CCNA 200-120

Cisco certification training

Instructor:- ASHOK TAMBE

Contact us :- 9930157345 ashok tambe

Training for
CCNA,CCNP,
CCNA SECURITY
CCIP,
MPLS, BGP, IPV6
NETWORK+, SEURITY+

Cisco certification training

Instructor:- ASHOK TAMBE

https://www.facebook.com/Networkingwanschool

Copyright 2015 NETworkingWANschool

CCNA 200-120

IPv4 Services

Basic IPv4 Access Control Lists

Network Address Translation

Advanced IPv4 ACLs and Device Security

Instructor:- ASHOK TAMBE

Copyright 2015 NETworkingWANschool

CCNA 200-120

IPv4 Services
Basic IPv4 Access Control Lists

Instructor:- ASHOK TAMBE

Copyright 2015 NETworkingWANschool

Basic IPv4 Access Control Lists

Network security is a huge subject, and much of it is far beyond the scope of this course.
However, one of the most important skills a network administrator needs is mastery of access
control lists (ACLs). Administrators use ACLs to stop traffic or permit only specified traffic while
stopping all other traffic on their networks. This chapter includes an opportunity to develop
your mastery of ACLs with a series of lessons, activities, and lab exercises.

Network designers use firewalls to protect networks from unauthorized use. Firewalls are
hardware or software solutions that enforce network security policies. Consider a lock on a
door to a room inside a building. The lock only allows authorized users with a key or access
card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous
packets from entering the network. On a Cisco router, you can configure a simple firewall that
provides basic traffic filtering capabilities using ACLs.
An ACL is a sequential list of permit or deny statements that apply to addresses or upperlayer protocols. ACLs provide a powerful way to control traffic into and out of your
network. You can configure ACLs for all routed network protocols

The most important reason to configure ACLs is to provide security for your network. This
chapter explains how to use standard and extended ACLs as part of a security solution and
teaches you how to configure them on a Cisco router. Included are tips, considerations,
recommendations, and general guidelines on how to use ACLs.
IPv4 ACLs perform many functions in Cisco routers, with the most common use as a packet
filter.
Packet filtering, sometimes called static packet filtering, controls access to a network by
analyzing the incoming and outgoing packets and passing or halting them based on
stated criteria
A router acts as a packet filter when it forwards or denies packets according to filtering
rules. When a packet arrives at the packet-filtering router, the router extracts certain
information from the packet header and makes decisions according to the filter rules
as to whether the packet can pass through or be discarded. Packet filtering works at
the network layer of the Open Systems Interconnection (OSI) model, or the Internet
layer of TCP/IP.

As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic
based on source and destination IP addresses, source port and destination port, and the protocol of
the packet. These rules are defined using access control lists or ACLs.

Recall that an ACL is a sequential list of permit or deny statements that apply to IP
addresses or upper-layer protocols. The ACL can extract the following information from the
packet header, test it against its rules, and make "allow" or "deny" decisions based on:
Source IP address
Destination IP address
ICMP message type

The ACL can also extract upper layer information and test it against its rules. Upper layer
information includes:
TCP/UDP source port
TCP/UDP destination port

Packet Filtering
To understand the concept of how a router uses packet filtering, imagine that a guard has been posted
at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass
through the door. The guard is filtering people based on the criterion of having their names on the
authorized list.
For example, you could say, "Only permit web access to users from network A. Deny web access to
users from network B, but permit them to have all other access." Refer to the figure to examine the
decision path the packet filter uses to accomplish this task.

