1| Free Learning (Fayyaz Ahmed) CSCO12971267

CLASSROOM IN A BOOK
Topic: Class 10: Discuss ACL Security.
Presented by: EasyPeezZi.com
Download free books at: www.EasyPeezZi.com
What's EasyPeezi?
EasyPeezZi.com -------------------This Book is written by Fayyaz Ahmed-------------------
EasyPeezi?
The idea behind EasyPeezi is to make learning very easy for everyone.
In EasyPeezi we have two cartoon characters: the boy is Easy and the girl is Peezzi :-p. You can see the picture below, which helps you read books and blogs very easily.
On the Easypeezzi site I upload my education, my notes and the concepts I have in my field, and try to share them with you all in Roman, so you can learn these concepts quickly and easily whether you know English or not.
I invest a lot of my time and effort to build the site, learn these things, make all the notes and books in Roman, type thousands of words myself and share my knowledge with all of you, so take it seriously, learn things quickly, go ahead and enjoy the show.

For further details visit www.Easypeezzi.com. I hope this site is helpful to you and others and informative for learning these things quickly and easily. So that's all about EasyPeezzi.

Feedback
Easypeezzi@gmail.com

All contents copyright All rights reserved. No part of this document or the related files may be reproduced
or transmitted in any form, by any means (electronic, photocopying, recording, or otherwise) without the
prior written permission of the publisher.



Topics Covered in this Book

Access Control Lists (ACLs)

Contents                                                Page No

Access Control List Overview                            04

Types of ACL

1) Standard ACL
   o Where to apply a standard ACL?
   o Important for standard ACL

2) Extended ACL                                         06
   a. Where to apply an extended ACL?
   b. Advantage of extended ACL: direct HTTP block       07
   c. Advantage of extended ACL: direct Telnet block

3) Named ACL on Cisco Router                            08
   a. Benefit of named ACL
   b. Criteria of applying ACL                           09
   c. Selection of ACL
   d. Direction & action of ACL                          10
   e. Inbound
   f. Outbound


Access Control List:

An Access Control List (ACL) performs packet filtering: it decides which packets are allowed and which are denied. ACLs are configured on the router. As long as no ACL is configured there is no filtering in the network, and any traffic can pass through the router. Once we apply an ACL, we filter the packets and decide which traffic is allowed through the router and which is not.

There are two types of ACL:

Standard ACL:

In a standard ACL we can filter only on the source IP address: we give the IP of a computer, and that computer's traffic is blocked. A standard ACL gives us very little control; we can block, but only on the basis of the source IP of that computer, i.e. which IP the traffic is coming from, not which IP it is going to.

This is a big disadvantage. Suppose we block a source IP on a router interface so that a certain PC cannot reach our server: we apply one ACL and define that computer's source IP in it. The disadvantage is that the PC will indeed no longer reach the server, because the ACL applies, but it will also be unable to reach any other computer or server placed behind that interface.

The reason is that a standard ACL looks at the source IP, not the destination. It only knows which IP's traffic to block, not which destination it should be blocked for, so it blocks that PC's traffic to every computer on the other end of the router: the router filters the packet, sees that the ACL matches only the source IP, and keeps discarding all of that IP's traffic instead of forwarding it.

That is why we have to choose the router very carefully: the router should be in our network but not connected on the client side, otherwise the client side's traffic will also be blocked. For this reason we mostly use extended ACLs, where we specify both the source and the destination IP manually, so this problem does not arise. Even there, router selection is very important: on which router, which interface and in which direction the ACL is configured.


With an ACL we can block a single IP, and with one ACL statement we can also block the IPs of an entire network, if we write the whole network's address in the source field or define a range, for example 192.168.0.10/20 deny: that way the traffic of the PCs from 10 to 20 is blocked with a single statement. To block such a range we use a wildcard mask.

The range of standard ACL numbers is 1 to 99 and 1300 to 1999 (expanded range).

This means that whatever statements we configure on the router have a statement number between 1 and 99, and we can apply different actions to the same statement number, like in/out; the statement number stays 1 while the action changes, i.e. deny or permit.

Where to apply a standard ACL?

As close as possible to the destination host.

Important for ACL:

Whenever we add a statement to an ACL, for example a deny, the router itself adds one more statement after it: deny all traffic. So if we have configured only one deny statement, that ACL will deny all your traffic, because you told the router which IP's traffic to block but not which other IPs to permit.

If you think the router will only deny the IPs we explicitly deny in the ACL and will permit everyone else by itself, that is not the case at all: after a deny list is created, the router places its own statement after it and denies all traffic. To avoid this problem we write one more statement after the deny statement, in which we permit the remaining traffic, so the router knows it has to permit the remaining IPs.

The router always checks the ACL from top to bottom. As soon as a statement matches, the router immediately looks at the action: if it is deny, it discards the traffic; if it is permit, it allows the traffic. That's it; that is the concept of an ACL. Now see the configuration of an ACL below.

Example & Configuration of Standard ACL:

! wildcard 0.0.0.0 matches exactly one host (0.0.255.255 would match all of 192.168.x.x)
Router(config)# access-list 1 deny 192.168.0.1 0.0.0.0
Router(config)# access-list 1 deny 192.168.0.2 0.0.0.0
! permit everything else, otherwise the implicit deny blocks all remaining traffic
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)# interface fa0/0
Router(config-if)# ip access-group 1 out
Router(config-if)# exit


Extended ACL:

An extended ACL is good for implementation because in an extended ACL we can filter based on:
1) Source IP address.
2) Destination IP address.
3) Protocol-based blocking, like HTTP, FTP, ICMP, UDP, TCP.
4) Blocking by port number.

So it gives us much more control, which is why it is used more; this is the second type of ACL.

The range of extended ACL numbers is 100 to 199 and 2000 to 2699 (expanded range).

Where to apply an extended ACL?

As close as possible to the source host.

Configuration of Extended ACL:

! the first address is the source, the second is the destination
Router(config)# access-list 100 deny ip host 192.168.0.1 host 192.168.0.10
Router(config)# access-list 100 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# exit

1st advantage of extended ACL:

The first advantage is that we can block the destination IP directly, for that one PC only; the rest of the communication stays permitted and only the traffic to that destination IP is denied.

2nd advantage of extended ACL:

The second advantage of an extended ACL is that we can also do protocol-based blocking. For example, so that somebody cannot ping, we deny ICMP. Second, so that somebody cannot browse, we give port number 80 and block HTTP. In other words, the whole connectivity is not blocked, only the protocol we wanted.


Configuration to Deny HTTP Protocol in Extended ACL:

! the first address is the source, the second is the destination
Router(config)# access-list 100 deny icmp host 192.168.0.2 host 192.168.0.10
! HTTP (TCP port 80) blocking here
Router(config)# access-list 100 deny tcp host 192.168.0.3 host 192.168.0.10 eq 80
Router(config)# access-list 100 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# exit

Bad way to configure Telnet blocking:

The problem with this configuration is that we blocked Telnet, but if another interface on this router is up, Telnet will succeed from there: the user will get the router's console by telnetting to another interface. So to stop Telnet we would have to configure one more statement, with that interface's IP as the destination. That is no good solution: for every interface the router has, we would have to configure another statement again and again to block Telnet.

Configuration to Deny Telnet Protocol in Extended ACL:

! Telnet (TCP port 23) blocking here
Router(config)# access-list 100 deny tcp host 192.168.0.3 host 192.168.0.10 eq 23
Router(config)# access-list 100 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# exit

Best way to configure Telnet blocking:

Instead of blocking Telnet on every interface, one simple and best way is to block the line itself on which Telnet is used, and that line is line vty. So the best way is to deny that line on the router; then Telnet is automatically denied on every interface the router has.

Configuration to Deny Telnet the Best Way (standard ACL on the vty lines):

! the source PC IP whose Telnet you want to block
Router(config)# access-list 1 deny host 192.168.0.1
Router(config)# access-list 1 permit any
Router(config)# line vty 0 4
! access-class applies the ACL to the vty lines, not to an interface
Router(config-line)# access-class 1 in
Router(config-line)# exit


Named ACL on Cisco Router:

Actually there are only two types of ACL, standard and extended, but in neither of them can we edit or delete a single statement. If a new statement has to be added, the whole ACL has to be configured again, list by list, and if a single statement has to be deleted, we cannot delete it. So, to make it easy for us, Cisco modified these ACLs and gave us a new ACL concept, which we call a named ACL, and it works only on Cisco routers.

Benefit of Named ACL:

The biggest benefit of a named ACL is that we can edit it and delete any single statement. In standard and extended ACLs we give a number from the range, from which the router knows whether it is a standard or an extended ACL. In a named ACL we give the ACL a name, which the router looks at; after that we write the ACL type we want to use, standard or extended, and then each statement of that ACL gets a number. Using a named ACL we can edit our whole ACL and delete any single statement while staying in that configuration; there is no need to do the whole configuration again.

Configuration of Named ACL for Standard ACL:

! Blocking-List is the name of the ACL
Router(config)# ip access-list standard Blocking-List
! sequence number 10 is assigned automatically
Router(config-std-nacl)# deny host 192.168.0.1
! sequence number 20
Router(config-std-nacl)# deny host 192.168.0.2
! sequence number 30
Router(config-std-nacl)# permit any
! 'do' runs a show command from configuration mode
Router(config-std-nacl)# do show access-list
! editing the ACL after configuration: insert with sequence number 12, between 10 and 20
Router(config-std-nacl)# 12 deny host 192.168.0.3
! 1st method of deleting a single statement: by its text
Router(config-std-nacl)# no deny host 192.168.0.1
! 2nd method of deleting a single statement: by its sequence number (alternative to the line above)
Router(config-std-nacl)# no 10
Router(config-std-nacl)# exit
Router(config)# interface fa0/0
Router(config-if)# ip access-group Blocking-List in
Router(config-if)# exit

Note That:

In a named ACL, Cisco gives every statement a number, which we see when we run the show access-list command. The numbers start at 10 and keep increasing by 10. The gap exists so that if we need to add a statement later, we can use a number before an existing one and place the statement there. If we do not do this and simply configure a statement, that statement goes to the end of the list, after the permit statement, and gets the next number after it, so it will never run. That is why we have to give the number inside the gap where we want the statement placed, as I did above with a number between 10 and 20, so that the statement I configured later is placed there.
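The sequence-number behaviour described in this note and in the named ACL configuration above, modelled as an added example. This is not Cisco code and not from the book: the class assigns numbers 10, 20, 30 automatically, inserts into a gap, deletes by statement text or by number, and flags statements that land after a catch-all "permit any" and so can never match. The resequence method mirrors what the IOS command ip access-list resequence does; the sample statements are constructed for illustration.

```python
"""Model of how a named ACL is edited by sequence number.

Added example, not Cisco code and not from the book: it reproduces the
behaviour described above (automatic numbers 10, 20, 30, insertion into a
gap, deletion by statement or by number) and flags statements that end up
after 'permit any', where they can never match. The resequence method
mirrors the IOS 'ip access-list resequence' command. Sample statements
are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple


class NamedAcl:
    def __init__(self, name: str, kind: str = "standard", step: int = 10):
        self.name, self.kind, self.step = name, kind, step
        self.entries: Dict[int, str] = {}

    def add(self, statement: str, seq: Optional[int] = None) -> int:
        """'deny host X' appends with the next number; '12 deny host X' inserts at 12."""
        if seq is None:
            seq = (max(self.entries) if self.entries else 0) + self.step
        if seq in self.entries:
            raise ValueError(f"sequence number {seq} is already used")
        self.entries[seq] = statement
        return seq

    def remove_statement(self, statement: str) -> int:
        """'no deny host X': delete by statement text (1st method)."""
        for seq, text in list(self.entries.items()):
            if text == statement:
                del self.entries[seq]
                return seq
        raise KeyError(statement)

    def remove_seq(self, seq: int) -> str:
        """'no 10': delete by sequence number (2nd method)."""
        return self.entries.pop(seq)

    def show(self) -> List[Tuple[int, str]]:
        """Statements in the order 'show access-list' displays them."""
        return sorted(self.entries.items())

    def _is_catch_all(self, statement: str) -> bool:
        """'permit any' (standard) or 'permit ip any any' (extended) matches everything."""
        rest = statement.split()[1:]
        return rest == ["any"] if self.kind == "standard" else rest == ["ip", "any", "any"]

    def unreachable(self) -> List[int]:
        """Sequence numbers placed after a catch-all: top-down matching never reaches them."""
        seqs, shadowed = [], False
        for seq, text in self.show():
            if shadowed:
                seqs.append(seq)
            elif self._is_catch_all(text):
                shadowed = True
        return seqs

    def resequence(self, start: int = 10, step: int = 10) -> List[int]:
        """Renumber in order, like 'ip access-list resequence NAME start step'."""
        ordered = [text for _, text in self.show()]
        self.entries = {start + k * step: text for k, text in enumerate(ordered)}
        return sorted(self.entries)


if __name__ == "__main__":
    acl = NamedAcl("Blocking-List")            # constructed sample
    acl.add("deny host 192.168.0.1")           # 10
    acl.add("deny host 192.168.0.2")           # 20
    acl.add("permit any")                      # 30
    acl.add("deny host 192.168.0.3", seq=12)   # placed in the gap between 10 and 20
    acl.add("deny host 192.168.0.4")           # 40: after 'permit any', never matches
    print(acl.show(), "unreachable:", acl.unreachable())
    acl.remove_seq(40)
    acl.remove_statement("deny host 192.168.0.1")
    print(acl.resequence(), acl.show())
```

The unreachable check is the part worth keeping in mind when editing a live ACL: a statement appended without a sequence number sits below the catch-all permit, and the router will show it in the list without ever applying it.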

Operators in Extended ACL:

Operator in the access-list command    Meaning
eq                                     equal to
neq                                    not equal to
lt                                     less than
gt                                     greater than
range                                  range of port numbers
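The matching rules of this book, top-down first match, the router's implicit deny at the end, wildcard masks for standard ACLs, and source, destination, protocol and port operators (eq, neq, lt, gt, range) for extended ACLs, put together in an added example. This is not Cisco code and not from the book; it parses statements written in the shape of the configurations above and evaluates constructed packets against them, so the effect of forgetting the permit statement, or of a statement placed below permit ip any any, can be tried offline.

```python
"""Toy evaluator for Cisco-style standard and extended ACL statements.

Added example, not Cisco code and not from the book: it models the statement
syntax of the configurations above so that first match, the implicit deny,
wildcard masks and the port operators can be tried offline. The ACLs and
packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = address 0.0.0.0, wildcard all ones
PORT_OPS = {"eq": lambda p, a: p == a[0], "neq": lambda p, a: p != a[0],
            "lt": lambda p, a: p < a[0], "gt": lambda p, a: p > a[0],
            "range": lambda p, a: a[0] <= p <= a[1]}

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def port_match(op: Optional[str], args: Tuple[int, ...], port: Optional[int]) -> bool:
    """Destination-port operator of an extended ACL; no operator means any port."""
    if op is None:
        return True
    if port is None:  # ICMP carries no port, so a port test can never match it
        return False
    return PORT_OPS[op](port, args)

@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches every protocol
    src: Tuple[str, str]           # (network, wildcard)
    dst: Tuple[str, str]
    dport: Tuple[Optional[str], Tuple[int, ...]]
    text: str

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: Optional[int] = None

def _parse_addr(tokens: List[str], i: int):
    """'any', 'host A', 'A W', or a bare 'A' (wildcard 0.0.0.0)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():  # explicit wildcard follows
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1

def parse_entry(line: str, kind: str) -> Entry:
    """kind is 'standard' (source address only) or 'extended'."""
    t = line.lower().split()
    if kind == "standard":
        return Entry(t[0], "ip", _parse_addr(t, 1)[0], ANY, (None, ()), line)
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = (None, ())
    if i < len(t) and t[i] in PORT_OPS:   # eq/neq/lt/gt take one port, range takes two
        dport = (t[i], tuple(int(p) for p in t[i + 1:i + 3 if t[i] == "range" else i + 2]))
    return Entry(t[0], t[1], src, dst, dport, line)

def evaluate(lines: List[str], kind: str, pkt: Packet) -> Tuple[str, str]:
    """Top-down first match; the router's own 'deny all' ends every ACL."""
    for e in (parse_entry(l, kind) for l in lines):
        if e.protocol not in ("ip", pkt.protocol):
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if not port_match(*e.dport, pkt.dport):
            continue
        return e.action, e.text
    return "deny", "implicit deny"

# Constructed ACLs in the shape of the book's examples
STANDARD_ACL_1 = ["deny 192.168.0.1", "deny 192.168.0.2",
                  "permit 0.0.0.0 255.255.255.255"]
EXTENDED_ACL_100 = ["deny icmp host 192.168.0.2 host 192.168.0.10",
                    "deny tcp host 192.168.0.3 host 192.168.0.10 eq 80",
                    "permit ip any any"]

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL_1, "standard", Packet("192.168.0.1", "10.0.0.5", "tcp", 80)))
    # a lone deny still ends in the implicit deny, so every other host is blocked too
    print(evaluate(["deny 192.168.0.1"], "standard", Packet("192.168.0.7", "10.0.0.5", "tcp")))
    print(evaluate(EXTENDED_ACL_100, "extended", Packet("192.168.0.3", "192.168.0.10", "tcp", 80)))
```

The returned pair tells you both the decision and which statement produced it; "implicit deny" as the second value is the signal that an ACL has no permit at the end and is dropping traffic the author never listed.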

Criteria of Applying ACL:

To apply an ACL we first have to understand the network diagram: for the computer whose traffic we want to block, how many paths are there in our network topology through which that traffic is reaching or passing? If we do not check this, the traffic of the computer we wanted to block may still pass over other links. We also have to see where the traffic enters, and block it at that point, meaning on the very interface of the router where that traffic arrives, by applying the ACL on that interface.

Configuration of Named ACL for Extended ACL:

! Blocking-HTTP is the name of the ACL
Router(config)# ip access-list extended Blocking-HTTP
Router(config-ext-nacl)# deny tcp host 192.168.0.1 host 192.168.0.10 eq 80
! an extended ACL needs protocol, source and destination, even for the catch-all
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface fa0/0
Router(config-if)# ip access-group Blocking-HTTP in
Router(config-if)# exit

Selection/Planning of ACL:
1) Which router to apply the ACL on: if your network has multiple routers, the first step is selecting the router on which the ACL is applied.
2) Which interface of that router to apply the ACL on: if your router has multiple ports, you also have to see on which interface of the router you will apply the ACL.

Direction & Action of ACL:

Whatever the kind of ACL, standard or extended, both are applied in only two directions.

1) Inbound:

Means the side the traffic is coming from; if that side is to be blocked, we apply the ACL in the inbound direction. An inbound ACL works before the routing decision: when a packet enters the router, the router first checks it against the ACL statements to see whether it is deny or permit. If it is deny, the packet is discarded; if it is permit, the router looks it up in its routing table and forwards the packet onward.

2) Outbound:

Means the side the traffic is going out from; to block on that side we apply the ACL in the outbound direction. An outbound ACL works after the routing decision.

On each single interface of a router we can use only two ACLs, and only when their directions are different, i.e. one interface has one ACL applied to block incoming traffic and one ACL applied to block outgoing traffic.

Yes, you have learned ACLs :-) Now plan your next day and learn NAT terminology ahead.

Yes, finally you have completed your ACL topic. Hope this is informative for you and easy to learn.
For more learning and notes visit www.easypeezzi.com

75% completed, just 25% left on your CCNA!

Feedback
Easypeezzi@gmail.com

Visit www.EasypeezZi.com, download other topics and modules, and learn with fun.