Saturday, March 19, 2011

Lesson 47 - Packet Filtering with Standard ACL

Access Control Lists can inspect traffic based on different protocols and criteria. In this post I focus on IP-based ACLs. Other types, such as MAC-based ACLs, dynamic (lock-and-key) ACLs or reflexive ACLs, are beyond the scope of this tutorial.

Have you noticed how your hand luggage is scanned at the airport? An ACL is a similar scanner, only it runs on the router. It can look at the content of each packet traversing the router, up to layer 4 in the case of an extended ACL. You, as the administrator, decide what the action is going to be when a packet matches your criteria. A few applications of ACLs are as follows:
  • ACLs can filter the packets that traverse the router in order to drop the unwanted traffic.
  • ACLs can deny SSH or Telnet traffic to vty lines (router/switch remote management).
  • ACLs are used to match 'interesting' traffic that triggers VPN tunnel establishment and selects the data to be encrypted.
  • ACLs are commonly used in Quality of Service to prioritize certain applications or traffic flows over others or provide different treatment to a certain stream of packets.
  • ACLs are used to filter inbound or outbound dynamic routing protocol advertisements (distribute lists).
  • Etc.
To summarize: you cannot call yourself a network specialist without being able to use ACLs. In this tutorial, we focus on IP-based ACLs.

IP Based ACLs
There are two major types of numbered IP ACLs, plus a named variant of each (the guidelines below apply to all of them):
  1. Standard ACLs (numbers 1 through 99; the expanded range 1300 through 1999 is also available)
  2. Extended ACLs (numbers 100 through 199; the expanded range 2000 through 2699 is also available)
  3. Named ACLs (standard or extended). Named ACLs offer more flexibility in terms of modifying ACLs 'on the fly', because individual entries can be edited by sequence number instead of re-creating the whole list.
The major differences between them are the amount and type of criteria we can use to inspect the packets as well as the syntax used to create the statement.

In this post I present IP standard ACLs used only as a filtering mechanism (permit or deny the traffic passing through the router), but get familiar with the general guidelines first, as they apply to all types and applications of ACLs.

ACL Guidelines
Here are some important guidelines regarding ACLs:
  • ACLs use top-down processing. Statements are compared in the order they are listed, starting from the top. As soon as a statement matches (permit or deny), its action is taken and the remaining entries below it are NOT inspected. Order therefore matters: a specific 'deny host' placed below a broader 'permit network' statement will never be reached.
  • Cisco IOS allows only one ACL per interface, per protocol and per direction. This means that you can apply ACL 1 on two different interfaces, or ACL 1 and ACL 2 on the same interface but in two different directions (in and out), but not two IP ACLs inbound on the same interface.
  • The ACL number determines whether it is an IP standard ACL (numbers 1-99, expanded range 1300-1999) or an IP extended ACL (numbers 100-199, expanded range 2000-2699).
  • A standard ACL can only inspect the source IP address of the packet.
  • An extended ACL inspects both the source and the destination IP address. In addition, it can match on the protocol carried in the IP header (TCP, UDP, ICMP, OSPF, EIGRP etc.) and, for TCP and UDP, on the layer 4 port numbers (source, destination or both).
  • Standard ACLs should be placed close to the destination, extended ACLs close to the source of the transmission. The reason: a standard ACL sees only the source address, so placing it near the source would block that source's traffic to every destination, not just the one you intend. An extended ACL can match the exact flow, so dropping it near the source saves bandwidth across the network.
  • There is an IMPLICIT DENY ALL at the end of every ACL. This means that if your statements were created to deny some traffic, there must be at least one permit statement as well (typically 'permit any' at the end). Otherwise all traffic crossing the interface where the ACL has been applied will be denied (filtered out). Remember this also when you create an ACL with no entries yet: an empty ACL referenced by an interface permits everything, but as soon as the first entry is added the implicit deny applies.
The process of configuring ACLs consists of two steps:
  1. Configuring the ACL statements in the global configuration mode.
  2. Applying the ACLs on the interfaces to inbound or outbound traffic.
Standard Access Lists
A standard ACL offers you only a single criterion to single packets out from the flows a router handles: the source IP address. Based on this criterion, the router determines whether the packet should be forwarded or dropped. This type of ACL does not check whether the IP packet carries TCP, UDP, OSPF, EIGRP etc. Based on the source IP address alone, the "whole" IP packet (irrespective of its layer 4 and higher content) is forwarded or dropped.

This time, I'm going to show you the syntax taken directly from the Cisco web site. The point is that sooner or later you have to learn how to use the official Cisco documentation. You must learn to be self-reliant at work, because in many cases you will not have anyone around to take you by the hand and solve an issue.

The ultimate source of all Cisco related configuration syntax is the official Cisco IOS documentation (the IOS 12.4 command reference is used here):

Pic. 1 - IP Standard ACL Syntax.
Pic. 1 shows you the standard ACL syntax you type in the 'config' mode (global configuration mode):
  • access-list - the ACL keyword, followed by a number of arguments
  • access-list-number - IP standard ACLs use the numbers in the range 1-99 (or 1300-1999)
  • permit|deny - what is in braces '{}' are possible options; here permit or deny
  • host source | source source-wildcard | any - the source specification, again one option from the braces: 'host' followed by a single address; a network or subnet address followed by its wildcard mask; or the keyword 'any', which matches every source
  • source-wildcard - the inverted network mask ('1' becomes '0' and vice versa), e.g. 0.0.0.255 for a /24. A '1' bit in the wildcard means "do not care about this bit", a '0' bit means "this bit must match". 'host 192.168.1.5' is shorthand for '192.168.1.5 0.0.0.0', and 'any' is shorthand for '0.0.0.0 255.255.255.255'.
Bold font is the keyword that you must use.
Italic font is the argument that follows the keyword.
| - a pipe is the logical 'or' statement giving you multiple choices.
{} - in braces the possible options are listed.

The next step in configuring an ACL (standard or Extended) is to apply it on the interface in either inbound or outbound direction.

Pic. 2 - Applying ACL on the Interface.
interface - the keyword to enter the interface context (must be in the 'config' mode)
<interface> - type/number of the interface (e.g. interface Fa0/0)
ip access-group - the keyword that applies an ACL on the interface
number - the number of the access-list configured in the 'config' mode (standard ACLs use the range 1-99 or 1300-1999)
in|out - the direction, inbound or outbound, in which packets are going to be checked against the ACL

An ACL applied as 'in' analyzes the packets arriving at the router on that interface (the interface where the packet was received). Based on the criteria defined in the ACL, the packet is either processed further (a layer 3 lookup is performed to find the outbound interface) or dropped before any routing decision is made.

If you apply the ACL as 'out', the incoming interface does NOT compare the packet with the ACL statements. The router performs a layer 3 lookup immediately. Once the outbound interface is found, and an ACL is applied there as 'out', the ACL statements are analyzed one by one (top-down). Once a match is found (permit or deny), the packet is or is not sent out that interface. Note that an outbound ACL does not check packets the router itself generates (e.g. its own routing updates), only transit traffic.

Remember, that IP standard ACLs check the source IP only!
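To tie the syntax of Pic. 1 and the 'in'/'out' application of Pic. 2 together, here is a small model of the processing described above. It is an added example written for this post, not Cisco code: it parses numbered standard access-list statements and their 'ip access-group' bindings from a constructed sample configuration, matches on the source address only using the wildcard-mask rule, walks each list top-down with first match wins and the implicit deny at the end, and shows that an inbound ACL runs before the route lookup while an outbound ACL runs after it. The interface names, addresses and static routes are all assumptions made up for the example.

```python
"""Toy model of IOS standard ACL processing (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample configuration, not taken from the original post.
# ACL 10 (inbound on the LAN interface) blocks one host and, via the
# implicit deny, anything not sourced from the LAN. ACL 20 (outbound on
# the same interface) keeps 10.0.0.0/8 sources away from the LAN.
SAMPLE_CONFIG = """
access-list 10 deny   host 192.168.1.5
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 20 deny   10.0.0.0 0.255.255.255
access-list 20 permit any
interface FastEthernet0/0
 ip access-group 10 in
 ip access-group 20 out
"""

# Constructed routing table: (prefix, egress interface). Fa0/0 faces the LAN.
SAMPLE_ROUTES = [
    (ipaddress.IPv4Network("192.168.1.0/24"), "FastEthernet0/0"),
    (ipaddress.IPv4Network("10.0.0.0/8"), "FastEthernet0/1"),
    (ipaddress.IPv4Network("0.0.0.0/0"), "FastEthernet0/1"),
]


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Entry:
    action: str    # 'permit' or 'deny'
    source: int    # source address from the statement
    wildcard: int  # inverted mask: a 1 bit means "do not care"

    def matches(self, src: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF          # bits that must be equal
        return (to_int(src) & care) == (self.source & care)


def parse_entry(tokens: list[str]) -> Entry:
    """tokens = ['permit'|'deny', <source spec...>] from one access-list line."""
    action, spec = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny, got {action!r}")
    if spec == ["any"]:                              # any == 0.0.0.0 255.255.255.255
        return Entry(action, 0, 0xFFFFFFFF)
    if spec[0] == "host" and len(spec) == 2:         # host A == A 0.0.0.0
        return Entry(action, to_int(spec[1]), 0)
    if len(spec) == 1:                               # bare address: IOS implies 0.0.0.0
        return Entry(action, to_int(spec[0]), 0)
    if len(spec) == 2:                               # address + wildcard mask
        return Entry(action, to_int(spec[0]), to_int(spec[1]))
    raise ValueError(f"bad source spec {spec!r}")


@dataclass
class Router:
    acls: dict[int, list[Entry]] = field(default_factory=dict)
    bindings: dict[tuple[str, str], int] = field(default_factory=dict)  # (if, dir) -> ACL
    routes: list = field(default_factory=list)

    @classmethod
    def from_config(cls, text: str, routes) -> "Router":
        r, current_if = cls(routes=list(routes)), None
        for raw in text.splitlines():
            tok = raw.split()
            if not tok:
                continue
            if tok[0] == "access-list":
                num = int(tok[1])
                if not (1 <= num <= 99 or 1300 <= num <= 1999):
                    raise ValueError(f"{num} is not a standard IP ACL number")
                r.acls.setdefault(num, []).append(parse_entry(tok[2:]))
            elif tok[0] == "interface":
                current_if = tok[1]
            elif tok[:2] == ["ip", "access-group"]:
                r.bindings[(current_if, tok[3])] = int(tok[2])
        return r

    def evaluate(self, num: int, src: str) -> tuple[str, str]:
        """Top-down walk, first match wins, implicit deny if nothing matched."""
        for line, e in enumerate(self.acls.get(num, []), start=1):
            if e.matches(src):
                return e.action, f"ACL {num} line {line}"
        return "deny", f"ACL {num} implicit deny"

    def route(self, dst: str):
        """Longest-prefix match over the constructed routing table."""
        hits = [r for r in self.routes if ipaddress.IPv4Address(dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def forward(self, src: str, dst: str, ingress: str) -> tuple[str, str]:
        """'in' ACL before the route lookup, 'out' ACL after it; source IP only."""
        num = self.bindings.get((ingress, "in"))
        if num is not None:
            action, why = self.evaluate(num, src)
            if action == "deny":
                return "dropped", f"in on {ingress}: {why}"
        egress = self.route(dst)
        if egress is None:
            return "dropped", "no route"
        num = self.bindings.get((egress, "out"))
        if num is not None:
            action, why = self.evaluate(num, src)
            if action == "deny":
                return "dropped", f"out on {egress}: {why}"
        return "forwarded", egress


if __name__ == "__main__":
    rtr = Router.from_config(SAMPLE_CONFIG, SAMPLE_ROUTES)
    for src, dst, ingress in [
        ("192.168.1.5", "10.1.1.1", "FastEthernet0/0"),    # ACL 10 line 1 deny
        ("192.168.1.7", "10.1.1.1", "FastEthernet0/0"),    # ACL 10 line 2 permit
        ("172.16.9.9", "10.1.1.1", "FastEthernet0/0"),     # spoofed source, implicit deny
        ("10.1.1.1", "192.168.1.7", "FastEthernet0/1"),    # dropped leaving Fa0/0 (ACL 20)
        ("172.16.9.9", "192.168.1.7", "FastEthernet0/1"),  # ACL 20 'permit any'
    ]:
        print(f"{src} -> {dst} in {ingress}: {rtr.forward(src, dst, ingress)}")
```

The third case is the one to watch in practice: 172.16.9.9 is not mentioned anywhere in ACL 10, yet it is dropped, because the list ends with the implicit deny. The fourth case shows why a standard ACL sits close to the destination: ACL 20 on the LAN-facing interface stops 10.0.0.0/8 sources from reaching the LAN without touching the same sources heading anywhere else.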

In the next post, I will show you a few examples of IP standard ACLs with a detailed analysis of how they work. This and the next post should get you going with IP standard ACLs.