Why Use Access Lists?

Manage IP traffic as network access grows

Filter packets as they pass through the router
 What are ACLs?

ACLs are lists of conditions that are applied to traffic traveling across
a router's interface.

These lists tell the router what types of packets to accept or deny.

Acceptance and denial can be based on specified conditions.

ACLs can be configured at the router to control access to a network

or subnet.

Some ACL decision points are source and destination addresses,

protocols, and upper-layer port numbers.
 Reasons to Create ACLs

The following are some of the primary reasons to create

ACLs:

Limit network traffic and increase network performance.

Provide traffic flow control.
Provide a basic level of security for network access.
Decide which types of traffic are forwarded or blocked at the router
interfaces
For example: Permit e-mail traffic to be routed, but block all telnet traffic.
If ACLs are not configured on the router, all packets passing through the
router will be allowed onto all parts of the network.
 ACL’s
 Different access list for Telnet
 When configuring ISDN you need to use access list
 Implicit deny at bottom
 All restricted statements should be on first
 There are two types
 Standard
 Extended
 Network
192.168.12.2 N1 192.168.12.0 N2
192.168.12.3

B C

192.168.34.0
N3 N4 N5 192.168.56.0 N6
Types of Access Lists

Standard
Checks source address
Permits or denies entire protocol suite
Extended
Checks source and destination address
Generally permits or denies specific protocols
 How to Identify Access Lists

 Standard IP lists (1-99) test conditions of all IP packets from

source addresses.
 Extended IP lists (100-199) test conditions of source and destination
addresses, specific TCP/IP protocols, and destination ports.
 Standard IP lists (1300-1999) (expanded range).
 Extended IP lists (2000-2699) (expanded range).
 Standard ACLs

The full syntax of the standard ACL command is:

Router(config)#access-list access-list-number {deny | permit} source

[source-wildcard ]

The no form of this command is used to remove a standard ACL. This is

the syntax:
Router(config)#no access-list access-list-number

Config# Access-list 1 deny 192.168.1.0 0.0.0.255

Config# access-list 1 permit any
 Wildcard Mask
Access-list 99 permit 192.168.1.1 wildcard mask
All 32 bits of an IP Address can be filtered
Wildcard inverse mask
0=must match
1= ignore
MASK (192.168.1.1) Matching IP
0.0.0.0 (host) 192.168.1.1
0.0.0.255 192.168.1.0-255
0.0.255.255 192.168.0-255.0-255
0.255.255.255 192.0-255.0-255.0-255
255.255.255.255 0-255.0-255.0-255.0-255 (any)
 The ANY and HOST keyword
Access-list 1 permit 0.0.0.0 255.255.255.255
Or
permit any

Access-list 1 permit 200.0.0.9 0.0.0.0

Or
permit host 200.0.0.9
 Testing Packets with
Standard Access Lists
 Outbound ACL Operation

• If no access list statement matches, then discard the packet.

 Reading an ACL
 First Hit or Best Fit?
1. Access-list 99 deny host 192.168.1.1 0.0.0.0
access-list 99 permit any 255.255.255.255

2. Access-list 99 permit 192.168.1.0 0.0.0.255

Access-list 99 deny host 192.168.1.1
access-list 99 permit any

3. Access-list 99 deny host 192.168.1.1

 Implicit deny at the end of every ACL

 Creating ACLs
ACLs are created in the global configuration mode. There are many
different types of ACLs including standard, extended, IPX, AppleTalk, and
others. When configuring ACLs on a router, each ACL must be uniquely
identified by assigning a number to it. This number identifies the type of
access list created and must fall within the specific range of numbers that
is valid for that type of list.

Since IP is by far the most

popular routed protocol,
addition ACL numbers have
been added to newer
router IOSs.
Standard IP: 1300-1999
Extended IP: 2000-
2699
The ip access-group command

{ in | out }
 Exercise – Standard Access List
192.168.0.5 192.168.0.9
255.255.255.252 255.255.255.252
192.168.0.33
E0 255.255.255.240

192.168.0.17 S0 S1 S0 E0
A 255.255.255.248 S0
192.168.0.10 B
255.255.255.252
192.168.0.6
192.168.0.18 192.168.0.34
255.255.255.252
255.255.255.248 255.255.255.240

Account should be denied access to Sales

To steps to configure
•Create a standard Access list
•Apply ACL to proper interface inbound or outbound
 Exercise – Standard Access List
192.168.0.5 192.168.0.9
255.255.255.252 255.255.255.252
192.168.0.33
E0 255.255.255.240

192.168.0.17 S0 S1 S0 E0
A 255.255.255.248 S0
192.168.0.10 B
255.255.255.252
192.168.0.6
192.168.0.18 192.168.0.34
255.255.255.252
255.255.255.248 255.255.255.240

Config# Access-list 1 deny 192.168.0.18 0.0.0.7

Config# access-list 1 permit any

Config#int e 0
Config-if# ip access-group 1 out
 Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a
greater range of control.

