15 - CCNA 200-301 #Access Control List #


Module 4: ACL Concepts

Enterprise Networking, Security, and Automation v7.0 (ENSA)
Purpose of ACLs
What is an ACL?
An ACL is a series of IOS commands that are used to filter packets based on information
found in the packet header. By default, a router does not have any ACLs configured.
When an ACL is applied to an interface, the router performs the additional task of
evaluating all network packets as they pass through the interface to determine if the
packet can be forwarded.
• An ACL uses a sequential list of permit or deny statements, known as access control
entries (ACEs).
Note: ACEs are also commonly called ACL statements.
• When network traffic passes through an interface configured with an ACL, the router
compares the information within the packet against each ACE, in sequential order, to
determine if the packet matches one of the ACEs. This process is called packet
filtering.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Purpose of ACLs
What is an ACL? (Cont.)
Several tasks performed by routers require the use of ACLs to identify
traffic:
• Limit network traffic to increase network performance
• Provide traffic flow control
• Provide a basic level of security for network access
• Filter traffic based on traffic type
• Screen hosts to permit or deny access to network services
• Provide priority to certain classes of network traffic

Purpose of ACLs
Packet Filtering
• Packet filtering controls access to a
network by analyzing the incoming and/or
outgoing packets and forwarding them or
discarding them based on given criteria.
• Packet filtering can occur at Layer 3 or
Layer 4.
• Cisco routers support two types of ACLs:
• Standard ACLs - ACLs only filter at Layer 3
using the source IPv4 address only.
• Extended ACLs - ACLs filter at Layer 3 using
the source and / or destination IPv4 address.
They can also filter at Layer 4 using TCP, UDP
ports, and optional protocol type information for
finer control.

Purpose of ACLs
ACL Operation
• ACLs define the set of rules that give added control for packets that enter inbound
interfaces, packets that relay through the router, and packets that exit outbound
interfaces of the router.
• ACLs can be configured to apply to inbound traffic and outbound traffic.
Note: ACLs do not act on packets that originate from the router itself.
• An inbound ACL filters packets before they are routed to the outbound interface. An
inbound ACL is efficient because it saves the overhead of routing lookups if the packet
is discarded.
• An outbound ACL filters packets after being routed, regardless of the inbound
interface.

Wildcard Masks in ACLs
Wildcard Mask Overview
A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify
which bits in an IPv4 address to match. Unlike a subnet mask, in which binary 1 is equal
to a match and binary 0 is not a match, in a wildcard mask, the reverse is true.
• An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to
examine for a match.
• Wildcard masks use the following rules to match binary 1s and 0s:
• Wildcard mask bit 0 - Match the corresponding bit value in the address
• Wildcard mask bit 1 - Ignore the corresponding bit value in the address

Wildcard Masks in ACLs
Wildcard Mask Overview (Cont.)
Wildcard mask, last octet in binary, and meaning (0 - match, 1 - ignore):
• 0.0.0.0 (00000000) - Match all octets.
• 0.0.0.63 (00111111) - Match the first three octets; match the two left-most bits of the last octet; ignore the last 6 bits.
• 0.0.0.15 (00001111) - Match the first three octets; match the four left-most bits of the last octet; ignore the last 4 bits of the last octet.
• 0.0.0.252 (11111100) - Match the first three octets; ignore the six left-most bits of the last octet; match the last two bits.
• 0.0.0.255 (11111111) - Match the first three octets; ignore the last octet.
Wildcard Masks in ACLs
Wildcard Mask Types
Wildcard to Match a Host:
• Assume ACL 10 needs an ACE that only permits the host with IPv4 address
192.168.1.1. Recall that “0” equals a match and “1” equals ignore. To match a specific
host IPv4 address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required.
• When the ACE is processed, the wildcard mask will permit only the 192.168.1.1
address. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1
0.0.0.0.

                         Decimal        Binary
IPv4 address             192.168.1.1    11000000.10101000.00000001.00000001
Wildcard mask            0.0.0.0        00000000.00000000.00000000.00000000
Permitted IPv4 address   192.168.1.1    11000000.10101000.00000001.00000001
Wildcard Masks in ACLs
Wildcard Mask Types (Cont.)
Wildcard Mask to Match an IPv4 Subnet
• ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The
wildcard mask 0.0.0.255 stipulates that the very first three octets must match exactly
but the fourth octet does not.
• When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24
network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0
0.0.0.255.

                         Decimal          Binary
IPv4 address             192.168.1.1      11000000.10101000.00000001.00000001
Wildcard mask            0.0.0.255        00000000.00000000.00000000.11111111
Permitted IPv4 address   192.168.1.0/24   11000000.10101000.00000001.00000000
Wildcard Masks in ACLs
Wildcard Mask Types (Cont.)
Wildcard Mask to Match an IPv4 Address Range
• ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24,
…, 192.168.31.0/24 networks.
• When processed, the wildcard mask 0.0.15.255 permits all hosts in the
192.168.16.0/24 to 192.168.31.0/24 networks. The resulting ACE in ACL 10 would
be access-list 10 permit 192.168.16.0 0.0.15.255.

                         Decimal              Binary
IPv4 address             192.168.16.0         11000000.10101000.00010000.00000000
Wildcard mask            0.0.15.255           00000000.00000000.00001111.11111111
Permitted IPv4 address   192.168.16.0/24      11000000.10101000.00010000.00000000
                         to 192.168.31.0/24   11000000.10101000.00011111.00000000

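To put the three wildcard cases above (single host, /24 subnet, /20 range) into runnable form, here is an added Python example. It is not part of the course material; the function names are this example's own. It derives a wildcard mask from a CIDR block or from a first/last address pair, and tests an address against an ACE the way the router does: only the bits where the wildcard is 0 have to agree with the base address. It also shows a non-contiguous wildcard (0.0.0.254), which IOS accepts but which matches odd last octets rather than any "range", a classic source of unintended permits.

```python
from __future__ import annotations
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr matches the ACE 'base wildcard'.

    A wildcard bit of 0 means "this address bit must equal the base";
    a bit of 1 means "ignore it".  So the ACE matches when every bit
    where the wildcard is 0 agrees: (addr XOR base) AND NOT(wildcard) == 0.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF          # 1 = bit must match
    return (to_int(addr) ^ to_int(base)) & care == 0


def cidr_to_ace(cidr: str) -> tuple[str, str]:
    """'192.168.16.0/20' -> ('192.168.16.0', '0.0.15.255').

    The wildcard for a whole prefix is the inverted subnet mask, which
    ipaddress exposes directly as hostmask.  strict=True rejects a base
    address that is not on the block boundary (e.g. 192.168.17.0/20).
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def range_to_ace(first: str, last: str) -> tuple[str, str]:
    """One base/wildcard pair covering first..last, e.g. 192.168.16.0 to
    192.168.31.255.  Raises when the range is not a single aligned block;
    such a range needs several ACEs, not one 'creative' wildcard."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    if len(blocks) != 1:
        raise ValueError(f"needs {len(blocks)} ACEs: {[str(b) for b in blocks]}")
    return cidr_to_ace(str(blocks[0]))


if __name__ == "__main__":
    # The three cases from the slides above.
    print(wildcard_match("192.168.1.1", "192.168.1.1", "0.0.0.0"))    # host
    print(cidr_to_ace("192.168.1.0/24"))                               # subnet
    print(range_to_ace("192.168.16.0", "192.168.31.255"))              # /20 range
    # A non-contiguous wildcard: 0.0.0.254 matches only odd last octets.
    print(wildcard_match("192.168.1.7", "192.168.1.1", "0.0.0.254"))
```

range_to_ace is the check worth keeping at hand: a range such as 192.168.16.0 to 192.168.32.255 is not one block, and any single wildcard that "covers" it also covers addresses outside it.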
4.3 Guidelines for ACL Creation

Guidelines for ACL Creation
Limited Number of ACLs per Interface
There is a limit on the number of ACLs that can be applied on a router interface. For
example, a dual-stacked (i.e., IPv4 and IPv6) router interface can have up to four ACLs
applied, as shown in the figure.
Specifically, a router interface can have:
• One outbound IPv4 ACL.
• One inbound IPv4 ACL.
• One inbound IPv6 ACL.
• One outbound IPv6 ACL.

Note: ACLs do not have to be configured in both directions. The number of ACLs and
their direction applied to the interface will depend on the security policy of the
organization.

4.4 Types of IPv4 ACLs

Types of IPv4 ACLs
Standard and Extended ACLs
There are two types of IPv4 ACLs:
• Standard ACLs - These permit or deny packets based only on the source IPv4
address.
• Extended ACLs - These permit or deny packets based on the source IPv4 address
and destination IPv4 address, protocol type, source and destination TCP or UDP ports
and more.

Types of IPv4 ACLs
Numbered and Named ACLs
Numbered ACLs
• ACLs numbered 1-99, or 1300-1999 are standard ACLs, while ACLs numbered 100-
199, or 2000-2699 are extended ACLs.

R1(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
rate-limit Simple rate-limit specific access list
template Enable IP template acls
Router(config)# access-list

Types of IPv4 ACLs
Numbered and Named ACLs (Cont.)
Named ACLs
• Named ACLs are the preferred method to use when configuring ACLs. Specifically,
standard and extended ACLs can be named to provide information about the purpose
of the ACL. For example, naming an extended ACL FTP-FILTER is far better than
having a numbered ACL 100.
• The ip access-list global configuration command is used to create a named ACL, as
shown in the following example.

R1(config)# ip access-list extended FTP-FILTER
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
R1(config-ext-nacl)#

Types of IPv4 ACLs
Where to Place ACLs
• Every ACL should be placed where it
has the greatest impact on efficiency.
• Extended ACLs should be located as
close as possible to the source of the
traffic to be filtered.
• Standard ACLs should be located as
close to the destination as possible.

Types of IPv4 ACLs
Where to Place ACLs (Cont.)

Factors influencing ACL placement:
• The extent of organizational control - Placement of the ACL can depend on whether
or not the organization has control of both the source and destination networks.
• Bandwidth of the networks involved - It may be desirable to filter unwanted traffic at
the source to prevent transmission of bandwidth-consuming traffic.
• Ease of configuration - It may be easier to implement an ACL at the destination, but
traffic will use bandwidth unnecessarily. An extended ACL could be used on each router
where the traffic originated. This would save bandwidth by filtering the traffic at the
source, but it would require creating extended ACLs on multiple routers.

Types of IPv4 ACLs
Standard ACL Placement Example
In the figure, the administrator
wants to prevent traffic originating in
the 192.168.10.0/24 network from
reaching the 192.168.30.0/24
network.

Following the basic placement guidelines, the administrator would place a standard ACL
on router R3.

Types of IPv4 ACLs
Standard ACL Placement Example (Cont.)
There are two possible interfaces on R3 to apply the standard ACL:
• R3 S0/1/1 interface (inbound) - The standard ACL could be applied inbound on the
R3 S0/1/1 interface to deny traffic from the .10 network. However, because a standard
ACL matches on source address only, it would also block .10 traffic to the
192.168.31.0/24 (.31 in this example) network. Therefore, the standard ACL should not
be applied to this interface.
• R3 G0/0/0 interface (outbound) - The standard ACL can be applied outbound on the
R3 G0/0/0 interface. This does not affect other networks reachable through R3: packets
from the .10 network can still reach the .31 network. This is the best interface on
which to place the standard ACL to meet the traffic requirements.
Types of IPv4 ACLs
Extended ACL Placement Example
• Extended ACLs should be located as close
to the source as possible.
• However, the organization can only place
ACLs on devices that they control.
Therefore, the extended ACL placement
must be determined in the context of
where organizational control extends.
• In the figure, for example, Company A
wants to deny Telnet and FTP traffic to
Company B’s 192.168.30.0/24 network
from their 192.168.11.0/24 network, while
permitting all other traffic.

Types of IPv4 ACLs
Extended ACL Placement Example (Cont.)
An extended ACL on R3 would accomplish the task,
but the administrator does not control R3. In addition,
this solution allows unwanted traffic to cross the entire
network, only to be blocked at the destination.
The solution is to place an extended ACL on R1 that
specifies both source and destination addresses.
There are two possible interfaces on R1 to apply the
extended ACL:
• R1 S0/1/0 interface (outbound) - The extended ACL can be
applied outbound on the S0/1/0 interface. This solution will
process all packets leaving R1 including packets from
192.168.10.0/24.
• R1 G0/0/1 interface (inbound) - The extended ACL can be applied inbound on G0/0/1,
so that only packets from the 192.168.11.0/24 network are subject to ACL processing on
R1. Because the filter is to be limited to packets leaving the 192.168.11.0/24 network,
applying the extended ACL inbound on G0/0/1 is the best solution.

5.1 Configure Standard IPv4 ACLs

Configure Standard IPv4 ACLs
Create an ACL
All access control lists (ACLs) must be planned. When configuring a complex ACL, it is
suggested that you:
• Use a text editor and write out the specifics of the policy to be implemented.
• Add the IOS configuration commands to accomplish those tasks.
• Include remarks to document the ACL.
• Copy and paste the commands onto the device.
• Always thoroughly test an ACL to ensure that it correctly applies the desired policy.

Configure Standard IPv4 ACLs
Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the access-list command.

Parameter            Description
access-list-number   Number range is 1 to 99 or 1300 to 1999
deny                 Denies access if the condition is matched
permit               Permits access if the condition is matched
remark text          (Optional) Text entry for documentation purposes
source               Identifies the source network or host address to filter
source-wildcard      (Optional) 32-bit wildcard mask that is applied to the source
log                  (Optional) Generates and sends an informational message when the ACE is matched

Note: Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.

Configure Standard IPv4 ACLs
Named Standard IPv4 ACL Syntax
To create a named standard ACL, use the ip access-list standard command.
• ACL names are alphanumeric, case sensitive, and must be unique.
• Capitalizing ACL names is not required but makes them stand out when viewing the
running-config output.

Configure Standard IPv4 ACLs
Apply a Standard IPv4 ACL
After a standard IPv4 ACL is configured, it must be linked to an interface or feature.
• The ip access-group command, entered in interface configuration mode with the ACL
number or name and the direction (in or out), binds a numbered or named standard IPv4
ACL to the interface.
• To remove an ACL from an interface, first enter the no ip access-group interface
configuration command; only then delete the ACL itself with no access-list. Deleting a
numbered ACL while it is still applied to an interface is risky: on IOS routers an
interface that references a nonexistent ACL permits all traffic until the ACL is
recreated.

Configure Standard IPv4 ACLs
Numbered Standard ACL Example
The example ACL permits traffic from host 192.168.10.10 and all hosts on the
192.168.20.0/24 network out interface serial 0/1/0 on router R1.

Configure Standard IPv4 ACLs
Numbered Standard ACL Example (Cont.)
• Use the show running-config command to review the ACL in the configuration.
• Use the show ip interface command to verify the ACL is applied to the interface.

Configure Standard IPv4 ACLs
Named Standard ACL Example
The example ACL permits traffic
from host 192.168.10.10 and all
hosts on the 192.168.20.0/24
network out interface serial 0/1/0 on
router R1.

Configure Standard IPv4 ACLs
Named Standard ACL Example (Cont.)
• Use the show access-lists command to review the ACL in the configuration.
• Use the show ip interface command to verify the ACL is applied to the interface.

5.2 Modify IPv4 ACLs

Modify IPv4 ACLs
Two Methods to Modify an ACL
After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can be
complex to configure. Sometimes the configured ACE does not yield the expected
behaviors.
There are two methods to use when modifying an ACL:
• Use a text editor.
• Use sequence numbers.

Modify IPv4 ACLs
Text Editor Method
ACLs with multiple ACEs should be created in a text editor. This allows you to plan the
required ACEs, create the ACL, and then paste it into the router interface. It also simplifies
the tasks to edit and fix an ACL.
To correct an error in an ACL:
• Copy the ACL from the running configuration and paste it into the text editor.
• Make the necessary edits or changes.
• Remove the previously configured ACL on the router.
• Copy and paste the edited ACL back to the router.

Modify IPv4 ACLs
Sequence Number Method
An ACE can be deleted from or added to an ACL using ACL sequence numbers.
• Use the ip access-list standard command (with the ACL name or number) to enter ACL
configuration mode and edit the ACL; numbered ACLs can be edited this way as well.
• A statement cannot be overwritten by reusing an existing sequence number. The
current statement must be deleted first with the no 10 command (where 10 is its
sequence number). Then the corrected ACE can be added using that sequence number.

Modify IPv4 ACLs
Modify a Named ACL Example
Named ACLs can also use sequence numbers to delete and add ACEs. In the example,
an ACE is added to deny host 192.168.10.11.

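The following added Python example (not the course's own code) models how IOS walks a standard ACL: first match wins, an unmatched packet hits the implicit deny at the end, and sequence numbers decide where an edited ACE lands. It builds the numbered/named standard ACL described earlier (host 192.168.10.10 plus the 192.168.20.0/24 network), then shows the editing pitfall the sequence-number method exists to solve: a deny appended after a broader permit is shadowed and never matched, while the same deny re-added at sequence 15 takes effect. The class and function names, and the hosts 192.168.20.77 and 192.168.20.11, are this example's own.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    base: int        # source address as an integer
    wildcard: int    # 0 bits must match, 1 bits are ignored


def parse_source(tokens: list[str]) -> tuple[int, int]:
    """IOS source syntax: 'any' | 'host A.B.C.D' | 'A.B.C.D [W.X.Y.Z]'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    base = int(ipaddress.IPv4Address(tokens[0]))
    # An omitted wildcard defaults to 0.0.0.0, i.e. an exact host match.
    wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return base, wildcard


class StandardAcl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.aces: list[Ace] = []

    def add(self, line: str) -> None:
        """Accepts an ACE as typed in ip access-list standard mode, with an
        optional leading sequence number: 'permit host 192.168.10.10' or
        '15 deny host 192.168.20.11'.  Without a number IOS appends in
        steps of 10; an existing number must be removed first ('no 15')."""
        tokens = line.split()
        if tokens[0].isdigit():
            seq, tokens = int(tokens[0]), tokens[1:]
        else:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} exists; remove it with 'no {seq}' first")
        self.aces.append(Ace(seq, tokens[0], *parse_source(tokens[1:])))
        self.aces.sort(key=lambda a: a.seq)

    def remove(self, seq: int) -> None:       # the 'no <seq>' command
        self.aces = [a for a in self.aces if a.seq != seq]

    def evaluate(self, src: str) -> tuple[str, int | None]:
        """First matching ACE wins; no match hits the implicit 'deny any'."""
        s = int(ipaddress.IPv4Address(src))
        for a in self.aces:
            if ((s ^ a.base) & ~a.wildcard & 0xFFFFFFFF) == 0:
                return a.action, a.seq
        return "deny", None


def build_permit_access() -> StandardAcl:
    """The slide's ACL: host 192.168.10.10 plus the 192.168.20.0/24 LAN."""
    acl = StandardAcl("PERMIT-ACCESS")
    acl.add("permit host 192.168.10.10")
    acl.add("permit 192.168.20.0 0.0.0.255")
    return acl


def walkthrough() -> dict[str, tuple[str, int | None]]:
    acl = build_permit_access()
    out = {
        "pc": acl.evaluate("192.168.10.10"),
        "lan20": acl.evaluate("192.168.20.77"),
        "other": acl.evaluate("192.168.10.11"),     # implicit deny
    }
    # Appending a deny for one LAN host lands at seq 30, *after* the /24
    # permit, so it is shadowed and never matched.
    acl.add("deny host 192.168.20.11")
    out["shadowed"] = acl.evaluate("192.168.20.11")
    # Fix: remove it and re-add it with a sequence number before the permit.
    acl.remove(30)
    acl.add("15 deny host 192.168.20.11")
    out["fixed"] = acl.evaluate("192.168.20.11")
    return out


if __name__ == "__main__":
    for case, result in walkthrough().items():
        print(f"{case:>9}: {result}")
```

The "shadowed" case is the one to check for in a real deployment: show access-lists reports zero matches for an ACE that can never be reached, which is the quickest sign that an edit landed in the wrong place.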
5.4 Configure Extended IPv4 ACLs

Configure Extended IPv4 ACLs
Extended ACLs
Extended ACLs provide a greater degree of control. They can filter on source
address, destination address, protocol (i.e., IP, TCP, UDP, ICMP), and port
number.

Extended ACLs can be created as:
• Numbered Extended ACL - Created using the access-list access-list-number global
configuration command.
• Named Extended ACL - Created using the ip access-list extended access-list-name
global configuration command.

Configure Extended IPv4 ACLs
Protocols and Ports

Extended ACLs can filter on internet protocols and ports. Use the ? to get help when
entering a complex ACE. Of the protocol options listed by the help output, four (IP,
TCP, UDP, and ICMP) are the most popular.

Configure Extended IPv4 ACLs
Protocols and Ports (Cont.)
Selecting a protocol influences the port options. Many TCP port options are available,
as shown in the ? help output.

Configure Extended IPv4 ACLs
Protocols and Port Numbers Configuration Examples
Extended ACLs can filter on different port number and port name options.

This example configures extended ACL 100 to filter HTTP traffic. The first ACE uses the
www port name; the second ACE uses the port number 80. Both ACEs achieve exactly the
same result.

The port number must be used when IOS has no port name for the service, as with SSH
(port number 22) or HTTPS (port number 443), as shown in the next example.

Configure Extended IPv4 ACLs
Apply a Numbered Extended IPv4 ACL
In this example, the ACL permits both HTTP and HTTPS traffic from the 192.168.10.0/24
network to go to any destination.

Extended ACLs can be applied in various locations. However, they are commonly applied
close to the source. Here ACL 110 is applied inbound on the R1 G0/0/0 interface.

Configure Extended IPv4 ACLs
TCP Established Extended ACL
An extended ACL can also approximate a basic stateful firewall by using the established
keyword on a TCP ACE.
• The established keyword allows inside hosts to initiate TCP sessions out of the private
network and permits the returning reply traffic back into the private network.
• TCP traffic generated by an outside host attempting to open a connection to an inside
host is denied.
Caveat: established keeps no connection table. It matches any TCP segment that has the
ACK or RST bit set, so a crafted ACK-only segment sent from outside also passes; where
real session tracking is required, a stateful firewall feature is needed rather than an ACL.

Configure Extended IPv4 ACLs
TCP Established Extended ACL (Cont.)
• ACL 120 is configured to only permit returning web traffic to the inside hosts. The ACL
is then applied outbound on the R1 G0/0/0 interface.
• The show access-lists command shows that inside hosts are accessing the secure
web resources from the internet.
Note: A match occurs if the returning TCP segment has the ACK or reset (RST) flag bits set, indicating
that the packet belongs to an existing connection.

Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. To create a named extended
ACL, use the ip access-list extended configuration command.

In the example, a named extended ACL called NO-FTP-ACCESS is created and the
prompt changed to named extended ACL configuration mode. ACE statements are
entered in the named extended ACL sub configuration mode.

Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example
The topology below is used to demonstrate configuring and applying two named extended
IPv4 ACLs to an interface:
• SURFING - This will permit inside HTTP and HTTPS traffic to exit to the internet.
• BROWSING - This will only permit returning web traffic to the inside hosts while all other traffic
exiting the R1 G0/0/0 interface is implicitly denied.

Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example (Cont.)
• The SURFING ACL permits HTTP and HTTPS traffic from inside users to exit the G0/0/1
interface connected to the internet. Web traffic returning from the internet is permitted
back into the inside private network by the BROWSING ACL.
• The SURFING ACL is applied inbound and the BROWSING ACL is applied outbound on
the R1 G0/0/0 interface.

Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example (Cont.)
The show access-lists command is used to verify the ACL statistics. Notice that the
permit secure HTTPS counters (i.e., eq 443) in the SURFING ACL and the return
established counters in the BROWSING ACL have increased.

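The SURFING/BROWSING pair above, together with the established keyword from the previous section, is modelled in the following added Python example (not the course's own configuration). It evaluates a handful of TCP segments against both ACLs, keeps per-ACE hit counters like those show access-lists displays, and includes the case the established keyword cannot handle: an ACK-only probe from the outside, which matches because only the ACK/RST bits are inspected. The outside addresses 203.0.113.5 and 198.51.100.9 are constructed placeholders, and the dataclass and function names are this example's own.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ACK, RST, SYN = 0x10, 0x04, 0x02        # TCP flag bits

ANY = ("0.0.0.0", "255.255.255.255")    # 'any' as base/wildcard
LAN = ("192.168.10.0", "0.0.0.255")     # the inside network in the slides


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: int


@dataclass
class ExtAce:
    action: str
    src: tuple[str, str]          # (base, wildcard)
    dst: tuple[str, str]
    eq: int | None = None         # destination port, as in 'eq 443'
    established: bool = False     # the IOS 'established' keyword
    hits: int = 0                 # the '(N matches)' counter of show access-lists


def in_block(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def evaluate(acl: list[ExtAce], p: Packet) -> str:
    """Sequential first-match evaluation of a TCP segment; implicit deny at the end."""
    for ace in acl:
        if not (in_block(p.src, *ace.src) and in_block(p.dst, *ace.dst)):
            continue
        if ace.eq is not None and p.dport != ace.eq:
            continue
        # 'established' consults no connection table: it only requires ACK or RST.
        if ace.established and not p.flags & (ACK | RST):
            continue
        ace.hits += 1
        return ace.action
    return "deny"


def build() -> tuple[list[ExtAce], list[ExtAce]]:
    # SURFING (applied inbound on G0/0/0): LAN hosts may start HTTP/HTTPS sessions.
    surfing = [ExtAce("permit", LAN, ANY, eq=80), ExtAce("permit", LAN, ANY, eq=443)]
    # BROWSING (applied outbound on G0/0/0): only "replies" come back to the LAN.
    browsing = [ExtAce("permit", ANY, LAN, established=True)]
    return surfing, browsing


def walkthrough() -> tuple[dict[str, str], list[ExtAce], list[ExtAce]]:
    surfing, browsing = build()
    pc1, web, outsider = "192.168.10.10", "203.0.113.5", "198.51.100.9"  # constructed
    results = {
        "https_out":    evaluate(surfing,  Packet(pc1, web, 443, SYN)),
        "reply_in":     evaluate(browsing, Packet(web, pc1, 50123, SYN | ACK)),
        "ssh_out":      evaluate(surfing,  Packet(pc1, web, 22, SYN)),
        "syn_in":       evaluate(browsing, Packet(outsider, pc1, 22, SYN)),
        "ack_probe_in": evaluate(browsing, Packet(outsider, pc1, 22, ACK)),  # passes
    }
    return results, surfing, browsing


if __name__ == "__main__":
    results, surfing, browsing = walkthrough()
    for case, verdict in results.items():
        print(f"{case:>13}: {verdict}")
    print("SURFING hits:", [a.hits for a in surfing], "BROWSING hits:", [a.hits for a in browsing])
```

The ack_probe_in verdict is the reason established counts as a filter rather than a firewall: an ACK scan from outside traverses BROWSING and reaches the inside host's TCP stack, which answers with RST and thereby reveals that the host is alive.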
Configure Extended IPv4 ACLs
Edit Extended ACLs
An extended ACL can be edited using a text editor when many changes are required, or
with sequence numbers if the edit applies to only one or two ACEs.

Example:
• ACE sequence number 10 in the SURFING ACL has an incorrect source network
address.

Configure Extended IPv4 ACLs
Edit Extended ACLs (Cont.)
• To correct this error the original statement is removed with the no sequence_#
command and the corrected statement is added replacing the original statement.
• The show access-lists command output verifies the configuration change.

Configure Extended IPv4 ACLs
Another Extended IPv4 ACL Example
Two named extended ACLs will be created:
• PERMIT-PC1 - This will only permit PC1 TCP access to the internet and deny all other hosts in the
private network.
• REPLY-PC1 - This will only permit the specified returning TCP traffic to PC1 and
implicitly deny all other traffic.

Configure Extended IPv4 ACLs
Another Extended IPv4 ACL Example (Cont.)
• The PERMIT-PC1 ACL permits PC1 (192.168.10.10) TCP access to FTP, SSH, Telnet,
DNS, HTTP, and HTTPS.
• The REPLY-PC1 ACL permits the return traffic to PC1.
• The PERMIT-PC1 ACL is applied inbound and the REPLY-PC1 ACL is applied outbound
on the R1 G0/0/0 interface.

Configure Extended IPv4 ACLs
Verify Extended ACLs
The show ip interface command is used to verify the ACL on the interface and the
direction in which it was applied.

Configure Extended IPv4 ACLs
Verify Extended ACLs (Cont.)
The show access-lists command can be used to confirm that the ACLs work as
expected. The command displays statistic counters that increase whenever an ACE is
matched.
Note: Traffic must be generated to verify the operation of the ACL.
