
Access Control List

[Figure: two routers, A and B, connected by a serial link; the interfaces Fa0/0, S0/0 and S0/1 are the positions at which an access list can be applied]

1. Position: the router interface the list is applied to
2. Condition: permit / deny
3. Direction: in / out
---------------------------------------------------
4. Arrangement of the statements

The statements are checked from the top down and the first match decides, so their order changes the result.

Deny 172.16.20.1 only (topology A - C - B):

  Wrong order (the deny is never reached):    Correct order:
  Access-list 5 permit any                    Access-list 5 deny 172.16.20.1
  Access-list 5 deny 172.16.20.1              Access-list 5 permit any
----------------------------------------------------------------------------------
Permit 172.16.20.1 only (topology A - C - B):

  Wrong order (the permit is never reached):  Correct order:
  Access-list 5 deny any                      Access-list 5 permit 172.16.20.1
  Access-list 5 permit 172.16.20.1            Access-list 5 deny any
------------------------------------------------------------------------------------
5. Default of the Access Control List (ACL): deny

Every ACL ends with an implicit "deny any", so the explicit deny on the left is not needed, and placed first it blocks everything (topology A - C - B):

  Wrong (the explicit deny any comes first):  Correct (the implicit deny any follows the permit):
  Access-list 5 deny any                      Access-list 5 permit 172.16.20.1
  Access-list 5 permit 172.16.20.1

6. The ACL must contain at least one permit statement

Deny 172.16.20.1 only: without the permit, the implicit deny any would also block every other address.

Access-list 9 deny 172.16.20.1
Access-list 9 permit any
------------------------------------------------------------------------------------------------------
Syntax

access-list access-list-number { permit | deny } { test conditions }

interface ????   (the interface the list is applied to, e.g. Fa0/0 or S0/0 in the figure)
{ protocol } access-group access-list-number { in | out }
---------------------------------------------------------------------------------------------------
Standard access list                       Extended access list

Permit or deny the whole TCP/IP stack      Permit or deny a specific application

Numbers 1-99                               Numbers 100-199
------------------------------------------------------------------------------------------------
Test condition: wildcard mask

Permit the IP addresses 172.30.16.16 to 172.30.16.31. Without a wildcard mask this takes one statement per address:

Access-list 5 permit 172.30.16.16
Access-list 5 permit 172.30.16.17
Access-list 5 permit 172.30.16.18
Access-list 5 permit 172.30.16.19
....
....
Access-list 5 permit 172.30.16.31

============================================================
Last octet in binary: the high four bits must match, the low four bits are don't care.

             |<- match ->|<- don't care ->|
172.30.16 .    0 0 0 1       0 0 0 0        = 16
172.30.16 .    0 0 0 1       0 0 0 1        = 17
172.30.16 .    0 0 0 1       0 0 1 0        = 18
                       :
172.30.16 .    0 0 0 1       1 1 1 1        = 31
-------------------------------------------------------------------------------------------------------
Mask (1 = don't care): 0.0.0.00001111
Wildcard mask : 0.0.0.15
IP : 172.30.16.16 (the fixed bits 0001 of the last octet are 16, so the address is .16, not .0)

-------------------------------------------------------------------------------------------
Condition: deny traffic from 192.168.5.64 to 192.168.5.191

Access-list 7 deny 192.168.5.64      (the first of one statement per address)

Last octet in binary:
192.168.5.01000000 = 64
192.168.5.01000100 = 68
192.168.5.01100000 = 96
192.168.5.01111111 = 127
192.168.5.10111111 = 191

The addresses 64 to 127 (01000000 to 01111111) share the first two bits 01; the remaining six bits are don't care:
mask 0.0.0.00111111 = 0.0.0.63 (00011111 would be 31 and cover only 32 addresses)
Access-list 7 deny 192.168.5.64 0.0.0.63

The addresses 128 to 191 (10000000 to 10111111) start with 10 instead of 01, so the whole range is not a single wildcard block: a second statement with address 192.168.5.128 and the same mask 0.0.0.63 is needed to cover them.
-------------------------------------------------------------------------------------------
Condition: deny traffic from 192.168.5.0 to 192.168.5.31

Last octet 00000000 to 00011111, the high three bits are fixed and the low five bits are don't care:
mask 0.0.0.00011111 = 0.0.0.31
Access-list deny 192.168.5.0 0.0.0.31
---------------------------------
Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24

172.30.16.0   = 172.30.00010000.00000000
172.30.31.255 = 172.30.00011111.11111111

Third octet:
00010000 = 16
00010010 = 18
00010100 = 20
00011111 = 31
----------------
The high four bits 0001 of the third octet are fixed; its low four bits and the whole fourth octet are don't care:
mask 00001111.11111111 = 0.0.15.255
Access-list 45 deny 172.30.16.0 0.0.15.255

-------------------------------------------------
Condition: deny traffic from 192.168.15.192 to 192.168.15.230

Last octet: 192 = 11000000. The addresses 192.168.15.11000000 to 192.168.15.11011111 (192 to 223) share the first three bits 110 and have five don't-care bits, mask 00011111 = 0.0.0.31 (in the last octet, so the wildcard is 0.0.0.31, not 0.0.31.0). The remaining addresses 224 to 230 do not fit one block: 224 to 227 form a block of four, and 228, 229 and 230 are listed as single hosts.

Access-list 46 deny 192.168.15.192 0.0.0.31
Access-list 46 deny 192.168.15.224 0.0.0.3
Access-list 46 deny 192.168.15.228 0.0.0.0
Access-list 46 deny 192.168.15.229 0.0.0.0
Access-list 46 deny 192.168.15.230 0.0.0.0
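Added example, not part of the notes: a small Python routine that applies the binary derivation used throughout the wildcard-mask section to any address range, together with the match test a router performs on one statement. It goes beyond the hand-worked cases by splitting a range into the fewest aligned blocks; for 228 to 230 it therefore emits 192.168.15.228 0.0.0.1 plus 192.168.15.230 0.0.0.0, which covers the same hosts as the three host entries above. All addresses are taken from this page; the function names are the author's own choice.

```python
import ipaddress
from typing import List, Tuple

def matches(ip: str, address: str, wildcard: str) -> bool:
    """One ACL test condition as the router evaluates it: a 1 bit in the
    wildcard mask is 'don't care', a 0 bit must equal the address bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    ip_bits = int(ipaddress.IPv4Address(ip))
    addr_bits = int(ipaddress.IPv4Address(address))
    return (ip_bits & care) == (addr_bits & care)

def wildcard_entries(first: str, last: str) -> List[Tuple[str, str]]:
    """Split an inclusive range into the fewest (address, wildcard) pairs.
    Each pair is an aligned power-of-two block, i.e. fixed high bits and
    don't-care low bits, the same derivation done by hand in the notes."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address lies above last address")
    entries = []
    while lo <= hi:
        size = 1  # grow the block while it stays aligned and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((str(ipaddress.IPv4Address(lo)),
                        str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return entries

def covered(entries: List[Tuple[str, str]], ip: str) -> bool:
    """True if any entry of the list matches ip."""
    return any(matches(ip, addr, wc) for addr, wc in entries)

def acl_lines(number: int, action: str, first: str, last: str) -> List[str]:
    """Render the pairs as numbered standard access-list statements."""
    return [f"access-list {number} {action} {addr} {wc}"
            for addr, wc in wildcard_entries(first, last)]

if __name__ == "__main__":
    # The 192.168.5.64 to 192.168.5.191 case needs two blocks of 64 addresses.
    for line in acl_lines(7, "deny", "192.168.5.64", "192.168.5.191"):
        print(line)
```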