Extended ACLs check the source and destination packet addresses as well as
being able to check for protocols and port numbers.

At the end of the extended ACL statement, additional precision is gained from a
field that specifies the optional Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) port number.

Logical operations may be specified such as, equal (eq), not equal (neq), greater
than (gt), and less than (lt), that the extended ACL will perform on specific
protocols.

Extended ACLs use an access-list-number in the range 100 to 199 (also from
2000 to 2699 in recent IOS).
 Configuration
• Protocol
• Access-list acl# {permit/Deny}
• Src IP src WCM
• Dst IP dst WCM
• Opetrator port
• Protocol
– OSPF RP If you need to Block a routing protocol
– EIGRP
– ICMP
• Operator
IP – TCP
– eq
– UDP
– gt
– lt
– neq
 Testing Packets with
Extended Access Lists
Extended ACL Syntax
 Extended ACL LAB
Internet

A B
Fa0/0 Fa0/1
200.0.0.10 200.0.0.9 200.0.0.17 200.0.0.18
255.255.255.248 255.255.255.248 255.255.255.240 255.255.255.240

 Account should be denied Sales Web site

Config# Access-list 100 deny tcp 200.0.0.10 0.0.0.7 200.0.0.18 0.0.0.15 eq www
Config# access-list 100 permit IP any any

Config#int Fastethernet 0/0

Config-if# ip access-group 100 IN
 Extended ACL LAB -2
192.168.0.9
192.168.0.5 255.255.255.252
255.255.255.252
S0 S0
S1
192.168.0.33
S0 192.168.0.6 192.168.0.10 E0 255.255.255.240
192.168.0.17 E0 255.255.255.252 255.255.255.252
255.255.255.248

192.168.0.34
255.255.255.240
A B
192.168.0.18
255.255.255.248

192.168.0.34 should be denied FTP of 192.168.0.18 192.168.0.18 should be denied website of 192.168.0.34

On Router R1 On Router R3
Config# Access-list 100 deny tcp 192.168.0.34 0.0.0.0 192.168.0.18 Config# Access-list 100 deny tcp 192.168. 0.18 0.0.0.0 192.168.0.34
0.0.0.0 eq 21 0.0.0.0 eq 80
Config# access-list 100 permit IP any any Config# access-list 100 permit IP any any

Config#int s0 Config#int s0
Config-if# ip access-group 100 IN Config-if# ip access-group 100 IN
 Deny FTP
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any

or

access-list 101 deny tcp any any eq ftp

access-list 101 permit ip any any
 Rules
For extended access list apply near to the
source
For standard access list apply near to the
destination
 Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2,
allowing standard and extended ACLs to be given names instead of
numbers.

The characteristics of named accesslist:

 Identify an ACL using an alphanumeric name.
 You can delete individual statements in a named access list
 Named access lists must be specified as standard or extended
 You can use the ip access-list command to create named
access lists.

Named ACLs are not compatible with Cisco IOS releases prior to Release
11.2.

The same name may not be used for multiple ACLs.

 Named ACL’s
 Numbered Access list did not give you any hint, What is
filtered

 Named ACL’s are both basic and advanced filtering tool

 Name cannot start with a number or !

 Cannot have space in the name

 Should not have ? Character anywhere in the name

 Name is case sensitive

 Named ACL Example
R1(config)#ip access-list standard blocksales
• R1(config-std-nacl)#deny 172.16.40.0 0.0.0.255
• R1(config-std-nacl)#permit any
• R1(config-std-nacl)#exit
• R1(config)#^Z
• R1#

#Int e 0
#Ip access-group blocksales out
Verify Access List
 Basic Rules for ACLs
 Standard IP access lists should be applied closest to the destination.
 Extended IP access lists should be applied closest to the source.
 Use the inbound or outbound interface reference as if looking at the port
from inside the router.
 Statements are processed sequentially from the top of list to the bottom
until a match is found, if no match is found then the packet is denied.
 There is an implicit deny at the end of all access lists. This will not appear
in the configuration listing.
 Access list entries should filter in the order from specific to general.
Specific hosts should be denied first, and groups or general filters should
come last.
 Never work with an access list that is actively applied.
 New lines are always added to the end of the access list.
 A no access-list x command will remove the whole list. It is not possible
to selectively add and remove lines with numbered ACLs.
 Outbound filters do not affect traffic originating from the local router.