CCNA – Cisco Certified Network Associates Access Control List (ACL) By Roshan Chaudhary Lecturer Islington College

Posted on 03-Jan-2016


Page 1

CCNA – Cisco Certified Network Associates

Access Control List (ACL)

By Roshan Chaudhary

Lecturer

Islington College

Page 2

Access Control List (ACL): ACLs to Secure Networks

• ACLs are used to block traffic, or to permit only specified traffic while blocking everything else on the network.

• ACLs let us control traffic into and out of the network. This control can be as simple as permitting or denying individual hosts or address ranges, but ACLs can also filter on the protocol and port in use.

• An ACL is a sequential list of permit or deny statements that are tested against IP addresses or upper-layer protocol fields. The first statement that matches a packet decides what happens to it.

Page 3

Access Control List (ACL): Packet Filtering

• Packet filtering, sometimes called static packet filtering, controls access to a network by examining each incoming and outgoing packet and passing or dropping it based on configured criteria. It is stateless: each packet is judged on its own header fields, with no memory of the connection it belongs to.

Page 4

Access Control List (ACL): ACL Operation

• An ACL is applied to an interface in one direction, so it inspects either the inbound traffic or the outbound traffic of that interface.

• Inbound ACLs - Incoming packets are tested before they are routed to an outbound interface. An inbound ACL is efficient because a packet that is discarded never incurs a routing lookup. If the packet is permitted by the tests, it is then processed for routing.

• Outbound ACLs - Incoming packets are routed to the outbound interface first and then tested against the outbound ACL before being transmitted. Note that an outbound ACL does not filter traffic generated by the router itself.

Page 5

Types of Cisco ACLs: Standard ACLs

• Standard ACLs permit or deny traffic based only on the source IP address. The destination of the packet and the ports involved are not examined.

Router(config)#access-list <ACL number> <permit/deny> <source network/host address> <wildcard mask>

Page 6

Types of Cisco ACLs: Extended ACLs

• Extended ACLs filter IP packets on several attributes: the protocol type, the source and destination IP addresses, the source TCP or UDP port, the destination TCP or UDP port, and optional protocol-specific information for finer-grained control.

Router(config)#access-list <ACL number> <permit/deny> <protocol> <source network/host address> <wildcard mask> <destination network/host address> <wildcard mask> [eq <port number/name>]

The port match is optional and applies only to TCP and UDP entries.

Page 7

Types of Cisco ACLs: Numbered and Named ACLs

Page 8

Types of Cisco ACLs: ACL List Numbers

ACL Keywords

Page 9

Standard ACL Command Syntax

Page 10

ACL Example

Page 11

ACL: Removing an ACL

Router(config)#no access-list <ACL Number>

This removes the entire numbered list, not a single line. Unbind the list from any interface first (no ip access-group <ACL Number> in|out in interface configuration mode): an interface that still references a nonexistent ACL permits all traffic.

Wildcard Mask

Wildcard mask bit 0 - Match the corresponding bit value in the address.

Wildcard mask bit 1 - Ignore the corresponding bit value in the address.

A wildcard mask is therefore the bitwise inverse of a subnet mask (255.255.255.0 becomes 0.0.0.255). The keyword host <address> is shorthand for <address> 0.0.0.0, and any is shorthand for 0.0.0.0 255.255.255.255.
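As an added example (not part of the slides), the following Python shows how the two wildcard bit rules select addresses, how a wildcard is derived from a prefix length or a subnet mask, how many addresses a base/wildcard pair covers, and what goes wrong when a subnet mask is typed where the wildcard belongs. The function names and sample addresses are the example's own choices, not anything from the slides.

```python
import ipaddress

# Added example, not from the slides: Cisco wildcard-mask semantics.
# Wildcard bit 0 = the address bit must equal the base address; bit 1 = ignore it.
FULL = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & FULL))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a CIDR prefix: /24 -> 0.0.0.255, /32 -> 0.0.0.0 (a single host)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return _to_dotted((1 << (32 - prefix_len)) - 1)


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask: 255.255.240.0 -> 0.0.15.255."""
    return _to_dotted(_to_int(subnet_mask) ^ FULL)


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks 0 is identical in `address` and `base`."""
    fixed = ~_to_int(wildcard) & FULL          # the bits that must match
    return (_to_int(address) & fixed) == (_to_int(base) & fixed)


def addresses_covered(wildcard: str) -> int:
    """Number of addresses a base/wildcard pair matches: 2 ** (number of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


if __name__ == "__main__":
    # A contiguous wildcard selects one subnet.
    print(wildcard_matches("192.168.10.77", "192.168.10.0", "0.0.0.255"))   # True
    # A non-contiguous wildcard (third octet 0000000x) selects 172.16.0.0/24
    # and 172.16.1.0/24 with a single line, and nothing else.
    print(wildcard_matches("172.16.1.200", "172.16.0.0", "0.0.1.255"))      # True
    print(wildcard_matches("172.16.2.1", "172.16.0.0", "0.0.1.255"))        # False
    print(addresses_covered("0.0.1.255"))                                   # 512
    # Classic mistake: typing the subnet mask where the wildcard belongs.
    # 10.0.0.0 255.255.255.0 fixes only the last octet to 0, so it matches
    # 192.168.9.0 but not 10.0.0.5.
    print(wildcard_matches("10.0.0.5", "10.0.0.0", "255.255.255.0"))        # False
    print(wildcard_matches("192.168.9.0", "10.0.0.0", "255.255.255.0"))     # True
```

The last two calls are the check worth remembering: a line written with a subnet mask instead of a wildcard does not fail loudly, it silently matches a completely different set of addresses.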

Page 12

Procedure for Configuring Standard ACL

Page 13

ACL Tips

• An implicit deny statement is hard-coded into the end of every ACL. We cannot see it, but it says "deny everything not already permitted" and is always the last line of any ACL. An ACL that contains only deny statements therefore blocks all traffic. To override the implicit deny, put permit any as the last line of a standard ACL, or permit ip any any as the last line of an extended ACL.

• Access lists are applied to an interface in either the inbound direction (keyword in) or the outbound direction (keyword out), using ip access-group <ACL number/name> in|out in interface configuration mode.

• Apply a standard ACL as close as possible to the destination network or device. Because a standard ACL matches only on the source address, placing it near the source would also cut that source off from destinations it should still reach.

• Only one access list can be applied per interface, per direction, per protocol. Applying a second one replaces the first.
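To tie the standard and extended syntax from the earlier slides together with the ordering and implicit-deny rules above, here is an added Python example (not code from the slides or from Cisco) that parses IOS-style access-list lines and evaluates packets against them the way the router does: top to bottom, first match wins, implicit deny at the end. It also flags an entry that can never match because an earlier line already covers it, which is the usual result of putting a network permit before a host deny. The sample lists, function names and the small table of port names are constructed for the example; only the line syntax is the page's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the slides: a first-match evaluator for numbered IOS ACL lines.
FULL = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    protocol: str            # "ip" matches any IP protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int]  # set only by "eq <port>" on tcp/udp entries


def acl_type(number: int) -> str:
    """Numbered ranges on IOS: standard 1-99 and 1300-1999, extended 100-199 and 2000-2699."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a valid numbered ACL")


def _wc_match(addr: str, base: str, wc: str) -> bool:
    """Wildcard bit 0: the address bit must equal the base; bit 1: ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wc))
    return (a & ~w & FULL) == (b & ~w & FULL)


def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec at t[i]: 'any', 'host A', or 'A WILDCARD'."""
    if t[i] == "any":
        return ANY[0], ANY[1], i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_line(line: str) -> Tuple[int, Entry]:
    """Parse 'access-list N permit|deny ...' in either the standard or the extended form."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if acl_type(number) == "standard":          # source address only
        src, src_wc, _ = _parse_addr(t, 3)
        return number, Entry(action, "ip", src, src_wc, ANY[0], ANY[1], None)
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return number, Entry(action, t[3], src, src_wc, dst, dst_wc, port)


def build_acl(lines: List[str]) -> List[Entry]:
    return [parse_line(line)[1] for line in lines]


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None means the implicit deny."""
    for idx, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if not (_wc_match(src, e.src, e.src_wc) and _wc_match(dst, e.dst, e.dst_wc)):
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action, idx
    return "deny", None


def _covers(bi: str, wi: str, bj: str, wj: str) -> bool:
    """True if every address matched by (bj, wj) is also matched by (bi, wi)."""
    bi, wi, bj, wj = (int(ipaddress.IPv4Address(x)) for x in (bi, wi, bj, wj))
    fixed = ~wi & FULL                          # bits entry i insists on
    return (wj & fixed) == 0 and (bi & fixed) == (bj & fixed)


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Indices of entries an earlier entry already covers, so they can never match."""
    out = []
    for j, ej in enumerate(acl):
        for ei in acl[:j]:
            if ei.protocol not in ("ip", ej.protocol):
                continue
            if ei.dst_port is not None and ei.dst_port != ej.dst_port:
                continue
            if _covers(ei.src, ei.src_wc, ej.src, ej.src_wc) and \
                    _covers(ei.dst, ei.dst_wc, ej.dst, ej.dst_wc):
                out.append(j)
                break
    return out


# Constructed sample lists (not from the slides).
STANDARD_10 = ["access-list 10 deny host 192.168.10.10",
               "access-list 10 permit 192.168.10.0 0.0.0.255"]
SHADOWED_20 = ["access-list 20 permit 192.168.10.0 0.0.0.255",   # same lines, wrong order:
               "access-list 20 deny host 192.168.10.10"]         # the deny is unreachable
EXTENDED_110 = ["access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq www",
                "access-list 110 permit icmp 192.168.10.0 0.0.0.255 any"]
```

Running `evaluate(build_acl(STANDARD_10), "tcp", "192.168.20.1", "10.1.1.5")` returns `("deny", None)`: no line matched, so the implicit deny applied. `shadowed_entries(build_acl(SHADOWED_20))` returns `[1]`, and evaluating the blocked host against that list returns a permit, which is exactly the failure the ordering rule above guards against. With `EXTENDED_110`, a TCP packet to 10.1.1.5 port 443 is dropped by the implicit deny even though port 80 is allowed.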

Page 14

ACL Examples

Page 15

ACL Examples

Page 16

ACL Examples

Page 17

Named ACL Configuration

Page 18

ACL Examples

Page 19

Extended ACL Configuration

Page 20

ACL Examples

Page 21

ACL Examples

Page 22

ACL Examples

Page 23

ACL Examples

Page 24