An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements. ACLs are primarily used for packet filtering. You can also use ACLs in QoS, security, routing, and other modules for identifying traffic.
This tutorial explains Standard Access Control List configuration commands (with options, parameters and arguments) in detail with examples. Learn how to build a standard ACL (Numbered and Named) condition or statement and how to calculate the wildcard mask for Standard ACL configuration commands step by step.
A standard ACL can be created in two ways:
- Classical approach (numbered)
- Modern approach (numbered or named)
This tutorial is the second part of our article “Cisco IP ACL Configuration Guide”. You can read the other parts of this article here:
This tutorial is the first part of this article. In this part I provided a brief introduction to Cisco IP ACLs: what an ACL is and how it works, including ACL direction and placement.
This tutorial is the third part of this article. In this part I will provide a step by step configuration guide for Standard Access Control Lists.
This tutorial is the fourth part of this article. In this part I will explain Extended Access Control List configuration commands and their parameters in detail with examples.
This tutorial is the last part of this article. In this part I will provide a step by step configuration guide for Extended Access Control Lists.
Classical approach (numbered ACL)
To create a standard numbered ACL, the following global configuration mode command is used (its parts are explained one by one below):
Router(config)#access-list ACL_Identifier_number permit/deny matching-parameters
Router(config)#
This command prompt indicates that we are in global configuration mode.
access-list
With this keyword we tell the router that we are creating or accessing an access list.
ACL_Identifier_number
With this parameter we specify the type of access list. We have two types of access list: standard and extended. Both types have their own unique identifier number ranges. Standard ACLs use the number ranges 1 to 99 and 1300 to 1999. We can pick any number from these ranges to tell the router that we are working with a standard ACL. This number is used for grouping the conditions under a single ACL, and it is also the unique identifier of this ACL on the router.
permit/deny
As we know, an ACL condition has two possible actions: permit and deny. If we use the permit keyword, the ACL will allow all packets from the source address specified in the next parameter. If we use the deny keyword, the ACL will drop all packets from the source address specified in the next parameter.
matching-parameters
This parameter specifies the contents of the packet that we want to match. In a standard ACL condition it can only be a source address, either a single address or a range of addresses. We have three options to specify the source address.
- Any
- host
- A.B.C.D
Any
The any keyword is used to match all sources. Every packet compared against this condition is matched.
Host
The host keyword is used to match a specific host. To match a particular host, type the keyword host followed by the IP address of the host.
A.B.C.D
With this option we can match a single address or a range of addresses. To match a single address, simply type the address. To match a range of addresses, we need to add a wildcard mask.
Wildcard mask
Just like a subnet mask, a wildcard mask draws a boundary in an IP address. Where a subnet mask separates the network portion from the host portion, a wildcard mask separates the portion that must match from the portion that is ignored. The wildcard mask is the inverse of the subnet mask, and it can be calculated from the subnet mask in decimal or in binary.
Different authors use different approaches to calculating the wildcard mask. Among these approaches the following method is the simplest one.
Subtract subnet mask from 255.255.255.255.
255.255.255.255 – Subnet mask = Wildcard mask
Once we have the wildcard mask, the remaining logic is simple:
- Decimal 0 :- The router must compare this octet exactly.
- Decimal 255 :- The router ignores this octet.
- Decimal range 1-254 :- The router matches a block of addresses of the listed size in this octet.
Calculating the wildcard mask can be confusing even with the simplest method mentioned above. To understand the concept more clearly, let's work through some examples.
What wildcard mask would you use to match following addresses?
- All addresses from all networks
- Single host address 200.100.1.10/24
- All addresses from network 10.0.0.0/8
- All addresses from network 172.168.0.0/16
- All addresses from network 192.168.0.0/24
- All addresses from network range 192.168.1.5/25
- All addresses from network range 195.160.1.20/26
- All addresses from network range 20.30.40.50/15
All addresses from all networks
To meet this requirement we need an address that represents all networks. In IPv4 the address 0.0.0.0 represents all networks. Next we need a wildcard mask that ignores every octet, and we know that the decimal value 255 tells the ACL to ignore an octet entirely. So to match all addresses from all networks we use the network address 0.0.0.0 with the wildcard mask 255.255.255.255.
To match all addresses from all networks we will use 0.0.0.0 255.255.255.255.
Single host address 200.100.1.10/24
To match a single host we use an exact-match wildcard mask. As we know, the decimal value 0 in a wildcard mask octet tells the router to match that octet of the IP address exactly. So the wildcard mask for this question is 0.0.0.0. The prefix length does not matter here because we are matching one address, not a range.
To match this host we will use 200.100.1.10 0.0.0.0
All addresses from network 10.0.0.0/8
In this requirement we need to match all addresses from the given network. To match an address range we use the subtraction method: we subtract the subnet mask from 255.255.255.255 to get the required wildcard mask.
First write down the address with subnet mask.
10.0.0.0/8 = 10.0.0.0 255.0.0.0
Now subtract the subnet mask from 255.255.255.255
255.255.255.255 – 255.0.0.0 = 0.255.255.255
To match all addresses from this network we will use 10.0.0.0 0.255.255.255
All addresses from network 172.168.0.0/16
This requirement also matches an address range, so we use the same subtraction method to calculate the wildcard mask.
Write down the address with subnet mask
172.168.0.0/16 = 172.168.0.0 255.255.0.0
Now subtract subnet mask from 255.255.255.255
255.255.255.255 – 255.255.0.0 = 0.0.255.255
Our answer for this question will be 172.168.0.0 0.0.255.255
All addresses from network 192.168.0.0/24
Again we are matching an address range, so the method is the same.
Write down the address with subnet mask.
192.168.0.0/24 = 192.168.0.0 255.255.255.0
Now subtract subnet mask from 255.255.255.255
255.255.255.255 – 255.255.255.0 = 0.0.0.255
Our answer for this question will be 192.168.0.0 0.0.0.255
In the remaining questions we will also match an address range, but this time the range is a subnetted network. A subnetted network is a smaller network created from a default (classful) network through subnetting.
To represent all addresses of a network we have to use the network address. But in these questions we are given host addresses instead of network addresses, so we have to go through one more step: we need to find the network address that the given host belongs to.
For this tutorial I assume that you know subnetting and its concepts, especially finding the network ID from a given host address.
I have already explained subnetting and finding the network ID and broadcast ID from a given host in detail with examples. You can read that tutorial here:
Subnetting Explained with examples
All addresses from network range 192.168.1.5/25
Write down the address with subnet mask
192.168.1.5/25 = 192.168.1.5 255.255.255.128
Find the network address from given host
192.168.1.0 255.255.255.128
Now subtract subnet mask from 255.255.255.255
255.255.255.255 – 255.255.255.128 = 0.0.0.127
Our answer for this question will be 192.168.1.0 0.0.0.127
All addresses from network range 195.160.1.20/26
Write down the address with subnet mask
195.160.1.20/26 = 195.160.1.20 255.255.255.192
Find the network address from given host
195.160.1.0 255.255.255.192
Now subtract subnet mask from 255.255.255.255
255.255.255.255 – 255.255.255.192 = 0.0.0.63
Our answer for this question will be 195.160.1.0 0.0.0.63
All addresses from network range 20.30.40.50/15
Write down the address with subnet mask
20.30.40.50/15 = 20.30.40.50 255.254.0.0
Find the network address from given host
20.30.0.0 255.254.0.0
Now subtract subnet mask from 255.255.255.255
255.255.255.255 – 255.254.0.0 = 0.1.255.255
Our answer for this question will be 20.30.0.0 0.1.255.255
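The eight worked examples above all follow the same three steps (prefix length to subnet mask, subnet mask to wildcard mask by subtraction from 255.255.255.255, and network ID from a given host). The following Python script is an added example that carries out those steps for any address in CIDR form and reports the octet rules listed earlier; it is not part of the original tutorial, and the function names are my own. It relies only on the standard library `ipaddress` module.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255 as an integer


def subnet_mask_from_prefix(prefix_len: int) -> str:
    """Turn a prefix length into dotted-decimal form, e.g. 15 -> 255.254.0.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The tutorial's rule: 255.255.255.255 - subnet mask = wildcard mask."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(ALL_ONES - mask))


def network_address(host: str, prefix_len: int) -> str:
    """The extra subnetting step: the network ID of the block containing host."""
    net = ipaddress.IPv4Network(f"{host}/{prefix_len}", strict=False)
    return str(net.network_address)


def standard_acl_source(cidr: str) -> str:
    """'195.160.1.20/26' -> '195.160.1.0 0.0.0.63', the source part of a condition."""
    host, prefix = cidr.split("/")
    prefix_len = int(prefix)
    net = network_address(host, prefix_len)
    wildcard = wildcard_from_subnet_mask(subnet_mask_from_prefix(prefix_len))
    return f"{net} {wildcard}"


def octet_rule(wildcard_octet: int) -> str:
    """What the router does with one octet, per the decimal 0 / 255 / 1-254 rules."""
    if wildcard_octet == 0:
        return "compare whole octet"
    if wildcard_octet == 255:
        return "ignore octet"
    return f"match a block of {wildcard_octet + 1} addresses in this octet"


def explain(cidr: str) -> str:
    """One line per octet showing how the calculated wildcard mask is interpreted."""
    source = standard_acl_source(cidr)
    wildcard = source.split()[1]
    rules = [octet_rule(int(o)) for o in wildcard.split(".")]
    return source + "  (" + "; ".join(rules) + ")"


if __name__ == "__main__":
    # The tutorial's own questions, re-used as input (0.0.0.0/0 stands for "all networks").
    for question in ["0.0.0.0/0", "200.100.1.10/32", "10.0.0.0/8", "172.168.0.0/16",
                     "192.168.0.0/24", "192.168.1.5/25", "195.160.1.20/26", "20.30.40.50/15"]:
        print(f"{question:>16} -> {explain(question)}")
```

Running it reproduces every answer from the worked examples, including the subnetted cases where the host part of the given address is first cleared to obtain the network ID.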
Wildcard mask examples
| IP Address With Wildcard Mask | Matches | Network Address with Subnet Mask |
| --- | --- | --- |
| 0.0.0.0 255.255.255.255 | Special wildcard mask that matches every packet compared against it (equal to the any keyword) | |
| 172.168.1.15 0.0.0.0 | Match the exact host address (equal to the host keyword) | |
| 172.168.1.15 | If we omit the wildcard mask, a default wildcard mask of 0.0.0.0 (exact match) is used | |
| 10.0.0.0 0.255.255.255 | Match all addresses from network 10.0.0.0/8 | 10.0.0.0 255.0.0.0 |
| 172.168.1.0 0.0.255.255 | Match all addresses from network 172.168.0.0/16 | 172.168.0.0 255.255.0.0 |
| 192.168.1.0 0.0.0.255 | Match all addresses from network 192.168.1.0/24 | 192.168.1.0 255.255.255.0 |
| 50.0.0.10 0.0.0.255 | Match all addresses from network 50.0.0.0/24 | 50.0.0.0 255.255.255.0 |
| 50.0.0.10 0.0.0.127 | Match all addresses from network 50.0.0.0/25 | 50.0.0.0 255.255.255.128 |
| 50.0.0.10 0.0.127.255 | Match all addresses from network 50.0.0.0/17 | 50.0.0.0 255.255.128.0 |
| 50.0.0.10 0.63.255.255 | Match all addresses from network 50.0.0.0/10 | 50.0.0.0 255.192.0.0 |
Now that we have a basic understanding of the IP ACL command and its parameters, let's put all of this together and create a real ACL.
Building Standard IP ACL condition with classical approach (Number method)
Suppose we want to allow only one host address, 20.0.0.10 255.0.0.0, and block all others. To meet this requirement we need to create two ACL conditions.
- 1. Permit 20.0.0.10 255.0.0.0
- 2. Block All
The order of conditions plays a big role in filtering. If we had created the deny condition first, we would have blocked all traffic from all hosts, including 20.0.0.10. For example, look at the following conditions, which are the same two conditions in the opposite order.
- 1. Block All
- 2. Permit 20.0.0.10 255.0.0.0
This ACL will block all traffic from all hosts. Why does this happen?
Because conditions are checked in top-down order, and once a match is found no further conditions are checked. The first condition in this ACL matches all packets from all hosts, including 20.0.0.10, and its action is deny, so every packet is dropped immediately by the first condition. No packet ever reaches the second condition. This is why the order of conditions is so important in the packet filtering process.
We created the block-all condition only to illustrate ordering. Normally we do not need to create it ourselves, because every ACL already ends with an unwritten condition that denies all traffic. It is called the implicit deny statement.
For this requirement we therefore only need to create one condition.
Router(config)#access-list 10 permit 20.0.0.10 0.0.0.0
Or
Router(config)#access-list 10 permit host 20.0.0.10
For a single-host entry we can use either the 0.0.0.0 wildcard mask or the host keyword; both mean an exact match.
Now we know how to create a standard ACL with the classical approach. In the next section we will create the same condition with the modern approach.
Modern approach (numbered or named)
In the modern approach the configuration style differs from the classical approach. In the modern style we start the command with ip access-list instead of access-list. This tells the router that we are creating a modern ACL.
In the next parameter we specify whether we are creating a standard ACL or an extended ACL.
In the next parameter we define a unique identifier for this ACL. We can use either a number or a name here. If we are using the modern approach, we should use a descriptive name rather than a number.
After typing the name or number, press Enter to enter access-list configuration mode.
From access-list configuration mode we specify the permit and deny conditions, one per line.
When finished, use the exit command to return to global configuration mode.
Now we know both the classical and the modern approach to creating a standard ACL. Before we move forward, let's take a quick look at the advantages the modern approach has over the classical approach.
- In the classical method we can only append a new condition at the end of the ACL. We cannot insert a new condition in the middle of the ACL; the only way to do so is to delete the existing ACL and recreate it with the modification. In the modern method we can insert a new condition anywhere in the ACL without recreating the entire ACL.
- In the classical method we cannot remove a single condition from an ACL. The only way to remove a condition is to delete the entire ACL and recreate it. In the modern method we can delete any condition from the ACL.
- The modern approach assigns a sequence number to each condition we create. With these sequence numbers we can modify an existing ACL without recreating it.
No matter which method we use to create a standard ACL, the process of applying it to an interface is the same.
Enabling Standard IP ACL
The following commands are used to activate an ACL on an interface.
The first command (interface, followed by the interface type and number) is used to enter interface configuration mode.
The second command (ip access-group) is used to enable the ACL on that interface. It accepts two parameters: first ACL_# and second in or out.
ACL_# With this parameter we specify which ACL we want to associate with this interface. In our case we would use either 10 (the numbered identifier) or Secure_telnet (the named identifier).
in out With this parameter we specify the direction of the filter. The in keyword filters inbound traffic; the out keyword filters outbound traffic.
Following commands will activate Standard ACL number 10 on Serial 0/0/0 interface in inbound direction.
Following commands will activate Standard ACL name Secure_telnet on Serial 0/0/1 interface in outbound direction.
Key points
- We can apply the same ACL to multiple interfaces.
- We can enable the same ACL twice on the same interface, once in each direction (inbound and outbound).
- We cannot enable the same ACL twice on the same interface in the same direction.
- An empty ACL permits all traffic.
- The implicit deny condition only takes effect if the ACL has at least one user-defined condition.
- We should place only one ACL per interface, direction and type. For example, there is no use in placing two standard ACLs on the same interface in the same direction.
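To make the ordering rules, the implicit deny, the empty-ACL behaviour and the sequence-number advantages of the modern approach concrete, here is an added Python model of a standard ACL that is not part of the tutorial or of any Cisco software. The class name, method names and the constructed sample packets are my own; conditions are written in the same words the tutorial uses (permit/deny, any, host, address with optional wildcard). It reproduces the "deny any first" mistake discussed above and shows how a sequence number lets a line be inserted in the middle or removed without rebuilding the list.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def source_matches(packet_src: str, acl_address: str, wildcard: str) -> bool:
    """Router comparison: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    p = int(ipaddress.IPv4Address(packet_src))
    a = int(ipaddress.IPv4Address(acl_address))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ALL_ONES ^ w
    return (p & care) == (a & care)


def parse_source(tokens):
    """any | host A.B.C.D | A.B.C.D [wildcard] -> (address, wildcard)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"
    if len(tokens) == 1:                 # omitted wildcard defaults to exact match
        return tokens[0], "0.0.0.0"
    return tokens[0], tokens[1]


class StandardACL:
    """Ordered conditions keyed by sequence number; first match wins; implicit deny."""

    def __init__(self):
        self.entries = {}  # sequence number -> (action, address, wildcard)

    def add(self, condition: str, seq=None) -> int:
        """condition looks like 'permit host 20.0.0.10' or 'deny 10.0.0.0 0.255.255.255'.
        Without seq the line is appended at the end (the only option in the classical
        approach); with seq it can be placed anywhere (the modern approach)."""
        tokens = condition.split()
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if seq is None:
            seq = max(self.entries, default=0) + 10
        self.entries[seq] = (action, *parse_source(tokens[1:]))
        return seq

    def remove(self, seq: int) -> None:
        """Delete one condition by sequence number (modern approach only)."""
        del self.entries[seq]

    def evaluate(self, packet_src: str) -> str:
        if not self.entries:
            return "permit"               # an empty ACL permits everything
        for seq in sorted(self.entries):  # top-down order
            action, address, wildcard = self.entries[seq]
            if source_matches(packet_src, address, wildcard):
                return action             # first match wins, later lines are never consulted
        return "deny"                     # implicit deny at the end of a non-empty ACL


def wrong_order_result(packet_src: str) -> str:
    """The mistake from the text: deny all placed before the permit for 20.0.0.10."""
    acl = StandardACL()
    acl.add("deny any")
    acl.add("permit host 20.0.0.10")
    return acl.evaluate(packet_src)


def right_order_result(packet_src: str) -> str:
    """Only the permit line is needed; the implicit deny blocks everything else."""
    acl = StandardACL()
    acl.add("permit 20.0.0.10 0.0.0.0")
    return acl.evaluate(packet_src)


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    for src in ("20.0.0.10", "20.0.0.11"):
        print(src, "wrong order ->", wrong_order_result(src),
              "| right order ->", right_order_result(src))
```

Because `evaluate` walks the entries in sequence order and returns on the first hit, inserting a permit at sequence 15 behind a broader deny at sequence 10 has no effect, while inserting it at sequence 5 does; that is exactly why a sequence number, not just the condition text, determines what an ACL line achieves.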
That's all for this part. In the next part of this article we will put into practice what we have learned here.