Cisco Access-lists (ACLs - Access Control Lists)

Access Control Lists (ACLs) are packet filters. They are a list of conditions that categorize packets. They can be helpful for security and for managing traffic flow.

For security, ACLs can allow or deny packets to move through the network. For traffic flow management, ACLs can identify traffic that needs special handling. For example, ACLs can identify voice traffic that should receive priority treatment, or identify traffic that should be limited to a certain bandwidth.

ACLs can examine multiple fields in a packet header and then take an action based on the content of those fields.

ACL Operation:

ACLs work by:

  1. Examine - reading the header fields of each packet
  2. Compare - comparing those fields to the conditions in the ACL
  3. Action - taking the appropriate action (permit or deny)

When a packet is being compared to an ACL, it is compared to each line of the ACL in sequential order (from top to bottom). Once a match is found, the appropriate action is taken and no further comparisons are made.

If no match is found in any line of the ACL, the packet is denied. This is called the implicit deny.

Types of ACLs:

  • Standard ACLs - can only match on source IP address
  • Extended ACLs - can match on source IP, destination IP, protocol, port numbers
  • Named ACLs - can be either standard or extended, but use a name instead of a number

Standard ACLs:

Standard ACLs are numbered 1-99 and 1300-1999. They can only examine the source IP address of a packet.

Basic syntax:

Router(config)# access-list [number] [permit|deny] [source] [wildcard-mask]

Example:

Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any

Extended ACLs:

Extended ACLs are numbered 100-199 and 2000-2699. They can examine source IP, destination IP, protocol, and port numbers.

Basic syntax:

Router(config)# access-list [number] [permit|deny] [protocol] [source] [source-wildcard] [destination] [destination-wildcard] [port]

Example:

Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 100 deny ip any any

Wildcard Masks:

Wildcard masks work opposite to subnet masks:

  • 0 = must match exactly
  • 255 = don't care, ignore this octet

Examples:

  • 0.0.0.0 = match this exact host
  • 0.0.0.255 = match any host in this /24 network
  • 0.0.255.255 = match any host in this /16 network
  • 255.255.255.255 = match any host (same as keyword "any")
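To see how the rules above fit together, here is an added Python model (not Cisco's code, and not part of the original page) that evaluates the standard list 10 and extended list 100 from the examples above against a few constructed packets. It implements the wildcard comparison bit by bit, which is how IOS actually evaluates it, so it also generalizes the per-octet examples to masks such as 0.0.1.255. The packet dictionaries and the Ace class are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bit in the wildcard = must match, 1 bit = don't care (bitwise, not per octet)."""
    def to_int(s): return int(ipaddress.IPv4Address(s))
    keep = ~to_int(wildcard) & 0xFFFFFFFF          # bits that must match exactly
    return (to_int(addr) & keep) == (to_int(base) & keep)

@dataclass
class Ace:
    """One entry (line) of a standard or extended ACL (hypothetical model)."""
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"  # "any" == 0.0.0.0 255.255.255.255
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # "eq <port>" on the destination

def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt["protocol"]:
        return False
    if not wildcard_match(pkt["src"], ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt["dst"], ace.dst, ace.dst_wc):
        return False
    return ace.dst_port is None or pkt.get("dst_port") == ace.dst_port

def evaluate(acl: list, pkt: dict) -> str:
    """Top-down, first match wins; no match at all is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# access-list 10 (standard): only the source address is examined
ACL_10 = [Ace("permit", src="192.168.1.0", src_wc="0.0.0.255"),
          Ace("deny")]
# access-list 100 (extended): permit tcp 192.168.1.0 0.0.0.255 any eq 80, deny ip any any
ACL_100 = [Ace("permit", "tcp", "192.168.1.0", "0.0.0.255", dst_port=80),
           Ace("deny")]

# Constructed sample packets (not captured traffic)
WEB = {"protocol": "tcp", "src": "192.168.1.25", "dst": "203.0.113.10", "dst_port": 80}
SSH = {"protocol": "tcp", "src": "192.168.1.25", "dst": "203.0.113.10", "dst_port": 22}
OUTSIDER = {"protocol": "tcp", "src": "192.168.2.25", "dst": "203.0.113.10", "dst_port": 80}
```

Calling `evaluate(ACL_100, SSH)` returns "deny" even though the source is inside 192.168.1.0/24, because the first line requires destination port 80 and the second line denies everything else.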

Applying ACLs:

ACLs must be applied to an interface to take effect:

Router(config)# interface [interface]
Router(config-if)# ip access-group [ACL-number] [in|out]

Best Practices:

  • Place standard ACLs as close to the destination as possible
  • Place extended ACLs as close to the source as possible
  • ACLs should end with an explicit permit any if you want to allow other traffic
  • Use named ACLs for complex configurations
  • Document your ACLs clearly

Verification Commands:

Router# show access-lists
Router# show ip access-lists
Router# show running-config | include access-list