35 What Is ACL Access Control List Example

The document discusses access control lists (ACLs), which are lists that permit or deny network traffic based on criteria like source/destination addresses and protocols. It covers the basics of standard and extended ACLs, provides configuration examples, and discusses named ACLs. The document contains detailed technical information about network security concepts in ACLs.

Uploaded by

EIH Tech
What Is ACL – Access Control List Example


Table of Contents
1. What Is Access Control List
2. Types of Access Control List
3. Standard Access List
3.1. Standard Access Control List Example
4. Extended Access List
4.1. Extended Access Control List Example
5. Named Access List
5.1. Syntax for Standard Named Access List

What Is Access Control List

An ACL (Access Control List) is an ordered list of statements that permit or deny the movement of data at the network layer and above. ACLs are used to filter traffic in a network as required by the security policy.

Packet filtering: Packet filtering checks incoming and outgoing packets against a set of criteria to decide whether each packet should be forwarded or dropped. This is usually done by a router. Traffic can be filtered on the source and destination layer 3 (IP) addresses, the source and destination port numbers, and the protocol in use.

The three rules of configuring ACLs: There are three rules that should always be observed when configuring ACLs. They determine how traffic will flow on the network, so they should not be ignored.

ACL per protocol: one ACL controls each protocol you have configured on the router.

ACL per direction: there are two directions; inbound traffic is traffic coming into the router through an interface, and outbound traffic is traffic leaving the router through an interface.

ACL per interface: an ACL is applied to a specific interface and controls the traffic passing through that interface in the direction it is applied.


Types of Access Control List

Numbered and Named Access Lists: A numbered access list is identified by a number that is unique among all access lists on the device, while a named access list is identified by a unique name.

Standard and Extended Access Lists: A standard access list can filter traffic only on the source IP address of the IP datagram. An extended access list can filter on the source IP address, destination IP address, protocol (TCP, UDP, etc.), port number, and so on.

Access list type and number range:

Standard     1-99, 1300-1999
Extended     100-199, 2000-2699

Standard Access List

Standard Access Control List Example

The full syntax of the standard ACL command is as follows:

Router(config)#access-list <ACLno> <deny|permit> <source_network> <wildcard_mask>

Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

The full syntax of the standard ACL command to filter a specific host is as follows:

Router(config)#access-list <ACLno> <deny|permit> <source_ip_address> <wildcard_mask>

Router(config)#access-list 1 permit 192.168.1.2 0.0.0.0

or

Router(config)#access-list <ACLno> <deny|permit> host <source_ip_address>

Router(config)#access-list 1 deny host 192.168.1.2

The command to permit all addresses is:

Router(config)#access-list <ACLno> permit 0.0.0.0 255.255.255.255

or

Router(config)#access-list <ACLno> permit any

The next command applies the access list to the appropriate interface; it is entered in interface configuration mode:

Router(config-if)#ip access-group <ACLno> <in|out>

Router(config-if)#ip access-group 1 in

Inbound access list: packets are processed through the access list before being routed to the outbound interface.

Outbound access list: packets are routed to the outbound interface first and are then processed through the access list.

Extended Access List

An extended access list allows you to permit or deny traffic from specific source IP addresses to a specific destination IP address and port. Extended IP access lists are almost identical to standard IP access lists in their use. The key difference between the two types is the variety of packet fields that an extended access list can compare for a match. An extended access list can filter traffic on many other factors:

Source and destination IP addresses.

A protocol such as IP, TCP, UDP, ICMP, etc.

Protocol information: port numbers for TCP and UDP, or the message type for ICMP.

Extended Access Control List Example

Router(config)#access-list [ACLno] permit|deny IP_protocol source_address source_wildcard_mask [source_protocol_information] destination_address destination_wildcard_mask [destination_protocol_information]

ACLno: for an extended access control list, the access list number must be between 100-199 or 2000-2699.

permit/deny: whether to permit or deny matching traffic.

IP_protocol: the IP protocol to match, such as IP, ICMP, TCP, etc.

source_address: the source IP address.

source_wildcard_mask: the source wildcard mask.

source_protocol_information: additional source protocol information, such as TCP or UDP port numbers.

destination_address: the destination IP address.

destination_wildcard_mask: the destination wildcard mask.

destination_protocol_information: additional destination protocol information, such as TCP or UDP port numbers.

Wildcard mask: instead of specifying a single IP address, you can also permit or deny a whole network or subnetwork by using a wildcard mask, also known as an inverse mask.

Router(config)#access-list 100 deny tcp any host 192.168.0.22 eq 23

This line denies any source host trying to telnet (TCP port 23) to destination host 192.168.0.22. Keep in mind that the next line is an implicit deny by default. If you apply this access list to an interface as it stands, you might as well just shut the interface down, because by default there is an implicit deny-all at the end of every access list.

Router(config)#access-list 100 permit ip any any

The "ip" keyword in this line is important because it permits the whole IP stack. If "tcp" were used instead of "ip", then UDP, ICMP, etc. would all be denied.

Now we apply the list to an interface with the same command used for the standard IP list:

Router(config-if)#ip access-group 100 in

or

Router(config-if)#ip access-group 100 out

Named Access List

Named access lists are much like standard and extended access lists, but with names and the addition of line numbers. You can give names to identify your access lists. Named access lists allow standard and extended ACLs to be given names instead of numbers, so we can have either a Standard Named Access List or an Extended Named Access List.

Syntax for Standard Named Access List:

R1>enable
R1#configure terminal
R1(config)#ip access-list standard BLOCK_NETWORK1
R1(config-std-nacl)#deny 172.16.0.0 0.0.255.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#exit

After this, you have to apply the standard named access list to an interface with the "in" or "out" keyword:

R3>enable
R3#conf t
R3(config)#interface fa0/0
R3(config-if)#ip access-group BLOCK_NETWORK1 out
R3(config-if)#exit
R3(config)#exit

Syntax of Extended Named Access List

R1>enable
R1#conf t
R1(config)#ip access-list extended BLOCK_WS03
R1(config-ext-nacl)#deny tcp host 172.16.0.12 host 172.20.0.5 eq 80
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#exit

There is an implicit "deny any" at the end of every access list. If there were no "permit ip any any" statement at the end, the above extended named access list would filter out all traffic. The "permit ip any any" statement permits any other IP traffic that did not match the preceding deny statement. The above extended named access list therefore allows all traffic except HTTP traffic from 172.16.0.12/16 to 172.20.0.5/16.

Configure interface

R1>enable
R1#conf t
R1(config)#interface fa0/0
R1(config-if)#ip access-group BLOCK_WS03 in
R1(config-if)#exit
R1(config)#exit
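The matching rules this article relies on (first match wins, wildcard masks, and the implicit deny at the end of every list) can be checked offline before a list is applied to a live interface. The evaluator below is an added example and is not code from the article or from EIHeducation; the ACE dictionary layout, the helper names and the sample packets are constructed for illustration, and the two lists encoded are the article's ACL 100 and the standard named list BLOCK_NETWORK1.

```python
import ipaddress

# Added example (not from the article): a minimal Cisco-style ACL evaluator
# implementing first-match semantics, wildcard (inverse) masks and the
# implicit "deny any" that ends every access list. ACE layout is constructed.

def wildcard_match(addr, network, wildcard):
    """Wildcard bit 1 = don't care, bit 0 = must equal the network bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def host(ip):
    return (ip, "0.0.0.0")            # 'host X' is shorthand for wildcard 0.0.0.0

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' matches every address

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt against an ordered list of ACEs."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):   # 'ip' matches every protocol
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if "dport" in ace and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]          # first matching entry decides
    return "deny"                     # implicit deny-all at the end of the list

# The article's ACL 100: deny telnet to 192.168.0.22, then permit ip any any
ACL_100 = [
    {"action": "deny", "proto": "tcp", "src": ANY, "dst": host("192.168.0.22"), "dport": 23},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]
ACL_100_NO_PERMIT = ACL_100[:1]       # permit line forgotten: only the implicit deny is left

# The article's standard named list BLOCK_NETWORK1 (matches on source only)
BLOCK_NETWORK1 = [
    {"action": "deny", "proto": "ip", "src": ("172.16.0.0", "0.0.255.255"), "dst": ANY},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]

if __name__ == "__main__":
    telnet = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.0.22", "dport": 23}
    web = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.0.22", "dport": 80}
    print(evaluate(ACL_100, telnet), evaluate(ACL_100, web))      # deny permit
    print(evaluate(ACL_100_NO_PERMIT, web))                         # deny
```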
