Access Control List Explained with Examples

This tutorial explains how to configure Cisco access control lists. Learn Cisco ACLs
configuration commands with their arguments, options, and parameters.

There are eight types of ACLs. These types are standard-numbered, standard-named,
standard-numbered with the sequence editing feature, standard-named with the
sequence editing feature, extended-numbered, extended-named, extended-numbered
with the sequence editing feature, and extended-named with the sequence editing
feature.

To create and configure these access lists, we have two commands. These commands
are 'access-list' and 'ip access-list'. The main difference between both commands is
the first command supports only the standard-numbered and extended-numbered while
the second command supports all eight types.

In this part, we will discuss the meaning of the arguments, options, and parameters of
the 'access-list' command. We will also learn how to use the 'access-list' command to
create and manage access lists. We will discuss the 'ip access-list' command in the next
part of this article.

This tutorial is the seventh part of the article 'Cisco Access Lists Explained with
Examples.'. Other parts of this article are the following.
Definition, purposes, benefits, and functions of ACL
Basic concepts and fundamentals of ACLs
How Access Lists work on Cisco routers
Types of access control lists explained
Wildcard masks in ACLs Explained
Rules and configuration guidelines for Cisco ACLs
Access Control List Explained with Examples
The ip access-list command options and arguments
Standard ACL Configuration Commands Explained
Configure Standard Access Control List Step by Step Guide
How to secure VTY access to the Router
Extended ACL Configuration Commands Explained
Configure Extended Access Control List Step by Step Guide
How to block ICMP Ping on Cisco Routers

The 'access-list' command

This is a global configuration mode command. This command allows us to create a

standard-numbered ACL and an extended-numbered ACL. This command uses the
following syntax.

Router(config)# access-list ACL_# permit|deny conditions

ACL_#: - It is a numerical argument. The router uses this number for the following
purposes.

• To identify the type of protocol

• To identify the type of ACL
• To group all the statements in the ACL

Each network layer protocol is assigned a range of numbers. For the IP protocol, the
following ranges are defined. 1-99, 100-199, 1300-1999, and 2000-2699. From these
ranges, the ranges 1-99 and 1300-1999 are used for standard access lists, and the
ranges 100-199 and 2000-2699 are used for extended access lists.
To create an IP access list, you must specify a number from the above pre-defined
number ranges. For example, to create a standard IP access list, you can choose any
number between 1-99 and 1300-1999. Similarly, to create an extended IP access list, you
can select any number between 100-199 and 2000-2699.

While selecting a number for the ACL, you must follow the following two principles.

1. To create a new ACL, use an unused number from the range. If you use an
existing number, the router will append the ACL related to the specified number.
2. To update an existing ACL, specify the number of the ACL. If you use a new
number, the router will create a new ACL.

Permit|deny

It is an option with two values. If you use the permit option, the router will allow the packet
that matches the condition defined next to it. If you use the deny option, the router will
block the packet that matches the condition defined next to it.

Conditions

These are the condition that the router uses to match the packet. A standard ACL and an
extended ACL use different criteria to match a packet. The available options in this section
depend on the value of the ACL_# argument.

Standard ACL conditions

If you have specified a number that belongs to the standard ACL, the command will use
the following syntax.
Router(config)# access-list 1-99|1300-1999 permit|deny
source_IP_address
[wildcard_mask] [log]
We have already discussed the options and arguments till the action option. Now, let's
discuss the remaining arguments and options.

source_IP_address

It is an argument. It accepts the source address. You can use a host address or a network
address. If you use a host address, the router will match that particular host. Or if you use
a network address, the router will match all hosts of the specified network.

wildcard_mask

It is also an argument. It allows us to define the type of source address. You can define
a particular IP address or a range of IP addresses. I have already explained wildcard
masks in the previous part of this article. You can check that article to learn what wildcard
masks are and how they are used.

log

It is an optional parameter. If you specify this parameter, the router will print any match of
this statement on the console port. By default, the router does not print log messages on
a non-console connection. For example, if you use a VTY connection, you will not see log
messages on the console port. If you want to see log messages on a non-console
connection, you must use the following command.

Router# terminal monitor

This command works on the current session only. It means you have to execute this
command each time to see logging messages on your VTY or TTY session. For
debugging and security purposes, you can also forward these messages to a Syslog
server.

Extended ACL conditions

If you have specified a number that belongs to the extended ACL, the command will use
the following syntax.

Router(config)# access-list 100-199|2000-2699 permit|deny

IP_protocol
source_address source_wildcard_mask
[protocol_information]
destination_address destination_wildcard_mask
[protocol_information] [log]
We have already discussed the syntax till the action option. Let's discuss the rest of the
syntax.

Unlike a standard ACL that supports only the source address, an extended ACL supports
many options in the condition field. An extended ACL allows you to filter traffic based on
supported IP protocols. The supported IP protocols are ICMP, TCP, GRE, UDP, IGRP,
EIGRP, IGMP, IPINP, NOS, and OSPF.

The options available after this argument depend on the protocol you select. For example,
if you select the 'ip' protocol, you will see the options for the 'ip' protocol. Or if you select
the 'tcp' protocol, you will see the options for the 'tcp' protocol.

