Access-list standard vs extended

Types of IPv4 ACLs (4.4)

This section compares IPv4 standard and extended ACLs.

Standard and Extended ACLs (4.4.1)

The previous sections describe the purpose of ACLs as well as guidelines for ACL creation. This section covers standard and extended ACLs and named and numbered ACLs, and it provides examples of placement of these ACLs.

There are two types of IPv4 ACLs:

• Standard ACLs: These ACLs permit or deny packets based only on the source IPv4 address.

• Extended ACLs: These ACLs permit or deny packets based on the source IPv4 address and destination IPv4 address, protocol type, source and destination TCP or UDP ports, and more.

For example, Example 4-3 shows how to create a standard ACL. In this example, ACL 10 permits hosts on the source network 192.168.10.0/24. Because of the implied “deny any” at the end, all traffic except for traffic coming from the 192.168.10.0/24 network is blocked with this ACL.

Example 4-3 Standard ACL Example

In Example 4-4, the extended ACL 100 permits traffic originating from any host on the 192.168.10.0/24 network to any IPv4 network if the destination host port is 80 (HTTP).

Example 4-4 Extended ACL Example

Notice that the standard ACL 10 is only capable of filtering by source address, while the extended ACL 100 is filtering on the source and destination Layer 3 and Layer 4 protocol (for example, TCP) information.

NOTE

Full IPv4 ACL configuration is discussed in Chapter 5, “ACLs for IPv4 Configuration.”

Numbered and Named ACLs (4.4.2)

For IPv4, there are both numbered and named ACLs.

Numbered ACLs

ACLs 1 to 99 and 1300 to 1999 are standard ACLs, while ACLs 100 to 199 and 2000 to 2699 are extended ACLs, as shown in Example 4-5.

Example 4-5 Available ACL Numbers

Named ACLs

Using named ACLs is the preferred method when configuring ACLs. You can name standard and extended ACLs to provide information about the purpose of each ACL. For example, the extended ACL name FTP-FILTER is far easier to identify than the ACL number 100.

The ip access-list global configuration command is used to create a named ACL, as shown in Example 4-6.

NOTE

Numbered ACLs are created using the access-list global configuration command.

Example 4-6 Example of a Named ACL

The following are the general rules to follow for named ACLs:

• Assign a name to identify the purpose of the ACL.

• Names can contain alphanumeric characters.

• Names cannot contain spaces or punctuation.

• It is suggested that a name be written in CAPITAL LETTERS.

• Entries can be added or deleted within an ACL.

Where to Place ACLs (4.4.3)

Every ACL should be placed where it has the greatest impact on efficiency.

Figure 4-5 illustrates where standard and extended ACLs should be located in an enterprise network.

Say that the objective is to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network. Extended ACLs should be located as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network, without crossing the network infrastructure.

Figure 4-5 Example of Where to Place ACLs

Standard ACLs should be located as close to the destination as possible. If a standard ACL were placed at the source of the traffic, the “permit” or “deny” would occur based on the given source address, regardless of the traffic destination.

Placement of an ACL and, therefore, the type of ACL used, may also depend on a variety of factors, as listed in Table 4-11.

Table 4-11 ACL Placement Factors

Standard ACL Placement Example (4.4.4)

Following the guidelines for ACL placement, standard ACLs should be located as close to the destination as possible.

In Figure 4-6, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network.

Figure 4-6 Standard ACL Example Topology

Following the basic placement guidelines, the administrator would place a standard ACL on router R3. There are two possible interfaces on R3 to which to apply the standard ACL:

• R3 S0/1/1 interface (inbound):The standard ACL can be applied inbound on the R3 S0/1/1 interface to deny traffic from the .10 network. However, it would also filter .10 traffic to the 192.168.31.0/24 (.31 in this example) network. Therefore, the standard ACL should not be applied to this interface.