An ACL is a router configuration script that controls whether a router permits or denies packets to pass
based on criteria found in the packet header. ACLs are among the most commonly used objects in Cisco
IOS software. ACLs are also used for selecting types of traffic to be analysed, forwarded, or processed in
other ways.
As each packet comes through an interface with an associated ACL, the ACL is checked from top to
bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one
or more corporate security policies by applying a permit or deny rule to determine the fate of the
packet. ACLs can be configured to control access to a network or subnet. *******(must remember)
By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that
enters the router is routed according to the routing table. If you do not use ACLs on the router, all
packets that can be routed through the router pass through the router to the next network segment.
*******(must remember)
The Three Ps
A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can
configure one ACL per protocol, per direction, per interface:
One ACL per protocol-To control traffic flow on an interface, an ACL must be defined for each protocol
enabled on the interface.
One ACL per direction-ACLs control traffic in one direction at a time on an interface. Two separate ACLs
must be created to control inbound and outbound traffic.
One ACL per interface-ACLs control traffic for an interface, for example, Fast Ethernet 0/0

ACLs perform the following tasks

Limit network traffic to increase network performance.

If

corporate policy does not allow video traffic, ACLs can block video traffic.

Provide traffic flow control.

ACLs
If

can restrict the delivery of routing updates.

updates are not required because of network conditions, bandwidth is preserved.

Provide a basic level of security for network access.

ACLs

can allow one host to access a part of the network and prevent others from
accessing the same area.

Decide which types of traffic to forward or block at the router interfaces.

For

example, an ACL can permit e-mail traffic, but block all Telnet traffic.

Control which areas a client can access on a network.

Screen hosts to permit or deny access to network services.

ACLs

can permit or deny a user to access file types, such as FTP or HTTP.

ACLs inspect network packets based on criteria, such as source address,

destination address, protocols, and port numbers.

ACL can classify traffic to enable priority processing down the line.

ACL Location and Direction

Cisco routers can apply ACL logic to packets at the point at which the IP packets enter an interface,
or the point at which they exit an interface. In other words, the ACL becomes associated with an
The
four
lines
in the flow
figure
pointinout
direction
the inbound
interface
and
forarrowed
a direction
of packet
(either
or the
out).location
That is, and
the ACL
can befor
applied
used to
forward
the packet(routing)
from host
B to server
S1. In this
to the router
router, interfaces
before the router
makes
its forwarding
decision,
or outbound,
after the router
example,
those
interfaces
and the
direction
are inbound
R1s
F0/0
makes particular
its forwarding
decision
and has
determined
exit interface
to use.on
***
(must
remember )
interface, outbound on R1s S0/0/0 interface, inbound on R2s S0/0/1 interface,
The arrows
in Figure show
the locations
at whichIf,you
filter you
packets
flowing
to on
right
in
and outbound
on R2s
F0/0 interface.
for could
example,
enabled
onleft
ACL
R2s
the topology.
For example,
imagine
that youthat
wanted
allownot
packets
sentfilter
by host
to server
S1,
F0/1 interface,
in either
direction,
ACL to
could
possibly
theApacket
sent
but to from
discard
packets
sent by S1,
hostbecause
B to server
S1. F0/1
Each arrowed
represents
location
host
B to server
R2s
interfaceline
is not
part of athe
route and
from
direction
at
which
a
router
could
apply
an
ACL,
filtering
the
packets
sent
by
host
B.
B to S1.

How ACLs Work

ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets
that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act
on packets that originate from the router itself.
ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.
Inbound ACLs-Incoming packets are processed before they are routed(before routing lookup)to the
outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if
the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
***(must remember )
Outbound ACLs-Incoming packets are routed (after routing lookup) to the outbound interface, and
then they are processed through the outbound ACL.***(must remember)

ACL statements operate in sequential order. They evaluate

packets against the ACL, from the top down, one statement at a
time***(must remember)

ACL Operation

Inbound ACLs

ACL statements operate in sequential order.

They

evaluate packets against the ACL, from the top down, one
statement at a time.

If a packet header and an ACL statement match, the rest of the

statements in the list are skipped,
and

the packet is permitted or denied as determined by the

matched statement.

If a packet header does not match a statement, the packet is tested

against the next statement in the list.
This

matching process continues until the end of the list.

