Jeremy’s IT Lab lecture video:
Commands
Commands List
ACL Show Commands
11. ACL
- show access-lists --> Shows ALL configured access-lists on the router
- show ip access-lists --> Shows IP-related access-lists on the router
ACL Global Commands
ACL Global
1. General
- access-list number remark description --> Gives the specified access list a remark/description
- ip access-list resequence acl-name/acl-number starting-seq-number increment --> Modifies the access list's sequence numbers according to the specified arguments
2. Standard
- access-list number { deny | permit } ip wildcard-mask --> Configures a standard numbered ACL
- ip access-list standard acl-name/acl-number --> Enters standard named ACL configuration mode
- [entry-number] { deny | permit } ip wildcard-mask --> Configures an ACE from within standard named ACL configuration mode
3. Extended
- access-list number { deny | permit } protocol src-ip dst-ip --> Configures an extended numbered ACL
- ip access-list extended acl-name/acl-number --> Enters extended named ACL configuration mode
- [entry-number] { deny | permit } protocol src-ip dst-ip --> Configures an ACE from within extended named ACL configuration mode
- [entry-number] { deny | permit } protocol src-ip argument source-port-num dst-ip argument dst-port-num --> Configures an ACE that also matches on source/destination ports (arguments: eq / gt / lt / neq / range)
ACL Interface Commands
ACL Interface
- ip access-group number/name { in | out } --> Applies the specified access-list onto the interface, either inbound or outbound
ACL Information
What Are Access Control Lists (ACLs)?
Access Control Lists (ACLs) are traffic filters which contain ordered lists of rules called ‘Access Control Entries’ (ACEs).
- ACLs function as a packet filter, as they instruct the router to permit or deny traffic based on the defined ACEs.
- ACLs can filter traffic based on source/destination IP addresses, source/destination Layer 4 ports, etc.
ACL Config General Info
- ACLs are configured globally on the router (global configuration mode), but they must be applied onto an interface in order to take effect.
- ACLs are applied either inbound or outbound on interfaces.
- When the router checks a packet against the configured ACL, it processes the ACEs in order, from top to bottom.
- If the packet matches one of the ACEs in the ACL, the router takes the action of that ACE (permit or deny) and stops processing the ACL; all entries below the matching entry are ignored.
Implicit Deny
Implicit Deny is a feature that is present in all ACLs. The implicit deny tells the router to deny all traffic that doesn’t match any of the configured ACEs in the ACL.
ACL Types
There are two types of ACLs with both containing two subtypes:
- Standard ACLs
  - Standard ACLs match based on source IP address only
  - Standard ACLs can use the number ranges 1 - 99 and 1300 - 1999
  - They should be applied as close to the destination as possible.
  - They include two subtypes:
    - Standard numbered ACLs
    - Standard named ACLs
- Extended ACLs
  - Extended ACLs match based on source/destination IP address, source/destination port, etc.
  - Extended ACLs can use the number ranges 100 - 199 and 2000 - 2699
  - They should be applied as close to the source as possible.
  - They include two subtypes:
    - Extended numbered ACLs
    - Extended named ACLs
Numbered ACLs
- Different types of numbered ACLs use different ranges of numbers.
- So, the range can be used to identify what type of numbered ACL we're looking at.
Standard ACL Types
1. Standard Numbered ACLs
Standard numbered ACLs are one of the Standard ACL subtypes. They are identified with a number.
- (Ex. ACL 1, ACL 2)
2. Standard Named ACLs
Standard named ACLs are one of the Standard ACL subtypes. They are identified with a name.
- (Ex. FIRST_ACL, CCNA_ACL)
Standard ACL Configuration
There are two ways to create a standard ACL:
- Global configuration / directly
  - This method only allows you to create numbered ACLs
  - Done through the command:
    access-list STANDARD-ACL-NUMBER { deny | permit } IP WILDCARD-MASK
  - Examples:
    - access-list 1 deny 1.1.1.1 0.0.0.0
    - access-list 1 deny 1.1.1.1 <-- (only possible in Standard ACLs)
    - access-list 1 deny host 1.1.1.1
    - access-list 1 permit any
    - access-list 1 permit 0.0.0.0 255.255.255.255
- ACL configuration mode
  - Done through the command:
    ip access-list standard NAME/NUMBER
  - This puts you in standard ACL configuration mode, where ACEs are set with the following command format:
    [entry-number] { deny | permit } ip wildcard-mask
Access-list arguments
After the ’{ deny | permit }’ part of the command, you usually specify the IP address and wildcard mask, but there are some arguments you can use instead:
- host
  - Instead of specifying a wildcard-mask for a host address (/32) like this:
    access-list 1 deny 1.1.1.1 0.0.0.0
  - You can use the host argument and the router will automatically translate it into a host address (/32):
    access-list 1 deny host 1.1.1.1
- any
  - Instead of specifying an IP address and wildcard-mask to match all traffic (permit or deny) like this:
    access-list 1 permit 0.0.0.0 255.255.255.255
  - You can use the any argument, which matches all traffic:
    access-list 1 permit any
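To make the top-to-bottom, first-match processing and the implicit deny concrete, here is an added Python example (not from Jeremy's notes and not Cisco IOS code) that parses standard numbered ACEs in the forms shown above, including the host, any and bare-address shorthands, and evaluates a source address against them with Cisco wildcard-mask semantics. ACL_1 and the source addresses are constructed for illustration.

```python
import ipaddress

# Standard ACL evaluation as the notes describe it: ACEs are checked top to
# bottom, the first match decides, and anything unmatched hits the implicit deny.
# Added example; it is not Cisco IOS code and not part of the original notes.

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line: str):
    """Parse 'access-list N {deny|permit} <match>' into (action, address, wildcard)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("deny", "permit"):
        raise ValueError(f"not a standard numbered ACE: {line!r}")
    action, match = tokens[2], tokens[3:]
    if match == ["any"]:                  # any == 0.0.0.0 255.255.255.255
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    elif match[0] == "host":              # host A == A 0.0.0.0
        addr, wildcard = match[1], "0.0.0.0"
    elif len(match) == 1:                 # bare address: standard ACLs assume a /32 host
        addr, wildcard = match[0], "0.0.0.0"
    else:                                 # explicit address + wildcard mask
        addr, wildcard = match[0], match[1]
    return action, to_int(addr), to_int(wildcard)

def wildcard_match(src: str, addr: int, wildcard: int) -> bool:
    """A 1 bit in the wildcard means 'don't care'; only the 0 bits must equal the ACE address."""
    care = 0xFFFFFFFF ^ wildcard
    return to_int(src) & care == addr & care

def evaluate(acl, src: str):
    """Return (action, matching ACE) for the first match, or ('deny', 'implicit deny')."""
    for ace in acl:
        action, addr, wildcard = parse_ace(ace)
        if wildcard_match(src, addr, wildcard):
            return action, ace       # stop at the first match; later ACEs are ignored
    return "deny", "implicit deny"   # present in every ACL, never shown in the config

# Constructed ACL using every argument form from the notes
ACL_1 = [
    "access-list 1 deny 1.1.1.1 0.0.0.0",
    "access-list 1 deny host 1.1.1.2",
    "access-list 1 deny 1.1.1.3",
    "access-list 1 permit 1.1.1.0 0.0.0.255",
    "access-list 1 deny 192.168.0.0 0.0.255.255",
]

if __name__ == "__main__":
    for src in ("1.1.1.1", "1.1.1.3", "1.1.1.50", "192.168.5.9", "10.0.0.1"):
        print(f"{src:<12} -> {evaluate(ACL_1, src)}")
```

Swapping the order of a broad permit and a narrower host deny changes the verdict for that host, which is why ACE order matters on a real router.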
Notes on how routers handle ACLs
- The router may re-order the /32 entries.
  - This improves the efficiency of processing the ACL.
  - It does not change the effect of the ACL.
  - This applies to both standard named and standard numbered ACLs.