Page Content

Tutorials

Load more

CCNA ACL Configuration Cisco, Access Control Lists Operation

CCNA
Hemavathi
Author: Hemavathi
10 min.read

By applying consecutive permit or deny rules based on parameters like source/destination IP addresses and port numbers, Access Control Lists (ACLs) filter network traffic, restricting unwanted access and managing data flow. Planning include determining which traffic needs to be filtered and setting up the ACLs. Configuration entails applying the ACL to an interface after generating a sequential sequence of statements using standard/extended, numbered/named IPv4 or IPv6 commands. ACL statistics and traffic flow are viewed using show commands for verification, and errors in syntax, order, or location of rules are checked for during troubleshooting.

The ACL operation, planning, ACL configuration, verification, and troubleshooting are explained below.

ACL Operation

ACL Operation
ACL Operation

ACLs place restrictions on a router’s forwarding mechanism, which by default forwards every packet for which a route is available.

Key Operational Logic

  • Top-Down Sequential Processing: The device analyses packets against ACL ACEs in order.
  • After finding the first match, the router stops searching. Immediately, the matching action (permit or deny) specified in that matched sentence is carried out.
  • Every IP ACL ends with an implied deny any/all declaration. Any packet that doesn’t match ACL rules is deleted. Actionable ACLs must have one explicit permit statement.
  • ACLs filter transit traffic, not router-generated packets like routing protocol messages or ping command output.
  • Location and Direction: After routing, an interface must filter inbound and outbound packets with ACL logic.

Planning and Design Guidelines

ACLs must be planned carefully before use.

Identify Needs

Choose which resources should be restricted and which traffic should be permitted or banned.

Choose ACL Type

Choose conventional (source IP only), extended (source/destination IP, protocols, ports), or IPv6 ACLs for filtering.

Also Read About IPv6 Migration Explained: Transition From IPv4 To IPv6

ACL TypeMatching CriteriaPlacement RecommendationRationale
Standard ACL (IPv4)Filters only by source IP address.Should be placed near to the destination of the packets.Placing them too close to the source can unintentionally block traffic destined for other permitted locations (over-filtering).
Extended ACL (IPv4/IPv6)Filters by source/destination IP, protocol, and port numbers.Should be placed closest to the source of the traffic.Their high granularity prevents unwanted traffic from consuming network resources along the path.

Determine Style

Choose between named (more manageable and flexible) and numbered (less flexible) ACLs.

Think about the effect on performance and routing.

Ordering and Specificity

The sequential arrangement of statements is essential because of the first-match logic.

  • Prioritise more particular references over more generic ones, such as subnetworks or any, such as individual host addresses or rules with shorter wildcard masks or more zeros.
  • Prioritise problems that happen more often over ones that happen less frequently.
  • Misordered ACLs are a frequent mistake; an early, broad permit might override a later, more focused denial.

Types of IP ACLs

ACLs can be grouped according to their identification mechanism (Numbered vs. Named) and matching capability (Standard vs. Extended).

Standard ACLs

  • Matching Criteria: Only the source IP address and mask are used by standard IPv4 ACLs to filter traffic.
  • Granularity: They are unable to distinguish between distinct IP traffic types, such as web or Telnet, and can only allow or reject the full TCP/IP protocol suite.
  • 1 to 99 and the extended range of 1300 to 1999 are the numbered ranges (IPv4).
  • Placement Suggestion: To avoid inadvertently discarding traffic intended for other destinations, standard ACLs should ideally be positioned close to the packets’ destination.

Extended ACLs

  • Matching Criteria: More flexibility and accuracy are provided by extended IPv4 and IPv6 ACLs. They are able to filter traffic according to:
    • IP addresses of the source and the destination.
    • Certain protocols (such as icmp, udp, tcp, and ip).
    • TCP and UDP ports at the source and destination.
  • IPv4’s Numbered Range is 100–199, with an extended range of 2000–2699.
  • Placement Suggestion: Because extended ACLs are so granular, they should always be positioned closest to the traffic source.

Named ACLs

  • Configuration: The global configuration command ip access-list {standard | extended} name initiates the naming procedure.
  • Identification: Named ACLs don’t simply utilize a number; they also use a descriptive name. They are either standard or expanded ACLs in terms of structure.
  • Benefits: Especially in big deployments, named ACLs offer flexibility and simplicity of administration. Notably, they allow administrators to remove specific statements (Access Control Entries) by utilizing sequence numbers, in contrast to numbered ACLs that typically necessitate erasing and recreating the complete list.

Using named ACLs with IPv6 ACLs is required.

