ACL Overview

What is an access control list?

In Cisco IOS, an access control list (ACL) is an ordered list of permit and deny statements that identifies traffic. The router compares each packet against the statements top-down and acts on the first one that matches; a packet that matches no statement is dropped by the implicit "deny any" at the end of every ACL. Once traffic has been identified, an administrator can specify what happens to it. Filtering at an interface is the most common use, but the same list can also select traffic for other features (NAT, route maps and the like).

What's the most common type of ACL?

IP ACLs are the most common type of access list because IP is the most common type of traffic. There are two types of IP ACL: standard and extended. Standard IP ACLs can only match on the SOURCE IP address. Extended IP ACLs are far more powerful: they match on protocol (IP, TCP, UDP, ICMP, ...), source IP, source port, destination IP and destination port, plus protocol-specific options such as ICMP message type or already-established TCP connections.

What are the most common numbers for IP ACLs?

The most common numbers used for IP ACLs are 1 to 99 for standard lists and 100 to 199 for extended lists. The expanded ranges 1300 to 1999 (standard) and 2000 to 2699 (extended) are also available, and IOS additionally supports named ACLs (ip access-list standard|extended NAME), which are easier to read and let you edit individual entries instead of re-entering the whole list.

How can you filter traffic using ACLs?

You can use ACLs to filter traffic according to the "three P's": per protocol, per interface, and per direction. The limit is one ACL per protocol (e.g., IP or IPX), per interface (e.g., FastEthernet0/0), per direction (IN or OUT). In other words, a single interface can carry at most one inbound IP ACL and one outbound IP ACL at a time; applying a second one in the same direction replaces the first.

Simple Access Control List

(a standard ACL matches on the SOURCE network or host only; it cannot match on destination, port or protocol)

To stop traffic from a particular subnet (or from a single host) from reaching another subnet. The two lists below are alternatives; note that in IOS, lines entered with the same list number are appended to the same list, so enter one or the other.

--to deny an IP address range (wildcard 0.0.0.255 = any host in 192.168.200.0/24)--
access-list 10 deny 192.168.200.0 0.0.0.255
access-list 10 permit any

--to deny a specific IP address (wildcard 0.0.0.0 = exact match; "host 192.168.200.26" is the equivalent shorthand)--
access-list 10 deny 192.168.200.26 0.0.0.0
access-list 10 permit any

The "permit any" line is not optional: every ACL ends with an implicit "deny any", so a list that contains only deny statements blocks all traffic on the interface it is applied to.

A standard ACL only sees the source address, so place it on the router and interface closest to the DESTINATION (the subnet being protected), here E0, in the outbound direction. Placed near the source it would cut the 192.168.200.0 subnet off from every destination, not just the protected one.
--to apply to an interface--
config t
int e0
ip access-group 10 out

Extended Access Control List

Part 1 (Extended access list) - WORKED GREAT!!!
--To block FTP (TCP port 21) and Telnet (TCP port 23) from the laptop [206 net] to the web server [172 net]--
--"host 172.16.3.11" (= wildcard 0.0.0.0) matches only the web server; a destination wildcard of 0.0.0.255 would match every host in 172.16.3.0/24--
access-list 121 deny tcp 206.205.204.0 0.0.0.255 host 172.16.3.11 eq 21
access-list 121 deny tcp 206.205.204.0 0.0.0.255 host 172.16.3.11 eq 23
--0.0.0.0 255.255.255.255 is the long form of "any"; this line can also be written "access-list 121 permit ip any any"--
access-list 121 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Denying port 21 blocks the FTP control connection, which is enough to stop transfers in both active mode (data on port 20) and passive mode (data on a negotiated high port), because neither data channel can be set up without it. The deny lines match TCP only, so the final permit still lets UDP and ICMP through to the server.

--Part 2 - Apply to the E1 interface on Goofy (the router and interface closest to the web server)--
--An ACL does nothing until it is applied to an interface in one direction--
--out = traffic leaving the router through E1, i.e., toward the web server--
config t
int e1
ip access-group 121 out

Applying an extended ACL at the destination works, but Cisco's general guideline is the opposite of the standard-ACL rule: because an extended ACL can match on destination, put it as close to the SOURCE as possible (here, inbound on the interface facing the 206 net) so that denied packets are dropped before they cross the network.
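The rules above (wildcard masks, top-down first match, the implicit deny, and the difference a destination wildcard makes) are easiest to understand by running them. The following Python script is an added example written for this page; it is not IOS code and not part of the original notes. It parses the numbered access-list lines shown above into a small evaluator and pushes constructed test flows through them. The laptop address 206.205.204.9, the second host 172.16.3.50 and the flow names are assumptions made for the demonstration, as is the simplified syntax (only the standard and extended numbered forms with an optional "eq <port>" are supported).

```python
"""Simulate Cisco IOS numbered IP ACL evaluation (wildcard masks, top-down
first match, implicit deny). Teaching code for this page, not IOS itself."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IP protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None  # only "eq <port>" is supported here

def _take_addr(toks: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z' or a bare 'A.B.C.D'."""
    if toks[0] == "any":
        return "0.0.0.0", "255.255.255.255", toks[1:]
    if toks[0] == "host":
        return toks[1], "0.0.0.0", toks[2:]
    if len(toks) > 1 and toks[1].count(".") == 3:
        return toks[0], toks[1], toks[2:]
    return toks[0], "0.0.0.0", toks[1:]  # IOS defaults a missing wildcard to 0.0.0.0

def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse one 'access-list <n> permit|deny ...' line, standard or extended."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(line)
    number, action, rest = int(toks[1]), toks[2], toks[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard: source only
        src, src_wc, _ = _take_addr(rest)
        return number, Ace(action, "ip", src, src_wc)
    proto, rest = rest[0], rest[1:]                   # extended
    src, src_wc, rest = _take_addr(rest)
    dst, dst_wc, rest = _take_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return number, Ace(action, proto, src, src_wc, dst, dst_wc, port)

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE); no match -> implicit deny, None."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, i
    return "deny", None

# Access lists from the page, plus list 121 rewritten with the "host" keyword.
ACL_10 = [parse_ace(l)[1] for l in (
    "access-list 10 deny 192.168.200.0 0.0.0.255",
    "access-list 10 permit any",
)]
ACL_121_AS_WRITTEN = [parse_ace(l)[1] for l in (
    "access-list 121 deny tcp 206.205.204.0 0.0.0.255 172.16.3.11 0.0.0.255 eq 21",
    "access-list 121 deny tcp 206.205.204.0 0.0.0.255 172.16.3.11 0.0.0.255 eq 23",
    "access-list 121 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
)]
ACL_121_FIXED = [parse_ace(l)[1] for l in (
    "access-list 121 deny tcp 206.205.204.0 0.0.0.255 host 172.16.3.11 eq 21",
    "access-list 121 deny tcp 206.205.204.0 0.0.0.255 host 172.16.3.11 eq 23",
    "access-list 121 permit ip any any",
)]

def demo() -> dict:
    """Constructed test flows (laptop 206.205.204.9 and host 172.16.3.50 are assumed)."""
    return {
        "std_deny_subnet": evaluate(ACL_10, "ip", "192.168.200.26", "10.1.1.1"),
        "std_permit_other": evaluate(ACL_10, "ip", "192.168.201.5", "10.1.1.1"),
        "implicit_deny_without_permit_any": evaluate(ACL_10[:1], "ip", "192.168.201.5", "10.1.1.1"),
        "ftp_to_server": evaluate(ACL_121_FIXED, "tcp", "206.205.204.9", "172.16.3.11", 21),
        "telnet_other_host_as_written": evaluate(ACL_121_AS_WRITTEN, "tcp", "206.205.204.9", "172.16.3.50", 23),
        "telnet_other_host_fixed": evaluate(ACL_121_FIXED, "tcp", "206.205.204.9", "172.16.3.50", 23),
        "udp_23_not_tcp": evaluate(ACL_121_FIXED, "udp", "206.205.204.9", "172.16.3.11", 23),
    }

if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:34s} -> {action} (ACE {idx})")
```

Run it and compare ACL_121_AS_WRITTEN with ACL_121_FIXED: with a 0.0.0.255 destination wildcard, Telnet to any host in 172.16.3.0/24 is denied, not just Telnet to the web server, and a list without its trailing permit drops everything. On the router, show access-lists 121 shows a hit counter per entry, so a test connection tells you which line it actually matched.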