Access Control List ACL

CCNA2 Routing Access Control Module
11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
Perrine modified by Brierley 01/28/19 Page 1

CCNA2 Routing Access Control Module
11
172.16.2.0 172.16.4.0
Computer e0 e1
172.16.2.2
Computer
172.16.3.1 s0
172.16.4.3
172.16.3.0
Server
s1 172.16.3.2
172.16.4.2

CCNA2 Routing High Level View Module
11
A HIGH LEVEL VIEW of ACLs

CCNA2 Routing Module
11
Access Control Lists

Standard
Extended

CCNA2 Routing High Level View Module
11
• Standard:
• Interface Fa 0/0/0
• ip access-group 1 out
• access-list 1 deny 172.16.4.13 0.0.0.0

• access-list 1 permit any
• ________________________________________________________________
• Extended:
• Interface Fa 0/0/0
• ip access-group 101 in
• access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq www

• access-list 101 permit ip any any

CCNA2 Routing Standard Access Control Lists Module
11
ACLs are instructions that are applied to a router interfaces.

The ACLs describe the kind of packets that are to be permitted
or denied.
Permitted or Denial testing can be based on:
• source address
• destination address
• port number
ACLs are configured on the router Interfaces to control access

to a network.
ACLs must be defined separately for each protocol; Unique for
IP, Unique for IPX; Unique for AppleTalk, etc.
Some
Perrine times
modified by Brierley ACLs are called01/28/19
packet filters. Page 6
CCNA2 Routing Standard Access Control Lists Module
11

CCNA2 Routing Extended ACLs Module
11

CCNA2 Routing Named ACLs Module
11

CCNA2 Routing Placing ACLs Module
11
• Standard ACLs should be placed close to the destination.

• Extended ACLs should be placed close to the source.

CCNA2 Routing Firewalls Module
11
A firewall is an architectural structure that

exists between the user and the outside world
to protect the internal network from intruders.
CCNA2 Routing Restricting Virtual Terminal Module
Access 11

CCNA2 Routing Summary Module
11

CCNA2 Routing ACL - Access Control Lists Module
11
Reasons to create ACLs:
• limit network traffic - hence increase network

performance
• provide traffic flow - limit traffic through the network
• provide for security
• ACLs establish
•which traffic is blocked
•which traffic is not blocked

CCNA2 Routing DETAIL Module
11
A MORE DETAILED VIEW of

ACLs

11
Cisco IOS checks each packet for:

1. destination address
2. source address access-list 1 deny 192.169.1.0
0.0.255.255
3. protocol access-list 1 deny 192.168.1.9
4. port number 0.0.0.0
access-list 1 deny 172.16.4.0
0.0.0.255
Each ACL statement is checked in a sequential
access-list order
1 permit any(first to
last) and when there is a match, no more statements are
checked.
If the results are no matches, then the packet (by default) is
discarded.
Adding addition ACL statements to the end of an existing list is

just a matter of adding the new statement. BUT, if
deleting an existing ACL statement causes the entire access
list to be deleted.
11
When a packet enters a router’s interface:

“IN” (inbound) checking is required. The packet:
1) Is checked against the ACL list (if one exists)
2) Here It can be interrogated to permit or deny.
3) If denied the packet is dropped else,
4) It is matched against the routing table and
passed to an “OUT” (outbound interface)
“OUT” (outbound) checking is required.
1) Here It can be interrogated to permit or deny.
2) If denied the packet is dropped
3) If permitted then packet is allowed “OUT”
(outbound).
The Outbound interface’s ACL is a different list from the

inbound)
11
ACL statements operate in a logical, sequential order. When a

match is made the rest of the statements are not checked.
If none the ACL statements match, then there is an implicit deny
any rule.
access-list 10 { permit | deny } { test conditions }

0.0.255.255
access-list 10 deny any 0.0.0.0
0.0.0.255
Perrine modified by Brierley 01/28/19 access-list 1 permit anyPage 18

11
Two types of IP ACL :

• standard - has access list value of 1- 99
• extended - has access list value of 100 - 199
Must be configured in global configuration mode. Router
(config) #
Steps in creating ACLs:

1) create the ACL (in config mode)
2) apply the ACL to an interface
ACLs are used to filter:

• inbound traffic, or
• outbound traffic

CCNA2 Routing Where to place ACLs Module
11
Standard ACLs are place as close as possible to the

destination.
Extended ACLs are place as close as possible to the source.

