Access List Tutorial
In this tutorial we will learn about access lists.
Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just imagine you come to a fair and see the guardian checking tickets. He only allows people with suitable tickets to enter. Well, an access list's function is the same as that guardian's.
Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router's interfaces, based on the criteria you specify within the access list.
To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.
Standard IP Access List
Standard IP lists (1-99) only check source addresses of all IP packets.
Configuration Syntax
access-list access-list-number {permit | deny} source {source-mask}
Apply ACL to an interface
ip access-group access-list-number {in | out}
Example of Standard IP Access List
Configuration:
In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface)
Define which source is allowed to pass:
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
(there is always an implicit "deny all other traffic" at the end of each ACL, so we don't need to define the forbidden traffic)
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of the Fa0/1 interface while denying all other traffic. So can we apply this ACL to another interface, Fa0/2 for example? Well, we can, but we shouldn't, because users could still reach the server from another interface (the S0 interface, for example). This is why a standard access list should be applied close to the destination.
Note: The "0.255.255.255" is the wildcard mask part of network "10.0.0.0". We will learn how to use wildcard masks later.
Extended IP Access List
Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.
Configuration Syntax
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
Example of Extended IP Access List
In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but allow other traffic to go through.
Note: FTP uses TCP on port 20 & 21.
Define which protocol, source, destination and port are denied:
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any) as there is an implicit "deny all" at the end of each ACL.
As we can see, the destination of the above access list is "187.100.1.6 0.0.0.0", which specifies a single host. We can use "host 187.100.1.6" instead. We will discuss wildcard masks later.
In summary, below are the number ranges of standard and extended access lists:
Access list type | Range
--- | ---
Standard | 1-99, 1300-1999
Extended | 100-199, 2000-2699
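To make the wildcard-mask matching, first-match and implicit-deny behaviour of the two ACLs above concrete, here is an added Python simulation; it is not part of the original tutorial and not IOS code, and the packets it evaluates are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(network) & care)

def wildcard_from_prefix(prefix_len: int) -> str:
    """/28 -> mask 255.255.255.240 -> wildcard 0.0.0.15 (255.255.255.255 minus the mask)."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ mask))

@dataclass
class Ace:
    """One access-list entry (ACE). 'ip' matches every protocol."""
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # 'any' for a standard ACL
    dport: Optional[int] = None

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    for ace in acl:                          # entries are checked top-down
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action                    # first match wins
    return "deny"                            # implicit deny at the end of every ACL

# access-list 1 permit 10.0.0.0 0.255.255.255
ACL_1 = [Ace("permit", "ip", "10.0.0.0", "0.255.255.255")]
# access-list 101: deny FTP (tcp 21, 20) from 10.0.0.0/8 to host 187.100.1.6, permit ip any any
ACL_101 = [
    Ace("deny", "tcp", "10.0.0.0", "0.255.255.255", "187.100.1.6", "0.0.0.0", 21),
    Ace("deny", "tcp", "10.0.0.0", "0.255.255.255", "187.100.1.6", "0.0.0.0", 20),
    Ace("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
```

Without the final permit entry in ACL_101, evaluate() falls through to the implicit deny for every packet, which is exactly the mistake the note above warns about.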
Can we apply an access-list to sub interfaces???
On the exhibit above about wildcard masks, why is 00010011 = 18? I think it should be 19.
/28 should have been 255.255.255.240
and since its is a wildcard mask it should have been 0.0.0.15
good example
Ethiolion, after reading the extended ACL example I also wonder why it is not implemented on
Fa0/0 in. I agree with your point and this implementation will satisfy both the theory and our requirement.
If anyone disagrees or wants to give any comment, please give it on this point: why it is not implemented on Fa0/0 in.
It will clear my big doubt and I will get a clear idea about the implementation of ACLs.
Please help me out.
@dinesh patni,
I think it should be applied on the interface with access-group fa0/0 in. Best practice in ACLs is that if you use a standard ACL it should be placed closest to the destination, while an extended ACL is usually placed closest to the source.
Dinesh and Drry – you are correct. It should have been applied to the in side of the router.
Thanks, it helps a lot.
Thanks, it's really helpful.
Hello Guys,
I hate all of you that have just passed the CCNA. I failed today, so am back in the books. Got EIGRP, ACL and NAT.
Good luck to you guys that are doing it soon.
Guys if any one has latest dumps for ccna , kindly send it to rubin.shane@yahoo.co.in
great info
Thanks a lot.
Hi friends, anyone help me... still I don't understand IN and OUT.
If you need to find the wildcard mask from the subnet mask, then you can follow my easy system.
Just imagine your subnet mask is 255.255.255.240.
Then you can subtract the subnet mask from 255.255.255.255.
answer is 255.255.255.255 – 255.255.255.240 = 0.0.0.15
Thanks for that Jahuta, can you please now help me with this subnet mask
255.128.0.0 using your easy system
255.128.0.0 – 255.255.255.255 = 0.127.0.0
Correction*
0.127.255.255, my bad. It will only check the first 8 bits from the first octet, and the first bit on the second octet.
@aJmAL
Define In, Out, Inbound, Outbound, Source, and Destination
This topic is very simple if you draw it from the following scenario.
The router uses the terms in, out, source, and destination as references. Traffic on the router can be compared to traffic on the highway. If you were a law enforcement officer in Pennsylvania and wanted to stop a truck going from Maryland to New York, the source of the truck is Maryland and the destination of the truck is New York. The roadblock could be applied at the Pennsylvania–New York border (out) or the Maryland–Pennsylvania border (in). Replace these with towns/cities which you are familiar with.
When you refer to a router, these terms have these meanings.
• Out—Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.
• In—Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.
• Inbound —if the access list is inbound, when the router receives a packet, the Cisco IOS software checks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
• Outbound—if the access list is outbound, after the software receives and routes a packet to the outbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
The in ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The out ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.
I just hope that you will grasp one or two things from this scenario.
9tut help me if I am giving this man poison
@9tut
Thanks for your valuable website, questions, answers & explanations.
Hi all aspiring CCNA network engineers and those already in the field!
Can anyone send me the vce engine software (Visual CertExam Suite) and dumps from collision 486q by Jericho 632q or Bruce 564q by DHAKANI 615Q? I tried to google the vce engine, but got a trial version which only exhibited five questions.
My id is musinawellaz@gmail.com
Please help. I am preparing for the CCNA final exam at this month end (August 2012), so please again send me the latest dumps from collision 486q by Jericho 632q or Bruce 564q by DHAKANI 615Q.
My CCNA exam is Aug 23 2012. Please can someone send me the latest CCNA dumps. My email add is indiasonu20@gmail.com. Pls help me.
I have my ccna exam on 31 aug 2012. Please send me the latest dumps at arjun.upadhya@yahoo.com. Many Thanks in advance.
Hello Guys...!!! Need your help regarding the upgraded CCNA Dumps. I scheduled my exam for the coming month. Thanks in advance, please forward to clomr@live.com
I have my ccna exam on 31 aug 2012. Please send me the latest dumps at jayantha33@yahoo.com. Many Thanks in advance.
Am certifying next month. Anyone with the latest update, please send me a copy on goodbyron@yahoo.com or goodbruno88@gmail.com. I will be grateful for help. Thanks
Sorry, I meant the latest CCNA dumps. Thanks
Guys i have the exam on 1st of september i would be grateful if anyone could send me the latest dump to my mail..
sumududesilva@gmail.com
Thanks in advance
And all the best to the people who are going to do the exam... :)
guys, i have the exam on 29 september. can someone please send me the latest dump on mail kuruzna@yahoo.com. thank you :)))
Please send me some dumps of CCNA. My id is prasant.kumar1985@gmail.com
Could someone also send me the latest dump please? robproctor61@gmail.com
Many thanks in advance... :)
Have my exam on Friday!!
Please, my exam is on the 16th, what do I need to revise?
I'm writing the CCNA at the end of this month (October). Please, I need someone to help me with current dumps. Thumbs up to you guys that have succeeded. Thanks in advance.
this is my email fonimely@yahoo.com
Can anyone send me the vce engine software (Visual CertExam Suite) and dumps from collision 486q by Jericho 632q or Bruce 564q by DHAKANI 615Q? I tried to google the vce engine, but got a trial version which only exhibited five questions. My mail id: tamilarasiek@gmail.com
Please guys, send me the latest CCNA dumps, jose.m20076@gmail.com.
thanks guys
Hi! Guys. I'm planning to attempt CCNA 640-802, can anyone send me the latest Dumps for the same.
can anybody send me ccna dumps, my email is himal.nepali@gmail.com
CCNA first or MCSE first?
Hey guys I have my CCNA scheduled for this month (October) could anyone please send me the latest dumps…I would be super thankful, congrats to those who passed it already…THANKS in advance !!!
Sorry I forgot to type my e-mail it’s: cr7cubanocr7@gmail.com
I’ll give CCNA exam in first week of November..
please contact me who recently passed CCNA exam or planning to give CCNA exam…
please tell me which dump is good and sims…
er.anita.annu@gmail.com
Look, the recommendation for the CCNA is to do lots of simulations; that is where you spend the most time, especially on these ACLs.
Latest dump please... help me...
Please send me the latest dump... anonimandvo@yahoo.com... thanks
Am in for the exam ping 10.0.0.0/8
This is as direct as it will ever get! Concisely and pointedly outlined – thank you!
There is a small mistake
172.23.16.0/28 must be 172.23.16.0/20
Of course, in the second page.
Please explain the concept of "in" & "out". When should we use "in" or "out"?