
In compliance with ISO-9001 Cost Effective Quality Training Manpower Services

Access Control List



Objectives
•Explain the purpose of ACLs
•Explain the various applications for ACLs on Cisco Systems networks
•Describe the different types of ACLs
•Describe how ACLs operate
•Explain how Cisco IOS software processes ACL statements
•Explain the wildcard masking process



Why Use ACLs?

•Manage IP traffic as network access grows


•Filter packets as they pass through the router



ACL Applications

•Permit or deny packets moving through the router.


•Permit or deny vty access to or from the router.
•Without ACLs, all packets could be transmitted onto all parts of your network.

Terminology
•Deny : Blocking a Network/Host/Subnet/Service
•Permit : Allowing a Network/Host/Subnet/Service
•Source Address : The address of the PC from where the request starts.
•Destination Address : The address of the PC where the request ends.
•Inbound : Traffic coming into the interface
•Outbound : Traffic going out of the interface



Wild Card Mask
•Tells the router which address bits must match the address in the ACL statement.
•It is the inverse of the subnet mask, hence it is also called the inverse mask.
•A bit value of 0 indicates MUST MATCH (check bits)
•A bit value of 1 indicates IGNORE (ignore bits)
•The wildcard mask for a single host is always 0.0.0.0



Wild Card Mask
•A wildcard mask can be calculated using the formula:

      Global Subnet Mask (255.255.255.255)
    - Customized Subnet Mask
    -------------------------------------
    = Wildcard Mask

  E.g.    255.255.255.255
        - 255.255.255.240
        -----------------
            0.  0.  0. 15
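The subtraction above and the "0 = must match, 1 = ignore" rule, worked as an added Python example (this is illustration code written for this page, not Cisco IOS and not part of the course material). The function names and the sample addresses are constructed; the example also goes one step beyond the slide by showing that a wildcard mask is applied bit by bit, so a non-contiguous mask such as 0.0.254.255 is legal and matches every even-numbered third octet.

```python
import ipaddress


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The slide's formula: 255.255.255.255 minus the subnet mask, octet by octet."""
    octets = [255 - int(o) for o in subnet_mask.split(".")]
    return ".".join(str(o) for o in octets)


def wildcard_from_prefix_length(prefix_length: int) -> str:
    """Same result from CIDR notation: the low (32 - prefix_length) bits are the ignore bits."""
    ignore_bits = (1 << (32 - prefix_length)) - 1
    return str(ipaddress.IPv4Address(ignore_bits))


def wildcard_bits(wildcard: str) -> str:
    """Render the mask as 32 bits so the 0 (check) and 1 (ignore) positions are visible."""
    return format(int(ipaddress.IPv4Address(wildcard)), "032b")


def matches(address: str, acl_address: str, wildcard: str) -> bool:
    """True when every bit where the wildcard is 0 agrees between the two addresses."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(acl_address))
    w = int(ipaddress.IPv4Address(wildcard))
    # a ^ b is 1 wherever the addresses differ; a difference is only tolerated
    # in positions where the wildcard bit is 1 (ignore bits).
    return (a ^ b) & ~w == 0


if __name__ == "__main__":
    # Constructed sample values, matching the slide's worked subtraction.
    wc = wildcard_from_subnet_mask("255.255.255.240")
    print("255.255.255.240 ->", wc, wildcard_bits(wc))
    for host in ("192.168.1.7", "192.168.1.16"):
        print(host, "matches 192.168.1.0", wc, "?", matches(host, "192.168.1.0", wc))
    # Host entry: wildcard 0.0.0.0 means every bit must match.
    print("host entry:", matches("10.0.0.5", "10.0.0.5", "0.0.0.0"),
          matches("10.0.0.6", "10.0.0.5", "0.0.0.0"))
    # Non-contiguous mask: third octet must be even, everything else ignored.
    print("even third octet:", matches("192.168.4.1", "192.168.0.0", "0.0.254.255"),
          matches("192.168.5.1", "192.168.0.0", "0.0.254.255"))
```

The check in `matches` is the whole of what the router does with a wildcard mask: it never computes a network address or a prefix, it only compares the bits the mask does not tell it to ignore.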



Types of ACLs
•Standard ACL
– Checks source address
– Generally permits or denies entire protocol suite
•Extended ACL
– Checks source and destination address
– Generally permits or denies specific protocols
•Two methods are used to identify standard and extended ACLs:
–Numbered ACLs use a number for identification
–Named ACLs use a descriptive name or number for identification



How to Identify ACLs

•Numbered standard IPv4 lists (1-99) test conditions of all IP packets for source addresses. Expanded range (1300-1999).
•Numbered extended IPv4 lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range (2000-2699).
•Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).



Standard ACL
•The access-list number lies between 1 – 99
•Can block a Network, Host and Subnet
•Two-way communication is stopped
•All services are blocked.
•Implemented closest to the destination



Testing Packets with Standard ACLs



Extended ACL
•The access-list number lies between 100 – 199
•Can block a Network, Host, Subnet and Service
•One-way communication is stopped
•Selected services are blocked.
•Implemented closest to the source.



Testing Packets with Extended ACLs



Named ACL
•Access-lists are identified using names rather than numbers.
•Names are case-sensitive.
•No limitation of numbers here.
•One main advantage is that editing the ACL is possible, i.e. removing a specific statement from the ACL is possible.
•(IOS version 11.2 or later allows Named ACLs)



Rules of ACL
•All deny statements have to be given first
•There should be at least one permit statement
•An implicit deny blocks all traffic by default when there is no match (an invisible statement at the end of the list).
•Can have one access-list per interface per direction, i.e. two access-lists per interface: one in the inbound direction and one in the outbound direction.
•Works in sequential order
•Editing of access-lists is not possible, i.e. selectively adding or removing access-list statements is not possible
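The processing rules above (top-down evaluation, first match wins, invisible implicit deny at the end) together with the standard/extended distinction from the earlier slides (standard checks only the source; extended checks source, destination, protocol and destination port), as an added Python model of what the router does per packet. This is example code written for this page, not IOS and not the course's material; the `Entry` and `Packet` classes, the two sample lists and the packets are all constructed. It assumes the IOS conventions that `any` is written as 0.0.0.0 255.255.255.255 and a `host` entry uses wildcard 0.0.0.0.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(address: str, acl_address: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must agree; bits where it is 1 are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, acl_address, wildcard))
    return (a ^ b) & ~w == 0


@dataclass
class Entry:
    """One line of an access list. A standard entry leaves the destination and protocol at 'any'."""
    action: str                          # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"                 # 0.0.0.0 255.255.255.255 == "any"
    dst_wc: str = "255.255.255.255"
    protocol: str = "ip"                 # "ip" matches every IP protocol
    dst_port: Optional[int] = None       # None == no port condition


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, entry.src, entry.src_wc):
        return False
    if not wildcard_match(pkt.dst, entry.dst, entry.dst_wc):
        return False
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down: the first matching entry decides and later entries are never consulted.
    Returns (action, 1-based index of the deciding entry); (deny, None) is the implicit deny."""
    for index, entry in enumerate(acl, start=1):
        if entry_matches(entry, pkt):
            return entry.action, index
    return "deny", None


# Constructed sample lists, numbered in the ranges the slides give.
# Standard ACL 10: block one subnet, allow everyone else (the explicit permit is
# needed because the implicit deny would otherwise drop all remaining traffic).
STANDARD_ACL_10 = [
    Entry("deny", "192.168.10.0", "0.0.0.255"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
]

# Extended ACL 110: block only Telnet (TCP/23) from that subnet to one host,
# allow everything else. Deny statements come first, as the rules slide says.
EXTENDED_ACL_110 = [
    Entry("deny", "192.168.10.0", "0.0.0.255", "10.1.1.5", "0.0.0.0", "tcp", 23),
    Entry("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", "ip"),
]


if __name__ == "__main__":
    telnet = Packet("192.168.10.7", "10.1.1.5", "tcp", 23)
    web = Packet("192.168.10.7", "10.1.1.5", "tcp", 80)
    print("ACL 10, telnet:", evaluate(STANDARD_ACL_10, telnet))   # whole subnet denied
    print("ACL 10, web:   ", evaluate(STANDARD_ACL_10, web))      # still denied (no service check)
    print("ACL 110, telnet:", evaluate(EXTENDED_ACL_110, telnet)) # denied by entry 1
    print("ACL 110, web:   ", evaluate(EXTENDED_ACL_110, web))    # permitted by entry 2
    # Order matters: with the permit-any first, the deny line is never reached.
    print("ACL 110 reversed, telnet:", evaluate(list(reversed(EXTENDED_ACL_110)), telnet))
    # A list with no permit at all: everything falls through to the implicit deny.
    print("deny only, other subnet:", evaluate([STANDARD_ACL_10[0]], Packet("10.0.0.1", "10.1.1.5", "udp", 53)))
```

Two of the printed cases are the ones worth remembering when troubleshooting: a standard list cannot be made to block "only Telnet" because it never looks past the source address, and a list whose only lines are denies drops every packet, since the implicit deny is the last line of every ACL.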



Summary
•ACLs can be used for IP packet filtering or to identify traffic to assign
it special handling.
•ACLs perform top-down processing and can be configured for
incoming or outgoing traffic.
•You can create an ACL using a named or numbered ACL. Named or
numbered ACLs can be configured as standard or extended ACLs,
which determines what they can filter.
•Reflexive, dynamic, and time-based ACLs add more functionality to
standard and extended ACLs.
•In a wildcard bit mask, a 0 bit means to match the corresponding
address bit and a 1 bit means to ignore the corresponding address bit.


