ACLs
What are ACLs?
Definition: Access Control Lists (ACLs) are a set of rules applied to network
devices (routers, switches) to control and filter incoming and outgoing
traffic based on various criteria such as source and destination IP
addresses, ports, or protocols.
Purpose:
Enhance network security by permitting or denying traffic.
Optimize traffic flow and reduce unnecessary load.
Implement basic network policies.
Key Characteristics of ACLs:
Applied to interfaces (either inbound or outbound).
Processed sequentially: The router evaluates each rule in the ACL until a
match is found.
Implicit deny any at the end of the ACL: If no rules match, the traffic is
denied.
Types of ACLs
1. Standard ACLs:
Filter traffic based on source IP addresses only.
Cannot filter on destination IP address, protocol, or port.
Typically applied closer to the destination to avoid unnecessary
filtering of valid traffic.
2. Extended ACLs:
Filters traffic based on:
Source and destination IP addresses.
Protocol (TCP, UDP, ICMP, etc.).
Port numbers (e.g., HTTP: port 80, HTTPS: port 443).
More flexible and granular compared to Standard ACLs.
Typically applied closer to the source to prevent unwanted traffic from
traveling through the network.
Standard Numbered ACLs
Use numbers between 1 and 99 or 1300 to 1999.
Example configuration:
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
Standard Named ACLs
Identified by a custom name instead of numbers, making them more
descriptive.
Example configuration:
Router(config)# ip access-list standard ALLOW_NET1
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any
Differences Between Standard Numbered and Named ACLs:
Feature        Standard Numbered            Standard Named
Identifier     Uses a number (1–99)         Uses a custom name
Editability    Cannot be modified easily    Can add/remove rules easily
Usage          Suitable for small ACLs      Preferred for larger networks
Inbound vs Outbound ACLs
Inbound ACL:
Filters incoming traffic before the router processes it.
Applied on the interface receiving the traffic.
Efficient for blocking unwanted traffic early.
Example:
Router(config)# interface g0/0
Router(config-if)# ip access-group 10 in
Outbound ACL:
Filters outgoing traffic after the router processes it and determines the
outgoing interface.
Applied on the interface sending the traffic.
Example:
Router(config)# interface g0/1
Router(config-if)# ip access-group 10 out
Example Scenario
Allow only traffic from 192.168.1.0/24 network to access the router, deny all
others.
Using a Standard Numbered ACL:
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
Router(config)# interface g0/0
Router(config-if)# ip access-group 10 in
Using a Standard Named ACL:
Router(config)# ip access-list standard BLOCK_OTHER
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any
Router(config)# interface g0/0
Router(config-if)# ip access-group BLOCK_OTHER in
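The scenario above is easiest to understand by modelling what the router does with each packet. The following Python is an added example, not code from the original notes: it derives a wildcard mask from a prefix length, implements wildcard matching (including a non-contiguous wildcard, which a subnet mask cannot express), parses the `access-list 10` lines from the scenario and evaluates source addresses top-down, falling through to the implicit deny when nothing matches. The test addresses are constructed.

```python
# Added example (not part of the original notes): a model of how a router
# evaluates a standard ACL. The ACL text is ACL 10 from the scenario above;
# the addresses evaluated against it are constructed.
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """IOS wildcard mask for a /prefix_len network: the inverted subnet mask (/24 -> 0.0.0.255)."""
    subnet_mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'do not care'; a 0 bit must equal the network address bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def parse_standard_acl(config: str, number: int) -> list:
    """Collect the 'access-list <number> permit|deny <source>' lines in configuration order."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, source = tokens[2], tokens[3:]
        if source == ["any"]:                      # any = 0.0.0.0 255.255.255.255
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif source[0] == "host":                  # host A = A 0.0.0.0
            network, wildcard = source[1], "0.0.0.0"
        elif len(source) == 1:                     # a bare address is a single host
            network, wildcard = source[0], "0.0.0.0"
        else:
            network, wildcard = source[0], source[1]
        entries.append((action, network, wildcard))
    return entries


def evaluate_standard(entries: list, src_ip: str) -> str:
    """Top-down evaluation: the first matching line decides; no match means implicit deny."""
    for action, network, wildcard in entries:
        if wildcard_match(src_ip, network, wildcard):
            return action
    return "deny"


# ACL 10 from the scenario above, as it appears in the running configuration
ACL_10 = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
"""

# The same ACL without the explicit deny line: the implicit deny still applies
ACL_10_PERMIT_ONLY = "access-list 10 permit 192.168.1.0 0.0.0.255"


if __name__ == "__main__":
    entries = parse_standard_acl(ACL_10, 10)
    for ip in ("192.168.1.55", "192.168.2.1", "10.0.0.5"):
        print(ip, "->", evaluate_standard(entries, ip))
    print("/24 wildcard:", wildcard_from_prefix(24))
    print("non-contiguous 0.0.2.255 matches 192.168.3.7:",
          wildcard_match("192.168.3.7", "192.168.1.0", "0.0.2.255"))
```

The explicit `deny any` line in the scenario changes nothing about which packets are dropped; its value is that it is visible in `show access-lists` with hit counters, whereas the implicit deny is not.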
Summary:
1. ACL Types: Standard and Extended.
2. Standard ACLs:
Filters by source IP only.
Numbered (1–99) or Named (custom names).
3. Inbound vs Outbound:
Inbound: Filters traffic entering the router.
Outbound: Filters traffic leaving the router.
4. General Rules:
Place Standard ACLs closer to the destination.
Apply Inbound ACLs to reduce unnecessary processing.
Extended ACLs
What are Extended ACLs?
Extended ACLs provide advanced traffic filtering by evaluating multiple
parameters, including:
Source IP address
Destination IP address
Protocol (e.g., TCP, UDP, ICMP, etc.)
Port numbers (e.g., HTTP, HTTPS, SSH)
They are highly granular and versatile compared to standard ACLs.
Characteristics of Extended ACLs
1. Filtering Criteria:
Source and destination IP addresses.
Protocol (Layer 3 and Layer 4).
Specific port numbers (e.g., port 80 for HTTP, port 443 for HTTPS).
2. Placement:
Close to the source: To block unwanted traffic as early as possible,
preventing it from traversing the network unnecessarily.
Why? Extended ACLs allow you to specify both source and destination,
so applying them closer to the source minimizes network load.
3. Number Range:
Numbered ACLs: 100–199 and 2000–2699.
Named ACLs: Use a custom name for easier management and
flexibility.
Syntax and Configuration
Numbered Extended ACLs
Syntax:
access-list <number> <permit|deny> <protocol> <source> <wildcard mask> <destination> <wildcard mask> [eq <port>]
Example:
Allow traffic from 192.168.1.0/24 to 10.0.0.0/8 on port 80 (HTTP):
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 80
Router(config)# access-list 100 deny ip any any
Named Extended ACLs
Syntax:
ip access-list extended <name>
Example:
Allow SSH from 192.168.10.0/24 to 172.16.0.0/16 and deny everything
else:
Router(config)# ip access-list extended ALLOW_SSH
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22
Router(config-ext-nacl)# deny ip any any
Router(config)# interface g0/1
Router(config-if)# ip access-group ALLOW_SSH in
Inbound vs Outbound ACLs in Extended ACLs
Inbound Extended ACL:
Filters traffic as it enters the router's interface.
Best used for early blocking to conserve resources and bandwidth.
Example:
Router(config)# interface g0/0
Router(config-if)# ip access-group 100 in
Outbound Extended ACL:
Filters traffic as it leaves the router's interface.
Useful when traffic filtering requires access to the final routing decision.
Example:
Router(config)# interface g0/1
Router(config-if)# ip access-group 100 out
Example Scenarios
1. Permit HTTPS Traffic and Block Others:
Allow only HTTPS traffic from 192.168.1.0/24 to 172.16.0.0/16.
Deny all other traffic.
Configuration:
Router(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443
Router(config)# access-list 101 deny ip any any
Router(config)# interface g0/0
Router(config-if)# ip access-group 101 in
2. Block ICMP Traffic:
Deny all ping (ICMP) requests to 192.168.20.0/24 and permit other traffic.
Configuration:
Router(config)# access-list 102 deny icmp any 192.168.20.0 0.0.0.255
Router(config)# access-list 102 permit ip any any
Router(config)# interface g0/0
Router(config-if)# ip access-group 102 in
Placement Guidelines
1. Close to the Source:
Use extended ACLs close to the source to prevent unnecessary traffic
from traversing the network.
Example:
Block FTP (port 21) traffic from 192.168.10.0/24 to 10.1.0.0/16.
Apply an inbound ACL on the router closest to 192.168.10.0/24.
2. Avoid Placing on the Destination:
If placed close to the destination, unwanted traffic will already have
traversed most of the network, consuming bandwidth and resources.
Best Practices for Extended ACLs
1. Specificity:
Write rules as specific as possible to minimize unintended matches.
Example: Use specific source and destination IPs, along with protocols
and ports.
2. Implicit Deny:
Always remember there’s an implicit deny all at the end of every ACL.
Include explicit permit rules to avoid blocking all traffic unintentionally.
3. Order of Rules:
Place frequently matched rules at the top to optimize performance.
4. Testing:
Test ACLs in a lab or non-critical environment before applying them in
production.
1. Dynamic ACLs
Definition:
Dynamic ACLs (also called lock-and-key ACLs) are temporary access rules
created dynamically when a user authenticates. They allow access based on
user authentication and can be set to expire after a specific time or upon
session termination.
Purpose/Functionality:
Provide temporary access to specific resources.
Allow access dynamically, only when a condition (like user authentication)
is met.
Key Features:
Require the user to authenticate before allowing traffic.
Once authenticated, a temporary permit statement is added to the ACL.
The ACL expires after a set timeout or when the session ends.
Use Cases:
Secure administrative access to internal servers.
Controlled access to resources for authenticated users.
Configuration Example:
1. Step 1: Define the dynamic ACL. The first line permits the Telnet session the user authenticates over (the router's own address is shown as a placeholder); the dynamic entry stays inactive until a user has authenticated:
ip access-list extended DYNAMIC_ACL
permit tcp any host <router-ip> eq telnet
dynamic TEMP_ACCESS timeout 10 permit tcp any host 192.168.1.10 eq 22
2. Step 2: Apply the ACL to the user-facing interface and configure the VTY lines so that a successful login runs access-enable, which creates the temporary entry (a local username for login local is assumed to exist):
interface GigabitEthernet0/0
ip access-group DYNAMIC_ACL in
line vty 0 4
login local
autocommand access-enable host timeout 10
3. Step 3: User authenticates using telnet:
After successful authentication, the dynamic ACL allows SSH traffic to
192.168.1.10 for 10 minutes.
2. Reflexive ACLs
Definition:
Reflexive ACLs are temporary ACLs that allow outbound traffic and dynamically
create entries to permit the return traffic. They are stateful, meaning they
monitor and filter traffic based on session states.
Purpose/Functionality:
Allow only traffic that is part of an initiated session (dynamic and stateful).
Automatically remove entries when sessions end.
Key Features:
Do not require user authentication.
Entries are temporary and are removed when the session ends.
Focuses on outbound-to-inbound traffic relationship.
Use Cases:
Protecting internal hosts from unsolicited inbound traffic.
Filtering return traffic dynamically.
Configuration Example:
1. Step 1: Create an extended ACL for outbound traffic:
ip access-list extended OUTBOUND
permit tcp any any reflect SESSION_TRAFFIC
2. Step 2: Create an extended ACL for inbound traffic:
ip access-list extended INBOUND
evaluate SESSION_TRAFFIC
3. Step 3: Apply the ACLs to interfaces:
interface GigabitEthernet0/0
ip access-group OUTBOUND out
ip access-group INBOUND in
Real-Life Example:
A user initiates an HTTPS connection to a website.
The reflexive ACL allows the outbound traffic and dynamically permits
return traffic for the session.
Once the session ends, the ACL entry is removed.
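The real-life example above can be modelled as a small state table. The following Python is an added example, not code from the original notes: an outbound packet matching the `reflect SESSION_TRAFFIC` line installs a mirrored (return-direction) entry, the inbound `evaluate SESSION_TRAFFIC` permits only packets that match a live entry, and entries disappear when the session is closed or after an idle timeout. The 300-second timeout and the addresses and ports are constructed values for this example.

```python
# Added example (not part of the original notes): the temporary entries kept
# by a reflexive ACL, with return-traffic matching, idle expiry and removal at
# session close. Timeout, addresses and ports are constructed values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self) -> "Flow":
        """The return direction of this flow: source and destination swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveEntries:
    """Entries created by 'reflect NAME' on the outbound ACL and consulted by
    'evaluate NAME' on the inbound ACL."""

    def __init__(self, idle_timeout_s: float = 300.0):
        self.idle_timeout = idle_timeout_s
        self.entries = {}          # return-direction Flow -> expiry timestamp

    def _expire(self, now: float) -> None:
        self.entries = {f: exp for f, exp in self.entries.items() if exp > now}

    def outbound(self, flow: Flow, now: float) -> str:
        """Outbound ACL: 'permit tcp any any reflect SESSION_TRAFFIC' matches this
        flow and installs the entry that will admit its return traffic."""
        self._expire(now)
        self.entries[flow.mirrored()] = now + self.idle_timeout
        return "permit"

    def inbound(self, flow: Flow, now: float) -> str:
        """Inbound ACL: 'evaluate SESSION_TRAFFIC' permits a packet only if it matches
        a live entry; anything else falls through to the implicit deny."""
        self._expire(now)
        if flow in self.entries:
            self.entries[flow] = now + self.idle_timeout   # session activity refreshes the timer
            return "permit"
        return "deny"

    def session_closed(self, flow: Flow) -> None:
        """Session teardown (TCP FIN/RST) observed: drop the entry for this session."""
        self.entries.pop(flow.mirrored(), None)
        self.entries.pop(flow, None)

    def active_count(self) -> int:
        return len(self.entries)


if __name__ == "__main__":
    table = ReflexiveEntries()
    https = Flow("tcp", "192.168.1.50", 51000, "203.0.113.10", 443)
    print("outbound:", table.outbound(https, now=0.0))
    print("reply:", table.inbound(https.mirrored(), now=1.0))
    print("unsolicited:", table.inbound(Flow("tcp", "203.0.113.10", 443, "192.168.1.50", 52000), now=1.0))
```

Note that the inbound list in this model contains nothing but the `evaluate` line, exactly as in the configuration above, so any packet that does not belong to an internally initiated session is dropped by the implicit deny.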
3. Time-Based ACLs
Definition:
Time-based ACLs allow or deny traffic based on the time of day or specific
time periods. These ACLs use time ranges to enforce policies at scheduled
times.
Purpose/Functionality:
Provide scheduled access control.
Enforce time-based restrictions on traffic.
Key Features:
Utilize time ranges to define when rules are active.
Combine with other ACL features for dynamic access control.
Use Cases:
Permit user access to resources only during working hours.
Restrict internet usage during specific hours (e.g., for employees or
students).
Configuration Example:
1. Step 1: Define a time range:
time-range WORKING_HOURS
periodic weekdays 08:00 to 18:00
2. Step 2: Create a time-based ACL:
ip access-list extended TIME_BASED_ACL
permit tcp any host 192.168.1.20 eq 80 time-range WORKING_HOURS
deny ip any any
3. Step 3: Apply the ACL to an interface:
interface GigabitEthernet0/1
ip access-group TIME_BASED_ACL in
Real-Life Example:
The ACL permits HTTP traffic to the web server (192.168.1.20) only on weekdays from 8:00 AM to 6:00 PM.
Outside these hours, all traffic is denied.
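The following Python is an added example, not code from the original notes, showing how the `periodic weekdays 08:00 to 18:00` clause gates the permit line of TIME_BASED_ACL: while the range is active the permit matches, otherwise the line is skipped and the next line, `deny ip any any`, matches. It also accepts the other IOS day keywords of the `periodic` form (`daily`, `weekend`, single day names). Treating the end time as inclusive to the minute is an assumption of this example, and the timestamps are constructed.

```python
# Added example (not part of the original notes): evaluate the 'periodic' time
# range from this page and the ACL line it controls. End-time inclusivity is
# an assumption here; timestamps are constructed.
from datetime import datetime

# IOS day keywords mapped to datetime.weekday() values (Monday = 0)
DAY_SETS = {
    "daily": set(range(7)),
    "weekdays": set(range(5)),
    "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def parse_periodic(spec: str):
    """Parse 'periodic <day-keyword> HH:MM to HH:MM' into (days, start, end)."""
    t = spec.split()
    if len(t) != 5 or t[0] != "periodic" or t[3] != "to":
        raise ValueError(f"unsupported time-range clause: {spec}")
    days = DAY_SETS[t[1].lower()]
    start = tuple(int(x) for x in t[2].split(":"))
    end = tuple(int(x) for x in t[4].split(":"))
    return days, start, end


def time_range_active(spec: str, when: datetime) -> bool:
    """True when 'when' falls on one of the listed days and inside the clock range."""
    days, start, end = parse_periodic(spec)
    clock = (when.hour, when.minute)
    return when.weekday() in days and start <= clock <= end


# time-range WORKING_HOURS from the configuration above
WORKING_HOURS = "periodic weekdays 08:00 to 18:00"


def evaluate_time_based(dst: str, dport: int, when: datetime) -> str:
    """TIME_BASED_ACL from the notes: 'permit tcp any host 192.168.1.20 eq 80
    time-range WORKING_HOURS' is considered only while the range is active;
    otherwise 'deny ip any any' is the first (and only) matching line."""
    if dst == "192.168.1.20" and dport == 80 and time_range_active(WORKING_HOURS, when):
        return "permit"
    return "deny"


if __name__ == "__main__":
    for when in (datetime(2024, 3, 13, 10, 30), datetime(2024, 3, 13, 19, 0), datetime(2024, 3, 16, 10, 0)):
        print(when.strftime("%a %H:%M"), "->", evaluate_time_based("192.168.1.20", 80, when))
```

A time-based entry depends on the router's clock, so a wrong or unsynchronised clock changes what the ACL permits; `show time-range` reports whether a range is currently active.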
Key Differences Between the ACL Types:
Feature            Dynamic ACL                   Reflexive ACL               Time-Based ACL
Trigger            User authentication           Session initiation          Defined time range
Session Awareness  No                            Yes (stateful)              No
Usage              Temporary user access         Return traffic filtering    Scheduled access control
Scope              User and resource-specific    Bidirectional traffic       Time-sensitive policies
Summary:
Dynamic ACLs: Best for temporary, user-authenticated access to
resources.
Reflexive ACLs: Ideal for dynamically permitting return traffic for sessions
initiated by internal users.
Time-Based ACLs: Perfect for enforcing time-specific traffic filtering.