
4/28/2008

Access Control List

• Provides Layer 3 filtering that controls the flow of traffic from one network to another (extended lists also look at the Layer 4 protocol and port).

• Filters packets statelessly (packet-filtering firewall): each packet is compared with the list top-down, the first matching statement decides, and an implicit deny at the end of the list drops anything no statement permits.


Types of Access-list

• Standard ACL

• Extended ACL

• Named ACL

Standard Access List

• The access-list number range is 1 – 99 (expanded range 1300 – 1999).

• Can block a network, host or subnet.

• Two-way communication is stopped: the list can only match on the source, so everything the blocked host sends towards the destination is dropped and no session can be started.

• All services are blocked; a standard list cannot single out a protocol or port.

• Implemented closest to the destination (guideline), because filtering on the source alone near the source would also cut the host off from networks it should still reach.

• Checks the source IP address only.


Extended Access List

• The access-list number range is 100 – 199 (expanded range 2000 – 2699).

• Can block a network, host, subnet or service.

• One-way communication can be stopped: a statement names source, destination, protocol and port, so a single service in a single direction can be denied while everything else is permitted.

• Selected services can be blocked.

• Implemented closest to the source (guideline), so unwanted traffic is dropped before it crosses the network.

• Configured on the source router.

Terminology

• Deny : blocking a network/host/subnet/service

• Permit : allowing a network/host/subnet/service

• Source address : the address of the host from which the request starts.

• Destination address : the address of the host at which the request ends.

• Inbound : traffic entering the router through the interface (ip access-group <list> in)

• Outbound : traffic leaving the router through the interface (ip access-group <list> out)


Terminology

• Protocols : IP (matches all of the following)
  - TCP
  - UDP
  - ICMP

• Operators (port comparison) : eq (equal to)
                                 neq (not equal to)
                                 lt (less than)
                                 gt (greater than)
                                 range (between two ports, inclusive)

• Services : HTTP (TCP 80), FTP (TCP 21), TELNET (TCP 23), DNS (UDP/TCP 53), DHCP (UDP 67/68) etc.
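As an added example (not from the original slides), the following Python model simulates how a router evaluates a standard list and an extended list against the same constructed packets: wildcard matching on source and destination, the eq/neq/lt/gt port operators, first-match-wins ordering and the implicit deny. The host and server addresses, the list numbers and the packet set are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of Cisco-style ACL evaluation (not IOS code): wildcard
# matching, first-match-wins ordering and the implicit deny at the end.


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base, a 1 bit is ignored."""
    check_bits = ~ip_int(wildcard) & 0xFFFFFFFF
    return ((ip_int(addr) ^ ip_int(base)) & check_bits) == 0


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    """One access-list statement. A standard entry sets only action/src/src_wc."""
    action: str                # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"          # "ip" matches every protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # 0.0.0.0 255.255.255.255 is "any"
    op: Optional[str] = None   # eq / neq / lt / gt on the destination port
    port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.op is None:
            return True
        if p.dport is None:    # e.g. ICMP carries no port to compare
            return False
        return {
            "eq": p.dport == self.port,
            "neq": p.dport != self.port,
            "lt": p.dport < self.port,
            "gt": p.dport > self.port,
        }[self.op]


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; a non-empty list ends with an implicit deny.
    An empty list applied to an interface permits everything on IOS."""
    if not acl:
        return "permit"
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Standard list 10 (assumed numbering): deny one host, permit everyone else.
STANDARD_ACL = [
    Entry("deny", "10.1.1.5", "0.0.0.0"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
]

# Extended list 110 (assumed numbering): deny only HTTP from that host to the web server.
EXTENDED_ACL = [
    Entry("deny", "10.1.1.5", "0.0.0.0", proto="tcp",
          dst="192.168.1.10", dst_wc="0.0.0.0", op="eq", port=80),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
]

# Constructed sample traffic from the blocked host and a neighbour.
PACKETS: Dict[str, Packet] = {
    "http": Packet("tcp", "10.1.1.5", "192.168.1.10", 80),
    "ftp": Packet("tcp", "10.1.1.5", "192.168.1.10", 21),
    "ping": Packet("icmp", "10.1.1.5", "192.168.1.10"),
    "neighbour_http": Packet("tcp", "10.1.1.6", "192.168.1.10", 80),
}


def run_acl(acl: List[Entry]) -> Dict[str, str]:
    return {name: evaluate(acl, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    print("standard:", run_acl(STANDARD_ACL))
    print("extended:", run_acl(EXTENDED_ACL))
```

The standard list drops HTTP, FTP and ping from 10.1.1.5 alike (all services blocked), while the extended list drops only the HTTP request and lets FTP and ping through; in both cases the neighbour's traffic is unaffected. Statement order matters: swapping the two entries of either list would permit everything, because the permit-any line would match first.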

Wild Card Mask

• Tells the router which address bits must match the address in the ACL statement.

• It is the bitwise inverse of the subnet mask, hence also called the inverse mask.

• A bit value of 0 indicates MUST MATCH (check bits)

• A bit value of 1 indicates IGNORE (ignore bits)

• The wild card mask for a single host is always 0.0.0.0 (IOS also accepts the keyword host); 0.0.0.0 255.255.255.255 matches every address and is written any.


Wild Card Mask

• A wild card mask can be calculated using the formula:

    Global Subnet Mask (255.255.255.255)
  – Customized Subnet Mask
  -------------------------------------
    Wild Card Mask

E.g.

    255.255.255.255
  – 255.255.255.240
  ---------------------
      0.  0.  0. 15
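Carrying the subtraction through in code, as an added example that is not part of the original slides: the helpers below derive a wild card mask from a subnet mask (the slide's formula) or from a prefix length, test which addresses a base/wildcard pair matches, and render a standard access-list statement. It goes one step beyond the slide by showing that the 0/1 bit rule also works for a non-contiguous wildcard (matching every even-numbered third octet), which the subtraction formula cannot produce. The list number, networks and candidate addresses are assumptions.

```python
import ipaddress
from typing import List

# Constructed helpers (not IOS code) for deriving and applying wild card masks.

ALL_ONES = 0xFFFFFFFF          # the "global subnet mask" 255.255.255.255


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The slide's subtraction: 255.255.255.255 - customized subnet mask."""
    return to_dotted(ALL_ONES - to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same result from a /prefix: the low (32 - prefix_len) bits become 1 (ignore)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return to_dotted((1 << (32 - prefix_len)) - 1)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard are check bits, 1 bits are ignore bits."""
    check_bits = ~to_int(wildcard) & ALL_ONES
    return ((to_int(addr) ^ to_int(base)) & check_bits) == 0


def matching(base: str, wildcard: str, candidates: List[str]) -> List[str]:
    """Return the candidate addresses that the base/wildcard pair would match."""
    return [a for a in candidates if wildcard_match(a, base, wildcard)]


def standard_acl_line(number: int, action: str, network: str, subnet_mask: str) -> str:
    """Render a standard ACL statement with the wildcard derived from the mask;
    a host (mask 255.255.255.255) yields wildcard 0.0.0.0."""
    return f"access-list {number} {action} {network} {wildcard_from_mask(subnet_mask)}"


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))        # the slide's example
    print(wildcard_from_prefix(28))                      # same subnet as a /28
    print(standard_acl_line(10, "permit", "192.168.1.0", "255.255.255.240"))
    print(matching("192.168.1.0", "0.0.0.15",
                   ["192.168.1.1", "192.168.1.15", "192.168.1.16", "192.168.2.3"]))
    # Non-contiguous wildcard: ignore bit 0 of the third octet and the whole
    # fourth octet, so 10.0.<even>.x matches and 10.0.<odd>.x does not.
    print(wildcard_match("10.0.2.7", "10.0.0.0", "0.0.254.255"),
          wildcard_match("10.0.3.7", "10.0.0.0", "0.0.254.255"))
```

Because the router compares bits, not ranges, a wildcard that is not the inverse of a valid subnet mask is still accepted and can match scattered addresses; when auditing a configuration, convert each wildcard back to its check bits rather than assuming it describes one subnet.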
