Standard ACLs (Access Control Lists)

The simplest ACL you can configure is the standard access control list, which permits or denies traffic based on the source address only. For this reason standard ACLs are not always practical for filtering traffic on an interface; they are more often used to match addresses for other features, such as deciding which addresses to translate with NAT, or which networks a distribution list should allow into a routing protocol. When a standard ACL is applied to an interface, it should be placed as close to the destination as possible so that it catches all of the traffic. Otherwise it would have to be applied at every point in the network that has a path to the destination, which is an administrative burden.

Standard access control list syntax

An access list is defined from global configuration mode using the access-list command, which has the following syntax:

Router(config)#access-list <access-list-number> {permit|deny} {host <source> | <source> <source-wildcard> | any}

There are three elements to a standard ACL: the ACL number, the action to perform, and the source.

ACL Number: Standard access control lists are identified by a number (names can be used too, covered later) between either 1 and 99 inclusive, or 1300 and 1999 inclusive, the latter of which is known as the expanded range.

Action: The action simply defines whether addresses that match should be permitted, or denied.

Source: This element is the more complicated part of the access list, as it can take three forms. You can match all hosts with the keyword any, a single host by entering its IP address (optionally preceded by the keyword host), or an entire network by entering an address followed by a wildcard mask.

Wildcard masks

Wildcard masks are matching rules that use bit logic just like subnet masks, except that the meaning of the bits is inverted: a 1 bit means "ignore this bit" and a 0 bit means "this bit must match". They are not simply inverted subnet masks, though, because the 1s and 0s need not be contiguous, which allows some exotic rules. If, for example, you only wanted to match addresses starting with 128 and with an even 3rd octet, the wildcard mask would be 127.0.1.0. In practice they are rarely used in this manner and can generally be thought of as inverted subnet masks. To convert between a subnet mask and a wildcard mask, subtract the mask from 255.255.255.255. For example, the wildcard mask that matches a class C subnet (255.255.255.0) is 0.0.0.255:

+-----+-----+-----+-----+
| 255 | 255 | 255 | 255 |
|-255 |-255 |-255 |- 0  |
+-----+-----+-----+-----+
|  0  |  0  |  0  | 255 |
+-----+-----+-----+-----+

Standard access list example

Consider the example access list below:

access-list 50 deny 192.168.1.0 0.0.0.255
access-list 50 deny 192.168.2.3
access-list 50 permit any

Reading each entry as its three elements (number, action, source), we can easily see that all of the access control entries (ACEs) belong to access list 50. The first ACE denies all traffic sourced from the network 192.168.1.0/24, the second denies the single host 192.168.2.3, and the final entry permits all other traffic.

Practice access lists

Using a pen and paper, see if you can create 3 access lists, numbered 1-3, that match these rules:

ACL 1: The networks 172.16.0.0/16 and 172.17.0.0/16 should be permitted access, with all others denied.

ACL 2: All hosts within the network 192.168.50.0/23 should be denied access, except hosts 192.168.50.128-255. All other hosts should be permitted access.

ACL 3: Create an access list that only denies the network 10.0.0.0/19.

ACL 1 Answer

There are two methods that meet this objective: either a two-line access list with each line permitting one class B network, or a single-line access list that permits both of them at once. Remember that there is an implicit deny at the end of every access list, so there is no need to declare it.

access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 172.17.0.0 0.0.255.255
or
access-list 1 permit 172.16.0.0 0.1.255.255

ACL 2 Answer

When making this access list, remember that order matters and that ACL evaluation stops at the first match. To that end, the range of hosts within the subnet that must not be denied should be permitted first, then the rest of the subnet denied. Finally, add an explicit permit for everything else.

access-list 2 permit 192.168.50.128 0.0.1.127
access-list 2 deny 192.168.50.0 0.0.1.255
access-list 2 permit any

ACL 3 Answer

Two lines will meet the objectives of this access list.

access-list 3 deny 10.0.0.0 0.0.31.255
access-list 3 permit any
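To see the wildcard-mask rules, first-match evaluation and the implicit deny work together, here is an added Python model of a standard ACL. It is not IOS code or code from the original page; the parser, the evaluator and the sample source addresses fed to it are my own constructions. It loads the page's example list 50 and the three practice answers and reports what each list does with a given source address.

```python
"""Toy evaluator for Cisco-style standard ACLs (added example, not from the page).

Models wildcard-mask matching, subnet-mask to wildcard conversion, first-match
evaluation and the implicit deny, then checks the page's list 50 and the three
practice answers against constructed sample source addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_from_mask(mask: str) -> str:
    """Subtract the subnet mask from 255.255.255.255 to get the wildcard mask."""
    return int_to_ip(0xFFFFFFFF - ip_to_int(mask))


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """Wildcard 1-bits are ignored; every 0-bit position must equal ref."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(ref) & care)


@dataclass
class Ace:
    number: int
    action: str      # "permit" or "deny"
    ref: str         # reference address
    wildcard: str    # 0.0.0.0 for one host, 255.255.255.255 for any


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N {permit|deny} {any | host A | A | A W}' line."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    number, action, src = int(parts[1]), parts[2], parts[3:]
    if src == ["any"]:
        return Ace(number, action, "0.0.0.0", "255.255.255.255")
    if src[0] == "host":
        return Ace(number, action, src[1], "0.0.0.0")
    if len(src) == 1:  # a bare address is treated as a single host
        return Ace(number, action, src[0], "0.0.0.0")
    return Ace(number, action, src[0], src[1])


def load(config: str) -> List[Ace]:
    return [parse_ace(line) for line in config.strip().splitlines() if line.strip()]


def evaluate(acl: List[Ace], source: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if wildcard_match(source, ace.ref, ace.wildcard):
            return ace.action
    return "deny"


# The page's example list 50 and the practice answers.
ACL_50 = load("""
access-list 50 deny 192.168.1.0 0.0.0.255
access-list 50 deny 192.168.2.3
access-list 50 permit any
""")
ACL_1_TWO_LINE = load("""
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 172.17.0.0 0.0.255.255
""")
ACL_1_ONE_LINE = load("access-list 1 permit 172.16.0.0 0.1.255.255")
ACL_2 = load("""
access-list 2 permit 192.168.50.128 0.0.1.127
access-list 2 deny 192.168.50.0 0.0.1.255
access-list 2 permit any
""")
ACL_3 = load("""
access-list 3 deny 10.0.0.0 0.0.31.255
access-list 3 permit any
""")

if __name__ == "__main__":
    print("class C wildcard:", wildcard_from_mask("255.255.255.0"))
    for src in ("192.168.1.77", "192.168.2.3", "192.168.2.4"):  # constructed samples
        print("ACL 50", src, "->", evaluate(ACL_50, src))
```

The two forms of ACL 1 can be compared directly with evaluate(): every source address gets the same verdict from the two-line and the one-line version, which is the equivalence the answer above relies on.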
