Access Control List (ACL)


Terms in this set (...)

series of IOS commands that control whether a router forwards or drops packets based on information in packet header
Inbound ACL
filters packets coming into interface and before they are routed to the outbound interface
Outbound ACL
filters packets after being routed, regardless of inbound interface
Standard ACL
filter ip packets based on source address only
Extended ACL
Filter ip packets based on:
Source & destination ip
Source & destination TCP and UDP ports
Protocol type
Numbered ACL
Assign a number based on protocol to be filtered.
(1 to 99) & (1300 and 1999): Standard IP ACL
(100 to 199) & (2000 and 2699): Extended IP ACL
Named ACL
Assign a name to identify the ACL
-Can contain alphanumeric characters
-Suggests name CAPITAL LETTERS
-No spaces or punctuation
Wildcard mask bit 0
Match value of corresponding address bit
Wildcard mask bit 1
Ignore the value of the corresponding address bit
wildcard mask of
All IPv4 bits must match
wildcard mask of
Ignore all IPv4 address
Three P's of an ACL
-One ACL per protocol (IPv4 or IPv6)
-One ACL per direction (In or Out)
-One ACL per interface (Fa0/0)
Standard ACL's are usually placed near...
Extended ACL's are usually placed near...
used for documentation and makes access lists easier to understand
Configuring a standard ACL
R1(config)#access-list {1} {deny,permit} {} {}
Applying a standard ACL
R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group 1 {out,in}
Applying a named standard ACL
R1(config)#ip access-list {standard} {name}
R1(config-std-nacl)#{permit,deny,remark} {source} {source-wildcard} {log}
R1(config-if)#ip access-group {name} {in, out}
Configuring a Standard ACL to secure a VTY port
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input ssh
R1(config-line)#access-class 21 in
Configuring an extended ACL
R1(config)#access-list permit tcp any eq 80
Equivalent to an IPv4 extended ACL but is named only
Configuring IPv6 ACL
R1(config)#ipv6 access-list {name}
R1(config-ipv6-acl)#{deny,permit} {protocol} {source prefix/length} {any,host} {port number}
Applying IPv6 ACL
R1(config)#interface s0/0/0
ipv6 traffic-filter {name} {in,out}