Access Control Lists (ACL)
What is an ACL (Access Control List)?
• An Access Control List (ACL) is an ordered set of rules that is most
often used to filter network traffic. ACLs can be configured on network
devices with packet-filtering capabilities, such as routers and firewalls.
• An ACL contains a list of conditions that classify packets and determine
whether traffic is permitted or denied. ACLs are applied on a per-interface
basis, to packets entering or leaving an interface.
Two types of numbered ACLs are available on a Cisco device:
• standard access lists – evaluate only the source IP address of a packet.
Standard ACLs are less flexible than extended access lists, but they are
less CPU intensive for the device. Because they cannot see the
destination, a standard ACL is normally placed as close to the destination
as possible, so that it does not block traffic to destinations it was never
meant to protect.
• extended access lists – evaluate the source and destination IP
addresses, the protocol carried in the IP packet (for example TCP, UDP or
ICMP), source and destination ports, and other parameters. Extended ACLs
are more complex to configure and require more CPU time than standard
ACLs, but they allow a more granular level of control and are normally
placed as close to the source as possible.
ACL Rules
Here are a few things to keep in mind when working with ACLs (both
standard and extended):
• ACLs can contain multiple statements. The packet is always compared
with each line of the access list in sequential order – it starts with the
first line of the access list, moves on to line 2, then line 3, and so on.
Order therefore matters: a broad statement placed before a more specific
one hides the specific one, and it can never match. Put the most specific
statements first.
• The packet is compared with lines of the access list only until a match is
made. Once a condition is met, the packet is acted upon and no further
comparisons take place.
• There is an implicit deny all at the end of each access list. This means
that if a packet doesn't match the condition on any of the lines in the
access list, the packet will be discarded. A consequence is that an ACL
containing only deny statements blocks all traffic on the interface it is
applied to; every ACL that is meant to pass any traffic needs at least one
permit statement.
• ACLs need to be applied to an interface on the device where you want
the traffic filtered. On a Cisco router this is done under the interface
with ip access-group <number> in|out. You must also specify which
direction of traffic you want the access list applied to. Two directions
are available:
• inbound – the ACL is applied to traffic coming into the interface, before
the router makes a routing decision.
• outbound – the ACL is applied to traffic leaving the interface, after the
routing decision.
Standard ACL Configuration
• To create a standard access list, the following command is used
in the router's global configuration mode. The number chosen selects the
type of list; IOS also accepts the expanded ranges 1300-1999 for standard
and 2000-2699 for extended lists:
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
Choosing the source IP
Router(config)#access-list 10 deny ?
A.B.C.D Address to match
any Any source host
host A single host address
Examples
-Router(config)#access-list 10 deny host 172.16.30.1
-Router(config)#access-list 12 deny any
-Router(config)#access-list 13 permit 172.16.0.0 0.0.255.255
The first line denies a single host (host is equivalent to the wildcard
mask 0.0.0.0). The second line denies every source; on its own, ACL 12
blocks all traffic. The third line uses a wildcard mask: a 0 bit means the
corresponding address bit must match, a 1 bit means it is ignored, so
172.16.0.0 0.0.255.255 matches every source in 172.16.0.0–172.16.255.255.
Combined with the implicit deny, ACL 13 permits only those sources.
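The matching rules above (top-down evaluation, first match wins, implicit deny, wildcard masks) can be checked offline before a list is ever applied to an interface. The following simulator is an added example and not Cisco IOS code; it parses the standard access-list syntax shown on this page, evaluates source addresses against it, and flags statements that an earlier statement shadows. SAMPLE_CONFIG is constructed for illustration and reuses the page's own example lines in two orderings.

```python
"""Added example (not Cisco IOS code): a small simulator for the standard ACL
semantics described above - top-down evaluation, first match wins, implicit
deny at the end, and Cisco wildcard masks. SAMPLE_CONFIG is constructed for
illustration and uses the page's own access-list syntax.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF

# Constructed ACL configuration: ACL 10 denies one host and then permits the
# rest of 172.16.0.0/16; ACL 11 has the same two lines in the wrong order;
# ACL 12 contains only a deny, so with the implicit deny it blocks everything.
SAMPLE_CONFIG = """
Router(config)#access-list 10 deny host 172.16.30.1
Router(config)#access-list 10 permit 172.16.0.0 0.0.255.255
Router(config)#access-list 11 permit 172.16.0.0 0.0.255.255
Router(config)#access-list 11 deny host 172.16.30.1
Router(config)#access-list 12 deny any
"""


def ip_int(text):
    """Convert dotted-quad text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    address: int   # address to compare against, as a 32-bit integer
    wildcard: int  # wildcard mask: 0 bit = must match, 1 bit = don't care

    def matches(self, src):
        # Cisco wildcard semantics: only bits that are 0 in the wildcard are compared.
        return ((ip_int(src) ^ self.address) & ~self.wildcard & ALL_ONES) == 0

    def covers(self, other):
        """True if every source matched by `other` is also matched by this entry."""
        return ((other.wildcard & ~self.wildcard & ALL_ONES) == 0
                and ((other.address ^ self.address) & ~self.wildcard & ALL_ONES) == 0)


def parse_source(tokens):
    """Decode the source forms IOS accepts: 'any', 'host A.B.C.D',
    'A.B.C.D W.W.W.W', or a bare 'A.B.C.D' (treated as a single host)."""
    if tokens[0] == "any":
        return 0, ALL_ONES
    if tokens[0] == "host":
        return ip_int(tokens[1]), 0
    wildcard = ip_int(tokens[1]) if len(tokens) > 1 else 0
    return ip_int(tokens[0]), wildcard


def parse_acl(config_text):
    """Build {acl_number: [Entry, ...]} in the order the lines were entered.
    A leading 'Router(config)#' prompt or '-' is stripped so the page's
    examples parse as they appear."""
    acls = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[-1].lstrip("- ").strip()
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number = int(tokens[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard ACL number")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {line!r}")
        address, wildcard = parse_source(tokens[3:])
        acls.setdefault(number, []).append(Entry(action, address, wildcard))
    return acls


def evaluate(entries, src):
    """Return (action, index) of the first matching entry, top-down.
    index None means no line matched and the implicit deny applied."""
    for index, entry in enumerate(entries):
        if entry.matches(src):
            return entry.action, index
    return "deny", None


def shadowed(entries):
    """Report (index, earlier_index) pairs where one earlier entry already
    covers every source the later entry matches, so the later entry can
    never be hit. Only single earlier entries are checked, not combinations."""
    result = []
    for i, entry in enumerate(entries):
        for j in range(i):
            if entries[j].covers(entry):
                result.append((i, j))
                break
    return result


if __name__ == "__main__":
    acls = parse_acl(SAMPLE_CONFIG)
    for number, entries in sorted(acls.items()):
        for src in ("172.16.30.1", "172.16.30.2", "10.0.0.1"):
            action, index = evaluate(entries, src)
            where = "implicit deny" if index is None else f"line {index + 1}"
            print(f"ACL {number}: {src:12} -> {action} ({where})")
        for i, j in shadowed(entries):
            print(f"ACL {number}: line {i + 1} is shadowed by line {j + 1} and can never match")
```

Running the script shows that ACL 10 denies 172.16.30.1 on line 1 and permits 172.16.30.2 on line 2, while 10.0.0.1 falls through to the implicit deny; in ACL 11 the host is permitted on line 1 and the deny on line 2 is reported as shadowed, which is exactly the ordering mistake the rules section warns about.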