Vanessa Avalos
Cisco Networking Academy Semester 3

Chapter 6
Access Control Lists

An ACL is a sequential list of permit or deny statements.  ACLs are used to filter traffic by IP address or upper-layer protocol, and they are applied to router interfaces.

Access Lists are like filters

Reasons for using an ACL
Limit unneeded traffic and increase network performance
Provide traffic flow control
Provide a basic level of security for network access
Decide which types of traffic will be blocked and which will be allowed.

How an ACL works:

The ACL tells the router what kind of packets to permit or deny.  Packets can be permitted or denied based on source address, destination address, and protocol.
ACLs must be defined on a per-protocol basis, so a separate ACL is needed for every protocol you want to filter.
As a packet enters the interface it is first checked to see whether it carries a routable or bridgeable protocol.  Then the interface is checked for an ACL.  If there is an ACL the packet is tested against the statements in the ACL, in order.  If the packet makes it through the ACL (is permitted) it is then checked against the routing table to see where it should be sent.

Configuring an Access List:
1. Create list
2. Specify an ACL number
3. Write statements
4. Apply to interface

Two rules for applying an ACL to an interface:  Put the Extended ACL as close as possible to the source.  Put the Standard ACL as close as possible to the destination.

ACL numbers:
IP standard 1-99
IP extended 100-199
AppleTalk 600-699
IPX standard 800-899
IPX extended 900-999
IPX SAP 1000-1099

Wildcard masks, kind of like the reverse of a subnet mask.
1 means ignore
0 means check

If we had a class B IP address of 172.30.16.0 and you wanted to test it for subnets to be permitted or denied, you would use a wildcard mask of 0.0.15.255.  Because you want to check the network portion of the address, the 0 bits are where the network address is and the 1 bits are the host portion.

The format of an Access List:
Router(config)#access-list {number} {permit/deny} {test conditions} [log]
(log is optional)

Standard ACLs (IP 1-99 or IPX 800-899) do one thing: they are used when you want to block all traffic from a network.  The syntax for a standard ACL is: 
Router(config)#access-list {number}{permit/deny}{source IP}{wildcard} [log]

To specify a large number of individual addresses more briefly, you can omit the wildcard mask when it is all zeros.  Example: Router(config)#access-list 2 permit 36.48.0.3 0.0.0.0
 Changed to: Router(config)#access-list 2 permit 36.48.0.3

Extended ACLs (IP 100-199) are used most often because they provide greater flexibility and control.  You use them when you want some protocols to get through but not others; extended ACLs can check for specific protocols or port numbers.
The syntax for an extended ACL is
Router(config)#access-list {number 100-199}{permit/deny}{protocol}{source IP}{wildcard}{destination IP}{wildcard}{operator}{operand}{established}
Operators are <, >, =, and not-equal (the IOS keywords lt, gt, eq, neq)
Operands are port numbers or keywords

Some common well known port numbers:
(warning, there is no guarantee that these services will be on these port numbers)
FTP data 20
FTP program 21
Telnet 23
SMTP 25
TFTP 69
DNS 53

Remember: Access lists always end with an implicit (invisible) deny any statement, so make sure you have statements for everything that you want to be allowed.
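As an added example (not part of the original notes), here is a small Python model of how a router walks a standard ACL: the wildcard-mask check (0 bits compared, 1 bits ignored), the host/any shorthands, and the implicit deny at the end of the list. The ACL lines and test addresses are constructed for the example.

```python
import ipaddress

IMPLICIT_DENY = "deny"  # the invisible final statement of every ACL


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must match the base; bits that are 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF            # mask of the bits we actually check
    return (a & care) == (b & care)


def parse_standard_acl(lines):
    """Parse IOS-style standard ACL lines into (number, action, base, wildcard).

    Handles 'any', 'host X', an optional trailing 'log', and an omitted wildcard
    (which IOS treats as 0.0.0.0, i.e. match every bit of the address).
    """
    entries = []
    for line in lines:
        parts = line.replace("Router(config)#", "").split()
        if parts[:1] != ["access-list"]:
            continue                   # ignore prompts, comments, blank lines
        number, action = int(parts[1]), parts[2]
        if parts[3] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            base, wildcard = parts[4], "0.0.0.0"
        else:
            base = parts[3]
            wildcard = parts[4] if len(parts) > 4 and parts[4] != "log" else "0.0.0.0"
        entries.append((number, action, base, wildcard))
    return entries


def evaluate(entries, acl_number: int, src: str) -> str:
    """Top-down, first match wins; reaching the end means implicit deny."""
    for number, action, base, wildcard in entries:
        if number == acl_number and wildcard_match(src, base, wildcard):
            return action
    return IMPLICIT_DENY


# Constructed sample list: one host, the 172.30.16.0-172.30.31.255 block of subnets
SAMPLE_ACL = [
    "Router(config)#access-list 2 permit 36.48.0.3",
    "Router(config)#access-list 2 permit 172.30.16.0 0.0.15.255",
]
```

Note that 172.30.32.1 is denied even though no deny statement mentions it; that is the implicit deny the notes warn about.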

If you created an access list and want to change it, you have to delete it and start over using this command:
Router(config)#no access-list {number}

Named Access Lists
Allow standard and extended IP access lists to use a name instead of a number
Can be used to delete individual statements from the ACL instead of deleting the whole list
Use named access lists when:
You want to intuitively identify ACLs using an alphanumeric name
You have more than 99 standard or 100 extended ACLs to configure for a given protocol

Using ACLs in firewall routers:
A firewall router is a router positioned between the Internet and the internal network.
This provides basic security; typically a network firewall consists of several different machines.
Note: using long ACLs on an interface from the internet can cause a bottleneck and slow network performance

Common commands associated with access lists:

Create an access list statement:
Router(config)#access-list {number} {permit/deny} {test-conditions}
Router(config)#access-list {number}{permit/deny}{source IP}{wildcard} [log]
Router(config)#access-list {number 100-199}{permit/deny}{protocol}{source IP}{wildcard}{destination IP}{wildcard}{operator}{operand}[established]

Apply access list to interface:
Router(config-if)#{protocol} access-group {number} {in/out}
Router(config-if)#ip access-group {number} {in/out}

Delete an ACL:
Router(config)#no access-list {number}

Clear logging:
Router#clear logging

To view your access lists:
Router#show access-list

Some example access lists statements:

These 2 statements will do the same job:
Router(config)#access-list 2 permit 36.48.0.3 0.0.0.0
Router(config)#access-list 2 permit 36.48.0.3

These 2 will permit any ip address:
Router(config)#access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)#access-list 1 permit any

These 2 match all the bits in an entire host address:
Router(config)#access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)#access-list 1 permit host 172.30.16.29



Created on September 25, 2001
Updated October 21, 2001

Nothing may be copied from this page unless given permission by the web site owner.

Created by Vanessa Avalos
