
Router and Routing Basics

Access Control Lists (ACLs)

Version 3.0
Cisco Regional Networking Academy
Objectives

• Describe the differences between standard and extended ACLs
• Explain the rules for placement of ACLs
• Create and apply named ACLs
• Describe the function of firewalls
• Use ACLs to restrict virtual terminal access
Table of Contents

1 Access Control List Fundamentals
2 Access Control Lists (ACLs)

ACCESS CONTROL LIST FUNDAMENTALS

What are ACLs?

• ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
• These lists tell the router what kinds of packets to accept and what kinds of packets to deny.
• Acceptance and denial can be based on specified conditions (for example source address, destination address, protocol and port).
• ACLs can be created for all routed network protocols, such as IP and IPX, to filter packets of that protocol.
• ACLs can be configured at the router to control access to a network or subnet.
ACLs check the packet and its headers.

How ACLs control traffic flow (figure: one inbound and one outbound list for each of IP, IPX and AppleTalk on a single port)

One list, per port, per direction, per protocol


The primary reasons to create ACLs

• Limit network traffic and increase network performance.
• Provide traffic flow control.
• Provide a basic level of security for network access.
• Decide which types of traffic are forwarded or blocked at the router interfaces.
• Allow an administrator to control what areas a client can access on a network.
• Screen certain hosts to either allow or deny access to part of a network.
How the ACL works: order of ACL statements

ACL and routing process in a router (figure, described in prose):

Inbound: the router first checks that the frame's Layer 2 address matches the interface; if not, the frame is dropped. If an ACL is applied inbound on that interface, the packet is compared with each statement in turn. The first statement whose condition matches decides the packet: permit hands it to the routing process, deny discards it. If no statement matches, the default (implicit) deny discards it. With no inbound ACL the packet goes straight to routing.

Outbound: after the routing table selects the outbound interface, the same test is repeated against any ACL applied outbound on that interface. A matching permit sends the packet out to the next device, a matching deny or no match (default deny) discards it, and with no outbound ACL the packet is sent unfiltered.
Creating ACLs: Step 1

Router(config)# access-list access-list-number {permit | deny} {test-conditions}

• Defines an ACL. Each command adds one statement; repeating the command with the same number appends further statements to the same list.
• To delete an ACL, use no access-list access-list-number.

ACL command          Description
access-list          defines an access list
access-list-number   protocol-dependent ACL number
permit               defines a statement to allow traffic
deny                 defines a statement to disallow traffic
test-conditions      ACL test conditions
ACL numbers
Creating ACLs: Step 2

Router(config-if)# {protocol} access-group access-list-number

• Applies the access list to the interface (for IP: ip access-group access-list-number {in | out}).

ACL command          Description
protocol             the routed protocol the list filters on this interface (for example ip)
access-group         binds the ACL to the interface; only packets that pass the ACL test conditions may cross the interface in the filtered direction
access-list-number   the ACL identified by this number, to be associated with this interface
These basic rules should be followed (1)

• One access list per protocol, per direction, per interface.
• Standard access lists should be applied closest to the destination: they match only on source address, so placing them near the source would cut that source off from everything, not just from the protected network.
• Extended access lists should be applied closest to the source: they identify the traffic precisely, so unwanted packets are dropped before they cross the network.
• Use the inbound or outbound interface reference as if looking at the port from inside the router.
• Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
• There is an implicit deny at the end of all access lists.
These basic rules should be followed (2)

• Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last; a general permit placed first would match the host and the later deny would never be reached.
• The match condition is examined first. The permit or deny is applied ONLY if the match is true.
• Never edit an access list that is actively applied to an interface.
• Use a text editor to create comments outlining the logic, then fill in the statements that perform the logic.
These basic rules should be followed (3)

• New lines are always added to the end of the access list. A no access-list x command removes the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
• When an IP access list rejects a packet it discards the packet and sends the sender an ICMP destination unreachable message (code "communication administratively prohibited"), unless ICMP unreachables have been disabled on the interface with no ip unreachables.
• Care should be used when removing an access list. If the access list is applied to a production interface and the list is removed, depending on the version of the IOS there may be a default deny any applied to the interface, and all traffic will be halted. Remove the ip access-group binding from the interface before deleting the list, and re-apply it only after the new list is complete.
• Outbound filters do not affect traffic originating from the local router.
The function of a wildcard mask

• A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits.
• A wildcard mask bit 0 means "check the corresponding bit value".
• A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".
• For a contiguous block the wildcard is the bitwise inverse of the subnet mask: 255.255.255.0 becomes 0.0.0.255. The 1 bits need not be contiguous: 0.0.254.255 checks only the lowest bit of the third octet.
Wildcard mask bits (figure)

The function of a wildcard mask: example (figure: an address whose checked bits differ from the statement's address does not match that statement; if no later statement permits it, the packet is rejected)

Wildcard any: the keyword any is shorthand for 0.0.0.0 255.255.255.255 (every bit ignored, so every address matches).

Wildcard host: the keyword host address is shorthand for address 0.0.0.0 (every bit checked, so only that one address matches).
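The wildcard-mask rules above, as an added Python example that is not part of the original slides: it converts prefix lengths and subnet masks to wildcard masks, expands the any and host shorthands, and tests an address bit by bit the way the router does, including a non-contiguous mask. All addresses are constructed for the demonstration.

```python
"""Wildcard masks as a router applies them.

Added example, not code from the original slides.  Wildcard bit 0 means
"this bit of the address must equal the statement's address", bit 1 means
"ignore this bit".  Addresses below are constructed for the demonstration.
"""
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_from_prefix(prefix_len):
    """/24 -> 0.0.0.255, /30 -> 0.0.0.3: a 1 in every host bit."""
    return to_dotted((1 << (32 - prefix_len)) - 1)


def wildcard_from_netmask(netmask):
    """255.255.255.0 -> 0.0.0.255: bitwise inverse of the subnet mask."""
    return to_dotted(~to_int(netmask) & 0xFFFFFFFF)


def expand_shorthand(spec):
    """'any' -> (0.0.0.0, 255.255.255.255); 'host A' -> (A, 0.0.0.0)."""
    if spec == "any":
        return "0.0.0.0", "255.255.255.255"
    keyword, addr = spec.split()
    if keyword != "host":
        raise ValueError("expected 'any' or 'host <address>'")
    return addr, "0.0.0.0"


def matches(addr, base, wildcard):
    """True when every bit the wildcard marks 0 is equal in addr and base."""
    checked = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(addr) ^ to_int(base)) & checked) == 0


def match_range(base, wildcard):
    """Lowest and highest address matched by a contiguous wildcard."""
    low = to_int(base) & (~to_int(wildcard) & 0xFFFFFFFF)
    return to_dotted(low), to_dotted(low | to_int(wildcard))


def even_subnets_demo():
    """0.0.254.255 checks only bit 0 of the third octet, so 172.16.0.0 with
    that wildcard matches the even /24 subnets of 172.16.0.0/16 and no others."""
    return [matches(f"172.16.{n}.1", "172.16.0.0", "0.0.254.255") for n in range(6)]


if __name__ == "__main__":
    print("/24 wildcard:", wildcard_from_prefix(24))
    print("255.255.252.0 wildcard:", wildcard_from_netmask("255.255.252.0"))
    print("172.16.4.0 0.0.3.255 covers", match_range("172.16.4.0", "0.0.3.255"))
    print("even-subnet wildcard over 172.16.0-5.x:", even_subnets_demo())
```

match_range only makes sense for a contiguous wildcard; for a mask such as 0.0.254.255 the addresses between the two bounds are not all matched, which is exactly what even_subnets_demo shows.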
Verifying ACLs: show ip interface (shows which access list is applied inbound and outbound on each interface)
Verifying ACLs: show access-lists (lists every statement of every ACL together with its match counters)
Verifying ACLs: show running-config (shows the access-list statements and the ip access-group lines that bind them to interfaces)
STANDARD ACLs

Standard ACLs: Overview

How the standard ACL works (figure, described in prose): if the packet is an IP packet and a standard access list is applied on this interface, the packet's source address is compared with each list entry in turn. On a match the entry's permit or deny condition is applied: permit routes the packet to the proper outbound interface, deny discards it. On no match the router moves to the next statement; when the last entry is reached without a match the packet is denied and a destination-unreachable message is sent. A standard ACL looks only at the source address, never at the destination, protocol or port.
Standard ACL commands

Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]

Router(config-if)# ip access-group access-list-number {in | out}

• Access list number: 1 to 99 (the expanded range 1300 to 1999 is also standard)
• Verify with: Router# show access-lists
Standard ACL examples
EXTENDED ACLs

Extended ACLs: Overview

How the extended ACL works (figure, described in prose): if an ACL is applied on this interface, each list entry is tested in turn with three questions: does the source address match, does the destination address match, and do the protocol and port match? Only when all three match is the entry's permit or deny condition applied: permit routes the packet to the proper outbound interface, deny discards it. If any test fails the router moves to the next statement; when the last entry is reached without a match the packet is denied and a destination-unreachable message is sent.
Extended ACL commands

Router(config)# access-list access-list-number {permit | deny} protocol source [source-mask] destination [destination-mask] [operator operand] [established]

Router(config-if)# ip access-group access-list-number {in | out}

• source-mask and destination-mask are wildcard masks (0 = check the bit, 1 = ignore it); operator operand is a port test such as eq 80; established matches only TCP segments with the ACK or RST bit set, that is, replies to sessions opened from the other side, never the SYN that opens a new one.
• Access list number: 100 to 199 (the expanded range 2000 to 2699 is also extended)
• Verify with: Router# show access-lists
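Sequential evaluation of the standard and extended ACL syntax above, as an added Python example that is not from the original slides: it parses numbered access-list lines into statements and walks them top to bottom, first match wins, implicit deny at the end, and shows why a specific deny placed after a general permit is dead. It supports only the subset of the syntax on this page (host, any and wildcard addresses; the protocols ip, tcp, udp and icmp; eq on the destination port; established; log). The port-name table, the ACL lines and the packets are constructed for the demonstration.

```python
"""Sequential evaluation of numbered standard and extended IP ACLs.

Added example, not code from the original slides.  It parses access-list
lines in the IOS syntax shown on this page and walks them top to bottom:
first match wins, and a packet that matches nothing hits the implicit deny.
Supported subset: host/any/wildcard addresses; protocols ip, tcp, udp, icmp;
the operator eq on the destination port (parsed only after the destination
address); established; log.  The port-name table, the ACL lines and the
packets are all constructed for the demonstration.
"""
import ipaddress

# Assumed port-name table, limited to the names used below.
PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(addr, base, wildcard):
    """Wildcard bit 0 = compare that bit, 1 = ignore it."""
    checked = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(addr) ^ to_int(base)) & checked) == 0


def parse_addr(tokens):
    """Consume one address spec (any | host A | A [W]) -> (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    # A bare address without a wildcard is an exact host match.
    wild = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return tok, wild


def parse_line(line):
    """'access-list N action ...' -> (N, statement dict)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number = int(tokens[1])
    st = {"action": tokens[2], "proto": "ip", "dport": None,
          "established": False, "log": False}
    tokens = tokens[3:]
    if 100 <= number <= 199:          # extended: protocol, source, destination
        st["proto"] = tokens.pop(0)
        st["src"] = parse_addr(tokens)
        st["dst"] = parse_addr(tokens)
    else:                             # standard (1-99): source address only
        st["src"] = parse_addr(tokens)
        st["dst"] = ANY
    while tokens:
        tok = tokens.pop(0)
        if tok == "eq":
            port = tokens.pop(0)
            st["dport"] = PORTS[port] if port in PORTS else int(port)
        elif tok == "established":
            st["established"] = True
        elif tok == "log":
            st["log"] = True
        else:
            raise ValueError("unsupported token: " + tok)
    return number, st


def load(lines):
    """Group statements by ACL number, keeping the order they were entered."""
    acls = {}
    for line in lines:
        number, st = parse_line(line)
        acls.setdefault(number, []).append(st)
    return acls


def statement_matches(st, pkt):
    if st["proto"] != "ip" and st["proto"] != pkt["proto"]:
        return False
    if not matches(pkt["src"], *st["src"]) or not matches(pkt["dst"], *st["dst"]):
        return False
    if st["dport"] is not None and pkt.get("dport") != st["dport"]:
        return False
    # established: only TCP segments with ACK or RST set, never the opening
    # SYN, so existing sessions can be answered but new ones cannot be opened.
    if st["established"]:
        if pkt["proto"] != "tcp" or not (pkt.get("flags", set()) & {"ACK", "RST"}):
            return False
    return True


def evaluate(acl, pkt):
    """Walk the list in order; return (decision, index of matching statement).
    index is None when nothing matched and the implicit deny fired."""
    for i, st in enumerate(acl):
        if statement_matches(st, pkt):
            return st["action"], i
    return "deny", None


# Constructed configuration: a standard list 10 and an extended list 101.
CONFIG = """
access-list 10 deny host 192.168.1.5
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established
access-list 101 deny ip any any log
""".strip().splitlines()
ACLS = load(CONFIG)


def misordered_deny_is_dead():
    """List 10 with the general permit first: the host deny is never reached,
    which is the ordering mistake the rules above warn about."""
    acl = load(["access-list 20 permit 192.168.1.0 0.0.0.255",
                "access-list 20 deny host 192.168.1.5"])[20]
    return evaluate(acl, {"src": "192.168.1.5", "dst": "10.0.0.1", "proto": "ip"})


if __name__ == "__main__":
    for src in ("192.168.1.5", "192.168.1.77", "192.168.2.1"):
        print("ACL 10", src, "->", evaluate(ACLS[10], {"src": src, "dst": "10.0.0.1", "proto": "ip"}))
    print("ACL 20 (misordered)", "192.168.1.5", "->", misordered_deny_is_dead())
```

Packets are plain dicts with src, dst, proto and, for TCP, dport and a set of flags; the decision tuple tells you which statement fired, which is what show access-lists match counters tell you on a real router.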
Reserved port numbers
Extended ACL examples
NAMED ACLs

Named ACLs: Overview

• Intuitively identify an ACL using an alphanumeric name.
• Eliminate the limit of 798 standard and 799 extended numbered ACLs.
• Named ACLs provide the ability to modify ACLs (a single statement can be removed with no permit ... or no deny ... in the named ACL sub-mode) without deleting and then reconfiguring them.
• Considerations:
  – IP named ACLs were introduced in Cisco IOS Software Release 11.2.
  – New statements can only be appended at the end of a list (later IOS releases add sequence numbers that allow a statement to be inserted at a chosen position).
  – You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name.
Named ACL commands

Router(config)# ip access-list {standard | extended} name

Router(config-{std | ext}-nacl)# deny {source [source-wildcard] | any}
Router(config-{std | ext}-nacl)# permit {source [source-wildcard] | any}

Router(config-if)# ip access-group name {in | out}

Router# show access-lists

Note that ip access-list is entered in global configuration mode, not interface mode; it switches the router into the named ACL sub-mode where the permit and deny statements are typed.
Named ACL examples

Placing ACLs

Firewall architecture

Restricting virtual terminal access (figure: the physical port FastEthernet0/0 takes an ACL with ip access-group; the virtual ports vty 0 to 4 are not interfaces, so a standard ACL listing the permitted management hosts is applied to them under line vty 0 4 with access-class access-list-number in)
Summary

• An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.
• The order in which ACL statements are placed is important.
• Standard ACLs check the source address of IP packets that are routed.
• Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
Q&A