Wildcard Masks

Network administrators use a wildcard mask to match IP addresses within ACLs. This 32-bit value indicates which IP address bits, when compared to the ACL entry, should be examined (or disregarded).

  • In the wildcard mask, a binary 0 indicates that the matching IP address bit must be present.
  • When the corresponding IP address bit in the wildcard mask has a binary 1 in it, it is a “don’t care” (or wildcard) bit that will not be used in the comparison.

Typical acronyms consist of:

  • host IP_address: A shorthand for a single host address that matches a 0.0.0.0 wildcard mask.
  • any: An abbreviation for the IP address 0.0.0.0 that matches any address with a wildcard mask of 255.255.255.255.

ACL Configuration

ACL Configuration
ACL Configuration

Usually, there are two processes involved in ACL configuration: 1) Adding rules to the ACL and 2) Applying the ACL to a direction or interface.

Standard Numbered IPv4 ACLs

Only the originating IP address is a match between these listings.

Numbered Ranges: 1 to 99 and the expanded range of 1300 to 1999.

Creation (Global Config Mode): To match a single IP address, you can use the address followed by a wildcard mask of 0.0.0.0, or sometimes just the address alone. Uses the access-list command, specifying the number, action, source address, and wildcard mask: Router(config)# access-list access-list-number {permit | deny} source [source-wildcard] [log] (Example: access-list 1 permit 172.16.0.0 0.0.255.255).

Application (Interface Config Mode): Router(config-if)# ip access-group number {in | out}

Extended Numbered IPv4 ACLs

These lists offer fine-grained filtering according to protocols, port numbers, and source/destination addresses.

Numbered Ranges: 100 to 199 and the expanded range of 2000 to 2699.

Creation (Global Config Mode): The command includes specifying the protocol (e.g., ip, tcp, udp, icmp) and optional Layer 4 operators/ports: Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator [port]] [established] [log]

The optional established keyword (used with TCP) permits traffic only if it is part of an established connection (i.e., has the ACK or RST bit set).

You must include permit ip any any as a last statement if other traffic needs to be permitted, as there is an implicit hidden deny all clause at the end.

Application (Interface Config Mode): Uses the same ip access-group number {in | out} command as standard ACLs.ce configuration mode) uses the ip access-group number {in | out} command.

Example

Router(config)# access-list 110 permit tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 80
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 110 out

Permits HTTP traffic from 192.168.1.0/24 to 10.1.1.0/24 outbound.

Also Read About CISCO LLDP Link Layer Discovery Protocol Advantages, Types

Named IPv4 ACLs

Named ACLs can be set up as standard or extended lists and are identified by an alphanumeric name rather than a number.

  • The main advantage of named ACLs is that, unlike numbered ACLs, which usually necessitate removing and recreating the entire list, named ACLs enable administrators to add or remove particular statements (ACEs) using sequence numbers, simplifying adjustments.
  • Steps in Creation:
    • The Global Config Mode ACL can be named with the command ip access-list {standard | extended} name.
    • In ACL Configuration Mode, create statements by using [sequence-number] {permit | deny}. If a sequence number is not supplied, it is assigned automatically, usually increasing by 10.
  • Editing: In ACL configuration mode, the no sequence-number command can be used to eliminate individual statements.
  • Router (config-if) is the application (interface configuration mode).# name of the IP access group {in | out}

IPv6 ACLs

Supports Named ACLs only. Numbered ACLs are not used in IPv6.

  • Creation (Global Config Mode): ipv6 access-list name in Router(config)#
  • Matching Criteria: Layer 4 protocols (TCP, UDP, and ICMPv6) are among the packet header fields that Extended IPv6 ACLs match on. Both source and destination address information are used by standard IPv6 ACLs to filter.
  • Implicit Statements: At the conclusion of IPv6 ACLs, there is a required implicit deny IPv6 any statement. Permit icmp any any nd-na (neighbor advertisement) and permit icmp any any nd-ns (neighbour solicitation) statements are also explicitly included in some systems (as well as refuse ipv6 any any).
  • Router (config-if) is the application (interface configuration mode).#ipv6 access-list-name { in | out } for the traffic filter

Additional Configuration Options

  • VTY Access: Using the access-class command on Virtual Terminal (VTY) lines, ACLs can limit remote management access (Telnet/SSH) to the router:
    • IPv4: name [in | out] | access-class number.
    • IPv6: ipv6 access-list-name, access-class.
  • Time Ranges: Depending on the device’s clock, ACL rules can be set up with time ranges to regulate the exact day and hour the rule is in effect. Time ranges can be periodic (days of the week/time ranges) or absolute (specified start/end dates).
  • Object Groups and Policy-Based ACLs (PBACLs): Object groups let network managers group relevant ports (Protocol Port Object Groups) or IP addresses (IPv4/IPv6 Address Object Groups) and use the group name in ACL rules. When updating large settings, this simplifies the process.
  • ACL Logging (IPv4): To help with troubleshooting, the log keyword applied to a permit or deny statement tells the device to produce a syslog message when that statement is matched. Configuring settings like flow entries, log interval, and severity level is supported by IPv4 ACL logging. Note that certain settings (like Cisco NX-OS) do not allow IPv6 ACL logging.

