- An ACL is a set of rules that allows or denies specific traffic moving through the router
- It controls the flow of traffic from one network to another via the router
Types of Access-list:
Numbered ACL – set of rules identified by a number (e.g., ACL-120)
Named ACL – set of rules identified by a name (e.g., ACL-CCNA)
Standard ACL
- It can be named or numbered
- The access-list number range is 1 – 99 (or 1300 – 1699)
- It can block a Network, Host or Subnet (not selected services)
- All services are blocked
- Filtering is done based on the source IP address only
ACL Rules:
- ACL statements are processed in sequential order (top to bottom, first match wins)
- Deny statements should be given first (preferred)
- It must have at least one permit statement
- If no statement matches, the ACL drops the traffic by default
- Two ACLs can be applied on each interface (one in, one out)
Extended ACL
- It can be named or numbered
- The access-list number range is 100 – 199 (or 2000 – 2699)
- We can allow or deny a Network, Host, Subnet and Services
- Selected services can be blocked
- Filtering is done based on source IP, destination IP, protocol and port number
Operators used in extended ACL:
Equal to = eq
Not equal to = neq
Greater than = gt
Less than = lt
Named ACL:
- Access-lists are identified using names (instead of numbers)
- Names are case-sensitive
- No number limitation here
- Main advantage: editing of the ACL is possible (i.e., a specific statement can be removed from the ACL)
Named ACL – Standard:
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask>
Router(config)# interface <interface type> <interface number>
Router(config-if)# ip access-group <name> <out/in>
Named ACL – Extended:
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
Router(config)# interface <interface type> <interface number>
Router(config-if)# ip access-group <name> <out/in>
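As an added illustration (not part of the original notes, and not Cisco's code), the following Python evaluator applies the ACL rules listed above to a packet: statements are walked in order, the first match decides, unmatched traffic is dropped by default, and the extended-ACL operators eq/neq/gt/lt are applied to the port. Wildcard masks follow the Cisco convention; the addresses and the sample ACL are constructed for the example.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

# Port operators from the notes (eq / neq / gt / lt), applied to the destination port
OPERATORS = {
    "eq": lambda port, value: port == value,
    "neq": lambda port, value: port != value,
    "gt": lambda port, value: port > value,
    "lt": lambda port, value: port < value,
}

def evaluate_acl(acl, packet):
    """Walk the statements in order; the first matching statement decides.
    Each statement is a dict: action, protocol ('ip' = any protocol), src/src_wc,
    optional dst/dst_wc and optional op/port. A standard ACL is the same list
    with only src/src_wc set (source-only filtering).
    """
    for entry in acl:
        if entry.get("protocol", "ip") not in ("ip", packet["protocol"]):
            continue
        if not wildcard_match(packet["src"], entry["src"], entry["src_wc"]):
            continue
        if "dst" in entry and not wildcard_match(packet["dst"], entry["dst"], entry["dst_wc"]):
            continue
        if "op" in entry and not OPERATORS[entry["op"]](packet["dport"], entry["port"]):
            continue
        return entry["action"]
    return "deny"  # no statement matched: the ACL drops the traffic by default

# Constructed sample extended ACL (hypothetical addresses): the deny is given first,
# blocking Telnet (tcp/23) from 10.0.0.0/8 to 192.168.1.0/24, followed by permit ip any any.
SAMPLE_ACL = [
    {"action": "deny", "protocol": "tcp", "src": "10.0.0.0", "src_wc": "0.255.255.255",
     "dst": "192.168.1.0", "dst_wc": "0.0.0.255", "op": "eq", "port": 23},
    {"action": "permit", "protocol": "ip", "src": "0.0.0.0", "src_wc": "255.255.255.255",
     "dst": "0.0.0.0", "dst_wc": "255.255.255.255"},
]

if __name__ == "__main__":
    telnet = {"protocol": "tcp", "src": "10.1.2.3", "dst": "192.168.1.10", "dport": 23}
    ssh = dict(telnet, dport=22)
    print(evaluate_acl(SAMPLE_ACL, telnet))  # deny
    print(evaluate_acl(SAMPLE_ACL, ssh))     # permit
    print(evaluate_acl([], ssh))             # deny (no permit statement, so everything is dropped)
```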