A final implied (IMPLICIT) statement covers all packets for which

conditions did not test true.
This

final statement is often referred to as the "implicit deny

any statement" or the "deny all traffic" statement.
Because

of this statement, an ACL should have at least one

permit statement in it; otherwise, the ACL blocks all traffic.

Once you apply the ACL on an interface, the router MUST compare
every packet. Causes significant processor load.

ACL Operation

Outbound ACLs

Before a packet is forwarded to an outbound interface, the router

checks the routing table to see if the packet is routable.
If

the packet is not routable, it is dropped.

Next, the router checks to see whether the outbound interface is

grouped to an ACL.

If the outbound interface is not grouped to an ACL,

The

packet is sent directly to the outbound interface.

If the outbound interface is grouped to an ACL,

the

packet is not sent out on the outbound interface until it

is tested by the combination of ACL statements that are
associated with that interface.

A final implied (IMPLICIT) statement covers all packets for which

conditions did not test true.
This

final statement is often referred to as the "implicit

deny any statement" or the "deny all traffic" statement.

ACL and Routing and ACL Processes on a Router

As a frame enters an interface, the router checks the destination Layer 2 address.

If the frame is accepted and the router checks for an ACL on the inbound interface.

If an ACL exists, the packet is now tested against the statements in the list.

If the packet matches a statement, the packet is either accepted or rejected.

If the packet is accepted in the interface, it is then checked against routing table entries to determine the
destination interface and switched to that interface.

Next, the router checks whether the destination interface has an ACL.

If an ACL exists, the packet is tested against the statements in the list.

If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded
out the interface to the next device.

Matching Packets
When you think about the location and direction for an ACL, you must already be thinking about what
packets you plan to filter (discard), and which ones you want to allow through. To tell the router those
same ideas, you must configure the router with an IP ACL that matches packets. Matching packets
refers to how to configure the ACL commands to look at each packet, listing how to identify which
packets should be discarded, and which should be allowed through.
For example, consider an example with Figure , in which you want to allow packets from host A
to server S1, but to discard packets from host B going to that same server. The hosts all now have IP
addresses, and the figure shows pseudocode for an ACL on R2. Figure also shows the chosen
location to enable the ACL: inbound on R2s S0/0/1 interface.

Taking Action When a Match Occurs

When using IP ACLs to filter packets, only one of two actions can be chosen. The
configuration commands use keywords deny and permit, and they mean (respectively) to
discard the packet or to allow it to keep going as if the ACL did not exist.

The Implied "Deny All Traffic" Criteria Statement

At the end of every access list is an implied "deny all traffic" criteria statement. It is also
sometimes referred to as the "implicit deny any" statement. Therefore, if a packet does not
match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is
the default behaviour of ACLs and cannot be changed. ***(must remember )

Types of IP ACLs
Cisco IOS has supported IP ACLs since the early days of Cisco routers. Beginning with the original
standard numbered IP ACLs in the early days of IOS, which could enable the logic shown earlier
Cisco has added many ACL features, including:

Standard Numbered ACLs (199)

Extended Numbered ACLs (100199)
Additional ACL Numbers
(13001999 standard, 20002699 extended)
Named ACLs
Improved Editing with Sequence Numbers

Numbering and Naming ACLs

Using numbered ACLs is an effective method for determining the ACL type on
smaller networks.

Standard ACL for IP 1-99

Extended ACL for IP 100-199

Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco
ACL.

Numbering and Naming ACLs

When configuring ACLs on a router, each ACL must be uniquely identified

by assigning a number to it.

(the

number scheme)
Named ACLs help identify the function. Some ACLs
(reflexive) MUST be named.

Access-list 5 permit
Access-list 5 permit
Access-list 5 permit
Access-list 5 permit
Access-list 5 permit
One group with the number 5

OR

Access-list 1 permit
Access-list 2 permit
Access-list 3 permit
Access-list 4 permit
Access-list 5 permit
5 different groups

Where to Place ACLs

ACLs can act as firewalls to filter packets and eliminate unwanted traffic.
Every ACL should be placed where it has the greatest impact on efficiency.

