L06 - Acl

Uploaded by maixuanhuy1710

University of Information Technology – VNU-HCM

Faculty of Computer Networks & Communications

Access Control List


NT132 – Network and System Administration
Lecturer: Đỗ Hoàng Hiển
[email protected]
What are we learning today?
1. ACL concepts
2. Configuring ACLs

Contents
ACL

NT132 – Network and System Administration 2


Purpose of ACLs
Purpose of ACLs
What is an ACL?
An ACL is a series of IOS commands that are used to filter packets based on information found
in the packet header. By default, a router does not have any ACLs configured. When an ACL is
applied to an interface, the router performs the additional task of evaluating all network packets
as they pass through the interface to determine if the packet can be forwarded.
• An ACL uses a sequential list of permit or deny statements, known as access control entries
(ACEs).
Note: ACEs are also commonly called ACL statements.
• When network traffic passes through an interface configured with an ACL, the router
compares the information within the packet against each ACE, in sequential order, to
determine if the packet matches one of the ACEs. This process is called packet filtering.


Purpose of ACLs
What is an ACL? (Cont.)
Several tasks performed by routers require the use of ACLs to identify traffic:
• Limit network traffic to increase network performance
• Provide traffic flow control
• Provide a basic level of security for network access
• Filter traffic based on traffic type
• Screen hosts to permit or deny access to network services
• Provide priority to certain classes of network traffic


Purpose of ACLs
Packet Filtering
▪ Packet filtering controls access to a network by analyzing the incoming and/or outgoing packets and forwarding them or discarding them based on given criteria.
▪ Packet filtering can occur at Layer 3 or Layer 4.
▪ Cisco routers support two types of ACLs:
• Standard ACLs - These filter only at Layer 3, using the source IPv4 address.
• Extended ACLs - These filter at Layer 3 using the source and/or destination IPv4 address. They can also filter at Layer 4 using TCP and UDP ports, and optional protocol type information, for finer control.


Purpose of ACLs
ACL Operation
• ACLs define the set of rules that give added control for packets that enter inbound
interfaces, packets that relay through the router, and packets that exit outbound interfaces of
the router.
• ACLs can be configured to apply to inbound traffic and outbound traffic.
Note: ACLs do not act on packets that originate from the router itself.
• An inbound ACL filters packets before they are routed to the outbound interface. An inbound
ACL is efficient because it saves the overhead of routing lookups if the packet is discarded.
• An outbound ACL filters packets after being routed, regardless of the inbound interface.


Purpose of ACLs
ACL Operation (Cont.)
When an ACL is applied to an interface, it follows a specific operating procedure. Here are the
operational steps used when traffic has entered a router interface with an inbound standard
IPv4 ACL configured:
1. The router extracts the source IPv4 address from the packet header.
2. The router starts at the top of the ACL and compares the source IPv4 address to each
ACE in a sequential order.
3. When a match is made, the router carries out the instruction, either permitting or denying
the packet, and the remaining ACEs in the ACL, if any, are not analyzed.
4. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded
because there is an implicit deny ACE automatically applied to all ACLs.
The last ACE statement of an ACL is always an implicit deny that blocks all traffic. It is hidden
and not displayed in the configuration.
Note: An ACL must have at least one permit statement otherwise all traffic will be denied due
to the implicit deny ACE statement.
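The four operational steps above, as an added example that is not part of the lecture: a small Python simulator that parses numbered standard ACEs in IOS syntax (including the host and any keywords and remark lines), evaluates a source address against them top to bottom, stops at the first match, and falls through to the implicit deny. Per-ACE hit counters imitate what show access-lists displays; the implicit-deny counter exists only in this example, since IOS shows no statistics for the hidden deny. The sample ACL lines are constructed for the example.

```python
# Added example, not from the lecture: a simulator for inbound standard IPv4 ACL
# evaluation. ACEs are tried top to bottom, the first match decides, and a packet
# that matches nothing hits the implicit deny. Hit counters mimic `show access-lists`;
# the implicit-deny counter is kept only for illustration (IOS displays none).
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = compare this bit, wildcard bit 1 = ignore it."""
    compare_bits = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) ^ ip_to_int(base)) & compare_bits == 0


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    base: str          # source address or network
    wildcard: str      # wildcard mask
    matches: int = 0   # hit counter


def parse_standard_ace(line: str) -> Optional[Ace]:
    """Parse `access-list <n> {permit|deny|remark} <source> [wildcard]`.

    Accepts the `host` and `any` keywords. Remark lines return None (no entry).
    """
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not a numbered ACL line: {line!r}")
    action, source = tokens[2], tokens[3:]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if source == ["any"]:
        return Ace(action, "0.0.0.0", "255.255.255.255")
    if source[0] == "host":
        return Ace(action, source[1], "0.0.0.0")
    if len(source) == 1:                      # IOS default wildcard for standard ACLs
        return Ace(action, source[0], "0.0.0.0")
    return Ace(action, source[0], source[1])


@dataclass
class StandardAcl:
    number: int
    aces: List[Ace] = field(default_factory=list)
    implicit_denies: int = 0

    def evaluate(self, src_ip: str) -> str:
        """Steps 1-4 from the lecture: take the source, compare in order, stop at first match."""
        for ace in self.aces:
            if wildcard_match(src_ip, ace.base, ace.wildcard):
                ace.matches += 1
                return ace.action
        self.implicit_denies += 1             # hidden `deny any` at the end of every ACL
        return "deny"

    def statistics(self) -> List[str]:
        """Lines in the spirit of `show access-lists` (the format here is this example's own)."""
        return [f"{a.action} {a.base} {a.wildcard} ({a.matches} matches)" for a in self.aces]


def build_acl(lines: List[str]) -> StandardAcl:
    acl = StandardAcl(int(lines[0].split()[1]))
    for line in lines:
        ace = parse_standard_ace(line)
        if ace is not None:
            acl.aces.append(ace)
    return acl


# Constructed sample ACL; the addresses follow the lecture's 192.168.x.0 examples.
SAMPLE_ACL_LINES = [
    "access-list 10 remark Block one host, allow the rest of LAN 10 and all of LAN 20",
    "access-list 10 deny host 192.168.10.11",
    "access-list 10 permit 192.168.10.0 0.0.0.255",
    "access-list 10 permit 192.168.20.0 0.0.0.255",
]

if __name__ == "__main__":
    acl = build_acl(SAMPLE_ACL_LINES)
    for src in ("192.168.10.11", "192.168.10.10", "192.168.20.77", "10.0.0.1"):
        print(f"{src:>15} -> {acl.evaluate(src)}")
    print("\n".join(acl.statistics()))
    print(f"implicitly denied: {acl.implicit_denies}")
```

Note that the order matters: if the permit for 192.168.10.0/24 were listed before the deny for host 192.168.10.11, that host would be permitted and the deny ACE would never be reached.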


Wildcard Masks in ACLs
Wildcard Masks in ACLs
Wildcard Mask Overview
A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which
bits in an IPv4 address to match. Unlike a subnet mask, in which binary 1 is equal to a match
and binary 0 is not a match, in a wildcard mask, the reverse is true.
▪ An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine
for a match.
▪ Wildcard masks use the following rules to match binary 1s and 0s:
• Wildcard mask bit 0 - Match the corresponding bit value in the address
• Wildcard mask bit 1 - Ignore the corresponding bit value in the address


Wildcard Masks in ACLs
Wildcard Mask Types
▪ Wildcard to Match a Host:
• Assume ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1.
Recall that “0” equals a match and “1” equals ignore. To match a specific host IPv4
address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required.
• When the ACE is processed, the wildcard mask will permit only the 192.168.1.1 address.
The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0.

                        Decimal        Binary
IPv4 address            192.168.1.1    11000000.10101000.00000001.00000001
Wildcard mask           0.0.0.0        00000000.00000000.00000000.00000000
Permitted IPv4 address  192.168.1.1    11000000.10101000.00000001.00000001


Wildcard Masks in ACLs
Wildcard Mask Types (Cont.)
Wildcard Mask to Match an IPv4 Subnet
• ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The wildcard
mask 0.0.0.255 stipulates that the very first three octets must match exactly but the fourth
octet does not.
• When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24
network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0
0.0.0.255.

                        Decimal         Binary
IPv4 address            192.168.1.1     11000000.10101000.00000001.00000001
Wildcard mask           0.0.0.255       00000000.00000000.00000000.11111111
Permitted IPv4 address  192.168.1.0/24  11000000.10101000.00000001.00000000


Wildcard Masks in ACLs
Wildcard Mask Calculation
Calculating wildcard masks can be challenging. One shortcut method is to subtract
the subnet mask from 255.255.255.255. Some examples:
• Assume you wanted an ACE in ACL 10 to permit access to all users in the 192.168.3.0/24
network. To calculate the wildcard mask, subtract the subnet mask (255.255.255.0) from
255.255.255.255. This produces the wildcard mask 0.0.0.255. The ACE would be access-list 10 permit 192.168.3.0 0.0.0.255.
• Assume you wanted an ACE in ACL 10 to permit network access for the 14 users in the
subnet 192.168.3.32/28. Subtract the subnet mask (i.e., 255.255.255.240) from 255.255.255.255.
This produces the wildcard mask 0.0.0.15. The ACE would be access-list 10 permit
192.168.3.32 0.0.0.15.
• Assume you needed an ACE in ACL 10 to permit only networks 192.168.10.0 and
192.168.11.0. These two networks could be summarized as 192.168.10.0/23 which is a
subnet mask of 255.255.254.0. Subtract 255.255.254.0 subnet mask from 255.255.255.255.
This produces the wildcard mask 0.0.1.255. The ACE would be access-list 10 permit
192.168.10.0 0.0.1.255.
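The subtraction shortcut and the wildcard-mask rules from the previous slides, as an added example that is not part of the lecture. The first function is the octet-by-octet subtraction from 255.255.255.255; the second derives the same mask from a prefix length and is used to render complete ACE lines, substituting the host and any keywords where they apply (host for a /32, any for 0.0.0.0/0). The three lecture cases (/24, /28 and the /23 summary of 192.168.10.0 and 192.168.11.0) are the inputs; the function names and the ACL number are this example's own.

```python
# Added example, not from the lecture: deriving wildcard masks and rendering
# standard ACEs from a CIDR block. Function names are this example's own.
from ipaddress import IPv4Address, IPv4Network


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The lecture's shortcut: 255.255.255.255 minus the subnet mask, octet by octet."""
    octets = [255 - int(o) for o in subnet_mask.split(".")]
    if len(octets) != 4 or any(o < 0 for o in octets):
        raise ValueError(f"invalid subnet mask {subnet_mask!r}")
    return ".".join(str(o) for o in octets)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same mask derived from /n: the bitwise complement of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(IPv4Address(~subnet_mask & 0xFFFFFFFF))


def addresses_covered(wildcard: str) -> int:
    """Each ignored (1) bit in the wildcard doubles the number of addresses the ACE matches."""
    ignored_bits = bin(int(IPv4Address(wildcard))).count("1")
    return 2 ** ignored_bits


def standard_ace(acl_number: int, action: str, cidr: str) -> str:
    """Render `access-list <n> <action> <source> <wildcard>` for a CIDR block.

    Uses the `host` keyword for a /32 and `any` for 0.0.0.0/0, as IOS allows.
    """
    net = IPv4Network(cidr, strict=False)   # strict=False: a host address inside the block is fine
    if net.prefixlen == 32:
        return f"access-list {acl_number} {action} host {net.network_address}"
    if net.prefixlen == 0:
        return f"access-list {acl_number} {action} any"
    wildcard = wildcard_from_prefix(net.prefixlen)
    return f"access-list {acl_number} {action} {net.network_address} {wildcard}"


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.240", "255.255.254.0"):
        print(f"{mask:>17} -> wildcard {wildcard_from_subnet_mask(mask)}")
    for cidr in ("192.168.3.0/24", "192.168.3.32/28", "192.168.10.0/23",
                 "192.168.1.1/32", "0.0.0.0/0"):
        print(standard_ace(10, "permit", cidr))
    print("addresses matched by 0.0.0.15:", addresses_covered("0.0.0.15"))
```

The 0.0.0.15 mask matches 16 addresses, which is the /28 block including its network and broadcast addresses; the "14 users" on the slide are the usable hosts in that block.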


Wildcard Masks in ACLs
Wildcard Mask Keywords
The Cisco IOS provides two keywords to identify the most common uses of wildcard masking.
The two keywords are:
• host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address
bits must match to filter just one host address.
• any - This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the
entire IPv4 address or to accept any addresses.


Guidelines for ACL Creation
Guidelines for ACL Creation
Limited Number of ACLs per Interface
▪ There is a limit on the number of ACLs that can be applied on a router interface. For
example, a dual-stacked (i.e., IPv4 and IPv6) router interface can have up to four ACLs
applied, as shown in the figure.
▪ Specifically, a router interface can have:
• One outbound IPv4 ACL.
• One inbound IPv4 ACL.
• One inbound IPv6 ACL.
• One outbound IPv6 ACL.

Note: ACLs do not have to be configured in both directions. The number of ACLs and the direction in which they are applied to the interface will depend on the security policy of the organization.


Types of IPv4 ACLs
Types of IPv4 ACLs
Standard and Extended ACLs

There are two types of IPv4 ACLs:
• Standard ACLs - These permit or deny packets based only on the source IPv4 address.
• Extended ACLs - These permit or deny packets based on the source IPv4 address and
destination IPv4 address, protocol type, source and destination TCP or UDP ports and more.


Types of IPv4 ACLs
Numbered and Named ACLs
Numbered ACLs
• ACLs numbered 1-99, or 1300-1999 are standard ACLs, while ACLs numbered 100-199, or
2000-2699 are extended ACLs.

R1(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
rate-limit Simple rate-limit specific access list
template Enable IP template acls
Router(config)# access-list


Types of IPv4 ACLs
Numbered and Named ACLs (Cont.)
Named ACLs
• Named ACLs are the preferred method to use when configuring ACLs. Specifically, standard
and extended ACLs can be named to provide information about the purpose of the ACL. For
example, naming an extended ACL FTP-FILTER is far better than having a numbered ACL
100.
• The ip access-list global configuration command is used to create a named ACL, as shown
in the following example.

R1(config)# ip access-list extended FTP-FILTER
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
R1(config-ext-nacl)#


Types of IPv4 ACLs
Where to Place ACLs

• Every ACL should be placed where it has the greatest impact on efficiency.
• Extended ACLs should be located as close as possible to the source of the traffic to be filtered.
• Standard ACLs should be located as close to the destination as possible.


Types of IPv4 ACLs
Standard ACL Placement Example
In the figure, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network.

Following the basic placement guidelines, the administrator would place a standard ACL on router R3.


Types of IPv4 ACLs
Standard ACL Placement Example (Cont.)
There are two possible interfaces on R3 to apply the standard ACL:
• R3 S0/1/1 interface (inbound) - The standard ACL can be applied inbound on the R3 S0/1/1 interface to deny traffic from the .10 network. However, it would also filter .10 traffic to the 192.168.31.0/24 (.31 in this example) network. Therefore, the standard ACL should not be applied to this interface.
• R3 G0/0/0 interface (outbound) - The standard ACL can be applied outbound on the R3 G0/0/0 interface. This will not affect other networks that are reachable by R3. Packets from the .10 network will still be able to reach the .31 network. This is the best interface on which to place the standard ACL to meet the traffic requirements.


Types of IPv4 ACLs
Extended ACL Placement Example
• Extended ACLs should be located as close to the source as possible.
• However, the organization can only place ACLs on devices that they control. Therefore, the extended ACL placement must be determined in the context of where organizational control extends.
• In the figure, for example, Company A wants to deny Telnet and FTP traffic to Company B’s 192.168.30.0/24 network from their 192.168.11.0/24 network, while permitting all other traffic.


Types of IPv4 ACLs
Extended ACL Placement Example (Cont.)
▪ An extended ACL on R3 would accomplish the task, but the administrator does not control R3. In addition, this solution allows unwanted traffic to cross the entire network, only to be blocked at the destination.
▪ The solution is to place an extended ACL on R1 that specifies both source and destination addresses.
▪ There are two possible interfaces on R1 to apply the extended ACL:
• R1 S0/1/0 interface (outbound) - The extended ACL can be applied outbound on the S0/1/0 interface. This solution will process all packets leaving R1, including packets from 192.168.10.0/24.
• R1 G0/0/1 interface (inbound) - The extended ACL can be applied inbound on the G0/0/1 interface, and only packets from the 192.168.11.0/24 network are then subject to ACL processing on R1. Because the filter is to be limited to only those packets leaving the 192.168.11.0/24 network, applying the extended ACL to G0/0/1 is the best solution.


Configure Standard IPv4 ACLs
Configure Standard IPv4 ACLs
Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the access-list command.

Parameter           Description
access-list-number  Number range is 1 to 99 or 1300 to 1999
deny                Denies access if the condition is matched
permit              Permits access if the condition is matched
remark text         (Optional) Text entry for documentation purposes
source              Identifies the source network or host address to filter
source-wildcard     (Optional) 32-bit wildcard mask that is applied to the source
log                 (Optional) Generates and sends an informational message when the ACE is matched

Note: Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.


Configure Standard IPv4 ACLs
Named Standard IPv4 ACL Syntax
To create a named standard ACL, use the ip access-list standard command.
• ACL names are alphanumeric, case sensitive, and must be unique.
• Capitalizing ACL names is not required but makes them stand out when viewing the
running-config output.


Configure Standard IPv4 ACLs
Apply a Standard IPv4 ACL
After a standard IPv4 ACL is configured, it must be linked to an interface or feature.
• The ip access-group command is used to bind a numbered or named standard IPv4 ACL
to an interface.
• To remove an ACL from an interface, first enter the no ip access-group interface
configuration command.


Configure Standard IPv4 ACLs
Numbered Standard ACL Example
The example ACL permits traffic from host 192.168.10.10 and all hosts on the 192.168.20.0/24
network out interface serial 0/1/0 on router R1.


Configure Standard IPv4 ACLs
Numbered Standard ACL Example (Cont.)
• Use the show running-config command to review the ACL in the configuration.
• Use the show ip interface command to verify the ACL is applied to the interface.


Configure Standard IPv4 ACLs
Named Standard ACL Example
The example ACL permits traffic from host 192.168.10.10 and all hosts on the 192.168.20.0/24
network out interface serial 0/1/0 on router R1.


Configure Standard IPv4 ACLs
Named Standard ACL Example (Cont.)
• Use the show access-list command to review the ACL in the configuration.
• Use the show ip interface command to verify the ACL is applied to the interface.


Modify IPv4 ACLs
Modify IPv4 ACLs
Two Methods to Modify an ACL
After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can be
complex to configure. Sometimes the configured ACE does not yield the expected behaviors.
There are two methods to use when modifying an ACL:
• Use a text editor.
• Use sequence numbers.


Modify IPv4 ACLs
Text Editor Method
ACLs with multiple ACEs should be created in a text editor. This allows you to plan the required
ACEs, create the ACL, and then paste it into the router interface. It also simplifies the tasks to
edit and fix an ACL.
To correct an error in an ACL:
• Copy the ACL from the running configuration and paste it into the text editor.
• Make the necessary edits or changes.
• Remove the previously configured ACL on the router.
• Copy and paste the edited ACL back to the router.


Modify IPv4 ACLs
Sequence Number Method
An ACE can be deleted from or added to an ACL using the ACL sequence numbers.
• Use the ip access-list standard command to edit an ACL.
• Statements cannot be overwritten using an existing sequence number. The current statement must be deleted first with the no 10 command. Then the correct ACE can be added using a sequence number.


Modify IPv4 ACLs
Modify a Named ACL Example
Named ACLs can also use sequence numbers to delete and add ACEs. In the example an ACE
is added to deny hosts 192.168.10.11.
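The sequence-number editing rule from the two slides above, as an added example that is not part of the lecture: a small Python model of an ordered ACE table keyed by sequence number. A sequence number already in use cannot be overwritten; the entry has to be removed with no <seq> first, after which the corrected ACE can be added under the same number. The class, its method names and the ACL contents are this example's own; the "Duplicate sequence number" wording and the "highest number plus 10" rule for auto-assigned sequence numbers are assumptions about IOS behaviour, not taken from the lecture.

```python
# Added example, not from the lecture: an ordered ACE table keyed by sequence
# number, modelling the "delete first, then re-add" editing rule. The error
# message wording and the +10 auto-assignment rule are assumptions about IOS.
from typing import Dict, List


class SequencedAcl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, str] = {}     # sequence number -> ACE text

    def add(self, seq: int, ace: str) -> None:
        """`<seq> <ace>` in named-ACL configuration mode; refuses an occupied number."""
        if seq in self.entries:
            raise ValueError(f"% Duplicate sequence number {seq}")   # assumed wording
        self.entries[seq] = ace

    def append(self, ace: str) -> int:
        """ACE entered without a sequence number: assumed to get highest + 10."""
        seq = max(self.entries, default=0) + 10
        self.add(seq, ace)
        return seq

    def remove(self, seq: int) -> None:
        """`no <seq>`."""
        if seq not in self.entries:
            raise KeyError(f"sequence number {seq} not present")
        del self.entries[seq]

    def replace(self, seq: int, ace: str) -> None:
        """The two-step fix from the lecture: `no <seq>`, then re-add with the same number."""
        self.remove(seq)
        self.add(seq, ace)

    def show(self) -> List[str]:
        """Entries in sequence order, the way `show access-lists` lists them."""
        return [f"{seq} {ace}" for seq, ace in sorted(self.entries.items())]


if __name__ == "__main__":
    acl = SequencedAcl("NO-ACCESS")                 # constructed ACL name
    acl.append("deny host 192.168.10.10")           # becomes sequence 10
    acl.append("permit 192.168.10.0 0.0.0.255")     # becomes sequence 20
    acl.add(15, "deny host 192.168.10.11")          # inserted between 10 and 20
    try:
        acl.add(10, "deny host 192.168.10.12")      # rejected: 10 is already in use
    except ValueError as err:
        print(err)
    acl.replace(10, "deny host 192.168.10.12")      # `no 10`, then `10 deny ...`
    print("\n".join(acl.show()))
```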


Modify IPv4 ACLs
ACL Statistics
The show access-lists command in the example shows statistics for each statement that has
been matched.
• The deny ACE has been matched 20 times and the permit ACE has been matched 64 times.
• Note that the implied deny any statement does not display any statistics. To track how many implicitly denied packets have been matched, you must manually configure the deny any command.
• Use the clear access-list counters command to clear the ACL statistics.


Secure VTY Ports with a Standard IPv4 ACL
Secure VTY Ports with a Standard IPv4 ACL
The access-class Command
A standard ACL can secure remote administrative access to a device using the vty lines by
implementing the following two steps:
• Create an ACL to identify which administrative hosts should be allowed remote access.
• Apply the ACL to incoming traffic on the vty lines.


Secure VTY Ports with a Standard IPv4 ACL
Secure VTY Access Example
This example demonstrates how to configure an ACL to filter vty traffic.
• First, a local database entry for a user ADMIN and password class is configured.
• The vty lines on R1 are configured to use the local database for authentication, permit SSH
traffic, and use the ADMIN-HOST ACL to restrict traffic.


Secure VTY Ports with a Standard IPv4 ACL
Verify the VTY Port is Secured
After an ACL to restrict access to the vty lines is configured, it is important to verify it works as
expected.
To verify the ACL statistics, issue the show access-lists command.
• The match in the permit line of the output is a result of a successful SSH connection by host
with IP address 192.168.10.10.
• The match in the deny statement is due to the failed attempt to create an SSH connection
from a device on another network.


Configure Extended IPv4 ACLs
Configure Extended IPv4 ACLs
Extended ACLs

Extended ACLs provide a greater degree of control. They can filter on source
address, destination address, protocol (i.e., IP, TCP, UDP, ICMP), and port number.
Extended ACLs can be created as:
• Numbered Extended ACL - Created using the access-list access-list-number global
configuration command.
• Named Extended ACL - Created using the ip access-list extended access-list-name global configuration command.


Configure Extended IPv4 ACLs
Protocols and Ports
Extended ACLs can filter on internet protocols and ports. Use the ? to get help when entering a
complex ACE. The four highlighted protocols are the most popular options.

Protocol Options


Configure Extended IPv4 ACLs
Protocols and Ports (Cont.)
Selecting a protocol influences port options. Many TCP port options are available, as shown in
the output.


Configure Extended IPv4 ACLs
Protocols and Port Numbers Configuration Examples
Extended ACLs can filter on different port number and port name options.
This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses the
www port name. The second ACE uses the port number 80. Both ACEs achieve exactly the
same result.

Configuring the port number is required when there is no specific port name listed, such as for SSH (port number 22) or HTTPS (port number 443), as shown in the next example.


Configure Extended IPv4 ACLs
Apply a Numbered Extended IPv4 ACL

In this example, the ACL permits both HTTP and HTTPS traffic from the 192.168.10.0 network
to go to any destination.
Extended ACLs can be applied in various locations. However, they are commonly applied close
to the source. Here ACL 110 is applied inbound on the R1 G0/0/0 interface.


Configure Extended IPv4 ACLs
TCP Established Extended ACL
Extended ACLs can also provide basic stateful firewall services using the TCP established keyword.
• The established keyword enables inside traffic to exit the inside private network and permits
the returning reply traffic to enter the inside private network.
• TCP traffic generated by an outside host and attempting to communicate with an inside host
is denied.


Configure Extended IPv4 ACLs
TCP Established Extended ACL (Cont.)
• ACL 120 is configured to only permit returning web traffic to the inside hosts. The ACL is then
applied outbound on the R1 G0/0/0 interface.
• The show access-lists command shows that inside hosts are accessing the secure web
resources from the internet.
Note: A match occurs if the returning TCP segment has the ACK or reset (RST) flag bits set,
indicating that the packet belongs to an existing connection.
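The port-matching and established-keyword behaviour from the preceding slides, as an added example that is not part of the lecture: a Python evaluator for extended ACEs that supports a protocol, source and destination with wildcard masks, eq with either an IOS port name or a number, and established. It reproduces the two ACLs described above (an ACL 110 permitting HTTP and HTTPS out of 192.168.10.0/24, and an ACL 120 admitting only returning TCP traffic) and shows that a SYN-ACK coming back to an inside host matches ACL 120 while a connection initiated from outside falls to the implicit deny. The Packet and ExtAce structures, the small port-name table and the sample segments (203.0.113.5 is a documentation address) are constructed for this example.

```python
# Added example, not from the lecture: an evaluator for extended ACEs with
# protocol, wildcard-masked addresses, `eq <port>` and `established`.
# Packet, ExtAce, PORT_NAMES and the sample segments are this example's own.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple

# A few IOS port keywords; as the lecture notes, SSH (22) and HTTPS (443) have none
# and must be given as numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "www": 80}


def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    compare_bits = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) ^ ip_to_int(base)) & compare_bits == 0


@dataclass
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass
class ExtAce:
    action: str
    proto: str                            # "ip" matches every protocol
    src: Tuple[str, str]                  # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established:
            # Only a segment with ACK or RST set is treated as part of an existing connection.
            return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})
        return True


def _parse_address(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume `any`, `host A` or `A W` starting at tokens[i]; return the pair and next index."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ext_ace(line: str) -> ExtAce:
    """Parse `[access-list N] {permit|deny} <proto> <src> <dst> [eq <port>] [established]`."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, proto = t[0], t[1]
    src, i = _parse_address(t, 2)
    dst, i = _parse_address(t, i)
    dport, established = None, False
    while i < len(t):
        if t[i] == "eq":
            name = t[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            i += 2
        elif t[i] == "established":
            established = True
            i += 1
        else:
            raise ValueError(f"unsupported ACE option {t[i]!r}")
    return ExtAce(action, proto, src, dst, dport, established)


def evaluate(acl: List[ExtAce], packet: Packet) -> str:
    for ace in acl:
        if ace.matches(packet):
            return ace.action
    return "deny"                         # implicit deny any at the end


# Constructed ACLs mirroring the lecture's ACL 110 (web out of LAN 10) and ACL 120
# (only returning TCP traffic allowed back in).
ACL_110 = [parse_ext_ace("access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq www"),
           parse_ext_ace("access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 443")]
ACL_120 = [parse_ext_ace("access-list 120 permit tcp any 192.168.10.0 0.0.0.255 established")]

# Constructed sample segments.
OUTBOUND_HTTPS = Packet("tcp", "192.168.10.10", "203.0.113.5", 51000, 443, frozenset({"SYN"}))
OUTBOUND_SSH = Packet("tcp", "192.168.10.10", "203.0.113.5", 51001, 22, frozenset({"SYN"}))
RETURNING_SYNACK = Packet("tcp", "203.0.113.5", "192.168.10.10", 443, 51000, frozenset({"SYN", "ACK"}))
OUTSIDE_SYN = Packet("tcp", "203.0.113.5", "192.168.10.10", 40000, 22, frozenset({"SYN"}))
```

Run evaluate(ACL_110, OUTBOUND_HTTPS) and evaluate(ACL_120, RETURNING_SYNACK) to see the two permits, and evaluate(ACL_120, OUTSIDE_SYN) for the implicit deny. The established check inspects only flag bits, which is why the lecture calls this "basic" stateful filtering: the router keeps no connection table, it simply assumes a segment carrying ACK or RST belongs to a session that an inside host started.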


Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. To create a named extended ACL,
use the ip access-list extended configuration command.
In the example, a named extended ACL called NO-FTP-ACCESS is created and the prompt
changed to named extended ACL configuration mode. ACE statements are entered in the
named extended ACL sub configuration mode.


Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example
The topology below is used to demonstrate configuring and applying two named extended IPv4
ACLs to an interface:
• SURFING - This will permit inside HTTP and HTTPS traffic to exit to the internet.
• BROWSING - This will only permit returning web traffic to the inside hosts, while all other traffic exiting the R1 G0/0/0 interface is implicitly denied.


Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example (Cont.)
• The SURFING ACL permits HTTP and HTTPS traffic from inside users to exit the G0/0/1 interface connected to the internet. Web traffic returning from the internet is permitted back into the inside private network by the BROWSING ACL.
• The SURFING ACL is applied inbound and the BROWSING ACL is applied outbound on the R1 G0/0/0 interface.


Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example (Cont.)
The show access-lists command is used to verify the ACL statistics. Notice that the permit
secure HTTPS counters (i.e., eq 443) in the SURFING ACL and the return established counters
in the BROWSING ACL have increased.


Configure Extended IPv4 ACLs
Edit Extended ACLs
An extended ACL can be edited using a text editor when many changes are required. Or, if the
edit applies to one or two ACEs, then sequence numbers can be used.
Example:
• The ACE with sequence number 10 in the SURFING ACL has an incorrect source network address.


Configure Extended IPv4 ACLs
Edit Extended ACLs (Cont.)
• To correct this error the original statement is removed with the no sequence_# command
and the corrected statement is added replacing the original statement.
• The show access-lists command output verifies the configuration change.


Configure Extended IPv4 ACLs
Another Extended IPv4 ACL Example

Two named extended ACLs will be created:
• PERMIT-PC1 - This will only permit PC1 TCP access to the internet and deny all other hosts in the private network.
• REPLY-PC1 - This will only permit specified returning TCP traffic to PC1 and implicitly deny all other traffic.


Configure Extended IPv4 ACLs
Another Extended IPv4 ACL Example (Cont.)
• The PERMIT-PC1 ACL permits PC1 (192.168.10.10) TCP access for FTP, SSH, Telnet, DNS, HTTP, and HTTPS traffic.
• The REPLY-PC1 ACL will permit return traffic to PC1.
• The PERMIT-PC1 ACL is applied inbound and the REPLY-PC1 ACL is applied outbound on the R1 G0/0/0 interface.


Configure Extended IPv4 ACLs
Verify Extended ACLs
The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied.


Configure Extended IPv4 ACLs
Verify Extended ACLs (Cont.)
The show access-lists command can be used to confirm that the ACLs work as expected. The
command displays statistic counters that increase whenever an ACE is matched.
Note: Traffic must be generated to verify the operation of the ACL.


Configure Extended IPv4 ACLs
Verify Extended ACLs (Cont.)
The show running-config command can be used to validate what was configured. The
command also displays configured remarks.


That's all for today, see you next week!
