🌐
CCNA Prep
  • Intro
  • Network Devices
  • Interfaces and Cables
  • OSI Model & TCP/IP Suite
  • Intro to the CLI
  • Ethernet LAN Switching (Part 1)
  • Ethernet LAN Switching (Part 2)
  • IPv4 Addressing (Part 1)
  • IPv4 Addressing (Part 2)
  • Switch Interfaces
  • IPv4 Header
  • Routing Fundamentals
  • The Life of a Packet
  • Subnetting (Part 1)
  • Subnetting (Part 2)
  • Subnetting (Part 3 - VLSM)
  • VLANs (Part 1)
  • VLANs (Part 2)
  • VLANs (Part 3)
  • DTP/VTP
  • Spanning Tree Protocol (Part 1)
  • Spanning Tree Protocol (Part 2)
  • Rapid Spanning Tree Protocol
  • EtherChannel
  • Dynamic Routing
  • RIP & EIGRP
  • OSPF (Part 1)
  • OSPF (Part 2)
  • OSPF (Part 3)
  • First Hop Redundancy Protocols
  • TCP & UDP
  • IPv6 (Part 1)
  • IPv6 (Part 2)
  • IPv6 (Part 3)
  • Standard ACLs
  • Extended ACLs
  • CDP & LLDP
  • NTP
  • DNS
  • DHCP
  • SNMP
  • Syslog
  • SSH
  • FTP & TFTP
  • NAT (Part 1)
  • NAT (part 2)
  • QoS (Part 1)
  • QoS (Part 2)
  • Security Fundamentals
  • Port Security
  • DHCP Snooping
  • Dynamic ARP Inspection
  • LAN Architectures
  • WAN Architectures
  • Virtualization & Cloud, Containers, VRF
  • Wireless Fundamentals
  • Wireless Architectures
  • Wireless Security
  • Wireless Configuration
  • Network Automation
  • JSON, XML, & YAML
  • REST APIs
  • Software-Defined Networking
  • Ansible, Puppet, & Chef
Powered by GitBook
On this page

Standard ACLs

Day 34

PreviousIPv6 (Part 3)NextExtended ACLs

Last updated 1 year ago

ACLs

ACLs (Access Control Lists) have multiple uses but the primary one is security. ACLs function as a packet filter instructing the router to permit or discard the specific traffic based on source/destination IP, source/destination Layer 4 ports, etc. ACLs are configured globally on the router but after that, they have to be applied to an interface. ACLs are applied either inbound or outbound. ACL consists of an ordered sequence of ACEs (Access Control Entries). The order of these entries is very important. When a router checks a packet against ACL, it processes the ACEs in order from top to bottom. If the packet matches one of the ACEs, the router takes an action and stops processing the ACL. All entries below the matching entry are ignored. A maximum of one ACL per direction can be applied to an interface.

If a packet doesn't match any entries, it is denied. There is an implicit deny (if source IP = any, then deny) at the end of all ACLs which tells the router to deny all traffic that doesn't match any of the ACEs.

Types

There are two types of ACLs:

  1. Standard ACLs - match based on source IP only. Can use the number ranges 1-99 and 1300-1999. Standard ACLs should be applied as close to the destination as possible.

    • Standard Numbered ACLs

    • Standard Named ACLs

  2. Extended ACLs - match based on source/destination IP, source/destination port, etc.

    • Extended Numbered ACLs

    • Extended Named ACLs

Configuration

The basic command to configure a standard numbered ACL entered from the global config mode is access-list followed by the number followed by deny/permit and IP address with a wildcard mask, e.g. access-list 1 deny 1.1.1.1 0.0.0.255. To add a description use the command access-list with the number followed by remark and description. To apply the ACL on an interface, use the command ip access-group followed by the number and in/out.

Named ACLs are configured by entering the standard named ACL config mode. To do so, the command is ip access-list standard followed by a name. Then each entry is entered one by one. There is an optional field you can use at the beginning of each entry to control the order of the entries. So the command begins with an optional entry number followed by deny/permit and IP address with a wildcard mask. Named ACLs are applied on an interface in the same way as numbered ACLs. A router may re-order the /32 entries to improve the efficiency of processing the ACL but it doesn't change the effect of the ACL.

10KB
Day 34 Flashcards - Standard ACLs.apkg
94KB
Day 34 Lab - Standard ACLs.pkt