ACL
Access control lists (ACLs) control which traffic is allowed into, through, or out of the network.
Introduction
ACLs function as a packet filter, instructing the router to permit or discard specific traffic.
ACLs can filter traffic based on source/destination IP addresses, source/destination Layer 4 ports, etc.

Example scenario: hosts in 192.168.1.0/24 should be able to access the 10.0.1.0/24 network.
Hosts in 192.168.2.0/24 should not be able to access the 10.0.1.0/24 network.
ACLs are configured globally on the router (global config mode).
They are an ordered sequence of ACEs (Access Control Entries).

Configuring an ACL in global config mode will not make the ACL take effect.
The ACL must be applied to an interface, in one direction.
ACLs are applied either inbound (checked against packets entering the router on that interface) or outbound (checked against packets leaving the router on that interface).
ACLs are made up of one or more ACEs.
When the router checks a packet against the ACL, it processes the ACEs in order, from top to bottom.
If the packet matches one of the ACEs in the ACL, the router takes the action and stops processing the ACL. All entries below the matching entry will be ignored.
A maximum of one ACL can be applied to a single interface per direction.
Implicit deny
What happens if a packet does not match any of the entries in an ACL?
The router drops the packet; it is not forwarded.
There is an implicit deny at the end of every ACL.
The implicit deny tells the router to deny all traffic that does not match any of the configured entries in the ACL. A consequence: an ACL that contains only deny entries blocks everything, so an ACL that is meant to block some traffic and allow the rest needs an explicit permit at the end.
ACL Types
Standard ACL: matches based on source IP address only
Standard Numbered ACLs
Standard Named ACLs
Extended ACL: matches based on source/destination IP, source/destination port, etc.
Extended Numbered ACLs
Extended Named ACLs
Standard ACLs
Match traffic based only on the source IP address of the packet.
Numbered ACLs are identified with a number (i.e. ACL 1, ACL 2, etc).
Different types of ACLs have a different range of numbers that can be used.
Standard ACLs can use 1-99 and 1300-1999.
The basic command to configure a standard numbered ACL is:
R1(config)# access-list number {deny | permit} source-ip wildcard-mask
! In a wildcard mask a bit of 0 means "must match" and a bit of 1 means "don't care".
! The next three entries are equivalent: each matches only the single host 1.1.1.1.
R1(config)# access-list 1 deny 1.1.1.1 0.0.0.0
R1(config)# access-list 1 deny 1.1.1.1
R1(config)# access-list 1 deny host 1.1.1.1
! These two entries are equivalent: each matches every source address.
R1(config)# access-list 1 permit any
R1(config)# access-list 1 permit 0.0.0.0 255.255.255.255
! A remark documents the ACL; it is not an entry and never matches traffic.
R1(config)# access-list 1 remark ## BLOCK ADELIN FROM ACCOUNTING ##
! Apply an ACL to an interface (one ACL per interface, per direction)
R1(config-if)# ip access-group number { in | out }
Standard named ACL
Match traffic based only on the source IP address of the packet.
Named ACLs are identified with a name (i.e. 'GIANT_TREE').
Standard named ACLs are configured by entering 'standard named ACL config mode', and then configuring each entry within that config mode.
R1(config)# ip access-list standard acl-name
R1(config-std-nacl)# [entry-number] {deny | permit} source-ip wildcard-mask
R1(config-if)# ip access-group acl-name { in | out }
Standard ACLs should be applied as close to the destination as possible: because they match only on the source address, placing one near the source would cut that source off from every destination, not just the one you want to protect.
Numbered ACLs with subcommands
A numbered ACL can also be configured in named-ACL config mode by giving its number instead of a name. This gives numbered ACLs the same sequence numbers and per-entry editing as named ACLs.
R1(config)# ip access-list standard acl-number
R1(config-std-nacl)# [entry-number] {deny | permit} source-ip wildcard-mask
In this mode you can delete an individual entry with
R1(config-std-nacl)# no entry-number
(With the classic access-list command there is no per-entry delete; negating the command removes the whole ACL.)
Resequencing ACLs
There is a resequence function that helps edit ACLs: it renumbers the entries, starting at starting-seq-num and stepping by increment, which reopens gaps between entries so new ones can be inserted at the right position.
The command is
R1(config)# ip access-list resequence acl-id starting-seq-num increment
Extended ACLs
Extended ACLs function mostly the same as standard ACLs.
They can be numbered or named, just like standard ACLs.
Numbered extended ACLs use the following ranges:
100-199
2000-2699
They are processed from top to bottom, just like standard ACLs, and end with the same implicit deny.
However, they can match traffic based on more parameters (protocol, source and destination address, source and destination port), so they are more precise (and more complex) than standard ACLs.
Because they identify the traffic precisely, extended ACLs should be applied as close to the source as possible, so unwanted traffic is dropped before it crosses the network.
R1(config)# access-list number {permit | deny} protocol src-ip dest-ip
R1(config)# ip access-list extended {name | number}
R1(config-ext-nacl)# [seq-num] {permit | deny} protocol src-ip dest-ip
protocol is ip (matches any IP packet), tcp, udp, icmp, etc.
src-ip and dest-ip each take one of the forms: any, host A.B.C.D, or A.B.C.D wildcard-mask.
Matching the source/destination IP address
! deny TCP from any source to the 10.0.0.0/24 network
R1(config-ext-nacl)# deny tcp any 10.0.0.0 0.0.0.255
Matching the TCP/UDP port numbers
When matching TCP or UDP, you can optionally specify the source and/or destination port numbers to match. The port operator is placed directly after the address it applies to: after src-ip for the source port, after dest-ip for the destination port.
The operators are eq (equal), neq (not equal), gt (greater than), lt (less than) and range low high. A port can be given as a number or as an IOS keyword (e.g. www for 80, ssh for 22).
! deny TCP from any source to host 1.1.1.1 on one destination port
R1(config-ext-nacl)# deny tcp any host 1.1.1.1 eq <port-number | keyword>
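The following is an added example, not code from the original page and not anything a Cisco router runs. It is a small Python model of the ACL evaluation described in the sections above (ordered ACEs, first match wins, implicit deny, wildcard masks, standard and extended ACE syntax including the port operators). It parses ACE lines written in the same syntax the page shows, so the equivalences among the standard-ACL forms (1.1.1.1 0.0.0.0, host 1.1.1.1, bare 1.1.1.1; any vs 0.0.0.0 255.255.255.255) can be checked directly. The scenario ACL (192.168.1.0/24 permitted, 192.168.2.0/24 denied), the SHADOWED and EXTENDED lists and every packet are constructed samples, and PORT_KEYWORDS is an assumed subset of the IOS port keyword table.

```python
import ipaddress

# Assumed subset of the IOS port keywords (the real table is much larger).
PORT_KEYWORDS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
                 "domain": 53, "www": 80, "pop3": 110, "https": 443}
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' is shorthand for this base/wildcard pair
any_port = lambda p: True              # predicate used when no port operator is given

def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = don't care; addr must equal base wherever the wildcard bit is 0."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) ^ ip_int(base)) & care == 0

def port_num(token):
    return PORT_KEYWORDS[token] if token in PORT_KEYWORDS else int(token)

def parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A W' | bare 'A' (a bare address is a host, as in IOS)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1

def parse_port(tokens, i):
    """Consume an optional eq/neq/gt/lt/range operator and return it as a predicate."""
    if i >= len(tokens) or tokens[i] not in ("eq", "neq", "gt", "lt", "range"):
        return any_port, i
    if tokens[i] == "range":
        lo, hi = port_num(tokens[i + 1]), port_num(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = port_num(tokens[i + 1])
    ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
           "gt": lambda p: p > n, "lt": lambda p: p < n}
    return ops[tokens[i]], i + 2

def parse_ace(line, kind):
    """'[seq] {permit|deny} src' (standard) or '[seq] {permit|deny} proto src [port] dst [port]'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    ace = {"seq": seq, "action": tokens[0], "proto": "ip",
           "src": ANY, "sport": any_port, "dst": ANY, "dport": any_port}
    if kind == "standard":                # standard ACE: source address only
        ace["src"], _ = parse_addr(tokens, 1)
        return ace
    ace["proto"] = tokens[1]              # extended ACE: protocol, addresses, optional ports
    ace["src"], i = parse_addr(tokens, 2)
    ace["sport"], i = parse_port(tokens, i)
    ace["dst"], i = parse_addr(tokens, i)
    ace["dport"], i = parse_port(tokens, i)
    return ace

def build_acl(lines, kind="standard"):
    """Unnumbered ACEs get the next free sequence (highest + 10); the list is kept in sequence order."""
    acl = []
    for line in lines:
        if "remark" in line.split()[:2]:  # remarks document the ACL, they never match
            continue
        ace = parse_ace(line, kind)
        if ace["seq"] is None:
            ace["seq"] = max((a["seq"] for a in acl), default=0) + 10
        acl.append(ace)
    return sorted(acl, key=lambda a: a["seq"])

def evaluate(acl, packet):
    """Walk the ACEs top to bottom; the first match decides; no match -> implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", packet["proto"]):
            continue
        if not wildcard_match(packet["src"], *ace["src"]):
            continue
        if not wildcard_match(packet["dst"], *ace["dst"]):
            continue
        if not (ace["sport"](packet.get("sport", 0)) and ace["dport"](packet.get("dport", 0))):
            continue
        return ace["action"], ace["seq"]
    return "deny", "implicit"

# Constructed sample: the page's scenario as a standard ACL (192.168.2.0/24 denied,
# 192.168.1.0/24 permitted, every other source caught by the implicit deny).
SCENARIO = build_acl([
    "remark ## 10.0.1.0/24 ACCESS POLICY ##",
    "deny 192.168.2.0 0.0.0.255",
    "permit 192.168.1.0 0.0.0.255",
])
# Constructed sample: order matters. 'permit any' at the top shadows the deny below it.
SHADOWED = build_acl(["permit any", "deny host 1.1.1.1"])
# Constructed sample extended ACL; the explicit '15' slots an entry between 10 and 20.
EXTENDED = build_acl([
    "deny tcp any host 10.0.1.5 eq telnet",
    "permit tcp 192.168.1.0 0.0.0.255 any eq www",
    "15 permit udp any any eq domain",
], kind="extended")
```

evaluate() returns the action and the sequence number of the entry that decided, or "implicit" when the packet fell off the end of the list, which makes it easy to see which entry a packet hit and whether a later entry is unreachable (as in SHADOWED, where 1.1.1.1 is permitted by entry 10 and the deny at 20 never fires).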