Home > Access List Tutorial

Access List Tutorial

February 13th, 2011 Go to comments

In this tutorial we will learn about access list.

Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just imagine you come to a fair and see the guardian checking tickets. He only allows people with suitable tickets to enter. Well, an access list’s function is same as that guardian.

Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router’s interfaces based on the criteria you specified within the access list.

To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.

Standard IP Access List

Standard IP lists (1-99) only check source addresses of all IP packets.

Configuration Syntax

access-list access-list-number {permit | deny} source {source-mask}

Apply ACL to an interface

ip access-group access-list-number {in | out}

Example of Standard IP Access List

Standard_ACL_Example1.jpg

Configuration:

In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface)

Define which source is allowed to pass:

Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255

(there is always an implicit deny all other traffic at the end of each ACL so we don’t need to define forbidden traffic)

Apply this ACL to an interface:

Router(config)#interface Fa0/1

Router(config-if)#ip access-group 1 out

The ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of Fa0/1 interface while deny all other traffic. So can we apply this ACL to other interface, Fa0/2 for example? Well we can but shouldn’t do it because users can access to the server from other interface (s0 interface, for example). So we can understand why an standard access list should be applied close to the destination.

Note: The “0.255.255.255” is the wildcard mask part of network “10.0.0.0”. We will learn how to use wildcard mask later.

Extended IP Access List

Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.

Configuration Syntax

access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]

Example of Extended IP Access List

Extended_ACL_Example1.jpg

In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but allow other traffic to go through.

Note: FTP uses TCP on port 20 & 21.

Define which protocol, source, destination and port are denied:

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20

Router(config)#access-list 101 permit ip any any

Apply this ACL to an interface:

Router(config)#interface Fa0/1

Router(config-if)#ip access-group 101 out

Notice that we have to explicit allow other traffic (access-list 101 permit ip any any) as there is an “deny all” command at the end of each ACL.

As we can see, the destination of above access list is “187.100.1.6 0.0.0.0” which specifies a host. We can use “host 187.100.1.6” instead. We will discuss wildcard mask later.

In summary, below is the range of standard and extended access list

Access list type Range
Standard 1-99, 1300-1999
Extended 100-199, 2000-2699

Comments (11) Comments
Comment pages
1 7 8 9 458
  1. Anonymous
    July 29th, 2016

    After 187.100.1.6 the four octetes are 0 . I don’t exactly understand is that wild card subnet?

  2. Anonymous
    August 1st, 2016

    Cool content, thanks

  3. cisco
    August 4th, 2016

    Can you please explain wild card mask in detail?

  4. rick
    August 12th, 2016

    Wild card masks are basically the inverse regular mask. so 255.255.255.255 becomes 0.0.0.0.
    255.255.255.0 becomes 0.0.0.255. but if you need other values, the inverse mask (wild card mask) becomes the block size MINUS 1 so 255.255.255.240 (block size 16) becomes wild card mask 0.0.0.15. …224 (block size 32) becomes …31 etc etc.

    Hope that helps.

  5. cherry
    August 13th, 2016

    why v dont see questions in lab sim?
    we see only answers. please hw to see relevant questions.

  6. Anonymous
    October 1st, 2016

    HI

  7. Anonymous
    December 7th, 2016

    cheery same here too i cant see the question and i just only see the answer .Its awkward :(

  8. Anonymous
    December 28th, 2016

    i have one question ,that the system ping at one said but ping the other said
    example: 10.0.0.1 ping 10.0.0.2 but
    10.0.0.3 can not ping 10.0.0.1

  9. Anonymous
    December 30th, 2016

    Very well router security ACL….but this security only use to router and acl good manage to traffic signal and this security bast security in router

  10. Titus
    February 7th, 2017

    awesome information you guys have here what everybody’s first impressions on our site concerning real driving 3d online hack

  11. titties
    March 17th, 2017

    subtract 255 from each octet to find the wildcard mask

Comment pages
1 7 8 9 458