Packet Filtering using Access Control Lists (ACLS)

July 26, 2021

Networks tend to be vulnerable (to security risks) due to the incoming and outgoing unwanted and dangerous traffic. A security mechanism is needed to control the flow of traffic and provide a secure remote administrative access. We can do this by restricting, permitting, and denying unnecessary traffic.

This article will cover how the Access Control Lists (ACLs) can be used to control traffic flow by filtering all the incoming and outgoing packets. We use various types of control lists and we will go over how they can be used to configure the ACLs on the router interface.

Table of contents

Prerequisites

To follow along with this tutorial, the reader should:

  • Have a good understanding of how to configure networks and their components using any network simulation tool.
  • Have a prior understanding of the basic networking concepts.
  • Know how to operate the Cisco packet tracer.

Go to this page to download and install the Cisco packet tracer on your PC.

Terminologies

  • Access Control List (ACLs) refers to a set of rules that allow/permit or deny any traffic flow through the routers. It works at layer 3 to provide security by filtering and controlling the flow of traffic from one router to another.

By default, the ACLs are not configured on the routers, so the network user has to configure each of the router’s interfaces.

  • Access Control Entries (ACEs) refers to a collection of rules used to permit or deny traffic. When creating ACLs the order of these rules must be considered.
  • The traffic flowing into the router is referred to as ingress.
  • Egress refers to the traffic flowing out of the router.
  • Packet filtering refers to the controlled access to networks by analyzing the ingress and egress packets flowing through the networks by either forwarding them or discarding them depending on the given criteria. It occurs both at layers 3 and 4 of the OSI model.

Access Control List operations

Once a particular ACL is configured on an interface, it follows an operational procedure to filter the traffic flowing into the router.

  • The router extracts the source IP address from the packet header first.

  • Starting at the top of the ACLs, the router compares the address against each Access Control Entries (ACE) in order.

  • If a match is found, the router carries out the instructions either permitting or blocking the packet. The other control entries are not analyzed.

  • If a match is not found in the control entries, the packet is discarded since there is always an implicit deny control entry applied automatically to all Access Control Lists.

Access Control Lists types

There are two types of Access Control Lists: numbered and named ACLs.

  • Numbered refers to those ACLs specified using a number.

  • Named are the ACLs configured using names.

Both the named and numbered ACLs are divided into two categories:

  • Standard ACLs - this type filters traffic based only on the source IP address. They range from 1-99 and are implemented closest to the destination to block all the services like FTP, HTTP, Telnet.

  • Extended ACLs - packet filtering is done based on the source IP, destination IP, protocol types, and port numbers.

They range from 100-199 and are implemented closest to the source to block a selected number of services specified by the network administrator.

A command access list is used to show the available ACLs that can be configured on the router interface.

R1(config)# access-list ?
 <1-99> IP standard access list
 <100-199> IP extended access list
 <1100-1199> Extended 48-bit MAC address access list
 <1300-1999> IP standard access list (expanded range)
 <200-299> Protocol type-code access list
 <2000-2699> IP extended access list (expanded range)
 <700-799> 48-bit MAC address access list
 rate-limit Simple rate-limit specific access list
 template Enable IP template acls
Router(config)# access-list

Access Control Lists tasks

Routers use ACLs to perform the following tasks:

  • Increase network performance by limiting the network traffic.
  • Prioritizing certain network traffic.
  • Defining network security access rules.
  • Traffic flow control.

Access Control List configuration

Moving on, we will learn how to create and configure standard IPv4 ACLs and how they filter the traffic. To create a named standard ACL, we use the following global configuration command:

Router(config)# ip access-list standard access-list-name

For instance, we have an access list called PERMIT-ACCESS of a standard type.

R1(config)# ip access-list standard PERMIT-ACCESS
R1(config-std-nacl)# remark ACE permits host 192.168.10.10
R1(config-std-nacl)# permit host 192.168.10.10
R1(config-std-nacl)#

For the numbered ACL, we use;

Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]

For instance, we have created ACL 10 which permits a particular host to the internet.

R1(config)# access-list 10 remark ACE permits ONLY host 192.168.10.10 to the internet
R1(config)# access-list 10 permit host 192.168.10.10
R1(config)# do show access-lists
Standard IP access list 10
    10 permit 192.168.10.10
R1(config)#

Let’s consider the Local Area Network below:

CDP-LLDP Network Configuration

We will create one numbered ACL, ACL 20 that denies host 192.168.10.10 but permits all other hosts on network 192.168.10.0/24.

Start by configuring the ACL 20 ACE that denies the 192.168.10.10 host using the host keyword, then create the ACL that permits all other hosts.

R1(config)#access-list 20 deny host 192.168.10.10
R1(config)#access-list 20 permit 192.168.10.0 0.0.0.255

Since ACL 20 only apply to traffic from LAN 1, the ACL can be applied to the incoming traffic to the G0/0/0 R1’s interface. Enter interface G0/0/0 mode, apply ACL 20 inbound and return to global configuration mode.

R1(config)#interface g0/0/0
R1(config-if)#ip access-group 20 in
R1(config-if)#exit

We will then create a named standard ACL that permits host 192.168.10.10 but denies all other hosts on network 192.168.20.0/24. Start by creating a named standard ACL named LAN2-FILTER.

R1(config)#ip access-list standard LAN2-FILTER

Create an ACE that permits host 192.168.10.10, and deny all other hosts using the any keyword.

R1(config-std-nacl)#permit host 192.168.10.10
R1(config-std-nacl)#deny any
R1(config-std-nacl)#exit

The LAN2-FILTER will be applied to the outgoing traffic to LAN 2. Enter interface G0/0/1 mode, apply ACL LAN2-FILTER outbound and return to global configuration mode.

R1(config)#interface g0/0/1
R1(config-if)#ip access-group LAN2-FILTER out
R1(config-if)#exit

NOTE: After creating and configuring the ACLs you can use the show access-lists or show run | section ip access-list commands in the priviledge exec mode to verify your configurations.

To remove an ACLs use the no access-list command followed by the name or number of the access list. For instance no access-list 10 to remove ACL 10.

Conclusion

As we have seen, Access Control Lists play a crucial role in traffic flow control and the network’s security at large. This makes the network less vulnerable to unwanted and dangerous traffic.

To summarize, we have:

  • Learned what Access Control Lists are, their operations, and how to create and configure them.
  • Explored different types of ACLs used in packet filtering.
  • Configured a network, created, and configured the standard named and numbered ACLs.
  • Learned how the configured ACLs can be used to permit or deny traffic.

One can find more information about network management here.

Happy coding!


Peer Review Contributions by: Eric Gacoki


About the author

Atonya Dennis

Atonya Dennis is a Computer Technology student at Jomo Kenyatta University Of Agriculture and Technology. His interests are web development and networking. Dennis has a great passion for developing web applications and configuring networks.

This article was contributed by a student member of Section's Engineering Education Program. Please report any errors or innaccuracies to enged@section.io.