Why Use Access Lists?

Manage IP traffic as network access grows Filter packets as they pass through the router

What are ACLs?
ACLs are lists of conditions that are applied to traffic traveling across a router's interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs can be configured at the router to control access to a network or subnet. Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.

Provide traffic flow control. Decide which types of traffic are forwarded or blocked at the router interfaces For example: Permit e-mail traffic to be routed. Provide a basic level of security for network access. all packets passing through the router will be allowed onto all parts of the network. but block all telnet traffic. . If ACLs are not configured on the router.Reasons to Create ACLs The following are some of the primary reasons to create ACLs: Limit network traffic and increase network performance.

ACL’s  Different access list for Telnet  When configuring ISDN you need to use access list  Implicit deny at bottom  All restricted statements should be on first  There are two types  Standard  Extended .

56.168.2 N1 192.34.0 N6 .0 N4 N5 A B C N3 192.168.168.Network N2 192.

Types of Access Lists Standard Checks source address Permits or denies entire protocol suite Extended Checks source and destination address Generally permits or denies specific protocols .

and destination ports.How to Identify Access Lists  Standard IP lists (1-99) test conditions of all IP packets from source addresses.  Extended IP lists (100-199) test conditions of source and destination addresses. .  Standard IP lists (1300-1999) (expanded range).  Extended IP lists (2000-2699) (expanded range). specific TCP/IP protocols.

This is the syntax: Router(config)#no access-list access-list-number Config# Access-list 1 deny 192.1.0.Standard ACLs The full syntax of the standard ACL command is: Router(config)#access-list access-list-number {deny | permit} source [source-wildcard ] The no form of this command is used to remove a standard ACL.0.255 Config# access-list 1 permit any .0 0.168.

0-255.255 0.0 (host) Mask Access-list 99 permit 192.0- 192.255 (any) .0-255 0-255.1 192.0.0-255.255.1 wildcard mask All 32 bits of an IP Address can be filtered Wildcard inverse mask 0=must match 1= ignore MASK (192.0.0-255 192.0- Matching IP 255.

255.255 Or permit any Access-list 1 permit ANY and HOST keyword Access-list 1 permit 0.0.0 Or permit host 0.255.0 255.9 .0.

Testing Packets with Standard Access Lists .

then discard the packet. .Outbound ACL Operation • If no access list statement matches.

1.168.255 Access-list 99 permit 192.0 access-list 99 permit any 255.0 0.1 Implicit deny at the end of every ACL 2.168.255 Access-list 99 deny host 192. First Hit or Best Fit? Access-list 99 deny host 192.255.1.Reading an ACL  1. 3.1.1 access-list 99 permit any Access-list 99 deny host  .1.

Standard IP: 1300-1999 Extended IP: 20002699 . IPX.Creating ACLs ACLs are created in the global configuration mode. Since IP is by far the most popular routed protocol. When configuring ACLs on a router. extended. There are many different types of ACLs including standard. addition ACL numbers have been added to newer router IOSs. each ACL must be uniquely identified by assigning a number to it. and others. AppleTalk. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.

The ip access-group command { in | out } . E0 192.248 S0 192.252 – Standard Access List 192.18 255.240 A S0 192.5 255.252 E0 B 192.255.9 Account should be denied access to Sales To steps to configure •Create a standard Access list •Apply ACL to proper interface inbound or outbound .34 255.0.6 255.0.17 255.10 255.252 S1 S0

0.248 S0 192.255.34 S0 192.252 E0 E0 B A 192.9 255.18 255.168.252 192.0.240 Config# Access-list 1 deny 192.33 255.7 Config# access-list 1 permit any Config#int e 0 Config-if# ip access-group 1 out .0.168.5 255.255.10 S1 S0 192.255.Exercise – Standard Access List 192.0.

Extended ACLs Extended ACLs are used more often than standard ACLs because they provide a greater range of control. greater than (gt). Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers. and less than (lt). Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS). At the end of the extended ACL statement. additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. equal (eq). Logical operations may be specified such as. that the extended ACL will perform on specific protocols. not equal (neq). .

Configuration • Access-list acl# {permit/Deny} • Protocol – – – – – OSPF EIGRP ICMP TCP UDP • • • • Protocol Src IP src WCM Dst IP dst WCM Opetrator port RP If you need to Block a routing protocol IP • Operator – – – – eq gt lt neq .

Testing Packets with Extended Access Lists .

Extended ACL Syntax . 0.255.248 B Fa0/1 200.0.10 eq www Config# access-list 100 permit IP any any Config#int Fastethernet 0/0 Config-if# ip access-group 100 IN .10  Account should be denied Sales Web site Config# Access-list 100 deny tcp 200.9 255.Extended ACL LAB Internet A Fa0/0 200.18 255.255.248 255.

34 0.0 eq 21 Config# access-list 100 permit IP any any Config#int s0 Config-if# ip access-group 100 IN 192.168.5 255.17 255.0.10 S0 E0 192.9 255.252 S1 S0 255.0.168.Extended ACL LAB -2 192.240 0.248 B 192.0.34 should be denied FTP of 192.0 On Router R1 Config# Access-list 100 deny tcp 192.34 On Router R3 Config# Access-list 100 deny tcp 192.0.240 A should be denied website of 192.252 E0 192.168.33 S0 192.255.0 eq 80 Config# access-list 100 permit IP any any Config#int s0 Config-if# ip access-group 100 IN .168.6 255.255.0.

Deny FTP access-list 101 deny tcp any any eq 21 access-list 101 permit ip any any or access-list 101 deny tcp any any eq ftp access-list 101 permit ip any any .

Rules For extended access list apply near to the source For standard access list apply near to the destination .

The characteristics of named accesslist:     Identify an ACL using an alphanumeric name.2. .2. The same name may not be used for multiple ACLs. Named ACLs are not compatible with Cisco IOS releases prior to Release 11.Named ACLs IP named ACLs were introduced in Cisco IOS Software Release 11. You can delete individual statements in a named access list Named access lists must be specified as standard or extended You can use the ip access-list command to create named access lists. allowing standard and extended ACLs to be given names instead of numbers.

Named ACL’s  Numbered Access list did not give you any hint. What is filtered  Named ACL’s are both basic and advanced filtering tool  Name cannot start with a number or !  Cannot have space in the name  Should not have ? Character anywhere in the name  Name is case sensitive .

40.0.Named ACL Example R1(config)#ip access-list standard blocksales • • • • • R1(config-std-nacl)#deny 172.255 R1(config-std-nacl)#permit any R1(config-std-nacl)#exit R1(config)#^Z R1# #Int e 0 #Ip access-group blocksales out .0 0.0.16.

Verify Access List .

Basic Rules for ACLs       Standard IP access lists should be applied closest to the destination. and groups or general filters should come last. New lines are always added to the end of the access list.     . Specific hosts should be denied first. Outbound filters do not affect traffic originating from the local router. This will not appear in the configuration listing. Statements are processed sequentially from the top of list to the bottom until a match is found. Extended IP access lists should be applied closest to the source. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs. There is an implicit deny at the end of all access lists. if no match is found then the packet is denied. Never work with an access list that is actively applied. Use the inbound or outbound interface reference as if looking at the port from inside the router. Access list entries should filter in the order from specific to general.

Sign up to vote on this title
UsefulNot useful