"CCNA Learning Notes" access control List

Source: Internet
Author: User

1. ACL definition

An ACL (access control list) is a list of instructions applied to a router interface. These instructions tell the router which packets to accept and which to reject, according to rules such as source address, destination address, and port number. ACLs let the administrator manage the flow of data and single out specific packets. For the IP protocol, each router interface can carry two ACLs: one filtering the incoming (inbound) data stream and one filtering the outgoing (outbound) traffic.

2. Standard ACL

2.1. Wildcard Mask

The router uses the wildcard mask together with the source or destination address to determine the range of addresses that match. In an access control list, a wildcard mask bit set to 1 means the corresponding bit of the IP address is ignored (it may be either 1 or 0); this is a "do not check" bit. A wildcard mask bit of 0 means the corresponding bit of the IP address must match exactly.

2.2. Configure Standard ACLs

Method one

R3(config)#access-list 1 deny host 12.1.1.1    (create the access list)
R3(config)#access-list 1 permit any

Method two

R3#show access-lists    (view the access lists together with their line numbers)
R3(config)#ip access-list standard 1
R3(config-std-nacl)#deny host 12.1.1.1
R3(config-std-nacl)#permit any

Enter interface mode to apply it:

R3(config-if)#ip access-group 1 in    (in interface mode, choose which list to apply and in which direction, in or out)
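To make the wildcard-mask rule from 2.1 and the top-down evaluation of ACL 1 from 2.2 concrete, here is an added Python model; it is not from the notes and not Cisco code. The 192.168.x.x and 10.0.0.x addresses are constructed samples, and it also shows a non-contiguous wildcard, which the notes do not cover.

```python
import ipaddress

def ip_int(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(packet_ip, acl_ip, wildcard):
    """A 1 bit in the wildcard means 'do not check' that bit of the address,
    a 0 bit means it must match exactly.  Implemented as
    (packet XOR acl_address) AND NOT wildcard == 0."""
    check_bits = ~ip_int(wildcard) & 0xFFFFFFFF
    return ((ip_int(packet_ip) ^ ip_int(acl_ip)) & check_bits) == 0

def subnet_to_wildcard(subnet_mask):
    """The wildcard covering a whole subnet is the inverse of its subnet mask,
    e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(~ip_int(subnet_mask) & 0xFFFFFFFF))

# Standard ACL 1 from section 2.2 as (sequence, action, address, wildcard).
# 'host 12.1.1.1' is shorthand for wildcard 0.0.0.0, 'any' for 0.0.0.0 255.255.255.255.
ACL_1 = [
    (10, "deny",   "12.1.1.1", "0.0.0.0"),
    (20, "permit", "0.0.0.0",  "255.255.255.255"),
]

def evaluate_standard(acl, source_ip):
    """Entries are checked top-down and the first match decides; a packet that
    matches nothing hits the implicit 'deny any' at the end of every list."""
    for _seq, action, addr, wildcard in acl:
        if wildcard_match(source_ip, addr, wildcard):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample addresses, not from the notes.
    print(subnet_to_wildcard("255.255.255.0"))                          # 0.0.0.255
    print(wildcard_match("192.168.1.77", "192.168.1.0", "0.0.0.255"))   # True
    print(wildcard_match("192.168.2.77", "192.168.1.0", "0.0.0.255"))   # False
    # Non-contiguous wildcard 0.0.0.254 checks only the lowest bit: odd hosts only.
    print(wildcard_match("10.0.0.7", "10.0.0.1", "0.0.0.254"))          # True
    print(wildcard_match("10.0.0.8", "10.0.0.1", "0.0.0.254"))          # False
    print(evaluate_standard(ACL_1, "12.1.1.1"))                         # deny
    print(evaluate_standard(ACL_1, "12.1.1.2"))                         # permit
    # Reversed order: 'permit any' matches first and the deny line never fires.
    print(evaluate_standard(ACL_1[::-1], "12.1.1.1"))                   # permit
    # Only the deny line configured: everything else falls to the implicit deny.
    print(evaluate_standard(ACL_1[:1], "12.1.1.2"))                     # deny
```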

2.3. Edit the standard ACL

(1) Removing ACLs

R3(config)#no access-list 1    (delete the entire ACL)
R3(config)#ip access-list standard 1
R3(config-std-nacl)#no 10    (remove only the entry with sequence number 10)

(2) Removing the ACL from an interface

R3(config)#int s1/0
R3(config-if)#no ip access-group 1 in


An access control list filters only packets that traverse the router; it does not filter packets originating from the router itself.

A standard access control list should be applied as close to the destination as possible, because it matches only on source address; placed nearer the source, it would also restrict traffic that you did not want to restrict.

2.4. Configuring standard named ACLs

R3(config)#ip access-list standard DENY-R1    (configure a standard named ACL)
R3(config-if)#ip access-group DENY-R1 in    (apply it to an interface; ACL names are case-sensitive, so use the same spelling here)


3. Extended ACL

Standard access control lists can use only the source address as a filter, which provides very basic filtering. Extended access control lists can use both source and destination addresses as filters, and can additionally filter on protocol, protocol characteristics, port numbers, time ranges, and so on.

3.1. Configuring extended ACLs

access-list access-list-number {deny | permit | remark} protocol source [source-wildcard] [operator operand] [port port-number-or-name] destination destination-wildcard [operator operand] [port port-number-or-name] [established]

R2(config)#access-list 100 deny tcp host 12.1.1.1 host 23.1.1.3 eq telnet    (create the extended ACL; 100 is the list edited again in 3.2)
R2(config)#access-list 100 permit ip any any
R2(config-if)#ip access-group 100 in    (applied in interface mode to take effect)

An access control list filters only packets that traverse the router; it does not filter packets originating from the router itself.

An extended access control list should be applied as close to the source as possible, so that unwanted traffic is dropped before it needlessly consumes bandwidth across the network.

3.2. Enhanced editing of extended ACLs

R2(config)#ip access-list extended 100
R2(config-ext-nacl)#15 deny udp any any    (insert a new entry numbered 15 directly between lines 10 and 20)
R2(config)#ip access-list resequence 100 10 10    (renumber ACL 100: start at line 10 and increment by 10)

3.3. Established in extended ACLs

When configuring an extended ACL for the TCP protocol there is one parameter, established, that deserves particular attention. It can be used for one-way TCP access control, somewhat like a firewall: one side can open connections to the other side, but the other side cannot open connections back.

R2(config)#access-list 101 permit tcp any any established    (segments with ACK = 0, that is, new connection requests, are not allowed through)
R2(config)#int s1/1
R2(config-if)#ip access-group 101 out    (applied in the out direction of port s1/1)
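An added Python model (not from the notes, not Cisco code) of how the extended entries from 3.1 and the established line from 3.3 are matched: protocol, source and destination with wildcards, the eq port operator and the established flag check, evaluated top-down with the implicit deny. Packet and Entry are hypothetical helper classes constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(pkt_ip, acl_ip, wildcard):
    """Wildcard bits set to 1 are 'do not check'; 0 bits must match exactly."""
    diff = int(ipaddress.IPv4Address(pkt_ip)) ^ int(ipaddress.IPv4Address(acl_ip))
    return (diff & ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF) == 0

@dataclass
class Packet:            # header fields an extended ACL inspects (constructed model)
    proto: str           # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    ack: bool = False    # TCP ACK bit
    rst: bool = False    # TCP RST bit

@dataclass
class Entry:             # one extended ACL line
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: tuple           # (address, wildcard); 'host X' is (X, "0.0.0.0")
    dst: tuple
    dport: int = None    # 'eq <port>' on the destination port; None = any port
    established: bool = False   # the 'established' keyword

    def matches(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # 'established' is a stateless flag check: any segment with ACK or RST
        # set matches, so only the initial SYN of a new connection fails it.
        return not self.established or p.ack or p.rst

def evaluate(acl, p):
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# 3.1: access-list 100 deny tcp host 12.1.1.1 host 23.1.1.3 eq telnet / permit ip any any
ACL_100 = [Entry("deny", "tcp", ("12.1.1.1", "0.0.0.0"), ("23.1.1.3", "0.0.0.0"), dport=23),
           Entry("permit", "ip", ANY, ANY)]
# 3.3: access-list 101 permit tcp any any established, applied out on s1/1
ACL_101 = [Entry("permit", "tcp", ANY, ANY, established=True)]
```

A first SYN (ack=False) in the filtered direction gets deny from ACL_101 while reply segments with ACK set get permit; because the check is a single flag test and not connection tracking, it is weaker than a stateful firewall.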

3.4. Configuring extended named ACLs

R2(config)#ip access-list extended deny-r1-telnet-r3    (a descriptive name makes the extended ACL's purpose obvious)


4. Considerations for configuring ACLs

(1) Access control lists act only on traffic passing through the router.

(2) A standard list should be applied near the destination end.

(3) An extended access control list should be applied near the source end.

(4) Order of placement. When you configure ACLs the order of the statements matters: the list is searched from the top down, and as soon as a match is found its action is taken and no further entries are examined. Where swapping two statements would not change the result, put the more frequently matched one first so the router finds a match sooner.

(5) Implicit deny all. Every IP access control list ends with an implicit deny-all statement, so traffic must be explicitly permitted or it is rejected.

(6) Editing the list. Once a numbered access control list exists, new statements are appended to the end of the list, and the user cannot selectively insert or delete individual statements. The only deletion possible is removing the whole list with "no access-list access-list-number", which is very inconvenient when the list is large. To save time, copy the list into a text document, edit it there, and paste it back. The enhanced editing features of named access control lists, and of extended lists edited in named mode, overcome this shortcoming.

(7) Applying the list. One access control list can be used on several interfaces of the same router; there is no need to define a list with a different number but identical content for each interface that needs it. If no access control list is applied to an interface, or an undefined list is applied, all traffic passes by default. If you want the list to act in both directions, apply it twice on the interface, once inbound and once outbound. For each protocol, each interface can have only one access control list per direction.

(8) Use ACLs to restrict remote logins. Apply the list with access-class on the vty lines instead of restricting Telnet logins on every interface.

R2(config)#access-list 1 permit 12.1.1.1
R2(config)#line vty 0 4
R2(config-line)#access-class 1 in

(9) When configuring ACLs, be careful not to block the routing protocol.

R3(config)#access-list <list-number> permit udp host A.B.C.D host 255.255.255.255 eq 520    (allow RIP broadcast updates from A.B.C.D; 520 is the RIP port)


"CCNA Learning Notes" access control List

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.