Access Control List (ACL)
- Malik Zaib
- Mar 14, 2018
- 1 min read
An access control list is a set of rules that allows or denies specific traffic passing through the router.
It is a Layer 3 security mechanism that controls the flow of traffic from one router to another.
It is also called a packet-filtering firewall.
Types of Access Control List (ACL)

Standard Access List:
The access-list number range is 1-99.
We can block a network, a host or a subnet.
All services are blocked, because a standard list cannot match on a service.
Implement closest to the destination.
Filtering is done based on the source IP address only.
Extended Access-list:
The access-list number range is 100-199.
We can block a network, host, subnet and services.
Selected services can be blocked.
Implement closest to the source.
Filtering is done based on source IP, destination IP, port number and protocol.
Access-list rules:
Statements are processed in sequential order, top to bottom, and the first matching statement is applied.
All deny statements should be given first (preferable in most cases).
There should be at least one permit statement (mandatory).
By default an implicit deny blocks all traffic: when no statement matches, an invisible deny at the end of the list applies.
There can be one access-list per interface per direction: one inbound and one outbound.
If we add a new entry to an access-list, it is placed at the bottom of the list.
We can't remove a single statement from an access-list.
Creation of standard Access-list:
R2(config)#access-list <acl no> <permit/deny> <source address> <source wildcard mask>
Understanding IN/OUT:
In: traffic entering the router through the interface.
Out: traffic leaving the router through the interface.
Creating ACL rules:
R2(config)#access-list 10 deny 192.168.1.1 0.0.0.0
R2(config)#access-list 10 deny host 192.168.1.2
R2(config)#access-list 10 deny 192.168.3.0 0.0.0.255
R2(config)#access-list 10 permit any
Implementation:
R2(config)#int eth0/0
R2(config-if)#ip access-group 10 out
Verification:
R2#show access-lists
Standard IP access list 10
10 deny 192.168.1.1
20 deny 192.168.1.2
30 deny 192.168.3.0, wildcard bits 0.0.0.255
40 permit any
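To make the rules above concrete (sequential first-match processing, wildcard-mask matching, and the implicit deny when nothing matches), here is an added example, not code from the original post, that simulates how R2 evaluates standard ACL 10 against a source address. The helper names are my own; the four rules are the ones configured above.

```python
# Added example: a small simulator for Cisco standard ACL semantics.
# It parses "access-list <no> permit|deny <source> [wildcard]" lines,
# matches a source address with a wildcard mask, and applies the first
# matching statement; no match means the implicit deny at the end.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = that address bit must match; bit 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits we must compare
    return (a & care) == (b & care)

def parse_standard_acl(lines):
    """Return (action, base, wildcard) tuples in the order they were entered."""
    entries = []
    for line in lines:
        parts = line.split()        # access-list, <no>, action, source...
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":                      # any = 0.0.0.0 255.255.255.255
            base, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":                   # host x = x 0.0.0.0
            base, wild = rest[1], "0.0.0.0"
        else:
            base = rest[0]
            wild = rest[1] if len(rest) > 1 else "0.0.0.0"   # bare address = host
        entries.append((action, base, wild))
    return entries

def evaluate(entries, src):
    """Walk top to bottom; first match wins; returns (action, sequence or None)."""
    for seq, (action, base, wild) in enumerate(entries, start=1):
        if wildcard_match(src, base, wild):
            return action, seq * 10                # IOS numbers entries 10, 20, ...
    return "deny", None                            # implicit deny, invisible statement

# Constructed input: the same four rules the post configures on R2 for ACL 10.
ACL_10 = parse_standard_acl([
    "access-list 10 deny 192.168.1.1 0.0.0.0",
    "access-list 10 deny host 192.168.1.2",
    "access-list 10 deny 192.168.3.0 0.0.0.255",
    "access-list 10 permit any",
])

if __name__ == "__main__":
    for src in ["192.168.1.1", "192.168.1.2", "192.168.3.77", "10.0.0.5"]:
        print(src, evaluate(ACL_10, src))
    # Without the final "permit any", every unmatched source hits the implicit deny:
    print("10.0.0.5 without permit any:", evaluate(ACL_10[:3], "10.0.0.5"))
```

Dropping the last entry (`ACL_10[:3]`) shows why the post insists on at least one permit statement: with only deny lines, all traffic is blocked by the implicit deny.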