acl

Access Control List (ACL) in Cisco IOS

ACL– Access Control List is used for filtering traffic or packet based on a given filtering criteria on a router or switch interface. As per ACL statement, a packet is allowed or blocked from further movement.

There are two types of ACL:- 1. Standard Access Lists. 2. Extended Access Lists.

Standard Access Control Lists

A Standard Access List  allows you to permit or deny traffic from specific IP addresses. The destination of the packet and the ports involved can be anything.

Standard IP ACLs range from 1–99, 1300–1999

Syntax –

access-list access-list-number {permit|deny}{host|source source-wildcard|any}

Traffic Filtered direction “in/out”

The “in” keyword is used to specify that the traffic should be filtered when it arrive the router via an interface.

The “out” keyword is used to specify that the traffic should be filtered as it leaves the router via an interface.

Syntax –

Router(config)# interface interface_no
Router01(config-if)#ip access-group <access_list_number> <in/out>

Where to place Standerd ACL –

Standard ACL filters the traffic based on source IP address. Therefore a Standard Access Control List (ACL) must be placed on the router which is near to the destination network/host where it is denied. If we place the Standard Access Control List (ACL) near to source, there is a chance for denial or other legitimate traffic from the source network to some other network.

LAB example Diagram

Case 1. Deny the workstations located at 192.168.10.0/24 network from accessing the servers at 192.168.50.0/24 network, using Standard Access Control List.

Solve- As destination denied servers present in R3, standard ACL should configure here. Also assign to Fa 0/0 as out bound direction. 

 R3> enable
 R3# configure terminal
 R3(config)# access-list 5 deny 192.168.10.0 0.0.0.255
 R3(config)# access-list 5 permit any
 

 R3(config)# interface fa 0/0

 R3(config-if)# ip access-group 5 out

 R3(config-if)# exit

To disable Standard ACL –

R3(config)# no access-list 5

R3(config-if)# no ip access-group 5 out

Case 2. Deny the PC1 (192.168.10.1) from accessing the servers at 192.168.50.0/24 network, using Standard Access Control List.

Solve-

 R3> enable
 R3# configure terminal
 R3(config)# access-list 5 deny 192.168.10.1 255.255.255.0
 R3(config)# access-list 5 permit any
 

 R3(config)# interface fa 0/0

 R3(config-if)# ip access-group 5 out

 R3(config-if)# exit

Case 3. Only PC3 (192.168.30.1) can telnet to R3.

Solve-

 R3> enable
 R3# configure terminal
 R3(config)# access-list 55 permit 192.168.30.1 0.0.0.0
 R3(config)# access-list 55 deny any
 R3(config)#line vty 0 4
 R3(config-line)#access-class 55 in
 R3(config-line)#exit

Extended Access Control Lists

Extended Access Control Lists (ACL) can be used to filter traffic based on Source IP address, Destination IP address, Protocol (TCP, UDP etc), Port Numbers etc.

Extended IP ACLs range from 100–199, 2000–2699

The syntax for IP Extended ACL is given below:-

access-list  access-list-number  {deny | permit}  protocol  source  source-wildcard  destination destination-wildcard [precedence precedence]

Where to place Extended ACL –

Extended ACL can filter the traffic based many factors like source IP address, destination IP address, Protocol, TCP or UDP port numbers etc. Since an Extended Access Control List can filter the IP datagram packet based on the destination IP address, it must be placed on the router which is near to the source network/host. If we place the Extended Access Control List (ACL) near to destination, the unwanted traffic may consume the bandwidth, and it will get filtered near destination.

In Extended ACL, To filter the traffic based on TCP or UDP port numbers, we can use an operator. The operator is used to match the port number or numbers in Access Control Lists. The following table lists important Extended Access Control List operators.

OperatorDescription
ltLess than
gtGreater than
neqNot equal to
eqEqual to
rangeRange of port numbers

The “established” keyword is used to indicate an established connection for TCP protocol. An established connection can be considered as the TCP traffic originating inside your network, not from an external network.

This means that the packets belong to an existing connection if the Transmission Control Protocol (TCP) segment has the Acknowledgment (ACK) or Reset (RST) bit set.

Example:

Router03(config)#access-list 102 permit tcp any any eq www established

Case1. Deny PC1 (192.168.10.1/24) from accessing the Web Server (192.168.50.1/24)

R1>enable
R1#configure terminal
R1(config)#access-list 105 deny tcp host 192.168.10.1 host 192.168.50.1 eq 80
R1(config)#access-list 105 permit ip any any

R1(config)#interface fa0/0
R1(config-if)#ip access-group 105 in
R1(config-if)#exit

Case2. Deny PC4 (192.168.30.2/24) from accessing the Mail Server (192.168.50.1/24)

R1>enable
R1#configure terminal
R1(config)#access-list 105 deny tcp host 192.168.30.2 host 192.168.50.2 eq 25
R1(config)#access-list 105 permit ip any any

R1(config)#interface fa0/0
R1(config-if)#ip access-group 105 in
R1(config-if)#exit

Named Access Control List

Named Access Control Lists (ACLs) allows standard and extended ACLs to be given names instead of numbers. Unlike in numbered Access Control Lists (ACLs), we can edit Named Access Control Lists.

Standard Named Access Control List (ACL) :-

Case1. Deny the workstations located at 192.168.30.0/24 network from accessing the servers at 192.168.50.0/24 network, using Standard Access Control List.

Solve-

 R3> enable
 R3# configure terminal

 R3(config)# ip access-list standard BLOCK_NETWORK2

Router03(config-std-nacl)# deny 192.168.30.0 0.0.0.255
Router03(config-std-nacl)# permit any
Router03(config-std-nacl)# exit


 R3(config)# interface fa 0/0

R3(config-if)# ip access-group BLOCK_NETWORK2 in
R3(config-if)# exit

To remove named ACL

Router03(config)# no access-list BLOCK_NETWORK2

Router01(config-if)# no ip access-group BLOCK_NETWORK2 in

Extended Named Access Control List (ACL) :-

Case1. Deny PC1 (192.168.10.1/24) from accessing the Web Server (192.168.50.1/24)

 R1> enable
 R1# configure terminal
 R1(config)# ip access-list extended BLOCK_WS01
 R1(config-ext-nacl)# deny tcp host 192.168.10.1 host 192.168.50.1 eq 80
 R1(config-ext-nacl)# permit ip any any
 R1(config-ext-nacl)# exit
 

 R1(config)# interface fa0/0
 R1(config-if)# ip access-group BLOCK_WS01 in
 R1(config-if)# exit

To show existing Named Access Control Lists (ACL)

 R1# show ip access-lists BLOCK_WS01

Edit ACL

To add a new Access Control List entry in an existing Named Extended Access Control List

Now you can add a new entry to deny the PC3 (IP Address – 192.168.30.1) in above Named Extended Access Control List (ACL name BLOCK_WS01), from accessing the File Server (IP Address – 192.168.50.3) using FTP.

 R1>enable
 R1# configure terminal
 R1(config)# ip access-list extended BLOCK_WS01
 R1(config-ext-nacl)# deny tcp host 192.168.30.1 host 192.168.50.3 eq ftp
 R1(config-ext-nacl)# exit

To view the altered Named Access Control List (ACL name BLOCK_WS01)

 R1# show access-lists

Leave a Reply

//
Our customer support team is here to answer your questions. Ask us anything!
👋 Hi, how can I help?
Scroll to Top

Institute Registration

National Program for Information Technology & Skill Development


Address of your academy:


Submit Documents


Documentation Fee