CCNA2 Routing Where to place ACLs Module
11
Configuring an Access List:
Router(config)# access-list <ACL number> { permit | deny } { test
conditions }
Router(config)# access-list 1 permit { test conditions }
Router(config)# access-list 50 deny { test conditions }
To delete all ACL statements of an access-list

Router(config)# no access-list <ACL number>
Applying the Access List:

At an interface:
Router(config)# int E0
Router(config-if)# { protocol } access-group <ACL number> [IN |
OUT]
Out is the default if not mentioned
Router(config-if)# ip access-group 1
Router(config-if)# ip access-group 50
To delete an ACL group statement (this will not delete the associated list):
Perrine Router(config)#
modified by Brierley 01/28/19<ACL number>
no access-group Page 21
CCNA2 Routing Wildcard Module
11
A wildcard is matched with an IP address or protocol address.

It is a 32 bit mask divided into 4 octet, each containing 8 bits.
A 0 in the wildcard means to check the bit in the IP you are

testing.
A 1 in the wildcard means ignore the bit in the IP you are testing.
NOTE!!!
Do NOT think subnet mask – that is a totally
different meaning not related to the WILDCARD

CCNA2 Routing Abbreviations Module
11
To permit or deny any address:

0.0.0.0 255.255.255.255
Address Wildcard
Use the abbreviation any
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255

Router(config)# access-list 1 permit any
Router(config)# access-list 1 deny 0.0.0.0

255.255.255.255
Router(config)# access-list 1 deny any

CCNA2 Routing Abbreviations Module
11
To match all the bits of IP address use host:
EX: 172. 30.16. 29 0. 0. 0. 0

Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29

CCNA2 Routing Standard ACLs Module
11
Criteria:
• block all traffic from a network
• allow all traffic from a network
• deny entire protocol suits
Standard ACLs only check the source address.
Router(config)# access-list <ACL number> { deny | permit } source [ source wildcard]

[log]

11
What does this statement accomplish?
Access-list 33 permit 172.16.0.0 0.0.255.255 log
Permits all traffic from 172.16.0.0 and sends messages to the

console every time the access list is executed.

11
Access-list 44 deny 172.16.13.7 0.0.0.0 log
Denies traffic from host 172.16.13.7 and sends message to the

console every time the access list is hit.

11
Access-list 55 deny 172.16.64.3 0.0.0.255
Denies all traffic from network 172.16.64.0

11
The log command:
Prints messages to the console which includes the ACL

number, whether the packet was permitted or denied, the
source address, and the number of packets.
The message is generated for the first packet that matches,
and then at five-minute intervals, including the number of
packets permitted or denied in the prior five-minute interval.
Log is used for debugging only not to be left active on live

networks.

11
Example of applying the access-list:
Router(config-if)# ip access-group 33 in
Router(config-if)# ip access-group 44 out

11
To monitor IP access list: (in EXEC mode)

show access-list
Displays all access lists & their parameters configured on the
router. (Does not show you which interface the list is set on.)
show access-list <ACL number>
Shows only the parameters for the access list <ACL number>.
(Does not show you the interface the list is set on. )
show ip access-list
Shows only the IP access lists configured on the router
show ip interface
Shows which interfaces have access lists set (containing an
access-group).
show running-config
Shows the routers entire configuration
11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
R(config)# Interface e0
R(config-if)# ip access-group 1 out
R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
What does it do?

11
One Access list used by multiple

Interfaces
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
R(config)# access-list 1 permit 172.16.0.0 0.0.255.255

Allows only traffic from source network 172.16.0.0 to be forwarded &
and non-172.16.0.0 traffic is blocked.
11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
R(config)# access-list 1 deny 172.16.4.13 0.0.0.0

R(config)# access-list 1 permit any
What does this do?

11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
R(config)# access-list 1 deny 172.16.4.13 0.0.0.0

R(config)# access-list 1 permit any
Denies traffic from a specific device, 172.16.4.13 & allows all other
traffic thru e0 to network 172.16.3.0.

