
Access Control List (ACL) in Cisco IOS

An Access Control List (ACL) filters traffic (packets) on a router or switch interface according to a set of filtering criteria. Each packet is compared against the ACL statements in order and is either permitted or denied further movement.

There are two types of ACL:
1. Standard Access Lists
2. Extended Access Lists

Standard Access Control Lists

A Standard Access List allows you to permit or deny traffic based only on its source IP address. The destination of the packet and the ports involved can be anything.

Standard IP ACLs range from 1–99, 1300–1999

Syntax –

access-list access-list-number {permit|deny}{host|source source-wildcard|any}

Traffic Filtered direction “in/out”

The “in” keyword specifies that the traffic is filtered when it arrives at the router via an interface.

The “out” keyword specifies that the traffic is filtered as it leaves the router via an interface.

Syntax –

Router(config)# interface interface_no
Router(config-if)# ip access-group <access_list_number> <in/out>

Where to place Standard ACL –

A Standard ACL filters traffic based on the source IP address only. Therefore a Standard Access Control List (ACL) should be placed on the router nearest to the destination network/host that is being protected. If we place the Standard ACL near the source, there is a chance of also denying legitimate traffic from the source network to some other network, because the ACL cannot distinguish destinations.

LAB example Diagram

Case 1. Deny the workstations located at 192.168.10.0/24 network from accessing the servers at 192.168.50.0/24 network, using Standard Access Control List.

Solve: The servers being protected sit behind R3, so the standard ACL is configured on R3 and applied to Fa 0/0 (the interface facing the 192.168.50.0/24 network) in the outbound direction. The explicit “permit any” is required because every ACL ends with an implicit deny.

 R3> enable
 R3# configure terminal
 R3(config)# access-list 5 deny 192.168.10.0 0.0.0.255
 R3(config)# access-list 5 permit any
 R3(config)# interface fa 0/0
 R3(config-if)# ip access-group 5 out
 R3(config-if)# exit

To disable the Standard ACL (unbind it from the interface first, then delete the list) –

 R3(config)# interface fa 0/0
 R3(config-if)# no ip access-group 5 out
 R3(config-if)# exit
 R3(config)# no access-list 5

Case 2. Deny the PC1 (192.168.10.1) from accessing the servers at 192.168.50.0/24 network, using Standard Access Control List.

Solve: A single host is matched with the wildcard mask 0.0.0.0 (every bit must match), which is the same as writing “host 192.168.10.1”. A wildcard of 255.255.255.0 would instead match every address whose last octet is 1, on any network.

 R3> enable
 R3# configure terminal
 R3(config)# access-list 5 deny 192.168.10.1 0.0.0.0
 R3(config)# access-list 5 permit any
 R3(config)# interface fa 0/0
 R3(config-if)# ip access-group 5 out
 R3(config-if)# exit

Case 3. Only PC3 (192.168.30.1) can telnet to R3.

Solve: The ACL is applied to the VTY lines with access-class rather than to an interface, so it restricts only management (telnet) sessions to the router itself.

 R3> enable
 R3# configure terminal
 R3(config)# access-list 55 permit 192.168.30.1 0.0.0.0
 R3(config)# access-list 55 deny any
 R3(config)# line vty 0 4
 R3(config-line)# access-class 55 in
 R3(config-line)# exit

Extended Access Control Lists

Extended Access Control Lists (ACL) can be used to filter traffic based on Source IP address, Destination IP address, Protocol (TCP, UDP etc), Port Numbers etc.

Extended IP ACLs range from 100–199, 2000–2699

The syntax for IP Extended ACL is given below:-

access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence]

Where to place Extended ACL –

An Extended ACL can filter traffic based on many factors: source IP address, destination IP address, protocol, TCP or UDP port numbers, etc. Since an Extended Access Control List can filter an IP datagram based on its destination IP address, it should be placed on the router nearest to the source network/host. If we place the Extended ACL near the destination, the unwanted traffic consumes bandwidth across the whole path only to be dropped at the far end.

In an Extended ACL, to filter traffic based on TCP or UDP port numbers, we use an operator. The operator specifies how the port number or numbers in the Access Control List entry are matched. The following table lists the important Extended Access Control List operators.

Operator   Description
lt         Less than
gt         Greater than
neq        Not equal to
eq         Equal to
range      Range of port numbers

The “established” keyword is used to match an established connection for the TCP protocol. An established connection can be considered TCP traffic that belongs to a session originating inside your network, not one initiated from an external network.

Technically, the router treats a packet as belonging to an existing connection if the Transmission Control Protocol (TCP) segment has the Acknowledgment (ACK) or Reset (RST) bit set; it does not track connection state.

Example:

Router03(config)#access-list 102 permit tcp any any eq www established

Case1. Deny PC1 (192.168.10.1/24) from accessing the Web Server (192.168.50.1/24)

R1>enable
R1#configure terminal
R1(config)#access-list 105 deny tcp host 192.168.10.1 host 192.168.50.1 eq 80
R1(config)#access-list 105 permit ip any any

R1(config)#interface fa0/0
R1(config-if)#ip access-group 105 in
R1(config-if)#exit

Case2. Deny PC4 (192.168.30.2/24) from accessing the Mail Server (192.168.50.2/24)

Each case is shown as a stand-alone configuration. If ACL 105 from Case1 is still present, this deny line is appended after “permit ip any any” and never matches; remove the old list first or use a new number.

R1>enable
R1#configure terminal
R1(config)#access-list 105 deny tcp host 192.168.30.2 host 192.168.50.2 eq 25
R1(config)#access-list 105 permit ip any any

R1(config)#interface fa0/0
R1(config-if)#ip access-group 105 in
R1(config-if)#exit

Named Access Control List

Named Access Control Lists (ACLs) allow standard and extended ACLs to be given names instead of numbers. Unlike numbered Access Control Lists (ACLs), Named Access Control Lists can be edited entry by entry.

Standard Named Access Control List (ACL) :-

Case1. Deny the workstations located at 192.168.30.0/24 network from accessing the servers at 192.168.50.0/24 network, using Standard Access Control List.

Solve: As in the numbered Case 1, the list is placed on R3 and applied outbound on Fa 0/0, the interface facing the 192.168.50.0/24 servers.

 R3> enable
 R3# configure terminal
 R3(config)# ip access-list standard BLOCK_NETWORK2
 R3(config-std-nacl)# deny 192.168.30.0 0.0.0.255
 R3(config-std-nacl)# permit any
 R3(config-std-nacl)# exit
 R3(config)# interface fa 0/0
 R3(config-if)# ip access-group BLOCK_NETWORK2 out
 R3(config-if)# exit

To remove the named ACL (unbind it from the interface first, then delete the list)

 R3(config)# interface fa 0/0
 R3(config-if)# no ip access-group BLOCK_NETWORK2 out
 R3(config-if)# exit
 R3(config)# no ip access-list standard BLOCK_NETWORK2

Extended Named Access Control List (ACL) :-

Case1. Deny PC1 (192.168.10.1/24) from accessing the Web Server (192.168.50.1/24)

 R1> enable
 R1# configure terminal
 R1(config)# ip access-list extended BLOCK_WS01
 R1(config-ext-nacl)# deny tcp host 192.168.10.1 host 192.168.50.1 eq 80
 R1(config-ext-nacl)# permit ip any any
 R1(config-ext-nacl)# exit
 R1(config)# interface fa0/0
 R1(config-if)# ip access-group BLOCK_WS01 in
 R1(config-if)# exit

To show existing Named Access Control Lists (ACL)

 R1# show ip access-lists BLOCK_WS01

Edit ACL

To add a new Access Control List entry in an existing Named Extended Access Control List

Now you can add a new entry to deny PC3 (IP Address – 192.168.30.1) in the above Named Extended Access Control List (ACL name BLOCK_WS01) from accessing the File Server (IP Address – 192.168.50.3) using FTP. Entries in a named ACL are numbered 10, 20, 30, … by default; an entry added without a sequence number is appended after “permit ip any any” and never matches, so give it sequence number 15 to place it between the existing entries 10 and 20.

 R1> enable
 R1# configure terminal
 R1(config)# ip access-list extended BLOCK_WS01
 R1(config-ext-nacl)# 15 deny tcp host 192.168.30.1 host 192.168.50.3 eq ftp
 R1(config-ext-nacl)# exit

To view the altered Named Access Control List (ACL name BLOCK_WS01)

 R1# show access-lists
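The wildcard-mask and first-match rules used throughout this page, as an added Python model that is not part of the original page or of Cisco IOS: it evaluates the page's own entries (the Case 2 standard ACL and BLOCK_WS01 after the edit) against sample packets to show why a 255.255.255.0 wildcard over-matches and why an entry appended after “permit ip any any” never matches. The Ace and evaluate names are mine, and protocol/operator support is reduced to ip/tcp and eq.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Ace:
    """One access-list entry (hypothetical model, reduced to ip/tcp and 'eq')."""
    seq: int
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"    # the defaults are equivalent to 'any'
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"                  # "ip" matches every protocol
    dport: Optional[int] = None        # 'eq <port>'; None matches any port

def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "tcp", dport: int = 0) -> str:
    """IOS semantics: entries are tried in sequence order, the first match wins,
    and a packet that matches nothing hits the implicit deny at the end."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if ace.proto not in ("ip", proto):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"

# Case 2 written with wildcard 255.255.255.0: only the last octet has to equal 1,
# so every host ending in .1 on any network is denied, not just PC1.
CASE2_WRONG = [Ace(10, "deny", "192.168.10.1", "255.255.255.0"), Ace(20, "permit")]
CASE2_FIXED = [Ace(10, "deny", "192.168.10.1", "0.0.0.0"), Ace(20, "permit")]

# BLOCK_WS01 after the edit: the FTP deny appended as seq 30 sits behind
# 'permit ip any any' and can never match; inserted as seq 15 it takes effect.
FTP_DENY = dict(action="deny", src="192.168.30.1", src_wc="0.0.0.0",
                dst="192.168.50.3", dst_wc="0.0.0.0", proto="tcp", dport=21)
BLOCK_WS01 = [Ace(10, "deny", "192.168.10.1", "0.0.0.0", "192.168.50.1", "0.0.0.0", "tcp", 80),
              Ace(20, "permit")]
APPENDED = BLOCK_WS01 + [Ace(seq=30, **FTP_DENY)]
INSERTED = BLOCK_WS01 + [Ace(seq=15, **FTP_DENY)]
```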