The basic rules are:

Locate

extended ACLs as close as possible to the source of the traffic denied.

This way, undesirable traffic is filtered without crossing the network infrastructure.
Because

standard ACLs do not specify destination addresses, place them as close

to the destination as possible.

2 Types of Cisco ACLs: standard and extended

Standard ACLs

Standard ACLs allow you to permit or deny traffic

from source IP addresses.

Apply these ACLs closest to the destination!

The destination of the packet and the ports

involved do not matter.

The example allows all traffic from network

192.168.30.0/24 network.

Because of the implied "deny any" at the end, all other

traffic is blocked with this ACL.

Extended ACLs

Extended ACLs filter IP packets based

on several attributes, for example,
protocol type, source IP address,
destination IP address, source TCP or
UDP ports, destination TCP or UDP
ports, and optional protocol type
information for finer granularity of
control.

In the figure, ACL 103 permits traffic

originating from any address on the
192.168.30.0/24 network to any
destination host port 80 (HTTP).

Where to Place ACLs

Standard ACL: In the figure, the

administrator wants to prevent
traffic originating in the
192.168.10.0/24 network from
getting to the 192.168.30.0/24
network.

An standard ACL on the

outbound interface of R1
denies R1 the ability to send
traffic to other places as well.

The solution is to place a

standard ACL on the inbound
interface of R3 to stop all
traffic from the source
address192.168.10.0/24.

A standard ACL is only concern

with source IP addresses.

Where to Place ACLs

Extended ACL: Placement must be

determined in the control of the network
administrator extends. (close to the
SOURCE as possible)

In this figure, the administrator of the

192.168.10.0/24 and 192.168.11.0/24
(referred to as Ten and Eleven) wants to
deny Telnet and FTP traffic from Eleven to
the 192.168.30.0/24 (Thirty). At the same
time, other traffic must be permitted to
leave Ten. (Use Bridge example to explain)

There are several ways to do this.

1. An extended ACL on R3 blocking Telnet and FTP from Eleven would accomplish the task,
but the solution also still allows unwanted traffic to cross the entire network, only to be
blocked at the destination.
2. Use an outbound extended, Telnet and FTP traffic from Eleven is not allowed to go to
Thirty." Place this extended ACL on the outbound S0/0/0 port of R1.
A disadvantage of this is that traffic from Ten would also be processing by the ACL, even though traffic is
allowed.

The better solution is to place an extended ACL on the inbound Fa0/2 of R1. This ensures
that packets from Eleven do not enter R1, and cannot cross over into Ten.

General Guidelines for Creating ACLs: Activity

Entering Criteria Statements

Recall that when traffic comes into the router, it is compared to ACL statements based on the order that the entries occur
in the router. The router continues to process the ACL statements until it has a match.

For this reason, you should have the most frequently used ACL entry at the top of the list.

If no matches are found when the router reaches the end of the list, the traffic is denied because there is an implied
deny for traffic.

A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit
statement in an ACL or all traffic is blocked.

For example, the two ACLs (101 and 102) in the figure have the same effect.

Network 192.168.10.0 would be permitted to access network 192.168.30.0 while 192.168.11.0 would not be allowed.

Standard ACL Logic

Standard ACL Logic
In the figure, packets that come in Fa0/0 are checked for their source addresses:
access-list 2 deny 192.168.10.1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255
If packets are permitted, they are routed through the router to an output interface. If packets are not permitted, they are dropped
at the incoming interface

Configuring a Standard ACL

To configure numbered standard ACLs on a Cisco router, you must first create the standard ACL and then
activate the ACL on an interface.
The access-list global configuration command defines a standard ACL with a number in the range of 1 to
99. Cisco IOS Software Release 12.0.1 extended these numbers by allowing 1300 to 1999 to provide a
maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs.

The full syntax of the standard ACL command is as follows:

Router(config)# access-list access-list-number deny permit remark source [source-wildcard]
[log]
The figure provides a detailed explanation of the syntax for a standard ACL.

