1.1 67. Access Control Lists Overview

Access control lists (ACLs) define rules to identify and filter network traffic based on packet attributes. Standard ACLs filter based only on source IP addresses, while extended ACLs can also filter based on protocols, ports, and destination addresses. Examples show how to configure numbered and named ACLs on routers to permit or deny traffic between networks for various protocols and ports.


Access Control Lists


KHAWAR BUTT
CCIE # 12353 [R/S, Security, SP, DC, Voice, Storage & CCDE]
Overview
 Access Control Lists Overview
 ACL Types
 Standard ACLs
 Standard ACL Examples
 Extended ACLs
 Extended ACL Examples
Access Control Lists Overview
 An access list (ACL) is a set of rules defined for identifying network traffic.
 Identified traffic can receive different treatment depending on the function that is calling the ACL.
 Examples of functions that can call the ACL are Traffic Filtering, Quality of Service (QoS), VPNs, etc.
 An ACL consists of statements known as Access Control Entries (ACEs).
 An ACE is a statement that either permits or denies the traffic it identifies.
 An ACL is consulted in top-down order using a first-match methodology: once an ACE is matched, further ACL statements are not processed.
 There is an implicit Deny All statement at the end of each ACL. This statement comes into effect when none of the ACEs match the traffic.
ACL Types
 There are 2 main types of ACLs:
• Standard ACL – It can permit or deny traffic based only on the source address field of the packet.
• Extended ACL – It can permit or deny traffic based on the following:
o Source / Destination IP Address Field
o Protocol: TCP/UDP/ICMP
o Application Protocol / Port Numbers: WWW [80], Telnet [23], DNS [53]
Standard ACLs
 Standard ACLs are used to filter traffic by matching on the Source IP Address field of an IP packet.
 Standard ACLs can be either Numbered or Named.
 Numbered ACLs use numbers in the ranges 1 – 99 or 1300 – 1999.
 Named ACLs use names to identify the ACLs.
 Entries within the ACL are known as Access Control Entries (ACEs).
 There is an implicit “Deny Any” statement at the end of each ACL.
 The implicit Deny statement is not visible in your configuration.
Inverse Mask
 To classify / match a network, you need to use a Wildcard Mask.
 The Wildcard mask specifies the bits to match in the incoming packet.
 The Wildcard mask uses a “0” bit to match the bit and a “1” bit to ignore the bit.
 If you would like to block an entire network, the network bits will be set to “0” in the wildcard mask and the host bits will be set to “1”.
 This will match any host on that network.
 Use the following table to find the Wildcard mask for a network (subtract the Subnet Mask from 255.255.255.255):

                 255 . 255 . 255 . 255
  Subnet Mask    255 . 255 . 255 .   0
  Wildcard Mask    0 .   0 .   0 . 255
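An added example (not from the slides) that derives a wildcard mask the way the table above does and applies the bit test the bullets describe; the function names are this example's own. It also counts how many addresses an entry covers, which makes the common mistake of typing the subnet mask where the wildcard belongs visible.

```python
# Added example: wildcard (inverse) masks as used by Cisco ACLs.
import ipaddress

def wildcard_from_mask(subnet_mask):
    """The page's table: wildcard = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def wildcard_from_prefix(prefix_len):
    """Same result from a /N prefix length, e.g. /24 -> 0.0.0.255 and /30 -> 0.0.0.3."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(netmask))

def matches(address, network, wildcard):
    """Bit test: where the wildcard bit is '0' the address must equal the network bit;
    where it is '1' the bit is ignored. 'host A' is A 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def hosts_matched(wildcard):
    """How many addresses an entry with this wildcard covers: 2 ** (number of '1' bits)."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")
```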
Network Diagram:
 R1 – E0/1: LAN 192.1.10.0/24 (host .5); E0/0: link 192.1.12.0/24 to R2
 R2 – E0/0: link 192.1.12.0/24 to R1; E0/2: LAN 192.1.20.0/24 (host .5); E0/1: link 192.1.23.0/24 to R3
 R3 – E0/0: link 192.1.23.0/24 to R2; E0/1: LAN 192.1.30.0/24 (host .5)
Standard ACL Examples:
Example#1: Blocking the 192.1.10.0/24 network from accessing the 192.1.30.0/24 network using a Numbered ACL. Permit the rest of the traffic.
access-list 1 deny 192.1.10.0 0.0.0.255
access-list 1 permit any
!
interface Ethernet0/1
 ip access-group 1 out

Example#2: Blocking the host 192.1.10.5 from accessing the 192.1.20.0/24 network using a Named ACL. Permit the rest of the traffic.
ip access-list standard ACL-1
 deny host 192.1.10.5
 permit any
!
interface Ethernet0/2
 ip access-group ACL-1 out
Extended ACLs
 Extended ACLs are used to filter traffic by matching on the following:
• Source / Destination IP Address Field
• Protocol: TCP/UDP/ICMP
• Application Protocol / Port Numbers: WWW [80], Telnet [23], DNS [53]
 Extended ACLs can be either Numbered or Named.
 Numbered ACLs use numbers in the ranges 100 – 199 or 2000 – 2699.
 Named ACLs use names to identify the ACLs.
 Just like Standard ACLs, Extended ACLs also have an implicit “Deny” statement at the end of each ACL.
 The implicit deny statement uses the protocol IP to indicate all protocols, “any” to indicate any source and “any” to indicate any destination.
 The implicit Deny statement for an extended ACL is “deny ip any any”.
Network Diagram: same topology as in the Standard ACL section.
Extended ACL Examples:
Example#1: Blocking the 192.1.10.0/24 network from accessing the 192.1.20.0/24 & 192.1.30.0/24 networks for Telnet and ICMP using a Numbered ACL. Permit the rest of the traffic. Configure R1 for the block.

access-list 100 deny tcp 192.1.10.0 0.0.0.255 192.1.20.0 0.0.0.255 eq 23
access-list 100 deny icmp 192.1.10.0 0.0.0.255 192.1.20.0 0.0.0.255 echo
access-list 100 deny tcp 192.1.10.0 0.0.0.255 192.1.30.0 0.0.0.255 eq 23
access-list 100 deny icmp 192.1.10.0 0.0.0.255 192.1.30.0 0.0.0.255 echo
access-list 100 permit ip any any
!
interface Ethernet0/1
 ip access-group 100 in
Example#2: Blocking the 192.1.20.0/24 network from accessing the 192.1.10.0/24 & 192.1.30.0/24 networks for HTTP and ICMP using a Named ACL. Permit the rest of the traffic. Configure R2 for the block.

ip access-list extended ACL-1
 deny tcp 192.1.20.0 0.0.0.255 192.1.10.0 0.0.0.255 eq 80
 deny icmp 192.1.20.0 0.0.0.255 192.1.10.0 0.0.0.255 echo
 deny tcp 192.1.20.0 0.0.0.255 192.1.30.0 0.0.0.255 eq 80
 deny icmp 192.1.20.0 0.0.0.255 192.1.30.0 0.0.0.255 echo
 permit ip any any
!
interface Ethernet0/2
 ip access-group ACL-1 in
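An added example (not from the slides) that parses the numbered ACL lines of Extended Example#1 and evaluates sample packets the way the router does: top-down, first match wins, and the implicit deny fires when nothing matches. It accepts the `host` and `any` address forms as well, so the same evaluator could be fed Example#2's entries once prefixed with `access-list`; the function names and the packet dictionary format are this example's own assumptions.

```python
# Added example: evaluate Cisco IOS extended ACL lines top-down, first match wins, implicit deny.
from ipaddress import IPv4Address as IP

ICMP_TYPES = {"echo": 8, "echo-reply": 0}  # only the keywords the page's ACLs use

def _addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD' -> (network, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(IP(tokens.pop(0))), 0
    return int(IP(tok)), int(IP(tokens.pop(0)))

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | echo]' into a dict."""
    tokens = line.lower().split()
    ace = {"action": tokens[2], "proto": tokens[3]}
    rest = tokens[4:]
    ace["src"], ace["dst"] = _addr(rest), _addr(rest)  # consumed left to right
    # Optional qualifier: 'eq PORT' for tcp/udp, or an ICMP type keyword such as 'echo'.
    ace["qual"] = (("dport", int(rest[1])) if rest[:1] == ["eq"]
                   else ("icmp_type", ICMP_TYPES[rest[0]]) if rest else None)
    return ace

def _wild_match(addr, net, wildcard):
    """A '0' wildcard bit must equal the network bit; a '1' bit is ignored."""
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl, pkt):
    """Return (action, ace_index); index None means the implicit 'deny ip any any' fired."""
    for i, ace in enumerate(acl):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_wild_match(int(IP(pkt["src"])), *ace["src"])
                and _wild_match(int(IP(pkt["dst"])), *ace["dst"])):
            continue
        if ace["qual"] and pkt.get(ace["qual"][0]) != ace["qual"][1]:
            continue
        return ace["action"], i  # first match wins; later ACEs are not consulted
    return "deny", None  # no ACE matched: implicit deny

# The ACL from Extended Example#1 on the page (R1, applied inbound on Ethernet0/1).
ACL_100 = [parse_ace(l) for l in """\
access-list 100 deny tcp 192.1.10.0 0.0.0.255 192.1.20.0 0.0.0.255 eq 23
access-list 100 deny icmp 192.1.10.0 0.0.0.255 192.1.20.0 0.0.0.255 echo
access-list 100 deny tcp 192.1.10.0 0.0.0.255 192.1.30.0 0.0.0.255 eq 23
access-list 100 deny icmp 192.1.10.0 0.0.0.255 192.1.30.0 0.0.0.255 echo
access-list 100 permit ip any any""".splitlines()]
```

Note that only ICMP echo requests are denied: an echo reply from 192.1.10.5 falls through to the final `permit ip any any`, and removing that last line leaves HTTP from the same host to be dropped by the implicit deny.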