• R3 G0/0 interface (outbound):The standard ACL can be applied outbound on the R3 G0/0/0 interface. This will not affect other networks that are reachable by R3. Packets from the .10 network will still be able to reach the .31 network. This is the best interface to place the standard ACL to meet the traffic requirements.

Extended ACL Placement Example (4.4.5)

Extended ACLs should be located as close to the source as possible to prevent unwanted traffic from being sent across multiple networks only to be denied when it reaches its destination.

However, an organization can only place ACLs on devices that it controls. Therefore, the extended ACL placement must be determined in the context of where organizational control extends.

In Figure 4-7, for example, Company A wants to deny Telnet and FTP traffic to Company B’s 192.168.30.0/24 network from its 192.168.11.0/24 network while permitting all other traffic.

Figure 4-7 Extended ACL Example Topology

There are several ways to accomplish these goals. An extended ACL on R3 would accomplish the task, but the administrator does not control R3. In addition, this solution would allow unwanted traffic to cross the entire network, only to be blocked at the destination, which would affect overall network efficiency.

The solution is to place on R1 an extended ACL that specifies both source and destination addresses. There are two possible interfaces on R1 to apply the extended ACL:

• R1 S0/1/0 interface (outbound): The extended ACL can be applied outbound on the S0/1/0 interface. However, this solution would process all packets leaving R1, including packets from 192.168.10.0/24.

• R1 G0/0/1 interface (inbound): The extended ACL can be applied inbound on the G0/0/1, and only packets from the 192.168.11.0/24 network are subject to ACL processing on R1. Because the filter is to be limited to only those packets leaving the 192.168.11.0/24 network, applying the extended ACL to G0/1 is the best solution.

CHECK YOUR UNDERSTANDING—GUIDELINES FOR ACL PLACEMENT (4.4.6)

Refer to the online course to complete this activity.

8. Summary (4.5) | Next Section Previous Section

Standard Access-List

Prerequisite – Access-lists (ACL)
Access-list (ACL) is a set of rules defined for controlling network traffic and reducing network attacks. ACLs are used to filter traffic based on the set of rules defined for the incoming or outgoing of the network.

Standard Access-list –
These are the Access-list which are made using the source IP address only. These ACLs permit or deny the entire protocol suite. They don’t distinguish between the IP traffic such as TCP, UDP, HTTPS, etc. By using numbers 1-99 or 1300-1999, the router will understand it as a standard ACL and the specified address as the source IP address.

Features –

1. Standard Access-list is generally applied close to destination (but not always).
2. In a standard access list, the whole network or sub-network is denied.
3. Standard access-list uses the range 1-99 and extended range 1300-1999.
4. Standard access-list is implemented using source IP address only.
5. If numbered with standard Access-list is used then remember rules can’t be deleted. If one of the rules is deleted then the whole access list will be deleted.
6. If named with standard Access-list is used then you have the flexibility to delete a rule from the access list.
   

Note – Standard Access-list are less used as compared to extended access-list as the entire IP protocol suite will be allowed or denied for the traffic as it can’t distinguish between the different IP protocol traffic.

Configuration –

Here is a small topology in which there are 3 departments namely sales, finance, and marketing. The sales department has a network of 172.16.40.0/24, the Finance department has a network of 172.16.50.0/24, and the marketing department has a network of 172.16.60.0/24. Now, want to deny connection from the sales department to the finance department and allow others to reach that network.

Now, first configuring numbered standard access – list for denying any IP connection from sales to finance department.

Here, like extended access-list, you cannot specify the particular IP traffic to be permitted or denied. Also, note that wildcard mask has been used (0.0.0.255 which means Subnet mask 255.255.255.0). 10 is used from the number standard access-list range.

Now, as you already know there is an implicit deny at the end of every access list which means that if the traffic doesn’t match any of the rules of the access list then the traffic will be dropped.
By specifying any means that source having any IP address traffic will reach the finance department except the traffic which it matches the above rules that you have made.