For example, to create a numbered ACL designated 10 that would permit network
192.168.10.0 /24, you would enter:
R1(config)# access-list 10 permit 192.168.10.0

Remove ACL
The no form of this command removes a standard ACL. In the figure, the output of the show
access-list command displays the current ACLs configured on router R1.
To remove the ACL, the global configuration no access-list command is used. Issuing the show
access-list command confirms that access list 10 has been removed.

Remark a Standard ACL

Typically, administrators create ACLs and fully understand each the purpose of each statement within
the ACL. However, when an ACL is revisited at a later time, it may no longer as obvious as it once was.
The remark keyword is used for documentation and makes access lists a great deal easier to
understand. Each remark is limited to 100 characters. The ACL in the figure, although fairly simple, is
used to provide an example. When reviewing the ACL in the configuration, the remark is also
displayed.

Matching the Exact IP Address

To match a specific source IP address, the entire IP address, all you have to do is
type that IP address at the end of the command. For example, the previous example
uses pseudocode for permit if source = 10.1.1.1. The following command configures
that logic with correct syntax using ACL number 1:
access-list 1 permit 10.1.1.1

Matching the exact full IP address is that simple.

In earlier IOS versions, the syntax included a host keyword. Instead of simply typing
the full IP address, you first typed the host keyword, and then the IP address. Note
that in later IOS versions, if you use the host keyword, IOS accepts the command,
but then removes the keyword.
access-list 1 permit host 10.1.1.1

Matching a Subset of the Address with Wildcards

Often, the business goals you want to implement with an ACL does not match a single
particular IP address, but rather a range of IP addresses. Maybe you want to match all IP
addresses in a subnet.
IOS allows standard ACLs to match a range of addresses using a tool called a wildcard
mask. Note that this is not a subnet mask. The wildcard mask (which this book
abbreviates as WC mask) gives the engineer a way to tell IOS to ignore parts of the
address when making comparisons, essentially treating those parts as wildcards, as if
they already matched.
ACLs statements include masks, called wildcard masks. A wildcard mask is a string of
binary digits telling the router which parts of the subnet number to look at. Although
wildcard masks have no functional relationship with subnet masks, they do provide a
similar function. The mask determines how much of an IP source or destination address to
apply to the address match. The numbers 1 and 0 in the mask identify how to treat the
corresponding IP address bits. However, they are used for different purposes and follow
different rules.

ACLs statements include wildcard masks.

A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at.

The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits.

Wildcard masks are referred to as an inverse mask.

Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following
rules to match binary 1s and 0s:
Wildcard

mask bit 0 - Match the corresponding bit value in the address

Wildcard

mask bit 1 - Ignore the corresponding bit value in the address

The table in the figure shows the results of applying a 0.0.255.255 wildcard mask to a 32-bit IP address.

ACL Wildcard Masks to Match IP Subnets

The first example the wildcard mask stipulates that every bit in the IP
192.168.1.1must match exactly.

In the second example, the wildcard mask stipulates that anything will match.

The wildcard mask is 0.0.0.0.

The wildcard mask is 255.255.255.255.

In the third example, the wildcard mask stipulates that it will match any host
within the 192.168.1.0 /24 network.

The wildcard mask is 0.0.0.255.

The second figure are more complicated.

In example 1, the first two octets and first four bits of the third octet must
match exactly.

This checks for 192.168.16.0 to 192.168.31.0

The wildcard mask is 0.0.15.255.

Example 2 , a wildcard mask that matches the first two octets, and the least
significant bit in the third octet.

The result is a mask that would permit or deny all hosts from odd
subnets (/24) from the 192.168.0.0 major network.

The wildcard mask is 0.0.254.255.

