Table of Contents

Introduction
Wildcard Masks
Classful Wildcard Examples
Classless Wildcard Examples
Standard Numbered ACL
Standard Named ACL
Extended Numbered Example 1
Extended Numbered Example 2
Extended Numbered Example 3
Extended Numbered Example 4
Extended Numbered Example 5
Extended Numbered Example 6
Extended Numbered Example 7
Extended Numbered Example 8
Extended ACL Operators Example 9
Extended ACL Operators Example 10
IPv4 Extended Named ACL Example 1
IPv4 Extended Named ACL Example 2
IPv6 Extended Named ACL  

Introduction

Cisco ACLs are single or multiple permit/deny statements that filter inbound or outbound packets on a network interface. Only two ACLs are permitted per network interface per protocol. For example, a single IP ACL applied inbound and a single IP ACL applied outbound. There are a variety of ACL types available that are configured based on security requirements.

Cisco best practices for creating and applying ACLs:

  • Apply extended ACL near source
  • Apply standard ACL near destination
  • Order ACL with multiple statements from most specific to least specific.
  • Maximum of two ACLs can be applied to a Cisco network interface.
  • Only one ACL can be applied inbound or outbound per interface per Layer 3 protocol.

There are some recommended best practices when creating and applying access control lists (ACL). The network administrator should apply a standard ACL closest to the destination. A standard ACL statement is comprised of a source IP address and a wildcard mask. Multiple statements belong to the same ACL when they share a common number or name.

Standard ACLs are an older type and very general. As a result they can inadvertently filter traffic that should have been allowed. Applying the standard ACL near the destination is recommended to prevent possible over-filtering. The extended ACL should be applied closest to the source. Extended ACLs are granular (specific) and provide more filtering options. They include source address, destination address, protocols and port numbers. Applying extended ACLs nearest to the source prevents traffic that should be filtered from traversing the network. That conserves bandwidth and the additional processing required at each router hop from source to destination endpoints.

Some access control lists are comprised of multiple statements. The ordering of statements is key to ACL processing. The router starts from the top (first statement) and works down through the statements until a matching statement is found; the first match decides. The packet is dropped when no match exists. Order all ACL statements from most specific to least specific. Placing a less specific statement first can cause it to match a packet that a later, more specific statement was intended to handle. As a result the intended ACL statement is never reached.

The more specific ACL statement is characterized by source and destination addresses with more restrictive wildcard masks (more zero bits). That configures specific subnets to match. In addition, application protocols or port numbers are also specified. The first ACL statement below is more specific than the second ACL statement.

              access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23
              access-list 100 deny tcp any any eq 23

The dynamic ACL provides temporary access to the network for a remote user. The ACL configured defines the type of access permitted and the source IP address. In addition there is a timeout value that limits the amount of time for network access. The remote user sign-on is available with a configured username and password.

ACL Wildcard Masks

The wildcard mask is a technique for matching a specific IP address or a range of IP addresses. Cisco access control lists (ACL) filter based on the IP address range configured from a wildcard mask. The wildcard mask is an inverted mask: address bits that line up with 0 bits in the wildcard must match, and bits that line up with 1 bits are ignored (no match required). The wildcard 0.0.0.0 is used to match a single IP address. The wildcard mask for 255.255.224.0 is 0.0.31.255 (invert the bits so zero becomes 1 and one becomes 0), as shown in the following example.

11111111.11111111.111 00000.00000000 = subnet mask (255.255.224.0)
00000000.00000000.000 11111.11111111 = wildcard mask (0.0.31.255)

All hosts and network devices have network interfaces that are assigned an IP address. Each subnet has a range of host IP addresses that are assignable to network interfaces. ACL wildcards are configured to filter (permit/deny) based on an address range. That could include hosts, subnets or multiple subnets.

There are classful and classless subnet masks along with associated wildcard masks. Classful wildcard masks are based on the default mask for a specific address class. Anytime a nondefault wildcard mask (or subnet mask) is applied to an address class, it is classless addressing.

Example 1: Classful Wildcard Mask

The following wildcard 0.0.0.255 will match only the 192.168.3.0 subnet and nothing else. This could be used with an ACL, for example, to permit or deny a subnet.

      192     .      168   .      3        .     0
11000000.10101000.00000011.00000000
00000000.00000000.00000000.11111111 = 0.0.0.255
192.168.3.0  0.0.0.255 = match on 192.168.3.0 subnet only

Example 2: Classful Wildcard Mask

The following wildcard 0.0.0.255 will match only the 200.200.1.0 subnet and nothing else. This could be used with an ACL, for example, to permit or deny a public host address or subnet.

     200     .      200   .      1        .      0
11001000.11001000.00000001.00000000
00000000.00000000.00000000.11111111 = 0.0.0.255
200.200.1.0  0.0.0.255 = match on 200.200.1.0 subnet only

Example 3: Classful Wildcard Mask

The following wildcard 0.0.255.255 will match all 172.16.0.0 subnets and nothing else. This could be used with an ACL, for example, to permit or deny multiple subnets.

     172     .       16     .        0      .      0
10101100.00010000.00000000.00000000
00000000.00000000.11111111.11111111 = 0.0.255.255
172.16.0.0  0.0.255.255 = match on all 172.16.0.0 subnets only

Example 1: Classless Wildcard Mask

Anytime you apply a nondefault wildcard, that is referred to as classless addressing. In this example, 192.168.1.0 is a class C network address. All class C addresses have a default subnet mask of 255.255.255.0 (/24). Correspondingly, the default wildcard mask is 0.0.0.255 for a class C address.

To permit or deny a range of host addresses within the 4th octet requires a classless wildcard mask. For this example, wildcard 0.0.0.15 will match the host address range from 192.168.1.1 - 192.168.1.14 and nothing else. It is the four low-order bits of the 4th octet (the 1 bits in the wildcard) that give the 14 host addresses. The network and broadcast address cannot be assigned to a network interface. This could be used with an ACL, for example, to permit or deny specific host addresses only.

      192    .      168    .       1       .    0
11000000.10101000.00000001.0000 0000
00000000.00000000.00000000.0000 1111 = 0.0.0.15
192.168.1.0  0.0.0.15 = match 192.168.1.1/28 -> 192.168.1.14/28

Example 2: Classless Wildcard Mask

The following wildcard mask 0.0.0.3 will match the host address range from 192.168.4.1 - 192.168.4.2 and nothing else. It is the two low-order bits of the 4th octet that give the 2 host addresses. The network and broadcast address cannot be assigned to a network interface. This could be used, for example, to permit or deny specific host addresses on a WAN point-to-point connection.

      192    .      168    .       4       .     0
11000000.10101000.00000100.000000 00
00000000.00000000.00000000.000000 11 = 0.0.0.3
192.168.4.0 0.0.0.3 = match 192.168.4.1/30 and 192.168.4.2/30

Example 3: Classless Wildcard Mask

The network administrator must configure an ACL that permits traffic from host range 172.16.1.32 to 172.16.1.39 only. What is the ACL and wildcard mask that would accomplish this?

Answer

The following wildcard mask 0.0.0.7 will match the host address range from 172.16.1.33 - 172.16.1.38 and nothing else. It is the three low-order bits of the 4th octet that give the 6 host addresses. The network address and broadcast address cannot be assigned to a network interface. This could be used, for example, to permit or deny specific host addresses within a subnet.

       172   .      16      .      1       .     32
10101100.00010000.00000001.00100 000
00000000.00000000.00000000.00000 111 = 0.0.0.7
172.16.1.32 0.0.0.7 = match on 172.16.1.33/29 -> 172.16.1.38/29

The following standard ACL will permit traffic from the host IP address range 172.16.1.33/29 to 172.16.1.38/29. Invert the wildcard mask to calculate the subnet mask (0.0.0.7 = 255.255.255.248, or /29), or count all the zero bits.

             access-list 10 permit 172.16.1.32 0.0.0.7
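The wildcard arithmetic used throughout the examples above (which addresses a base/wildcard pair matches, converting a wildcard back to a subnet mask, and deriving the wildcard for an aligned host range such as the 172.16.1.32 - 172.16.1.39 question) can be checked with the following Python. This is an added example, not code from the article; the function names are my own, and the sample addresses are the ones used in the article.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is matched by the base/wildcard pair.

    A 0 bit in the wildcard means that bit of addr must equal base;
    a 1 bit means the bit is ignored. Works for non-contiguous wildcards too.
    """
    care = ALL_ONES ^ _to_int(wildcard)          # invert: 0 -> must match
    return (_to_int(addr) & care) == (_to_int(base) & care)


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """Invert every bit: 0.0.0.7 -> 255.255.255.248 (/29)."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ _to_int(wildcard)))


def matched_range(base: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address matched, assuming a contiguous wildcard."""
    w = _to_int(wildcard)
    low = _to_int(base) & (ALL_ONES ^ w)         # clear the don't-care bits
    high = low | w                               # set the don't-care bits
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def wildcard_for_range(first: str, last: str) -> tuple[str, str]:
    """Base and wildcard covering exactly first..last.

    Only an aligned power-of-two block (a subnet) maps to a single wildcard;
    anything else needs more than one statement, so raise instead of guessing.
    """
    f, l = _to_int(first), _to_int(last)
    size = l - f + 1
    if size <= 0 or size & (size - 1) or f % size:
        raise ValueError("range is not an aligned power-of-two block")
    return first, str(ipaddress.IPv4Address(size - 1))
```

matched_range reports the whole block including network and broadcast, so the assignable hosts are the addresses strictly between the two values it returns.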

Standard Numbered ACL

The standard access list has a number range from 1-99 and 1300-1999. It specifies permit/deny for traffic from a source address only, with an optional wildcard mask. The wildcard mask is used for filtering of subnet ranges. By default, there is an implicit deny all clause as the last statement of any ACL. That will deny all traffic that is not explicitly permitted. For that reason a standard ACL that is meant to allow the remaining traffic must end with an explicit permit any statement.

             access-list 99 deny host 172.33.1.1
             access-list 99 permit any

This allows all packets that do not match any previous clause within an ACL. The Cisco best practice is to order statements in sequence from most specific to least specific.

Standard Named ACL

This is an ACL that is configured with a name instead of a number. It has the same rules as a standard numbered ACL. The following ACL named internet will deny all traffic from all hosts on the 192.168.1.0/24 subnet. In addition, the log keyword on the deny statement will log any packets that are denied.

             ip access-list standard internet
              deny 192.168.1.0 0.0.0.255 log
              permit any

Named ACLs allow individual statements to be added or deleted without having to delete and rewrite all lines. There is of course less CPU utilization required as well. They are easier to manage and make troubleshooting of network issues simpler.

Extended Numbered ACL

The number range is from 100-199 and 2000-2699. It supports multiple permit and deny statements with source and/or destination IP address. In addition you can filter based on IP, TCP or UDP application-based protocol or port number.

There is an implicit hidden deny all clause added as the last statement of any extended ACL. Include permit ip any any as the last statement of an extended ACL whenever the remaining traffic should be allowed. That effectively permits all packets that do not match any previous clause within the ACL. Some ACLs are comprised of all deny statements as well, so without the last permit statement, all packets would be dropped.

Figure 1  Extended ACL (image not reproduced here)

Example 1: Extended Numbered ACL

The following IOS command permits http traffic from host 10.1.1.1 to host 10.1.2.1 address.

             access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 80

The access control list (ACL) statement reads from left to right as: permit TCP traffic from the source host only, to the destination host only, with destination port http (80). The tcp keyword refers to applications that are TCP-based. The udp keyword is used for applications that are UDP-based, such as SNMP for instance.
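The following Python is an added example (not the article's own code) that parses the subset of extended ACL syntax used on this page (any, host, address/wildcard, an optional eq port) and applies the first-match plus implicit-deny rule described earlier. It uses the two-statement telnet ACL from the ordering discussion to show why the more specific statement has to come first; the packet values are constructed for the demonstration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # every bit is don't-care


def _addr_spec(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _wc_match(addr, spec):
    base, wildcard = spec
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, t = _addr_spec(t[4:])
    dst, t = _addr_spec(t)
    dport = int(t[1]) if len(t) >= 2 and t[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, proto, src, dst, dport):
    """Return (action, index of the deciding statement) or ('deny', None)
    when nothing matched, i.e. the implicit deny at the end of the ACL."""
    for i, ace in enumerate(acl):
        if ace["proto"] not in ("ip", proto):          # 'ip' covers tcp and udp
            continue
        if not (_wc_match(src, ace["src"]) and _wc_match(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], i
    return "deny", None


# Constructed sample: the article's two-statement telnet ACL, in both orders.
SPECIFIC_FIRST = [parse_ace(l) for l in (
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23",
    "access-list 100 deny tcp any any eq 23",
)]
GENERAL_FIRST = list(reversed(SPECIFIC_FIRST))
```

With the general deny placed first, a telnet session from 192.168.1.0/24 to 10.10.64.1 is dropped before the permit is ever consulted, which is the false match the ordering rule warns about.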

This article was an excerpt from my CCNA 200-301 Masterclass.        

Comments
pmckenzie
Level 3

A great introduction to ACLs especially for prospective CCNA candidates.

Question and Answer get you thinking about the content.

dmacholz
Level 1

Thanks! Great Information.

Sithin Adiyeri
Level 1

Great content!
