Access Lists – Cisco

ACL (Access List) is a set of rules that permits or denies specific traffic moving through the router. It is Layer 3 security that controls the flow of traffic from one router to another. It is also called a Packet Filtering Firewall.

STANDARD ACCESS LIST:

  • The access-list number range is 1 – 99
  • Can block a Network, Host or Subnet
  • All services are blocked.
  • Implemented closest to the destination.
  • Filtering is done based only on the source IP address

EXTENDED ACCESS LIST:

  • The access-list number range is 100 – 199
  • Can block a Network, Host, Subnet or Service
  • Selected services can be blocked.
  • Implemented closest to the source.
  • Checks source address, destination address, protocol and port number

Wild Card Mask

• Tells the router which addressing bits must match in the address of the ACL statement.
• It is the inverse of the subnet mask, hence it is also called an Inverse mask.
• A bit value of 0 indicates MUST MATCH (Check Bits)
• A bit value of 1 indicates IGNORE (Ignore Bits)
• The Wild Card Mask for a Host is always 0.0.0.0
• A wild card mask can be calculated using the formula:

      Global Subnet Mask
    – Customized Subnet Mask
    ------------------------
      Wild Card Mask

E.g.

      255.255.255.255
    – 255.255.255.192
    -----------------
        0.  0.  0. 63

Creation of Standard Access List

Router(config)# access-list <acl no> <permit/deny> <source address> <source WCM>


Implementation of Standard Access List

Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <number> <out/in>

To verify:

Router# show access-lists
Router# show access-lists <no>

Creation of Extended Access List

Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
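The wildcard-mask arithmetic above and the top-down, first-match evaluation of a standard or extended ACL, as an added Python example that is not part of the original notes. Entry `ACL_101`, the addresses and the port are constructed sample values; only the `eq` operator is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Global mask 255.255.255.255 minus the customized subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match (check bit); a 1 bit is ignored."""
    diff = int(ipaddress.IPv4Address(packet_addr)) ^ int(ipaddress.IPv4Address(acl_addr))
    check_bits = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return diff & check_bits == 0

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    operator: Optional[str] = None   # only "eq" is modelled here (hypothetical simplification)
    port: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if not (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc)):
            return False
        if self.operator == "eq" and dport != self.port:
            return False
        return True

def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Entries are checked top-down; the first match wins; an implicit deny ends every ACL."""
    for entry in acl:
        if entry.matches(proto, src, dst, dport):
            return entry.action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword: ignore every bit

# Constructed sample: extended ACL 101 blocks Telnet from 192.168.10.0/26 and permits the rest.
ACL_101 = [
    AclEntry("deny", "tcp", "192.168.10.0", wildcard_from_subnet_mask("255.255.255.192"), *ANY, "eq", 23),
    AclEntry("permit", "ip", *ANY, *ANY),
]
```

Without the final `permit ip any any`, every packet that misses the first entry would be dropped by the implicit deny, which is the most common cause of an ACL blocking more than intended.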

Implementation of Extended Access List

Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <number> <out/in>

Named Access List

• Access-lists are identified using Names rather than Numbers.
• Names are Case-Sensitive.
• There is no limitation on the number of lists here.
• One main advantage is that editing of the ACL is possible, i.e. removing a specific statement
from the ACL is possible.

(IOS version 11.2 or later supports Named ACLs)

Creation of Standard Named Access List

Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask>

Implementation of Standard Named Access List

Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <name> <out/in>

Creation of Extended Named Access List

Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>

Implementation of Extended Named Access List

Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <name> <out/in>
