktop, server or network device. ACL statement reads from left to right as - permit all tcp traffic from source host to destination host that is Telnet (23). TCP refers to applications that are TCP-based. The UDP keyword is used for UDP-based applications such as SNMP for example.
Example 8: Extended ACL
Refer to the network topology drawing. What are the correct commands to configure the following extended ACL?
- Deny Telnet traffic from 10.0.0.0/8 subnets to router-2
- Deny HTTP traffic from 10.0.0.0/8 subnets to all subnets
- Permit all other traffic that does not match
Figure 3 Extended ACL
Answer
The following IOS commands will configure the correct ACL statements based on the security requirements.
access-list 100 deny tcp 10.0.0.0 0.255.255.255 host 192.168.2.2 eq 23
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any eq 80
access-list 100 permit ip any any
All extended ACLs must have a source and destination whether it is a host, subnet or range of subnets. The last ACL statement permit ip any any is mandatory for extended ACLs. Apply the ACL inbound on router-1 interface Gi1/0 with IOS command ip access-group 100 in. All ACL statements numbered 100 are grouped as a single ACL and applied to that interface. Extended ACL is always applied nearest to the source.
The following examples describe syntax for source and destination ports. Configuring both ACL statements would filter traffic from the source and to the source as well.
permit tcp any any eq 80
(Allows all traffic with destination port 80 (http) from any host to any destination)
permit tcp any eq 80 any
(Allows all traffic with source port 80 (http) from any host to any destination)
The deny tcp with no application specified will deny traffic from all TCP applications (Telnet, SSH etc). It would however allow all UDP-based application traffic.
Example 9: Extended ACL
What access list permits all TCP-based application traffic from clients except HTTP, SSH and Telnet?
Answer
There is support for operators that can be applied to access control lists based on filtering requirements. There is include ports (eq), exclude ports (neq), ports greater than (gt), ports less than (lt) and range of ports.
access-list 100 permit tcp any any neq 22,23,80
The ACL reads from left to right " permit all tcp-based applications from any source to any destination except TCP 22 (SSH), TCP 23 (Telnet), and TCP 80 (HTTP).
Example 10: Extended ACL
What access list denies all TCP-based application traffic from clients with ports higher than 1023?
Answer
Cisco access control lists support multiple different operators that affect how traffic is filtered. The most common is eq (equal to) operator that does a match on an application port or keyword. For example, eq 80 is used to permit/deny web-based application traffic (http). The following ACL denies all TCP-based application traffic from any source to any destination where port is higher than 1023.
access-list 100 deny tcp any any gt 1023
Most application are assigned an application port lower than 1024. This ACL would deny dynamic ephemeral ports (1024+) that are randomly assigned for a TCP or UDP session. The client is assigned a dynamic source port and server is assigned a dynamic range destination port. In effect, it would not permit any TCP/UDP session setup since dynamic ports (ephemeral) are required between client and server. You could also deny dynamic reserved ports from a client or server only. For example, to deny TCP application traffic from client to server, then access-list 100 deny tcp any gt 1023 any command would drop packets since client is assigned a dynamic source port.
Extended Named ACL
There is an option to configure an extended ACL based on a name instead of a number. You can dynamically add or delete statements to any named ACL without having to delete and rewrite all lines. They are easier to manage and troubleshoot as well.
Example 1: Extended Named ACL
Refer to the network topology drawing. Router-1 is configured with the following (ACL configuration. The purpose is to deny access from all hosts on 192.168.0.0/16 subnets to the server. What is the correct router interface and direction to apply the named ACL?
ip access-list extended hosts-deny
deny ip 192.168.0.0 0.0.255.255 host 172.16.3.1
Figure 4 Extended Named ACL
Answer
The named ACL hosts-deny is to deny traffic from all hosts assigned to all 192.168.0.0/16 subnets. Wildcard mask 0.0.255.255 is configured to include all subnets for that address class.
The ACL is applied outbound on router-1 interface Gi1/1. That filters traffic nearest to the source for all subnets attached to router-1. Applying ACL inbound on router-1 interface Gi0/0 for example, would deny access from subnet 192.168.1.0/24 only and not 192.168.2.0/24 subnet.
Example 2: Extended Named ACL
Refer to the network topology drawing. Create an extended named ACL based on the following security requirements?
- assign ACL name http-ssh-filter
- add a remark describing the purpose of ACL
- permit http traffic from all 192.168.0.0/16 subnets to web server
- deny SSH traffic from all 192.168.0.0/16 subnets
- permit all traffic that does not match any ACL statement
Figure 5 Extended Named ACL
Answer
The following IOS commands will configure the correct ACL statements based on the security requirements.
ip access-list extended http-ssh-filter
remark permit HTTP to web server and deny SSH protocol
permit tcp 192.168.0.0 0.0.255.255 host 192.168.3.1 eq 80
deny tcp any any eq 22
permit ip any any
interface Gigabitethernet0/0
ip access-group http-ssh-filter in
The extended named ACL is applied inbound on router-1 interface Gi0/0 with ip access-group http-ssh-filter command.
IPv6 Extended ACL
Cisco does support both IPv4 and IPv6 ACLs on network interfaces for security filtering. There are some differences with how IPv6 ACLs are deployed. The following are three primary differences between IPv4 and IPv6 support for access control lists (ACL).
- IPv6 supports only extended named ACLs
- IPv6 permits ICMP neighbor discovery (ARP) as implicit default
- IPv6 denies all traffic as an implicit default for the last line of the ACL
Example: IPv6 Extended ACL
Refer to the network drawing. What does the following IPv6 ACL accomplish when applied inbound on router-1 interface Gi0/1?
ipv6 access-list web-traffic
deny tcp host 2001:DB8:3C4D:1::1/64 host 2001:DB8:3C4D:3::1/64 eq www
permit ipv6 any any
Figure 6 IPv6 Extended ACL
Answer
IPv4 and IPv6 ACLs use similar syntax from left to right. For example, the IPv6 ACL reads as - deny tcp traffic from host address (source) to host address (destination). All web applications are TCP-based and as such require deny tcp. The keyword www specifies HTTP (web-based) traffic.
The deny tcp with no application specified will deny traffic from all TCP applications (Telnet, SSH, HTTP, etc). It would however allow all UDP-based application traffic. The deny ipv6 host portion when configured won't allow UDP or TCP traffic. IP is a lower layer protocol and required for higher layer protocols. IPv6 ACL requires permit ipv6 any any as a last statement.
Operational Commands
The following IOS command lists all IPv4 ACLs configured on a router.
router# show access-lists
The following IOS command lists all IPv6 ACLs configured on a router.
router# show ipv6 access-list
CiscoNet Training Solutions