11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
Interface e0
ip access-group 1 out
access-list 1 deny 172.16.4.0 0.0.0.255

access-list 1 permit any
What does this do?

11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
Interface e0
ip access-group 1 out
access-list 1 deny 172.16.4.0 0.0.0.255

access-list 1 permit any
Denies traffic from the subnet, 172.16.4.0 & allows all other traffic thru
e0 to network 172.16.3.0.

11
Criteria:
• checks both the packet’s source & destination addresses
• check for specific protocol
• check for specific port numbers
• permit or denied applications – pings, telnets, FTP, etc.
•ACL values range between 100 – 199 (for IP)

11
Port Numbers (decimal) IP Protocol

20 FTP data [TCP]
21 FTP program (control) [TCP]
23 Telnet [TCP]
25 Simple Mail Transport Protocol
[TCP] (SMTP)
53 DNS [TCP, UDP]
69 TFTP [UDP]
80 HTTP [TCP]

11
Router(config)# access-list <ACL number> { permit | deny } protocol source source-

mask
destination destination-mask operator operand {established}
ACL number
100 – 199
permit | deny
Packet is allowed or blocked
protocol
IP, TCP, UDP, ICMP, GRE or IGRP
source -- Source address source-wildcard mask
destination -- Destination address destination-wildcard mask
Continued 
11
Router(config)# access-list <ACL number> { permit | deny } protocol source source-

mask
destination destination-mask
operator operand {established}
operator
lt, gt, eq, neq
Operand
Port number
established
Allows TCP traffic to pass if the packet uses an established connection ( for
example, has ACK bits set ).
access-list 101 permit tcp 172.16.4.0 0.0.0.255 any eq 25

11
Configuring an extended ACL to an interface:
Router(config-if)# ip access-group <ACL number> { in |

out }
Router(config)# int E0

11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
Interface e0
ip access-group 101
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq

21
access-list 101 permit ip any any
What does this do?

11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
Interface e0
ip access-group 101
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0

0.0.0.255 eq 21
Blocks FTP traffic from all hosts on 172.16.4.0 to any device on

172.16.3.0 & allows all other traffic.
11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
Interface e0
ip access-group 101
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq

23
What does this do?

11
172.16.3.0 172.16.4.0
e0 e1
s0 server
Non-172.16.0.0 172.16.4.13
Interface e0
ip access-group 101
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0

0.0.0.255 eq 23
Denies only telnet traffic from 172.16.4.0 to 172.16.3.0 network, and

permits all other traffic thru e0 to any address.
CCNA2 Routing
Extended/Standard ACL numbers for IP Module
11
NOTE:
Standard ACL numbers: 1-99; 1300-1999
Extended ACL numbers: 100-199; 2000-2699

CCNA2 Routing Standard/Extended ACL Module
11
You can not add ACL statements into the body of the
access-list (ONLY at the end of the list).
Otherwise the access list must be deleted first, and then
rewritten.
Therefore it is prudent to write your access-list in text

format using “notepad”, and then transfer it to your router.

CCNA2 Routing Configuring Named ACLs Module
11
NOTE:
• A NAMED ACL is an alphanumeric string instead of the

ACL number (1 - 199 )
• NAMED ACLs are not compatible with Cisco IOS release
prior to Release 11.2
• Named ACLs can be used for either standard & extended
•You cannot configure the same name for multiple ACLs.
•use Name ACL when you want to intuitively identify ACLs
•use Name ACL when you have more than 99 standard &
100 extended ACLs have been configured on a router for a
given protocol

CCNA2 Routing Configuring Named ACLs Module
11
Router(config)# ip access-list { standard | extended } name { deny | permit }

{ commands }
ip access-list standard internetfilter

deny 172.10.15.0 0.0.0.255
permit 128.88.0.0 0.0.255.255
permit 36.0.0.0 0.0.255.255
ip access-list extended marketing-group

permit tcp any 171.69.0.0 0.255.255.255 eq
telnet
deny udp any 171.69.0.0 0.255.255.255 lt 1024

CCNA2 Routing Named ACL Module
11
A named ACL will allow the deletion of statements, but will

only allow for the statements to be inserted a the end of the
list.

