
ACL or Access Control Lists


What is an access control list?
In the Cisco IOS, an access control list is a record that identifies and manages traffic. After identifying that traffic, an
administrator can specify various events that can happen to that traffic.

What's the most common type of ACL?

There are two types of IP ACLs: standard and extended. Standard IP ACLs can only control traffic based on the source IP
address. Extended IP ACLs are far more powerful: they can identify traffic based on source IP, source port, destination IP,
and destination port.

What are the most common numbers for IP ACLs?

The most common numbers used for IP ACLs are 1 to 99 for standard lists and 100 to 199 for extended lists. However,
many other ranges are also possible.

Standard IP ACLs: 1 to 99 and 1300 to 1999
Extended IP ACLs: 100 to 199 and 2000 to 2699

How can you filter traffic using ACLs?

You can use ACLs to filter traffic according to the "three P's"—per protocol, per interface, and per direction. You can
only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), and one ACL per direction
(i.e., IN or OUT).

How can an ACL help protect my network from viruses?

You can use an ACL as a packet sniffer to list packets that meet a certain requirement. For example, if there's a virus on
your network that's sending out traffic over IRC port 194, you could create an extended ACL (such as number 101) to
identify that traffic. You could then use the debug ip packet 101 detail command on your Internet-facing router to list all
of the source IP addresses that are sending packets on port 194. Used this way the ACL only identifies the traffic; it does
not block anything until it is applied to an interface with ip access-group.

What's the order of operations in an ACL?

Routers process ACLs from top to bottom. When the router evaluates traffic against the list, it starts at the beginning of
the list and moves down, either permitting or denying traffic as it goes. As soon as an entry matches, the
processing stops.

That means whichever rule comes first takes precedence. If the first part of the ACL denies traffic, but a lower part of the
ACL allows it, the router will still deny the traffic. Let's look at an example:

Access-list 1 permit any
Access-list 1 deny host 10.1.1.1
Access-list 1 deny any

What does this ACL permit? The first line permits anything. Therefore, all traffic matches this entry, so the router
permits all traffic and processing stops; the two deny lines below it are never reached.

What about traffic you don't specifically address in an ACL?


At the end of an ACL is an implicit deny statement. Whether you see the statement or not, the router denies all traffic
that doesn't meet a condition in the ACL. Here's an example:
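An added example, written for this page and not part of the original document or of Cisco's software, that models the two rules just described: entries are checked top to bottom, the first match decides, and anything that matches no entry falls to the implicit deny. The parse_entry and evaluate functions, the PORT_NAMES table and the ACL_1 and NEXUS_ACL sample lists are this example's own names, and it handles only the 'any' and 'host X' address forms the page uses.

```python
import ipaddress

# Added illustration, not from the original page: evaluate IOS-style ACL entries
# top to bottom, first match wins, with the implicit deny at the end of the list.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # keywords IOS accepts after "eq"

def parse_entry(line):
    """Parse one standard ('deny host 10.1.1.1') or extended ('deny tcp host A host B
    eq telnet') entry; only 'any' and 'host X' addresses, as used on this page."""
    t = line.lower().replace("access-list", "").split()
    if t[0].isdigit():                              # numbered list: drop the number
        t = t[1:]
    action, t = t[0], t[1:]
    proto = None
    if t[0] in ("ip", "tcp", "udp", "icmp", "eigrp"):  # extended entry names a protocol
        proto, t = t[0], t[1:]
    def take_addr():
        nonlocal t
        net = None if t[0] == "any" else ipaddress.ip_network(t[1])  # 'host X' -> X/32
        t = t[1:] if net is None else t[2:]
        return net                                  # None matches every address
    src = take_addr()
    dst = take_addr() if proto else None            # only extended entries carry a destination
    dport = None
    if t and t[0] == "eq":
        dport = PORT_NAMES[t[1]] if t[1] in PORT_NAMES else int(t[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, src, dst="0.0.0.0", proto="ip", dport=None):
    """Return 'permit' or 'deny' for one packet: the first matching entry decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in map(parse_entry, acl_lines):
        if e["src"] is not None and s not in e["src"]:
            continue
        if e["proto"] is not None:                  # extended-only checks
            if e["proto"] != "ip" and e["proto"] != proto:
                continue
            if e["dst"] is not None and d not in e["dst"]:
                continue
            if e["dport"] is not None and e["dport"] != dport:
                continue
        return e["action"]                          # first match wins; processing stops
    return "deny"                                   # implicit deny at the end of every ACL

# The page's numbered list: line 1 permits everything, so 10.1.1.1 is still permitted.
ACL_1 = ["Access-list 1 permit any", "Access-list 1 deny host 10.1.1.1",
         "Access-list 1 deny any"]
# The lab's two deny entries on their own: any other packet, such as R3's EIGRP
# traffic, falls through to the implicit deny unless a 'permit ip any any' follows.
NEXUS_ACL = ["deny tcp host 10.0.0.2 host 12.0.0.2 eq telnet",
             "deny tcp host 10.0.0.2 host 12.0.0.2 eq 22"]
```

evaluate(NEXUS_ACL, "10.0.0.2", "224.0.0.10", "eigrp") returns "deny" (224.0.0.10 is the EIGRP multicast address), which is why a list made only of deny entries also breaks the routing adjacency on the interface it is applied to.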

Nexus Education Services Address: Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Globe: 0995-573-8873 ☎ Smart:0999-816-5357 ☎ PLDT: 584-1881 / 788-1420 / 788-1419 website: www.nexusph.net

ACL Hands-On Laboratory

! R1
conf t
hostname R1
no ip domain-lookup
int e0/0
ip address 11.0.0.1 255.0.0.0
no shut
int FastEthernet1/0
speed 100
duplex full
ip address 10.0.0.1 255.0.0.0
no shut
! enable EIGRP so the routers learn each other's networks
router eigrp 10
network 10.0.0.0
network 11.0.0.0
network 12.0.0.0

end
wr

! R2
conf t
hostname R2
int e0/0
duplex full
speed 100
ip address 11.0.0.2 255.0.0.0
no shut
int FastEthernet1/0
duplex full
speed 100
ip address 12.0.0.1 255.0.0.0
no shut
! enable EIGRP; the network statements must cover R2's own connected networks
! (11.0.0.0 and 12.0.0.0) or EIGRP will not run on those interfaces
router eigrp 10
network 11.0.0.0
network 12.0.0.0
end
wr

! R3
conf t
hostname R3
no ip domain-lookup
int FastEthernet1/0
duplex full
speed 100
ip address 10.0.0.2 255.0.0.0
no shut
! R3's only interface is in 10.0.0.0, so that is the network EIGRP must be enabled on
router eigrp 10
network 10.0.0.0
end

! Setup of Telnet & SSH in R3

conf t
service password-encryption
enable password cisco
enable secret secret
line console 0
password console
login
line vty 0 4
password telnet
login
Nexus Education Services Address: Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Globe: 0995-573-8873 ☎ Smart:0999-816-5357 ☎ PLDT: 584-1881 / 788-1420 / 788-1419 website: www.nexusph.net
Page |4

username cisco password cisco
ip domain-name nexus.com
crypto key generate rsa
! stop from here and enter 512
! (512 bits is what this lab expects; it is too weak for real use and too small for
! SSH version 2, which needs a key of at least 768 bits)
line vty 0 4
password cisco
login local
transport input telnet ssh
end

! R4
conf t
hostname R4
no ip domain-lookup
int FastEthernet1/0
duplex full
speed 100
ip address 12.0.0.2 255.0.0.0
no shut
! R4's only interface is in 12.0.0.0, so that is the network EIGRP must be enabled on
router eigrp 10
network 12.0.0.0
end

! Setup of Telnet & SSH in R4

conf t
service password-encryption
enable password cisco
enable secret secret
line console 0
password console
login
line vty 0 4
password telnet
login
username cisco password cisco
ip domain-name nexus.com
crypto key generate rsa
! stop from here and enter 512
! (512 bits is what this lab expects; it is too weak for real use and too small for
! SSH version 2, which needs a key of at least 768 bits)
line vty 0 4
password cisco
login local
transport input telnet ssh
end


Verify your setup

1. You should be able to ping from R3 to R1, to R2, then R3; if not, review all commands.

2. Type sh ip route on all routers; there should be D (EIGRP) entries, for example on R3:

C 10.0.0.0/8 is directly connected, FastEthernet1/0
D 11.0.0.0/8 [90/284160] via 10.0.0.1, 00:05:59, FastEthernet1/0
D 12.0.0.0/8 [90/286720] via 10.0.0.1, 00:05:59, FastEthernet1/0

3. Try to Telnet from R3 to R4; it should be successful

R3#telnet 12.0.0.2
Trying 12.0.0.2 ... Open
User Access Verification
Username: cisco
Password: {type cisco}
R4>en
Password: {secret}
R4#
! type exit to return to R3
R4#exit
[Connection to 12.0.0.2 closed by foreign host]
R3#

4. Try to SSH from R3 to R4; it should be successful

R3#ssh -l cisco 12.0.0.2
Password: {cisco}
R4>en
Password: {secret}
R4#
! type exit to return to R3
R4#exit
[Connection to 12.0.0.2 closed by foreign host]
R3#

! 5. Create an extended Access List in R1 so we can block telnet & SSH remote connection

conf t
! config name based ACL
ip access-list extended nexus_ACL
deny tcp host 10.0.0.2 host 12.0.0.2 eq telnet
deny tcp host 10.0.0.2 host 12.0.0.2 eq 22
! without this permit, the implicit deny at the end of the list drops every other
! packet arriving on the interface, including R3's EIGRP hellos and pings
permit ip any any
int FastEthernet1/0
ip access-group nexus_ACL in

! to show the ACL, type show access-list
! to delete the ACL, type no ip access-list extended nexus_ACL
end

! 6. now try connecting from R3 to R4 using telnet & SSH; it should be unreachable

R3#telnet 12.0.0.2
Trying 12.0.0.2 ...
% Destination unreachable; gateway or host down

R3#ssh -l cisco 12.0.0.2
% Destination unreachable; gateway or host down
