Table of Contents
What Is Access Control List
An ACL (Access List) is a list of statements that are meant to either permit or deny the movement of data from the network layer and above. They are used to filter traffic in our networks as required by the security policy.
Packet filtering: Filtering packets, is a way to check the incoming packets and outgoing packets against set criteria so as to determine whether they should be forwarded or dropped. This is usually accomplished by a router. The traffic can be filter based on destination and source layer 3 address. Destination and source port number, as well as the protocol in use.
The three rules of configuration ACLs: There are three rules that should always be observed when configuration ACLs. These rules determine how traffic on a network will flow and therefore they should not be ignored.
ACL per protocol: This is to control each of the protocols that you have configured on your router.
ACL per direction: There are two directions in this case; inbound traffic is the traffic is coming into the router while outbound traffic is the traffic that is leaving the router.
ACL per interface: This is meant to control traffic from leaving through a specified interface.
Check Out the Headphones – 50% to 70% Off
Check Out the Earbuds – 50% to 70% Off
Types of Access Control List
Numbered and Named Access Lists: A Numbered Access Lists is assigned a unique number among all Access List, but a Named Access List is defined by a unique name.
Standard and Extended Access Lists: Standard Access Lists can be used to filter traffic only based on the source IP address of the IP datagram packet. An extended Access List can be used to filter traffic based on Source IP address, Destination IP address, Protocol (TCP, UDP, etc.) port Number, etc.
Access List type and number
Standard 1-99, 1300-1999
Extended 100-199, 2000-2699
Standard Access List
Standard Access Control List Example
The full syntax of the standard ACL command is as follow:
Router(config)#access-list<ACLno><deny/permit><source_network><wildcard_mast>
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
The full syntax of the standard ACL command to filter a specific host is as follow:
Router(config)#access-list<ACLno><deny/permit><source_ip_address><wildcard_mast>
Router(config)#access-list 1 permit 192.168.1.2 0.0.0.0
Or
Router(config)#access-list<ACLno><deny/permit><host><source_ip_address>
Router(config)#access-list 1 deny host 192.168.1.2
The command to permit all address is:
Router(config)#access-list<ACLno> permit 0.0.0.0 255.255.255.255
or
Router(config)#access-list<ACLno> permit any
The next command is used to apply the access lists to the appropriate interface.
Router(config)#ip access-group <ACLno> <out/in>
Router(config)#ip access-group 1 in
Inbound access list: packets are proceed through the access list by being routed to the outbound interface.
Outbound access list: packet is routed to the outbound interface and then proceed through the access list
Grammarly – Best Free Grammar checker | Spelling checker | Mistake-free document writer for Laptop/Desktop
Check Out The LAB Configuration eBook – Class A, Class B, Class C, MiN worth $78 Get at $18
Extended Access List
It allows you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. Extended IP Access Lists are almost identical to standard IP access lists in their use. The key difference between the two types is the variety of fields in the packet that can be compared for matching by extended access lists. The extended Control list can filter the traffic based on many other factors.
Source and destination IP addresses.
A protocol like IP, TCP, UDP, ICMP, etc.
Protocol information Port number for TCP and UDP or message type for ICMP.
Extended Access Control List Example
Router(config)#access-list [ACLno] permit\deny IP_protocol source_address Source-wildcard_mask [source_protocol_information] detination_address destination_wildcard_mask [destination_protocol_information]
ACLno: For Extended Access Control List, the Access list number must be between 100-199 or 2000-2699.
Permit/deny: Whether to permit or deny traffic.
IP_protocol: IP protocol to match. The IP protocols can be IP, ICMP, TCP, etc.
Source_address: Source IP address.
Source_wildcard_mask: Source wildcard mask.
Source_protocol_information: additional source protocol information like TCP or UDP port numbers.
Destination_address: Destination IP address.
Destination_wildcard_mast: destination wildcard mask.
Destination_protocol_information: Additional destination protocol information like TCP or UDP port number.
Wildcard mask: Instead of specifying a single IP address, you can also permit or deny network/subnetwork by using wildcard masks, also known as inverse masks.
Router(config)#access-list 100 deny tcp any host 192.168.0.22 eq 23
the line says to deny source host trying to telnet to destination host 192.168.0.2. keep in mind that the next line is an implicit deny by default. If you apply this access list to an interface, you might as well just shut the interface down because, by default, there’s an implicit deny-all at the end of every access list.
Router(config)#access-list 100 permit ip any any
The IP in this line is important because it will permit the IP stack. If TCP was used instead of IP in this line, then UDP, etc. would all be denied.
Now we need to apply it to an interface with the same command used for the IP standard list:
Router(config)#ip access-group 100 in
Or
Router(config)#ip access-group 100 out
Download Free CCNA Android Apps from Playstore
Named Access List
Name Access Lists are much like standard and extended access lists but with names and the addition of line numbers. You can give names to identify your access lists. Named Access Lists to allow standard and extended ACLs to be given names instead of numbers. That means we can either have a Standard Named Access List or an Extended Named Access List.
Syntax for Standard Named Access List:
R1>enable
R1>configuration terminal
R1(config)#ip access-list standard BLOCK_NETWORK1
R1(config-std-nacl)#deny 172.16.0.0 0.0.255.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#exit
After this, you have to configure Standard Name Access List on the interface with the “in/out” keyword.
R3>enable
R3#conf t
R3(config)#interface fa0/0
R3(config-if)#ip access-group BLOCK_NETWORK1 out
R3(config-if)#exit
R3(config)#exit
Syntax of Extended Named Access List
R1>enable
R1#conf t
R1(config)#ip access-list extended BLOCK_WS03
R1(config-ext-nacl)#deny tcp host 172.16.0.12 host 172.20.0.5 eq 80
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nal)#exit
R1(config)#exit
There is an implicit “deny any” at the end of every Access List. If there is no “permit ip any any” statement at the end, the above Extended Named Access Lists may filter out all traffic. The “permit ip any any” statement permits any other IP traffic if there is no matching deny in the previous statement. Above Extended Named Access Lists effectively allow all the traffic except the HTTP traffic from 172.16.0.12/16 to 172.20.0.5/16.
Configure interface
R1>enable
R1#conf t
R1(config)#interface fa0/0
R1(config-if)#ip access-group BLOCK_WS03 in
R1(config-if)#exit
R1(config)#exit
Learn MCSA for free – full course with LAB Configuration
Learn Linux for free – full course with LAB Configuration
<==Access CCNA LAB’s for Free==>
