Access Control List

An Access Control List (ACL) is a set of rules on Cisco devices that filters network traffic based on criteria such as IP addresses and protocols. There are several types of ACLs, including standard, extended, named, dynamic, reflexive, and time-based, each serving different purposes in traffic management and security. The document also provides step-by-step guides for creating, modifying, and deleting ACLs, emphasizing the importance of rule order and the implicit deny principle.

Uploaded by

vinayntwk
➢ ACCESS CONTROL LIST

What is an Access Control List (ACL)?

An ACL is a set of rules on a Cisco router or switch used to filter network traffic or control routing updates. It
defines which packets are permitted or denied based on criteria like source/destination IP addresses,
protocols, or ports. ACLs are used in scenarios like:

• Security: Block unauthorized access (e.g., deny traffic from a specific IP).

• Policy-Based Routing (PBR): Match traffic for route-maps.

• Route Filtering: Control which routes are advertised or accepted in routing protocols.

• NAT: Identify traffic for Network Address Translation.

Types of Access Lists on Cisco Devices

Cisco supports several types of ACLs, categorized by how they’re defined and applied. Here are the main
types:

1. Standard ACL:

o Filters traffic based only on the source IP address.

o Numbered range: 1–99 or 1300–1999.

o Example: Permit traffic from 192.168.1.0/24.

o Best used close to the destination to avoid affecting unintended traffic.

2. Extended ACL:

o Filters traffic based on source and destination IP addresses, protocol (e.g., TCP, UDP),
ports, and other parameters.

o Numbered range: 100–199 or 2000–2699.

o Example: Allow HTTP traffic from 192.168.1.0/24 to 10.10.10.0/24.

o Offers more granular control, typically applied near the source.

3. Named ACL:

o Uses a user-defined name instead of a number for standard or extended ACLs.

o Example: ip access-list standard MY_ACL or ip access-list extended MY_EXT_ACL.

o Easier to manage, as names are more descriptive than numbers.

4. Dynamic ACL:

o Temporary rules activated via authentication (e.g., through Telnet or AAA).

o Used in features like Lock-and-Key security.


o Not commonly used in basic setups.

5. Reflexive ACL:

o Dynamically allows return traffic for sessions initiated inside a network (e.g., for stateful-like
filtering).

o Used with extended ACLs, often in older Cisco firewalls.

o Example: Allow return traffic for an outbound HTTP request.

6. Time-Based ACL:

o Applies rules based on time schedules (e.g., allow traffic only during business hours).

o Configured with a time-range command and linked to standard or extended ACLs.

Note: Standard and extended ACLs (both numbered and named) are the most commonly used. Dynamic,
reflexive, and time-based ACLs are more specialized and less frequent in basic configurations.

Simple Step-by-Step Guide to Create a Standard ACL

This example creates a standard named ACL to permit traffic from the IT department (192.168.1.0/24) and
deny all other traffic, then applies it to an interface to filter incoming traffic.

1. Access Global Configuration Mode:

o Log in to the Cisco router (via console, SSH, or Telnet).

o Enter privileged EXEC mode: enable

o Enter global configuration mode: configure terminal

2. Create a Named Standard ACL:

o Command: ip access-list standard IT_ACL

o This creates a standard ACL named IT_ACL.

3. Add Rules to the ACL:

o Permit IT department traffic: permit 192.168.1.0 0.0.0.255

o Deny all other traffic (optional, as there’s an implicit deny): deny any

o Rules are processed top-down; order matters.

4. Exit ACL Configuration:

o Command: exit

5. Apply the ACL to an Interface:

o Identify the interface (e.g., GigabitEthernet0/0).

o Command: interface GigabitEthernet0/0

o Apply the ACL to filter incoming traffic: ip access-group IT_ACL in


o Exit interface configuration: exit

6. Verify the Configuration:

o Check the ACL: show ip access-lists IT_ACL

o Verify interface application: show running-config | section interface

o Test with ping or debug ip packet (use debug cautiously).

o Save the configuration: write memory

Key Points:

• Implicit Deny: All ACLs end with an implicit deny any, so explicitly permit desired traffic.

• Direction: ACLs can be applied in (incoming traffic) or out (outgoing traffic) on an interface.

• Order Matters: Rules are evaluated sequentially. Place more specific rules (e.g., permit 192.168.1.10)
before general ones (e.g., deny 192.168.1.0 0.0.0.255).

• Editing Named ACLs: Use show running-config to view the ACL, then re-enter ip access-list standard
IT_ACL to add or modify rules.

Simple Plaintext (ASCII) Representation

Below is an ASCII diagram illustrating the ACL filtering traffic on a Cisco router. The ACL IT_ACL permits
traffic from 192.168.1.0/24 (IT Dept) and denies other traffic entering GigabitEthernet0/0.

Additional Tips:

• Standard vs. Extended: Use standard ACLs for simple source-based filtering; use extended ACLs for
complex scenarios involving protocols or destinations.

• Placement: Place standard ACLs close to the destination, extended ACLs close to the source for
efficiency.

• Troubleshooting: Use show ip access-lists to see hit counts for rules, indicating which traffic is
matching.

Modifying and Deleting ACLs on a Cisco Router

Overview
• Modifying an ACL: Involves adding, removing, or changing rules within an existing ACL. For named
ACLs, you can directly edit specific lines. For numbered ACLs, you may need to delete and recreate the
ACL (in older IOS versions) or use sequence numbers (in newer IOS versions).

• Deleting an ACL: Involves removing the entire ACL or specific rules, ensuring it’s also removed from
any interfaces where it’s applied.

Step-by-Step Guide to Modify an ACL

Let’s assume you have a named standard ACL called IT_ACL from the previous example, with rules:

• permit 192.168.1.0 0.0.0.255 (permits IT department traffic)

• deny any (denies all other traffic)

You want to modify it to:

• Add a rule to permit a specific host (192.168.2.10).

• Change the existing rule to permit a smaller subnet (192.168.1.0/26).

• Remove the deny any rule.

Steps to Modify:

1. Access Global Configuration Mode:

o Log in to the router: enable

o Enter configuration mode: configure terminal

2. Enter the ACL Configuration:

o Command: ip access-list standard IT_ACL

o This opens the named ACL for editing.

3. View Existing Rules with Sequence Numbers:

o Exit to privileged EXEC mode temporarily: exit

o Command: show ip access-lists IT_ACL

o Example output:

o Note the sequence numbers (10, 20) for each rule.

4. Add a New Rule:


o Re-enter ACL configuration: ip access-list standard IT_ACL

o Add a rule to permit the host with a specific sequence number (e.g., 5, to place it before
existing rules):

▪ Command: 5 permit host 192.168.2.10

▪ Note: host 192.168.2.10 is shorthand for 192.168.2.10 0.0.0.0.

5. Modify an Existing Rule:

o Remove the old rule by sequence number: no 10

o Add a new rule with the updated subnet: 10 permit 192.168.1.0 0.0.0.63

▪ Note: 0.0.0.63 is the wildcard mask for /26 (255.255.255.192).

6. Remove an Unwanted Rule:

o Remove the deny any rule: no 20

o Note: Named ACLs allow direct editing of specific sequence numbers, unlike older numbered
ACLs.

7. Verify the Modified ACL:

o Command: show ip access-lists IT_ACL

o Expected output:

8. Save the Configuration:

o Command: write memory
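The two procedures above (creating IT_ACL, then editing it by sequence number) can be checked offline with the small simulator below. It is an added example, not code from the original document or from Cisco: it models standard-ACL semantics (wildcard masks, top-down first-match evaluation, sequence numbers, the implicit deny) so the effect of each step, including the missing show output, can be reasoned about before touching a router.

```python
import ipaddress


def wildcard_for_prefix(prefix_len):
    """Wildcard mask for /N is the bitwise inverse of the subnet mask (/26 -> 0.0.0.63)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def matches(src, network, wildcard):
    """Cisco wildcard semantics: 0 bits must match exactly, 1 bits are ignored."""
    if network == "any":
        return True
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (int(ipaddress.IPv4Address(network)) & care)


class StandardAcl:
    """Named standard ACL: entries keyed by sequence number, evaluated top-down."""

    def __init__(self, name):
        self.name, self.entries, self.hits = name, {}, {}

    def add(self, action, network, wildcard="0.0.0.0", seq=None):
        if seq is None:                       # no sequence given: append after the last entry
            seq = max(self.entries, default=0) + 10
        self.entries[seq], self.hits[seq] = (action, network, wildcard), 0
        return seq

    def remove(self, seq):                    # equivalent of 'no <seq>' inside the ACL
        del self.entries[seq], self.hits[seq]

    def evaluate(self, src):
        for seq in sorted(self.entries):      # first match wins, so order matters
            action, network, wildcard = self.entries[seq]
            if matches(src, network, wildcard):
                self.hits[seq] += 1           # what 'show ip access-lists' reports as matches
                return action
        return "deny"                         # no entry matched: the implicit deny any


def walkthrough():
    """Builds the page's IT_ACL, then applies the modification steps from the guide."""
    acl = StandardAcl("IT_ACL")
    acl.add("permit", "192.168.1.0", "0.0.0.255")          # becomes sequence 10
    acl.add("deny", "any")                                  # becomes sequence 20
    before = (acl.evaluate("192.168.1.77"), acl.evaluate("192.168.2.10"))
    acl.add("permit", "192.168.2.10", seq=5)                # 5 permit host 192.168.2.10
    acl.remove(10)                                          # no 10
    acl.add("permit", "192.168.1.0", wildcard_for_prefix(26), seq=10)  # 10 permit 192.168.1.0 0.0.0.63
    acl.remove(20)                                          # no 20; the implicit deny remains
    after = tuple(acl.evaluate(ip) for ip in ("192.168.1.77", "192.168.2.10", "192.168.1.20", "10.0.0.1"))
    return before, after, sorted(acl.entries), dict(acl.hits)
```

Note that 192.168.1.77 is permitted before the edit and denied after it, because the /26 only covers 192.168.1.0 to 192.168.1.63 and nothing else matches before the implicit deny.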

Step-by-Step Guide to Delete an ACL

To completely delete the IT_ACL and remove it from any interfaces:

1. Remove the ACL from Interfaces:

o Identify where the ACL is applied (e.g., GigabitEthernet0/0).

o Command: show running-config | include ip access-group

o Enter interface configuration: interface GigabitEthernet0/0

o Remove the ACL: no ip access-group IT_ACL in

o Exit interface: exit


2. Delete the ACL:

o Command: no ip access-list standard IT_ACL

o This removes the entire ACL.

3. Verify Deletion:

o Command: show ip access-lists

o Ensure IT_ACL no longer appears.

o Check interfaces: show running-config | section interface

4. Save the Configuration:

o Command: write memory

Notes:

• Numbered ACLs (Older IOS): For numbered ACLs (e.g., access-list 1 permit 192.168.1.0 0.0.0.255),
you cannot edit individual lines. You must delete the entire ACL (no access-list 1) and recreate it. In
newer IOS versions, sequence numbers allow editing similar to named ACLs.

• Sequence Numbers: Use show ip access-lists to see sequence numbers. If you don’t specify a
sequence number when adding a rule, it’s appended to the end (e.g., sequence 30).

• Implicit Deny: After removing the explicit deny any, the implicit deny still applies unless you add a
permit any rule.

• Caution: Removing an ACL from an interface without replacing it may allow all traffic, posing a
security risk.

Simple Plaintext (ASCII) Representation

Below is an ASCII diagram showing the effect of the modified ACL IT_ACL on traffic entering the router. The
modified ACL permits traffic from 192.168.2.10 and 192.168.1.0/26, denying all other traffic implicitly.

Additional Tips:

• Testing Changes: Use show ip access-lists to check hit counts (e.g., 10 permit 192.168.1.0 0.0.0.63
(50 matches)) to confirm traffic is matching as expected.

• Debugging: Use debug ip packet detail cautiously to troubleshoot ACL behavior, ensuring you have a
specific ACL to limit output.

• Backup: Before modifying ACLs, save the running configuration (copy running-config startup-config)
to avoid accidental loss.