Now, you have to apply the access list on the interface of the router:

As you remember that the standard access-list is generally applied to the destination and here also if you apply access-list close to the destination, it will satisfy our need, therefore, outbound to interface fa0/1 has been applied.

Named standard Access-list example –

Now, considering the same topology, you will make a named standard access list.

By using this command you have made an access-list named blockacl.

And then the same configuration you have done in numbered access-list.

Standard access-list for Telnet example –
As you know, you cannot specify particular IP traffic to be denied in standard access-list but telnet connection can be permitted or denied using standard access-list by applying access-list on line vty lines.

Here, in the given figure, you want to deny telnet to the Finance department from any network. Configuring for the same:

Article Tags :

Computer Networks

Practice Tags :

Computer Networks

Read Full Article

Extended Access-List

Prerequisite – Access-lists (ACL), Standard Access-list
Access-list (ACL) is a set of rules defined for controlling network traffic and reducing network attacks. ACLs are used to filter traffic based on the set of rules defined for the incoming or outgoing of the network.

Extended Access-list –
It is one of the types of Access-list which is mostly used as it can distinguish IP traffic therefore the whole traffic will not be permitted or denied like in standard access-list. These are the ACL that uses both source and destination IP address and also the port numbers to distinguish IP traffic. In this type of ACL, we can also mention which IP traffic should be allowed or denied. These use range 100-199 and 2000-2699.

Features –

1. Extended access-list is generally applied close to the source but not always.
2. In the Extended access list, packet filtering takes place on the basis of source IP address, destination IP address, port numbers.
3. In an extended access list, particular services will be permitted or denied.
4. Extended ACL is created from 100 – 199 & extended range 2000 – 2699.
5. If numbered with extended Access-list is used then remember rules can’t be deleted. If one of the rules is deleted then the whole access list will be deleted.
6. If named with extended Access-list is used then we have the flexibility to delete a rule from the access list.
   

Configuration –

Here is a small topology in which there are 3 departments namely sales, finance, and marketing. The sales department has a network of 172.16.10.40/24, the Finance department has a network of 172.16.50.0/24, and the marketing department has a network of 172.16.60.0/24. Now, we want to deny the FTP connection from the sales department to finance department and deny telnet to the Finance department from both the sales and marketing departments.

Now, first configuring numbered extended access – list for denying FTP connection from sales to finance department.

Here, we first create a numbered Access-list in which we use 110 (used from extended access-list range) and deny the sales network (172.16.40.0) to make an FTP connection to the finance network (172.16.50.0).

Note – Here, as FTP uses TCP and port number 21. Therefore, we have to specify the permit or deny the condition according to the need. Also, after eq, we have to use the port number for the specified application layer protocol.

Now, we have to deny telnet connection to finance department from both sales and Marketing department which means no one should telnet to finance department. Configuring for the same.

Here, we have used the keyword any which means 0.0.0.0 0.0.0.0 i.e any IP address from any subnet mask. As telnet uses port number 23 therefore, we have to specify the port number 23 after eq.

Now, this is the most important part. As we already know there is an implicit deny at the end of every access list which means that if the traffic doesn’t match any of the rules of Access-list then the traffic will be dropped.

By specifying any any means that source having any IP address traffic will reach finance department except the traffic which it matches the above rules that we have made. Now, we have to apply the access-list on the interface of the router:

As we remember, we have to apply the extended access-list as close as possible to source but here we have applied it to close to the destination because we have to block the traffic from both sales and marketing department, therefore, we have to apply it close to the destination here otherwise we have to make separate access-list for fa0/0 and fa1/0 inbound.

Named access-list example –

Now, considering the same topology, we will make a named extended access list.

By using this command we have made an access-list named blockacl.

And then the same configuration we have done in numbered access-list.

Article Tags :

Computer Networks

Practice Tags :

Computer Networks

Read Full Article