Access Control Layer (ACL)
ACL
1. An ACL is a set of rules that permits or denies specific traffic passing through the router
2. It is a Layer 3 security mechanism that controls the flow of traffic from one router to another
3. These lists tell the router OS which types of packets to accept or deny
4. It is also called a packet-filtering firewall
ACL benefits
Limit network traffic and improve network performance
Provide traffic flow control
Provide a basic level of security for network access
Decide at the router interfaces whether traffic is forwarded or blocked
Permit or deny screened hosts access to a network segment
Network Topology
Types of ACL
Numbered ACL
1. An ACL can be identified by a number
2. Numbers can be 1-99 or 100-199
3. In addition, numbers can be 1300-1999 and 2000-2699
Standard ACL
The ACL number range is 1-99 or 1300-1999
Can block/allow a network, host or subnet
Two-way communication is stopped
All services are blocked by default
Implemented closest to the destination
Filtering is done based on the source address only
Extended ACL
The ACL number range is 100-199 or 2000-2699
Can block/allow a network, host or subnet, and filter by protocol:
-IP
-TCP
-UDP
-ICMP
Operators
#show access-lists
#show access-lists <acl no>
(The IOS command is show access-lists; the abbreviated form show access-list is also accepted.)
Wild Card Mask
Tells the router which address bits must match in the address of the ACL statement
It is the inverse of the subnet mask, hence also called the inverse mask
A bit value of 0 indicates MUST MATCH (checked bits)
A bit value of 1 indicates IGNORE (unchecked bits)
The wildcard mask for a single host is always 0.0.0.0
A wildcard mask can be calculated using the formula:
WCM Examples
Extended ACL Configuration
Extended ACL Creation
(config)#access-list <acl no> <permit/deny> <protocol> <src add> <src WCM> <dest add> <dest WCM> <operator> <service/port no>
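As an added example (not part of the original slides), the following Python models the wildcard-mask rule above (0 = must match, 1 = ignore) and the extended ACL entry format just shown: entries are evaluated top-down, the first match decides, and a packet that matches no entry falls through to deny. The ACL entries, addresses and port numbers are constructed for illustration only.

```python
import ipaddress

def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard (inverse) mask: every bit of the subnet mask flipped."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

def matches(addr: str, acl_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    check = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (a & check) == (b & check)

# Constructed extended ACL entries, mirroring
# access-list <no> <permit/deny> <protocol> <src> <src WCM> <dst> <dst WCM> [eq <port>]
ACL_110 = [
    ("permit", "tcp",  "192.168.1.0", "0.0.0.255", "10.0.0.10", "0.0.0.0",         80),
    ("deny",   "icmp", "192.168.1.0", "0.0.0.255", "10.0.0.0",  "0.0.0.255",       None),
    ("permit", "ip",   "192.168.1.0", "0.0.0.255", "0.0.0.0",   "255.255.255.255", None),
]

def evaluate(acl, proto: str, src: str, dst: str, port=None) -> str:
    """Return 'permit' or 'deny' for a packet; first matching entry wins."""
    for action, p, s, s_wcm, d, d_wcm, prt in acl:
        # protocol keyword 'ip' covers every IP protocol (tcp, udp, icmp, ...)
        if p != "ip" and p != proto:
            continue
        if not matches(src, s, s_wcm) or not matches(dst, d, d_wcm):
            continue
        if prt is not None and prt != port:  # 'eq <port>' operator
            continue
        return action
    return "deny"  # no entry matched: everything is blocked by default

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))                     # 0.0.0.255
    print(evaluate(ACL_110, "tcp", "192.168.1.5", "10.0.0.10", 80))  # permit
    print(evaluate(ACL_110, "icmp", "192.168.1.5", "10.0.0.20"))     # deny
    print(evaluate(ACL_110, "tcp", "172.16.0.1", "10.0.0.10", 80))   # deny
```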