Access Control Lists (ACLs)
[Figure: network diagram used throughout the module. A router with interfaces e0 (network 172.16.3.0), e1 (network 172.16.4.0), s0 and s1; hosts 172.16.3.1, 172.16.3.2, 172.16.4.2, 172.16.4.3 and 172.16.2.2; a server at 172.16.4.13; and traffic arriving from "Non-172.16.0.0" addresses.]

• Standard:
  Interface Fa 0/0/0
  ip access-group 1 out
• Extended:
  Interface Fa 0/0/0
  ip access-group 101 in
Each ACL statement is checked in sequential order (first to last); when there is a match, no more statements are checked.
If no statement matches, the packet is discarded by default (the implicit deny at the end of every list).
Adding additional ACL statements to the end of an existing list is just a matter of entering the new statement. BUT deleting an existing ACL statement causes the entire access list to be deleted.
Router(config-if)# ip access-group 1
Router(config-if)# ip access-group 50
To delete an ACL group statement from an interface (this will not delete the associated list):
Router(config-if)# no ip access-group <ACL number> { in | out }
A 0 in the wildcard means check the bit in the IP you are testing.
A 1 in the wildcard means ignore the bit in the IP you are testing.
NOTE!!!
Do NOT think subnet mask – that is a totally different meaning not related to the WILDCARD.
Standard ACL criteria:
• block all traffic from a network
• allow all traffic from a network
• deny entire protocol suites
Router(config)# access-list <ACL number> { deny | permit } source [ source wildcard ] [ log ]
Permits all traffic from 172.16.0.0 and sends a message to the console every time the access list statement is hit.
Denies traffic from host 172.16.13.7 and sends a message to the console every time the access list statement is hit.
The log keyword prints messages to the console which include the ACL number, whether the packet was permitted or denied, the source address, and the number of packets.
The message is generated for the first packet that matches, and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval.
Log is for debugging only and is not to be left active on live networks.
Router(config-if)# ip access-group 33 in
Router(config-if)# ip access-group 44 out
show ip access-list
  Shows only the IP access lists configured on the router.
show ip interface
  Shows which interfaces have access lists set (containing an access-group).
show running-config
  Shows the router's entire configuration.
[Figure: the module's network diagram (e0 → 172.16.3.0, e1 → 172.16.4.0, s0, server 172.16.4.13, Non-172.16.0.0 traffic).]
R(config)# Interface e0
R(config-if)# ip access-group 1 out
R(config)# Interface e1
R(config-if)# ip access-group 1 out
[Figure: the module's network diagram (e0 → 172.16.3.0, e1 → 172.16.4.0, s0, server 172.16.4.13, Non-172.16.0.0 traffic).]
R(config)# Interface e0
R(config-if)# ip access-group 1 out
Denies traffic from a specific device, 172.16.4.13, and allows all other traffic out e0 to network 172.16.3.0.
[Figure: the module's network diagram (e0 → 172.16.3.0, e1 → 172.16.4.0, s0, server 172.16.4.13, Non-172.16.0.0 traffic).]
Interface e0
ip access-group 1 out
Denies traffic from the subnet 172.16.4.0 and allows all other traffic out e0 to network 172.16.3.0.
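The evaluation rules stated earlier (sequential first match, implicit deny, wildcard bits, the log keyword) and the two standard ACL scenarios just described, worked through in Python as an added example; this is not code from the course slides. The access-list statements are constructed to fit the page's descriptions (the slides do not show them), the class and function names are my own, and the console line only approximates what IOS prints.

```python
"""Standard ACL evaluator (added example, not from the CCNA slides).

Models the page's rules: statements are checked top to bottom, the first
match decides, and a packet that matches nothing falls to the implicit
deny. In a wildcard, a 0 bit must match and a 1 bit is ignored.
"""
from ipaddress import IPv4Address

ANY_WILDCARD = 0xFFFFFFFF


def parse_standard(line):
    """Parse 'access-list <n> {permit|deny} {any|host A|A [wildcard]} [log]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest[0] == "any":
        base, wildcard = 0, ANY_WILDCARD
    elif rest[0] == "host":
        base, wildcard = int(IPv4Address(rest[1])), 0
    else:
        base = int(IPv4Address(rest[0]))
        # IOS treats an omitted wildcard as 0.0.0.0, i.e. a single host.
        wildcard = int(IPv4Address(rest[1])) if len(rest) > 1 else 0
    return {"number": number, "action": action, "base": base,
            "wildcard": wildcard, "log": log, "text": line}


def wildcard_match(addr, base, wildcard):
    """True when every bit that is 0 in the wildcard is equal in addr and base."""
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0


class StandardACL:
    def __init__(self, statements):
        self.entries = [parse_standard(s) for s in statements]
        self.hits = [0] * len(self.entries)   # per-statement match counters
        self.log = []                          # console messages from 'log' entries

    def evaluate(self, src):
        """Return (action, index of matching statement); None means implicit deny."""
        src_int = int(IPv4Address(src))
        for i, e in enumerate(self.entries):
            if wildcard_match(src_int, e["base"], e["wildcard"]):
                self.hits[i] += 1
                if e["log"]:
                    # Approximation of the console line the page describes:
                    # list number, permitted/denied, source, packet count.
                    verb = "permitted" if e["action"] == "permit" else "denied"
                    self.log.append(f"list {e['number']} {verb} {src} {self.hits[i]} packet(s)")
                return e["action"], i
        return "deny", None   # no match: the implicit deny at the end of every list


# Constructed statements for the page's "deny one device" scenario.
ACL_DENY_HOST = [
    "access-list 1 deny host 172.16.4.13 log",
    "access-list 1 permit any",
]
# Constructed statements for the page's "deny one subnet" scenario.
ACL_DENY_SUBNET = [
    "access-list 2 deny 172.16.4.0 0.0.0.255",
    "access-list 2 permit any",
]
# The same two statements as ACL_DENY_HOST in the wrong order: the host is never denied,
# because 'permit any' matches first and no further statement is checked.
ACL_WRONG_ORDER = [
    "access-list 3 permit any",
    "access-list 3 deny host 172.16.4.13",
]


if __name__ == "__main__":
    for name, stmts in (("deny host", ACL_DENY_HOST),
                        ("deny subnet", ACL_DENY_SUBNET),
                        ("wrong order", ACL_WRONG_ORDER)):
        acl = StandardACL(stmts)
        for src in ("172.16.4.13", "172.16.4.3", "172.16.2.2"):
            print(f"{name:12} {src:12} -> {acl.evaluate(src)}")
        for line in acl.log:
            print("  console:", line)
```

The third list is the usual mistake the ordering rule warns about: a "deny" placed after a broad "permit" is dead code, and the `hits` counters make that visible because the deny statement never increments.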
Extended ACL criteria:
• checks both the packet's source and destination addresses
• checks for a specific protocol
• checks for specific port numbers
• permits or denies applications – pings, telnet, FTP, etc.
• ACL numbers range between 100 – 199 (for IP)
Extended ACL statement fields:

Field           Meaning
ACL number      100 – 199
permit | deny   Packet is allowed or blocked
protocol        IP, TCP, UDP, ICMP, GRE or IGRP
operator        lt, gt, eq, neq
operand         Port number
established     Allows TCP traffic to pass if the packet uses an established connection (for example, has the ACK bit set).

Perrine modified by Brierley 1/23/2018 Page 40
CCNA2 Routing Extended ACLs Module 11
Router(config)# int E0
Router(config-if)# ip access-group 101 in
[Figure: the module's network diagram (e0 → 172.16.3.0, e1 → 172.16.4.0, s0, server 172.16.4.13, Non-172.16.0.0 traffic).]
Interface e0
ip access-group 101
Blocks FTP traffic from all hosts on 172.16.4.0 to any device on 172.16.3.0 and allows all other traffic.
[Figure: the module's network diagram (e0 → 172.16.3.0, e1 → 172.16.4.0, s0, server 172.16.4.13, Non-172.16.0.0 traffic).]
Interface e0
ip access-group 101
Denies only telnet traffic from the 172.16.4.0 network to the 172.16.3.0 network, and permits all other traffic out e0 to any address.
NOTE:
You cannot add ACL statements into the body of a numbered access list (ONLY at the end of the list). Otherwise the access list must be deleted first, and then rewritten.
NOTE:
A named ACL will allow the deletion of individual statements, but will only allow new statements to be inserted at the end of the list.
Wildcard bit matching (x = bit ignored because the wildcard bit is 1):

  10101100.00010000.00000000.00000000   172.16.0.0
  00000000.00000000.xxxxxxxx.xxxxxxxx   wildcard 0.0.255.255
  10101100.00010000.xxxxxxxx.xxxxxxxx   Matched value: any address 172.16.x.x

  10101100.00010000.00000000.00000000   172.16.0.0
  00000000.00000000.xxxxxxxx.xxxxxxx0   wildcard 0.0.255.254
  10101100.00010000.xxxxxxxx.xxxxxxx0   Matched value: 172.16.x.x with the last bit 0

So what operation does the access list perform? It permits 172.16.4.4 and denies 172.16.4.1 and 172.16.4.5: it permits all even addresses from the network 172.16.0.0.
One can permit or deny a block of addresses. However, the block size must be a power of 2 (for example 2, 4, 8, 16, 32, 64, 128, etc.).
When you need to specify a range of addresses, you choose the closest block size for your needs.
Example: you want to block access to the part of the network in the range 198.16.99.0 through 198.16.99.7. This is a block size of 8. Hence:
198.16.99.0 0.0.0.7
Also, for a block of 8 the beginning address must start at a multiple of 8: 0, 8, 16, etc.
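Wildcard block sizing, as an added Python example (not from the course slides): it turns a contiguous address range into the base/wildcard pair, rejects a range whose size is not a power of 2 or whose first address is not aligned to that size, and renders the bit pattern behind the even-address wildcard 0.0.255.254 from the previous slide. The function names and the deliberately misaligned sample range 198.16.99.4 through 198.16.99.11 are my own; non-contiguous wildcards such as 0.0.255.254 are only matched here, not generated.

```python
"""Wildcard-mask helper (added example, not from the CCNA slides)."""
from ipaddress import IPv4Address


def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match; a 1 bit is ignored (dotted-quad strings)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def wildcard_for_range(first, last):
    """Return (base, wildcard) covering first..last inclusive.

    Raises ValueError when the range is not an aligned power-of-2 block,
    which is exactly the case the slides say cannot be expressed.
    """
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if hi < lo:
        raise ValueError("last address precedes first address")
    size = hi - lo + 1
    if size & (size - 1):                 # a power of 2 has a single bit set
        raise ValueError(f"block size {size} is not a power of 2")
    if lo % size:                         # first address must be a multiple of the block size
        raise ValueError(f"{first} is not aligned to a block of {size}")
    return str(IPv4Address(lo)), str(IPv4Address(size - 1))


def explain(addr, base, wildcard):
    """Render the match pattern the way the slides draw it: x = ignored bit."""
    bits_base = f"{int(IPv4Address(base)):032b}"
    bits_wc = f"{int(IPv4Address(wildcard)):032b}"
    pattern = "".join("x" if w == "1" else b for b, w in zip(bits_base, bits_wc))
    dotted = ".".join(pattern[i:i + 8] for i in range(0, 32, 8))
    verdict = "match" if wildcard_match(addr, base, wildcard) else "no match"
    return f"{dotted}  {addr}: {verdict}"


if __name__ == "__main__":
    print(wildcard_for_range("198.16.99.0", "198.16.99.7"))   # the slide's block of 8
    for a in ("172.16.4.4", "172.16.4.1", "172.16.4.5"):
        print(explain(a, "172.16.0.0", "0.0.255.254"))          # even addresses only
    try:
        wildcard_for_range("198.16.99.4", "198.16.99.11")       # size 8 but not aligned
    except ValueError as err:
        print("rejected:", err)
```

Run it with a range that is too wide for one block (say 198.16.99.0 through 198.16.99.9) and the ValueError tells you to split it into two statements (a block of 8 plus a block of 2), which is the "closest block size" decision the slide describes.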
You can control access via the VTY ports, controlling telnet sessions coming into the router.
You write the ACL as usual, but use access-class to apply it.
As an example:
Note: only numbered access lists can be applied to VTY virtual lines!
[Figure: hosts A and B; B's response back to A is part of an established connection.]
As a practical example:
[Figure: router with e0 on network 172.16.3.0 (host 172.16.3.13) and e1 toward the INTERNET; network 172.16.4.0 also shown.]
Allow host 172.16.3.13 an Internet connection, but don't allow the Internet to initiate any sessions.
Router(config)# int e1
Router(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit tcp any host 172.16.3.13 eq www established
Note: the established argument is limited to TCP, which means UDP, ICMP and all other IP protocols will not match and will be denied unless specifically allowed. Hence:
Router(config)# int e1
Router(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.0.255 eq www established
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 permit udp any any eq 53
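The extended ACL fields listed earlier (protocol, source and destination with wildcard, operator and port, established) and the three access-list 101 statements just shown, applied to constructed inbound packets in Python as an added example; this is not code from the course slides. The parser covers only the syntax used on this page, the Internet host 203.0.113.5, the packets and the port-name table are constructed, and the flag check follows IOS in treating a set ACK or RST bit as "established".

```python
"""Extended ACL evaluator with the 'established' check (added example, not from the slides).

Parses only the syntax used on this page:
  access-list N {permit|deny} PROTO SRC [op port] DST [op port] [established]
where SRC/DST is 'any', 'host A' or 'A WILDCARD'.
"""
from ipaddress import IPv4Address

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53}  # constructed subset of IOS names
OPERATORS = ("lt", "gt", "eq", "neq")

# The statements exactly as given on the page (inbound on e1, the Internet side).
ACL_101 = [
    "access-list 101 permit tcp any 172.16.3.0 0.0.0.255 eq www established",
    "access-list 101 permit icmp any any",
    "access-list 101 permit udp any any eq 53",
]


def wildcard_match(addr, base, wildcard):
    """A 0 wildcard bit must match, a 1 bit is ignored (integer addresses)."""
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0


def parse_extended(line):
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line}")
    entry = {"number": int(t[1]), "action": t[2], "proto": t[3], "established": False}
    pos = 4

    def take_addr():
        nonlocal pos
        if t[pos] == "any":
            pos += 1
            return 0, 0xFFFFFFFF
        if t[pos] == "host":
            pos += 2
            return int(IPv4Address(t[pos - 1])), 0
        pos += 2
        return int(IPv4Address(t[pos - 2])), int(IPv4Address(t[pos - 1]))

    def take_port():
        nonlocal pos
        if pos < len(t) and t[pos] in OPERATORS:
            op, operand = t[pos], t[pos + 1]
            pos += 2
            return op, PORT_NAMES.get(operand) or int(operand)
        return None

    entry["src"] = take_addr()
    entry["sport"] = take_port()
    entry["dst"] = take_addr()
    entry["dport"] = take_port()
    if pos < len(t) and t[pos] == "established":
        entry["established"] = True
        pos += 1
    if pos != len(t):
        raise ValueError(f"trailing tokens in: {line}")
    return entry


def port_ok(cond, port):
    if cond is None:
        return True
    op, operand = cond
    return {"lt": port < operand, "gt": port > operand,
            "eq": port == operand, "neq": port != operand}[op]


def evaluate(statements, pkt):
    """Return (action, index of matching statement); ('deny', None) is the implicit deny.

    pkt keys: proto ('tcp'/'udp'/'icmp'), src, dst; tcp/udp add sport and dport;
    tcp packets carry a 'flags' set such as {'SYN'} or {'ACK'}.
    """
    acl = [parse_extended(s) for s in statements]
    s, d = int(IPv4Address(pkt["src"])), int(IPv4Address(pkt["dst"]))
    for i, e in enumerate(acl):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(s, *e["src"]) and wildcard_match(d, *e["dst"])):
            continue
        if e["proto"] in ("tcp", "udp") and not (
                port_ok(e["sport"], pkt.get("sport", 0)) and port_ok(e["dport"], pkt.get("dport", 0))):
            continue
        # 'established' matches only TCP segments that already carry ACK (IOS also accepts RST);
        # a bare SYN, i.e. a new session started from the outside, never matches it.
        if e["established"] and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return e["action"], i
    return "deny", None


OUTSIDE = "203.0.113.5"   # constructed Internet host (documentation address range)
INSIDE = "172.16.3.13"
PACKETS = [               # constructed packets arriving inbound on e1
    ("tcp to port 80, ACK set",  {"proto": "tcp", "src": OUTSIDE, "dst": INSIDE, "sport": 44321, "dport": 80, "flags": {"ACK"}}),
    ("tcp to port 80, SYN only", {"proto": "tcp", "src": OUTSIDE, "dst": INSIDE, "sport": 44322, "dport": 80, "flags": {"SYN"}}),
    ("tcp to port 22, ACK set",  {"proto": "tcp", "src": OUTSIDE, "dst": INSIDE, "sport": 44323, "dport": 22, "flags": {"ACK"}}),
    ("icmp echo",                {"proto": "icmp", "src": OUTSIDE, "dst": INSIDE}),
    ("udp to port 53",           {"proto": "udp", "src": OUTSIDE, "dst": INSIDE, "sport": 5353, "dport": 53}),
    ("udp to port 123",          {"proto": "udp", "src": OUTSIDE, "dst": INSIDE, "sport": 123, "dport": 123}),
]

if __name__ == "__main__":
    for label, pkt in PACKETS:
        print(f"{label:26} -> {evaluate(ACL_101, pkt)}")
```

The SYN-only packet is the one the page's requirement is about: it carries no ACK, so the first statement does not match, the ICMP and UDP statements do not apply to TCP, and it falls to the implicit deny. Remove the `permit icmp any any` line and the ICMP packet is denied the same way, which is the point of the note about established being limited to TCP.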
ACL Rules:
• Standard ACL: place the ACL as near the destination as possible.
• Extended ACL: put the ACL as close as possible to the source.