CCNA: ACLs

Description:

Standard ACLs = placed as close to the destination as possible (they match on source IP only, so placing one near the source would cut that source off from everything)
Extended ACLs = placed as close to the source as possible (they match precisely, so unwanted traffic is dropped before it crosses the network)

Standard ACL created and applied to an interface:

   Router(config)#access-list 1 permit 172.16.1.1   # a standard ACL can only permit or deny based on source IP
   Router(config)#access-list 1 permit 172.16.2.1
   Router(config)#interface FastEthernet0/0
   Router(config-if)#ip access-group 1 in
   Router(config-if)#end

To apply an ACL to the vty lines (note: access-class, not access-group):

   Router(config)#line vty 0 15
   Router(config-line)#access-class 101 in

Matching the subnet 192.200.1.0 255.255.255.192 requires the wildcard mask 0.0.0.63 (the bitwise inverse of the subnet mask):

   Router(config)#access-list 1 permit 192.200.1.0 0.0.0.63   # remember that every ACL ends with an implicit deny any, so this would drop all packets not in this network!
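An added Python model (not from the original post, and not Cisco code) of how the router evaluates a standard ACL: wildcard-mask matching, sequence order, first match wins, and the implicit deny any that catches everything else. It uses the 192.200.1.0 0.0.0.63 entry above plus two constructed entries.

```python
import ipaddress


def wildcard_from_mask(mask: str) -> str:
    """Cisco wildcard mask is the bitwise inverse of the subnet mask (255.255.255.192 -> 0.0.0.63)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def matches(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 means 'must match', bit 1 means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_standard_acl(lines):
    """Parse lines of the form 'SEQ permit|deny any', 'SEQ permit|deny host A.B.C.D',
    'SEQ permit|deny A.B.C.D' (bare address = host) or 'SEQ permit|deny NET WILDCARD'."""
    entries = []
    for line in lines:
        tokens = line.split()
        seq, action, rest = int(tokens[0]), tokens[1], tokens[2:]
        if rest[0] == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            net, wc = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            net, wc = rest[0], "0.0.0.0"
        else:
            net, wc = rest[0], rest[1]
        entries.append((seq, action, net, wc))
    return sorted(entries)  # evaluated in sequence-number order, not display order


def evaluate(acl, src_ip):
    """First matching entry wins; no match falls through to the implicit 'deny any'."""
    for seq, action, net, wc in acl:
        if matches(src_ip, net, wc):
            return action, seq
    return "deny", None


# Constructed example list: the page's /26 entry plus a host deny and the next /26.
SAMPLE_ACL = parse_standard_acl([
    "10 permit 192.200.1.0 0.0.0.63",
    "20 deny host 192.200.1.100",
    "30 permit 192.200.1.64 0.0.0.63",
])
```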

Take it off the active interface:

   Router(config)#int FastEthernet0/0
   Router(config-if)#no ip access-group 1 in
   Router(config-if)#end

To modify one:

  1. View the access list

     Router#show ip access-list

  2. Copy and paste it into Notepad. Put an "!" between each line so the router treats it as a carriage return when the text is pasted back.

     access-list 1 permit host 172.16.1.1
     !
     access-list 1 permit host 172.16.2.2

     change to:

     access-list 1 deny host 172.16.1.1
     !
     access-list 1 permit host 172.16.2.2

  3. Take it off the interface

     Router#config t
     Router(config)#int fa0/0
     Router(config-if)#no ip access-group 1 in
     Router(config-if)#end

  4. Modify it

     Router#config t
     Router(config)#   # paste the edited list here; this will over-ride whatever is current (for a numbered ACL, run "no access-list 1" first, because re-entered lines are appended to the existing list rather than replacing it)
     Router(config)#end

  5. Re-apply it to the interface

     Router#config t
     Router(config)#int fa0/0
     Router(config-if)#ip access-group 1 in
     Router(config-if)#end

To create a named standard ACL (the number in front of the entry is its sequence number):

   Router(config)#ip access-list standard test
   Router(config-std-nacl)#15 permit 172.20.1.1
   Router(config-std-nacl)#end

To add a line to a named ACL (the sequence number decides where it sits; "do" runs an exec command from config mode):

   Router(config)#ip access-list standard test
   Router(config-std-nacl)#15 permit 172.20.1.1
   Router(config-std-nacl)#do show ip access-lists
   Standard IP access list test
   30 permit 10.1.1.1
   20 permit 192.168.1.1
   15 permit 172.20.1.1
   10 permit 172.16.1.1

To remove a single ACL line: no <sequence number>

   Router(config)#ip access-list standard test
   Router(config-std-nacl)#no 15
   Router(config-std-nacl)#do show ip access-lists
   Standard IP access list test
   30 permit 10.1.1.1
   20 permit 192.168.1.1
   10 permit 172.16.1.1

To resequence an ACL: ip access-list resequence <acl_name> <starting_seq_number> <increment>

   Router(config)#ip access-list resequence test 100 20
   Router(config)#do show ip access-lists
   Standard IP access list test
   100 permit 10.1.1.1
   120 permit 172.20.1.1
   140 permit 172.16.1.1
   # The resequence command assigned new sequence numbers, starting at 100 and incrementing by 20 for each ACL line.

To log packets that match an extended ACL line:

   Router(config)#ip access-list extended test
   Router(config-ext-nacl)#no 10
   Router(config-ext-nacl)#10 deny tcp any any eq 80 log
   # When a packet matches the rule, this is what you will see in the log:
   %SEC-6-IPACCESSLOGP: list test denied tcp 10.10.10.2(24667) -> 10.10.10.1(80), 1 packet
   # For even more information, replace "log" with "log-input", which adds the incoming interface and the source MAC address:
   %SEC-6-IPACCESSLOGP: list test denied tcp 10.10.10.2(14013) (FastEthernet0/0 00aa.aabb.ccdd) -> 10.10.10.1(80), 1 packet

To configure an extended ACL:

   access-list [100-199] [permit/deny] [protocol] [source network/IP] [destination network/IP] [eq port#]
   # Extended ACLs can filter on protocol, source, destination and port, so they are the preferred type.
   For example (all three lines belong to the same list, 100; anything not matched hits the implicit deny any):
   Router(config)#access-list 100 deny tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq telnet
   Router(config)#access-list 100 permit tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq ftp
   Router(config)#access-list 100 permit icmp any any

To permit only traffic that belongs to an already established connection:

   access-list 102 permit tcp any host 172.30.1.1 eq ftp established
   # The "established" keyword matches only TCP segments with the ACK or RST bit set, i.e. the return traffic of sessions originated by hosts on the inside; a new connection attempt (SYN only) does not match.
   # It is a stateless check on TCP flags, so it has no equivalent for UDP or ICMP.
   # I'm not going into too many examples here because there are so many combinations!!

Show commands (all ACLs):

   show access-lists
   show ip access-list interface <interface> [in/out]   # more details: the ACL applied to that interface in that direction
