Advanced Cisco Access Control Lists (ACLs)
By Joshua Erdman
Before you read this article, be sure you are familiar with the terms and ideas from the ACL basics article. It covers how ACLs are built and when to use a standard ACL versus an extended one.
Reusing our example:
We will create an ACL that allows the users in our office to access the Internet using a range of common ports. As you can see in the example above, we have so far been specifying individual ports.
In the example, the letters 'eq' appear before the port number; this is short for 'equal to'. Other operators include:
As your access lists grow and become more complex, it is a good idea to add comments. Adding a comment is as simple as beginning the comment line with an exclamation point.
Using filter masks allows you to group IP addresses together instead of having to specify each IP address individually. For example, if you have five servers whose addresses are 10.10.10.1 - 10.10.10.5, it is easy to grant or deny access to all five with only one line in the access list. If the addresses are scattered, you either have to make five separate entries or change the IPs of the servers.
The way you specify a group of IP addresses is very similar to how a subnet mask is used, except that the 1s and 0s are inverted. For example, all the web servers on our sample network fall in the block 10.10.10.1 - 10.10.10.15 (if this were a subnet mask it would be 255.255.255.240). We would never assign the servers this subnet mask, because we want the workstations (using addresses 10.10.10.65 - 10.10.10.254) to talk directly to the servers; this prevents our router from being taxed. But now that we know the equivalent subnet mask for this IP block of servers, we can easily create the access-list filter mask, which is 0.0.0.15. As I mentioned earlier, the filter mask is the opposite of the subnet mask. Here is how the last octet looks in binary:
Bit value:        128  64  32  16 |  8   4   2   1
Subnet mask (SM):   1   1   1   1 |  0   0   0   0  = 240
Filter mask (FM):   0   0   0   0 |  1   1   1   1  = 15
Clue: If you put the servers and workstations on two different network blocks, the router will have an enormous amount of traffic to route. Definitely not a good idea.
With filter masks you can usually work out the correct value quickly, as long as the numbers in the filter mask are a power of two minus one. For example, I know that my web servers are grouped in the first 15 IP addresses. The smallest power of two that 15 fits into is 16. Subtract 1, and my filter mask is 0.0.0.15.
Filter Masks in Access Lists
So if I wanted to permit all incoming web traffic requests to my web servers (and prevent any Internet access to rogue web servers on employees' workstations), I would enter this line in the access list:
!Permit HTTP port 80 traffic
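As an added example that is not part of the original article, the following Python script shows the filter-mask mechanics described above: it derives the filter (wildcard) mask from a subnet mask, applies the "power of two minus one" rule, reports exactly which addresses a network/mask pair matches, and evaluates a small access list against sample packets with Cisco's first-match semantics and implicit deny. The permit entry for port 80 and the source address 203.0.113.9 are assumptions; the article does not show the full access-list line.

```python
# Added example (not from the original article): Cisco-style wildcard
# ("filter") mask arithmetic and ACL evaluation. The ACL entry and the
# packet addresses below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Invert the 32 mask bits: 255.255.255.240 -> 0.0.0.15."""
    return to_str(~to_int(subnet_mask))


def wildcard_for_block(host_count: int) -> str:
    """The article's rule of thumb: the smallest power of two that the
    group fits into, minus one (15 hosts -> 16 - 1 -> 0.0.0.15)."""
    size = 1
    while size < host_count:
        size <<= 1
    return to_str(size - 1)


def matches(address: str, network: str, wildcard: str) -> bool:
    """Cisco semantics: a wildcard bit of 0 must match, a 1 is 'don't care'."""
    wc = to_int(wildcard)
    return (to_int(address) & ~wc) == (to_int(network) & ~wc)


def covered_range(network: str, wildcard: str) -> Tuple[str, str]:
    """First and last address a network/wildcard pair really matches.
    Useful before committing an entry: the rule of thumb rounds up, so
    10.10.10.1 0.0.0.7 also matches .0, .6 and .7."""
    wc = to_int(wildcard)
    base = to_int(network) & ~wc
    return to_str(base), to_str(base | wc)


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    protocol: str                 # "tcp", "udp" or "ip" (any)
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    dst_port: Optional[int] = None  # 'eq' port; None means any port


def evaluate(acl: List[AclEntry], protocol: str, src: str,
             dst: str, dst_port: int) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for entry in acl:
        if entry.protocol not in ("ip", protocol):
            continue
        if not matches(src, entry.src, entry.src_wildcard):
            continue
        if not matches(dst, entry.dst, entry.dst_wildcard):
            continue
        if entry.dst_port is not None and entry.dst_port != dst_port:
            continue
        return entry.action
    return "deny"


# Constructed ACL (assumed line modelled on the "!Permit HTTP port 80
# traffic" comment): web requests from anywhere to the server block only.
WEB_ACL = [
    AclEntry("permit", "tcp", "0.0.0.0", "255.255.255.255",
             "10.10.10.0", "0.0.0.15", 80),
]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.240"))          # 0.0.0.15
    print(covered_range("10.10.10.1", wildcard_for_block(5)))     # .0 to .7
    print(evaluate(WEB_ACL, "tcp", "203.0.113.9", "10.10.10.3", 80))
    print(evaluate(WEB_ACL, "tcp", "203.0.113.9", "10.10.10.70", 80))
```

The `covered_range` check is the one worth running before an entry goes into production: the power-of-two rule for five servers gives 0.0.0.7, which also opens port 80 to 10.10.10.0, .6 and .7, addresses the rule was never meant to cover. Traffic to a workstation at 10.10.10.70, or to the servers on any port other than 80, falls through to the implicit deny.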
Many, Many ACLs
When I last worked for an ISP we had several connections terminating into one router. To make things as secure as possible I made two access lists for each interface, one for incoming traffic and one for outgoing. Keeping track of all this quickly became a nightmare. What I did to help was to keep a notepad text file for each access list. At the top of each file I recorded the function of the access list, a description of the latest modifications, the modification date, and who made the modification.
Article last reviewed: 04/21/2004