Access List Tutorial
In this tutorial we will learn about access lists.
Access control lists (ACLs) provide a means to filter packets by allowing an administrator to permit or deny IP packets crossing specified interfaces. Imagine you come to a fair and see a guard checking tickets: he only lets in people with valid tickets. An access list does the same job as that guard.
Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router's interfaces, based on the criteria you specify within the access list.
To use ACLs, the administrator must first configure the ACL and then apply it to a specific interface in a direction (inbound or outbound). Until an ACL is applied to an interface it filters nothing. There are three popular types of ACL: standard, extended and named ACLs.
Standard IP Access List
Standard IP access lists (numbered 1-99) only check the source address of each IP packet; they cannot look at the destination, the protocol or the port.
Configuration Syntax
access-list access-list-number {permit | deny} source [source-wildcard]
Apply ACL to an interface
ip access-group access-list-number {in | out}
Example of Standard IP Access List
Configuration:
In this example we will define a standard access list that only allows network 10.0.0.0/8 to reach the server (located on the segment behind the Fa0/1 interface).
Define which source is allowed to pass:
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
(There is always an implicit deny of all other traffic at the end of each ACL, so we do not need to define the forbidden traffic explicitly.)
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
ACL 1 is applied so that only packets sourced from 10.0.0.0/8 may leave the Fa0/1 interface; all other traffic is denied. Could we apply this ACL to another interface, Fa0/2 for example? We could, but we shouldn't, because users could still reach the server through another interface (S0, for example). There is a second reason: a standard ACL filters on source address only, so applying it near the source would cut that source off from every destination beyond that interface, not just the server. This is why a standard access list should be applied as close to the destination as possible. To verify the result, "show access-lists 1" displays the per-entry match counters and "show ip interface Fa0/1" shows which ACL is applied in which direction.
Note: "0.255.255.255" is the wildcard mask for network 10.0.0.0/8. A wildcard mask is the bitwise inverse of the subnet mask: a 0 bit means the corresponding address bit must match, a 1 bit means it is ignored. We will learn more about wildcard masks later.
Extended IP Access List
Extended IP access lists (numbered 100-199) check both source and destination addresses, the protocol (IP, TCP, UDP, ICMP, ...) and TCP/UDP port numbers.
Configuration Syntax
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [eq destination-port]
Example of Extended IP Access List
In this example we will create an extended ACL that denies FTP traffic from network 10.0.0.0/8 to the server 187.100.1.6 but allows all other traffic through.
Note: FTP uses TCP port 21 for the control connection and TCP port 20 for active-mode data transfers. Denying port 21 is already enough to stop a session from being established; the port 20 entry additionally covers active-mode data connections. Passive-mode data connections use a server port negotiated over the control channel, so these two entries do not match them on their own.
Define which protocol, source, destination and port are denied:
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Notice that we have to explicitly allow the other traffic (access-list 101 permit ip any any) because of the implicit "deny all" at the end of each ACL. Order also matters: entries are evaluated top-down and the first match wins, so the two deny entries must come before the permit ip any any. If the permit were listed first, the deny entries would never be reached.
As we can see, the destination in the above access list is "187.100.1.6 0.0.0.0", which specifies a single host. We can write "host 187.100.1.6" instead, and the keyword "any" is shorthand for "0.0.0.0 255.255.255.255". We will discuss wildcard masks later.
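As an added example, not code from the original tutorial or from Cisco, here is a small Python model of how the standard list 1 and the extended list 101 above are evaluated: wildcard-mask matching, top-down first-match evaluation, and the implicit deny at the end of the list. The ACL contents are the two lists from the examples above; the Packet and Entry classes, the helper names and the test packets are my own constructions.

```python
"""Added example (not from the original tutorial): a minimal model of
Cisco-style numbered ACL evaluation, so the rules in the text can be
checked offline. Addresses and packets below are constructed test
values, not captured traffic."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # what the keyword "any" expands to
HOST_WC = "0.0.0.0"                    # wildcard used by "host x.x.x.x"


def wildcard_from_prefix(prefix_len: int) -> str:
    """Subnet prefix -> wildcard mask: /8 -> 0.255.255.255, /28 -> 0.0.0.15.
    The wildcard mask is the bitwise inverse of the subnet mask."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(IPv4Address(~netmask & 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit must match, 1 = don't care."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    """One access-list line. A standard entry only sets src/src_wc."""
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches every IP protocol
    src: str = ANY[0]
    src_wc: str = ANY[1]
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dport: Optional[int] = None       # "eq <port>"; None = any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, self.src, self.src_wc)
            and wildcard_match(pkt.dst, self.dst, self.dst_wc)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Entries are checked top-down; the first match decides.
    A packet that matches no entry hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# access-list 1 permit 10.0.0.0 0.255.255.255
ACL_1 = [Entry("permit", src="10.0.0.0", src_wc="0.255.255.255")]

# access-list 101 deny   tcp 10.0.0.0 0.255.255.255 host 187.100.1.6 eq 21
# access-list 101 deny   tcp 10.0.0.0 0.255.255.255 host 187.100.1.6 eq 20
# access-list 101 permit ip any any
ACL_101 = [
    Entry("deny", "tcp", "10.0.0.0", "0.255.255.255", "187.100.1.6", HOST_WC, 21),
    Entry("deny", "tcp", "10.0.0.0", "0.255.255.255", "187.100.1.6", HOST_WC, 20),
    Entry("permit"),
]

SERVER = "187.100.1.6"


def demo() -> dict:
    """Constructed packets exercising both lists; returns the verdicts."""
    return {
        "std_inside_src":    evaluate(ACL_1, Packet("tcp", "10.5.6.7", SERVER, 80)),
        "std_outside_src":   evaluate(ACL_1, Packet("tcp", "172.16.0.1", SERVER, 80)),
        "ext_ftp_control":   evaluate(ACL_101, Packet("tcp", "10.1.1.1", SERVER, 21)),
        "ext_http":          evaluate(ACL_101, Packet("tcp", "10.1.1.1", SERVER, 80)),
        "ext_ftp_other_src": evaluate(ACL_101, Packet("tcp", "11.1.1.1", SERVER, 21)),
        # passive-mode FTP data goes to a negotiated high port: not matched
        "ext_ftp_pasv_data": evaluate(ACL_101, Packet("tcp", "10.1.1.1", SERVER, 50000)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
    print(wildcard_from_prefix(8), wildcard_from_prefix(28), wildcard_from_prefix(20))
```

The model decides one packet at one interface in one direction, which is exactly what a router does with a plain ACL: it keeps no connection state, so return traffic crossing the same interface in the other direction is a separate decision that needs its own permit. The "ext_ftp_pasv_data" verdict also shows the caveat from the note above: a passive-mode data connection to a high port sails through list 101, which is harmless only because the control connection on port 21 was already denied.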
In summary, below are the number ranges of standard and extended access lists:
Access list type | Range
Standard | 1-99, 1300-1999
Extended | 100-199, 2000-2699
Nice explanation on ACL.
How to use the wildcard mask?
I believe there is a mistake in calculating the wildcard mask in the given example. It should be 0.0.0.15.
Very supportive of your peers, nice job!!
I think in the given example the mask is 172.23.16.0/20, not /28. There is a mistake, because 0.0.15.255 = /20 and 0.0.0.15 = /28.
Extended ACLs need to be applied as close as possible to the source IP. In your example it is applied close to the destination and outbound. Please correct me if I am wrong.
@Tony: It depends on the situation. “Extended ACL need to be applied as close as source IP” is just a recommendation.
@Saamysaamy: Thanks for your detection. We have just updated it!
Dumps requester is an idiot.
My question is: after applying an access list to an interface in a particular direction, why is it that traffic is not allowed in the opposite direction by default? Using the above config, for example, I tried to deny hosts on the left LAN ICMP access to hosts on the right LAN. It worked as expected, but hosts on the right LAN are not able to access the hosts on the left LAN.
How do we deny or permit a whole network in an extended ACL? Please, I will be very thankful to you.
On which version of Packet Tracer can I run simulations?
Wow it makes sense now
Can someone explain why, for routing, in the subnet mask 255 = network ID and 0 = wildcard, but in ACLs 0 = network ID and 255 = wildcard? Why isn't it one way or the other?
Thanks,
Leo