Types of ACL
Outline
ACL component
Wildcard mask
A wildcard mask is obtained by subtracting the subnet mask from 255.255.255.255. For a /19 subnet:
  255.255.255.255
- 255.255.224.0
= 0.0.31.255   (wildcard mask for /19)
Wildcard mask types
---wildcard to match a host---
• Assume ACL 10 needs an ACE that only permits the host with IPv4
address 192.168.1.1. Recall that “0” equals a match and “1” equals
ignore. To match a specific host IPv4 address, a wildcard mask
consisting of all zeroes (i.e., 0.0.0.0) is required.
• When the ACE is processed, the wildcard mask will permit only the
192.168.1.1 address.
• The resulting ACE in ACL 10 would be: access-list 10 permit 192.168.1.1 0.0.0.0.
• A single IPv4 address is a /32, i.e. subnet mask 255.255.255.255 (wildcard mask 0.0.0.0).
Wildcard mask types
---wildcard to match an ipv4 subnet---
• ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The wildcard mask 0.0.0.255 stipulates that the first three octets must match exactly while the fourth octet is ignored.
• When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24 network. The resulting ACE in ACL 10 would be: access-list 10 permit 192.168.1.0 0.0.0.255.
  255.255.255.255
- 255.255.255.0
= 0.0.0.255   (wildcard mask for /24)
ACE source and wildcard: 192.168.1.0 0.0.0.255
Wildcard mask types
---wildcard to match an ipv4 address range---
• The host address range 192.168.1.1 - 192.168.1.14 will match on wildcard mask 0.0.0.15?
  192.168.1.0 0.0.0.15
• The host address range 192.168.4.1 - 192.168.4.2 will match on wildcard mask …?
• The host address range 172.16.1.33 - 172.16.1.38 will match on wildcard mask …?
• The host address range 192.168.10.0 - 192.168.11.0 will match on wildcard mask …?
• The host address range 192.168.16.0 - 192.168.31.0 will match on wildcard mask …?
Wildcard mask keyword
The Cisco IOS provides two keywords to identify the most common
uses of wildcard masking. The two keywords are:
• host - This keyword substitutes for the 0.0.0.0 mask. This mask states
that all IPv4 address bits must match to filter just one host address.
• any - This keyword substitutes for the 255.255.255.255 mask. This
mask says to ignore the entire IPv4 address or to accept any
addresses.
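The subtraction on the earlier slides, the host/subnet/any matching rule, and the address-range exercises above all reduce to bit operations. The following Python is an added example (not part of the original slides or Cisco IOS): it derives a wildcard mask from a prefix length, tests whether an address matches an ACE's base/wildcard pair, and, going beyond the slides, finds the smallest single ACE that covers an arbitrary range while reporting how many extra addresses that ACE also matches (the function names are my own).

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask (the slide's subtraction)."""
    subnet_mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return _to_str(ALL_ONES - subnet_mask)


def ace_matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = ignore.
    'host x' is x with wildcard 0.0.0.0; 'any' is wildcard 255.255.255.255."""
    care_bits = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(addr) & care_bits) == (_to_int(base) & care_bits)


def smallest_covering_ace(first: str, last: str) -> tuple[str, str, int]:
    """Smallest single (base, wildcard) pair covering first..last, plus the number
    of addresses outside that range the pair also matches (0 means an exact fit).
    A range that is not an aligned power-of-two block always has extras, so the
    caller can see when one ACE over-permits."""
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    for bits in range(33):
        wildcard = (1 << bits) - 1
        base = lo & ~wildcard & ALL_ONES  # the only aligned block of this size holding lo
        if base + wildcard >= hi:
            extra = (wildcard + 1) - (hi - lo + 1)
            return _to_str(base), _to_str(wildcard), extra
    raise AssertionError("unreachable: a 32-bit wildcard covers every range")


if __name__ == "__main__":
    print(wildcard_from_prefix(19))                                # 0.0.31.255
    print(ace_matches("192.168.1.77", "192.168.1.0", "0.0.0.255"))  # True
    print(smallest_covering_ace("192.168.1.1", "192.168.1.14"))    # ('192.168.1.0', '0.0.0.15', 2)
```

For the first exercise the two extra addresses are the network and broadcast addresses of 192.168.1.0/28, which is why a host range of .1 to .14 is matched by 192.168.1.0 0.0.0.15.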
How to implement ACL
The router is the optimal place to apply ACL rules,
so knowing the router traffic flow is essential for
proper ACL implementation.
• Ingress traffic is the traffic flowing into the
router.
• Egress traffic is the traffic that leaves the router.
What is the Source if you want to Block Traffic
coming from the Internet?
• Remember that inbound traffic is coming from
the outside network to your router interface.
So, the source is an IP address from the Internet
(a web server public IP address) or everything
(wildcard mask of 0.0.0.0), and the destination
is an internal IP address.
What if you want to Block a Specific Host from
connecting to the Internet?
• The inbound traffic is coming from the inside
network to your router interface and going out
to the Internet. So, the source is the IP from the
internal host, and the destination is the IP
address on the Internet.
• ACLs are often placed on the edge routers of a network because they border the public
internet. This gives the ACL a chance to filter traffic before it reaches the rest of the network.
• Edge routers with ACLs can be placed in the demilitarized zone (DMZ) between the public
internet and the rest of the network.
• DMZs may contain different network resources, like application servers, web servers, domain
name servers or virtual private networks. The configuration of the ACL on the routing device is
different, depending on the devices behind it and the categories of user that need access to
those devices.
The basic syntax used to create a standard numbered access control list on a Cisco router is as follows:
Router(config)# access-list (1-99 or 1300-1999) (permit | deny) source-addr (source-wildcard)
Because the host keyword already stands in for the 0.0.0.0 wildcard, the two equivalent forms are:
access-list 99 deny host 172.33.1.1
access-list 99 deny 172.33.1.1 0.0.0.0