CCNA 1 and 2 Companion Guide, Revised (Cisco Networking Academy Program), part 88

1102.book Page 839 Tuesday, May 20, 2003 2:53 PM
Objectives
Upon completion of this chapter, you will be able to
■ Understand the purpose of ACLs
■ Describe how ACLs work
■ Determine which wildcard mask should be used
■ Describe and use standard ACLs, extended ACLs, and named ACLs
■ Describe a simple firewall architecture
Chapter 20
Access Control Lists
In this chapter, you learn about using standard and extended access control lists (ACLs) as
a means to control network traffic and how ACLs are used as part of a security solution.
In addition, this chapter includes tips, considerations, recommendations, and general
guidelines on how to use ACLs, and includes the commands and configurations needed to
create ACLs. Finally, this chapter provides examples of standard and extended ACLs and
shows how to apply ACLs to router interfaces.
Please be sure to look at this chapter’s associated e-Labs, Videos, and PhotoZooms that you will find on the CD-ROM accompanying this book. These CD elements are designed to supplement the material and reinforce the concepts introduced in this chapter.
ACL Overview
Network administrators must be capable of denying unwanted access to the network while allowing appropriate access. Although security tools such as passwords, callback equipment, and physical security devices are helpful, they often lack the flexibility of basic traffic filtering and the specific controls that most administrators prefer. For example, a network administrator might want to allow users access to the Internet but might not want external users Telnetting into the LAN.
Routers provide basic traffic-filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential collection of permit or deny statements that apply to addresses or upper-layer protocols.
It is important to configure ACLs correctly and to know where to place ACLs on the
network. ACLs serve multiple purposes in a network. Common ACL functions include
the following:
■ Filtering packets internally
■ Protecting the internal network from illegal Internet access
■ Restricting access to virtual terminal ports
ACLs are lists of instructions that you apply to a router’s interface. These lists tell the
router what kinds of packets to accept and what kinds of packets to deny. Acceptance
and denial can be based on certain specifications, such as source address, destination
address, and TCP/UDP port number.
ACLs enable you to manage traffic and scan specific packets by applying the ACL to a router interface. Any traffic going through the interface is tested against certain conditions that are part of the ACL.
ACLs can be created for all routed network protocols, such as Internet Protocol (IP)
and Internetwork Packet Exchange (IPX), to filter packets as the packets pass through
a router. ACLs can be configured at the router to control access to a network or subnet.
ACLs filter network traffic by controlling whether routed packets are forwarded or
blocked at the router’s interfaces. The router examines each packet to determine
whether to forward or drop it, based on the conditions specified in the ACL. ACL
conditions could be the source address of the traffic, the destination address of the
traffic, the upper-layer protocol, the port, or applications.
ACLs must be defined on a per-protocol basis. In other words, you must define an ACL for every protocol enabled on an interface if you want to control traffic flow for that protocol on that interface. (Note that some protocols refer to ACLs as filters.) For example, if your router interface were configured for IP, AppleTalk, and IPX, you would need to define at least three ACLs. As shown in Figure 20-1, ACLs can be used as a tool for network control by adding the flexibility to filter the packets that flow in or out of router interfaces. This is accomplished by establishing a numbering range or scheme for each protocol’s ACL. You learn more about the ACL numbers later in this chapter.
NOTE: ACLs consume CPU resources in the router because every packet has to be punted to the CPU.
Figure 20-1 ACL Example
Why Create ACLs?
Many reasons exist for creating ACLs. ACLs can be used to do the following:
■ Limit network traffic and increase network performance. For example, ACLs can designate certain packets to be processed by a router before other traffic, on the basis of a protocol. This is referred to as queuing. Queuing ensures that routers will not process packets that are not needed. As a result, queuing limits network traffic and reduces network congestion.
■ Provide traffic flow control. For example, ACLs can restrict or reduce the contents of routing updates. These restrictions are used to limit information about specific networks from propagating through the network.
■ Provide a basic level of security for network access. ACLs can allow one host to access a part of your network and prevent another host from accessing the same area. In Figure 20-2, Host A is allowed to access the Human Resources network, and Host B is prevented from accessing the Human Resources network. If you do not configure ACLs on your router, all packets passing through the router could be allowed onto all parts of the network.
■ Decide which type of traffic is forwarded or blocked at the router interface. For example, you can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.
[Figure 20-1 elements: FDDI and Token Ring networks 172.16.0.0 and 172.17.0.0, the Internet, and an ACL on each router interface]
NOTE: The rule of thumb is one ACL per interface per direction.
Figure 20-2 Limiting Network Traffic
[Figure 20-2 elements: Host A, Host B, the Human Resources network, and the Research and Development network, with an X marking the blocked path]
Creating an ACL: Why Order Matters
Order matters when creating an ACL. As traffic enters or exits a router’s interface where an ACL is applied, Cisco IOS Software compares the packet against the rules defined in the ACL. Statements are evaluated in the order they were entered into the ACL by the network administrator. The packet is compared against each statement, one at a time in sequence, until a match is found. After a match is found, the action specified in the line matching the traffic in question is taken. No more conditions are checked.
For example, if a condition statement permitting all traffic is created, statements added later will never be checked. If additional statements are required or if statements must be changed, you must delete the ACL and re-create it with the new statements. It is a good idea to use a PC text editor to create and modify ACLs and then send them to the router via Trivial File Transfer Protocol (TFTP) or HyperTerminal text file transfer.
Using ACLs
You can create an ACL for each protocol that you want to filter for each router interface. For some protocols, you create one ACL to filter inbound traffic and one ACL to filter outbound traffic.
After an ACL statement checks a packet for a match, the packet can be denied or permitted to use an interface in the access group. Cisco IOS Software ACLs check the packet and upper-layer headers, as shown in Figure 20-3.
NOTE: When an ACL is created, new lines are added to the end of the ACL. Individual lines cannot be deleted. Only entire ACLs can be deleted.
Figure 20-3 Checking the Packet and Upper-Layer Headers
How ACLs Work
An ACL is a group of statements that define how packets do the following:
■ Enter inbound router interfaces
■ Relay through the router
■ Exit outbound router interfaces
As shown in Figure 20-4, the beginning of the communication process is the same, whether ACLs are used or not. As a packet enters an interface, the router checks to see whether the packet is routable or bridgeable. The router then checks whether the inbound interface has an ACL. If one exists, the packet is tested against the conditions in the list. If the packet is allowed, it then is checked against routing table entries to determine the destination interface. ACLs do not filter packets that originate in the router itself; they filter only packets arriving from other sources.
Next, the router checks whether the destination interface has an ACL. If it does not,
the packet can be sent to the destination interface directly; for example, if it will use
E0, which has no ACLs, the packet uses E0 directly.
ACL statements operate in a sequential, logical order. If a condition match is true, the
packet is permitted or denied and the rest of the ACL statements are not checked. If all
the ACL statements are unmatched, an implicit deny any statement is imposed. Even
though you will not see the deny any as the last line of an ACL, it is there by default. In
Figure 20-5, if by matching the first test a packet is denied access to the destination, it
is discarded and dropped into the bit bucket. It is not exposed to any ACL tests that
follow. If the packet does not match the conditions of the first test, it drops to the next
statement in the ACL.
[Figure 20-3 elements: frame header (for example, HDLC), packet (IP header), and segment (for example, TCP header); the access list statements test the packet’s source address, destination address, protocol, and port number and then permit or deny it]
Figure 20-4 How ACLs Work
Figure 20-5 ACL Test Matching and Implicit deny any
[Figure 20-4 flow: packet arrives on inbound interface -> route/bridge? (N: packet discard bucket) -> inbound ACL? (Y: test ACL statements -> permit? N: discard and notify sender) -> routing table entry? -> choose interface -> outbound ACL? -> packets to interface(s) in the access group -> destination interface(s)]
[Figure 20-5 flow: match first test? Y: permit or deny; N: match next test(s)? Y: permit or deny; N: match next test? ... -> implicit deny]
ACLs enable you to control what clients can access on your network. Conditions in an
ACL file can do the following:
■ Screen out certain hosts to either allow or deny access to part of your network
■ Grant or deny users permission to access only certain types of applications, such
as FTP or HTTP
ACL Configuration Tasks
In practice, ACL commands can be lengthy character strings. Key tasks covered in this
section for creating ACLs include the following:
■ You create ACLs by using global configuration mode.
■ Specifying an ACL number from 1 to 99 defines a standard ACL for IP and
instructs the router to accept standard ACL statements.
■ Specifying an ACL number from 100 to 199 defines an extended ACL for IP and
instructs the router to accept extended ACL statements.
■ You must carefully select and logically order the ACL. Permitted IP protocols
must be specified; all other protocols should be denied unless required.
■ You need to select which protocols to check; any other protocols are not
checked. Later in the procedure, you can specify an optional destination port for
more precision.
■ You apply an ACL to an interface.
Although each protocol has its own set of specific tasks and rules that are required to provide traffic filtering, in general most protocols require two basic steps:
Step 1 Create an ACL definition.
Step 2 Apply the ACL to an interface.
ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic, depending on the configuration and how they are applied. Outbound ACLs generally are more efficient than inbound and, therefore, are preferred. A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface.
Assigning a Unique Number to Each ACL
When configuring ACLs on a router, you must identify each ACL uniquely by assigning a number to the protocol’s ACL. When you use a number to identify an ACL, the number must be within the specific range of numbers that is valid for the protocol. Example 20-1 defines ACLs 1 and 2 and applies the ACLs to interface Ethernet 0. Table 20-1 lists valid protocol ACL numbers.
Example 20-1 Assigning ACLs to an Interface
access-list 1 permit 5.6.0.0 0.0.255.255
access-list 1 deny 7.9.0.0 0.0.255.255
!
access-list 2 permit 1.2.3.4
access-list 2 deny 1.2.0.0 0.0.255.255
!
interface ethernet 0
 ip address 1.1.1.1 255.0.0.0
 ip access-group 1 in
 ip access-group 2 out
Table 20-1 Protocols, ACLs, and Their Corresponding Numbers
Protocol                            Range
IP                                  1 to 99
Extended IP                         100 to 199
AppleTalk                           600 to 699
IPX                                 800 to 899
Extended IPX                        900 to 999
IPX Service Advertising Protocol    1000 to 1099
Using Wildcard Mask Bits
A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit of 0 means “check the corresponding bit value,” and a wildcard mask bit of 1 means “do not check (ignore) that corresponding bit value” (see Figure 20-6).
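The following Python program is an added example, not part of the book or of Cisco IOS; it is a small simulator of the behaviour this chapter describes. It implements the wildcard-mask bit test from “Using Wildcard Mask Bits” (a 0 bit means check, a 1 bit means ignore), evaluates a standard ACL statement by statement with first match winning and the implicit deny any at the end, as described in “Creating an ACL: Why Order Matters” and “How ACLs Work,” and goes one step beyond the text with a check that reports statements shadowed by an earlier, broader statement (the “permit all first, everything after is never checked” mistake). The function names (wildcard_match, parse_standard_acl, evaluate, shadowed_statements) and ACL 3 are constructed for this example; ACLs 1 and 2 are taken from Example 20-1.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask test: a mask bit of 0 means 'check the corresponding
    address bit', a mask bit of 1 means 'ignore it'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES  # bits that must match
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    """One standard ACL statement (access control entry)."""
    action: str    # "permit" or "deny"
    base: str      # address the packet's source is compared against
    wildcard: str  # wildcard mask; 0.0.0.0 means match exactly one host


def parse_standard_acl(lines: List[str]) -> dict:
    """Parse 'access-list N permit|deny <addr> [wildcard]' lines into
    {number: [Ace, ...]}, keeping the order the statements were entered,
    because that is the order the router evaluates them in. The IOS shorthands
    'any' and 'host A.B.C.D' are accepted; non-ACL lines such as '!' are skipped."""
    acls: dict = {}
    for line in lines:
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue
        number = int(parts[1])
        if not 1 <= number <= 99:  # Table 20-1: standard IP ACLs are numbered 1 to 99
            raise ValueError(f"standard IP ACLs use numbers 1 to 99, got {number}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {line!r}")
        if parts[3] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            base, wildcard = parts[4], "0.0.0.0"
        else:
            base = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append(Ace(action, base, wildcard))
    return acls


def evaluate(acl: List[Ace], source: str) -> Tuple[str, Optional[int]]:
    """Test a packet's source address against the statements in order. The first
    match decides and nothing after it is checked; a packet matching no statement
    hits the implicit 'deny any', reported here with index None."""
    for index, ace in enumerate(acl):
        if wildcard_match(source, ace.base, ace.wildcard):
            return ace.action, index
    return "deny", None


def shadowed_statements(acl: List[Ace]) -> List[int]:
    """Indexes of statements that can never match because an earlier statement
    already matches every address they would. Such dead lines usually mean the
    ACL was entered in the wrong order."""
    shadowed = []
    for j, later in enumerate(acl):
        w_j = int(ipaddress.IPv4Address(later.wildcard))
        b_j = int(ipaddress.IPv4Address(later.base))
        for earlier in acl[:j]:
            w_i = int(ipaddress.IPv4Address(earlier.wildcard))
            b_i = int(ipaddress.IPv4Address(earlier.base))
            care_i = ~w_i & ALL_ONES
            # 'later' is fully covered when every bit the earlier statement checks
            # is also fixed by the later statement, and both fix it to the same value.
            if (w_j & care_i) == 0 and (b_j & care_i) == (b_i & care_i):
                shadowed.append(j)
                break
    return shadowed


# ACLs 1 and 2 are Example 20-1 from the chapter; ACL 3 is a constructed
# example whose second line is unreachable because the first permits everything.
EXAMPLE_20_1 = [
    "access-list 1 permit 5.6.0.0 0.0.255.255",
    "access-list 1 deny 7.9.0.0 0.0.255.255",
    "!",
    "access-list 2 permit 1.2.3.4",
    "access-list 2 deny 1.2.0.0 0.0.255.255",
]
CONSTRUCTED_ACL_3 = [
    "access-list 3 permit any",
    "access-list 3 deny 7.9.0.0 0.0.255.255",  # never reached
]
ACLS = parse_standard_acl(EXAMPLE_20_1 + CONSTRUCTED_ACL_3)

if __name__ == "__main__":
    for src in ("5.6.7.8", "7.9.1.1", "10.0.0.1"):
        print("ACL 1", src, "->", evaluate(ACLS[1], src))
    print("ACL 3 shadowed statement indexes:", shadowed_statements(ACLS[3]))
```

Running it shows 5.6.7.8 permitted by line 0 of ACL 1, 7.9.1.1 denied by line 1, and 10.0.0.1 denied by the implicit deny any even though no deny line mentions it, which is the point of “it is there by default.” The shadow check is the kind of test worth running over an ACL before it is copied to a router, since the router itself gives no warning about statements it will never reach.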