Cisco ACL Revision
On May 11, 2018 by TechTips
Access Control Lists (ACL)
Access Control Lists are used to:
- Prioritise traffic
- Restrict or reduce updates
- Provide basic security
- Block types of traffic
Access control list placement
- Standard ACLs – Place as close to destination as possible.
- Extended ACLs – Place as close to source of traffic as possible.
- Only one ACL per port per direction is allowed.
- ACLs are more efficient when applied to the outbound port.
- If a packet does not match any ACL statement, it is implicitly denied.
- Once a packet matches an ACL statement, no further statements are checked; the packet is permitted.
ACL IOS commands
Standard ACLs – Used to permit or deny an entire protocol suite.
The following two statements have the same effect:
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)# access-list 1 permit any
The following two statements also have the same effect:
Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29
Extended ACLs – Used to permit or deny specific protocols.
Each protocol has its own range of ACL numbers, and the number you choose determines which protocol the list filters. Below are the ranges you will need for your CCNA.
Protocol | Range |
---|---|
IP | 1-99 |
Extended IP | 100-199 |
Appletalk | 600-699 |
IPX | 800-899 |
Extended IPX | 900-999 |
IPX SAP | 1000-1099 |
Use the following operators to permit or deny specific ports or ranges of port numbers; an example ACL follows.
Operator | Meaning |
---|---|
lt | Less than |
gt | Greater than |
neq | Not equal to |
eq | Equal to |
Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.255.255 any eq 23
Router(config)# access-list 101 permit tcp any any established
established – matches only packets that belong to an already established TCP connection; the keyword is valid only on tcp entries, so the permit line uses tcp rather than ip.
Named ACLs
Named access control lists are another way of creating ACLs; an example follows.
Router(config)# ip access-list standard Nik
Router(config-std-nacl)# deny any log
log – logs each packet that matches the deny statement.
Viewing ACLs
Router# show access-lists – shows all access lists.
Router# show access-list 101 – shows access list 101.
Router# show ip interface – shows which access lists are applied to which interfaces.
Configuring ACLs on an interface
Router(config)# interface s1
Router(config-if)# ip access-group 1 {in | out}
out is the default direction if none is given.
Removal of ACLs
Router(config)# no access-list 1