This document discusses how access control lists (ACLs) can be used to filter network traffic. ACLs allow network administrators to analyze packet contents and either allow or block packets based on criteria like source/destination IP addresses and protocols. ACLs can be implemented on routers, firewalls, and servers to specify allowed traffic, classify traffic for quality of service, and restrict certain activities. The document provides guidance on creating standard, extended, and named ACLs; using wildcard masks; applying ACLs to interfaces; and logging ACL activity for monitoring.

1. Filtering Traffic
Using Access
Control Lists
Introducing Routing and Switching in the Enterprise –
Chapter 8
Version 4.0 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1

2. Objectives
 Describe traffic filtering and explain how Access
Control Lists (ACLs) can filter traffic at router
interfaces.
 Analyze the use of wildcard masks.
 Configure and implement ACLs.
 Create and apply ACLs to control specific types of
traffic.
 Log ACL activity and integrate ACL best practices.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 2

3. Describe Traffic Filtering
 Analyze the contents of a packet
 Allow or block the packet
 Based on source IP, destination IP, MAC address,
protocol, application type
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 3

4. Describe Traffic Filtering
Devices providing traffic filtering:
 Firewalls built into integrated routers
 Dedicated security appliances
 Servers
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 4

5. Describe Traffic Filtering
Uses for ACLs:
 Specify internal hosts for NAT
 Classify traffic for QoS
 Restrict routing updates, limit debug outputs, control
virtual terminal access
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 5

6. Describe Traffic Filtering
Possible issues with ACLs:
 Increased load on router
 Possible network disruption
 Unintended consequences from incorrect placement
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 6

7. Describe Traffic Filtering
 Standard ACLs filter based on source IP address
 Extended ACLs filter on source and destination, as well
as protocol and port number
 Named ACLs can be either standard or extended
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 7

8. Describe Traffic Filtering
 ACLs consist of statements
 At least one statement must be a permit statement
 Final statement is an implicit deny
 ACL must be applied to an interface in order to work
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 8

9. Describe Traffic Filtering
 ACL is applied inbound or outbound
 Direction is from the router’s perspective
 Each interface can have one ACL per direction for each
network protocol
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 9

10. Analyze the Use of Wildcard Masks
 Wildcard mask can block a range of addresses or a
whole network with one statement
 0s indicate which part of an IP address must match the
ACL
 1s indicate which part does not have to match
specifically
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 10

11. Analyze the Use of Wildcard Masks
 Use the host parameter in place of a 0.0.0.0 wildcard
 Use the any parameter in place of a 255.255.255.255
wildcard
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 11

12. Configure and Implement Access
Control Lists
 Determine traffic filtering requirements
 Decide which type of ACL to use
 Determine the router and interface on which to apply
the ACL
 Determine in which direction to filter traffic
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 12

13. Configure and Implement Access Control
Lists: Numbered Standard ACL
 Use access-list command to enter statements
 Use the same number for all statements
 Number ranges: 1-99, 1300-1999
 Apply as close to the destination as possible
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 13

14. Configure and Implement Access Control
Lists: Numbered Extended ACL
 Use access-list command to enter statements
 Use the same number for all statements
 Number ranges: 100-199, 2000-2699
 Specify a protocol to permit or deny
 Place as close to the source as possible
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 14

15. Configure and Implement Access
Control Lists: Named ACLs
 Descriptive name replaces number range
 Use ip access-list command to enter initial statement
 Start succeeding statements with either permit or deny
 Apply in the same way as standard or extended ACL
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 15

16. Configure and Implement Access
Control Lists: VTY access
 Create the ACL in line configuration mode
 Use the access-class command to initiate the ACL
 Use a numbered ACL
 Apply identical restrictions to all VTY lines
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 16

17. Create and Apply ACLs to Control Specific
Types of Traffic
 Use a specified condition when filtering on port
numbers: eq, lt, gt
 Deny all appropriate ports for multi-port applications like
FTP
 Use the range operator to filter a group of ports
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 17

18. Create and Apply ACLs to Control Specific
Types of Traffic
 Block harmful external traffic while allowing internal
users free access
 Ping: allow echo replies while denying echo requests
from outside the network
 Stateful Packet Inspection
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 18

19. Create and Apply ACLs to Control Specific
Types of Traffic
 Account for NAT when creating and applying ACLs to a
NAT interface
 Filter public addresses on a NAT outside interface
 Filter private addresses on a NAT inside interface
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 19

20. Create and Apply ACLs to Control Specific
Types of Traffic
 Examine every ACL one line at a time to avoid
unintended consequences
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 20

21. Create and Apply ACLs to Control Specific
Types of Traffic
 Apply ACLs to VLAN interfaces or subinterfaces just as
with physical interfaces
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 21

22. Log ACL Activity and ACL Best Practices
 Logging provides additional details on packets denied
or permitted
 Add the log option to the end of each ACL statement to
be tracked
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 22

23. Log ACL Activity and ACL Best Practices
Syslog messages:
 Status of router interfaces
 ACL messages
 Bandwidth, protocols in use, configuration events
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 23

24. Log ACL Activity and ACL Best Practices
 Always test basic connectivity before applying ACLs
 Add deny ip any to the end of an ACL when logging
 Use reload in 30 when testing ACLs on remote routers
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 24

25. Summary
 ACLs enable traffic management and secure access to
and from a network and its resources
 Apply an ACL to filter inbound or outbound traffic
 ACLs can be standard, extended, or named
 Using a wildcard mask provides flexibility
 There is an implicit deny statement at the end of an
ACL
 Account for NAT when creating and applying ACLs
 Logging provides additional details on filtered traffic
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 25

26. © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 26