
CCNA – Semester2

Module 11
Access Control Lists

Objectives

• Standard and extended ACLs
• The rules for placement of ACLs
• Create and apply named ACLs

Access Control List Fundamentals

What are ACLs

• ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
• These lists tell the router what types of packets to accept or deny.
• Acceptance and denial can be based on specified conditions.

Reasons to create ACLs

• Limit network traffic and increase network performance.
• Provide traffic flow control.
• Provide a basic level of security for network access.
• Decide which types of traffic are forwarded or blocked at the router interfaces.
Testing packets with ACLs

• The order in which you place ACL statements is important.
• A packet is checked against each condition statement, in the order in which the statements were created.
• After a match is found, no more condition statements are checked.
• If all the ACL statements are unmatched, an implicit "deny any" statement is imposed.

Configuration task list

• ACLs are classified as numbered or named ACLs; each has 2 types: standard and extended.
• Configuration task includes 2 steps:
  – Create an ACL
  – Apply the ACL to an interface
Assigning ACL number

• ACL number must be within the specific range specified for the protocol.
• Modification of a numbered ACL involves deleting the entire list and creating a new one.
• Remove numbered ACL:
  no access-list list-number

Apply Access Lists

• An ACL can be assigned to one or more interfaces and can filter inbound or outbound traffic.
• ACLs must be defined on a per-protocol, per-direction, per-interface basis.
• Eg: Only 1 IP access list on interface s0 in the inbound direction.
Types of Access Control Lists

Standard ACL Overview

• When you want to:
  – block all traffic from a network,
  – allow all traffic from a network,
  – permit or deny an entire protocol suite.
• Standard ACLs check the source address of packets that could be routed.
• Results in either permit or deny of an entire protocol suite, based on the network, subnet, and host addresses.
Standard ACL commands

Router(config)#
access-list access-list-number {deny | permit} source [source-wildcard] [log]

Router(config-if)#
ip access-group access-list-number {in | out}

• Access list number: 1 to 99, or 1300 to 1999 in recent IOS

Wildcard mask bits

• A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits.
• A wildcard mask bit 0 means "check the corresponding bit value".
• A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".

Wildcard & Subnet mask

• Wildcard masks operate differently from IP subnet masks.
  – Subnet mask: The zeros and ones determine the network (or subnet) and host portions of the corresponding IP address.
  – Wildcard mask: The zeros and ones determine whether the corresponding bits in an IP address should be checked or ignored for ACL purposes.

Wildcard any
Wildcard host

Examples: any, host

• Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
• Router(config)# access-list 1 permit any

• Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
• Router(config)# access-list 1 permit host 172.30.16.29
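As an added example (not part of the original slides), the following Python models what the "Testing packets with ACLs", "Wildcard mask bits" and "Examples: any, host" slides describe: a wildcard bit 0 selects a bit to compare, statements are tested in order, the first match wins, and an unmatched packet falls to the implicit deny. The `any` and `host` keywords are expanded to the equivalent address/wildcard pairs shown above; the access list itself is constructed sample input.

```python
import ipaddress
from typing import List, Optional, Tuple

def to_int(addr: str) -> int:
    """Dotted-quad text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = check that bit, bit 1 = ignore it.
    Masking both sides with the inverted wildcard keeps only the checked bits."""
    checked = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & checked) == (to_int(network) & checked)

def parse_standard_entry(line: str) -> Tuple[str, str, str]:
    """Parse 'permit|deny <source> [wildcard]', '... any' or '... host <addr>'
    into (action, network, wildcard)."""
    action, *rest = line.split()
    if rest[0] == "any":                     # any == 0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":                    # host X == X 0.0.0.0
        return action, rest[1], "0.0.0.0"
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"   # IOS default wildcard
    return action, rest[0], wildcard

def check_packet(acl: List[str], source: str) -> Tuple[str, Optional[str]]:
    """Test a packet's source address in statement order; the first match wins.
    No match at all falls through to the implicit 'deny any' (entry None)."""
    for line in acl:
        action, network, wildcard = parse_standard_entry(line)
        if wildcard_match(source, network, wildcard):
            return action, line
    return "deny", None

# Constructed sample list. Order matters: the host permit must come before the
# subnet deny, otherwise the subnet statement matches 172.16.4.13 first.
ACL_1 = [
    "permit host 172.16.4.13",
    "deny 172.16.4.0 0.0.0.255",
    "deny 172.16.3.0 0.0.0.255",
    "permit 0.0.0.0 255.255.255.255",      # same as 'permit any'
]

if __name__ == "__main__":
    for src in ("172.16.4.13", "172.16.4.20", "172.16.3.7", "10.1.1.1"):
        print(src, check_packet(ACL_1, src))
    print(check_packet([ACL_1[1], ACL_1[0]], "172.16.4.13"))   # reversed: now denied
    print(check_packet(["deny 172.16.4.0 0.0.0.255"], "10.1.1.1"))  # implicit deny
```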
Verifying ACLs

• The show ip interface command displays IP interface information and indicates whether any ACLs are set.
• The show access-lists command displays the contents of all ACLs on the router.
• The show running-config command will also reveal the access lists on a router and the interface assignment information.

Show ip interface
Show access-lists

Standard ACL examples

ACL Requirement

1. Do not allow traffic between outside and network 172.16.3.0
2. - Node 172.16.4.13 can only access Internet
   - Network 172.16.4.0 (except 172.16.4.13) can not access Internet

Extended ACL Overview

• Provide a greater range of control than standard ACLs including:
  – Protocols (IP, IPX, ICMP, TCP…)
  – Source address (IP address, IPX address…)
  – Destination address
  – Services or ports (Telnet, HTTP, FTP …)
  – Other parameters (SYN, ACK, Echo…)
Extended ACL commands

Router(config)#
access-list ACL-number {permit | deny} protocol source [source-mask operator extended-para] destination [destination-mask operator extended-para] [log | log-input]

Router(config-if)#
ip access-group access-list-number {in | out}

• Access list number: 100 to 199, or 2000 to 2699 in recent IOS

Extended ACL parameters

Parameter: Description
  access-list: Defines an access list
  access-list-number: Protocol-dependent ACL number (100-199)
  permit/deny: Defines a statement to allow/block traffic
  protocol: The protocol in question, including IP, TCP, UDP, ICMP, GRE
  source/destination: Source/destination address
  source-mask/destination-mask: Wildcard mask: zeros = bit must match; ones = bit is not checked
  operator: Logical operator:
    • lt: less than
    • gt: greater than
    • eq: equal to
    • neq: not equal to
  extended-para: Extended parameter of the protocol used, eg: port (for TCP/UDP), echo (for ICMP)
  log [log-input]: Records all ACL matches including violations
  in|out: Applies this access list to inbound or outbound traffic


Extended ACL: TCP/UDP protocol

Router(config)#
access-list access-list-number {permit | deny} {tcp | udp} source [s-mask operator s-port] destination [d-mask operator d-port] [established] [log | log-input]

established: only match if the ACK bit is set

Router(config-if)#
ip access-group access-list-number {in | out}
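As an added example (not from the original slides), the following Python extends the standard-ACL check to the extended TCP/UDP form above: a statement matches only when protocol, source, destination, the port operator from the parameter table (lt/gt/eq/neq) and, for `established`, the ACK bit all agree; the first match wins and no match is the implicit deny. The `ExtendedEntry` class, the packet dictionaries and the access list are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = check that bit, bit 1 = ignore it."""
    checked = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & checked) == (int(ipaddress.IPv4Address(network)) & checked)

OPERATORS = {"lt": lambda p, v: p < v, "gt": lambda p, v: p > v,   # the four port operators
             "eq": lambda p, v: p == v, "neq": lambda p, v: p != v}

@dataclass
class ExtendedEntry:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" (any protocol), "tcp" or "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_op: Optional[str] = None   # lt/gt/eq/neq applied to the destination port
    dst_port: int = 0
    established: bool = False      # tcp only: match only if the ACK bit is set

def entry_matches(e: ExtendedEntry, pkt: Dict) -> bool:
    """Every field of a statement must match for the statement to apply."""
    if e.protocol != "ip" and e.protocol != pkt["protocol"]:
        return False
    if not (wildcard_match(pkt["src"], e.src, e.src_wc)
            and wildcard_match(pkt["dst"], e.dst, e.dst_wc)):
        return False
    if e.dst_op and not OPERATORS[e.dst_op](pkt.get("dst_port", 0), e.dst_port):
        return False
    return not e.established or pkt.get("ack", False)

def check_packet(acl: List[ExtendedEntry], pkt: Dict) -> str:
    """First matching statement wins; no match at all is the implicit deny."""
    for e in acl:
        if entry_matches(e, pkt):
            return e.action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# Constructed sample list for the inbound side of an Internet-facing interface: let
# replies to sessions opened from inside back in, allow web to one server, deny the rest.
ACL_101 = [
    ExtendedEntry("permit", "tcp", *ANY, "172.16.0.0", "0.0.255.255", established=True),
    ExtendedEntry("permit", "tcp", *ANY, "172.16.4.13", "0.0.0.0", "eq", 80),
    ExtendedEntry("deny", "ip", *ANY, *ANY),
]
```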

Reserved port numbers


Extended ACL: ICMP protocol

Router(config)#
access-list access-list-number {permit | deny} icmp source [source-mask] destination [destination-mask] [icmp-type [icmp-code] | icmp-message] [log | log-input]

Router(config-if)#
ip access-group access-list-number {in | out}

Extended ACL: ICMP parameters

Parameter: Description
  icmp-type: (Optional) A number between 0 and 255 specifying the ICMP message type
  icmp-code: (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
  icmp-message: (Optional) ICMP packets can be filtered by an ICMP message type name or an ICMP message type and code name.
Named ACL Overview

• Uses a name string to identify standard and extended IP ACLs instead of the numeric (1 to 199) representation.
• Considerations:
  – Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
  – You cannot use the same name for multiple ACLs.

Named ACLs vs. Numbered ACLs

• Named ACLs have their own configuration mode with shorter and clearer command lines.
• Named ACLs can be used to remove individual entries from a specific ACL.
• Using a name is more understandable than using a number.
• Eliminate the limit of 798 simple and 799 extended ACLs.
Named ACL commands

• Router(config)# ip access-list {standard | extended} name
• Router(config {std- | ext-}nacl)# deny {source [source-wildcard] | any}
• Router(config {std- | ext-}nacl)# permit {source [source-wildcard] | any}
• Router(config-if)# ip access-group name {in | out}
• Router# show access-lists

Named ACL example


Inbound and Outbound

• If the ACL is inbound, when the router receives a packet and prior to the routing process, the router checks the ACL's statements for a match.
• If the ACL is outbound, after receiving and routing a packet to the outbound interface, the router checks the ACL's statements for a match.

Recommended Rule

• Place extended ACLs as close to the source of the denied traffic as possible.
• Place standard ACLs as close to the destination as possible.
• Placing ACLs on inbound interfaces may help to reduce routing processing tasks.
• Placing ACLs on outbound interfaces may avoid filtering unnecessary traffic.
Firewall architecture

Control VTY access with Access list

• Instead of applying an ACL on all router interfaces to filter telnet sessions to router interfaces, use an ACL on the vty lines.
• Access into and out of virtual terminal line ports can be controlled by IP numbered ACLs.

line vty 0 4
 login
 password cisco
 access-class access-list-number {in|out}

• Interface access lists are applied only to traffic passing through the router, not to traffic originating from the router.
VTY Control Example

Extended ACL examples

(Topology figure: router RA; host 172.16.3.100)

Access List Requirements
1. Prevent telnet and ftp access from the Internet to 172.16.3.100 and 172.16.4.13
2. Prevent all hosts except 172.16.4.13 on network 172.16.4.0 from accessing server 65.10.13.133
3. Prevent all hosts, except 172.16.3.100, on network 172.16.3.0 from accessing 172.16.4.13 using web and tftp
4. Allow all hosts on the local network as well as the Internet to access the company's web site on server 172.16.4.13. Block all other types of access to this server.

ACL Challenge

(Topology figure: Internet, routers R_1, R_2 and R_3 with serial interfaces S0/S1 and Ethernet interfaces E0/E1, serial network 192.169.10.0/24, Net1 (.32), Net2 (.64), Net3 (.96), PC1 (.48), PC2, PC3 (.80), Web Server (.66))

• Outer-network can't ping into inner-network
• Do not allow outer-network to access inner-network except web service in E0
• Traffic between Net1 and Net3 is not allowed
• Other networks can only access web service in Web Server
• Packets between PC1 (.48) and PC3 (.80) are only allowed if routed across the direct serial link
• Telnet to routers only from PC1
• All other kinds of traffic are allowed
Summary

• ACL definition
• How ACLs work
• Wildcard mask
• Standard numbered ACL configuration
• Extended numbered ACL configuration
• Named ACL configuration
• Placing ACLs

CCNA2 – Module11
