ACL WITH PROGRAM

Uploaded by vetriiivel9

ACCESS CONTROL LIST (ACL)
WHAT IS ACL?
• In the Cisco IOS, an access control list is a record that identifies and manages traffic. After identifying that traffic, an administrator can specify what should happen to it (for example, permit it or deny it).
Types Of Access-List
• Standard ACL
• Extended ACL
• Named ACL
Standard Access-list
• Standard access lists are placed closest to the destination
• They filter only on the source IP address inside a packet
• They cannot filter on protocols, services or port numbers
Standard ACL format: access-list <number> {permit | deny} <source> [<wildcard-mask>] (for example, access-list 1 deny 30.0.0.0 0.0.0.255 from the Router 1 configuration below)
Extended Access-list
• This type of ACL is the most preferred one and the most advanced as well. Using this type of ACL you can filter traffic based on
– Source IP address
– Destination IP address
– Protocol (TCP, UDP)
– Port numbers (FTP 21, Telnet 23, etc.)
– Supplementary parameters
Extended ACL format: access-list <number> {permit | deny} <protocol> <source> <source-wildcard> <destination> <destination-wildcard> [eq <port>]
Named Access-list
• One of the disadvantages of using IP standard and IP extended
ACLs is that you reference them by number, which is not too
descriptive of its use. With a named ACL, this is not the case
because you can name your ACL with a descriptive name. The
ACL named sales is a lot more meaningful than an ACL
simply numbered 1. There are both IP standard and IP
extended named ACLs.

Another advantage to named ACLs is that they allow you to
remove individual lines out of an ACL. With numbered ACLs,
you cannot delete individual statements. Instead, you will need
to delete your existing access list and re-create the entire list.
Access List Range

Type                          Range
IP Standard                   1–99
IP Extended                   100–199
IP Standard Expanded Range    1300–1999
IP Extended Expanded Range    2000–2699


Inbound and Outbound Rules
• Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is processed for routing.
• Outbound ACLs: Incoming packets are routed to the outbound interface and then processed through the outbound ACL.
Universal Facts about ACLs
• ACLs come in two varieties: numbered and named.
• Each of these supports two types of filtering: standard and extended.
• Standard IP ACLs can filter only on the source IP address inside a packet.
• Extended IP ACLs can filter on both the source and destination IP addresses in the packet.
• There are two actions an ACL can take: permit or deny.
• Statements are processed top-down.
• Once a match is found, no further statements are processed; therefore, order is important.
• If no match is found, the invisible implicit deny statement at the end of the ACL drops the packet.
• An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the hidden implicit deny statement at the end of every ACL.
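The matching rules above (source-only standard entries, the extended entries from the Extended Access-list slide, top-down processing, first match wins, implicit deny) are easy to get wrong by hand, so here is an added example, not part of the slides, of a small Python simulator of Cisco-style numbered ACL matching. ACL 1 is copied from the Router 1 configuration later in the deck; the extended ACL 100 (blocking Telnet, port 23, from 30.0.0.0/24) and the host addresses used as test packets are constructed for the example. Note that the wildcard 0.0.0.255 on the slides matches only 30.0.0.0/24, while the Router 2 interface uses a 255.0.0.0 mask, so a source such as 30.1.0.9 falls through to the permit any line.

```python
# Added example, not part of the slides: a small simulator of Cisco-style IP
# access-list matching. Standard entries match on source only, extended entries
# add protocol, destination and port, entries are processed top-down, the first
# match decides, and a packet that matches nothing hits the implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (wildcard)
    dst: str = "any"             # same forms; standard entries leave it "any"
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # destination port from "eq N" (extended only)


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _addr(tok: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec from a token list; return (spec, remaining tokens)."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return f"host {tok[1]}", tok[2:]
    if len(tok) == 1:            # IOS treats a bare address as a host entry
        return f"host {tok[0]}", []
    return f"{tok[0]} {tok[1]}", tok[2:]


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse numbered 'access-list' lines; the list number decides standard vs. extended."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard ranges
            src, _ = _addr(rest)
            entries.append(Entry(action, src))
        else:                                                 # extended ranges
            proto = rest[0]
            src, rest = _addr(rest[1:])
            dst, rest = _addr(rest)
            dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            entries.append(Entry(action, src, dst, proto, dport))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str = "0.0.0.0",
             proto: str = "ip", dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching entry; index None means implicit deny."""
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, e.src) and wildcard_match(dst, e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None          # the hidden deny at the end of every ACL


# ACL 1 exactly as it appears in the Router 1 configuration on the slides.
ACL1 = parse_acl([
    "access-list 1 deny 30.0.0.0 0.0.0.255",
    "access-list 1 permit any",
])

# Constructed extended ACL (not from the slides): block Telnet from 30.0.0.0/24.
ACL100 = parse_acl([
    "access-list 100 deny tcp 30.0.0.0 0.0.0.255 any eq 23",
    "access-list 100 permit ip any any",
])

if __name__ == "__main__":
    print(evaluate(ACL1, "30.0.0.2"))        # ('deny', 0)
    print(evaluate(ACL1, "10.0.0.2"))        # ('permit', 1)
    # 0.0.0.255 covers only 30.0.0.0/24, not the /8 configured on the interface
    print(evaluate(ACL1, "30.1.0.9"))        # ('permit', 1)
    print(evaluate(ACL100, "30.0.0.2", "10.0.0.2", "tcp", 23))  # ('deny', 0)
    print(evaluate(ACL100, "30.0.0.2", "10.0.0.2", "tcp", 80))  # ('permit', 1)
    print(evaluate(parse_acl(["access-list 2 deny 30.0.0.0 0.0.0.255"]), "10.0.0.2"))  # ('deny', None)
```

Swapping the two lines of ACL 1 makes the deny unreachable, because permit any matches first; running evaluate on the reversed list is a quick way to check that the order of a list does what the administrator intended before it is applied to an interface.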
[Figure: network topology for the ACL example]
Router1: Fa0/0 10.0.0.1, Se2/0 20.0.0.1 (serial link to Router2)
Router2: Se2/0 20.0.0.2, Fa0/0 30.0.0.1, Fa1/0 40.0.0.1
Each LAN is connected through a switch; hosts: 10.0.0.2, 30.0.0.2, 30.0.0.3, 40.0.0.2, 40.0.0.3
Host labels in the figure: HR Server, Sales Client, HR Client

Required policy:
Allow: HR Server - HR Client
Deny: HR Server - Sales Client
Allow: HR Client - Sales Client
Router 1 Configuration

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host r1
r1(config)#int se2/0
r1(config-if)#ip address 20.0.0.1 255.0.0.0
r1(config-if)#clock rate 64000
r1(config-if)#no shut

%LINK-5-CHANGED: Interface Serial2/0, changed state to down


r1(config-if)#int fa0/0
r1(config-if)#ip address 10.0.0.1 255.0.0.0
r1(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
r1(config)#router rip
r1(config-router)#network 10.0.0.0
r1(config-router)#network 20.0.0.0
r1(config)#access-list 1 deny 30.0.0.0 0.0.0.255
r1(config)#access-list 1 permit any
r1(config)#int se2/0
r1(config-if)#ip access-group 1 in
Router 2 configuration
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host r2
r2(config)#int se2/0
r2(config-if)#ip address 20.0.0.2 255.0.0.0
r2(config-if)#no shut

%LINK-5-CHANGED: Interface Serial2/0, changed state to up

r2(config-if)#i
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
r2(config-if)#int fa0/0
r2(config-if)#ip address 30.0.0.1 255.0.0.0
r2(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

r2(config-if)#exit
r2(config)#int fa1/0
r2(config-if)#ip address 40.0.0.1 255.0.0.0
r2(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up

r2(config-if)#exit
r2(config)#router rip
r2(config-router)#network 20.0.0.0
r2(config-router)#network 30.0.0.0
r2(config-router)#network 40.0.0.0
r2(config)#access-list 1 deny 30.0.0.0 0.0.0.255
r2(config)#access-list 1 permit any
r2(config)#int se2/0
r2(config-if)#ip access-group 1 out