Basic IP Traffic Management with Access Control Lists
Chapter 8

Release 16/07/2009 Jetking Infotrain Ltd.


Chapter Objectives
• Introduce ACL concepts
• Explain the types of ACL
• Configure ACL
• Introduce wildcard masks
• Verify ACL

Recall - I
• IGRP is a distance-vector routing protocol, which means that each router sends all or part of its routing table in a routing update message
• EIGRP was created using IGRP as the base and adding functionality to enhance IGRP
• The OSPF protocol is designed on the Shortest Path First (SPF) algorithm, which enables a router to determine the shortest route to each destination
• When a network link changes its state, the designated router sends a notification called a Link State Advertisement (LSA) across the network
Recall - II
• OSPF provides the following advantages:
  - Open protocol
  - Loop-free topology
  - Scalable
  - Hierarchical design
  - Provides multicasting
• There are different OSPF area types that help to handle external routes:
  - Normal area
  - Stub area
  - Totally stubby area
  - Not-so-stubby area

Access Control List - I
• An Access Control List (ACL) is a set of commands, grouped together, that filter the traffic entering or leaving an interface
• The functions of ACLs include the following:
  - Reduce network traffic and increase network performance
  - Control the flow of traffic in the network
  - Provide security for network access
  - Decide which type of traffic is forwarded or restricted on an interface

Access Control List - II
• You must also specify one of the following directions in which the traffic is filtered:
  - Inbound
  - Outbound
• Access lists are available in the following two types:
  - Numbered ACL
  - Named ACL
• Each of these types comes in two forms:
  - Standard ACL
  - Extended ACL

ACL Processing
• An ACL is a group of statements identified by a name or number
• When the router processes a packet against an ACL, it works through the statements to find one that matches the packet
• The router processes each ACL in top-down order
• If the packet does not match the first statement, the router continues with the next statement, repeating the same process

Configuring ACL
• You must know the guidelines that apply before you configure an ACL
• You can use the access-list command to create an ACL
• The syntax to create an ACL is:
  access-list ACL_# permit|deny conditions
• To activate the ACL on an interface, enter the following at the command prompt:
  interface type slot_#/port_#
  ip access-group ACL_# in|out

ACL Numbers and Protocol Types - I

Type                            Numbers
IP Standard                     1-99, 1300-1999
Standard Vines                  1-99
IP Extended                     100-199, 2000-2699
Extended Vines                  100-199
Bridging type code (layer-2)    200-299
DECnet                          300-399
Standard XNS                    400-499
Extended XNS                    500-599
AppleTalk                       600-699

ACL Numbers and Protocol Types - II

Type                                    Numbers
Bridging MAC address and vendor code    700-799
IPX Standard                            800-899
IPX Extended                            900-999
IPX SAP filters                         1000-1099
Extended transparent bridging           1100-1199
IPX NLSP                                1200-1299

Editing Entries
• You may need to add, delete or modify an entry in the ACL
• In a numbered ACL, you cannot delete a specific entry
• The no access-list command deletes an ACL. The syntax of the command is:
  no access-list ACL_#
• The no access-list ACL_# command deletes the entire list, not a single entry

Wildcard Masking
• Wildcard masks can be used to match a range of IP addresses in an ACL, instead of entering each address manually
• A wildcard mask bit of 0 or 1 in a bit position means the following:
  - 0 - The bit in the ACL statement address must match the bit in the same position of the IP address of the packet being examined
  - 1 - The bit in the ACL statement address does not have to match the bit in the same position of the IP address of the packet being examined

Subnet Masks and Wildcard Masks Values

Bit Value    Subnet Mask          Wildcard Mask
0            Host component       Must match
1            Network component    Ignore
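The bit rules above and the "inverted subnet mask" relationship, worked through as an added Python example (not code from the Jetking slides). The host addresses are constructed for illustration; the example also goes beyond the slides by showing that a non-contiguous wildcard such as 0.0.254.255 matches only even third octets.

```python
import ipaddress

def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value: int) -> str:
    """32-bit integer (possibly a Python bitwise complement) back to dotted decimal."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Invert every bit of the subnet mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return to_dotted(~to_int(subnet_mask))

def wildcard_matches(acl_address: str, wildcard: str, packet_address: str) -> bool:
    """Wildcard bit 0: the packet bit must equal the ACL bit. Wildcard bit 1: bit is ignored."""
    differing_bits = to_int(acl_address) ^ to_int(packet_address)
    must_match_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return differing_bits & must_match_bits == 0

def matching_addresses(acl_address: str, wildcard: str, candidates: list) -> list:
    """Keep only the addresses a statement 'permit acl_address wildcard' would match."""
    return [a for a in candidates if wildcard_matches(acl_address, wildcard, a)]

# Constructed sample hosts (not from the slides); which ones does
# "access-list 10 permit 192.168.10.0 0.0.0.255" match?
SAMPLE_HOSTS = ["192.168.10.1", "192.168.10.254", "192.168.11.1", "10.0.0.5"]
PERMITTED = matching_addresses("192.168.10.0", "0.0.0.255", SAMPLE_HOSTS)

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.252.0"))   # 0.0.3.255
    print(PERMITTED)                                     # ['192.168.10.1', '192.168.10.254']
```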

Standard Numbered ACL
• You can create an entry in a standard numbered IP ACL using the access-list command. The syntax of this command is:
  access-list 1-99|1300-1999 permit|deny source_address [wildcard_mask] [log]
• After creating the standard ACL, you must activate it on the router's interface
• The ip access-group command below activates the ACL on the interface:
  ip access-group ACL_number in|out

Extended Numbered ACLs
• Extended numbered ACLs are more flexible than standard ACLs
• The syntax of the command to configure an extended numbered ACL is:
  access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]

TCP and UDP
• An extended ACL can filter traffic of IP protocols such as TCP and UDP
• The syntax of the command to configure an extended ACL for TCP or UDP is:
  access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]

Operators for TCP and UDP Connections

Operator    Description
lt          Less than
gt          Greater than
neq         Not equal to
eq          Equal to
range       Range of port numbers
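The top-down, first-match processing described under "ACL Processing", combined with the port operators in this table, as an added Python model (not code from the slides). The ACL entries and packets are constructed; the final implicit deny is standard IOS behaviour the slides do not spell out.

```python
from dataclasses import dataclass
import ipaddress
def _addr_matches(acl_addr: str, wildcard: str, pkt_addr: str) -> bool:
    """Wildcard bits that are 0 must match, bits that are 1 are ignored."""
    diff = int(ipaddress.IPv4Address(acl_addr)) ^ int(ipaddress.IPv4Address(pkt_addr))
    return diff & (~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF) == 0

# Port operators from the table above; "range" takes a low and a high port.
OPERATORS = {
    "lt":    lambda port, a, b=None: port < a,
    "gt":    lambda port, a, b=None: port > a,
    "eq":    lambda port, a, b=None: port == a,
    "neq":   lambda port, a, b=None: port != a,
    "range": lambda port, a, b: a <= port <= b,
}

@dataclass
class Entry:
    """One statement, e.g. deny tcp 192.168.10.0 0.0.0.255 10.0.0.5 0.0.0.0 eq 23."""
    action: str               # "permit" or "deny"
    protocol: str             # "ip" matches any IP protocol; "tcp"/"udp" only that one
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port_op: tuple = ()   # ("eq", 23), ("range", 20, 21), ...; empty = any port

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: int = 0

def evaluate(acl: list, pkt: Packet) -> tuple:
    """Walk the statements top-down; return (action, index) of the first match."""
    for index, entry in enumerate(acl):
        if entry.protocol != "ip" and entry.protocol != pkt.protocol:
            continue
        if not (_addr_matches(entry.src, entry.src_wild, pkt.src)
                and _addr_matches(entry.dst, entry.dst_wild, pkt.dst)):
            continue
        op = entry.dst_port_op
        if op and not OPERATORS[op[0]](pkt.dst_port, *op[1:]):
            continue
        return entry.action, index
    return "deny", None       # implicit deny: nothing matched, so IOS drops the packet

# Constructed ACL (not from the slides): block Telnet from one LAN to a server, allow the rest.
ACL_101 = [
    Entry("deny", "tcp", "192.168.10.0", "0.0.0.255", "10.0.0.5", "0.0.0.0", ("eq", 23)),
    Entry("permit", "ip", "192.168.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
```

Reversing the two entries makes the permit match first, so the Telnet deny is never reached; statement order is part of the policy.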

TCP Port Names and Numbers

Name           Command Parameter    Number
FTP Data       ftp-data             20
FTP Control    ftp                  21
Telnet         telnet               23
SMTP           smtp                 25
WWW            www                  80

UDP Port Names and Numbers

Name           Command Parameter    Number
DNS Query      dns                  53
TFTP           tftp                 69
SNMP           snmp                 161
IP RIP         rip                  520

ICMP
• ICMP is one of the protocols used with extended ACLs
• ICMP does not use ports like TCP and UDP, so its syntax has no port operator
• The syntax for filtering ICMP traffic is:
  access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]
• The optional icmp_message lets you match a specific ICMP message type, such as those listed in the ICMP Messages table

ICMP Messages

Message Type                  Description
administratively-prohibited   Specifies that the packet is filtered
echo                          Echo request, used to check that the destination is reachable
echo-reply                    Message sent in response to the echo message created by ping
host-unreachable              Specifies that the subnet is reachable, but the host is not responding
net-unreachable               Specifies that the network or subnet is not reachable
traceroute                    Enables filtering based on the traceroute information

Controlling Telnet Access to a Router
• A standard IP ACL can control Telnet access to the router. The access-class command applies it. The syntax of this command is:
  access-class standard_ACL_# in|out
• Cisco routers let you restrict Telnet access for normal users
• You can configure your router to allow Telnet access only for the network administrators

Named ACLs
• Named ACLs support both IP and IPX protocols
• The ip access-list command creates a named ACL
• The syntax of this command is:
  ip access-list standard|extended ACL_name
• After creating a named ACL, you have to activate it on the router interface
• The ip access-group command given below activates the named ACL:
  ip access-group ACL_name in|out

Verifying and Monitoring Access Control Lists
• To view the ACLs activated on the router's interfaces, use the following command:
  show ip interface
• Cisco IOS lets you monitor each statement in an ACL. To view the statements in the ACL, use the following commands:
  show access-lists [ACL_#_or_name]
  show ip access-list [ACL_#_or_name]

Placing ACLs
• You have to decide the placement of the ACL depending on the source and destination addresses to be filtered
• You must consider the following while placing ACLs:
  - Standard ACL - place it close to the destination device that you want to prevent the source from reaching
  - Extended ACL - place it close to the source device, since it can filter on both the source and destination addresses

Case Study
The Blue Diamond steel company, Gujarat branch, has recruited a few engineers in the Software Management department. The company gets a new project from a client in Delhi. The new engineers need to work only on the software application assigned to them and should not access the server data. To accomplish this, the network administrator Robert uses a standard ACL. The network of the organization appears as shown in the Figure.

Network of the Organization (figure)

Problem
Placement of the standard ACL on the router

Suggested Solution
You can use a standard ACL to prevent the engineers from accessing the server data. However, the placement of the ACL is very important. The engineers should be allowed to access all other computers in the network but not the server. Because a standard ACL filters only on the source address, it is placed close to the destination, on the router interface nearest the server, so that traffic from the engineers to every other destination is not blocked.

Summary - I
• An access control list is a set of commands, grouped together, that filter the traffic entering or leaving an interface
• An ACL is a group of statements identified by a name or number. When the router processes a packet against an ACL, it works through the statements to find one that matches the packet
• After building an IP ACL, you have to apply it to a process in the IOS
• Extended numbered ACLs are more flexible than standard ACLs
Summary - II
• If the router finds a match between the packet and a statement, it executes one of the two actions included with the statement. The actions are:
  - Permit
  - Deny
• You may need to add, delete or modify an entry in the ACL. You cannot delete a specific entry in a numbered ACL
• To handle IP addresses in ACL statements, wildcard masks can be used to match a range of addresses instead of entering each one manually

Summary - III
• A wildcard mask is similar to an inverted subnet mask. To match any address in a subnet or network, take the subnet mask and invert its bit values
• You must consider the following while placing ACLs:
  - Standard ACL - needs to be placed close to the destination device that you want to prevent the source from reaching
  - Extended ACL - needs to be placed close to the source device. The extended ACL can filter on both the source and destination addresses
