IP ACLs cause a router to discard some packets based on criteria defined by the network engineer. The goal of these filters is to prevent unwanted traffic in the network.
IP access lists can also be used to filter routing updates, match packets for prioritization, to match packets for VPN tunneling, and to match packets for implementing QoS features. ACLs are also used as part of configuring Network Address Translation (NAT).
IP Standard ACL Concepts
Engineers need to decide which packets to filter and where in the network to place the ACL.
Cisco IOS applies the filtering logic of an ACL either as a packet enters an interface or as it exits one. An ACL is associated with a specific interface and a direction, that is, whether it examines traffic entering or exiting that interface. After you have chosen the router on which to place the access list, you must also choose the interface on which to apply the access logic and whether to apply it to inbound or outbound packets.
Key features of Cisco access lists:
- Packets can be filtered as they enter an interface, before the routing decision.
- Packets can be filtered before they exit an interface, after the routing decision.
- Deny is the term used in Cisco IOS software to imply that the packet will be filtered.
- Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.
- The filtering logic is configured in the access list.
- At the end of every access list is an implied “deny all traffic” statement. Therefore, if a packet does not match any of your access list statements, it is blocked.
Access lists have two major steps in their logic: matching and action. Matching logic examines each packet and determines whether it matches the access-list statement. IP ACLs tell the router to take one of two actions when a statement is matched: deny or permit. Deny means to discard the packet, and permit implies that the packet should continue on its way.
Cisco calls its packet-filter features “access control lists” in part because the logic is created with multiple configuration commands that are considered to be in the same list. When an access list has multiple entries, IOS searches the list sequentially until the first statement is matched. The matched statement determines the action to be taken.
Summary of the IOS logic for a multiple-entry ACL:
1. The matching parameters of the access-list statement are compared to the packet.
2. If a match is made, the action defined in this access-list statement (permit or deny) is performed.
3. If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made.
4. If no match is made with an entry in the access list, the deny action is performed.
IOS IP ACLs match packets by looking at the IP, TCP, and UDP headers in the packet. Extended access lists can check source and destination IP addresses, as well as source and destination port numbers, along with several other fields. Standard IP access lists can only examine the source IP address.
You can tell the router to match based on the entire IP address or just a part of the IP address.
Cisco wildcard masks define the portion of the IP address that should be examined. When defining the ACL statements, as you’ll see in the next section of this chapter, you can define a wildcard mask along with the IP address. The wildcard mask tells the router which part of the IP address in the configuration statement must be compared with the packet header.
Wildcard masks look similar to subnet masks, but they are not the same. Wildcard masks represent a 32-bit number, as do subnet masks. However, the wildcard mask’s 0 bits tell the router that those corresponding bits in the address must be compared when performing the matching logic. The binary 1s in the wildcard mask tell the router that those bits do not need to be compared. In fact, many people call these bits the “don’t care” bits.
Sample Access List Wildcard Masks
| Wildcard Mask | Binary Version of the Mask | Description |
|---|---|---|
| 0.0.0.0 | 00000000.00000000.00000000.00000000 | The entire IP address must match. |
| 0.0.0.255 | 00000000.00000000.00000000.11111111 | Just the first 24 bits must match. |
| 0.0.255.255 | 00000000.00000000.11111111.11111111 | Just the first 16 bits must match. |
| 0.255.255.255 | 00000000.11111111.11111111.11111111 | Just the first 8 bits must match. |
| 255.255.255.255 | 11111111.11111111.11111111.11111111 | Automatically considered to match any and all addresses. |
| 0.0.15.255 | 00000000.00000000.00001111.11111111 | Just the first 20 bits must match. |
| 0.0.3.255 | 00000000.00000000.00000011.11111111 | Just the first 22 bits must match. |
A wildcard of 0.0.0.0 means that the entire IP address must be examined, and be equal, to be considered a match. 0.0.0.255 means that the last octet automatically matches, but the first 3 must be examined, and so on. More generally, the wildcard mask means the following:
Bit positions of binary 0 mean that the access list compares the corresponding bit position in the packet's IP address and makes sure it is equal to the same bit position in the address configured in the access-list statement. Bit positions of binary 1 are “don’t care” bits. Those bit positions are immediately considered to be a match.
0.0.15.255 in binary is 20 binary 0s followed by 12 binary 1s. This means that the first 20 bits must match. Similarly, 0.0.3.255 means that the first 22 bits must be examined to find out if they match. If the subnet mask is 255.255.240.0 and you want to match all hosts in the same subnet, the 0.0.15.255 wildcard means that all network and subnet bits must be matched, and all host bits are automatically considered to match. In general, if you want a wildcard mask that helps you match all hosts in a subnet, invert the subnet mask, and you have the correct wildcard mask.
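The following Python is an added example, not part of the original text or of Cisco IOS, that implements the two ideas above: the bit-level wildcard comparison (0 bits must be equal, 1 bits are "don't care") and the sequential first-match evaluation of a standard ACL, including the implied deny at the end. The ACL entries and the packet source addresses are constructed sample values; the function names are this example's own.

```python
import ipaddress

# Constructed sample standard ACL (not from the page). A standard ACL checks only the
# source address. Each entry is (action, address, wildcard); IOS evaluates top-down
# and stops at the first match.
ACL_1 = [
    ("deny", "172.16.200.10", "0.0.0.0"),     # exactly one host
    ("permit", "172.16.200.0", "0.0.7.255"),  # 172.16.200.0 - 172.16.207.255
    ("permit", "10.0.0.0", "0.255.255.255"),  # only the first 8 bits are compared
]


def to_int(dotted):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_addr, acl_addr, wildcard):
    """True if packet_addr matches acl_addr under the wildcard mask.

    A 0 bit in the wildcard means the corresponding address bits must be equal;
    a 1 bit is a "don't care" bit and matches automatically. Inverting the
    wildcard therefore gives the set of bits that must be compared.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


def must_match_bits(wildcard):
    """Number of leading address bits the ACL examines (the 'first N bits must match'
    column of the table) for a wildcard whose 1 bits are contiguous at the low end.
    Returns None for a non-contiguous wildcard such as 0.255.0.255, where the
    answer is not a simple prefix length.
    """
    w = to_int(wildcard)
    ones = w.bit_length()
    if w != (1 << ones) - 1:
        return None
    return 32 - ones


def evaluate_acl(acl, src_addr):
    """Sequential first-match evaluation of a standard ACL.

    Returns (action, index): index is the position of the matching entry, or
    None when no entry matched and the implied "deny all" at the end applies.
    """
    for index, (action, addr, wildcard) in enumerate(acl):
        if wildcard_match(src_addr, addr, wildcard):
            return action, index
    return "deny", None


if __name__ == "__main__":
    for src in ("172.16.200.10", "172.16.203.7", "172.16.208.1", "10.200.1.1"):
        print(src, "->", evaluate_acl(ACL_1, src))
    for wc in ("0.0.0.0", "0.0.0.255", "0.0.15.255", "0.0.3.255", "255.255.255.255"):
        print(wc, "examines the first", must_match_bits(wc), "bits")
```

Note that 172.16.200.10 is denied by the first entry even though the second entry would permit it: ordering decides, which is why a host-specific deny is placed before a broader permit. 172.16.208.1 matches nothing and falls through to the implied deny.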
Interpreting Wildcard Masks Quickly
Both IP standard ACLs (source IP address only) and extended ACLs (both source and destination addresses) can be configured to examine all or part of an IP address based on the wildcard mask. For the exams, working with the masks in binary may be slow and laborious unless you master binary-to-decimal conversion and vice versa.
In many cases, an ACL needs to match all hosts in a particular subnet. To match a subnet with an ACL, you can use the following shortcut:
* Use the subnet number as the address value in the access-list command.
* Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.
For example, for subnet 172.16.8.0/255.255.252.0, use the subnet number 172.16.8.0 as the address parameter, and then do the following subtraction to find the wildcard mask:
255.255.255.255 – 255.255.252.0 = 0.0.3.255
Some exam questions may not ask that you pick the ACL statement that needs to be configured, instead asking that you interpret some existing access-list commands. Typically, these questions list preconfigured ACL statements, or you need to display the contents of an ACL from a router simulator, and you need to decide which statement a particular packet matches. To do that, you need to determine the range of IP addresses matched by a particular address/wildcard mask combination in each ACL statement.
If you have mastered subnetting math using any of the decimal shortcuts, avoiding binary math, another shortcut can be used to analyze each existing address/wildcard pair in each ACL command. To do so:
Step 1: Use the address in the access-list command as if it were a subnet number.
Step 2: Use the number found by subtracting the wildcard mask from 255.255.255.255 as a subnet mask.
Step 3: Treat the values from the first two steps as a subnet number and subnet mask, and find the broadcast address for the subnet. The ACL matches the range of addresses between the subnet number and the broadcast address, inclusively.
The range of addresses identified by this process is the same range of addresses matched by the ACL. So, if you can already find a subnet’s range of addresses quickly and easily, using this process to convert an ACL’s math into subnet math may help you find the answer more quickly on the exams. For example, with the command access-list 1 permit 172.16.200.0 0.0.7.255, you would first think of 172.16.200.0 as a subnet number. Then you could calculate the assumed subnet mask of 255.255.248.0: 255.255.255.255 – 0.0.7.255 = 255.255.248.0.
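The following Python is an added example, not part of the original text or of Cisco IOS, that automates both shortcuts: the subnet-mask-to-wildcard subtraction from the earlier list, and the three-step address/wildcard-to-range procedure just described. It subtracts octet by octet exactly as the page does by hand and then uses the standard library's ipaddress module to find the subnet number and broadcast address. The function names are this example's own, and the inputs in the usage section are the page's own values.

```python
import ipaddress


def subtract_dotted(a, b):
    """Octet-by-octet subtraction, e.g. 255.255.255.255 - 255.255.252.0 = 0.0.3.255.
    Subtracting from 255.255.255.255 never borrows, so this is the same as
    inverting every bit of b.
    """
    return ".".join(str(int(x) - int(y)) for x, y in zip(a.split("."), b.split(".")))


def wildcard_for_subnet(subnet_mask):
    """Shortcut: the wildcard that matches every host in a subnet is
    255.255.255.255 minus the subnet mask."""
    return subtract_dotted("255.255.255.255", subnet_mask)


def acl_match_range(address, wildcard):
    """Steps 1-3 from the text: treat the ACL address as a subnet number, treat
    255.255.255.255 - wildcard as its subnet mask, and return
    (assumed_mask, first_address, last_address) where the range runs from the
    subnet number to the broadcast address inclusive.

    Only wildcards whose 1 bits are contiguous at the low end (e.g. 0.0.7.255)
    correspond to a real subnet mask; anything else makes ipaddress raise
    ValueError, which is the right outcome because the shortcut does not apply.
    """
    assumed_mask = subtract_dotted("255.255.255.255", wildcard)
    # strict=False: an ACL address may have host bits set; IOS still compares
    # only the bits the wildcard says to compare, so we normalise to the subnet.
    net = ipaddress.IPv4Network((address, assumed_mask), strict=False)
    return assumed_mask, str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    # Values from the text: subnet 172.16.8.0/255.255.252.0
    print("wildcard for 255.255.252.0:", wildcard_for_subnet("255.255.252.0"))
    # access-list 1 permit 172.16.200.0 0.0.7.255
    mask, first, last = acl_match_range("172.16.200.0", "0.0.7.255")
    print("assumed mask", mask, "range", first, "-", last)
```

Running this reproduces the page's arithmetic (255.255.252.0 gives 0.0.3.255, and 172.16.200.0 with 0.0.7.255 gives an assumed mask of 255.255.248.0) and then carries Step 3 through to the actual address range the ACL entry matches.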