Access Control List ( ACL )

Naveen Patel

ACLs are basically a set of commands, grouped together by a number or name, that are used to filter traffic entering or leaving an interface. ACL commands define specifically which traffic is permitted and denied. Thus ACLs are statements that specify conditions of how the router handles the traffic flow through specified interfaces.

There are many reasons to create ACLs. ACLs can be used to:
- Limit network traffic and increase network performance
- Provide traffic flow control
- Provide a basic level of security for network access
- Decide which types of traffic are forwarded or blocked at the router interfaces
- Packet filtering

ACLs operate in two ways:
- Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests.
- Outbound ACLs: Incoming packets are routed to the outbound interface and then processed through the outbound ACL.

The types of ACLs can be classified as follows:

- Standard ACL
- Extended ACL

Two methods are used to identify Standard and Extended ACLs:

- Numbered ACLs
- Named ACLs

- Standard ACLs: Standard IP ACLs check the source addresses of packets that can be routed. The result either permits or denies the output for an entire protocol suite, based on the source network, subnet, or host IP address.
- Extended ACLs: Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters.
- Named ACLs: Identified by a descriptive name instead of a number.

Standard Access List


- The access-list number range is 1-99 and 1300-1999
- Can block a network, host, or subnet
- Two-way communication is stopped
- All services are blocked
- Implemented closest to the destination (guideline)
- Checks the source IP address

Extended Access List

- The access-list number range is 100-199 and 1300-1999
- Can block a network, host, subnet, or service
- One-way communication is stopped
- Selected services can be blocked
- Checks source and destination IP address and port number
- Implemented closest to the source (guideline)

Extended Access List

ACL Evaluation

ACL Configuration Guidelines


- Standard or extended indicates what can be filtered.
- One ACL per interface, per protocol, per direction is allowed.
- The order of the ACL statements controls the order of testing; place the most restrictive statement at the top of the list.
- There is an implicit "deny any" statement as the last access list test.
- Every list needs at least one permit statement.
- Create ACLs before applying them to an interface.
- ACLs filter traffic going through the router; they do not apply to traffic originating from the router.

ACL Wildcard Masking


Address filtering occurs when you use ACL address wildcard masking to identify how to check or ignore the corresponding IP address bits.
- A 0 in a bit position of the ACL mask indicates that the corresponding bit in the address must be matched.
- A 1 in a bit position of the ACL mask indicates that the corresponding bit in the address is not interesting and can be ignored.
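As an added example that is not part of the original slides, the Python below implements the wildcard comparison just described, plus two checks a reviewer applies to an entry: whether its wildcard is equivalent to a clean /n prefix, and how many addresses the entry covers. All sample addresses are constructed.

```python
# Added example (not from the original slides): IOS-style wildcard masking.
# A 0 bit in the wildcard means "this address bit must match"; a 1 bit means
# "ignore it". It is the bitwise inverse of a subnet mask, and, unlike a subnet
# mask, its 1 bits need not be contiguous.
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_subnet_mask(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: invert every bit of the subnet mask."""
    return str(ipaddress.IPv4Address(_to_int(mask) ^ 0xFFFFFFFF))


def wildcard_match(address: str, reference: str, wildcard: str = "0.0.0.0") -> bool:
    """True if `address` equals `reference` on every bit where the wildcard is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF  # 1 = compare this bit, 0 = ignore it
    return (_to_int(address) & care) == (_to_int(reference) & care)


def wildcard_prefix_length(wildcard: str):
    """Prefix length if the wildcard is a contiguous run of trailing 1 bits
    (i.e. equivalent to a /n subnet), otherwise None."""
    w = _to_int(wildcard)
    ones = w.bit_length()
    if w != (1 << ones) - 1:  # not of the form 0...01...1
        return None
    return 32 - ones


def addresses_covered(wildcard: str) -> int:
    """Number of addresses one entry with this wildcard matches: 2^(ignored bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Constructed sample values
    print(wildcard_from_subnet_mask("255.255.252.0"))  # 0.0.3.255
    print(wildcard_match("10.1.5.7", "10.1.0.0", "0.0.255.255"))  # True
    print(wildcard_match("10.0.0.5", "10.0.0.0", "0.0.0.254"))  # False: odd host
    # A subnet mask typed where a wildcard was meant matches only addresses
    # whose last octet is 0, not the intended /24.
    print(wildcard_match("192.168.1.77", "192.168.1.0", "255.255.255.0"))  # False
    print(wildcard_prefix_length("255.255.255.0"))  # None
```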

Creating a Standard Numbered ACL


Router(config)# access-list no. permit|deny source_IP_address [wildcard_mask]

Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group ACL_no. in|out

Creating an Extended Numbered ACL


Router(config)# access-list no. permit|deny tcp|udp source_address source_wildcard destination_address destination_wildcard [operator [port]]

Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group ACL_no. in|out
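As an added example that is not part of the original slides, the Python below models how IOS evaluates a numbered ACL: it parses the standard and extended access-list syntax shown above, walks the entries in order as the configuration guidelines describe, stops at the first match, and falls through to the implicit deny. The sample entries and addresses are constructed; only the eq operator is modelled.

```python
# Added example (not from the original slides): minimal model of IOS numbered ACL
# evaluation: top-to-bottom, first match wins, implicit "deny any" at the end.
import ipaddress
from typing import List, Optional, Tuple

def _match(address: str, reference: str, wildcard: str) -> bool:
    """Wildcard compare: address bits under a 1 in the wildcard are ignored."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (address, reference, wildcard))
    return (a & ~w) == (r & ~w)

def _term(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]'; return (ref, wc), rest."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]  # standard ACL: no wildcard = one host

def parse_entry(line: str) -> dict:
    """Parse one 'access-list <no.> permit|deny ...' line (standard or extended)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    rule = {"action": action, "proto": "ip", "dport": None}
    if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard range: source only
        rule["src"], rest = _term(rest)
        rule["dst"] = ("0.0.0.0", "255.255.255.255")
    else:  # extended: protocol, source, destination, optional 'eq <port>'
        rule["proto"], rest = rest[0], rest[1:]
        rule["src"], rest = _term(rest)
        rule["dst"], rest = _term(rest)
        if rest[:1] == ["eq"]:
            rule["dport"] = int(rest[1])
    return rule

def evaluate(acl: List[dict], src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for rule in acl:
        if rule["proto"] not in ("ip", proto) or (rule["dport"] is not None and rule["dport"] != dport):
            continue
        if _match(src, *rule["src"]) and _match(dst, *rule["dst"]):
            return rule["action"]
    return "deny"  # implicit deny any: nothing matched

# Constructed sample: block one host, let the rest of its /24 reach a web server on TCP 80.
SAMPLE_ACL = [parse_entry(line) for line in (
    "access-list 101 deny tcp host 192.168.1.50 any eq 80",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 80")]
```

Reversing the two sample entries lets the blocked host through, which is the ordering point the guidelines make.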

Creating a Standard Named ACL

Router(config)# ip access-list standard name
Router(config-std-nacl)# [sequence-number] deny|permit source [wildcard]
Router(config-std-nacl)# exit

Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group name in|out

Creating an Extended Named ACL

Router(config)# ip access-list extended name
Router(config-ext-nacl)# [sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard [option]
Router(config-ext-nacl)# exit

Activating an ACL
Router(config)# interface type [slot_#]
Router(config-if)# ip access-group name in|out

Summary
Access lists offer a powerful tool for network control. These lists add the flexibility to filter the packet flow into or out of router interfaces. Such control can help limit network traffic and restrict network use by certain users or devices. An IP access list is a sequential list of permit and deny conditions that apply to IP addresses or upper-layer IP protocols. Access lists filter traffic going through the router, but they do not filter traffic originated from the router. Access lists are optional mechanisms in Cisco IOS software that you can configure to filter or test packets to determine whether to forward them to their destination or discard them.

Summary
Inbound access lists process incoming packets before they are routed to an outbound interface, while outbound access lists process packets to an outbound interface. The Cisco IOS software executes access list statements in sequential order, so the first statement is processed, then the next, and so on. Address filtering occurs using access list address wildcard masking to identify how to check or ignore corresponding IP address bits.

The End