
Naveen Patel

Access Control List (ACL)



ACLs are basically a set of commands, grouped together by a number or name,
that are used to filter traffic entering or leaving an interface.
ACL commands define specifically which traffic is permitted and which is denied.
Thus ACLs are statements that specify the conditions under which the router
handles the traffic flow through specified interfaces.
There are many reasons to create ACLs. ACLs can be used to:
Limit network traffic and increase network performance
Provide traffic flow control
Provide a basic level of security for network access
Decide which types of traffic are forwarded or blocked at the router interfaces
Packet filtering

ACLs operate in two ways:

Inbound ACLs: Incoming packets are processed before they are routed to an
outbound interface. An inbound ACL is efficient because it saves the
overhead of routing lookups if the packet will be discarded after it is denied
by the filtering tests.

Outbound ACLs: Incoming packets are routed to the outbound interface and
then processed through the outbound ACL.
The types of ACLs can be classified as follows:

Standard ACL
Extended ACL



Two methods are used to identify Standard and Extended ACLs:

Numbered ACLs
Named ACLs

Standard ACLs: Standard IP ACLs check the source addresses of packets that
can be routed. The result either permits or denies the output for an entire
protocol suite, based on the source network, subnet, or host IP address.
Extended ACLs: Extended IP ACLs check both the source and destination
packet addresses. They can also check for specific protocols, port numbers,
and other parameters.
Named ACLs: These use a descriptive name or number for identification.
Standard Access List

The access-list number range is 1-99, 1300-1999.
Can block a network, host or subnet.
Two-way communication is stopped.
All services are blocked.
Implemented closest to the destination (guideline).
Checks the source IP address.


Extended Access List

The access-list number range is 100-199, 1300-1999.
Can block a network, host, subnet or service.
One-way communication is stopped.
Selected services can be blocked.
Checks source and destination IP address and port number.
Implemented closest to the source (guideline).

ACL Evaluation
ACL Configuration Guidelines

Standard or Extended indicates what can be filtered.
One ACL per interface, per protocol, per direction is allowed.
The order of the ACL statements controls the order of testing.
Place the most restrictive statement at the top of the list.
There is an implicit deny any statement as the last access list test, so every list
needs at least one permit statement.
Create ACLs before applying them to an interface.
ACLs filter traffic going through the router; they do not apply to traffic originating from
the router.
ACL Wildcard Masking

Address filtering occurs when you use ACL address wildcard masking to
identify how to check or ignore corresponding IP address bits.
A 0 in a bit position of the ACL mask indicates that the corresponding bit in
the address must be matched.
A 1 in a bit position of the ACL mask indicates that the corresponding bit in
the address is not interesting and can be ignored.
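The bit rules above, worked through in code. This is an added example, not part of the slides: it compares only the address bits where the wildcard has a 0, derives a wildcard from a subnet mask, names the host/any shorthands, and shows that a wildcard need not be contiguous (0.0.0.254 keeps just the lowest bit, so it selects even-numbered hosts). All addresses are constructed sample values.

```python
# Added example (not part of the slides): how an ACL wildcard mask selects
# which IPv4 address bits are compared.  Standard library only.
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Does `candidate` match the ACL entry `address wildcard`?

    A 0 bit in the wildcard means the corresponding address bit must match;
    a 1 bit means that bit is ignored.  So the comparison is done only on the
    bit positions where the wildcard is 0 (the "care" bits).
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(candidate) & care)


def subnet_mask_to_wildcard(subnet_mask: str) -> str:
    """The wildcard for a whole subnet is the bitwise inverse of its subnet
    mask (255.255.255.255 minus the mask), e.g. 255.255.255.0 -> 0.0.0.255."""
    return to_str(~to_int(subnet_mask))


def describe(address: str, wildcard: str) -> str:
    """Name the two shorthands IOS accepts: 'host A' (wildcard 0.0.0.0) and
    'any' (0.0.0.0 255.255.255.255)."""
    if wildcard == "0.0.0.0":
        return f"host {address}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{address} {wildcard}"


def bit_view(address: str, wildcard: str) -> str:
    """Render the last octet bit by bit: a digit where the bit must match,
    'x' where the wildcard ignores it.  Shows why a mask need not be
    contiguous: 0.0.0.254 keeps only the lowest bit of the host octet."""
    a, w = to_int(address) & 0xFF, to_int(wildcard) & 0xFF
    return "".join("x" if (w >> bit) & 1 else str((a >> bit) & 1)
                   for bit in range(7, -1, -1))


if __name__ == "__main__":
    # Constructed sample entries, written as they would appear in an ACL statement.
    for addr, wc in [("192.168.1.0", "0.0.0.255"), ("10.0.0.5", "0.0.0.0"),
                     ("0.0.0.0", "255.255.255.255"), ("10.1.1.0", "0.0.0.254")]:
        print(f"{describe(addr, wc):28} last octet: {bit_view(addr, wc)}")
    print(wildcard_matches("10.1.1.0", "0.0.0.254", "10.1.1.8"),   # True: even host
          wildcard_matches("10.1.1.0", "0.0.0.254", "10.1.1.9"))   # False: odd host
```

The non-contiguous case is worth checking when reviewing a configuration: a wildcard such as 0.0.0.254 is valid and matches half the hosts of a /24, which is rarely what a reviewer expects from a mask that looks like a typo.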

Creating a Standard Numbered ACL
Router(config)# access-list no. permit|deny source_IP_address [wildcard_mask]

Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group ACL no. in|out


Creating an Extended Numbered ACL
Router(config)# access-list no. permit|deny tcp|udp source_address source_wildcard
                destination_address destination_wildcard [operator]

Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group ACL no. in|out
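The standard and extended numbered syntax, the evaluation rules from the configuration guidelines (top-down, first match wins, implicit deny any at the end, create the list before applying it) and the inbound/outbound distinction, all exercised by a small simulator. This is an added example and not the slides' own material: it parses `access-list` and `ip access-group` lines in the syntax shown above, and the interface names, addresses, ports and configuration are constructed for the demo. Only the `eq` port operator is modelled, and the ACL number ranges used to tell standard from extended are the ones the deck gives for standard lists.

```python
# Added example (not part of the slides): numbered standard/extended ACL
# parser and evaluator with inbound/outbound application.  Std library only.
from collections import namedtuple
from dataclasses import dataclass, field
import ipaddress

# Packet: proto is "ip", "tcp", "udp" or "icmp"; dport is None unless TCP/UDP.
Packet = namedtuple("Packet", "src dst proto dport", defaults=("ip", None))
# Entry: proto "ip" matches every protocol; the dst defaults cover standard
# entries (source only); dport is set only when "eq <port>" was given.
Entry = namedtuple("Entry", "action proto src src_wc dst dst_wc dport",
                   defaults=("0.0.0.0", "255.255.255.255", None))
STANDARD_RANGES = ((1, 99), (1300, 1999))  # standard ACL numbers, as in the deck

def _match(addr, wildcard, candidate):
    """Compare only the bits where the wildcard mask is 0."""
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(candidate) & care)

def _addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; a bare trailing address
    (standard ACL shorthand) means wildcard 0.0.0.0.  Returns (addr, wc, next)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t):
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1

def parse_access_list(line):
    """Parse one 'access-list N permit|deny ...' line into (N, Entry)."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        src, wc, _ = _addr(t, 3)                      # standard: source only
        return number, Entry(action, "ip", src, wc)
    src, src_wc, i = _addr(t, 4)                      # extended: proto, src, dst
    dst, dst_wc, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return number, Entry(action, t[3], src, src_wc, dst, dst_wc, dport)

def evaluate(entries, pkt):
    """Top-down, first match wins.  Returns (action, index of the matching
    statement); ("deny", None) means the implicit deny at the end fired."""
    for idx, e in enumerate(entries):
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_match(e.src, e.src_wc, pkt.src) and _match(e.dst, e.dst_wc, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx
    return "deny", None

@dataclass
class Router:
    acls: dict = field(default_factory=dict)    # number -> [Entry, ...]
    groups: dict = field(default_factory=dict)  # (interface, "in"|"out") -> number

    def configure(self, config):
        """Accept access-list, interface and ip access-group lines."""
        iface = None
        for raw in config.strip().splitlines():
            t = raw.split()
            if t[:1] == ["access-list"]:
                number, entry = parse_access_list(raw)
                self.acls.setdefault(number, []).append(entry)  # numbered lists only append
            elif t[:1] == ["interface"]:
                iface = t[1]
            elif t[:2] == ["ip", "access-group"]:
                self.groups[(iface, t[3])] = int(t[2])

    def forward(self, pkt, in_if, out_if):
        """Inbound list first (before the routing decision), then outbound."""
        for iface, direction in ((in_if, "in"), (out_if, "out")):
            number = self.groups.get((iface, direction))
            if number not in self.acls:   # no list applied, or applied but never
                continue                  # created: IOS passes everything
            action, _ = evaluate(self.acls[number], pkt)
            if action == "deny":
                return f"dropped by ACL {number} {direction} on {iface}"
        return "forwarded"

# Constructed demo configuration in the deck's numbered syntax.
CONFIG = """
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 110 permit tcp any host 10.0.0.8 eq 443
access-list 110 deny tcp any host 10.0.0.8
access-list 110 permit ip any any
interface GigabitEthernet0/0
ip access-group 10 in
interface GigabitEthernet0/1
ip access-group 110 out
"""

if __name__ == "__main__":
    r = Router(); r.configure(CONFIG)
    print(r.forward(Packet("172.16.5.5", "10.0.0.8", "tcp", 22), "GigabitEthernet0/0", "GigabitEthernet0/1"))
```

Two behaviours in the simulator match what the guidelines warn about. A list containing only deny statements denies everything, because the implicit deny catches whatever the explicit denies miss, which is why every list needs a permit. And an `ip access-group` that names a list that was never created passes all traffic, so applying before creating leaves the interface open rather than closed; check `show ip access-lists` against the interface configuration when auditing.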


Creating a Standard Named ACL
Router(config)# ip access-list standard name
Router(config-std-nacl)# [sequence-number] {deny | permit} source [wildcard]
Router(config-std-nacl)# exit

Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group name in|out


Creating an Extended Named ACL
Router(config)# ip access-list extended name
Router(config-ext-nacl)# [sequence-number] {deny | permit} protocol source source-wildcard
                         destination destination-wildcard [option]
Router(config-ext-nacl)# exit

Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group name in|out
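What the optional sequence-number in the named syntax buys you, as an added example that is not part of the slides. It models the IOS behaviours assumed here: an entry given without a sequence number is appended 10 above the current highest, an explicit sequence number inserts an entry between existing ones, a duplicate sequence number is rejected, `no <seq>` removes one entry, and `ip access-list resequence` renumbers the list. The parser accepts the named syntax shown above and stores only the rule text; the list name and rules are constructed, and packet matching is out of scope here.

```python
# Added example (not part of the slides): sequence-number handling in a named
# ACL.  Standard library only.
from typing import Optional


class NamedAcl:
    def __init__(self, kind: str, name: str):
        self.kind = kind          # "standard" or "extended"
        self.name = name
        self.entries: dict = {}   # sequence number -> rule text

    def add(self, rule: str, seq: Optional[int] = None) -> int:
        """Add a permit/deny rule; returns the sequence number it received."""
        if seq is None:
            seq = max(self.entries, default=0) + 10   # append after the last entry
        if seq in self.entries:
            raise ValueError("% Duplicate sequence number")
        self.entries[seq] = rule
        return seq

    def remove(self, seq: int) -> None:
        """'no <seq>' deletes one entry and leaves the others untouched."""
        del self.entries[seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """'ip access-list resequence NAME START STEP': renumber, keeping order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: rule for i, rule in enumerate(ordered)}

    def show(self) -> list:
        """Entries in the order the router will test them: by sequence number,
        not by the order in which they were typed."""
        return [f"{seq} {rule}" for seq, rule in sorted(self.entries.items())]


def parse_named_config(config: str) -> dict:
    """Parse 'ip access-list standard|extended NAME' blocks whose lines carry
    an optional leading sequence number and end with 'exit'.  Returns
    name -> NamedAcl."""
    acls, current = {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ip", "access-list"] and len(t) == 4:
            current = acls.setdefault(t[3], NamedAcl(t[2], t[3]))
        elif t[0] == "exit":
            current = None
        elif current is not None and t[0].isdigit():
            current.add(" ".join(t[1:]), int(t[0]))      # explicit sequence number
        elif current is not None and t[0] in ("permit", "deny"):
            current.add(" ".join(t))                     # appended, next free number
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return acls


# Constructed configuration in the named syntax: the third rule is typed last
# but lands between the first two because it is given sequence number 15.
CONFIG = """
ip access-list extended WEB-IN
 permit tcp any host 10.0.0.8 eq 443
 deny ip any any
 15 permit tcp any host 10.0.0.8 eq 80
exit
"""

if __name__ == "__main__":
    acl = parse_named_config(CONFIG)["WEB-IN"]
    print("\n".join(acl.show()))
```

With a classic numbered list a new `access-list N ...` line can only be appended after the existing statements, so a permit that must precede a broad deny needs the whole list removed and re-entered; the sequence number is what makes an in-place insert possible in the named form.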
Summary
Access lists offer a powerful tool for network control. These lists add the
flexibility to filter the packet flow into or out of router interfaces. Such control
can help limit network traffic and restrict network use by certain users or
devices.
An IP access list is a sequential list of permit and deny conditions that apply to IP
addresses or upper-layer IP protocols. Access lists filter traffic going through
the router, but they do not filter traffic originated from the router.
Access lists are optional mechanisms in Cisco IOS software that you can
configure to filter or test packets to determine whether to forward them to their
destination or discard them.

Summary
Inbound access lists process incoming packets before they are routed to an
outbound interface, while outbound access lists process packets after they
have been routed to an outbound interface.
The Cisco IOS software executes access list statements in sequential
order, so the first statement is processed, then the next, and so on.
Address filtering occurs using access list address wildcard masking to
identify how to check or ignore corresponding IP address bits.



The End
