ACLs are the basic security feature required in any network to control the flow of traffic. Most of the time our network has servers and clients for which traffic control is required. We can also use ACLs to classify traffic: ACLs are used by features such as QoS (Quality of Service), traffic prioritization, and defining the interesting traffic for ISDN.
Classification of Access Control Lists :-
Types of ACL based on Protocol: -
(1) IP Access Control List
(2) IPX Access Control List
(3) AppleTalk Access Control List
Types of ACL based on Feature: -
(1) Standard ACL
(2) Extended ACL
Types of ACL based on Access mode: -
(1) Numbered ACL
(2) Named ACL
Types of ACL based on Order of rules: -
(1) Deny, permit
(2) Permit, deny
Types of ACL based on direction of implementation: -
(1) Inbound ACL
(2) Outbound ACL
[Figure: flow chart of Inbound ACL]
IP Standard ACL (Numbered)
In a standard ACL we are only able to specify the source address for the filtering of packets. The syntax to create an IP standard ACL is: -
Router#conf ter
Router(config)#access-list <no> <permit|deny> <source>
Router(config)#exit
Forms of <source>: -
    Single pc   192.168.10.5  /  192.168.10.5 0.0.0.0  /  host 192.168.10.5
    N/w         200.100.100.0 0.0.0.255
    Subnet      200.100.100.32 0.0.0.15
    All         any
Example: - 172.16.0.16 to 172.16.0.18 should not access the Internet; all other pcs should access the Internet.
Router#conf ter
Router(config)#access-list 30 deny 172.16.0.16
Router(config)#access-list 30 deny 172.16.0.17
Router(config)#access-list 30 deny 172.16.0.18
Router(config)#access-list 30 permit any
Router(config)#exit
Applying an ACL on an interface
Router#conf ter
Router(config)#interface <type> <no>
Router(config-if)#ip access-group <ACL no.> <in|out>
Router(config-if)#exit
Rule for applying an ACL :-- Only one ACL can be applied on each interface, in each direction, for each protocol.
e.g. => Suppose we want to allow the Internet only for 192.168.10.32 to 192.168.10.70.
Router(config)#access-list 25 permit 192.168.10.32 0.0.0.31
Router(config)#access-list 25 permit 192.168.10.64 0.0.0.3
Router(config)#access-list 25 permit 192.168.10.68
Router(config)#access-list 25 permit 192.168.10.69
Router(config)#access-list 25 permit 192.168.10.70
Router(config)#interface serial 0
Router(config-if)#ip access-group 25 out
IP Standard ACL (Named)
In a numbered ACL the editing feature is not available, that is, we are not able to delete a single rule from the ACL. In a named ACL the editing feature is available.
Router#conf ter
Router(config)#ip access-list standard <name>
Router(config-std-nacl)#<deny|permit> <source>
Router(config-std-nacl)#exit
Example: -
Router#conf ter
Router(config)#ip access-list standard abc
Router(config-std-nacl)#deny 172.16.0.16
Router(config-std-nacl)#deny 172.16.0.17
Router(config-std-nacl)#deny 172.16.0.18
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
To modify the ACL (remove a single rule): -
Router#conf ter
Router(config)#ip access-list standard abc
Router(config-std-nacl)#no deny 172.16.0.17
Router(config-std-nacl)#exit
To control Telnet access using an ACL
If we want to control Telnet with the help of an ACL, we can create a standard ACL and apply it on the vty lines. The ACL we create for the vty lines will be in permit, deny order.
e.g. => Suppose we want to allow Telnet to our router only from the pcs 192.168.10.5 and 192.168.10.30.
Router#conf ter
Router(config)#access-list 50 permit 192.168.10.5
Router(config)#access-list 50 permit 192.168.10.30
Router(config)#line vty 0 4
Router(config-line)#access-class 50 in
Router(config-line)#exit
IP Extended ACL (Numbered) ==> Extended ACLs are advanced ACLs, which can control traffic flow on the basis of five different parameters: -
(i) Source address
(ii) Destination address
(iii) Source port
(iv) Destination port
(v) Protocol (layer 3/layer 4)
The syntax to create an Extended ACL
Router#conf ter
Router(config)#access-list <no> <deny|permit> <protocol> <source> [<s.port>] <destination> [<d.port>]
Router(config)#exit
<no>                   -> 100 to 199
<protocol>             -> layer 3/4: IP, TCP, UDP, ICMP, IGRP
<s.port> / <d.port>    -> port no. (1 to 65535) or name (telnet/www/ftp etc.)
<source> / <destination>: -
    Single pc   192.168.10.4 0.0.0.0  /  host 192.168.10.4
    N/w         200.100.100.0 0.0.0.255
    Subnet      172.30.0.32 0.0.0.7
    All         any
Example rules of Extended ACL
Router(config)#access-list 140 deny ip 192.168.10.3 0.0.0.0 any ==> (All TCP/IP data is denied from source 192.168.10.3 to any destination)
Router(config)#access-list 120 permit ip any any ==> (All TCP/IP data is permitted from any source to any destination)
Router(config)#access-list 145 deny tcp any host 200.100.100.5 ==> (All TCP data is denied from any source to host 200.100.100.5)
Router(config)#access-list 130 permit tcp any host 200.100.100.10 eq 80 ==> (All TCP data from any source is allowed to reach destination 200.100.100.10 on port no. 80, that is www (http): web access)
Router(config)#access-list 130 permit udp any host 200.100.100.10 eq 53 ==> (Any pc is able to access our DNS service running on port no. 53)
Router(config)#access-list 150 deny tcp any any eq 23 (or eq telnet) ==> (Telnet traffic is not allowed)
Router(config)#access-list 160 deny icmp any any ==> (All ICMP data from any source to any destination is denied)
To display ACLs
Router#show access-lists
Router#show access-list <no>
To display the ACL applied on an interface
Router#show ip interface
Router#show ip interface <type> <no>
e.g. Router#show ip interface ethernet 0
Example: - Extended ACL
Suppose we want to control inbound traffic for our network. The ACL should be designed according to the following policy: -
(1) Access to the web server (200.100.100.3) is allowed from any source.
(2) The FTP server (200.100.100.4) should be accessible only from the branch office n/w (200.100.175.0/24).
(3) ICMP and Telnet should be allowed only from the remote pc 200.100.175.80.
(4) Any pc can access DNS (200.100.100.8).
Router(config)#access-list 130 permit tcp any host 200.100.100.3 eq 80
Router(config)#access-list 130 permit tcp 200.100.175.0 0.0.0.255 200.100.100.4 0.0.0.0 eq 21
Router(config)#access-list 130 permit icmp 200.100.175.80 0.0.0.0 any
Router(config)#access-list 130 permit tcp 200.100.175.80 0.0.0.0 any eq 23
Router(config)#access-list 130 permit udp any host 200.100.100.8 eq 53
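Added example (not part of these notes, and not router code): a small Python model of how the router walks the ACLs shown above, entry by entry, using the wildcard-mask forms from the <source> table, first match wins, and the implicit "deny any" at the end of every ACL. The rule strings are the inbound policy ACL 130 above and the Internet-access ACL 25 from the earlier standard ACL example; the packet dictionaries and the PORT_NAMES map are assumptions of the example.

```python
import ipaddress
# Added example (not from the notes): IOS walks an ACL top-down, first match wins, implicit deny.
PROTOS = {"ip", "tcp", "udp", "icmp", "igrp"}
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21}      # names the notes use with "eq" (assumed map)
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(tokens):
    """One address field in the page's three forms: any | host A | A W (bare A = 0.0.0.0 mask)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0")

def _port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if not tokens or tokens[0] != "eq":
        return None
    p = tokens[1]; del tokens[:2]
    return PORT_NAMES.get(p) or int(p)

def parse_rule(line):
    """'permit tcp 200.100.175.0 0.0.0.255 host 200.100.100.4 eq 21' -> rule tuple."""
    tokens = line.lower().split()
    action = tokens.pop(0)
    proto = tokens.pop(0) if tokens[0] in PROTOS else "ip"   # standard ACL: no protocol field
    src, sport = _addr(tokens), _port(tokens)
    dst = _addr(tokens) if tokens else ANY                   # standard ACL: no destination field
    return action, proto, src, sport, dst, _port(tokens)

def evaluate(acl, pkt):
    """pkt = dict(proto, src, dst[, sport, dport]); returns 'permit' or 'deny'."""
    for action, proto, src, sport, dst, dport in map(parse_rule, acl):
        if (proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)
                and sport in (None, pkt.get("sport")) and dport in (None, pkt.get("dport"))):
            return action            # first matching entry decides; later entries are never reached
    return "deny"                    # implicit 'deny any' at the end of every ACL
# Rules copied from the notes: inbound policy ACL 130 and the Internet-access ACL 25.
ACL_130 = ["permit tcp any host 200.100.100.3 eq 80",
           "permit tcp 200.100.175.0 0.0.0.255 200.100.100.4 0.0.0.0 eq 21",
           "permit icmp 200.100.175.80 0.0.0.0 any", "permit tcp 200.100.175.80 0.0.0.0 any eq 23",
           "permit udp any host 200.100.100.8 eq 53"]
ACL_25 = ["permit 192.168.10.32 0.0.0.31", "permit 192.168.10.64 0.0.0.3",
          "permit 192.168.10.68", "permit 192.168.10.69", "permit 192.168.10.70"]
```

Because nothing in ACL 130 matches an FTP connection from outside the branch office or a Telnet attempt from any host other than 200.100.175.80, those packets fall through to the implicit deny, which is what enforces points (2) and (3) of the policy.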
Switch port ACL
You can apply port ACLs only to layer 2 interfaces on your switches, because they are supported only on physical layer 2 interfaces. You can apply them only as inbound lists on your interfaces, and you can use only named lists. Extended IP access lists use both source and destination addresses as well as optional protocol information and port numbers. There are also MAC extended access lists, which use source and destination MAC addresses and optional protocol type information.
Switches scrutinize all inbound ACLs applied to a given interface and decide whether to allow traffic through depending on whether the traffic matches the ACL. ACLs can also be used to control traffic on VLANs: you just need to apply a port ACL to a trunk port.
Switch#conf ter
Switch(config)#mac access-list extended abc
Switch(config-ext-mac)#deny any host 000d.29bd.4b85
Switch(config-ext-mac)#permit any any
Switch(config-ext-mac)#do show access-list
Switch(config-ext-mac)#int f0/6
Switch(config-if)#mac access-group abc in
Lock and Key (Dynamic ACLs) --> These ACLs depend on either remote or local Telnet authentication in combination with extended ACLs. Before you can configure a dynamic ACL, you need to apply an extended ACL on your router to stop the flow of traffic through it.
Reflexive ACLs --> These ACLs filter IP packets depending upon upper-layer session information; they often permit outbound traffic to pass but place limitations on inbound traffic. You cannot define reflexive ACLs with numbered or standard IP ACLs, or with any other protocol's ACLs. They can be used along with other standard or static extended ACLs, but they are defined only within extended named IP ACLs.
Time-Based ACLs --> Here you specify a certain time of day and day of the week and then identify that period by giving it a name, which is referenced by an ACL entry. The referencing entry is enforced only within the time constraints you have dictated. The time period is based on the router's clock, so it is highly recommended to use it in conjunction with Network Time Protocol (NTP) synchronization.
Router#conf ter
Router(config)#time-range no-http
Router(config-time-range)#periodic <Wednesday|weekdays|weekend> 06:00 to 12:00
Router(config-time-range)#exit
Router(config)#time-range tcp-yes
Router(config-time-range)#periodic weekend 06:00 to 12:00
Router(config-time-range)#exit
Router(config)#ip access-list extended time
Router(config-ext-nacl)#deny tcp any any eq www time-range no-http
Router(config-ext-nacl)#permit tcp any any time-range tcp-yes
Router(config-ext-nacl)#interface f0/0
Router(config-if)#ip access-group time in
Router(config-if)#do show time-range
Remarks --> Remarks are the comments you attach to the entries you have made in both your IP standard and extended ACLs.
Syntax: Router(config)#access-list <no> remark <remark words>
Router#conf ter
Router(config)#access-list 110 remark permit rahul from admin only to sale
Router(config)#access-list 110 permit ip host 172.16.10.1 172.16.20.0 0.0.0.255
Router(config)#access-list 110 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
Router(config)#ip access-list extended no_telnet
Router(config-ext-nacl)#remark deny all of finance from telnetting to sale
Router(config-ext-nacl)#deny tcp 172.16.30.0 0.0.0.255 172.16.20.0 0.0.0.255 eq 23
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#do show run