ACL Wildcard Masks to Match IP Subnets

Although you could accomplish the result with two statements:

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.11.0 0.0.0.255

It is far more efficient to configure the wildcard mask such as:

R1(config)# access-list 10 permit 192.168.10.0 0.0.3.255

That may not seem more efficient, but when you consider if you wanted to match network 192.168.16.0 to 192.168.31.0 :

R1(config)# access-list 10 permit 192.168.16.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.17.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.18.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.19.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.21.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.22.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.23.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.24.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.25.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.26.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.27.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.28.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.29.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.30.0 0.0.0.255

R1(config)# access-list 10 permit 192.168.31.0 0.0.0.255

You can see that configuring the following wildcard mask makes it far more efficient:

R1(config)# access-list 10 permit 192.168.16.0 0.0.15.255

ACL Wildcard Masks to Match IP Subnets

Calculating wildcard masks can be difficult, but you can

do it easily by subtracting the subnet mask from
255.255.255.255.

Example 1: assume you wanted to permit access to all

users in the 192.168.3.0 network.

Because the subnet mask is 255.255.255.0, you could take

the 255.255.255.255 and subtract from the subnet mask.

The solution produces the wildcard mask 0.0.0.255.

Example 2: Now assume you wanted to permit network

access for the 14 users in the subnet 192.168.3.32 /28.
The subnet mask for the IP subnet is 255.255.255.240,

take 255.255.255.255 and subtract the subnet mask

255.255.255.240

The solution this time produces the wildcard mask 0.0.0.15.

Example 3: assume you wanted to match only networks

192.168.10.0 and 192.168.11.0.

take 255.255.255.255 and subtract the subnet mask

255.255.254.0.

The result is 0.0.1.255.

Wildcard Bit Mask Keywords

The keywords host and any help identify the most common uses of wildcard
masking.
The

host option substitutes for the 0.0.0.0 mask. This mask states that all IP
address bits must match or only one host is matched.
The

This mask says to ignore the entire IP address or to accept any

addresses.

Example for keyword any:

Instead of entering

R1(config)# access-list 1 permit 0.0.0.0 255.255.255.255,

you can use

any option substitutes for the IP address and 255.255.255.255 mask.

R1(config)# access-list 1 permit any

Example for keyword host:

Instead of entering

R1(config)# access-list 1 permit 192.168.10.10 0.0.0.0,

you can use

R1(config)# access-list 1 permit host 192.168.10.10.

Applying Standard ACL to Interfaces

After a standard ACL is configured, it is linked to an interface using the ip access-group command:
Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter
the global no access-list command to remove the entire ACL.
The figure lists the steps and syntax to configure and apply a numbered standard ACL on a router.

Example 1: use an ACL to permit a

single network.

This ACL allows only traffic from source

network 192.168.10.0 to be forwarded out on
S0/0/0. Traffic from networks other than
192.168.10.0 is blocked.

The first line identifies the ACL as access list

1. It permits traffic that matches the
selected parameters.

access-list 1 permit 192.168.10.0 0.0.0.255

The unseen implicit deny all other traffic.

The ip access-group 1 out interface

configuration command links and ties ACL 1
to the Serial 0/0/0 interface as an outbound
filter.

Example 2: an ACL that denies a

specific host.

The first command deletes the previous

ACL 1.

The next ACL statement, denies the

PC1 host located at 192.168.10.10.
Every other host on the 192.168.10.0
/24 network is permitted.

The implicit deny statement matches

other network.

The ACL is again reapplied to interface

S0/0/0 in an outbound direction.

Example 3: an ACL that denies a

specific host.

This ACL replaces the previous example

but still blocks traffic from the host
PC1. It also permits all other LAN
traffic to exit from router R1.

The first command deletes the previous

version of ACL 1 and the next ACL
statement denies the PC1 host located
at 192.168.10.10.

The third line is new and permits all

hosts from the 192.168.x.x /16
networks.

The ACL is again reapplied to interface

S0/0/0 in an outbound direction.

