Infrastructure Access List (iACL)

As we know, the main purpose of private IP address range (RFC 1918) is that they are used only for internal network (LAN). Therefore private IP address range should not be advertised on internet cloud.

Another IP address range is organization’s own public IP pool, purchased from IANA or provided by ISP, which is used for NAT. That range normally used for web server, mail server, LAN users etc. Hence this unique IP address range should not be seen as a source IP address on outside interface of the gateway router.

But still it’s not possible that everyone has configured their internet facing router perfectly. Mistakes do happens and that’s why we need iACL.


In our example:

Company A using Class A range, Company B using Class B range and Company C using Class C for their LAN users.

When LAN users try to connect outside network (ex. Internet), their actual IP address (private range) will translate to public IP address range means company A, B and C will use 12.1.2.X, 50.45.46.X, and 129.54.2.X public IP addresses respectively. That means private IP address range will not advertised on internet cloud. We have configured our gateway router properly but what if someone, somewhere else misconfigured their router then private IP range can leak on internet cloud. To protect routers from such accidental configuration and malicious risks iACL will be very effective.

I have actually configured iACL and got below output. As you can see I got matches of private IP addresses and even that organization’s own public IP pool. (75713 matches).

iACL - 2



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s