Chapter 10

👮‍♀️ ACLs - The Security Guard

By Sys-Metrics · 60 min chapter

🎯 Meet the Network's Bouncer

If routers are like postal workers directing traffic between networks, then ACLs (Access Control Lists) are like security guards who check IDs and decide who gets in and who gets stopped. They're the bouncers of the networking world, examining every packet and making allow/deny decisions based on rules you create.

🎯 Chapter Goals: Master Access Control Lists fundamentals, configure standard and extended ACLs, understand wildcard masks, learn proper ACL placement, and secure your networks like a professional security expert!

🛡️ What Are ACLs and Why Do We Need Them?

Access Control Lists are sequential lists of permit and deny statements that control traffic flow based on various criteria. Think of them as a VIP list at an exclusive club:

ACL Fundamentals

  • Packet Filtering: Examine packets and make permit/deny decisions
  • Sequential Processing: Rules checked from top to bottom in order
  • Implicit Deny: Anything not explicitly permitted is automatically denied
  • Stateless: Each packet examined independently
  • Router Processing: Applied to router interfaces in specific directions

Common ACL Use Cases

🔒 Security Applications

  • Network Segmentation: Block traffic between departments
  • Server Protection: Allow only specific hosts to access servers
  • Internet Control: Block access to inappropriate websites
  • Administrative Access: Restrict management traffic
  • DoS Prevention: Block suspicious traffic patterns

⚙️ Operational Applications

  • Routing Control: Filter routing protocol advertisements
  • NAT Definition: Define which traffic gets translated
  • VPN Control: Specify interesting traffic for tunnels
  • QoS Classification: Identify traffic for priority handling
  • Logging: Monitor specific traffic patterns

The Security Guard Analogy

Nightclub Security Guard at Work
  1. 📋 Guard has a list of rules: VIPs allowed, minors denied, dress code required
  2. 🚶‍♂️ Person approaches club wanting entry
  3. 🔍 Guard checks person against list rules, starting from top
  4. ✅ If person matches "permit" rule, they're allowed in
  5. ❌ If person matches "deny" rule, they're turned away
  6. 🚫 If no rules match, person is denied (implicit deny)

🧠 Memory Trick: ACLs = Access Control Lists = Awesome Club Lists!

📊 Standard vs Extended ACLs

There are two main types of ACLs, like having different security clearance levels:

๐Ÿ“ Standard ACLs (Basic Security)

  • Numbers: 1-99 and 1300-1999
  • Criteria: Source IP address only
  • Granularity: Limited control options
  • Placement: Close to destination
  • Use Case: Simple allow/deny by location
  • Example: "Block all traffic from Sales network"

🔍 Extended ACLs (Advanced Security)

  • Numbers: 100-199 and 2000-2699
  • Criteria: Source/destination IP, protocols, ports
  • Granularity: Very specific control
  • Placement: Close to source
  • Use Case: Precise traffic control
  • Example: "Block HTTP from Sales to Internet"

Standard ACL Example

Router(config)# access-list 10 deny 192.168.10.0 0.0.0.255
# Block all traffic from 192.168.10.0/24 network
Router(config)# access-list 10 deny host 192.168.20.100
# Block traffic from specific host 192.168.20.100
Router(config)# access-list 10 permit any
# Allow all other traffic (explicit permit)

Extended ACL Example

Router(config)# access-list 100 deny tcp 192.168.10.0 0.0.0.255 any eq 80
# Block HTTP traffic from Sales network to anywhere
Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 192.168.100.10 0.0.0.0 eq 443
# Allow HTTPS to specific server 192.168.100.10
Router(config)# access-list 100 permit ip any any
# Allow all other IP traffic

Named ACLs (Modern Approach)

Router(config)# ip access-list extended SALES-INTERNET-FILTER
Router(config-ext-nacl)# deny tcp 192.168.10.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
๐Ÿท๏ธ Pro Tip: Use named ACLs for complex policies - they're easier to manage and understand than numbered ACLs!

🎭 Wildcard Masks: The Flexible Security Filter

Wildcard masks are like flexible filters that let you specify exactly which parts of an IP address to check. Think of them as spotlight controls - 0 means "care about this bit" and 1 means "ignore this bit":

Wildcard Mask Logic

  • 0 = Check This Bit: Must match exactly (like saying "check this person's ID")
  • 1 = Ignore This Bit: Don't care what value it is (like saying "don't check age")
  • Opposite of Subnet Mask: Subnet mask inverted equals wildcard mask
  • Network Matching: Allows matching ranges of IP addresses

Common Wildcard Mask Examples

  • Single Host: 192.168.10.100 0.0.0.0 (match exactly one host)
  • Entire Subnet: 192.168.10.0 0.0.0.255 (match whole /24 network)
  • Any Address: 0.0.0.0 255.255.255.255 (match any IP address)

Wildcard Mask Calculation

Converting Subnet Mask to Wildcard:
Subnet Mask: 255.255.255.0 (/24 network)
Wildcard: 0.0.0.255 (subtract from 255.255.255.255)

Subnet Mask: 255.255.248.0 (/21 network)
Wildcard: 0.0.7.255 (8 networks matched)

Subnet Mask: 255.255.255.252 (/30 point-to-point)
Wildcard: 0.0.0.3 (4 addresses matched)

Advanced Wildcard Examples

access-list 10 permit 192.168.0.0 0.0.255.255
# Match 192.168.x.x (any third and fourth octet)
access-list 10 permit 10.1.1.0 0.0.0.3
# Match 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.1.3
access-list 10 permit 192.168.10.1 0.0.0.254
# Match odd-numbered hosts in 192.168.10.0/24
access-list 10 deny host 192.168.10.100
# Block specific host (shortcut for 0.0.0.0 wildcard)
access-list 10 permit any
# Allow everything else (shortcut for 0.0.0.0 255.255.255.255)

Wildcard Mask Binary Example

Goal: Match 192.168.10.0/24 network
Network: 192.168.10.0
Binary: 11000000.10101000.00001010.00000000
Wildcard: 0.0.0.255
Binary: 00000000.00000000.00000000.11111111

Result: Match 192.168.10.x where x = anything
First 24 bits must match exactly (0s in wildcard)
Last 8 bits can be anything (1s in wildcard)
🎯 Quick Check: Host = 0.0.0.0 wildcard, Network = subnet mask inverted, Any = 255.255.255.255 wildcard!
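Added example (not code from the chapter): a small Python calculator for the wildcard rules above. It converts subnet masks and prefix lengths to wildcards, checks an address against an address/wildcard pair bit by bit, and counts how many addresses a wildcard covers, including the non-contiguous 0.0.0.254 odd-host case from the advanced examples.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask
    (the same result as subtracting the mask from 255.255.255.255)."""
    return _to_dotted(_to_int(subnet_mask) ^ ALL_ONES)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /n network: the low 32-n bits are 1 ('ignore')."""
    return _to_dotted((1 << (32 - prefix_len)) - 1)


def matches(address: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks with 0 ('check') is identical in the
    candidate address and the base address; bits marked 1 are never compared."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(address) & care) == (base_int(base) & care)


def base_int(base: str) -> int:
    return _to_int(base)


def address_count(wildcard: str) -> int:
    """How many addresses an address/wildcard pair can match: 2 ** (number of 1 bits).
    Works for non-contiguous wildcards such as 0.0.0.254 as well."""
    return 1 << bin(_to_int(wildcard)).count("1")


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.248.0"))                   # 0.0.7.255
    print(matches("192.168.10.7", "192.168.10.1", "0.0.0.254"))  # True: odd host
    print(matches("192.168.10.8", "192.168.10.1", "0.0.0.254"))  # False: even host
```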

๐Ÿ“ ACL Placement: Location, Location, Location!

Just like real estate, ACL placement is all about location. Place your security guards in the wrong spot, and they either block too much or too little traffic:

ACL Placement Rules

  • 📍 Standard ACLs: Place close to DESTINATION (they're not very smart)
  • 🔍 Extended ACLs: Place close to SOURCE (they're very specific)
  • ⬇️ Inbound: Filter traffic ENTERING the interface
  • ⬆️ Outbound: Filter traffic LEAVING the interface

Why Placement Matters

Bad Standard ACL Placement (Too Close to Source)
  1. ❌ Standard ACL blocks entire Sales network at source router
  2. 😵 Sales users can't access ANY network resources
  3. 💔 Legitimate traffic to other servers also blocked
  4. 🔥 Network administrator gets angry phone calls

Good Extended ACL Placement (Close to Source)
  1. ✅ Extended ACL blocks specific HTTP traffic at source
  2. 🎯 Only unwanted traffic filtered, legitimate traffic flows
  3. 🚀 Network resources conserved (no unnecessary traffic)
  4. 😊 Users happy, security goals achieved

ACL Application to Interfaces

Router(config)# interface fastethernet 0/0
Router(config-if)# ip access-group 10 in
# Apply standard ACL 10 to inbound traffic
Router(config-if)# ip access-group SALES-FILTER out
# Apply named ACL to outbound traffic
Router(config-if)# exit

ACL Processing Order

  1. Inbound ACL: Check before routing decision
  2. Routing Table: Find outbound interface
  3. Outbound ACL: Check before forwarding
  4. Forward Packet: Send to destination

Interface Limits

  • One ACL per Interface: Maximum one ACL per direction per protocol
  • Per Direction: Separate ACLs for inbound and outbound
  • Per Protocol: Different ACLs for IP, IPX, AppleTalk, etc.
  • Replace, Don't Add: New ACL replaces existing one on same interface/direction

⚙️ ACL Configuration Examples

Example 1: Block Sales from HR Server

Scenario: Block Sales network (192.168.10.0/24) from HR server (192.168.100.10)

Router(config)# access-list 10 deny 192.168.10.0 0.0.0.255
Router(config)# access-list 10 permit any

Router(config)# interface fastethernet 0/2
# Interface connected to HR server
Router(config-if)# ip access-group 10 out
# Apply close to destination (standard ACL rule), in the OUTBOUND direction:
# packets from Sales leave the router through this interface toward the HR server.
# Applying it "in" here would only inspect traffic arriving from the HR server and block nothing.

Example 2: Allow Only HTTPS and Email

Scenario: Sales can only use HTTPS (443) and email (25, 110, 143) to internet

Router(config)# ip access-list extended SALES-INTERNET
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 25
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 110
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 143
Router(config-ext-nacl)# permit icmp 192.168.10.0 0.0.0.255 any
# Allow ping for troubleshooting
# Everything else from Sales hits the implicit deny, including DNS (UDP 53) and
# all internal destinations, because the destination is "any" rather than the Internet only
Router(config-ext-nacl)# exit

Router(config)# interface fastethernet 0/0
# Interface connected to Sales network
Router(config-if)# ip access-group SALES-INTERNET in
# Apply close to source (extended ACL rule)

Example 3: Time-Based ACL

Scenario: Block internet access during business hours (9 AM - 5 PM)

Router(config)# time-range BUSINESS-HOURS
Router(config-time-range)# periodic weekdays 9:00 to 17:00
Router(config-time-range)# exit

Router(config)# ip access-list extended TIME-BASED-FILTER
Router(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 any time-range BUSINESS-HOURS
Router(config-ext-nacl)# permit ip any any

Example 4: Port Range and Multiple Criteria

Scenario: Block P2P traffic (high ports) but allow web and email

Router(config)# ip access-list extended BLOCK-P2P
Router(config-ext-nacl)# permit tcp any any eq 80
Router(config-ext-nacl)# permit tcp any any eq 443
Router(config-ext-nacl)# permit tcp any any range 25 110
# Permits every destination port from 25 through 110, not just the email ports
Router(config-ext-nacl)# deny tcp any any range 1024 65535
# Block high destination port numbers (P2P applications)
# Caution: replies to any TCP session are addressed to the client's ephemeral port, which is
# in this range, so this ACL must only see client-to-server traffic (e.g. inbound on the
# client-facing interface), or it needs "permit tcp any any established" ahead of the deny
Router(config-ext-nacl)# permit ip any any
🔧 Best Practice: Always end with explicit permit to avoid unintended blocking due to implicit deny!
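Added example, not code from the chapter: a Python evaluator that parses extended ACEs in the syntax used in the examples above and applies them top to bottom with the implicit deny, so a policy can be checked against the flows it is supposed to permit and deny before it is applied to an interface. It assumes only the ACE forms shown on this page (any, host, address plus wildcard, and eq/range on the destination port), loads Example 4 (BLOCK-P2P) and Example 2 (SALES-INTERNET) as lists of ACEs, and the 203.0.113.0/24 addresses in the test flows are constructed documentation-range stand-ins for the Internet.

```python
import ipaddress
from collections import namedtuple

ANY = (0, 0xFFFFFFFF)  # base 0.0.0.0, wildcard 255.255.255.255
Packet = namedtuple("Packet", "proto src dst dport", defaults=(0,))  # dport ignored for icmp

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2

def parse_ace(line):
    """Parse one extended ACE: <permit|deny> <proto> <src> <dst> [eq N | range A B]."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    ports = None                       # None means "no destination-port condition"
    if i < len(t) and t[i] == "eq":
        ports = (int(t[i + 1]), int(t[i + 1]))
    elif i < len(t) and t[i] == "range":
        ports = (int(t[i + 1]), int(t[i + 2]))
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "ports": ports}

def _addr_ok(addr, spec):
    base, wild = spec
    care = wild ^ 0xFFFFFFFF           # 0 bits in the wildcard are the ones compared
    return (_ip(addr) & care) == (base & care)

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_ok(pkt.src, ace["src"]) and _addr_ok(pkt.dst, ace["dst"])):
        return False
    return ace["ports"] is None or ace["ports"][0] <= pkt.dport <= ace["ports"][1]

def evaluate(acl, pkt):
    """Walk the ACL top to bottom; the first matching ACE decides. Running off the
    end is the implicit deny. Returns (action, the ACE text that matched)."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"

# The chapter's Example 4 (BLOCK-P2P) and Example 2 (SALES-INTERNET) as lists of ACEs.
BLOCK_P2P = ["permit tcp any any eq 80", "permit tcp any any eq 443",
             "permit tcp any any range 25 110", "deny tcp any any range 1024 65535",
             "permit ip any any"]
SALES_INTERNET = ["permit tcp 192.168.10.0 0.0.0.255 any eq 443",
                  "permit tcp 192.168.10.0 0.0.0.255 any eq 25",
                  "permit tcp 192.168.10.0 0.0.0.255 any eq 110",
                  "permit tcp 192.168.10.0 0.0.0.255 any eq 143",
                  "permit icmp 192.168.10.0 0.0.0.255 any"]
```

Evaluating the reply of an HTTPS session (destined for a client port above 1023) against BLOCK-P2P shows the range 1024 65535 line denying it, and a DNS query from Sales against SALES-INTERNET falls through to the implicit deny.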

🔍 ACL Verification and Troubleshooting

Essential ACL Show Commands

Router# show access-lists
Standard IP access list 10
    10 deny 192.168.10.0, wildcard bits 0.0.0.255 (4 matches)
    20 permit any (156 matches)
Extended IP access list 100
    10 deny tcp 192.168.10.0 0.0.0.255 any eq www (12 matches)
    20 permit tcp 192.168.10.0 0.0.0.255 any eq 443 (45 matches)
    30 permit ip any any (2341 matches)

Router# show access-lists 10
Standard IP access list 10
    10 deny 192.168.10.0, wildcard bits 0.0.0.255 (4 matches)
    20 permit any (156 matches)

Router# show ip interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.10.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is SALES-FILTER
  Proxy ARP is enabled

Router# show running-config | section access-list
# "section" prints each matching block with its sub-lines; "include" would print only the
# lines that contain the word and drop the ACL entries themselves
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
ip access-list extended SALES-FILTER
 deny tcp 192.168.10.0 0.0.0.255 any eq www
 permit ip any any

Router# show running-config | section FastEthernet0/0
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip access-group SALES-FILTER in

ACL Hit Counters

  • Match Counters: Each ACL line shows number of packets matched
  • Troubleshooting Tool: Zero matches indicate unused or misplaced rules
  • Reset Counters: Use "clear access-list counters" to reset statistics
  • Monitor Traffic: Watch counters increment to verify ACL operation
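Added example (not part of the chapter): a Python parser for show access-lists output that lists entries whose counter is zero and reports which entries incremented between two snapshots, which is the "watch counters increment" check as a script. The sample output is constructed from the listing above with one extra entry (sequence 25) that has never matched; IOS omits the "(N matches)" suffix for such entries.

```python
import re

# IOS prints "(N matches)" only for entries that have matched at least once;
# an entry without that suffix has a counter of zero.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")
HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")

def parse_show_access_lists(text):
    """Return {acl_name: [(seq, action, rule_text, match_count), ...]} from 'show access-lists' output."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group(2)
            acls[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            seq, action, rule, count = m.groups()
            acls[current].append((int(seq), action, rule, int(count or 0)))
    return acls

def zero_hit_entries(text):
    """Entries that have never matched: candidates for a misplaced rule, a wrong
    wildcard, or a rule shadowed by an earlier, broader one (see Common ACL Problems)."""
    return [(name, seq, f"{action} {rule}")
            for name, entries in parse_show_access_lists(text).items()
            for seq, action, rule, count in entries if count == 0]

def counter_delta(before, after):
    """Which entries incremented between two snapshots, e.g. before and after a test ping."""
    b = {(n, e[0]): e[3] for n, es in parse_show_access_lists(before).items() for e in es}
    a = {(n, e[0]): e[3] for n, es in parse_show_access_lists(after).items() for e in es}
    return {key: a[key] - b.get(key, 0) for key in a if a[key] - b.get(key, 0) > 0}

# Constructed sample output modelled on the chapter's listing; entry 25 of list 100 has never matched.
BEFORE = """Standard IP access list 10
    10 deny 192.168.10.0, wildcard bits 0.0.0.255 (4 matches)
    20 permit any (156 matches)
Extended IP access list 100
    10 deny tcp 192.168.10.0 0.0.0.255 any eq www (12 matches)
    20 permit tcp 192.168.10.0 0.0.0.255 any eq 443 (45 matches)
    25 deny udp 192.168.10.0 0.0.0.255 any eq domain
    30 permit ip any any (2341 matches)
"""
AFTER = BEFORE.replace("(12 matches)", "(13 matches)").replace("(2341 matches)", "(2350 matches)")
```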

Common ACL Problems

Problem: ACL blocking too much traffic (legitimate traffic being denied unexpectedly)
Check These:
  ✓ Implicit deny at end catching wanted traffic
  ✓ ACL rules in wrong order (specific rules after general)
  ✓ Wildcard mask errors
  ✓ Wrong direction (inbound vs outbound)
  ✓ ACL applied to wrong interface

Problem: ACL not blocking anything (unwanted traffic still getting through)
Investigate:
  ✓ ACL not applied to interface
  ✓ Applied in wrong direction
  ✓ Permit rule before deny rule
  ✓ Traffic taking different path
  ✓ Wrong source/destination criteria

ACL Troubleshooting Steps

Step 1: Verify ACL exists and has correct rules
show access-lists [number/name]

Step 2: Check ACL is applied to interface
show ip interface [interface]

Step 3: Monitor hit counters
show access-lists [number/name]

Step 4: Test with ping/telnet
ping [destination]
telnet [destination] [port]

Step 5: Use logging for detailed analysis
access-list [number] deny [criteria] log

🛠️ Hands-On ACL Labs

Lab 1: Basic Standard ACL

  1. Topology Setup:
    • Create router with 3 networks: Sales, Engineering, Servers
    • Add PCs to each network for testing
    • Configure all IP addresses and routing
    • Test connectivity between all networks
  2. Standard ACL Configuration:
    • Block Sales network from accessing Server network
    • Allow all other traffic to flow normally
    • Apply ACL close to destination (server network)
    • Test blocking and permitted traffic
  3. Verification:
    • Verify Sales cannot reach servers
    • Confirm Engineering can still reach servers
    • Check ACL hit counters
    • Document all test results

Lab 2: Extended ACL with Multiple Criteria

  1. Advanced Topology:
    • Add internet connection via ISP router
    • Configure web server and email server
    • Set up different VLANs for departments
    • Create realistic network addressing scheme
  2. Extended ACL Policy:
    • Sales: Allow HTTPS and email only to internet
    • Engineering: Allow all internet access
    • Everyone: Block access to HR server except HR users
    • Servers: Allow specific management protocols only
  3. Implementation:
    • Create named ACLs for clarity
    • Apply ACLs in optimal locations
    • Test all permit and deny scenarios
    • Monitor and adjust as needed

Lab 3: ACL Optimization and Troubleshooting

  1. Create Problems:
    • Misorder ACL statements
    • Apply ACLs in wrong direction
    • Use incorrect wildcard masks
    • Create conflicting rules
  2. Troubleshooting Practice:
    • Use systematic troubleshooting approach
    • Analyze hit counters and logs
    • Test connectivity methodically
    • Fix problems and re-test
  3. Optimization:
    • Reorder rules for efficiency
    • Combine similar rules
    • Add logging where needed
    • Document final configuration

Lab 4: Time-Based and Advanced ACLs

  1. Business Requirements:
    • Block social media during business hours
    • Allow administrative access only from specific hosts
    • Implement different policies for different user groups
    • Create emergency access procedures
  2. Advanced Features:
    • Configure time-based ACLs
    • Use object groups for easier management
    • Implement reflexive ACLs if supported
    • Add comprehensive logging
  3. Testing and Validation:
    • Test time-based rules at different times
    • Verify logging captures security events
    • Document all policies and procedures
    • Create rollback plan for emergencies
🎯 Security Challenge: Build a complete enterprise ACL policy with DMZ, internal networks, and internet access. Include both security and operational requirements!

⚡ ACL Best Practices and Security Tips

ACL Design Principles

  • Principle of Least Privilege: Grant only minimum access needed for business function
  • Deny by Default: Block everything, then explicitly allow what's needed
  • Document Everything: Maintain clear documentation of all ACL policies
  • Regular Review: Periodically audit and update ACL rules

Performance Optimization

  • Rule Order Matters: Place most frequently matched rules first
  • Minimize Rules: Combine similar rules where possible
  • Use Named ACLs: Easier to manage and understand than numbered
  • Avoid Complex Wildcards: Simple patterns process faster

Common Configuration Mistakes

Mistake: Adding permit any any at beginning (defeats entire purpose of ACL)
Solution:
  ✓ Place specific deny rules first
  ✓ Add permit statements for allowed traffic
  ✓ End with permit any if needed (carefully consider)

Mistake: Forgetting return traffic (blocking response packets from servers)
Solution:
  ✓ Remember TCP is bidirectional
  ✓ Allow established connections
  ✓ Consider using reflexive ACLs
  ✓ Test both directions thoroughly

Security Considerations

  • Layer Defense: ACLs are one layer - use with firewalls, IPS, etc.
  • Regular Updates: Update ACLs when network changes occur
  • Monitor Logs: Review ACL logs for security incidents
  • Emergency Access: Plan for emergency ACL bypass procedures

ACL Management Commands

Router(config)# ip access-list extended SALES-FILTER
Router(config-ext-nacl)# no 10
# Remove line 10 from ACL
Router(config-ext-nacl)# 15 permit tcp 192.168.10.0 0.0.0.255 any eq 443
# Insert new rule at line 15
Router# clear access-list counters
# Reset all ACL hit counters
Router(config)# no access-list 10
# Remove entire ACL 10

Logging and Monitoring

access-list 100 deny tcp any any eq 23 log
# Log all denied Telnet attempts
access-list 100 deny ip any any log-input
# Log with input interface information
Router# show logging | include SEC
Sep 17 14:23:15.123: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.10.50(1234) -> 192.168.100.10(23), 1 packet
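Added example (not code from the chapter): a Python parser for the %SEC-6-IPACCESSLOGP lines shown above that totals denied packets per flow and ranks the sources that keep hitting a deny entry, which is the "review ACL logs" step turned into a script. The log lines are constructed samples in that format, including one log-input variant carrying the input interface, not output captured from a device.

```python
import re
from collections import Counter

# %SEC-6-IPACCESSLOGP is the message for TCP/UDP entries; with 'log-input' IOS also
# inserts "(interface mac)" after the source. Any timestamp before the message is ignored.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \((?P<iface>\S+) \S+\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)

def parse_acl_log(line):
    """Return the fields of one ACL log line as a dict, or None if it is not an IPACCESSLOGP message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "packets"):
        d[key] = int(d[key])
    return d

def denied_by_flow(lines):
    """Total denied packets per (source, destination, destination port)."""
    totals = Counter()
    for line in lines:
        d = parse_acl_log(line)
        if d and d["action"] == "denied":
            totals[(d["src"], d["dst"], d["dport"])] += d["packets"]
    return dict(totals)

def noisy_sources(lines, threshold):
    """Sources whose denied packet total reaches the threshold, highest first: a quick
    way to spot one host repeatedly hitting a blocked service."""
    per_src = Counter()
    for (src, _dst, _dport), n in denied_by_flow(lines).items():
        per_src[src] += n
    return [src for src, n in per_src.most_common() if n >= threshold]

# Constructed sample lines in the format the chapter shows (not captured from a real device).
SAMPLE_LOG = [
    "Sep 17 14:23:15.123: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.10.50(1234) -> 192.168.100.10(23), 1 packet",
    "Sep 17 14:28:15.456: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.10.50(1235) -> 192.168.100.10(23), 9 packets",
    "Sep 17 14:29:01.789: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.10.77(40000) (FastEthernet0/0 0011.2233.4455) -> 192.168.100.10(22), 1 packet",
    "Sep 17 14:30:00.001: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.60(5000) -> 192.168.100.10(443), 3 packets",
    "Sep 17 14:30:05.002: %SYS-5-CONFIG_I: Configured from console by console",
]
```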

📖 Chapter Summary

  • ACL Purpose: Filter traffic based on permit/deny rules, providing network security
  • ACL Types: Standard (source IP only), Extended (source, destination, protocols, ports)
  • Wildcard Masks: Specify which IP address bits to check (0=check, 1=ignore)
  • Placement Rules: Standard ACLs near destination, Extended ACLs near source
  • Processing Order: Sequential from top to bottom, first match wins
  • Implicit Deny: Unmatched traffic automatically denied at end of ACL
  • Interface Application: One ACL per interface per direction per protocol
  • Best Practices: Use named ACLs, document policies, monitor hit counters
🎯 Security Mastery Achieved! You now control network traffic like a professional security guard. ACLs are your first line of defense against unwanted network access!

๐Ÿ“ ACL Mastery Quiz

1. What's the difference between standard and extended ACLs? Standard ACLs filter by source IP only (1-99, 1300-1999); Extended ACLs filter by source/destination IP, protocols, and ports (100-199, 2000-2699)

2. How do wildcard masks work? Binary mask where 0 = must match exactly, 1 = ignore this bit. Opposite of subnet mask logic

3. Where should you place standard vs extended ACLs? Standard ACLs close to destination (limited filtering), Extended ACLs close to source (specific filtering)

4. What happens with implicit deny? Any traffic not explicitly permitted by ACL rules is automatically denied at the end

5. How are ACL rules processed? Sequential processing from top to bottom, first matching rule wins, no further processing

6. What's the wildcard mask for a single host? 0.0.0.0 (all bits must match exactly) or use "host" keyword

7. How many ACLs can you apply per interface? One ACL per direction (inbound/outbound) per protocol per interface

8. Why use named ACLs instead of numbered? Easier to manage, edit individual lines, self-documenting, more descriptive than numbers
