Professional Documents
Culture Documents
ACLs are lists of conditions that are applied to traffic traveling across
a router's interface.
These lists tell the router what types of packets to accept or deny.
B C
192.168.34.0
N3 N4 N5 192.168.56.0 N6
Types of Access Lists
Standard
Checks source address
Permits or denies entire protocol suite
Extended
Checks source and destination address
Generally permits or denies specific protocols
How to Identify Access Lists
{ in | out }
Exercise – Standard Access List
192.168.0.5 192.168.0.9
255.255.255.252 255.255.255.252
192.168.0.33
E0 255.255.255.240
192.168.0.17 S0 S1 S0 E0
A 255.255.255.248 S0
192.168.0.10 B
255.255.255.252
192.168.0.6
192.168.0.18 192.168.0.34
255.255.255.252
255.255.255.248 255.255.255.240
To steps to configure
•Create a standard Access list
•Apply ACL to proper interface inbound or outbound
Exercise – Standard Access List
192.168.0.5 192.168.0.9
255.255.255.252 255.255.255.252
192.168.0.33
E0 255.255.255.240
192.168.0.17 S0 S1 S0 E0
A 255.255.255.248 S0
192.168.0.10 B
255.255.255.252
192.168.0.6
192.168.0.18 192.168.0.34
255.255.255.252
255.255.255.248 255.255.255.240
Config#int e 0
Config-if# ip access-group 1 out
Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a
greater range of control.
Extended ACLs check the source and destination packet addresses as well as
being able to check for protocols and port numbers.
At the end of the extended ACL statement, additional precision is gained from a
field that specifies the optional Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) port number.
Logical operations may be specified such as, equal (eq), not equal (neq), greater
than (gt), and less than (lt), that the extended ACL will perform on specific
protocols.
Extended ACLs use an access-list-number in the range 100 to 199 (also from
2000 to 2699 in recent IOS).
Configuration
• Protocol
• Access-list acl# {permit/Deny}
• Src IP src WCM
• Dst IP dst WCM
• Opetrator port
• Protocol
– OSPF RP If you need to Block a routing protocol
– EIGRP
– ICMP
• Operator
IP – TCP
– eq
– UDP
– gt
– lt
– neq
Testing Packets with
Extended Access Lists
Extended ACL Syntax
Extended ACL LAB
Internet
A B
Fa0/0 Fa0/1
200.0.0.10 200.0.0.9 200.0.0.17 200.0.0.18
255.255.255.248 255.255.255.248 255.255.255.240 255.255.255.240
Config# Access-list 100 deny tcp 200.0.0.10 0.0.0.7 200.0.0.18 0.0.0.15 eq www
Config# access-list 100 permit IP any any
192.168.0.34
255.255.255.240
A B
192.168.0.18
255.255.255.248
192.168.0.34 should be denied FTP of 192.168.0.18 192.168.0.18 should be denied website of 192.168.0.34
On Router R1 On Router R3
Config# Access-list 100 deny tcp 192.168.0.34 0.0.0.0 192.168.0.18 Config# Access-list 100 deny tcp 192.168. 0.18 0.0.0.0 192.168.0.34
0.0.0.0 eq 21 0.0.0.0 eq 80
Config# access-list 100 permit IP any any Config# access-list 100 permit IP any any
Config#int s0 Config#int s0
Config-if# ip access-group 100 IN Config-if# ip access-group 100 IN
Deny FTP
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
or
Named ACLs are not compatible with Cisco IOS releases prior to Release
11.2.
#Int e 0
#Ip access-group blocksales out
Verify Access List
Basic Rules for ACLs
Standard IP access lists should be applied closest to the destination.
Extended IP access lists should be applied closest to the source.
Use the inbound or outbound interface reference as if looking at the port
from inside the router.
Statements are processed sequentially from the top of list to the bottom
until a match is found, if no match is found then the packet is denied.
There is an implicit deny at the end of all access lists. This will not appear
in the configuration listing.
Access list entries should filter in the order from specific to general.
Specific hosts should be denied first, and groups or general filters should
come last.
Never work with an access list that is actively applied.
New lines are always added to the end of the access list.
A no access-list x command will remove the whole list. It is not possible
to selectively add and remove lines with numbered ACLs.
Outbound filters do not affect traffic originating from the local router.