ECECNA3 Mod5

The document provides a comprehensive guide on creating, modifying, and applying Access Control Lists (ACLs) in networking. It covers both standard and extended ACLs, including syntax for creation, methods for modification, and commands for applying them to interfaces. Additionally, it emphasizes the importance of testing and verifying ACL functionality to ensure proper security measures are in place.

Uploaded by 20224273

5.1.1 Create an ACL
When configuring a complex ACL, it is suggested that you:
● Use a text editor and write out the specifics of the policy to be implemented.
● Add the IOS configuration commands to accomplish those tasks.
● Include remarks to document the ACL.
● Copy and paste the commands onto the device.
● Always thoroughly test an ACL to ensure that it correctly applies the desired policy.

5.1.2 Numbered Standard IPv4 ACL Syntax

To create a numbered standard ACL:

Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]

Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.


5.1.3 Named Standard IPv4 ACL Syntax

To create a named standard ACL:

Router(config)# ip access-list standard access-list-name

Use the no ip access-list standard access-list-name global configuration command to remove a named
standard IPv4 ACL.

5.1.4 Apply a Standard IPv4 ACL

The following command can be used to bind a numbered or named standard IPv4 ACL to an interface:

Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}

To remove an ACL from an interface, first enter the no ip access-group interface configuration command.
However, the ACL will still be configured on the router. To remove the ACL from the router, use the no
access-list global configuration command.

5.2.1 Two Methods to Modify an ACL

There are two methods to use when modifying an ACL:

● Use a text editor
● Use sequence numbers

5.2.2 Text Editor Method

ACLs with multiple ACEs should be created in a text editor. This allows you to plan the required ACEs, create
the ACL, and then paste it into the router interface. It also simplifies the tasks to edit and fix an ACL.

To correct the error:

● Copy the ACL from the running configuration and paste it into the text editor.
● Make the necessary changes.
● Remove the previously configured ACL on the router; otherwise, pasting the edited ACL commands will
only append (i.e., add) to the existing ACEs of the ACL on the router.
● Copy and paste the edited ACL back to the router.

5.2.3 Sequence Numbers Method

An ACL ACE can also be deleted or added using the ACL sequence numbers. Sequence numbers are
automatically assigned when an ACE is entered. These numbers are listed in the show access-lists command.
The show running-config command does not display sequence numbers.

Use the ip access-list standard command to edit an ACL. Statements cannot be overwritten using the same
sequence number as an existing statement. Therefore, the current statement must be deleted first with the no
10 command. Then the correct ACE can be added using sequence number 10. Verify the changes using the
show access-lists command.
5.2.4 Modify a Named ACL Example

Named ACLs can also use sequence numbers to delete and add ACEs. Refer to the example for ACL
NO-ACCESS.

Use the show access-lists command to verify that the ACL now has a new ACE.

5.2.5 ACL Statistics

Notice that the show access-lists command in the example shows statistics for each statement that has been
matched. The deny ACE in the NO-ACCESS ACL has been matched 20 times and the permit ACE has been
matched 64 times.

Note that the implicit deny any at the end of the ACL does not display any statistics. To track how many
packets have been matched by the implicit deny, you must manually configure the deny any command at the
end of the ACL.

Use the clear access-list counters command to clear the ACL statistics. This command can be used alone or
with the number or name of a specific ACL.
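The sequence-number rule in 5.2.3 and the counter behaviour in 5.2.5 can be seen together in the following Python model. It is an added example, not IOS code: it assumes a constructed ACL named NO-ACCESS that denies host 192.168.10.10 and permits the rest of 192.168.10.0/24, and the class and function names are its own.

```python
import ipaddress

# Python model (added example, not IOS code) of a standard IPv4 ACL: ACEs kept
# by sequence number, first match wins, per-ACE match counters as shown by
# "show access-lists", and an implicit deny at the end that keeps no counter.

def wildcard_match(addr, network, wildcard):
    """Wildcard-mask compare: address bits under a 1 in the wildcard are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

class StandardAcl:
    def __init__(self, name):
        self.name = name
        self.aces = {}  # sequence number -> [action, network, wildcard, matches]

    def add(self, seq, action, network, wildcard="0.0.0.0"):
        # IOS will not overwrite an ACE that reuses an existing sequence number;
        # the old ACE has to be removed first with "no <seq>" (see remove()).
        if seq in self.aces:
            raise ValueError(f"% Duplicate sequence number {seq}")
        self.aces[seq] = [action, network, wildcard, 0]

    def remove(self, seq):
        """Equivalent of "no <seq>" in ACL configuration mode."""
        del self.aces[seq]

    def evaluate(self, src):
        """Return permit/deny for a source address and bump the matched ACE's counter."""
        for seq in sorted(self.aces):
            ace = self.aces[seq]
            if wildcard_match(src, ace[1], ace[2]):
                ace[3] += 1
                return ace[0]
        return "deny"  # implicit deny any: the packet is dropped, but nothing is counted

    def show(self):
        """Rough "show access-lists" view: (seq, action, network, wildcard, matches)."""
        return [(s, *a) for s, a in sorted(self.aces.items())]

def build_no_access():
    # Constructed ACL in the spirit of the NO-ACCESS example: block one host,
    # permit the rest of its /24, everything else falls to the implicit deny.
    acl = StandardAcl("NO-ACCESS")
    acl.add(10, "deny", "192.168.10.10")
    acl.add(20, "permit", "192.168.10.0", "0.0.0.255")
    return acl
```

Adding an explicit deny any as sequence 30 is what makes the dropped packets visible in the counters, exactly as the text above describes.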

5.3.1 The access-class Command

An ACL can also be used to secure remote administrative access to a device using the vty lines.

Use the following two steps to secure remote administrative access to the vty lines:

● Create an ACL to identify which administrative hosts should be allowed remote access.
● Apply the ACL to incoming traffic on the vty lines.

R1(config-line)# access-class {access-list-number | access-list-name} { in | out }

The in keyword is the most commonly used option to filter incoming vty traffic. The out parameter filters
outgoing vty traffic and is rarely applied.

The following should be considered when configuring access lists on vty lines:

● Both named and numbered access lists can be applied to vty lines.
● Identical restrictions should be set on all the vty lines, because a user can attempt to connect to any of
them.

5.3.2 Secure VTY Access Example

Telnet is used here for demonstration purposes only. SSH should be used in a production environment.

To increase secure access, a username and password will be created, and the login local authentication
method will be used on the vty lines. The command in the example creates a local database entry for a user
ADMIN and password class.

The vty lines are configured to use the local database for authentication, permit Telnet traffic, and use the
ADMIN-HOST ACL to restrict traffic.
5.3.3 Verify the VTY Port is Secured

To verify the ACL statistics, issue the show access-lists command. Notice the informational message
displayed on the console regarding the admin user. An informational console message is also generated when
a user exits the vty line.

5.4.1 Extended ACLs

Extended ACLs are used more often than standard ACLs because they provide a greater degree of control.
They can filter on source address, destination address, protocol (i.e., IP, TCP, UDP, ICMP), and port number.
This provides a greater range of criteria on which to base the ACL.

Like standard ACLs, extended ACLs can be created as:

● Numbered Extended ACL - Created using the access-list access-list-number global configuration
command.
● Named Extended ACL - Created using the ip access-list extended access-list-name global configuration
command.

5.4.2 Numbered Extended IPv4 ACL Syntax

To create a numbered extended ACL:

Router(config)# access-list access-list-number {deny | permit | remark text} protocol source source-wildcard
[operator {port}] destination destination-wildcard [operator {port}] [established] [log]

Use the no access-list access-list-number global configuration command to remove an extended ACL.
The command to apply an extended IPv4 ACL to an interface is the same as the command used for standard
IPv4 ACLs.

Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}

To remove an ACL from an interface, first enter the no ip access-group interface configuration command. To
remove the ACL from the router, use the no access-list global configuration command.
5.4.3 Protocols and Ports

1. Protocol Options

The four highlighted protocols are the most popular options.

Note: Use the ? to get help when entering a complex ACE.

Note: If an internet protocol is not listed, then the IP protocol number can be specified instead. For instance,
the ICMP protocol number is 1, TCP is 6, and UDP is 17.

2. Port Keyword Options

Selecting a protocol influences the port options offered. For instance, selecting the:

● tcp protocol provides TCP-related port options
● udp protocol provides UDP-specific port options
● icmp protocol provides ICMP-related (i.e., message type) options

Again, notice how many TCP port options are available. The highlighted ports are popular options.

Port names or numbers can be specified. However, port names make it easier to understand the purpose of an
ACE. Notice how some common port names (e.g., SSH and HTTPS) are not listed. For these protocols, port
numbers will have to be specified.
5.4.6 TCP Established Extended ACL

TCP can also perform basic stateful firewall services using the TCP established keyword. The keyword
enables inside traffic to exit the inside private network and permits the returning reply traffic to enter the inside
private network.

The established keyword can be used to permit only the return HTTP traffic from requested websites, while
denying all other traffic.

Without the established parameter in the ACL statement, clients could send traffic to a web server, and
receive traffic returning from the web server. All traffic would be permitted.

5.4.7 Named Extended IPv4 ACL Syntax

Naming an ACL makes it easier to understand its function. To create a named extended ACL:

Router(config)# ip access-list extended access-list-name

5.4.8 Named Extended IPv4 ACL Example

The topology in the figure is used to demonstrate configuring and applying two named extended IPv4 ACLs to
an interface:

● SURFING - This will permit inside HTTP and HTTPS traffic to exit to the internet.
● BROWSING - This will only permit returning web traffic to the inside hosts, while all other traffic exiting
the R1 G0/0/0 interface is implicitly denied.
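The established behaviour from 5.4.6 and the SURFING/BROWSING pair above can be checked against sample packets with the following Python model. It is an added example, not Cisco code: the inside network 192.168.10.0/24, the outside address 203.0.113.5 and all function names are assumptions of the example, and the match rules follow the ACE syntax given in 5.4.2.

```python
import ipaddress

# Python model (added example, not IOS code) of extended ACE evaluation for
# "permit tcp <src> <wc> <dst> <wc> [eq <port>] [established]". A segment is
# "established" when ACK or RST is set, i.e. it belongs to a session already
# started from the inside; a bare SYN is a new connection and does not match.

def wildcard_match(addr, network, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)  # address bits under a wildcard 1 are ignored

def ace_matches(ace, pkt):
    if pkt["proto"] != ace["proto"]:
        return False
    if not wildcard_match(pkt["src"], ace["src"], ace["src_wc"]):
        return False
    if not wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"]):
        return False
    if "eq" in ace and pkt["dport"] != ace["eq"]:  # destination port operator
        return False
    if ace.get("established") and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching ACE wins; an implicit deny any ends every ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
INSIDE = ("192.168.10.0", "0.0.0.255")  # assumed inside network

def tcp_permit(src, dst, **extra):
    return {"action": "permit", "proto": "tcp", "src": src[0], "src_wc": src[1],
            "dst": dst[0], "dst_wc": dst[1], **extra}

SURFING = [tcp_permit(INSIDE, ANY, eq=80), tcp_permit(INSIDE, ANY, eq=443)]  # out
BROWSING = [tcp_permit(ANY, INSIDE, established=True)]                        # in

def pkt(src, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "flags": set(flags)}

# Constructed traffic: an inside host opening HTTPS, the server's reply, an
# inside host trying another port, and an outside host opening a connection in.
web_request = pkt("192.168.10.10", "203.0.113.5", 443, "SYN")
web_reply = pkt("203.0.113.5", "192.168.10.10", 51000, "ACK")
other_out = pkt("192.168.10.10", "203.0.113.5", 22, "SYN")
inbound_syn = pkt("203.0.113.5", "192.168.10.10", 80, "SYN")
```

Dropping established from the BROWSING ACE is what turns the inbound SYN from a deny into a permit, which is the failure mode 5.4.6 warns about.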

5.4.9 Edit Extended ACLs

Like standard ACLs, an extended ACL can be edited using a text editor when many changes are required.
Otherwise, if the edit applies to one or two ACEs, then sequence numbers can be used.

5.4.10 Another Named Extended IPv4 ACL Example

The figure shows another scenario for implementing a named extended IPv4 ACL. Assume that PC1 in the
inside private network is permitted FTP, SSH, Telnet, DNS, HTTP, and HTTPS traffic. However, all other users
in the inside private network should be denied access.

Two named extended ACLs will be created:

● PERMIT-PC1 - This will only permit PC1 TCP access to the internet and deny all other hosts in the
private network.
● REPLY-PC1 - This will only permit the specified returning TCP traffic to PC1 and implicitly deny all other
traffic.

There are many factors to consider when applying an ACL including:

● The device to apply it on
● The interface to apply it on
● The direction to apply it in

5.4.11 Verify Extended ACLs

● show ip interface

The show ip interface command is used to verify the ACL on the interface and the direction in which it was
applied, as shown in the output.

The command generates quite a bit of output but notice how the capitalized ACL names stand out in the
output.

To reduce the command output, use filtering techniques.

● show access-lists

The show access-lists command can be used to confirm that the ACLs work as expected. The command
displays statistic counters that increase whenever an ACE is matched.

Note: Traffic must be generated to verify the operation of the ACL.

● show running-config

The show running-config command can be used to validate what was configured. The command also
displays configured remarks.

The command can be filtered to display only pertinent information.
