CCNA (routing and switching)

Access Control Lists



Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter the packets of those protocols as the packets pass through a router.

Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. Your router examines each packet to determine whether to forward or drop the packet, on the basis of the criteria you specified within the access lists.

Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.

Why You Should Configure Access Lists

1. restrict contents of routing updates

2.  to provide traffic flow control.

3.  to configure access lists is to provide security for your network

4. to decide which types of traffic are forwarded or blocked at the router interfaces

Overview of Access List Configuration

Each protocol has its own set of specific tasks and rules that are required in order for you to provide traffic filtering.

most protocols require at least two basic steps to be accomplished.

  • The first step is to create an access list definition,
  •  the second step is to apply the access list to an interface.

Creating Access Lists

Create access lists for each protocol you wish to filter, per router interface. For some protocols, you create one access list to filter inbound traffic, and one access list to filter outbound traffic.

To create an access list, you specify the protocol to filter, you assign a unique name or number to the access list, and you define packet filtering criteria. A single access list can have multiple filtering criteria statements.

When configuring access lists on a router, you must identify each access list uniquely within a protocol by assigning either a name or a number to the protocol’s access list.

The ACL number ranges.

Cisco IOS knows what type of the ACL you use rom f the number of the ACL.

  • Standard1 to 99 and 1300 to 1999
  • Extended100 to 199 and 2000 to 2699
  • Named – type of extended ACL which uses name instead of a number

Standard ACL

The standard ACL is the simplest incarnation of the ACL. Apart from its number, they are only defined by action that should be taken if a packet from described source turns up

access-list access-list-number {permit|deny}
{host|source source-wildcard|any}



In the case of the standard ACL, it is very important where you apply the ACL.

As you can only permit or deny traffic based on its source when you apply denying statement on the 1st point in the network you will effectively block this traffic from reaching everything in the network above. However when you apply the same access list at any other point in the network it will not block anything before this point along the way from the source to the destination.

Extended ACL

With the extended ACL, as the name might suggest, you have more choice and flexibility comparing to the standard ACL. You can filter traffic by it’s:

  • source or destination – It is usually source or destination IP address, but it could be another type of addressing, for example, the IPX
  • protocol type – IP, IPX, ICMP, IGMP, TCP, UDP are the most popular choices
  • port number – you can filter traffic by use of TCP/UDP port numbers


Processing order

A router always processes each access list from it’s top to bottom. The first statement that fits  the packet in question will be executed and the remaining ones will be ignored. However, you need to be warned about the implicit deny any statement at the end of each access list. In practice, it means if none of the statements which you have configured in the access list will fit the packet in question the router will execute the implicit deny statement blocking everything that wasn’t described in the ACL.

Note 1: Not having the permit statement in the ACL that allows traffic to and from the Internet, could cause the Internet outage or disconnect your telnet/ssh session as soon as you apply such ACL on the internet connecting network interface.

Note 2: You could manually add deny any statement at the end of all your ACL. This way you will see statistics how many times your traffic have matched the statement, which is there anyway visible (manually added) or invisible (implicit deny statement).

The solid wall and a fishnet security

You can use so-called fishnet security that you permit everything except a few forbidden types of traffic. It is called the fishnet, because it only stops a fish of a certain size (certain traffic type) and allows everything smaller than a fish (different than the described traffic).

You can also use so-called solid wall security that is when you deny traffic except a few allowed types of traffic. The name comes from the fact it works like a solid wall that stops everything except a few small holes that you need to drill through it.

To create an standard access list, the following command is used from the router’s global configuration mode:
R1(config)# access-list ACL_NUMBER permit|deny IP_ADDRESS WILDCARD_MASK
ACL number for the standard ACLs has to be between 1–99 and 1300–1999.
You can also use the host keyword to specify the host you want to permit or deny:
R1(config)# access-list ACL_NUMBER permit|deny host IP_ADDRESS
Once the access list is created, it needs to be applied to an interface. You do that by using the ip access-group ACL_NUMBER in|out interface subcommand. inand out keywords specify in which direction you are activating the ACL. in means that ACL is applied to the traffic coming into the interface, while the out keyword means that the ACL is applied to the traffic leaving the interface.
We want to allow traffic from the management LAN to the server S1. First, we need to write an ACL to permit traffic from LAN to S1. We can use the following command on R1:
R1(config)#access-list 1 permit
The command above permits traffic from all IP addresses that begin with 10.0.0. We could also target the specific host, by using the host keyword:
R1(config)#access-list 1 permit host
The command above permits traffic only from the host with the IP address of
Next, we need to apply the access list to an interface. Since the traffic is entering the interface on R1, we need to use the in keyword:
R1(config-if)#access-group 1 in
NOTE – at the end of each ACL there is an implicit deny all statement. That means that all traffic not specified in earlier ACL statements will be forbidden.

Configuring extended ACLs

To be more precise when matching a certain network traffic, extended access lists are used. With extended access lists, you can match more information, such as:
• source and destination IP address
• type of TCP/IP protocol (TCP, UDP, IP…)
• source and destination port numbers
Two steps are required to configure extended access lists:
1. configure extended access lists using the following command:
2. apply an access list to an interface using the following command:
R1(config-if) ip access-group ACL_NUMBER out
NOTE – extended access lists numbers are in ranges from 100 to 199 and from 2000 to 2699
To better understand the usefulness of extended access lists, consider the following example.
R1(config)#access-list 100 permit ip
Next, we need to deny Users the right to access S1 by using the deny statement:
R1(config)#access-list 100 ip deny
 Lastly, we need to apply the access list to the interface on R1:
R1(config) int fa0/0
R1(config-if) #access group 100 in
Again, we have Users network ( On the right side, we have a server that serves as a web server, listening on port 80. We need to permit Users to access web sites on S1, but we also need to deny other type of access, for example a Telnet access.
First, we need to allow traffic from Users network to the web server port of 80. We can do that by using the following command
R1(config)#access-list 100 permit tcp eq 80
By using the TCP keyword, we can filter packets by source and destionation ports. In the example above, we have permited traffic originating from the network to the host on port 80. The last part of the statement,eq 80, specifies the destination port of 80.
Now we need to disable telnet traffic from the network to To do that, we need to create a deny statement:
R1(config)#access-list deny tcp eq  23
Add the configs to the interface
R1(config)#int fa0/0
R1(config-if)# ip access-group 100 in

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s