What Is ACL – Access Control List Example

What Is ACL - Access Control List Example

What Is Access Control List

An ACL (Access List) is a list of statements that are meant to either permit or deny the movement of data from the network layer and above. They are used to filter traffic in our networks as required by the security policy.

Packet filtering: Filtering packets, is a way to check the incoming packets and outgoing packets against set criteria so as to determine whether they should be forwarded or dropped. This is usually accomplished by a router. The traffic can be filter based on destination and source layer 3 address. Destination and source port number, as well as the protocol in use.

The three rules of configuration ACLs: There are three rules that should always be observed when configuration ACLs. These rules determine how traffic on a network will flow and therefore they should not be ignored.

ACL per protocol: This is to control each of the protocols that you have configured on your router.

ACL per direction: There are two directions in this case; inbound traffic is the traffic is coming into the router while outbound traffic is the traffic that is leaving the router.

ACL per interface: This is meant to control traffic from leaving through a specified interface.

Check Out the Headphones – 50% to 70% Off

Check Out the Earbuds – 50% to 70% Off

Types of Access Control List

Numbered and Named Access Lists: A Numbered Access Lists is assigned a unique number among all Access List, but a Named Access List is defined by a unique name.

Standard and Extended Access Lists: Standard Access Lists can be used to filter traffic only based on the source IP address of the IP datagram packet. An extended Access List can be used to filter traffic based on Source IP address, Destination IP address, Protocol (TCP, UDP, etc.) port Number, etc.

Access List type and number

Standard               1-99, 1300-1999

Extended              100-199, 2000-2699

Standard Access List

Standard Access Control List Example

The full syntax of the standard ACL command is as follow:

Router(config)#access-list<ACLno><deny/permit><source_network><wildcard_mast>

Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

The full syntax of the standard ACL command to filter a specific host is as follow:

Router(config)#access-list<ACLno><deny/permit><source_ip_address><wildcard_mast>

Router(config)#access-list 1 permit 192.168.1.2 0.0.0.0

Or

Router(config)#access-list<ACLno><deny/permit><host><source_ip_address>

Router(config)#access-list 1 deny host 192.168.1.2

The command to permit all address is:

Router(config)#access-list<ACLno> permit 0.0.0.0 255.255.255.255

or

Router(config)#access-list<ACLno> permit any

The next command is used to apply the access lists to the appropriate interface.

Router(config)#ip access-group <ACLno> <out/in>

Router(config)#ip access-group 1 in

Inbound access list: packets are proceed through the access list by being routed to the outbound interface.

Outbound access list: packet is routed to the outbound interface and then proceed through the access list

Grammarly – Best Free Grammar checker | Spelling checker | Mistake-free document writer for Laptop/Desktop

Check Out The LAB Configuration eBook – Class A, Class B, Class C, MiN worth $78 Get at $18

Extended Access List

It allows you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. Extended IP Access Lists are almost identical to standard IP access lists in their use. The key difference between the two types is the variety of fields in the packet that can be compared for matching by extended access lists. The extended Control list can filter the traffic based on many other factors.

Source and destination IP addresses.

A protocol like IP, TCP, UDP, ICMP, etc.

Protocol information Port number for TCP and UDP or message type for ICMP.

Extended Access Control List Example

Router(config)#access-list [ACLno] permit\deny IP_protocol source_address Source-wildcard_mask [source_protocol_information] detination_address destination_wildcard_mask [destination_protocol_information]

ACLno: For Extended Access Control List, the Access list number must be between 100-199 or 2000-2699.

Permit/deny: Whether to permit or deny traffic.

IP­_protocol: IP protocol to match. The IP protocols can be IP, ICMP, TCP, etc.

Source_address: Source IP address.

Source_wildcard_mask: Source wildcard mask.

Source_protocol_information: additional source protocol information like TCP or UDP port numbers.

Destination_address: Destination IP address.

Destination_wildcard_mast:  destination wildcard mask.

Destination_protocol_information: Additional destination protocol information like TCP or UDP port number.

Wildcard mask: Instead of specifying a single IP address, you can also permit or deny network/subnetwork by using wildcard masks, also known as inverse masks.

Router(config)#access-list 100 deny tcp any host 192.168.0.22 eq 23

the line says to deny source host trying to telnet to destination host 192.168.0.2. keep in mind that the next line is an implicit deny by default. If you apply this access list to an interface, you might as well just shut the interface down because, by default, there’s an implicit deny-all at the end of every access list.

Router(config)#access-list 100 permit ip any any

The IP in this line is important because it will permit the IP stack. If TCP was used instead of IP  in this line, then UDP, etc. would all be denied.

Now we need to apply it to an interface with the same command used for the IP standard list:

Router(config)#ip access-group 100 in

Or

Router(config)#ip access-group 100 out

Download Free CCNA Android Apps from Playstore

Named Access List

Name Access Lists are much like standard and extended access lists but with names and the addition of line numbers. You can give names to identify your access lists. Named Access Lists to allow standard and extended ACLs to be given names instead of numbers. That means we can either have a Standard Named Access List or an Extended Named Access List.

Syntax for Standard Named Access List:

R1>enable

R1>configuration terminal

R1(config)#ip access-list standard BLOCK_NETWORK1

R1(config-std-nacl)#deny 172.16.0.0 0.0.255.255

R1(config-std-nacl)#permit any

R1(config-std-nacl)#exit

R1(config)#exit

After this, you have to configure Standard Name Access List on the interface with the “in/out” keyword.

R3>enable

R3#conf t

R3(config)#interface fa0/0

R3(config-if)#ip access-group BLOCK_NETWORK1 out

R3(config-if)#exit

R3(config)#exit

Syntax of Extended Named Access List

R1>enable

R1#conf t

R1(config)#ip access-list extended BLOCK_WS03

R1(config-ext-nacl)#deny tcp host 172.16.0.12 host 172.20.0.5 eq 80

R1(config-ext-nacl)#permit ip any any

R1(config-ext-nal)#exit

R1(config)#exit

There is an implicit “deny any” at the end of every Access List. If there is no “permit ip any any” statement at the end, the above Extended Named Access Lists may filter out all traffic. The “permit ip any any” statement permits any other IP traffic if there is no matching deny in the previous statement. Above Extended Named Access Lists effectively allow all the traffic except the HTTP traffic from 172.16.0.12/16 to 172.20.0.5/16.

Configure interface

R1>enable

R1#conf t

R1(config)#interface fa0/0

R1(config-if)#ip access-group BLOCK_WS03 in

R1(config-if)#exit

R1(config)#exit

Learn MCSA for free – full course with LAB Configuration

Learn Linux for free – full course with LAB Configuration

<==Access CCNA LAB’s for Free==>

I hope you find this article helpful, you can support us by donating just $1. It will really encourage us. EIHeducation


Leave a Reply

Your email address will not be published. Required fields are marked *