CCNA2 Routing More Details Module
11
access-list 1 permit 172.16.0.0 0.0.255.255
10101100.00010000.00000000.00000000
00000000.00000000.xxxxxxxx. xxxxxxxx
10101100.00010000.xxxxxxxx. xxxxxxxx Matched value
Incoming packet with address of 172.18.4.2. Will it be permitted?

Source : 10101100.00010010.00000100.00000010
Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxxx
10101100.00010010.xxxxxxxx. xxxxxxxx Result

11
10101100.00010000.00000000.00000000
10101100.00010000.xxxxxxxx. xxxxxxxx Match value

Source : 10101100.00010010.00000100.00000010
Does the result equal the match value?
No! Hence the incoming packet will not be permitted.

11
10101100.00010000.00000000.00000000
10101100.00010000.xxxxxxxx. xxxxxxxx Match value

Source : 10101100.00010000.00000100.00000010
Does the result equal the match value?
Yes! Hence the incoming packet will be permitted.

11
10101100.00010000.00000000.00000000
00000000.00000000.xxxxxxxx. xxxxxxx0
10101100.00010000.xxxxxxxx. xxxxxxx0 Matched value

Source : 10101100.00010000.00000100.00000001
Wildcard mask: 00000000.00000000. xxxxxxxx. xxxxxxx0
Result
Source : 10101100.00010000.00000100.00000100
Wildcard mask: 00000000.00000000. xxxxxxxx. xxxxxxx0
10101100.00010000. xxxxxxxx. xxxxxxx0 Result
11
10101100.00010000.00000000.00000000
10101100.00010000.xxxxxxxx. xxxxxxx0 Matched value

Source : 10101100.00010000.00000100.00000101
Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxx0
10101100.00010000.xxxxxxxx. xxxxxxx1 Result
So the access list perform what operation? Permits 172.16.4.4, and

denies 172.16.4.1 and 172.16.4.5
Permits all even addresses from the network 172.16.0.0

CCNA2 Routing Permit/Deny BLOCKS of addresses Module
11
One can permit or deny a block of addresses. However, the blocks

must be a power of 2! (Example, 2, 4, 8, 16, 32, 64, 128, etc.)
When you need to specify a range of addresses, you choose the
closet block size for your needs.
You want to block access to part of network that is in the range
from 198.16.99.0 through 198.16.99.7. This is a block size of 8.
Hence:
198.16.99.0 0.0.0.7
Also in this case for a block of 8, the beginning address must
either start at 0, 8, 16, etc.

11
One has a subnet whose addresses range from 200.17.2.128 to

200.17.2.191. One wants to divide this network so the top half are
permitted and the bottom half is denied to any other network.
What is the access lists?
The block range 64
is:
What is the access-list for the
bottom?
access-list 101 deny ip 200.17.2.128 0.0.0.31 any
What is the access-list for the top?
access-list 101 permit ip 200.17.2.160 0.0.0.31 any

11
What does this do?

access-list 10 deny 200.16.88.64 0.0.0.63
Denies a block of 64 address starting at 200.16.88.64

CCNA2 Routing Virtual Terminal ACL Module
11
You can control access via the VTY ports controlling telnet
sessions coming into the router.
You write the ACL as usual, but use access-class to apply it.
As an example:
Router(config t)# access-list 1 permit 172.16.1.0 0.0.0.255
Router(config t)# line vty 0 4

Router(config-line)# login
Router(config-line)# password cisco
Router(config-line)# access-class 1 in
Note: only numbered access lists can be applied to VTY virtual

lines!
CCNA2 Routing Established option Module
11
The ‘establish’ option in an access-list used only with TCP

datagrams. There are cases when you want to stop host B
from initiating a connection with a host A while permitting A
to initiate connections with B.
establish
¾ Macintosh SE
¾ Macintosh SE
A response B
establish

11
As a practical example:
172.16.3.0
e0 e1
INTERNET
172.16.4.0
172.16.3.13
Allow host 172.16.3.13 with Internet connection, but don’t allow

the internet to initialize any sessions.

