
IP ACCESS CONTROL LIST (ACL)
What is ACL (Access Control List)?
• An Access Control List (ACL) is an ordered set of rules, usually used to
filter network traffic. ACLs can be configured on network devices with
packet filtering capabilities, such as routers and firewalls.

• ACLs contain a list of conditions that categorize packets and determine
whether traffic is permitted or denied. They are applied per interface, to
packets entering or leaving that interface.
Two types of ACLs are available on a Cisco device:
• standard access lists – evaluate only the source IP address of a packet.
Standard ACLs are less flexible than extended access lists, but they are
less CPU intensive for the device. Because they cannot see the destination,
they are normally placed as close to the destination as possible.
• extended access lists – evaluate the source and destination IP addresses,
the IP protocol (ip, tcp, udp, icmp, ...), source and destination ports, and
other parameters. Extended ACLs are more complex to configure and require
more CPU time than standard ACLs, but they allow a more granular level of
control, and they are normally placed as close to the source as possible so
that unwanted traffic is dropped early.
ACL Rules
Here are a few things to keep in mind when working with ACLs (both
standard and extended):
• ACLs can contain multiple statements. The packet is always compared
with each line of the access list in sequential order – the comparison starts
with the first line of the access list, moves on to line 2, then line 3, etc.
• The packet is compared with lines of the access list only until a match is
made. Once the condition is met, the packet is acted upon and no
further comparisons take place.
• There is an implicit deny all at the end of each access list. This means
that if a packet doesn't match the condition on any of the lines in the
access list, the packet will be discarded. An ACL that contains only deny
statements therefore blocks all traffic on the interface it is applied to;
every useful ACL needs at least one permit statement.
• ACLs need to be applied to an interface on the device where you want
the traffic filtered. You must also specify which direction of traffic you
want the access list applied to. Two directions are available:
• inbound – the ACL is applied to traffic coming into the interface, before
the router makes its routing decision.
• outbound – the ACL is applied to traffic leaving the interface, after the
routing decision.
Standard ACLs Configuration
• To create a standard access list, the following command is used
in the router’s global configuration mode:
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list

Choosing permit or deny:

Router(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward

Choosing the source IP:

Router(config)#access-list 10 deny ?
A.B.C.D Address to match
any Any source host
host A single host address
Examples:
Router(config)#access-list 10 deny host 172.16.30.1
Router(config)#access-list 12 deny any
Router(config)#access-list 13 permit 172.16.0.0 0.0.255.255
The second value after a network address is a wildcard mask, not a subnet
mask: a 0 bit must match exactly and a 1 bit is ignored, so
172.16.0.0 0.0.255.255 matches every source in 172.16.0.0/16. A single
address given without a wildcard (or with the host keyword) is matched
exactly. Note that access-list 12 above, with only a deny statement plus
the implicit deny, drops all traffic on whatever interface it is applied to.

To apply an access list to an interface, use the following command in
interface configuration mode, giving the direction:

R1(config-if)#ip access-group ACL_NUMBER {in | out}
Extended ACLs
These steps are required to configure an extended ACL (each line below
shows the command growing as a parameter is added):
1: Select the access list number (100-199):
RouterA(config)#access-list 110
2: Decide on deny or permit:
RouterA(config)#access-list 110 deny
3: Choose the protocol (ip, tcp, udp, icmp, ...):
RouterA(config)#access-list 110 deny tcp
4: Choose the source IP address of the host or network:
RouterA(config)#access-list 110 deny tcp any
5: Choose the destination IP address of the host or network:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2
6: Optionally, choose the destination port (eq 80 matches HTTP):
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 80

7: Apply the list to an interface in interface configuration mode,
specifying the direction, exactly as for a standard list:

R1(config-if)#ip access-group ACL_NUMBER {in | out}
Extended access list numbers are in the range 100 to 199 (IOS also accepts
the expanded range 2000 to 2699).
Example:
RouterA(config)#access-list 110 deny tcp host 172.16.30.1 host 172.16.30.2 eq 80
On its own this line blocks all traffic, not just HTTP, because of the
implicit deny at the end of the list; a permit ip any any statement is
normally entered after it so that only HTTP from 172.16.30.1 to
172.16.30.2 is dropped and everything else is forwarded.
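As an added example (not code from this page or from Cisco), the following Python evaluator parses the access-list lines shown in the standard and extended ACL sections above and applies the matching rules from the ACL Rules section: sequential top-down comparison, first match wins, implicit deny at the end, and wildcard-mask matching. The configuration it parses is constructed from the page's own examples plus an assumed closing permit ip any any on list 110; the packets, port numbers and list 10 line order are constructed too, and the reordering case shows how a network permit placed before a host deny shadows it.

```python
"""Constructed example: a small evaluator for the Cisco-style numbered ACL
syntax shown on this page. It is not Cisco code; it only models the rules
described above (top-down, first match wins, implicit deny at the end) so
that ordering and wildcard-mask effects can be checked before a list is
applied to an interface."""
import ipaddress
import re

_DOTTED = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed configuration: the page's own standard and extended examples,
# plus a closing 'permit ip any any' on list 110 (an assumption, added so
# that only HTTP from 172.16.30.1 to 172.16.30.2 is dropped).
CONFIG = """
access-list 10 deny host 172.16.30.1
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 12 deny any
access-list 110 deny tcp host 172.16.30.1 host 172.16.30.2 eq 80
access-list 110 permit ip any any
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D [WILDCARD]'.

    Returns ((network, care_bits), remaining_tokens). care_bits is the inverse
    of the wildcard mask: a 1 bit must match, a 0 bit is ignored."""
    tok = tokens[0]
    if tok == "any":
        return (0, 0), tokens[1:]
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tok))
    if len(tokens) > 1 and _DOTTED.fullmatch(tokens[1]):
        wildcard = int(ipaddress.IPv4Address(tokens[1]))
        rest = tokens[2:]
    else:  # IOS treats a bare address as wildcard 0.0.0.0 (exact host)
        wildcard, rest = 0, tokens[1:]
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care, care), rest


def _addr_matches(spec, ip):
    network, care = spec
    return int(ipaddress.IPv4Address(ip)) & care == network


def parse_acl(config_text):
    """Return {number: [entries]} from 'access-list N permit|deny ...' lines,
    keeping entries in the order they were entered (the order IOS evaluates)."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:  # standard: source address only
            src, rest = _parse_addr(rest)
            entry = {"action": action, "proto": "ip", "src": src,
                     "dst": (0, 0), "dport": None}
        elif 100 <= number <= 199:  # extended: proto, src, dst, [eq port]
            proto = rest[0]
            src, rest = _parse_addr(rest[1:])
            dst, rest = _parse_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entry = {"action": action, "proto": proto, "src": src,
                     "dst": dst, "dport": dport}
        else:
            raise ValueError("unsupported access-list number %d" % number)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, packet):
    """Compare the packet with each entry in order; act on the first match.
    packet = {"proto": "tcp", "src": ip, "dst": ip, "dport": int or absent}."""
    for e in entries:
        if e["proto"] not in ("ip", packet["proto"]):
            continue
        if not _addr_matches(e["src"], packet["src"]):
            continue
        if not _addr_matches(e["dst"], packet["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != packet.get("dport"):
            continue
        return e["action"]
    return "deny"  # implicit deny all at the end of every access list


def demo():
    """Evaluate constructed packets against the constructed lists above."""
    acls = parse_acl(CONFIG)
    from_host = {"proto": "tcp", "src": "172.16.30.1", "dst": "10.0.0.1"}
    http = {"proto": "tcp", "src": "172.16.30.1", "dst": "172.16.30.2", "dport": 80}
    ssh = dict(http, dport=22)
    return {
        "std_blocked_host": evaluate(acls[10], from_host),
        "std_permitted_net": evaluate(acls[10], {"proto": "udp", "src": "172.16.99.7", "dst": "10.0.0.1"}),
        "std_implicit_deny": evaluate(acls[10], {"proto": "tcp", "src": "192.168.1.1", "dst": "10.0.0.1"}),
        # reversing list 10 puts the network permit first, shadowing the host deny
        "std_shadowed_when_reordered": evaluate(list(reversed(acls[10])), from_host),
        "deny_only_acl": evaluate(acls[12], {"proto": "tcp", "src": "172.16.0.5", "dst": "10.0.0.1"}),
        "ext_http_blocked": evaluate(acls[110], http),
        "ext_ssh_permitted": evaluate(acls[110], ssh),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-28s %s" % (name, verdict))
```

Running the script prints one verdict per constructed packet; the shadowed case is the one to look at when an ACL "does not work": a more general permit entered before a specific deny silently wins, and on a real router the per-entry counters in show access-lists would show the deny line never matching.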
Monitoring IP Access Lists
• Display all access lists and their parameters, including the per-entry
match counters (useful for checking that lines are ordered as intended):
show access-lists
• Show only the parameters for access list 110:
show access-lists 110
• Show only the IP access lists configured:
show ip access-lists
• Show which interfaces have access lists applied, and in which direction:
show ip interface
• Show the access lists and which interfaces have access lists applied:
show running-config
