Network security is a crucial element of any network strategy, and Cisco routers can be used as part of it. The most important tool in Cisco IOS software for that purpose is the IP access list, also called an access control list (ACL). IP access lists define rules that prevent some packets from flowing through the network and should implement part of an organization's security policy.
IP access lists cause a router to discard some packets based on criteria that the network engineer defines by means of filters. The goal of these filters is to keep unwanted traffic out of the network.
There are two main categories of IOS IP ACLs:
- Standard Access Lists, which use simpler logic; and
- Extended Access Lists, which use more-complex logic.
Section 8.1: Standard IP Access Lists
Filtering logic can be configured on any router and on any of its interfaces. Cisco IOS software applies the filtering logic of an IP access list either as a packet enters an interface or as it exits the interface. In other words, IOS associates an IP access list with an interface, and specifically with traffic either entering or exiting that interface. After you have chosen the router on which you want to place the access list, you must choose the interface on which to apply the access logic, as well as whether to apply the logic to inbound or outbound packets. One caveat worth remembering: an outbound access list filters only packets that the router forwards; packets the router itself generates (routing protocol updates, ICMP messages, management traffic) are not checked by an outbound list on the exit interface.
The key features of Cisco IP access lists are:
- Packets can be filtered as they enter an interface, before the routing decision.
- Packets can be filtered before they exit an interface, after the routing decision.
- Deny is the term used in Cisco IOS software to mean that the packet will be filtered (discarded).
- Permit is the term used in Cisco IOS software to mean that the packet will not be filtered.
- The filtering logic is configured in the access list.
- If a packet does not match any of your access list statements, it is discarded; every access list ends with an implicit deny.
Access lists have two major steps in their logic: matching, which determines whether the packet matches an access-list statement; and action, which can be either deny or permit. Deny means to discard the packet, and permit means that the packet should be allowed. With a multiple-entry ACL, IOS applies the entries in the order they were configured, and the first entry that matches decides the fate of the packet. The logic can be summarized as follows:
Step 1: The matching parameters of the access-list statement are compared to the packet.
Step 2: If a match is made, the action defined in this access-list statement (permit or deny) is performed, and no further statements are examined.
Step 3: If no match is made in Step 1, repeat Steps 1 and 2 using each successive statement in the IP access list until a match is made.
Step 4: If no statement in the access list matches, the deny action is performed (the implicit deny).
Because the first match wins, the order of the statements matters: a later statement that is entirely covered by an earlier one can never be reached.
8.1.1: Wildcard Masks
IOS IP access lists match packets by looking at the IP, TCP, and UDP headers in the packet. Standard IP access lists, however, examine only the source IP address. You can configure the router to match the entire IP address or just a part of it. When defining the ACL statements, you define a wildcard mask along with the IP address. The wildcard mask tells the router which bits of the IP address in the configuration statement must be compared with the corresponding bits of the source address in the packet header. Wildcard masks look similar to subnet masks, in that they are 32-bit numbers written in dotted decimal, but their meaning is different: the 0 bits in the wildcard mask tell the router that the corresponding address bits must be compared when performing the matching logic, and the 1 bits tell the router that those address bits do not need to be compared. Thus:
- wildcard mask 0.0.0.0, which in binary form is 00000000.00000000.00000000.00000000, indicates that the entire IP address must be matched (IOS also accepts the keyword host in place of this mask);
- wildcard mask 0.0.0.255, which in binary form is 00000000.00000000.00000000.11111111, indicates that the first 24 bits of the IP address must be matched;
- wildcard mask 0.0.31.255, which in binary form is 00000000.00000000.00011111.11111111, indicates that the first 19 bits of the IP address must be matched; and
- wildcard mask 255.255.255.255 indicates that no bits need to be matched, so every source address matches (IOS also accepts the keyword any for this case).
8.1.2: Standard IP Access List Configuration
A standard access list is used to match a packet and then take the configured action. Each standard IP access list can match all, or only part, of the packet's source IP address. The only two actions taken when an access-list statement is matched are to either deny or permit the packet. The configuration commands required are:
access-list access-list-number {deny | permit} source [source-wildcard] [log]
, a global configuration command that adds one statement to a standard numbered access list (standard lists use numbers 1 to 99 and 1300 to 1999; if source-wildcard is omitted, IOS uses 0.0.0.0, and the optional log keyword makes the router log packets that match the statement);
ip access-group {number | name} [in | out]
, an interface subcommand that enables the access list on that interface for the given direction; and
access-class {number | name} [in | out]
, a line subcommand that applies either a standard or an extended access list to the router's vty lines, so that it controls who may open a Telnet or SSH session to the router itself rather than what traffic passes through it.
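The following Python script is an added example, not part of the original text or of Cisco IOS: it simulates the behaviour described above so you can check an access list before typing it into a router. It parses standard numbered access-list statements and an ip access-group subcommand from a constructed configuration snippet, applies the wildcard-mask comparison, walks the list with first-match-wins semantics and the implicit deny, and, going one step beyond the text, reports statements that can never be reached because an earlier statement already covers every address they match. The configuration, interface name and addresses are made up for illustration.

```python
"""Simulate Cisco IOS standard IP access-list matching (added example)."""
import ipaddress

# Constructed sample configuration (not from the original page): four statements
# of standard numbered access list 1, then the interface subcommand that applies
# the list to packets entering Serial0/0. Statement 3 is deliberately shadowed
# by statement 1, so it can never match anything.
SAMPLE_CONFIG = """\
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny 10.1.0.0 0.0.31.255
access-list 1 permit host 10.1.1.5
access-list 1 permit 172.16.0.0 0.0.255.255
!
interface Serial0/0
 ip access-group 1 in
"""

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def fixed_bits(wildcard):
    """Number of address bits the router must compare: the 0 bits of the wildcard."""
    return 32 - bin(to_int(wildcard)).count("1")


def matches(src, addr, wildcard):
    """Compare only the bits where the wildcard mask is 0; a 1 bit means 'do not care'."""
    care = ~wildcard & ALL_ONES
    return (src & care) == (addr & care)


def parse_config(text):
    """Return ({acl_number: [(action, addr, wildcard), ...]},
               {(interface, direction): acl_number})."""
    acls, groups, iface = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":
            number, action, rest = int(tok[1]), tok[2], tok[3:]
            if rest[0] == "any":                 # any == 0.0.0.0 255.255.255.255
                addr, wildcard = 0, ALL_ONES
            elif rest[0] == "host":              # host X == X 0.0.0.0
                addr, wildcard = to_int(rest[1]), 0
            else:                                # omitted wildcard defaults to 0.0.0.0
                addr = to_int(rest[0])
                wildcard = to_int(rest[1]) if len(rest) > 1 else 0
            acls.setdefault(number, []).append((action, addr, wildcard))
        elif tok[0] == "interface":
            iface = tok[1]
        elif tok[:2] == ["ip", "access-group"]:
            groups[(iface, tok[3])] = int(tok[2])
    return acls, groups


def evaluate(entries, src):
    """First match wins; a packet matching no statement hits the implicit deny.
    Returns (action, 1-based statement number) or ('deny', None)."""
    s = to_int(src)
    for pos, (action, addr, wildcard) in enumerate(entries, start=1):
        if matches(s, addr, wildcard):
            return action, pos
    return "deny", None


def filter_packet(config, interface, direction, src):
    """Apply the list bound to (interface, direction). With no list applied in
    that direction the interface does not filter at all."""
    acls, groups = config
    number = groups.get((interface, direction))
    if number is None:
        return "permit", None
    return evaluate(acls[number], src)


def shadowed_entries(entries):
    """Statements that an earlier statement fully covers, as (later, earlier) pairs.
    Statement j is a subset of i when every bit i compares is also fixed by j
    and the two statements agree on those bits."""
    found = []
    for j, (_, aj, wj) in enumerate(entries):
        for i, (_, ai, wi) in enumerate(entries[:j]):
            care_i = ~wi & ALL_ONES
            if (wj & care_i) == 0 and (aj & care_i) == (ai & care_i):
                found.append((j + 1, i + 1))
                break
    return found


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for src in ("10.1.1.77", "10.1.9.3", "10.1.40.1", "172.16.4.4"):
        print(src, "inbound on Serial0/0 ->", filter_packet(cfg, "Serial0/0", "in", src))
    print("wildcard 0.0.31.255 fixes", fixed_bits("0.0.31.255"), "bits")
    print("unreachable statements:", shadowed_entries(cfg[0][1]))
```

Running the script shows 10.1.1.5 being permitted by statement 1 rather than statement 3, 10.1.9.3 being denied by the 0.0.31.255 statement, and 10.1.40.1 (outside the 10.1.0.0 to 10.1.31.255 range) falling through to the implicit deny. The same packet sent outbound on Serial0/0 is not filtered at all, because no list is applied in that direction.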
The standard access list configuration can be verified using the following show commands:
show ip interface [type number]
, which includes a reference to the access lists enabled on the interface, inbound and outbound;
show access-lists [access-list-number | access-list-name]
, which shows the details of configured access lists for all protocols, including a match counter for each statement, so you can confirm that a statement is actually being hit; and
show ip access-lists [access-list-number | access-list-name]
, which shows only the IP access lists.