
Basic IP Traffic Management with Access Control Lists
Chapter 8
Chapter Objectives
• Introduce ACL concepts
• Explain the types of ACL
• Configure ACL
• Introduce wildcard masks
• Verify ACL

Chapter 8 2
Recall - I
• IGRP is a distance-vector routing protocol, which implies that each router sends all or a part of its routing table in a routing message update
• EIGRP was created using IGRP as the base and adding functionality to enhance IGRP
• The OSPF protocol is designed on the Shortest Path First (SPF) algorithm, which determines the shortest route to each destination
• When a network link changes its state, the designated router sends a notification called a Link State Advertisement (LSA) across the network

Recall - II
• OSPF provides the following advantages:
  - Open protocol
  - Loop-free topology
  - Scalable
  - Hierarchical design
  - Provides multicasting
• There are different OSPF area types that help to handle external routes:
  - Normal area
  - Stub area
  - Totally stubby area
  - Not-so-stubby area

Access Control List - I
• An Access Control List (ACL) is a set of commands, grouped together to filter the traffic that enters or leaves an interface
• The functions of ACLs include the following:
  - Reduce network traffic and increase network performance
  - Control the flow of traffic in the network
  - Provide security for network access
  - Decide which type of traffic is forwarded or restricted on an interface

Access Control List - II
• You must also specify one of the following directions in which the traffic should be filtered:
  - Inbound
  - Outbound
• Access lists are available in the following two types:
  - Numbered ACL
  - Named ACL
• Each of the above types supports two kinds of ACL:
  - Standard ACL
  - Extended ACL

ACL Processing
• ACLs are statements that are grouped together using a name or number
• When a router processes a packet against an ACL, it performs a number of steps to find a statement that matches the packet
• The router processes each ACL in a top-down approach
• If the packet does not match the first ACL statement, the router continues with the next statement, following the same process

Configuring ACL
• You must know the guidelines to configure an ACL
• You can use the access-list command to create an ACL
• The syntax to create an ACL is:
  access-list ACL_# permit|deny conditions
• To activate an ACL on an interface, enter the following at the command prompt:
  interface type slot_#/port_#
  ip access-group ACL_# in|out

ACL Numbers and Protocol Types - I
Type                            Numbers
IP Standard                     1-99, 1300-1999
Standard Vines                  1-99
IP Extended                     100-199, 2000-2699
Extended Vines                  100-199
Bridging type code (layer-2)    200-299
DECnet                          300-399
Standard XNS                    400-499
Extended XNS                    500-599
AppleTalk                       600-699

ACL Numbers and Protocol Types - II
Type                                    Numbers
Bridging MAC address and vendor code    700-799
IPX Standard                            800-899
IPX Extended                            900-999
IPX SAP filters                         1000-1099
Extended transparent bridging           1100-1199
IPX NLSP                                1200-1299

Editing Entries
• You may need to add, delete or modify an entry in the ACL
• In a numbered ACL, you cannot delete a specific entry
• The no access-list command allows you to delete an ACL. The syntax of the command is:
  no access-list ACL_#
• The no access-list ACL_# command deletes the entire list

Wildcard Masking
• Wildcard masks can be used for matching a range of IP addresses in an ACL, instead of entering each address manually
• A wildcard mask bit of 0 or 1 in a given bit position implies the following:
  - 0 - the bit in the ACL statement address must match the corresponding bit in the IP address of the packet being examined
  - 1 - the bit in the ACL statement address does not have to match the corresponding bit in the IP address of the packet being examined

Subnet Masks and Wildcard Masks Values
Bit Value   Subnet Mask          Wildcard Mask
0           Host component       Must match
1           Network component    Ignore
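As an added example (not from the chapter), the following Python models the ACL processing and wildcard-mask rules above: the wildcard is the inverted subnet mask, a 0 bit must match and a 1 bit is ignored, statements are checked top-down with the first match deciding, and a packet matching no statement hits the implicit deny that ends every Cisco ACL. The sample list and addresses are constructed; the 'any' and 'host' shorthands are real IOS keywords the chapter does not cover.

```python
import ipaddress

def wildcard_from_subnet_mask(mask):
    """Invert a dotted-decimal subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def wildcard_match(acl_address, wildcard, packet_address):
    """Wildcard bit 0 = that bit must match, bit 1 = that bit is ignored."""
    a, w, p = (int(ipaddress.IPv4Address(x)) for x in (acl_address, wildcard, packet_address))
    care = ~w & 0xFFFFFFFF                      # bits the statement insists on
    return (a & care) == (p & care)

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny source [wildcard]' lines, keeping their order.
    The IOS shorthands 'any' and 'host A.B.C.D' are accepted; an omitted wildcard means 0.0.0.0."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, source = tokens[2], tokens[3:]
        if source[0] == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif source[0] == "host":
            address, wildcard = source[1], "0.0.0.0"
        else:
            address = source[0]
            wildcard = source[1] if len(source) > 1 else "0.0.0.0"
        entries.append((action, address, wildcard))
    return entries

def evaluate_standard_acl(entries, source_ip):
    """Top-down, first match wins; returns (action, statement index).
    A packet matching no statement hits the implicit deny (index None)."""
    for index, (action, address, wildcard) in enumerate(entries):
        if wildcard_match(address, wildcard, source_ip):
            return action, index
    return "deny", None

# Constructed sample list: block one subnet but permit the rest of 192.168.0.0/16 and one host
ACL_10 = parse_standard_acl([
    "access-list 10 deny 192.168.10.0 0.0.0.255",
    "access-list 10 permit 192.168.0.0 0.0.255.255",
    "access-list 10 permit host 10.1.1.1",
])

if __name__ == "__main__":
    for ip in ("192.168.10.5", "192.168.20.5", "10.1.1.1", "10.1.1.2"):
        print(ip, evaluate_standard_acl(ACL_10, ip))
```

Swapping the first two statements would permit 192.168.10.0/24 as well, which is why statement order matters on a top-down list.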

Standard Numbered ACL
• You can create an entry in a standard numbered IP ACL using the access-list command. The syntax of this command is:
  access-list 1-99|1300-1999 permit|deny source_address [wildcard_mask] [log]
• After creating the standard ACL, you must activate it on the router's interface
• The ip access-group command below enables you to activate the ACL on the interface:
  ip access-group ACL_number in|out

Extended Numbered ACLs
• Extended numbered ACLs are more flexible than standard ACLs
• The syntax of the command to configure an extended numbered ACL is:
  access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]

TCP and UDP
• An extended ACL can filter traffic on IP protocols such as TCP and UDP
• The syntax of the command that allows you to configure an extended ACL for TCP or UDP is:
  access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]

Operators for TCP and UDP Connections
Operator   Description
lt         Less than
gt         Greater than
neq        Not equal to
eq         Equal to
range      Range of port numbers

TCP Port Names and Numbers
Name          Command Parameter   Number
FTP Data      ftp-data            20
FTP Control   ftp                 21
Telnet        telnet              23
SMTP          smtp                25
WWW           www                 80

UDP Port Names and Numbers
Name          Command Parameter   Number
DNS Query     dns                 53
TFTP          tftp                69
SNMP          snmp                161
IP RIP        rip                 520
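The following Python is an added example, not part of the chapter, that parses the TCP/UDP form of the extended ACL statement and evaluates its port operators (lt, gt, eq, neq, range), the port names from the two tables, and the established keyword, which on Cisco routers matches only TCP segments with the ACK or RST bit set. Address matching is left out of this block; the sample statements are constructed.

```python
# Port names as listed in the chapter's TCP and UDP tables
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
              "dns": 53, "tftp": 69, "snmp": 161, "rip": 520}
# One comparison per operator from the operator table; a = operand list from the statement
COMPARE = {"lt": lambda p, a: p < a[0], "gt": lambda p, a: p > a[0],
           "eq": lambda p, a: p == a[0], "neq": lambda p, a: p != a[0],
           "range": lambda p, a: a[0] <= p <= a[1]}
TCP_ACK, TCP_RST = 0x10, 0x04          # flag bits in the TCP header

def resolve_port(token):
    """Accept a port name from the tables or a plain port number."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def port_matches(clause, port):
    """clause is None (no operator: any port) or (operator, [port, ...])."""
    return True if clause is None else COMPARE[clause[0]](port, clause[1])

def take_port_clause(tokens):
    """Consume an optional '[operator port [port]]' from the front of the token list."""
    if tokens and tokens[0] in COMPARE:
        count = 2 if tokens[0] == "range" else 1
        return (tokens[0], [resolve_port(t) for t in tokens[1:1 + count]]), tokens[1 + count:]
    return None, tokens

def take_address(tokens):
    """'any' is one token; 'host A.B.C.D' or 'address wildcard' are two (not evaluated here)."""
    width = 1 if tokens[0] == "any" else 2
    return tokens[:width], tokens[width:]

def parse_extended_tcp_udp(line):
    """access-list N permit|deny tcp|udp src [op port] dst [op port] [established] [log]"""
    tokens = line.split()
    action, protocol, rest = tokens[2], tokens[3], tokens[4:]
    _, rest = take_address(rest)
    src_ports, rest = take_port_clause(rest)
    _, rest = take_address(rest)
    dst_ports, rest = take_port_clause(rest)
    return {"action": action, "protocol": protocol, "src_ports": src_ports,
            "dst_ports": dst_ports, "established": "established" in rest}

def l4_match(entry, protocol, sport, dport, tcp_flags=0):
    """Port and flag part of the match; 'established' requires ACK or RST on a TCP segment."""
    if entry["protocol"] != protocol:
        return False
    if entry["established"] and not (tcp_flags & (TCP_ACK | TCP_RST)):
        return False
    return port_matches(entry["src_ports"], sport) and port_matches(entry["dst_ports"], dport)
```

A statement with established permits return traffic of sessions opened from inside, while a fresh SYN (no ACK) from outside does not match it.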

ICMP
• ICMP is one of the protocols used with extended ACLs
• ICMP does not use ports like TCP and UDP
• The syntax for filtering ICMP traffic is:
  access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]
• The icmp_message parameter lets you match a specific ICMP message type

ICMP Messages
Message Type                  Description
administratively-prohibited   Specifies that the packet is filtered
echo                          Checks whether the destination is reachable (the request sent by ping)
echo-reply                    The message sent in response to the echo message created by ping
host-unreachable              Specifies that the subnet is reachable, but the host is not responding
net-unreachable               Specifies that the network or subnet is not reachable
traceroute                    Enables filtering based on traceroute information

Controlling Telnet Access to a Router
• Standard IP ACLs control telnet access to the router. The access-class command enables you to accomplish this. The syntax of this command is:
  access-class standard_ACL_# in|out
• Cisco routers enable you to restrict telnet access for normal users
• You can configure your router to allow telnet access only for the network administrators

Named ACLs
• Named ACLs support both IP and IPX protocols
• The ip access-list command allows you to create a named ACL
• The syntax for this command is:
  ip access-list standard|extended ACL_name
• After creating a named ACL, you have to activate it on the router interface
• The ip access-group command given below enables you to activate the named ACL:
  ip access-group ACL_name in|out

Verifying and Monitoring Access Control Lists
• To view the ACLs that are activated on the router's interfaces, use the following command:
  show ip interface
• Cisco allows you to monitor each statement in the ACL. To view the statements in an ACL, use the following commands:
  show access-lists [ACL_#_or_name]
  show ip access-lists [ACL_#_or_name]

Placing ACLs
• You have to decide the placement of the ACL depending on the source and destination addresses to be filtered
• You must consider the following while placing the ACLs:
  - Standard ACL
  - Extended ACL

Case Study
The Blue Diamond steel company, Gujarat branch, has recruited a few engineers in the Software Management department. The company gets a new project from its client in Delhi. The new engineers need to work only on the software application assigned to them and should not access the server data. To accomplish this, the network administrator Robert uses a standard ACL. The network of the organization appears as shown in the Figure.

Network of the Organization

Problem

Placement of the standard ACL on the router

Suggested Solution
You can use a standard ACL to prevent the users from accessing the server data. However, the placement of the ACL is very important. The engineers should be allowed to access all other computers in the network but not the server
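As an added example, not from the chapter, the following Python models the case study's placement question on a constructed topology (all router names, interfaces and addresses are assumptions): the same standard ACL bound outbound on the server's interface blocks only engineer-to-server traffic, while bound inbound where the engineers enter the network it cuts them off from every destination. CIDR networks stand in for the address/wildcard pair of a real statement.

```python
import ipaddress

# Constructed topology (assumed, not from the chapter):
#   engineers LAN 10.1.0.0/24 on R1 Fa0/0; R1 Fa0/1 <-> R2 Fa0/1;
#   server LAN 10.2.0.0/24 (data server 10.2.0.10) on R2 Fa0/0;
#   other staff 10.3.0.0/24 on R2 Fa0/2
ENGINEERS = ipaddress.ip_network("10.1.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered (router, interface, direction) hops a packet from the engineers crosses to reach each destination
PATHS = {
    "10.2.0.10": [("R1", "Fa0/0", "in"), ("R1", "Fa0/1", "out"), ("R2", "Fa0/1", "in"), ("R2", "Fa0/0", "out")],
    "10.3.0.25": [("R1", "Fa0/0", "in"), ("R1", "Fa0/1", "out"), ("R2", "Fa0/1", "in"), ("R2", "Fa0/2", "out")],
}

# Standard ACL 10: deny the engineers, permit everyone else (first match wins, implicit deny last).
# 10.1.0.0/24 plays the role of "10.1.0.0 0.0.0.255" in the access-list statement.
ACL_10 = [("deny", ENGINEERS), ("permit", ANY)]

def standard_acl_action(acl, source):
    """A standard ACL looks only at the source address."""
    for action, network in acl:
        if ipaddress.ip_address(source) in network:
            return action
    return "deny"

def dropped_at(bindings, source, destination):
    """bindings: {(router, interface, direction): acl}. Returns the hop that drops the packet, or None."""
    for hop in PATHS[destination]:
        if hop in bindings and standard_acl_action(bindings[hop], source) == "deny":
            return hop
    return None

def blocked_destinations(bindings, source):
    return sorted(d for d in PATHS if dropped_at(bindings, source, d) is not None)

# Close to the destination (the chapter's rule for standard ACLs): only the server is cut off
NEAR_SERVER = {("R2", "Fa0/0", "out"): ACL_10}
# Close to the source: the same list also blocks the engineers from the other staff PCs
NEAR_SOURCE = {("R1", "Fa0/0", "in"): ACL_10}

if __name__ == "__main__":
    for name, bindings in (("near server", NEAR_SERVER), ("near source", NEAR_SOURCE)):
        print(name, "blocks", blocked_destinations(bindings, "10.1.0.7"))
```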

Summary - I
• An access control list is a set of commands, grouped together to filter the traffic that enters or leaves an interface
• ACLs are statements that are grouped together using a name or number. When a router processes a packet against an ACL, it performs a number of steps to find a statement that matches the packet
• After building an IP ACL, you have to apply it to a process in the IOS
• Extended numbered ACLs are more flexible than standard ACLs

Summary - II
• If the router locates a match between the packet and a statement, the router executes one of the two actions included with the statement. The actions are:
  - Permit
  - Deny
• A need may arise to add, delete or modify an entry in the ACL. You cannot delete a specific entry in a numbered ACL
• To handle IP addresses in ACL statements, wildcard masks can be used for matching a range of addresses instead of entering each one manually

Summary - III
• A wildcard mask is similar to an inverted subnet mask. If you want to match any address in a subnet or network, take the subnet mask and invert its bit values
• You must consider the following while placing the ACLs:
  - Standard ACL - needs to be placed close to the destination device that you want to prevent the source from reaching
  - Extended ACL - needs to be placed close to the source device. The extended ACL can filter on both the source and destination addresses