Using an ACL to Control VTY Access

Cisco recommends using SSH for administrative connections to routers and switches. If the Cisco IOS
software image on your router does not support SSH, you can partially improve the security of
administrative lines by restricting VTY access. Restricting VTY access is a technique that allows you to
define which IP addresses are allowed Telnet access to the router EXEC process. You can control which
administrative workstation or network manages your router with an ACL and an access-class statement to
your VTY lines. You can also use this technique with SSH to further improve administrative access security.
The access-class command in line configuration mode restricts incoming and outgoing connections
between a particular VTY (into a Cisco device) and the addresses in an access list.

Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a
higher level protocol. However, because you are using the access-class command to filter
incoming or outgoing Telnet sessions by source address and apply filtering to VTY lines, you
can use standard ACL statements to control VTY access.

The command syntax of the access-class command is:

access-class access-list-number {in [vrf-also] | out}
The parameter in restricts incoming connections between a
particular Cisco device and the addresses in the access list,
while the parameter out restricts outgoing connections
between a particular Cisco device and the addresses in the
access list.
An example allowing VTY 0 and 4 is shown in the figure. For
example, the ACL in the figure is configured to permit
networks 192.168.10.0 and 192.168.11.0 access to VTYs 0 - 4.
All other networks are denied access to the VTYs.
The following should be considered when configuring access
lists on VTYs:
Only numbered access lists can be applied to VTYs.
Identical restrictions should be set on all the VTYs,
because a user can attempt to connect to any of them.

Commenting ACLs

You can use the remark keyword to include comments about entries in any ACL.

The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.

To include a comment for IP numbered standard or extended ACLs,

access-list access-list number remark remark command.

To remove the remark, use the no form of this command.

For an entry in a named ACL,

use the remark configuration command.

To remove the remark, use the no form of this command.

Creating Standard Named ACLs

Naming an ACL makes it easier to understand.

For example, an ACL to deny FTP could be called NO_FTP.

When you identify your ACL with a name, the configuration command syntax are slightly different.

The steps to create a standard named ACL.

Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL.

ACL names are alphanumeric, must be unique and must not begin with a number.

Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more
conditions for determining if a packet is forwarded or dropped.

Step 3. Return to privileged EXEC mode with the end command.

Creating Standard Named ACLs

Naming an ACL makes it easier to understand its function. For example, an ACL to deny FTP could be called
NO_FTP. When you identify your ACL with a name instead of with a number, the configuration mode and command
syntax are slightly different.
The figure shows the steps to create a standard named ACL.
Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL
names are alphanumeric, must be unique and must not begin with a number.
Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more
conditions for determining if a packet is forwarded or dropped.
Step 3. Return to privileged EXEC mode with the end command

Monitoring and Verifying ACLs

When you finish an ACL configuration, use Cisco IOS show commands to verify the
configuration.

Editing Names ACLs

Named ACLs have a big advantage over numbered ACLs in that they are easier to edit.
Starting
You
If

with Cisco IOS 12.3, named IP ACLs allow you to delete individual entries in a specific ACL.

can use sequence numbers to insert statements anywhere in the named ACL.

you are using an earlier Cisco IOS version, you can add statements only at the bottom of the named ACL.

The example in the figure shows an ACL applied to the S0/0/0 interface of R1. It restricted access to the web server. Looking at this
example,
In

the first show command output, you can see that the ACL named WEBSERVER has three numbered lines.

To

grant another workstation access in the list only requires inserting a numbered line. The workstation with the IP address
192.168.11.10 is being added.
The

final show command output verifies that the new workstation is now allowed access.

Extended Numbered IP Access Control Lists

Extended IP access lists have many similarities compared to the standard numbered IP
ACLs discussed in the previous chapter. Just like standard IP ACLs, you enable extended
access lists on interfaces for packets either entering or exiting the interface. IOS searches
the list sequentially.
Extended ACLs also use first-match logic, because the router stops the search through the
list as soon as the first statement is matched, taking the action defined in the first-matched
statement. All these features are also true of standard numbered access lists (and named
ACLs).
Extended ACLs differ from standard ACLs mostly because of the larger variety of packet
header fields that can be used to match a packet. One extended ACL statement can
examine multiple parts of the packet headers, requiring that all the parameters be matched
correctly to match that one ACL statement. That powerful matching logic makes extended
access lists both more useful and more complex than standard IP ACLs.

