W11-Presentation-Chapter 9 Access Control Lists

This document discusses access control lists (ACLs) including: - Standard ACLs filter based on source IP addresses and are used for basic filtering. Extended ACLs filter on additional attributes like destination addresses, protocols, and port numbers for advanced filtering. - Named ACLs allow standard and extended ACLs to be given names instead of numbers and can be edited. - Examples show how to configure standard, extended, and named ACLs to permit or deny traffic for different scenarios. IPv6 ACLs operate similarly to IPv4 but use IPv6 addressing and the ipv6 traffic-filter command. General guidelines note ACLs are processed sequentially from top to bottom with an implicit deny at the end.

IT212

Data Communications and Networking 2


(Cisco 2)

Chapter 9
Access Control Lists
Objectives
• Creating an ACL
• Matching on Addresses: Wildcard Masks
• Activating an ACL
• Configuring Standard Numbered ACLs
• Extended Numbered ACLs
• Creating Named ACLs
• Implementing IPv6 ACLs
1. Introduction
• Access control lists (ACLs) are filters that let you control which packets (or which routing
updates) are permitted or denied into or out of a network.
• Network administrators use them to filter traffic and to add a layer of security to the
network.
• ACLs provide a powerful way to control traffic into and out of your network; this control
can be as simple as permitting or denying individual hosts or whole address ranges. You can
configure ACLs for every routed network protocol the router supports.
• The most important reason to configure ACLs is to provide security for your network.
Beyond plain address filtering, extended ACLs can also control traffic based on the protocol and
the TCP or UDP port being used.
Why Use ACLs
* Limits unwanted network traffic, which improves network performance.
* Provides traffic-flow control by restricting the delivery of routing updates.
* Adds a layer of security on top of host and application controls.
* Controls which types of traffic are forwarded or blocked by the router.
* Controls which areas of the network a client can access.
ACL Number Ranges
Protocol                                              Range
Standard IP                                           1–99 and 1300–1999
Extended IP                                           100–199 and 2000–2699
Ethernet type code                                    200–299
Ethernet address                                      700–799
Transparent bridging (protocol type)                  200–299
Transparent bridging (vendor code)                    700–799
Extended transparent bridging                         1100–1199
DECnet and extended DECnet                            300–399
Xerox Network Systems (XNS)                           400–499
Extended XNS                                          500–599
AppleTalk                                             600–699
Source-route bridging (protocol type)                 200–299
Source-route bridging (vendor code)                   700–799
Internetwork Packet Exchange (IPX)                    800–899
Extended IPX                                          900–999
IPX Service Advertising Protocol (SAP)                1000–1099
Standard Virtual Integrated Network Service (VINES)   1–100
Extended VINES                                        101–200
Simple VINES                                          201–300
2. Standard Access Control Lists (1 – 99 and 1300 – 1999)
In the early days simple filtering was sufficient, and standard ACLs are used for this basic filtering. A
standard ACL matches a packet on its source IP address only.
Because it matches on the source address alone, a standard ACL cannot distinguish destinations, protocols
or ports: it either permits or denies everything coming from the matched address range. The matched range
is expressed as a network address plus a wildcard mask (see the Masks section below).

Example of the command syntax for configuring a standard numbered IP ACL:

R1(config)# access-list {1-99 | 1300-1999} {permit | deny} source-addr [source-wildcard]
i. The first value {1-99 | 1300-1999} is the ACL number, which must fall in a standard-ACL range.
ii. The second value specifies whether to permit or deny traffic from the configured source IP address.
iii. The third value is the source IP address that must be matched.
iv. The fourth value is the wildcard mask applied to the previously configured IP address to indicate the
range. If it is omitted, the wildcard defaults to 0.0.0.0, i.e. the single host.
3. Extended Access Control Lists (100 – 199 and 2000 – 2699)
To mitigate current security threats, more precise filtering is required, and that is the job of extended
ACLs. An extended ACL can filter a packet on its source address, destination address, protocol, port
number and more.
Extended access lists create filters based on source addresses, destination addresses, protocol, port
number and other features, and are used for packet-based filtering of packets that traverse the
network.
Example of the command syntax for configuring an extended numbered IP ACL:
Router(config)# access-list {100-199 | 2000-2699} {permit | deny} protocol source-addr [source-wildcard] [operator
operand] destination-addr [destination-wildcard] [operator operand] [established]
i. Like the standard ACLs, the first value {100-199 | 2000-2699} is the ACL number, in an extended-ACL range.
ii. The next value specifies whether to permit or deny according to the criteria that follow.
iii. The third value specifies the protocol type (ip, tcp, udp, icmp, or another IP sub-protocol). The source IP
address and wildcard mask determine the traffic source.
iv. The destination IP address and wildcard mask determine the traffic destination.
v. The optional operator and operand (for example eq 23, gt 1023, range 20 21) match a TCP or UDP port; for
icmp the operand is a message type such as echo or echo-reply. The established keyword (TCP only) matches
segments with the ACK or RST bit set, i.e. replies belonging to a connection that was opened from the other side.
Masks
Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. The subnet
masks used to configure IP addresses on interfaces start with 255 and have the large values on the left
side, for example IP address 172.16.2.14 with a 255.255.255.0 mask. Masks for IP ACLs are the reverse, for
example 0.0.0.255.
This is called an inverse mask or a wildcard mask: a 0 bit means the corresponding address bit must match,
a 1 bit means the corresponding address bit is ignored.

Note these ACL equivalents.

· The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".
· The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".
If you subtract a normal mask such as 255.255.255.0 from 255.255.255.255, the result is the wildcard, 0.0.0.255.
Unlike a subnet mask, a wildcard mask does not have to be contiguous: 0.0.254.255 matches only addresses
whose third octet is even, which no subnet mask can express.

The commands below define a named standard ACL that permits the network 192.168.1.0 0.0.0.255 (the
access-list keyword takes a number, not a name, so a name requires the ip access-list form):
ip access-list standard acl_permit
 permit 192.168.1.0 0.0.0.255
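The wildcard-mask rules above, worked through as an added Python example (this is the editor's illustration, not code from the original presentation or from Cisco). It derives a wildcard from a subnet mask or prefix length, implements the bitwise match a router performs, and shows the "any" and "host" equivalents plus a non-contiguous wildcard. All addresses are constructed sample values.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_netmask(netmask: str) -> str:
    """Invert a subnet mask: 255.255.255.0 -> 0.0.0.255 (the '255.255.255.255 minus mask' rule)."""
    return _to_dotted(ALL_ONES - _to_int(netmask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Prefix length -> wildcard, e.g. /26 -> 0.0.0.63 (the 32 - prefix host bits set to 1)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return _to_dotted((1 << (32 - prefix_len)) - 1)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard.

    A 0 bit in the wildcard means the address bit must equal the base bit;
    a 1 bit means that bit is ignored. This is exactly (addr & ~wild) == (base & ~wild).
    """
    care = ALL_ONES ^ _to_int(wildcard)          # bits we care about
    return (_to_int(addr) & care) == (_to_int(base) & care)


def describe(base: str, wildcard: str) -> str:
    """Render an address/wildcard pair the way IOS shows it in 'show access-lists'."""
    if wildcard == "255.255.255.255":
        return "any"
    if wildcard == "0.0.0.0":
        return f"host {base}"
    return f"{base}, wildcard bits {wildcard}"


if __name__ == "__main__":
    print(wildcard_from_netmask("255.255.255.0"))              # 0.0.0.255
    print(wildcard_from_prefix(26))                             # 0.0.0.63
    print(describe("0.0.0.0", "255.255.255.255"))               # any
    print(describe("10.1.1.2", "0.0.0.0"))                      # host 10.1.1.2
    # Non-contiguous wildcard: only even third octets match 10.1.0.0 0.0.254.255
    print(wildcard_match("10.1.2.7", "10.1.0.0", "0.0.254.255"))  # True
    print(wildcard_match("10.1.3.7", "10.1.0.0", "0.0.254.255"))  # False
```

The non-contiguous case is the practical reason to reason about wildcards bit by bit rather than as "inverted subnet masks": a mask like 0.0.254.255 is legal in an ACL and matches every other /24, which is easy to get wrong when reviewing someone else's configuration.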
4. Named Access Control Lists
Named access control lists allow standard and extended ACLs to be given descriptive names instead of
numbers. Unlike classic numbered ACLs, named ACLs can be edited in place: each entry carries a sequence
number, so you can delete one entry or insert a new one between existing entries without rebuilding the
whole list.
Sample configuration (entry 10 permits the inside network; entry 500 is an explicit, logged deny that makes
the otherwise invisible implicit deny show up in the logs and hit counters):
R1(config)#ip access-list standard INSIDE_IN
R1(config-std-nacl)#
R1(config-std-nacl)#10 permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)#500 deny any log

R1(config-std-nacl)#exit
R1(config)#int f0/1
R1(config-if)#ip access-group INSIDE_IN in
You can verify your access-list configuration with the show access-lists command (do lets you run it from
configuration mode):
R1(config-if)#do show access-lists
Standard IP access list INSIDE_IN
10 permit 10.1.1.0, wildcard bits 0.0.0.255
500 deny any log
R1(config-if)#
5. IPv4 ACLs Examples (Standard, Extended and Named)
Network Diagram

This is an example of a standard ACL used to block all traffic except that sourced from 10.1.1.x. It is applied
inbound on the inside interface, so everything else arriving there falls through to the implicit deny.

Standard Access List (1-99) (1300-1999) Example:


interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 1 in

access-list 1 permit 10.1.1.0 0.0.0.255


IPv4 ACLs Examples (Standard, Extended and Named) continuation . . .
Network Diagram

This extended ACL, applied inbound on the outside interface, permits traffic into the 10.1.1.x network (inside),
including ping responses (echo-reply) from the outside, while it blocks unsolicited pings (echo requests) from
outside hosts. Note that the final line permits all other IP traffic to the inside network, and that traffic to any
destination other than 10.1.1.0/24 is dropped by the implicit deny.

Extended Access List (100-199) (2000-2699) Example:


interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
ip access-group 101 in

access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo


access-list 101 permit ip any 10.1.1.0 0.0.0.255
IPv4 ACLs Examples (Standard, Extended and Named) continuation . . .
Network Diagram

This is an example of a named extended ACL used to block all traffic except a Telnet connection from host 10.1.1.2 to host
172.16.1.1. Only the one permit entry is configured; everything else is caught by the implicit deny.

Named Access List Example:


interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group ABC in

ip access-list extended ABC


permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
IPV4 Access List Demo
6. IPv6 ACLs Explained with Examples
The operation and configuration of IPv6 ACLs closely follow those of IPv4 ACLs. If you are familiar with the
basic operation and configuration of IPv4 access lists, you will find IPv6 ACLs easy to understand and configure;
the main differences are the IPv6 addressing and the commands used to apply the list.
IPv6 has only one type of ACL, which is comparable to an IPv4 extended named ACL: every IPv6 ACL is named and
can match on source, destination, protocol and port.
IPv6 uses the ipv6 traffic-filter command to apply an ACL to an interface, unlike IPv4, which uses ip access-group.
IPv6 ACLs do not use wildcard masks. Instead, a prefix length (for example 2001:DB8:1::/64) indicates how much of
an IPv6 source or destination address must match, and host matches a single address.
Unlike an IPv4 ACL, an IOS IPv6 ACL ends with two implicit permits for neighbor discovery (permit icmp any any
nd-na and permit icmp any any nd-ns) before the implicit deny ipv6 any any. If you add an explicit deny ipv6 any
any as the last entry, those implicit permits are overridden and neighbor discovery breaks unless you permit
it explicitly above the deny.
IPv6 ACLs Explained with Examples continuation . . .

You use the ipv6 access-class command to apply an IPv6 ACL to the VTY lines (interface filtering uses ipv6
traffic-filter instead).

IPv6 ACL Configuration Example.

In the configuration example below, the single permit statement allows only PC1 to telnet into R1; every other
source falls through to the implicit deny. The ACL is applied to the VTY lines with the ipv6 access-class command
and in as the direction. (The address as printed, 2001:db8:FC31e:1::1, cannot be correct: a hextet holds at most
four hex digits, so FC31e must be a transcription error in the slides.)
R1(config)#ipv6 access-list NO_TELNET
R1(config-ipv6-acl)#permit tcp host 2001:db8:FC31e:1::1 any eq 23
R1(config-ipv6-acl)#exit
R1(config)#line vty 0 15
R1(config-line)#ipv6 access-class NO_TELNET in
R1(config-line)#exit
R1(config)#
IPv6 ACLs Explained with Examples continuation . . .
VERIFY IPV6 ACLS
To verify all ACLs configured on the router, use the show access-lists command; it displays both the IPv4 and
the IPv6 ACLs configured on the router.
To see only the IPv6 ACLs, use the show ipv6 access-list command; it displays each configured IPv6 access list
by name along with its entries.

R1#show ipv6 access-list


IPv6 access list NO_TELNET
permit tcp host 2001:DB8:FC31E:1::1 any eq telnet
7. General Guidelines for Access Control Lists
• ACLs are always processed from top to bottom in sequential order.
• A packet is compared with the ACL entries until it finds the first match; later entries are not evaluated.
• Every ACL has an implicit deny statement at the end of it.
• If a packet does not match any entry, it is dropped by that implicit deny.
• A standard ACL can filter only on the source IP address.
• Standard ACLs should be placed near the destination, because filtering on source alone near the
source would also block that source's traffic to destinations you did not intend to block.
• Extended ACLs should be placed near the source, so unwanted traffic is dropped before it crosses
the network.
• Each ACL needs a unique number or name.
• Only one ACL per protocol can be applied to an interface in each direction (one inbound and one
outbound for IPv4, and separately one each for IPv6).
• Order matters: a broad permit placed above a narrower deny shadows it, and the deny never matches.
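To make the processing rules concrete, here is an added Python model of how a router evaluates an IPv4 ACL, run against the three IPv4 example lists from section 5 (ACL 1, ACL 101 and the named ACL ABC). It is the editor's illustration, not code from the presentation or from Cisco IOS; the Packet and Entry classes and the sample packets are constructed for the example. It shows top-down first-match evaluation, the implicit deny, that ACL 101 blocks echo requests but passes echo replies, and that swapping the two lines of ACL 101 shadows the deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", or "ip" for anything else
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[str] = None # "echo", "echo-reply", ...


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str = "any"                # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W"
    dst: str = "any"                # a standard ACL only has a source; dst stays "any"
    proto: str = "ip"               # "ip" matches every IP protocol
    dport: Optional[int] = None     # an "eq <port>" operand
    icmp_type: Optional[str] = None # an ICMP message-type operand


def _match_addr(addr: str, spec: str) -> bool:
    """Match one address against an ACL address specification using a wildcard mask."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        base, wild = spec[5:], "0.0.0.0"
    else:
        base, wild = spec.split()
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)          # 0 wildcard bit = must match, 1 = ignore


def _match_entry(pkt: Packet, e: Entry) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if not _match_addr(pkt.src, e.src) or not _match_addr(pkt.dst, e.dst):
        return False
    if e.dport is not None and e.dport != pkt.dport:
        return False
    if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, 1-based entry index);
    index None means the packet fell through to the implicit 'deny ip any any'."""
    for idx, entry in enumerate(acl, start=1):
        if _match_entry(pkt, entry):
            return entry.action, idx
    return "deny", None


# The three IPv4 ACLs from section 5, transcribed into Entry objects.
ACL_1 = [Entry("permit", "10.1.1.0 0.0.0.255")]                     # access-list 1 permit 10.1.1.0 0.0.0.255
ACL_101 = [                                                          # access-list 101 ...
    Entry("deny", "any", "10.1.1.0 0.0.0.255", "icmp", icmp_type="echo"),
    Entry("permit", "any", "10.1.1.0 0.0.0.255", "ip"),
]
ACL_ABC = [Entry("permit", "host 10.1.1.2", "host 172.16.1.1", "tcp", dport=23)]

# Constructed sample packets: an outside host probing the inside network.
PING_IN = Packet("172.16.1.9", "10.1.1.2", "icmp", icmp_type="echo")
PING_REPLY_IN = Packet("172.16.1.9", "10.1.1.2", "icmp", icmp_type="echo-reply")
SSH_TRANSIT = Packet("172.16.1.9", "192.168.9.9", "tcp", dport=22)


if __name__ == "__main__":
    print(evaluate(ACL_1, Packet("10.1.1.7", "172.16.1.1", "ip")))  # ('permit', 1)
    print(evaluate(ACL_1, Packet("10.2.2.7", "172.16.1.1", "ip")))  # ('deny', None)  implicit deny
    print(evaluate(ACL_101, PING_IN))                              # ('deny', 1)
    print(evaluate(ACL_101, PING_REPLY_IN))                        # ('permit', 2)
    print(evaluate(ACL_101, SSH_TRANSIT))                          # ('deny', None)  not to 10.1.1.0/24
    print(evaluate(list(reversed(ACL_101)), PING_IN))              # ('permit', 1)  deny is shadowed
    print(evaluate(ACL_ABC, Packet("10.1.1.2", "172.16.1.1", "tcp", dport=23)))  # ('permit', 1)
    print(evaluate(ACL_ABC, Packet("10.1.1.2", "172.16.1.1", "tcp", dport=22)))  # ('deny', None)
```

The reversed-ACL case is the one to remember when auditing a configuration: the router does not warn about an entry that can never match, so a permit that is too broad and placed too early silently disables every deny below it.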
8. Summary of ACLs Operation
• ACLs can be used for IP packet filtering or to identify traffic that should receive special handling.
• ACLs are processed top-down and can be applied to incoming or outgoing traffic on an interface.
• You can create an ACL as a named or a numbered ACL. Either kind can be configured as a standard or an
extended ACL, which determines what it can filter on.
• Standard IPv4 ACLs filter on the source address only.
• Extended IPv4 ACLs filter on source and destination addresses as well as protocol and port number.
• IP access list entry sequence numbering lets you delete individual statements from an ACL or add
statements anywhere in the ACL without rebuilding it.
• The show access-lists and show ip interface commands are useful for troubleshooting
common ACL configuration errors. show access-lists displays every access list configured on the router
with its parameters (including the legacy ipx access lists). show ip access-lists shows only the IP access
lists. Neither command shows which interface a list is applied to; use show ip interface for that.
• In a wildcard bit mask, a 0 bit means the corresponding address bit must match, and a 1 bit means
the corresponding address bit is ignored.
THE END