Verification

Verification entails making sure the ACL is implemented correctly and that its content is accurate. Show commands frequently show hit counts (also known as packet match statistics) for every line, which are helpful for debugging.

Viewing ACL Configuration and Statistics

 â—¦ show access-lists [access-list-number | access-list-name]: Displays the contents of all ACLs (including IPv6) and often includes match statistics (the number of times packets have matched a statement).

    â—¦ show ip access-lists [access-list-number | access-list-name]: Displays details specifically about IPv4 ACLs, including sequence numbers and match statistics.

    â—¦ show ipv6 access-list: Displays configured IPv6 ACLs, including match statistics and sequence numbers.

Verifying Application to Interfaces

  â—¦ show running-config: Shows the full ACL definition and where it is applied using ip access-group or ipv6 traffic-filter commands on the interface configuration.

    â—¦ show ip interface [type number]: Lists details about IPv4 ACLs enabled on a specific interface and the direction they are applied.

Also Read About Cisco VLAN Troubleshooting Commands And VLAN Issues

Troubleshooting

Analysing the logic and verifying the application specifics are necessary for troubleshooting ACLs.

Structured Troubleshooting Steps

Determine Impacted Interfaces: Use the show running-config or show ip interfaces command to find the interfaces that ACLs have an influence on and the direction in which they are applied.

Verify Configuration: Use show access-lists, show ip access-lists, or show run to determine how the pertinent ACLs are configured.

Traffic is being stopped by a rule above a permit rule if the counter for the rule you expected to be struck is zero.

You’ve identified the rule that is reducing traffic if the counter for a deny rule is increasing suddenly.

Examine and Forecast Matches: Examine the ACL logic to ascertain which packets ought to correspond. To determine match statistics and determine whether packets are reaching the intended statements or falling through to the implicit deny, use the output from show access-lists.

Wildcard Mask: Verify that the wildcard mask is accurate. A wildcard of 0.0.0.0, for instance, indicates “match the host exactly,” whereas 255.255.255.255 indicates “match any address.” An whole subnet may be blocked by improper masks, or more may be permitted than planned.

Interface Application: Using the ip access-group or ipv6 traffic-filter command, did you remember to apply the ACL to the appropriate interface and in the appropriate direction (in or out)?

Common Errors

  • Misordered ACLs: A particular denial statement might not work because the traffic was matched first by a more general permit statement that came before it (First-Match Logic).
  • Incorrect Direction/Interface: Although the ACL is applied correctly, it is either on the incorrect interface or in the incorrect direction (in vs. out).
  • Standard ACL Placement: When a Standard ACL is positioned too near the source, it causes unnecessary blocking of acceptable traffic.
  • Implicit Deny: All other desirable traffic may inadvertently be blocked if an explicit permit statement is not included at the end of the ACL.

Troubleshooting Tip

By adding the log keyword to a statement, you may verify precisely which rule is being activated by producing syslog messages when that rule is matched.

Hardware Considerations (Cisco NX-OS)

ACL troubleshooting may also entail examining hardware resources for devices such as the Cisco Nexus series:

  • Ternary Content Addressable Memory (TCAM): This specialised hardware is used to process ACLs on the I/O modules. The sizes of the TCAM regions are shown by the Show hardware access-list tcam region command.
  • TCAM Carving: Administrators must re-carve (lower the size of) one TCAM region to make room for new ACLs (particularly IPv6 ACLs, which are “double wide”), and then enlarge the appropriate region. Reloading the device (or line cards) and storing the configuration are necessary for this process.

Also Read About CISCO IOS Architecture, Functions And Characteristics

Previous article
What is the Readonly Property in TypeScript?
Next article
PAT Port Address Translation: How It Works And Limitations
Hemavathi
Hemavathihttps://govindhtech.com/
Myself Hemavathi graduated in 2018, working as Content writer at Govindtech Solutions. Passionate at Tech News & latest technologies. Desire to improve skills in Tech writing.

About Us 

Contact Us

Privacy Polacy

Disclaimer

© G Solutions

Index