11
172.16.3.0
e0 e1
INTERNET
172.16.4.0
172.16.3.13
Router(config)# int e1
Router(config)# access-list 101 permit tcp any 172.16.3.0

0.0.255.255 established

11
172.16.3.0
e0 e1
INTERNET
172.16.4.0
172.16.3.13
Router(config)# access-list 101 permit tcp any host 172.16.3.13 eq www

established

11
172.16.3.0
e0 e1
INTERNET
172.16.4.0
172.16.3.13
Note: established argument is limited to tcp which means UDP,

ICMP and all other IP protocols will not match, and will be denied,
unless specifically allowed. Hence
Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.0.255 eq www

established
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 permit udp any any eq 53

CCNA2 Routing Where to Place ACLs? Module
11
ACL Rules:
Standard ACL
Place the ACL as near the destination as possible.
Extended ACL
Put the ACL as close as possible to the source

11
Access Lists
Standard
Extended
End of Session

Access Control List ACL

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Access Control List ACL

Uploaded by

Copyright:

Available Formats

CCNA2 Routing Access Control Module

Perrine modified by Brierley 01/28/19 Page 1

Perrine modified by Brierley 01/28/19 Page 2

A HIGH LEVEL VIEW of ACLs

Perrine modified by Brierley 01/28/19 Page 3

Access Control Lists

Perrine modified by Brierley 01/28/19 Page 4

• access-list 1 deny 172.16.4.13 0.0.0.0

• access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq www

Perrine modified by Brierley 01/28/19 Page 5

ACLs are instructions that are applied to a router interfaces.

ACLs are configured on the router Interfaces to control access

Perrine modified by Brierley 01/28/19 Page 7

Perrine modified by Brierley 01/28/19 Page 8

Perrine modified by Brierley 01/28/19 Page 9

• Standard ACLs should be placed close to the destination.

Perrine modified by Brierley 01/28/19 Page 10

A firewall is an architectural structure that

Perrine modified by Brierley 01/28/19 Page 12

Perrine modified by Brierley 01/28/19 Page 13

Reasons to create ACLs:

• limit network traffic - hence increase network

Perrine modified by Brierley 01/28/19 Page 14

A MORE DETAILED VIEW of

Perrine modified by Brierley 01/28/19 Page 15

Cisco IOS checks each packet for:

Adding addition ACL statements to the end of an existing list is

When a packet enters a router’s interface:

The Outbound interface’s ACL is a different list from the

ACL statements operate in a logical, sequential order. When a

access-list 10 { permit | deny } { test conditions }

access-list 10 { permit | deny } { test conditions }

access-list 10 { permit | deny } { test conditions }

access-list 10 { permit | deny } { test conditions }

Perrine modified by Brierley 01/28/19 access-list 1 permit anyPage 18

Two types of IP ACL :

Steps in creating ACLs:

ACLs are used to filter:

Perrine modified by Brierley 01/28/19 Page 19

Standard ACLs are place as close as possible to the

Extended ACLs are place as close as possible to the source.

Perrine modified by Brierley 01/28/19 Page 20

To delete all ACL statements of an access-list

Applying the Access List:

A wildcard is matched with an IP address or protocol address.

A 0 in the wildcard means to check the bit in the IP you are

Perrine modified by Brierley 01/28/19 Page 22

To permit or deny any address:

Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255

Router(config)# access-list 1 deny 0.0.0.0

Perrine modified by Brierley 01/28/19 Page 23

To match all the bits of IP address use host:

EX: 172. 30.16. 29 0. 0. 0. 0

Perrine modified by Brierley 01/28/19 Page 24

Standard ACLs only check the source address.

Router(config)# access-list <ACL number> { deny | permit } source [ source wildcard]

Perrine modified by Brierley 01/28/19 Page 25

What does this statement accomplish?

Access-list 33 permit 172.16.0.0 0.0.255.255 log

Permits all traffic from 172.16.0.0 and sends messages to the

Perrine modified by Brierley 01/28/19 Page 26

What does this statement accomplish?

Access-list 44 deny 172.16.13.7 0.0.0.0 log

Denies traffic from host 172.16.13.7 and sends message to the