Page 1: Access Control Lists (ACLs)

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public. ITE I Chapter 6

2020. 5. 7. · An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.

Page 2: Packet Filtering

Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.

– These rules are defined using ACLs.
– An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols.

The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:

– Source IP address
– Destination IP address
– ICMP message type
– TCP/UDP source port
– TCP/UDP destination port
– and other header fields

Page 3: What is an ACL?

By default, a router does not have any ACLs configured and therefore does not filter traffic.

– Traffic that enters the router is routed according to the routing table.

An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.

– As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet.
  • [Tony]: It stops when it finds a matching statement.
– The ACL applies a permit or deny rule to determine the fate of the packet.
  • [Tony]: If the ACL cannot find a matching statement in the list, the default action is to deny the traffic.
– ACLs can be configured to control access to a network or subnet.
  • [Tony]: It can control traffic into and out of a network, a subnet, or a single host.

Page 4: What is an ACL? (continued)

Here are some guidelines for using ACLs:

– Use ACLs in firewall routers positioned between your internal network and an external network
  • such as the Internet.
– Use ACLs on a router positioned between two parts of your network
  • to control traffic entering or exiting a specific part of your internal network.
– Configure ACLs on border routers
  • routers situated at the edges of your networks.
  • This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
– Configure ACLs for each network protocol configured on the border router interfaces.
  • You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

Page 5: ACL: The Three Ps

– One ACL per protocol - An ACL must be defined for each protocol enabled on the interface.
– One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
– One ACL per interface - ACLs control traffic for an interface, for example, Fast Ethernet 0/0.

The router in the example has two interfaces, each configured for three protocols: IP, AppleTalk, and IPX.

– This router could require 12 separate ACLs:
  • one ACL for each protocol,
  • times two for each direction,
  • times two for the number of interfaces.
  • 3 protocols x 2 directions x 2 interfaces = 12

Page 6: ACLs perform the following tasks

Limit network traffic to increase network performance.
– If corporate policy does not allow video traffic, ACLs can block video traffic.

Provide traffic flow control.
– ACLs can restrict the delivery of routing updates.
– If updates are not required because of network conditions, bandwidth is preserved.

Provide a basic level of security for network access.
– ACLs can allow one host to access a part of the network and prevent others from accessing the same area.

Decide which types of traffic to forward or block at the router interfaces.
– For example, an ACL can permit e-mail traffic, but block all Telnet traffic.

Control which areas a client can access on a network.

Screen hosts to permit or deny access to network services.
– ACLs can permit or deny a user access to services such as FTP or HTTP.

ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers.

ACLs can classify traffic to enable priority processing down the line.

Page 7: ACL Operation

ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.

– Inbound ACLs - An inbound ACL is efficient:
  • it saves the overhead of routing lookups if the packet is discarded.
  • If the packet is permitted by the tests, it is then processed for routing.
– Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

ACLs do not act on packets that originate from the router itself.

Page 8: ACL Operation - Inbound ACLs

ACL statements operate in sequential order.
– They evaluate packets against the ACL, from the top down, one statement at a time.

If a packet header and an ACL statement match, the rest of the statements in the list are skipped,
– and the packet is permitted or denied as determined by the matched statement.

If a packet header does not match a statement, the packet is tested against the next statement in the list.
– This matching process continues until the end of the list.

A final implied (IMPLICIT) statement covers all packets for which conditions did not test true.
– This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement.
– Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.

Page 9: ACL Operation - Outbound ACLs

Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable.
– If the packet is not routable, it is dropped.

Next, the router checks to see whether the outbound interface is grouped to an ACL.

If the outbound interface is not grouped to an ACL,
– the packet is sent directly to the outbound interface.

If the outbound interface is grouped to an ACL,
– the packet is not sent out on the outbound interface until it is tested by the combination of ACL statements that are associated with that interface.

A final implied (IMPLICIT) statement covers all packets for which conditions did not test true.
– This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement.

Page 10: 2 Types of Cisco ACLs: standard and extended

Standard ACLs
– Standard ACLs allow you to permit or deny traffic from source IP addresses.
– The destination of the packet and the ports involved do not matter.
– The example allows all traffic from the 192.168.30.0/24 network.
  • Because of the implied "deny any" at the end, all other traffic is blocked with this ACL.

Extended ACLs
– Extended ACLs filter IP packets based on several attributes, for example, protocol type, source IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control.
– In the figure, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP).

Page 11: How a Standard ACL Works

A standard ACL is a sequential collection of permit and deny conditions that apply to source IP addresses.
– The destination of the packet and the ports involved are not covered.
– Because the software stops testing conditions after the first match, the order of the conditions is critical.
– If no conditions match, the packet is rejected.

The two main tasks involved in using ACLs are as follows:
– Step 1. Create an access list by specifying an access list number or name and access conditions.
– Step 2. Apply the ACL to interfaces or terminal lines.

Page 12: Example of why the order of the conditions is critical

Because the software stops testing conditions after the first match, the order of the conditions is critical.

– access-list 101 permit ip host 10.1.1.2 host 172.16.1.1
– access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1
– access-list 101 permit udp host 10.1.1.2 host 172.16.1.1

The first line already matches every IP packet between these two hosts, TCP and UDP included, so the second and third lines are never reached: they are shadowed and can never match anything.

Page 13: Numbering and Naming ACLs

Using numbered ACLs is an effective method for determining the ACL type on smaller networks.

– Regarding numbered ACLs, in case you are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols.
– This course focuses only on IP ACLs. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX.
– However, a number does not inform you of the purpose of the ACL.

Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.

Page 14: Where to Place ACLs

ACLs can act as firewalls to filter packets and eliminate unwanted traffic. Every ACL should be placed where it has the greatest impact on efficiency.

The basic rules are:
– Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
– Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

Page 15: General Guidelines for Creating ACLs

Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service.

Before starting to configure an ACL, basic planning is required.

The figure presents guidelines that form the basis of an ACL best practices list.

Page 16: Entering Criteria Statements

Recall that when traffic comes into the router, it is compared to ACL statements based on the order that the entries occur in the router. The router continues to process the ACL statements until it has a match.

– For this reason, you should have the most frequently used ACL entry at the top of the list, as long as moving it does not change which statement a packet matches first.
– If no matches are found when the router reaches the end of the list, the traffic is denied because there is an implied deny for traffic.
– A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked.

For example, the two ACLs (101 and 102) in the figure have the same effect.

– Network 192.168.10.0 would be permitted to access network 192.168.30.0 while 192.168.11.0 would not be allowed.

Page 17: Standard ACL Logic

In the figure, packets that come in Fa0/0 are checked for their source addresses:

– access-list 2 deny 192.168.10.1
– access-list 2 permit 192.168.10.0 0.0.0.255
– access-list 2 deny 192.168.0.0 0.0.255.255
– access-list 2 permit 192.0.0.0 0.255.255.255

If packets are permitted, they are routed through the router to an output interface. If packets are not permitted, they are dropped at the incoming interface.

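The evaluator below is an added example, not code from the Cisco slides: it implements the top-down, first-match, implicit-deny rules described on pages 8, 11 and 12 and runs them over the shadowed extended ACL 101 from page 12 and the standard ACL 2 from page 17. The line parser, the shadowed_entries check and the sample packets are this example's own assumptions (IOS offers no such command); port qualifiers such as eq 80 are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# The two ACLs quoted on the slides (page 12 and page 17), reproduced here as input.
ACL_101 = [
    "access-list 101 permit ip host 10.1.1.2 host 172.16.1.1",
    "access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1",
    "access-list 101 permit udp host 10.1.1.2 host 172.16.1.1",
]
ACL_2 = [
    "access-list 2 deny 192.168.10.1",
    "access-list 2 permit 192.168.10.0 0.0.0.255",
    "access-list 2 deny 192.168.0.0 0.0.255.255",
    "access-list 2 permit 192.0.0.0 0.255.255.255",
]


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp", "udp", ... ("ip" for a standard ACL)
    src: int           # source address and wildcard as 32-bit integers
    src_wc: int
    dst: int           # destination; a standard ACL behaves as "any"
    dst_wc: int
    text: str          # the original line, for reporting


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    return ((addr ^ base) & (ALL_ONES ^ wildcard)) == 0


def _parse_addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one address spec: 'any', 'host X', 'X WILDCARD', or a bare 'X' (standard-ACL shorthand)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]
    return _ip(tokens[0]), 0, tokens[1:]


def parse(lines: List[str]) -> List[Entry]:
    """Parse numbered access-list lines; 1-99 and 1300-1999 are standard, everything else is extended."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[2] == "remark":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            src, src_wc, rest = _parse_addr(rest)
            entries.append(Entry(action, "ip", src, src_wc, 0, ALL_ONES, line))
        else:
            proto, rest = rest[0].lower(), rest[1:]
            src, src_wc, rest = _parse_addr(rest)
            dst, dst_wc, rest = _parse_addr(rest)
            entries.append(Entry(action, proto, src, src_wc, dst, dst_wc, line))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str = "0.0.0.0", proto: str = "ip") -> Tuple[str, Optional[str]]:
    """Top-down, first match wins. Returns (action, matching line); no match is the implicit deny (None)."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.proto not in ("ip", proto):          # 'ip' entries match every IP protocol
            continue
        if _wildcard_match(s, e.src, e.src_wc) and _wildcard_match(d, e.dst, e.dst_wc):
            return e.action, e.text
    return "deny", None


def _covers(a: Entry, b: Entry) -> bool:
    """True if every packet that b would match is already matched by the earlier entry a."""
    if a.proto not in ("ip", b.proto):
        return False
    for base_a, wc_a, base_b, wc_b in ((a.src, a.src_wc, b.src, b.src_wc),
                                       (a.dst, a.dst_wc, b.dst, b.dst_wc)):
        fixed_a = ALL_ONES ^ wc_a                 # bits that a insists on
        if fixed_a & wc_b:                        # b leaves free a bit that a pins down
            return False
        if (base_a ^ base_b) & fixed_a:           # both pin a bit, to different values
            return False
    return True


def shadowed_entries(entries: List[Entry]) -> List[str]:
    """Lines that can never be reached because an earlier line matches everything they would."""
    return [b.text for i, b in enumerate(entries) if any(_covers(a, b) for a in entries[:i])]


if __name__ == "__main__":
    acl = parse(ACL_101)
    print(evaluate(acl, "10.1.1.2", "172.16.1.1", "tcp"))
    print(shadowed_entries(acl))
    for host in ("192.168.10.1", "192.168.10.77", "192.168.44.1", "192.5.5.5", "10.1.1.1"):
        print(host, evaluate(parse(ACL_2), host))
```

Running it shows that a TCP packet between the two hosts is permitted by the first (ip) line of ACL 101 and that the tcp and udp lines are reported as shadowed; for ACL 2, host 192.168.10.1 is denied by line 1 even though line 2 would permit its subnet, and a source such as 10.1.1.1 that matches nothing falls through to the implicit deny.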
Page 18: Configuring a Standard ACL

To configure a standard ACL, you must
– First: create the standard ACL
– Second: activate the ACL on an interface.

The access-list global configuration command defines a standard ACL with a number in the range of 1 to 99.
– Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to provide a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs.

Router(config)# access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]

For example, to create a numbered ACL designated 10 that would permit network 192.168.10.0/24, you would enter:
– R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255

Page 19: Remove and Remark a Standard ACL

Remove ACL
– To remove the ACL, the global configuration no access-list command is used (for this example, no access-list 10).
– Issuing the show access-lists command confirms that access list 10 has been removed.

Page 20: ACL Wildcard Masking

ACL statements include wildcard masks.
– A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at.
– The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits.
– Wildcard masks are referred to as an inverse mask.
  • Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, the reverse is true.

Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following rules to match binary 1s and 0s:
– Wildcard mask bit 0 - Match the corresponding bit value in the address
– Wildcard mask bit 1 - Ignore the corresponding bit value in the address

The table in the figure shows the results of applying a 0.0.255.255 wildcard mask to a 32-bit IP address.

Another key point about wildcard masks is that, unlike a subnet mask, the 1s and 0s do not have to be contiguous.

Page 21: ACL Wildcard Masks to Match IP Subnets

In the first example, the wildcard mask stipulates that every bit in the IP address 192.168.1.1 must match exactly.
– The wildcard mask is 0.0.0.0.

In the second example, the wildcard mask stipulates that anything will match.
– The wildcard mask is 255.255.255.255.

In the third example, the wildcard mask stipulates that it will match any host within the 192.168.1.0/24 network.
– The wildcard mask is 0.0.0.255.

The examples in the second figure are more complicated.

In example 1, the first two octets and the first four bits of the third octet must match exactly.
– This matches the subnets 192.168.16.0 through 192.168.31.0, that is, every address in the 192.168.16.0/20 block.
– The wildcard mask is 0.0.15.255.

Example 2 is a wildcard mask that matches the first two octets, and the least significant bit in the third octet.
– The result is a mask that would permit or deny all hosts from odd subnets (/24) of the 192.168.0.0 major network.
– The wildcard mask is 0.0.254.255.

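The helper below is an added example (not Cisco's code) that turns the wildcard rules on pages 20 and 21 into checks you can run: it derives a wildcard from a prefix length, tests an address against a base/wildcard pair, reports the address range a contiguous wildcard covers, flags non-contiguous masks, and enumerates which third-octet values the 0.0.254.255 mask admits. The function names and sample addresses are this example's own.

```python
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_from_prefix(prefix_len: int) -> str:
    """A wildcard is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255, /20 -> 0.0.15.255."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _dotted(ALL_ONES ^ subnet_mask)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the base bit. Wildcard bit 1: ignore that bit."""
    a, b, w = _ip(addr), _ip(base), _ip(wildcard)
    return ((a ^ b) & (ALL_ONES ^ w)) == 0


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is of the form 0...01...1, i.e. equivalent to a CIDR prefix."""
    w = _ip(wildcard)
    return (w & (w + 1)) == 0


def matched_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address covered; only meaningful for a contiguous wildcard (one CIDR block)."""
    b, w = _ip(base), _ip(wildcard)
    lo = b & (ALL_ONES ^ w)
    return _dotted(lo), _dotted(lo | w)


def matched_third_octets(base: str, wildcard: str) -> List[int]:
    """Which values of the third octet are admitted, keeping the other octets as given in base.
    Used here for the non-contiguous 0.0.254.255 example (odd /24 subnets)."""
    o1, o2, _, o4 = base.split(".")
    return [o for o in range(256) if matches(f"{o1}.{o2}.{o}.{o4}", base, wildcard)]


if __name__ == "__main__":
    print(wildcard_from_prefix(20))                                # 0.0.15.255
    print(matched_range("192.168.16.0", "0.0.15.255"))             # ('192.168.16.0', '192.168.31.255')
    print(matches("192.168.32.1", "192.168.16.0", "0.0.15.255"))   # False
    print(is_contiguous("0.0.254.255"))                            # False
    print(matched_third_octets("192.168.1.0", "0.0.254.255")[:4])  # [1, 3, 5, 7]
```

A mask that is_contiguous rejects cannot be written as a prefix length, which is why the odd-subnet example has no /N equivalent and why matched_range is only meaningful for contiguous masks.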
Page 22: Wildcard Bit Mask Keywords

The keywords host and any help identify the most common uses of wildcard masking.
– The host option substitutes for the 0.0.0.0 mask. This mask states that all IP address bits must match, so only one host is matched.
– The any option substitutes for the IP address and 255.255.255.255 mask.
  • This mask says to ignore the entire IP address, that is, to accept any address.

Example for keyword any:
– Instead of entering
  • R1(config)# access-list 1 permit 0.0.0.0 255.255.255.255
– you can use
  • R1(config)# access-list 1 permit any

Example for keyword host:
– Instead of entering
  • R1(config)# access-list 1 permit 192.168.10.10 0.0.0.0
– you can use
  • R1(config)# access-list 1 permit host 192.168.10.10

Page 23: Applying Standard ACL to Interfaces

After a standard ACL is configured, it is linked to an interface using the ip access-group command:
–Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

To remove an ACL from an interface,
–Use the no ip access-group command on the interface,
–then enter the global no access-list command to remove the entire ACL.

Example 1: use an ACL to permit a single network.
–This ACL allows only traffic from source network 192.168.10.0 to be forwarded out on S0/0/0. Traffic from networks other than 192.168.10.0 is blocked.
–The first line identifies the ACL as access list 1. It permits traffic that matches the selected parameters.
•access-list 1 permit 192.168.10.0 0.0.0.255
•The unseen implicit deny blocks all other traffic.
–The ip access-group 1 out interface configuration command links and ties ACL 1 to the Serial 0/0/0 interface as an outbound filter.


Page 24: Creating Standard Named ACLs

Naming an ACL makes it easier to understand.
–For example, an ACL to deny FTP could be called NO_FTP.
–When you identify your ACL with a name, the configuration command syntax is slightly different.

The steps to create a standard named ACL:
–Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL.
•ACL names are alphanumeric, must be unique and must not begin with a number.
–Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining if a packet is forwarded or dropped.
–Step 3. Return to privileged EXEC mode with the end command.

In the figure, the screen output shows the commands used to configure a standard named ACL on router R1, interface Fa0/0, that denies host 192.168.11.10 access to the 192.168.10.0 network.


Page 25: Creating Standard Named ACLs

Capitalizing ACL names is not required, but makes them stand out when viewing the running-config output.

–ACL names can be up to 31 characters in length;
–ACL names are case sensitive;
–ACL names can include the dash (-), the underscore (_), and the period (.).
–ACL names must start with an alphabetic character, and must be unique from all other ACLs of all types on the switch router.
–You cannot use keywords from any command as an ACL name.


http://www.cisco.com/univercd/cc/td/doc/product/l3sw/8540/12_1/lhouse/sw_confg/8500acl.htm

Page 26: Monitoring and Verifying ACLs

When you finish an ACL configuration, use Cisco IOS show commands to verify the configuration.
–In the figure the top example shows the Cisco IOS syntax to display the contents of all ACLs.
–The bottom example shows the result of issuing the show access-lists command on router R1. The capitalized ACL names, SALES and ENG, stand out in the screen output.


Page 27: Extended ACLs

Extended ACLs are used more often than standard ACLs because they provide a greater range of control and, therefore, add to your security solution.
– Extended ACLs check the source packet addresses,
– They also check the destination address, protocols and port numbers (or services).
– For example, an extended ACL can simultaneously allow e-mail traffic from a network to a specific destination while denying file transfers and web browsing.
– The ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit-deny decision.

For more precise traffic-filtering control, you can use extended ACLs numbered 100 to 199 and 2000 to 2699 providing a total of 799 possible extended ACLs.


Figure: the same process is repeated again for the outgoing interface.

Page 28: Extended ACLs: Ports and Services

The ability to filter on protocol and port number allows you to build very specific extended ACLs.
– The figure shows some examples of how an administrator specifies a TCP or UDP port number by placing it at the end of the extended ACL statement.
– Logical operations can be used, such as equal (eq), not equal (neq), greater than (gt), and less than (lt).


Page 29: Configuring Extended ACLs

The procedural steps for configuring extended ACLs are the same as for standard ACLs:
– first create the extended ACL,
– then activate it on an interface.

For example, the network administrator needs to restrict Internet access to allow only web browsing.
– ACL 103 applies to traffic leaving the 192.168.10.0 network.
• It allows traffic to go to any destination, ports 80 (HTTP) and 443 (HTTPS) only.
– ACL 104 applies to traffic coming into the network.
• ACL 104 blocks all incoming traffic, except for established connections.
• HTTP establishes connections starting with the request and then the exchange of ACK, FIN, and SYN messages.
• A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the packet belongs to an existing connection.
• This parameter allows responses to traffic that originates from the 192.168.10.0 /24 network to return to s0/0/0.


Page 30: Applying Extended ACLs to Interfaces

Recall that we want to allow users to browse both insecure and secure websites.

First consider whether the traffic you want to filter is going in or out.
– In the example in the figure, R1 has two interfaces. It has a serial port, S0/0/0, and a Fast Ethernet port, Fa0/0.
• The Internet traffic coming in is going in the S0/0/0 interface,
• but is going out the Fa0/0 interface to reach PC1.
– The example applies the ACL to the serial interface in both directions.


Page 31: Applying Extended ACLs to Interfaces

Example: Deny FTP
– Denying FTP traffic from subnet 192.168.11.0 going to 192.168.10.0, but permitting all other traffic.
– Remember that FTP requires ports 20 and 21, therefore you need to specify both ports to deny FTP.
– With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name.
• access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp
• access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data

Example: Deny Telnet
– Denies Telnet traffic from 192.168.11.0 going out interface Fa0/0, but allows all other IP traffic from any other source to any destination out Fa0/0.
– Note the use of the any keywords, meaning from anywhere going to anywhere.

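The matching rules described in the wildcard keyword, standard ACL, extended ACL port and established pages above, as an added Python illustration of how a router evaluates such a list; this is not Cisco IOS code, and the helper names and the ACL 103/104 lines are assumptions reconstructed from the deck's description.

```python
import ipaddress, operator   # added illustration of Cisco-style ACL matching, not IOS code
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}   # a few IOS port keywords
PORT_OPS = {"eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "lt": operator.lt}
# constructed sample reproducing the deck's web-only policy: ACL 103 outbound, ACL 104 inbound
ACL_103 = ["access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80",
           "access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 443"]
ACL_104 = ["access-list 104 permit tcp any 192.168.10.0 0.0.0.255 established"]
def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: mask bit 0 = bit must match, mask bit 1 = bit is ignored
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)
def take_addr(t):
    # consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the front of token list t
    if t[0] == "any": return ("0.0.0.0", "255.255.255.255"), t[1:]
    return ((t[1], "0.0.0.0"), t[2:]) if t[0] == "host" else ((t[0], t[1]), t[2:])

def take_port(t):
    # consume an optional 'eq|neq|gt|lt PORT' qualifier; PORT may be numeric or a keyword
    if t and t[0] in PORT_OPS:
        return (PORT_OPS[t[0]], PORT_NAMES.get(t[1]) or int(t[1])), t[2:]
    return None, t

def parse_ace(line):
    # one 'access-list N permit|deny ...' entry, standard (source only) or extended form
    t = line.split()[2:]                        # drop 'access-list' and the list number
    ace = {"action": t.pop(0), "proto": None, "sport": None, "dport": None, "established": False}
    if t[0] in ("ip", "tcp", "udp", "icmp"):    # extended entries name a protocol first
        ace["proto"] = t.pop(0)
    ace["src"], t = take_addr(t)                # both forms name a source
    if ace["proto"]:                            # extended: [port] dst [port] [established]
        ace["sport"], t = take_port(t); ace["dst"], t = take_addr(t)
        ace["dport"], t = take_port(t); ace["established"] = "established" in t
    return ace

def ace_matches(ace, pkt):
    # pkt keys: src, dst, proto, sport, dport, flags (set of TCP flag names such as "ACK")
    if not wildcard_match(pkt["src"], *ace["src"]): return False
    if ace["proto"] is None: return True        # a standard ACL tests the source only
    if ace["proto"] not in ("ip", pkt["proto"]): return False
    if not wildcard_match(pkt["dst"], *ace["dst"]): return False
    for key in ("sport", "dport"):              # optional port qualifiers
        if ace[key] and not ace[key][0](pkt[key], ace[key][1]): return False
    # 'established' matches only segments with ACK or RST set, i.e. replies to an existing session
    return not ace["established"] or bool(pkt["flags"] & {"ACK", "RST"})

def evaluate(acl_lines, pkt):
    # top-down, first match wins; the unseen implicit 'deny any' ends every ACL
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt): return ace["action"]
    return "deny"
```

Packets are plain dicts; evaluate() returns the action of the first matching entry, or "deny" once the list is exhausted, which is the implicit deny the slides refer to.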