Access Control Lists - ACL
Access Control Lists (ACLs) are a powerful security feature of Cisco IOS. Using ACLs, we can deny unwanted access to the network while allowing internal users appropriate access to necessary services. An ACL is a set of commands, grouped together by a number or a name, that filter traffic entering or leaving an interface; the ACL statements define which traffic is permitted and which is denied.

We have already discussed that an ACL is a group of statements that define whether packets coming into or leaving an interface are accepted or rejected. ACL statements are evaluated in sequential, logical order, from the top down. As soon as a statement matches the packet, the packet is permitted or denied according to that statement and the remaining statements are not checked. If no statement matches, an implicit "deny any" statement at the end of the list takes effect by default. You should remember that every ACL ends with this implicit "deny any".

We can classify ACLs as follows.

• Numbered and named ACLs: a numbered ACL is identified by a number that is unique among all ACLs on the router, while a named ACL is identified by a unique name.

• Standard and extended ACLs: a standard IP ACL can filter traffic based only on the source IP address of the IP datagram. An extended ACL can filter traffic based on source IP address, destination IP address, protocol (TCP, UDP, etc.), port numbers, and so on.

The following table shows the ACL types and the number ranges that can be used to number an ACL of each type.

ACL Type       ACL Numbers
IP Standard    1–99, 1300–1999
IP Extended    100–199, 2000–2699

Standard Access Control Lists

As discussed above, standard IP access lists permit or deny traffic based on the source IP address only.

The generic format of the standard access list is as shown below.

access-list [list number] [permit | deny] [IP address] [wildcard mask (optional)]

The arguments are explained in detail below.

Access list number: for a standard access list, a number from 1–99 or 1300–1999.

permit | deny: whether matching traffic is permitted or denied.

IP address: the source IP address the statement is matched against (standard ACLs filter on the source address only).

wildcard mask: instead of specifying a single IP address, you can permit or deny whole networks or subnets, or parts of them, by using a wildcard mask (also known as an inverse mask). A "0" bit in the wildcard mask means the corresponding bit of the address in the ACL statement must exactly match the corresponding bit of the IP address in the examined packet; a "1" bit means the corresponding bit is ignored. The wildcard mask is optional; when it is omitted, the statement matches only the single address given.

A simple example of creating a standard access list is shown below. The "ip access-group" command binds the access list to an interface, for traffic entering ("in") or leaving ("out") that interface.

router(config)#access-list 1 deny 192.168.15.100
router(config)#access-list 1 permit any
router(config)#interface ethernet 0
router(config-if)#ip access-group 1 in
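The following Python program is an added example (it is not part of the original page and not Cisco code) that models how the router evaluates a standard ACL as described above: it parses "access-list" lines in the page's format, applies the wildcard-mask rule bit by bit, walks the statements top down, stops at the first match, and falls back to the implicit "deny any". It assumes the IOS keywords "any" (used on the page) and "host" (an IOS shorthand for a wildcard of 0.0.0.0); the access list 10 and the source addresses tested are constructed for illustration.

```python
"""Model of standard (source-address) ACL evaluation: wildcard masks, top-down
first-match processing and the implicit deny at the end of every list."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Number ranges for standard IP ACLs, as listed in the table on the page.
STANDARD_RANGES = ((1, 99), (1300, 1999))


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    address: str     # dotted-quad address from the statement
    wildcard: str    # dotted-quad wildcard (inverse) mask


def wildcard_match(packet_ip: str, address: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask requires the packet address bit to equal the
    ACL address bit; a 1 bit means that bit is ignored."""
    p = int(ipaddress.IPv4Address(packet_ip))
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the router must compare
    return (p & care) == (a & care)


def parse_standard_acl(config_lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list N permit|deny <addr> [wildcard]' lines, keeping
    statement order per list number (order is what the router evaluates)."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in config_lines:
        tokens = line.strip().split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue                      # not an ACL statement
        number = int(tokens[1])
        if not any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
            raise ValueError(f"{number} is not a standard ACL number")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        target = tokens[3:]
        if target[0] == "any":            # shorthand for 0.0.0.0 255.255.255.255
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif target[0] == "host":         # IOS shorthand for a single address
            address, wildcard = target[1], "0.0.0.0"
        else:                             # address with optional wildcard mask
            address = target[0]
            wildcard = target[1] if len(target) > 1 else "0.0.0.0"
        acls.setdefault(number, []).append(AclEntry(action, address, wildcard))
    return acls


def evaluate(entries: List[AclEntry], source_ip: str) -> Tuple[str, Optional[int]]:
    """Top-down evaluation: the first matching statement decides and the rest
    are skipped. Returns (action, index of the matching statement); a None index
    means no statement matched and the implicit 'deny any' applied."""
    for index, entry in enumerate(entries):
        if wildcard_match(source_ip, entry.address, entry.wildcard):
            return entry.action, index
    return "deny", None


# Access list 1 is the page's example; access list 10 is constructed to show
# a subnet wildcard followed by nothing but the implicit deny.
SAMPLE_CONFIG = [
    "access-list 1 deny 192.168.15.100",
    "access-list 1 permit any",
    "access-list 10 permit 192.168.15.0 0.0.0.255",
]

if __name__ == "__main__":
    acls = parse_standard_acl(SAMPLE_CONFIG)
    for number, entries in acls.items():
        for ip in ("192.168.15.100", "192.168.15.7", "10.1.1.1"):
            action, index = evaluate(entries, ip)
            where = "implicit deny" if index is None else f"statement {index}"
            print(f"ACL {number}: source {ip} -> {action} ({where})")
```

Running the program with the sample configuration shows that list 1 denies only 192.168.15.100 and permits everything else, while list 10 permits the 192.168.15.0/24 subnet and silently denies 10.1.1.1 through the implicit deny. Because evaluation stops at the first match, statement order matters: if the page's two statements for list 1 were entered in the opposite order, "permit any" would match first and the deny for 192.168.15.100 would never be reached.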

Extended Access Control Lists

Extended IP access lists offer more granular control than standard access lists. Extended access lists allow you to control TCP/IP traffic based on the transport layer protocol being used (TCP or UDP) and the service or application (e.g. SMTP, Telnet), as well as on both the source and destination addresses.
