Home > Access List Tutorial

Access List Tutorial

February 13th, 2011 Go to comments

In this tutorial we will learn about access list.

Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just imagine you come to a fair and see the guardian checking tickets. He only allows people with suitable tickets to enter. Well, an access list’s function is same as that guardian.

Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router’s interfaces based on the criteria you specified within the access list.

To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.

Standard IP Access List

Standard IP lists (1-99) only check source addresses of all IP packets.

Configuration Syntax

access-list access-list-number {permit | deny} source {source-mask}

Apply ACL to an interface

ip access-group access-list-number {in | out}

Example of Standard IP Access List

Standard_ACL_Example1.jpg

Configuration:

In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface)

Define which source is allowed to pass:

Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255

(there is always an implicit deny all other traffic at the end of each ACL so we don’t need to define forbidden traffic)

Apply this ACL to an interface:

Router(config)#interface Fa0/1

Router(config-if)#ip access-group 1 out

The ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of Fa0/1 interface while deny all other traffic. So can we apply this ACL to other interface, Fa0/2 for example? Well we can but shouldn’t do it because users can access to the server from other interface (s0 interface, for example). So we can understand why an standard access list should be applied close to the destination.

Note: The “0.255.255.255” is the wildcard mask part of network “10.0.0.0”. We will learn how to use wildcard mask later.

Extended IP Access List

Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.

Configuration Syntax

access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]

Example of Extended IP Access List

Extended_ACL_Example1.jpg

In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but allow other traffic to go through.

Note: FTP uses TCP on port 20 & 21.

Define which protocol, source, destination and port are denied:

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20

Router(config)#access-list 101 permit ip any any

Apply this ACL to an interface:

Router(config)#interface Fa0/1

Router(config-if)#ip access-group 101 out

Notice that we have to explicit allow other traffic (access-list 101 permit ip any any) as there is an “deny all” command at the end of each ACL.

As we can see, the destination of above access list is “187.100.1.6 0.0.0.0” which specifies a host. We can use “host 187.100.1.6” instead. We will discuss wildcard mask later.

In summary, below is the range of standard and extended access list

Access list type Range
Standard 1-99, 1300-1999
Extended 100-199, 2000-2699

Comments (25) Comments
Comment pages
1 7 8 9 458
  1. Anonymous
    July 29th, 2016

    After 187.100.1.6 the four octetes are 0 . I don’t exactly understand is that wild card subnet?

  2. Anonymous
    August 1st, 2016

    Cool content, thanks

  3. cisco
    August 4th, 2016

    Can you please explain wild card mask in detail?

  4. rick
    August 12th, 2016

    Wild card masks are basically the inverse regular mask. so 255.255.255.255 becomes 0.0.0.0.
    255.255.255.0 becomes 0.0.0.255. but if you need other values, the inverse mask (wild card mask) becomes the block size MINUS 1 so 255.255.255.240 (block size 16) becomes wild card mask 0.0.0.15. …224 (block size 32) becomes …31 etc etc.

    Hope that helps.

  5. cherry
    August 13th, 2016

    why v dont see questions in lab sim?
    we see only answers. please hw to see relevant questions.

  6. Anonymous
    October 1st, 2016

    HI

  7. Anonymous
    December 7th, 2016

    cheery same here too i cant see the question and i just only see the answer .Its awkward :(

  8. Anonymous
    December 28th, 2016

    i have one question ,that the system ping at one said but ping the other said
    example: 10.0.0.1 ping 10.0.0.2 but
    10.0.0.3 can not ping 10.0.0.1

  9. Anonymous
    December 30th, 2016

    Very well router security ACL….but this security only use to router and acl good manage to traffic signal and this security bast security in router

  10. Titus
    February 7th, 2017

    awesome information you guys have here what everybody’s first impressions on our site concerning real driving 3d online hack

  11. titties
    March 17th, 2017

    subtract 255 from each octet to find the wildcard mask

  12. $$$$$forquestion!
    April 2nd, 2017

    You wana see question! you pay!!!!!!!!!!!!! lol

  13. vietnamking
    April 4th, 2017

    Thank you 9tut!
    I will have CCNA Exam this late April , If anyone have the latest dumps , please send me to email zungvy @ Gmail.com
    Thanks @ Regards!!!

  14. Just Me
    April 4th, 2017

    Wouldn’t it be better to apply the Extended ACL (deny FTP-traffic) to Fa0/0?

  15. MARKLANDS
    April 4th, 2017

    Thank you 9tut everything is crystal clear.
    My question is how can I get previous LAB questions? anyone knows please?
    Thank kindly.

  16. Anonymous
    April 6th, 2017

    i hope this is another way how the question could be set, because in all the dumps , the question about the same issue are all different from this illustrated in the tutorial
    thanks and regards.

  17. iruhigwajr
    April 6th, 2017

    kind request on the detailed info on ACLs
    thanks n regards

  18. kuma
    April 11th, 2017

    hai everybody
    whoever want to see the question , please download it from 9tut feb pdf.

  19. raider
    June 12th, 2017

    any dumps for icnd 1

  20. Morex
    June 14th, 2017

    If you want to see the Qs you have to go to the FAQ section on the right and then look for the link to download which s in one of the answers for the questions.

  21. Fox1
    August 1st, 2017

    Does anyone have the latest dumps? carsz1976 at Yahoo please mail me

  22. Md Al-Momin
    August 14th, 2017

    Thanks a lot

  23. Md Al-Momin
    August 14th, 2017

    Any One Please send to me ccna200-125 dump….
    my email: {email not allowed}

  24. Md Al-Momin
    August 14th, 2017

    mominsig at gmail

  25. stwam
    September 30th, 2017

    wildcard

    255.255.255.255 – your mask.
    example 1
    address 192.168.1.0/24
    mask:255.255.255.0
    so wildmask: 255.255.255.255 – 255.255.255.0=0.0.0.255
    wildcard mask:0.0.0.255

    example 2
    address 10.10.1.0/30
    mask: 255.255.255.252
    so wildcard: 255.255.255.255 – 255.255.255.252=0.0.0.3
    wildcard mask:0.0.0.3

Comment pages
1 7 8 9 458
Add a Comment