Cisco® CCENT Exam Cram Notes : Access Control Lists (ACLs)

5. Infrastructure Services & Maintenance

4. Access-Lists

Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router's interfaces, based on the criteria specified within the access list.

To use ACLs, first configure the ACL(s) and then apply them to specific interfaces. There are three popular types of ACL: standard, extended and named ACLs.

1. Standard ACLs : Standard ACLs control traffic by comparing the source address of IP packets to the addresses configured in the ACL.


Standard IP lists (1-99) only check source addresses of all IP packets.

The command syntax format of a standard ACL is: access-list access-list-number {permit|deny} {host source|source source-wildcard|any}

In all software releases, the access-list-number can be anything from 1 to 99. Starting with Cisco IOS Software Release 12.0.1, standard ACLs can also use the additional numbers 1300 to 1999; these additional numbers are referred to as expanded IP ACLs. After the ACL is defined, it must be applied to an interface (inbound or outbound).

1. Place standard access lists as near the destination as possible and extended access lists as close to the source as possible. A standard list matches only on the source address, so placing it near the source would block that source's traffic to every destination; an extended list can identify the exact flow, so dropping unwanted traffic near the source saves bandwidth along the whole path.

2. Access lists have an implicit deny at the end of them automatically. Because of this, an access list should have at least one permit statement in it; otherwise the access list will block all remaining traffic.

3. Access lists applied to interfaces default to outbound if no direction is specified.

2. Extended ACLs : Extended ACLs control traffic by comparing the source and destination addresses of IP packets (and, optionally, the protocol and port numbers) to the criteria configured in the ACL.

In all software releases, the access-list-number can be 100 to 199. Starting with Cisco IOS Software Release 12.0.1, extended ACLs can also use the additional numbers 2000 to 2699; these additional numbers are referred to as expanded IP ACLs.

IP extended access lists have the format: access-list {number} {permit|deny} {protocol} {source} {destination} [eq {port}]

With extended IP access lists, we can act on any of the following:

  • Source address
  • Destination address
  • IP protocol (TCP, ICMP, UDP, etc.)
  • Port information (WWW, DNS, FTP, etc.)

An example configuration for an extended ACL is given below. Note that the www keyword means HTTP (TCP port 80), so the protocol field is tcp:

access-list 100 deny tcp host <source-address> host <destination-address> eq www
access-list 100 permit ip any any

interface FastEthernet 0/0
ip access-group 100 in

Observe that the command "ip access-group 100 in" applies access list 100 to inbound traffic on interface FastEthernet 0/0. The <source-address> and <destination-address> placeholders stand for the two host addresses being filtered.
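As an added worked example (not from these notes and not Cisco code), the following Python parses a small set of access-list lines in the numbered syntax shown above and evaluates packets against them. It shows the three rules behind most ACL mistakes: entries are tested top to bottom and the first match wins, a standard list looks only at the source address, and a packet that matches nothing falls into the implicit deny. The addresses in SAMPLE_CONFIG are constructed, and only the destination-port form of eq is modelled.

```python
"""Evaluator for a subset of Cisco IOS numbered IP access-list syntax (added example).

Handles standard (1-99, 1300-1999) and extended (100-199, 2000-2699) lists,
address forms `any`, `host A.B.C.D` and `A.B.C.D WILDCARD`, protocols
ip/tcp/udp/icmp, and an optional `eq <port>` read as the destination port.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS port keywords commonly used in ACL entries (www = HTTP, port 80).
PORT_NAMES = {"www": 80, "ftp": 21, "domain": 53, "telnet": 23, "ssh": 22, "smtp": 25}


@dataclass
class AclEntry:
    number: int
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches every IP protocol
    src: str
    src_wc: str            # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str
    dst_port: Optional[int]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits that are 0 in the wildcard mask."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens: List[str]) -> Tuple[str, str, int]:
    """Return (address, wildcard, tokens consumed) for any / host X / X WILDCARD."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", 1
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", 2
    if len(tokens) > 1 and _is_ipv4(tokens[1]):
        return tokens[0], tokens[1], 2
    return tokens[0], "0.0.0.0", 1   # bare address in a standard ACL means a single host


def parse_entry(line: str) -> AclEntry:
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a supported access-list line: {line!r}")
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        # Standard ACL: source address only, every protocol, any destination.
        src, src_wc, _ = _parse_addr(rest)
        return AclEntry(number, action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255", None)
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        proto = rest[0]
        src, src_wc, used = _parse_addr(rest[1:])
        i = 1 + used
        dst, dst_wc, used = _parse_addr(rest[i:])
        i += used
        port = None
        if i + 1 < len(rest) and rest[i] == "eq":
            port = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
        return AclEntry(number, action, proto, src, src_wc, dst, dst_wc, port)
    raise ValueError(f"number {number} is not an IP standard/extended ACL")


def parse_acls(text: str) -> Dict[int, List[AclEntry]]:
    """Group access-list lines by number, preserving the order they were entered."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("!"):
            entry = parse_entry(line)
            acls.setdefault(entry.number, []).append(entry)
    return acls


def evaluate(entries: List[AclEntry], src: str, dst: str,
             protocol: str = "ip", dst_port: Optional[int] = None) -> str:
    """First matching entry decides; no match at all is the implicit deny."""
    for e in entries:
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if not wildcard_match(src, e.src, e.src_wc) or not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


# Constructed sample configuration; the addresses are made up for this example.
SAMPLE_CONFIG = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 20 deny host 10.0.0.1
access-list 100 deny tcp host 10.1.1.5 host 10.2.2.80 eq www
access-list 100 permit ip any any
"""
ACLS = parse_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS[10], "192.168.1.77", "8.8.8.8"))             # permit (source in the /24)
    print(evaluate(ACLS[10], "192.168.2.1", "8.8.8.8"))              # deny (implicit deny)
    print(evaluate(ACLS[20], "10.0.0.2", "8.8.8.8"))                 # deny: a deny-only list blocks everything
    print(evaluate(ACLS[100], "10.1.1.5", "10.2.2.80", "tcp", 80))   # deny (first entry matches)
    print(evaluate(ACLS[100], "10.1.1.5", "10.2.2.80", "tcp", 443))  # permit (falls through to permit ip any any)
```

Access list 20 illustrates rule 2 above: because it contains only a deny entry, the host it names and every other host are both dropped, the first by the explicit entry and the rest by the implicit deny.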

3. Named ACLs : Named ACLs allow standard and extended ACLs to be given names instead of numbers.

This is the command syntax format for IP named ACLs.

ip access-list {extended|standard} name

IP access lists are a sequential list of permit and deny conditions that apply to IP addresses or upper-layer protocols. Access Control Lists are used in routers to identify and control traffic.

The permitted number ranges for some important access-list types are:

1-99 : IP standard access list
100-199 : IP extended access list
800-899 : IPX standard access list
900-999 : IPX extended access list
1000-1099 : IPX SAP access list
1100-1199 : Extended 48-bit MAC address access list

The following are the Cisco recommended security measures for controlling access to a campus network:

1. Access Layer: This is the layer at which users log into the network and access network resources. The recommended security measures at Access Layer are:

  • Controlling physical access to network devices (this applies to all layers),
  • Port security, also known as "MAC address lockdown", is a Cisco feature that enables the switch to block input from a port when the MAC address of the station trying to use the port differs from the MAC address configured for that port.
  • Passwords: A properly managed network should have a login and password for each network device. There are several ways of accessing Cisco devices, such as the console, vty lines, TFTP servers, etc. Each of these should have properly defined passwords to control access to the network.

2. Distribution Layer: Security at the Distribution Layer is implemented using access policies, which in turn make use of Access Control Lists. There are two types of IP access lists: standard and extended.

In addition to security, the Distribution Layer is responsible for sending only the data that needs to reach the Core Layer. This not only achieves security but also ensures that the Core Layer is not burdened with unnecessary traffic. The Core Layer is responsible for transmitting data efficiently; for this reason, Cisco recommends little or no policy at the Core Layer.
