
Access Control List

ACL-Part1

www.halmalki.net ‫حسين المالكي‬


ACL

o A sequential list of permit or deny statements.
o The router checks each packet against the list from top to bottom; the first statement that matches decides, and the statements after it are not examined.
o A packet that matches no statement is dropped by the implicit "deny any" at the end of every ACL.
o Used to secure networks by controlling which traffic may pass through the router (or reach the router itself).



ACL

[Topology: R1 (10.10.10.0), R4 (10.10.11.0), R5 (10.10.40.0)]

Example requirement: deny network 10.10.10.0 from connecting to network 10.10.11.0.



Steps to Create an ACL

o Create the ACL in global configuration mode.
o Assign it to an interface.
o Decide the direction:
 - In: checked as packets enter the interface.
 - Out: checked as packets leave the interface.

Direction is relative to the router the ACL is applied on, and only one ACL per protocol can be applied per interface per direction.

[Topology: R1 (10.10.10.0), R4 (10.10.11.0), R5 (10.10.40.0)]



Types of ACLs
o Standard ACLs:
 - Permit or deny traffic based on the source IP address only.
 - Use numbers 1-99 and 1300-1999.
 - Apply them as close to the destination as possible (the deck's mnemonic: SAD). Because they match on source alone, placing one near the source would also cut that source off from destinations it should still be able to reach.

[Topology: R1 (10.10.10.0), R4 (10.10.11.0), R5 (10.10.40.0)]

Syntax:

access-list access-list-number {permit | deny} source-ip-address wildcard-mask [log]

The wildcard mask is the inverse of a subnet mask: a 0 bit must match the given address, a 1 bit is ignored. To deny 10.10.10.0/24 from reaching 10.10.11.0, apply the list outbound on s1/0, the R4 interface that leads to 10.10.11.0:

R4(config)#access-list 10 deny 10.10.10.0 0.0.0.255
R4(config)#access-list 10 permit any
R4(config)#int s1/0
R4(config-if)#ip access-group 10 out

The "permit any" line is required: without it the implicit deny at the end of the list would also drop every other packet leaving s1/0.



Restrict VTY access

Allow only host 172.16.70.100 to reach the router by Telnet.

[Topology: R1, R4, host 172.16.70.100]

R4(config)#access-list 14 permit host 172.16.70.100
R4(config)#line vty 0 4
R4(config-line)#access-class 14 in

access-class (not ip access-group) binds the list to the VTY lines, so it filters connections to the router itself rather than traffic passing through it. Because of the implicit deny, every other source is refused. Check how many VTY lines the platform has: if more than lines 0 4 exist, apply the access-class to all of them, otherwise the unlisted lines stay open. Telnet is cleartext; prefer SSH (transport input ssh on the VTY lines) and keep the access-class in place.



Types of ACLs
o Extended ACLs:
 - Match on protocol, source and/or destination IP address, and port numbers.
 - Use numbers 100-199 and 2000-2699.
 - Apply them as close to the source as possible, so unwanted traffic is dropped before it crosses the network.

[Topology: R1 (10.10.10.0), R4 (10.10.11.0), R5 (10.10.40.0)]

Syntax:

access-list <number 100-199> {permit | deny} <protocol> <source> <source-wildcard> [<operator> <source-port>] <destination> <destination-wildcard> [<operator> <destination-port>] [options such as established] [log]

The port operator is eq, neq, lt, gt or range and applies only when <protocol> is tcp or udp; ports may be given by number or by IOS keyword (www = 80, ftp = 21, telnet = 23).



Types of ACLs
o Extended ACLs, example:

[Topology: R1 (10.10.10.0), R4 (10.10.11.0), R5 (10.10.40.0)]

access-list 103 permit tcp 10.10.10.0 0.0.0.255 any eq 80

Here 10.10.10.0 0.0.0.255 is the source address with its wildcard, any is the destination address, and eq 80 applies to the destination port: TCP from 10.10.10.0/24 to web servers anywhere.



Types of ACLs
o Extended ACLs, example:

[Topology: R1 (10.10.10.0), R4 (10.10.11.0), R5 (10.10.40.0)]

R4(config)#access-list 101 deny tcp 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
R4(config)#access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq ftp
R4(config)#access-list 101 permit ip any any

Line 1 blocks HTTP from 192.168.3.0/24 to 10.0.0.0/24 only; line 2 blocks FTP control connections (port 21) from 192.168.3.0/24 to anywhere; line 3 permits everything else. Order matters: if permit ip any any were entered first, the two deny lines after it would never be reached.
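The matching rules described above (top-to-bottom evaluation, first match wins, implicit deny, wildcard masks) and the standard, VTY and extended lists from this deck, run as a small simulator. This is an added example, not code from the original deck or from Cisco; the port-keyword table, the ACL number ranges used to tell standard from extended syntax, and the sample packets are assumptions stated in the comments.

```python
import ipaddress

# IOS port keywords accepted after 'eq' (assumed table; the deck uses www and ftp)
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "ssh": 22, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = ignore that bit; bit 0 = must equal the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def parse_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (missing wildcard = 0.0.0.0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0) if tokens else "0.0.0.0")


def parse_port(tokens):
    """Consume an optional 'eq <port>'; lt/gt/neq/range are not modelled here."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return None


def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines, in order, into match entries."""
    entries = []
    for line in lines:
        rest = line.split()
        if rest[-1].lower() == "log":          # [log] affects logging only, not matching
            rest.pop()
        keyword, number, action = rest[0].lower(), int(rest[1]), rest[2].lower()
        if keyword != "access-list" or action not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line}")
        rest = rest[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard: source only
            entry = {"action": action, "proto": "ip", "src": parse_address(rest),
                     "sport": None, "dst": ANY, "dport": None}
        elif 100 <= number <= 199 or 2000 <= number <= 2699:  # extended
            proto = rest.pop(0).lower()
            src, sport = parse_address(rest), parse_port(rest)
            dst, dport = parse_address(rest), parse_port(rest)
            entry = {"action": action, "proto": proto, "src": src, "sport": sport,
                     "dst": dst, "dport": dport}
        else:
            raise ValueError(f"{number} is not a standard or extended ACL number")
        if rest:                                # e.g. 'established': refuse rather than mis-parse
            raise ValueError(f"unsupported keyword(s) {rest} in: {line}")
        entries.append(entry)
    return entries


def evaluate(entries, packet):
    """First matching entry as (action, 1-based line number); ('deny', None) = implicit deny.
    packet: dict with proto, src, dst and optional sport/dport."""
    for lineno, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *e["src"]):
            continue
        if not wildcard_match(packet["dst"], *e["dst"]):
            continue
        if e["sport"] is not None and e["sport"] != packet.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != packet.get("dport"):
            continue
        return e["action"], lineno
    return "deny", None


# Sample lists, copied from the deck's examples; packets below are constructed
ACL_10 = ["access-list 10 deny 10.10.10.0 0.0.0.255", "access-list 10 permit any"]
ACL_14 = ["access-list 14 permit host 172.16.70.100"]        # VTY list, no 'permit any'
ACL_101 = ["access-list 101 deny tcp 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www",
           "access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq ftp",
           "access-list 101 permit ip any any"]


def demo():
    """Run constructed packets through each list; returns {label: (action, line)}."""
    acl10, acl14, acl101 = parse_acl(ACL_10), parse_acl(ACL_14), parse_acl(ACL_101)
    inside = {"proto": "ip", "src": "10.10.10.7", "dst": "10.10.11.1"}
    web = {"proto": "tcp", "src": "192.168.3.5", "dst": "10.0.0.9", "sport": 40000, "dport": 80}
    telnet = {"proto": "tcp", "src": "172.16.70.100", "dst": "10.10.11.1", "dport": 23}
    return {
        "10: 10.10.10.7 out": evaluate(acl10, inside),
        "10: 10.10.40.7 out": evaluate(acl10, dict(inside, src="10.10.40.7")),
        "10 reversed": evaluate(parse_acl(ACL_10[::-1]), inside),   # 'permit any' first shadows the deny
        "14: allowed host": evaluate(acl14, telnet),
        "14: other host": evaluate(acl14, dict(telnet, src="172.16.70.101")),
        "101: web to 10/24": evaluate(acl101, web),
        "101: web elsewhere": evaluate(acl101, dict(web, dst="203.0.113.9")),
        "101: ftp elsewhere": evaluate(acl101, dict(web, dst="203.0.113.9", dport=21)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22} -> {result}")
```

The "10 reversed" case is the one to remember: the same two lines in the other order permit everything, because the first match decides and nothing after permit any is ever consulted. Likewise "14: other host" returns no line number at all, which is the implicit deny doing the work the deck relies on.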



Types of ACLs

o Named ACLs:
 - The more commonly used form.
 - Let you give the access list a name and edit individual entries by sequence number.

Router(config)#ip access-list standard Hussain
Router(config-std-nacl)#10 permit host 10.10.10.1
Router(config-std-nacl)#20 permit host 10.10.11.1
Router(config-std-nacl)#15 permit host 10.3.3.3

Each entry carries a sequence number and IOS rejects a duplicate, so two entries cannot both be numbered 10. Entering 15 after 10 and 20 inserts it between them rather than appending it, and a single entry can be removed with no <sequence-number> in the same sub-mode, which a numbered list does not allow.



Verifying ACLs

o show running-config: the ACL statements and the ip access-group / access-class lines that apply them.
o show ip interface: which ACL is applied inbound and outbound on each interface.
o show ip access-lists: every ACL with per-entry match counters, the quickest way to confirm that a line is actually being hit.



Examples of Standard ACLs

To permit traffic from host 172.16.1.1 only:

access-list 20 permit 172.16.1.1 0.0.0.0

To permit all packets from network 172.16.0.0/16:

access-list 20 permit 172.16.0.0 0.0.255.255



Examples of Standard ACLs

To permit traffic from any source address:

access-list 20 permit 0.0.0.0 255.255.255.255

or, equivalently:

access-list 20 permit any

A single host can likewise be written either way:

access-list 23 permit 172.16.1.1 0.0.0.0
access-list 23 permit host 172.16.1.1
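The wildcard arithmetic behind these examples, as an added example that is not part of the original deck or any Cisco software: how a wildcard relates to a prefix length, how many addresses an entry covers, the "host"/"any" spellings IOS substitutes, and what a mistyped wildcard such as 255.255.255.25 actually matches. The addresses used are constructed for the demonstration.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def to_str(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_prefix(prefix_len):
    """/24 -> 0.0.0.255: the wildcard is the bitwise inverse of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_str(~mask)


def is_contiguous(wildcard):
    """True when all 1 bits sit at the low end, i.e. the wildcard inverts a real subnet mask."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def match_count(wildcard):
    """An entry matches 2 ** (number of 1 bits) addresses, contiguous or not."""
    return 1 << bin(to_int(wildcard)).count("1")


def matches(addr, base, wildcard):
    """The router's test: bits under a wildcard 0 must equal the base address."""
    return ((to_int(addr) ^ to_int(base)) & ~to_int(wildcard) & 0xFFFFFFFF) == 0


def canonical(base, wildcard):
    """Spelling IOS shows in the running config for a base/wildcard pair."""
    if to_int(wildcard) == 0xFFFFFFFF:
        return "any"
    if to_int(wildcard) == 0:
        return f"host {base}"
    return f"{base} {wildcard}"


if __name__ == "__main__":
    print("/16 ->", wildcard_from_prefix(16))                       # 0.0.255.255
    print(canonical("172.16.1.1", "0.0.0.0"), "|", canonical("0.0.0.0", "255.255.255.255"))
    # The typo 255.255.255.25 is accepted by IOS but is no longer 'any':
    typo = "255.255.255.25"
    print(typo, "contiguous:", is_contiguous(typo), "matches:", match_count(typo), "of", 1 << 32)
    print("8.8.8.7 under typo:", matches("8.8.8.7", "0.0.0.0", typo))   # False -> implicit deny
    # Non-contiguous wildcards are legal; 10.10.10.1 0.0.0.254 matches only odd hosts in /24
    print("odd host 10.10.10.3:", matches("10.10.10.3", "10.10.10.1", "0.0.0.254"))
    print("even host 10.10.10.4:", matches("10.10.10.4", "10.10.10.1", "0.0.0.254"))
```

is_contiguous is worth running on any wildcard that was typed by hand: IOS accepts a non-contiguous mask without complaint, so a typo in an "any" entry silently turns into a rule that matches only some addresses and drops the rest through the implicit deny.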



Delete ACL

Router#config t
Router(config)#int s1
Router(config-if)#no ip access-group 100 in
Router(config-if)#exit
Router(config)#no access-list 100

Remove the ACL from the interface first. no access-list 100 deletes the entire numbered list, not a single line; to remove one entry, use a named ACL and no <sequence-number> in its sub-mode. If a numbered list is deleted while an interface still references it, the interface points at a list that no longer exists and passes all traffic until the list is recreated, which is why the order of these steps matters.