CCNA exam syllabus includes four IP protocols. These protocols are ip, tcp, udp, and
icmp.

Before we discuss the options of these protocols, let's understand the type of filtering.

There are two types of filtering: host-level filtering and application-level filtering. Host-level
filtering is used to filter all the traffic from the host. Application-level filtering is used to
filter specific traffic from the host.

For example, if you want to filter all traffic from host 10.0.0.10/8, you would use host-level
filtering. But if you want to filter only web traffic from host 10.0.0.10/8, you would use
application-level filtering. In other words, host-level filtering checks "whether host A is
allowed to access host B" while application-level filtering checks "how much host A
is allowed to access host B?".
Let's discuss both types in detail.

Host level filtering

To filter all the traffic from the host, we use the IP address of the host. To use an IP
address, we need to specify the 'IP' keyword after the action argument. The 'IP' keyword
instructs the command that we want to filter the traffic based on the host address.

Unlike a standard access list that allows us to use only the source IP address, an
extended access list allows us to use both the source and destination IP addresses. Since
you can use both addresses, you can filter the exact traffic.

This feature makes extended access lists more flexible than standard access lists. To use
host-level filtering, use the following syntax.

Router(config)#access-list 100-199|2000-2699 permit|deny ip

source_address source_wildcard_mask
destination_address destination_wildcard_mask [log]
After the 'ip' keyword, we have two fields to specify the source address and the
destination address. We can specify a single host address or a range of IP addresses in
both fields. We can use wildcard masks with both addresses.

Application-level filtering

To filter a specific type of traffic coming from a host or going to a host, we use the name
of the protocol that transports the traffic. On an IP network, an application can send its
traffic by using one of two protocols. These protocols are TCP and UDP.

Both protocols can simultaneously transport data of many applications. Both protocols
use a unique number for each application to keep its data separate from other
applications. These numbers are known as port numbers.
Both protocols use different port numbers for applications.

The following table lists some of the most common port numbers and their associated
applications.

TCP UDP
Port Number Application ACL Keyword Port Number
20 FTP (Data) ftp-data 53
21 FTP (Control) ftp 67,68
22 SSH 69
23 Telnet telnet 123
25 SMTP SMTP 161
53 DNS domain
80 HTTP www
110 POP3 pop3
443 SSL (HTTPs)
To filter traffic based on an application, we use the following syntax.

Router(config)#access-list 100-199|2000-2699 permit|deny

tcp|udp
source_address source_wildcard_mask [operator source_port_#]
destination_address destination_wildcard_mask
[operator destination_port_#]
[established] [log]
Operators

Operators allow us to match ports more specifically. You can use operators to define a
range of ports or a particular port. Extended access lists support five operators. The
following table lists them.

Operator Description
Lt Less than
Gt Greater than
Neq Not equal to
Eq equal to
Range Range of port numbers
Operators are optional. Only TCP/UDP uses operators. Other IP protocols do not use
them.

Established

The Established keyword allows traffic to pass through only if it is generated from inside.
It is used only with TCP packets. With this keyword, we can control the direction of the
data flow. If we use this keyword, the ACL will allow only those TCP packets which have
the 'Established' flag bit set in their header.

Log

This keyword instructs the router to log a message every time an ACL entry is hit.

ICMP

Sending a packet is not a guarantee of the packet being delivered. Sometimes packets
get lost on the way to the destination. In such a case, the nearest device sends the error
message back to the sender. From the message, the sender can know about the
undelivered packets and their possible reasons. Networking devices use the ICMP
protocol to send error messages.

An adversary may use the ICMP protocol to reveal information about the network.
Extended access lists allow us to control what error messages devices can send. To filter
ICMP error messages, the command uses the following syntax.

Router(config)# access-list 100-199|2000-2699 permit|deny

ICMP
source_address source_wildcard_mask
destination_address destination_wildcard_mask
[icmp_message] [log]
If we do not specify a particular message type, ACL will match all message types.

The following table lists some of the most common ICMP messages.

Message (Keyword) Description

Echo Used to check the status of destination (up/down)
echo-reply Reply from the destination on echo request
host-unreachable The network is reachable, but the particular host is not respond
net-unreachable The network is not reachable
Traceroute Filter traceroute information
administrativelyprohibited Packet filtered by ACL
Enabling an access list

An ACL does nothing until it is applied to an interface. To apply an ACL to an interface,

use the following commands.

Router(config)#interface interface_number
Router(config-if)#ip access-group ACL_# in|Out
To apply ACL, we need to enter the interface mode. The first command allows us to enter
the interface mode. We use the second command to activate the ACLs on the interface.
The second command accepts one argument and one option. Let's discuss them.

ACL_#:- It is the ACL that we want to activate on the interface. Specify the ACL number
here as the argument.

in|out:- It is the direction in which we want to activate the ACL. If you want to filter
incoming traffic, specify the keyword 'in' here. If you want to filter outgoing traffic, specify
the keyword 'out' here.

Deleting access lists

To delete an access list, use the following global configuration command.

Router(config)#no access-list ACL_#