
2/1/2018 Access control lists: what they are and how to configure them

Understanding Access Control Lists (ACL)


Ingrid Beloša, October 20, 2014
Categories: CCNA, Certification, Configuration Tips, Network Fundamentals, Routing, Switching

Defining an access control list may seem a challenging and complex task, especially to those who have just
delved into the world of computer networking and network security. The aim of this article is to explain the
role of access control lists and the basic concepts needed to understand them. The article also teaches you
how to configure them on a Cisco router.

Article Contents
1 Why use access control lists (ACL)
2 Types of Access Control Lists
3 ACL Configuration Guidelines
4 ACL Example

An access control list (ACL) is a set of rules that controls network traffic and mitigates network attacks.
More precisely, ACLs filter traffic on a router or switch interface according to a given set of filtering
criteria.

Why use access control lists (ACL)


Initially, ACLs were the only means of providing firewall protection. Even though many other types of
firewalls and alternatives to ACLs exist today, ACLs are still in use, often in combination with other
technologies (for example, in virtual private networks to define which traffic should be encrypted and sent
through the VPN tunnel), and you should master them in order to succeed at the CCNA level and beyond.

Reasons why you should use ACLs:

Limit network traffic to increase network performance
Provide traffic flow control
Provide a basic level of security for network access by defining which part of the network/server/service
can be accessed by a host and which cannot
Provide granular control over traffic entering or exiting the network

Types of Access Control Lists


ACLs are primarily divided into two types: standard and extended. We also differentiate between
numbered and named ACLs.

Standard ACLs filter traffic solely on the Layer 3 source address carried in the header of the IP
(Internet Protocol) packet.
The command syntax for configuring a standard numbered ACL:

The first value {1-99 or 1300-1999} specifies the standard ACL number range.

http://www.routerfreak.com/understanding-access-control-lists-acl/ 1/5

The second value specifies whether to permit or deny the configured source IP address traffic.

The third value is the source IP address that must be matched.

The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the
range.

Extended ACLs filter traffic based on Layer 3 and 4 source and destination information thus giving greater
flexibility and control over network access than standard ACLs. The Cisco Extended ACL command guide can
be found here.
The command syntax for configuring an extended numbered ACL:

The first value {100-199 or 2000-2699} specifies the extended ACL number range.

The second value specifies whether to permit or deny traffic according to the criteria that follows.

The third value indicates the protocol type, that is, IP, TCP, UDP, ICMP or another IP sub-protocol.

The source and destination IP address and their associated wildcard masks determine where traffic
originates and its final destination, respectively.

As already mentioned, it is also possible to create a named ACL, which must be specified as either standard
or extended.
The command syntax for configuring a named standard or extended ACL:

Router(config)# ip access-list [standard | extended] ACL_name

Upon executing this command, the user is placed into a subconfiguration mode where the permit and deny
statements are entered:


Extended named ACLs offer additional parameters:

After creating the standard or extended ACL, you must apply it to the appropriate interface (or to a VTY line).
The command to apply the ACL to an interface:

ACL Configuration Guidelines


When working with ACLs or preparing for the CCNA exam, it’s important to remember the following guidelines:

Only one ACL per interface, per protocol, per direction is allowed.
ACLs are processed top-down; the most specific statements must go at the top of the list. Once a packet
meets the ACL criteria, the ACL processing stops and the packet is either permitted or denied.
ACLs are created globally and then applied to interfaces.
An ACL can filter traffic going through the router, or traffic to and from the router.
All ACLs have an implicit “deny all” statement at the end. Therefore, every ACL must have at least one
permit statement to allow any traffic to pass.

ACL Example

The idea of this example is to demonstrate the usage of standard and extended numbered ACLs.

On this network, you want to block all remote access to the routers except from PC C2.
First, you should create a numbered ACL on all three routers and then apply it to incoming traffic on the VTY
lines as follows:

R1(config)# access-list 10 permit 192.168.3.10 0.0.0.0
R2(config)# access-list 10 permit 192.168.3.10 0.0.0.0
R3(config)# access-list 10 permit 192.168.3.10 0.0.0.0

R1(config-line)# access-class 10 in
R2(config-line)# access-class 10 in
R3(config-line)# access-class 10 in

Then suppose you want to block on R1 all packets whose source IP address comes from the following pool of
addresses: any RFC 1918 private address and 127.0.0.0/8. The solution is as follows:

R1(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 100 permit ip any any

R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in
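To make the wildcard-mask, top-down and implicit-deny rules from the guidelines concrete, here is an added example (not code from the article or from Cisco) that parses the numbered ACL lines shown above and evaluates sample packets against them the way IOS would. It assumes a simplified model of IOS matching: numbered standard ACLs (1-99, 1300-1999) match on source only, extended ACLs (100-199, 2000-2699) match on protocol, source and destination, the first matching entry decides, and an unmatched packet hits the implicit deny. Port matching and keywords such as `established` are deliberately left out. The destination addresses used for the sample packets (198.51.100.1, 192.168.1.1) and the non-private test source 203.0.113.7 are constructed for the demonstration.

```python
"""Evaluate the article's numbered ACLs top-down with wildcard masks and an implicit deny."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    protocol: str  # "ip" matches every protocol; standard ACLs are stored as "ip"
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, network, wildcard):
    """Wildcard-mask semantics: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    care = ~wildcard & ALL_ONES
    return addr & care == network & care


def parse_addr(tok, i):
    """Parse one address spec starting at tok[i]; returns (network, wildcard, next_index)."""
    if tok[i] == "any":
        return 0, ALL_ONES, i + 1
    if tok[i] == "host":
        return ip_to_int(tok[i + 1]), 0, i + 2
    network = ip_to_int(tok[i])
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return network, ip_to_int(tok[i + 1]), i + 2
    return network, 0, i + 1  # no wildcard given: exact host, i.e. 0.0.0.0


def parse_acl(lines):
    """Group 'access-list N ...' lines by ACL number, preserving the order they were entered."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok and tok[0].endswith("#"):  # drop a copied 'R1(config)#' prompt
            tok = tok[1:]
        if tok[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        number, action = int(tok[1]), tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: source only
            src, src_w, _ = parse_addr(tok, 3)
            entry = Entry(action, "ip", src, src_w, 0, ALL_ONES)
        elif 100 <= number <= 199 or 2000 <= number <= 2699:  # extended: proto, src, dst
            src, src_w, i = parse_addr(tok, 4)
            dst, dst_w, _ = parse_addr(tok, i)
            entry = Entry(action, tok[3], src, src_w, dst, dst_w)
        else:
            raise ValueError(f"ACL number {number} is outside the standard/extended ranges")
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, protocol, src, dst):
    """Top-down, first match wins; a packet matching no entry falls to the implicit deny."""
    s, d = ip_to_int(src), ip_to_int(dst)
    for e in entries:
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if wildcard_match(s, e.src, e.src_wild) and wildcard_match(d, e.dst, e.dst_wild):
            return e.action
    return "deny"


# The ACL lines from the article's example (ACL 10 for VTY access, ACL 100 on R1's s0/0/0).
PAGE_ACL_LINES = [
    "R1(config)# access-list 10 permit 192.168.3.10 0.0.0.0",
    "R1(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "R1(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "R1(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "R1(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "R1(config)# access-list 100 permit ip any any",
]
ACLS = parse_acl(PAGE_ACL_LINES)


def check_inbound_s0(src, dst="198.51.100.1"):
    """Verdict of ACL 100 for a packet arriving inbound on s0/0/0 (constructed destination)."""
    return evaluate(ACLS[100], "ip", src, dst)


def check_vty(src):
    """Verdict of ACL 10 for a remote-access attempt to the router (constructed router address)."""
    return evaluate(ACLS[10], "ip", src, "192.168.1.1")


if __name__ == "__main__":
    for src in ("10.1.2.3", "172.20.0.9", "172.32.0.1", "192.168.3.10", "127.0.0.1", "203.0.113.7"):
        print(f"ACL 100, source {src:>13}: {check_inbound_s0(src)}")
    for src in ("192.168.3.10", "192.168.3.11"):
        print(f"ACL 10,  source {src:>13}: {check_vty(src)}")
```

Two things worth noticing when you run it: 172.32.0.1 is permitted even though it looks "private", because the 0.15.255.255 wildcard only covers 172.16.0.0 to 172.31.255.255; and if you move the `permit ip any any` entry to the top of ACL 100, every deny line becomes unreachable, which is exactly why the guidelines insist on ordering from most specific to least specific.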


I hope this was enough to get you started with ACL or refresh some important notions when preparing for a
Cisco Exam.

Is there anything related to ACLs that you’d like us to dig into?
