Access List

Access Control Lists (ACLs) are used to manage IP traffic by filtering packets based on specified conditions, enhancing network performance and security. There are two types of ACLs: standard, which checks only source addresses, and extended, which checks both source and destination addresses along with protocols and ports. Proper configuration and application of ACLs are crucial for controlling network access and ensuring efficient traffic management.

Why Use Access Lists?

• Manage IP traffic as network access grows
• Filter packets as they pass through the router
What are ACLs?

• ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
• These lists tell the router what types of packets to accept or deny.
• Acceptance and denial can be based on specified conditions.
• ACLs can be configured at the router to control access to a network.
• Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.

Reasons to Create ACLs

The following are some of the primary reasons to create ACLs:

• Limit network traffic and increase network performance.
• Provide traffic flow control.
• Provide a basic level of security for network access.
• Decide which types of traffic are forwarded or blocked at the router interfaces. For example: permit e-mail traffic to be routed, but block all telnet traffic.

If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.

ACLs

• There are two types of ACL:
  • Standard
  • Extended
• There are two places we can apply an ACL:
  • Inbound
  • Outbound

Types of Access Lists

Standard
• Checks source address
• Permits or denies entire protocol suite

Extended
• Checks source and destination address
• Generally permits or denies specific protocols
How to Identify Access Lists

• Standard IP lists (1-99) test conditions of all IP packets from source addresses.
• Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
• Standard IP lists (1300-1999) (expanded range).
• Extended IP lists (2000-2699) (expanded range).
Standard ACLs

The full syntax of the standard ACL command is:

Router(config)#access-list access-list-number {deny | permit} source [source-wildcard]

The no form of this command is used to remove a standard ACL. This is the syntax:

Router(config)#no access-list access-list-number

Example: deny the 192.168.1.0/24 network, permit everything else, and apply the list to a serial interface (the access-group command is entered in interface configuration mode):

R(config)# access-list 1 deny 192.168.1.0 0.0.0.255
R(config)# access-list 1 permit any
R(config)# interface Serial
R(config-if)# ip access-group 1 [out|in]

The ANY and HOST keywords

access-list 1 permit 0.0.0.0 255.255.255.255
or
access-list 1 permit any

access-list 1 permit 200.0.0.9 0.0.0.0
or
access-list 1 permit host 200.0.0.9

Testing Packets with Standard Access Lists

Outbound ACL Operation

• If no access list statement matches, then discard the packet.


Reading an ACL

1. access-list 99 deny 192.168.1.1 0.0.0.0
   access-list 99 permit 0.0.0.0 255.255.255.255

2. access-list 99 permit 192.168.1.0 0.0.0.255
   access-list 99 deny host 192.168.1.1
   access-list 99 permit any

3. access-list 99 deny host 192.168.1.1

Creating ACLs

ACLs are created in the global configuration mode. There are many different types of ACLs, including standard and extended. An ACL must be uniquely identified by assigning a number to it. This number must fall within the specific range of numbers that is valid for that type of list.

ACL Numbers:

Standard IP: 1 - 99 (expanded range 1300 - 1999)
Extended IP: 100 - 199 (expanded range 2000 - 2699)

The ip access-group command

Router(config-if)#ip access-group access-list-number { in | out }

ACL Guidelines

• One access list per interface, per protocol, or per direction
• More specific tests at the top of the ACL
• New lines are placed at the bottom of the ACL
• Individual lines cannot be removed
• End ACLs with a permit any command
• Create ACLs and then apply them to an interface
• ACLs do not filter traffic originated from the router
• Put standard ACLs close to the destination
• Put extended ACLs close to the source
Standard ACL Example

How do we use a standard access list to stop specific users from gaining access to the Finance department LAN? Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the Marketing department files. The Marketing LAN needs to access the Finance LAN for application services.

Apply this access list on the Fa0/1 interface as an outbound list.

IP standard access list example 2

Stop the Accounting users from accessing the Human Resources server attached to the Lab_B router, but allow all other users access to that LAN using a standard ACL. What kind of standard access list would we need to create, and where would we place it to achieve our goals?

IP standard access list example 3

You need to write an access list that will stop access from each of the four LANs shown in the diagram to the Internet. Each of the LANs reveals a single host's IP address.

This could have been done with one line. If you actually applied this ACL on the router, you'd effectively shut down access to the Internet, so why even have an Internet connection?
Exercise – Standard Access List

1. Design the network
2. Do the needed configuration using static or dynamic routing
3. Create a standard access list
4. Apply the ACL to the proper interface, inbound or outbound

Extended ACLs

Extended ACLs are used more often than standard ACLs because they provide a greater range of control.

Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers.

At the end of the extended ACL statement, additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number.

Logical operations may be specified, such as equal (eq), that the extended ACL will perform on specific protocols.

Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS).

Configuration

• access-list acl# {permit | deny} protocol src-IP dst-IP port
• Protocol (carried over IP):
  – OSPF
  – EIGRP
  – ICMP
  – TCP
  – UDP

Testing Packets with Extended Access Lists

Extended ACL Syntax

Exercise – Extended Access List

1. Design the network
2. Do the needed configuration using static or dynamic routing
3. Create an extended access list
4. Apply the ACL to the proper interface, inbound or outbound

Example

In this example, we're going to allow HTTP access to the Finance server from source Host B only. All other traffic will be permitted.

Deny FTP

access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any

or

access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any
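To make the top-down matching on the Reading an ACL slide and the Deny FTP lines above concrete, here is a small Python simulator, added for this edition and not taken from the original slides or from Cisco IOS, that parses numbered standard and extended entries, applies wildcard masks, and falls through to the implicit deny. The packet fields passed to evaluate and the PORT_NAMES table are constructed assumptions for the example.

```python
import ipaddress
# Well-known port names accepted after "eq" (a small subset, assumed for this example).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def _take_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]' (wildcard defaults to 0.0.0.0)."""
    first = tok.pop(0)
    if first == "any":
        return "0.0.0.0", "255.255.255.255"
    if first == "host":
        return tok.pop(0), "0.0.0.0"
    return first, (tok.pop(0) if tok and tok[0][0].isdigit() else "0.0.0.0")

def parse_ace(line):
    """Parse one numbered access-list entry; the list number decides standard vs extended."""
    tok = line.lower().split()
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    standard = 1 <= num <= 99 or 1300 <= num <= 1999
    if not standard and not (100 <= num <= 199 or 2000 <= num <= 2699):
        raise ValueError(f"ACL number {num} is outside the standard/extended ranges")
    ace = {"action": action, "proto": "ip", "dst": ("0.0.0.0", "255.255.255.255"), "port": None}
    if not standard:
        ace["proto"] = rest.pop(0)              # ip, tcp, udp, icmp, ...
    ace["src"] = _take_addr(rest)
    if not standard:
        ace["dst"] = _take_addr(rest)
        if rest and rest[0] == "eq":            # only the eq operator is modelled here
            ace["port"] = PORT_NAMES.get(rest[1]) or int(rest[1])
    return ace

def evaluate(acl_lines, src, dst="0.0.0.0", proto="ip", dport=None):
    """Top-down first match; the implicit deny at the end of every ACL catches the rest."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])
                and ace["port"] in (None, dport)):
            return ace["action"]
    return "deny"

# The lists from the "Reading an ACL" and "Deny FTP" slides.
ACL99_1 = ["access-list 99 deny 192.168.1.1 0.0.0.0", "access-list 99 permit 0.0.0.0 255.255.255.255"]
ACL99_2 = ["access-list 99 permit 192.168.1.0 0.0.0.255", "access-list 99 deny host 192.168.1.1",
           "access-list 99 permit any"]
ACL99_3 = ["access-list 99 deny host 192.168.1.1"]
ACL101 = ["access-list 101 deny tcp any any eq ftp", "access-list 101 permit ip any any"]
```

Evaluating 192.168.1.1 against the second list returns permit, because the /24 permit on its first line matches before the host deny is ever reached, and the third list denies every source, since nothing but the implicit deny follows its single entry.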

Rules

For an extended access list, apply near to the source.
For a standard access list, apply near to the destination.

Named ACLs

IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing ACLs to be given names instead of numbers.

The characteristics of a named access list:

• Identify an ACL using an alphanumeric name.
• Named access lists must be specified as standard or extended.
• You can use the ip access-list command to create named access lists.

The same name may not be used for multiple ACLs.

Named ACLs

• A numbered access list gives no hint of what is filtered.
• Named ACLs are both a basic and an advanced filtering tool.
• The name cannot start with a number or !
• The name cannot contain a space.
• The name should not have a ? character anywhere in it.
• The name is case sensitive.


Named ACL Example

R1(config)#ip access-list standard blocksales
R1(config-std-nacl)#deny 172.16.40.0 0.0.0.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#^Z
R1#

R1(config)#interface e0
R1(config-if)#ip access-group blocksales out

Verify Access List

Basic Rules for ACLs

• Standard IP access lists should be applied closest to the destination.
• Extended IP access lists should be applied closest to the source.
• Use the inbound or outbound interface reference as if looking at the port from inside the router.
• Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, then the packet is denied.
• Access list entries should filter in the order from specific to general.
• Specific hosts should be denied first, and groups or general filters should come last.
• Never work with an access list that is actively applied.
• New lines are always added to the end of the access list.
