
Access Control Lists (ACLs)

Author: Al Friebe

Abstract

Because Access Control Lists (ACLs) are used to implement many features of Cisco IOS, it is critical that CCNA candidates be familiar with their proper use. This white paper discusses various types of ACLs, and gives examples of their creation and editing.

IP Access Lists

A standard IP access list (numbered 1 to 99) matches only on the source address of each packet, so "traffic from host X" here means packets whose source address is X. For example, let's say that traffic originating from a host with IP address 192.168.1.1 should be permitted to leave the FastEthernet0/0 interface. An ACL that would accomplish this would be:

Router#configure terminal
Router(config)#access-list 1 permit 192.168.1.1

Because no wildcard mask was given, IOS assumes 0.0.0.0, meaning every bit of the address must match; this line therefore matches packets from that one host only. The ACL resides in the running config, and can be seen with the command show access-lists, which also displays a match counter for each line once the list is in service (the quickest way to confirm a list is catching what you expect). There are various options for this command, including show ip access-lists, show access-lists X where "X" is the ACL identifier, etc.

The ACL created above is now resident in memory, but will not take effect until it is placed into service in some manner. An interface can carry at most one IP access list inbound and one outbound, and applying a second one in the same direction replaces the first. To place ACL 1 outbound on the FastEthernet0/0 interface, the commands would be:

Router(config)#interface fastethernet0/0
Router(config-if)#ip access-group 1 out

To see which access lists are applied inbound or outbound on an interface, use the command show ip interface. Note that ip is required: plain show interface does not report ACL information. This command also accepts a particular interface you're interested in, such as sh ip int f0/0.

As usual, commands can be abbreviated, so to create and apply the ACL, you could simply do:

Router#conf t
Router(config)#access-l 1 per 192.168.1.1
Router(config)#int f0/0
Router(config-if)#ip access-g 1 o

Find some shortcuts that work for you, and then use them!

In the ACL we created above, we have explicitly permitted traffic originating from the host with IP address 192.168.1.1, but what about other traffic? The default behavior of an access list is to deny all traffic that is not matched by any line in the list. In other words, it's as if there is a "deny everything else" at the bottom of the list. This is much better than having to deny every other IP address, of which there are over four billion possibilities! Keep in mind that this implicit deny is never displayed by show access-lists and keeps no match counter; if you want to see how much traffic the list is dropping, add an explicit deny any as the last line.

It's commonly desired to permit and/or deny multiple hosts in a single list. What if we want to permit more hosts? Simply add more lines to the list. This can be accomplished by going back into global config mode and adding the lines. Building on the single line list from above, let's add lines to ACL 1 to also permit packets from the hosts with addresses 192.168.1.2 and 192.168.1.3.

Router#conf t
Router(config)#access-list 1 permit 192.168.1.2
Router(config)#access-list 1 permit 192.168.1.3

If we examine ACL 1 with show access-lists, we'll see that it now contains three lines, for 192.168.1.1, 2, and 3. It's important to realize that because the same ACL number was used for each line, all lines belong to that access list (ACL 1, in this case). New lines are always appended to the end of a numbered list, and no access-list 1 removes the entire list, not a single line. Note also that if the list is in effect on the interface while we are editing it, the changes take effect immediately: if you remove an applied list and re-enter it, every packet is denied from the moment the first deny line goes in until the permit any is added again, which can cut off your own management session (this danger is discussed further in the future).

Let's create another ACL, this one denying traffic from the hosts with addresses 10.1.1.1, 10.1.1.2, and 10.1.1.3, and permitting all other addresses. Since this is a separate ACL, we'll use access list number 2:

Router#conf t
Router(config)#access-list 2 deny 10.1.1.1
Router(config)#access-list 2 deny 10.1.1.2
Router(config)#access-list 2 deny 10.1.1.3

The list we've just created will deny traffic from the specified hosts, but what about traffic from other hosts? Remember that ACLs deny all traffic that they don't explicitly permit, as if there was a "deny everything else" at the bottom. In other words, this list denies all traffic! Obviously, we need to permit traffic from the other hosts, but it would be unreasonable to list the billions of them individually. Instead, we can use the any keyword, thus:

Router(config)#access-list 2 permit any

HINT: An ACL that contains only "deny" statements is either incomplete, or wrong!

Our ACL 2 will now deny traffic from the 10.1.1.1, 2 and 3 hosts, but permit traffic sourced from any other host. Note that the order of the lines matters: IOS evaluates a list from the top and stops at the first line that matches, so the permit any must come after the deny lines or it would match everything first. Again, as with ACL 1, the list doesn't actually take effect until it is applied to an interface. Let's place it inbound on Serial 2/1, where it will drop packets from those three sources as they arrive on that interface.

Router(config)#int s2/1
Router(config-if)#ip access-group 2 in

As before, we can see the list with sh access-l 2, and see its application on the interface with sh ip int s2/1.

To summarize the basics of access lists, ACLs

  • Are created in global config mode
  • Are evaluated from the top down, and the first matching line decides the packet's fate
  • End with an implicit "deny any" that is not displayed and counts no matches (to pass remaining traffic, add an explicit permit any before it)
  • Must be placed into service on an interface, in one direction, to have any effect

Thus, the commands

Router#conf t
Router(config)#access-list 3 deny 172.16.1.1
Router(config)#access-list 3 deny 172.16.1.2
Router(config)#access-list 3 deny 172.16.1.3
Router(config)#access-list 3 permit any
Router(config)#interface g1/2
Router(config-if)#ip access-group 3 out

will create an ACL 3 (denying traffic from hosts 172.16.1.1, .2 and .3, while permitting all other traffic), and place it in service on the GigabitEthernet1/2 interface in the outbound direction.
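The following is an added example, not code from the white paper or from Cisco: a small Python simulator of standard numbered ACL evaluation. It implements the rules described above (lines checked from the top, first match wins, an implicit deny any at the end, and a deny-only list that blocks everything), goes a little beyond the paper by also accepting the host keyword and an explicit wildcard mask, and flags two mistakes a reviewer would look for. The config it parses is constructed from the paper's ACL 1 and ACL 2; the show output format is only approximated, and the class and function names are this example's own.

```python
"""Simulator for Cisco IOS standard numbered ACLs (1-99 and 1300-1999).

Added example, not code from the white paper or from Cisco.  It models the
rules the paper describes (lines checked top-down, first match wins, an
implicit "deny any" at the end) plus the `host` keyword and wildcard mask
that standard ACLs accept.  The `show` output format is only approximated.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    address: int     # source address as a 32-bit integer
    wildcard: int    # IOS wildcard mask: 1 bits are "don't care"
    text: str        # the source as written on the config line

    def matches(self, src: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF       # bits that must agree
        return (src & care) == (self.address & care)


@dataclass
class StandardAcl:
    number: int
    entries: list = field(default_factory=list)
    hits: list = field(default_factory=list)     # per-line match counters

    def evaluate(self, src_ip: str) -> str:
        """Return "permit" or "deny" for a packet with this source address."""
        src = int(ipaddress.IPv4Address(src_ip))
        for i, entry in enumerate(self.entries):
            if entry.matches(src):               # first match wins
                self.hits[i] += 1
                return entry.action
        return "deny"   # the implicit "deny any" at the end of every ACL

    def lint(self) -> list:
        """Warnings a reviewer would raise about the list."""
        warnings = []
        if self.entries and all(e.action == "deny" for e in self.entries):
            warnings.append(f"ACL {self.number}: deny lines only, so with "
                            "the implicit deny it blocks all traffic")
        for e in self.entries[:-1]:     # any line after an "any" line
            if e.wildcard == 0xFFFFFFFF:  # can never be reached
                warnings.append(f"ACL {self.number}: lines after "
                                f"'{e.action} any' are unreachable")
                break
        return warnings

    def show(self) -> str:
        """Text in the spirit of `show access-lists`, with match counters."""
        out = [f"Standard IP access list {self.number}"]
        for entry, hits in zip(self.entries, self.hits):
            suffix = f" ({hits} match{'es' if hits != 1 else ''})" if hits else ""
            out.append(f"    {entry.action:<6} {entry.text}{suffix}")
        return "\n".join(out)


def parse_config(lines) -> dict:
    """Parse `access-list N permit|deny SRC [WILDCARD]` lines, keyed by N."""
    acls = {}
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                                 # not an ACL line
        number, action, src = int(parts[1]), parts[2], parts[3:]
        if not (1 <= number <= 99 or 1300 <= number <= 1999) \
                or action not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {raw!r}")
        if src == ["any"]:
            address, wildcard = 0, 0xFFFFFFFF
        elif src[0] == "host":
            address, wildcard = int(ipaddress.IPv4Address(src[1])), 0
        else:  # a bare address gets wildcard 0.0.0.0, i.e. that one host
            address = int(ipaddress.IPv4Address(src[0]))
            wildcard = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
        acl = acls.setdefault(number, StandardAcl(number))
        acl.entries.append(Entry(action, address, wildcard, " ".join(src)))
        acl.hits.append(0)
    return acls


# Constructed from ACL 1 and ACL 2 as built in the paper.
PAPER_CONFIG = """\
access-list 1 permit 192.168.1.1
access-list 1 permit 192.168.1.2
access-list 1 permit 192.168.1.3
access-list 2 deny 10.1.1.1
access-list 2 deny 10.1.1.2
access-list 2 deny 10.1.1.3
access-list 2 permit any
""".splitlines()
# ACL 2 as it stood before "permit any" was added.
DENY_ONLY = [l for l in PAPER_CONFIG if l.startswith("access-list 2 deny")]

if __name__ == "__main__":
    acls = parse_config(PAPER_CONFIG)
    for n, src in ((1, "192.168.1.1"), (1, "192.168.1.9"), (2, "10.1.1.2")):
        print(f"ACL {n}, source {src}: {acls[n].evaluate(src)}")
    print(acls[2].show())
    print(parse_config(DENY_ONLY)[2].lint())
```

Running it shows 192.168.1.9 denied by ACL 1 with no explicit line mentioning it, the per-line counters that show access-lists would report, and the lint warning for the deny-only version of ACL 2 that the paper's HINT describes. The unreachable-line check catches the opposite mistake: a permit any placed before the deny lines silently makes them dead.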


Copyright © 2012 Global Knowledge FZ-LLC. Registered in UAE with company no. 18019.