acl new

Upload: jay-mishra

Post on 02-Jun-2018


TRANSCRIPT

  • 8/11/2019 ACL NEW

    1/24

    aveen Patel

    Access Control List ( ACL )


    ACLs are basically a set of commands, grouped together by a number or name, that are used to filter traffic entering or leaving an interface.

    ACL commands define specifically which traffic is permitted and which is denied.

    Thus ACLs are statements that specify the conditions under which the router forwards or drops traffic flowing through specified interfaces.


    There are many reasons to create ACLs. ACLs can be used to:

    Limit network traffic and increase network performance

    Provide traffic flow control

    Provide a basic level of security for network access

    Decide which types of traffic are forwarded or blocked at the router interfaces

    Packet filtering


    ACLs operate in two ways:

    Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of a routing lookup if the packet is going to be discarded after it is denied by the filtering tests.

    Outbound ACLs: Incoming packets are first routed to the outbound interface and then processed through the outbound ACL on that interface.


    The types of ACLs can be classified as follows:

    Standard ACL

    Extended ACL


    Two methods used to identify Standard and Extended ACLs :

    Numbered ACLs

    Named ACLs


    Standard ACLs: Standard IP ACLs check only the source address of packets that can be routed. The result either permits or denies the entire IP protocol suite for that source, based on the source network, subnet, or host IP address.

    Extended ACLs: Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters.

    Named ACLs: These are identified by a descriptive name instead of a number; a named ACL can be either standard or extended.


    Standard Access List

    The access-list number range is 1-99, 1300-1999

    Can block a Network, Host and Subnet

    Two-way communication is stopped (all traffic from the matched source is dropped, so no conversation with it can take place)

    All services are blocked.

    Implemented closest to the destination. (Guideline: because it matches on source only, placing it near the source would also cut that source off from destinations you did not intend to filter.)

    Checks the source IP address.

    [Standard Access List example slide: figure not transcribed]

    Extended Access List

    The access-list number range is 100-199, 2000-2699

    Can block a Network, Host, Subnet and Service

    One-way communication is stopped (only the matched source-to-destination direction is filtered)

    Selected services can be blocked.

    Checks source address, destination address, protocol and port number.

    Implemented closest to the source. (Guideline: since it can match the exact flow, dropping the traffic early keeps it off the rest of the path.)

    [Extended Access List example slide: figure not transcribed]

    [ACL Evaluation slide: figure not transcribed]

    ACL Configuration Guidelines

    Standard or Extended indicates what can be filtered.

    One ACL per interface, per protocol, per direction is allowed.

    The order of ACL statements controls the testing: statements are evaluated top to bottom and the first match wins, so place the most specific statements at the top of the list.

    There is an implicit "deny any" statement as the last access list test. Every list therefore needs at least one permit statement, or it blocks all traffic on that interface and direction.

    Create the ACL before applying it to an interface (an ip access-group that references an ACL with no entries permits all traffic).

    ACLs filter traffic going through the router; they do not apply to traffic originating from the router itself.


    ACL Wildcard Masking

    Address filtering occurs when you use ACL address wildcard masking to identify which bits of the corresponding IP address are checked and which are ignored.

    A 0 in a bit position of the ACL mask indicates that the corresponding bit in the address must be matched.

    A 1 in a bit position of the ACL mask indicates that the corresponding bit in the address is not interesting and can be ignored. (A wildcard mask is therefore the bitwise inverse of the subnet mask: a /24 network uses 0.0.0.255, a single host uses 0.0.0.0, and "any" is 0.0.0.0 255.255.255.255.)
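    The following is an added example, not part of the original slides: Python (standard library only) that derives the wildcard mask for a prefix, renders the "address wildcard" pair an ACL statement takes, and applies the 0-means-check, 1-means-ignore rule bit by bit. It goes slightly beyond the slide by also handling a non-contiguous mask (matching only even hosts) and by showing what happens when a subnet mask is typed where a wildcard belongs, a common mistake that silently matches the wrong addresses. Function names are the example's own.

```python
# Added example (not from the slides): Cisco-style wildcard masks in Python.
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def acl_entry_for_network(cidr: str) -> str:
    """Render '192.168.10.0/24' as the 'address wildcard' pair an ACL statement takes.

    IOS keywords are used for the two special cases: 'host' for a /32 and 'any' for 0.0.0.0/0.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {wildcard_from_prefix(net.prefixlen)}"


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard is equal in address and base.

    XOR leaves a 1 wherever address and base differ; masking with the inverted
    wildcard keeps only the differences in positions the ACL cares about.
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is of the form 0...01...1, i.e. describes an ordinary subnet.

    Anything else (e.g. 0.0.0.254) is legal in IOS but matches a scattered set of hosts.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


if __name__ == "__main__":
    print(acl_entry_for_network("192.168.10.0/24"))          # 192.168.10.0 0.0.0.255
    print(wildcard_match("192.168.10.77", "192.168.10.0", "0.0.0.255"))
    # Non-contiguous wildcard: ignore every bit except the lowest, so only even hosts match.
    print(wildcard_match("10.0.0.2", "10.0.0.0", "0.0.0.254"), is_contiguous("0.0.0.254"))
    # Subnet mask typed where a wildcard belongs: this matches 1.2.3.0 but not 192.168.10.5.
    print(wildcard_match("1.2.3.0", "192.168.10.0", "255.255.255.0"))
```

    A useful review habit is to run every wildcard in a proposed ACL through is_contiguous: a non-contiguous mask is occasionally intended, but more often it is a typo that widens the match set.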


    Creating a Standard Numbered ACL

    Router(config)# access-list number {permit | deny} source_IP_address [wildcard_mask]

    Activating an ACL

    Router(config)# interface type [slot_#]

    Router(config-if)# ip access-group number {in | out}


    Creating an Extended Numbered ACL

    Router(config)# access-list number {permit | deny} protocol source_address source_wildcard destination_address destination_wildcard [operator port]

    (protocol is ip, tcp, udp, icmp, etc.; operator is eq, gt, lt, neq or range and applies to the port of the named protocol, e.g. eq 80)

    Activating an ACL

    Router(config)# interface type [slot_#]

    Router(config-if)# ip access-group number {in | out}


    Creating a Standard Named ACL

    Router(config)# ip access-list standard name

    Router(config-std-nacl)# [sequence-number] {deny | permit} source [wildcard]

    Router(config-std-nacl)# exit

    Activating an ACL

    Router(config)# interface type [slot_#]

    Router(config-if)# ip access-group name {in | out}


    Creating an Extended Named ACL

    Router(config)# ip access-list extended name

    Router(config-ext-nacl)# [sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard [option]

    Router(config-ext-nacl)# exit

    Activating an ACL

    Router(config)# interface type [slot_#]

    Router(config-if)# ip access-group name {in | out}
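    The following is an added example, not code from the slides or from Cisco: a small Python evaluator for the numbered standard and extended access-list statements shown on the syntax slides. It applies the configuration guidelines from earlier (statements tested in order, first match wins, implicit "deny any" at the end) to constructed packets, and adds a check the slides do not cover: a "shadow" lint that reports statements that can never match because an earlier, broader statement already catches everything they would. The sample configuration, the Packet/Entry types and all function names are the example's own; only the eq operator and a few port keywords are parsed.

```python
# Added example (not from the slides): evaluating numbered IOS-style ACLs in Python.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts in place of numbers (only the handful used here).
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # ip, tcp, udp or icmp
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every IP protocol
    src: tuple                 # (base, wildcard) as integers
    dst: tuple
    dport: Optional[int]
    text: str                  # the original statement, kept for reporting


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: list) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of tokens; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))


def _addr_matches(addr: int, spec: tuple) -> bool:
    base, wild = spec
    return (addr ^ base) & ~wild & 0xFFFFFFFF == 0      # bits that are 0 in the wildcard must agree


def parse_acl(config: str) -> list:
    """Parse 'access-list N permit|deny ...' lines, keeping the order they appear in."""
    entries = []
    for raw in config.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:          # standard: source only
            entries.append(Entry(action, "ip", _parse_addr(rest), (0, 0xFFFFFFFF), None, raw))
        elif 100 <= number <= 199 or 2000 <= number <= 2699:     # extended
            proto = rest.pop(0)
            src, dst = _parse_addr(rest), _parse_addr(rest)
            dport = None
            if rest and rest[0] == "eq":
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            entries.append(Entry(action, proto, src, dst, dport, raw))
        else:
            raise ValueError(f"unsupported access-list number {number}")
    return entries


def evaluate(entries: list, pkt: Packet) -> tuple:
    """Return (action, statement). First matching statement wins; no match is the implicit deny."""
    src, dst = _ip(pkt.src), _ip(pkt.dst)
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_matches(src, e.src) and _addr_matches(dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny any"


def _covers(outer: tuple, inner: tuple) -> bool:
    """True when every address matched by inner is also matched by outer."""
    ob, ow = outer
    ib, iw = inner
    return (iw & ~ow) & 0xFFFFFFFF == 0 and (ib ^ ob) & ~ow & 0xFFFFFFFF == 0


def shadowed(entries: list) -> list:
    """(later, earlier) pairs where 'later' can never match because 'earlier' matches all of it."""
    result = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.dport in (None, later.dport)):
                result.append((later.text, earlier.text))
                break
    return result


# Constructed sample configuration (not from the slides). The last line was meant to
# let one host use telnet, but the network-wide deny above it is tested first.
SAMPLE_ACL = """
access-list 110 deny   tcp 192.168.10.0 0.0.0.255 any eq telnet
access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq www
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit tcp host 192.168.10.5 any eq telnet
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(evaluate(acl, Packet("192.168.10.5", "10.1.1.10", "tcp", 23)))   # denied by the first line
    print(evaluate(acl, Packet("172.16.0.9", "10.1.1.10", "tcp", 80)))     # implicit deny any
    for later, earlier in shadowed(acl):
        print(f"unreachable: {later!r}  (shadowed by {earlier!r})")
```

    The shadow check is the code form of the ordering guideline: the host-specific permit has to sit above the network-wide deny, or it is dead configuration that only looks like an exception. The check also works for named ACLs, since they differ only in how the statements are entered.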


    Summary

    Access lists offer a powerful tool for network control. These lists add the flexibility to filter the packet flow into or out of router interfaces. Such control can help limit network traffic and restrict network use by certain users or devices.

    An IP access list is a sequential list of permit and deny conditions that apply to IP addresses or upper-layer IP protocols. Access lists filter traffic going through the router, but they do not filter traffic originated by the router.

    Access lists are optional mechanisms in Cisco IOS software that you can configure to filter or test packets to determine whether to forward them to their destination or discard them.


    Summary

    Inbound access lists process incoming packets before they are routed to an outbound interface, while outbound access lists process packets after routing, as they leave through an outbound interface.

    The Cisco IOS software executes access list statements in sequential order, so the first statement is processed, then the next, and so on, until a match is found.

    Address filtering occurs using access list address wildcard masking to identify which corresponding IP address bits to check or ignore.


    The End