Version 3.0
Cisco Regional Networking Academy
Objectives
[Figure: ACL processing flowchart. A frame arriving on a Layer 2 interface is handed to the routed protocol (IP, IPX or AppleTalk; each protocol has its own ACLs). Inbound: Is there an ACL on the inbound interface? No: route the packet. Yes: Does the address match a list statement? No: default deny. Yes: Does the statement permit the packet? No: default deny. Yes: route the packet to the outbound interface. Outbound: Is there an ACL on the outbound interface? No: send the packet to the device. Yes: the same statement-match and permit checks apply; an unmatched or denied packet is discarded, a permitted packet is sent to the device.]
Creating ACLs: Step 1
Router(config)#
access-list access-list-number {permit | deny} {test-conditions}
• Defines one statement of an ACL; repeating the command with the same number appends another statement
• Delete an ACL with no access-list access-list-number
Creating ACLs: Step 2
Router(config-if)#
ip access-group access-list-number {in | out}
• Applies the ACL to the interface in the given direction
• New statements are always added to the end of the access list. A
no access-list x command removes the whole list. It is not possible
to selectively add and remove individual lines in a numbered ACL
(named ACLs allow that).
• When an IP access list denies a packet, the router discards the packet
and by default returns an ICMP destination unreachable message
(administratively prohibited) to the sender. The command no ip unreachables
on the interface suppresses these replies if you do not want to reveal
the filter.
• Care should be taken when removing an access list. If the list is
applied to a production interface and is deleted, then depending on the
IOS version the interface may behave as if deny any were applied and all
traffic through it stops. Remove the ip access-group binding from the
interface first, then delete the list.
• Outbound filters do not affect traffic originating from the local router
itself; only the inbound filter at the far end sees that traffic.
The function of a wildcard mask
[Figure: Standard ACL processing flowchart. Is this an IP packet? Is there a standard access list on this interface? If not, route the packet. Does the source address match the current ACL entry? Yes: apply the entry's permit or deny condition; permit routes the packet to the proper outbound interface, deny discards it and sends a destination-not-found message. No: Is this the last entry in the ACL? No: move to the next statement. Yes: deny (the implicit deny at the end of every list) and send the destination-not-found message.]
Standard ACL commands
Router(config)#
access-list access-list-number {deny | permit} source [source-wildcard] [log]
Router(config-if)#
ip access-group access-list-number {in | out}
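The following is an added example, not part of the Cisco curriculum, that serves two of the slides above: "The function of a wildcard mask" and the standard ACL commands. It computes wildcard masks, matches addresses against access-list statements the way the router does (the wildcard's 0 bits must match, its 1 bits are ignored), and evaluates a standard ACL top-down with first match and the implicit deny at the end. The access-list lines and the addresses are constructed sample input; the function and variable names are my own.

```python
"""Standard IP ACL simulator: wildcard masks, first-match evaluation, implicit deny.
Added example; the sample ACL below is constructed, not taken from a real router."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask.
    0 bits must match, 1 bits are ignored. /24 -> 0.0.0.255, /32 -> 0.0.0.0."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES  # bits that must match
    return (a & care) == (b & care)


class Entry(NamedTuple):
    action: str    # "permit" or "deny"
    base: str      # source address
    wildcard: str  # source wildcard


def parse_standard_acl(config_lines: List[str]) -> List[Entry]:
    """Parse 'access-list N {permit|deny} source [wildcard] [log]' lines, in order.
    'any' and 'host X' are the IOS shorthands for 0.0.0.0 255.255.255.255 and X 0.0.0.0."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue  # skip blank or unrelated lines in the constructed input
        action, src = tokens[2], tokens[3]
        if src == "any":
            entries.append(Entry(action, "0.0.0.0", "255.255.255.255"))
        elif src == "host":
            entries.append(Entry(action, tokens[4], "0.0.0.0"))
        else:
            # A missing wildcard means 0.0.0.0 (exact host), as in IOS.
            wildcard = tokens[4] if len(tokens) > 4 and tokens[4] != "log" else "0.0.0.0"
            entries.append(Entry(action, src, wildcard))
    return entries


def evaluate(entries: List[Entry], source_addr: str) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching entry decides.
    Returns (action, index), or ("deny", None) for the implicit deny at the end."""
    for index, entry in enumerate(entries):
        if wildcard_match(source_addr, entry.base, entry.wildcard):
            return entry.action, index
    return "deny", None


# Constructed sample ACL: block one host, allow the rest of its /24, drop everyone else.
SAMPLE_ACL = [
    "access-list 10 deny host 192.168.1.5",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 deny any",
]

# The same statements with the first two swapped: the host deny can never be
# reached, because the /24 permit above it matches first. Order matters.
MISORDERED_ACL = [SAMPLE_ACL[1], SAMPLE_ACL[0], SAMPLE_ACL[2]]


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for src in ("192.168.1.5", "192.168.1.77", "10.0.0.1"):
        print(src, evaluate(acl, src))
    print("misordered:", evaluate(parse_standard_acl(MISORDERED_ACL), "192.168.1.5"))
    print("/26 wildcard:", wildcard_from_prefix(26))
```

The misordered list is the classic mistake the flowchart warns about: since evaluation stops at the first match, the more specific host statement has to come before the broader network statement, and anything not matched by any statement falls through to the implicit deny.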
[Figure: Extended ACL processing flowchart. Is there an ACL on this interface? If not, route the packet. Does the source address match the current ACL entry? Does the destination address match? Do the protocol and port match? If all three match: apply the entry's permit or deny condition; permit routes the packet to the proper outbound interface, deny discards it and sends a destination-not-found message. If any does not match: Is this the last entry in the ACL? No: move to the next statement. Yes: deny (implicit deny) and send the destination-not-found message.]
Extended ACL commands
Router(config)#
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator operand] [established]
Router(config-if)#
ip access-group access-list-number {in | out}
Named ACL commands
Router(config)#
ip access-list {standard | extended} name
Router(config-if)#
ip access-group name {in | out}
Router#
show access-lists
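The following is an added example, not part of the Cisco curriculum, for the extended ACL commands above. It models extended statements as Python data (protocol, source and destination with wildcards, a destination port operator, and the established keyword) and evaluates them top-down, the way the extended ACL flowchart describes. The edge ACL, the hosts and the packets are constructed sample input, and the names ExtEntry, Packet, EDGE_ACL and evaluate are my own.

```python
"""Extended IP ACL evaluator: protocol, port operators and 'established'.
Added example; entries are Python data, not parsed IOS text, and the sample
ACL and packets are constructed."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword 'any'


class ExtEntry(NamedTuple):
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp" or "icmp"
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]
    port_op: Optional[Tuple[str, int, int]] = None  # ("eq"|"neq"|"gt"|"lt"|"range", lo, hi) on the destination port
    established: bool = False        # match only TCP segments with ACK or RST set


class Packet(NamedTuple):
    protocol: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False
    rst: bool = False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits set in the wildcard are don't-care; all other bits must be equal."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def port_match(op: Optional[Tuple[str, int, int]], port: int) -> bool:
    """No operator means any port; otherwise apply the IOS comparison keyword."""
    if op is None:
        return True
    kind, lo, hi = op
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[kind]


def entry_matches(e: ExtEntry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not (wildcard_match(p.src, e.src[0], e.src[1]) and wildcard_match(p.dst, e.dst[0], e.dst[1])):
        return False
    if not port_match(e.port_op, p.dport):
        return False
    # 'established' inspects only the TCP header flags; the router keeps no session state.
    if e.established and not (p.protocol == "tcp" and (p.ack or p.rst)):
        return False
    return True


def evaluate(acl: List[ExtEntry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry decides; ("deny", None) is the implicit deny any."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None


INSIDE = ("10.1.1.0", "0.0.0.255")

# Constructed ACL applied inbound on the Internet-facing interface:
#  0. replies to TCP sessions that inside hosts opened (established)
#  1. new HTTP connections to the web server 10.1.1.80
#  2. explicit deny ip any any, so the drops show up in 'show access-lists' counters
EDGE_ACL = [
    ExtEntry("permit", "tcp", ANY, INSIDE, established=True),
    ExtEntry("permit", "tcp", ANY, ("10.1.1.80", "0.0.0.0"), port_op=("eq", 80, 80)),
    ExtEntry("deny", "ip", ANY, ANY),
]


if __name__ == "__main__":
    outside = "203.0.113.9"
    print("SYN to web server :", evaluate(EDGE_ACL, Packet("tcp", outside, "10.1.1.80", 80)))
    print("SYN to SSH inside :", evaluate(EDGE_ACL, Packet("tcp", outside, "10.1.1.20", 22)))
    print("reply (ACK) inside:", evaluate(EDGE_ACL, Packet("tcp", outside, "10.1.1.20", 51000, ack=True)))
    # The weakness of 'established': a crafted segment with ACK set is treated as a reply.
    print("ACK probe to SSH  :", evaluate(EDGE_ACL, Packet("tcp", outside, "10.1.1.20", 22, ack=True)))
    print("UDP DNS inside    :", evaluate(EDGE_ACL, Packet("udp", outside, "10.1.1.20", 53)))
```

The last two cases are the ones worth remembering: established passes any TCP segment with ACK or RST set, so an attacker can probe inside hosts with ACK-only segments (an ACK scan) through this filter, and there is no established equivalent for UDP at all. A stateful firewall or reflexive ACL is needed if you want real return-traffic tracking.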
Named ACL examples
Placing ACLs
Firewall architecture
Restricting virtual terminal access
[Figure: the router's physical port FastEthernet0/0 alongside its five virtual ports, VTY 0 to 4, which carry remote terminal sessions.]
Summary