Matching the Protocol, Source IP, and Destination IP

Like standard numbered IP ACLs, extended numbered IP ACLs also use the access-list global
command. The syntax is identical, at least up through the permit or deny keyword. At that point, the
command lists matching parameters, and those differ, of course. In particular, the extended ACL
access-list command requires three matching parameters: the IP protocol type, the source IP address,
and the destination IP address.
The IP headers Protocol field identifies the header that follows the IP header. Figure shows the location
of the IP Protocol field, the concept of it pointing to the type of header that follows, along with some
details of the IP header for reference.

IOS requires that you configure parameters for the three highlighted parts of Figure . For the protocol type,
you simply use a keyword, such as tcp, udp, or icmp, matching IP packets that happen to have a TCP,
UDP, or ICMP header, respectively, following the IP header. Or you can use the keyword ip, which means
all ip packets.

Extended ACL Syntax, with Required Fields

Note
When matching IP addresses in the source and destination fields, there is
one difference with standard ACLs: When matching a specific IP address,
the extended ACL requires the use of the host keyword. You cannot simply
list the IP address alone.
In an extended ACL access-list command, all the matching parameters must
match the packet for the packet to match the command.**** (must remember )

Matching TCP and UDP Port Numbers

Extended ACLs can also examine parts of the TCP and UDP headers, particularly the source
and destination port number fields. The port numbers identify the application that sends or
receives the data.
The most useful ports to check are the well-known ports used by servers. For example, web
servers use well-known port 80 by default. Figure shows the location of the port numbers in
the TCP header, following the IP header.

When an extended ACL command includes either the tcp or udp keyword, that command
can optionally reference the source and/or destination port. To make these comparisons, the
syntax uses keywords for equal, not equal, less than, greater than, and for a range of port
numbers. Additionally, the command can use either the literal decimal port numbers, or
more convenient keywords for some well-known application ports. Figure shows the
positions of the source and destination port fields in the access-list command and these
port number keywords.

For example, consider the simple network shown in Figure . The FTP server sits on the right,
with the client on the left. The figure shows the syntax of an ACL that matches the following:
Packets that include a TCP header
Packets sent from the client subnet
Packets sent to the server subnet
Packets with TCP destination port 21 (FTP server control port)

Conversely, Figure shows the reverse flow, with a packet sent by the server back toward
PC1. In this case, the packets TCP header has a source port of 21, so the ACL must
check the source port value of 21, and the ACL must be located on different interfaces. In
this case, the eq 21 parameters follow the source address field, but comes before the
destination address field.

Configuring Extended ACLs

The procedural steps for configuring extended ACLs are the same as for standard ACLs

first create the extended ACL

then activate it on an interface.

For example, the network administrator needs to restrict Internet access to allow only web browsing.

ACL 103 applies to traffic leaving 192.168.10.0 network,

It allows traffic to go to any destination ports 80 (HTTP) and 443 (HTTPS) only.

ACL 104 applies to traffic coming into the network.

ACL 104 blocking all incoming traffic, except for the established connections.

HTTP establishes connections starting with the request and then exchange of ACK, FIN, and SYN
messages.

A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the
packet belongs to an existing connection.

This parameter allows responses to traffic that originates from the 192.168.10.0 /24 network to
return to s0/0/0.

Applying Extended ACLs to Interfaces

Recall that we want to allow users to browse both insecure and secure websites.

First consider whether the traffic you want to filter is going in or out.

In the example in the figure, R1 has two interfaces. It has a serial port, S0/0/0, and a Fast
Ethernet port, Fa0/0.

The Internet traffic coming in is going in the S0/0/0 interface,

but is going out the Fa0/0 interface to reach PC1.

The example applies the ACL to the serial interface in both directions.

Example: Deny FTP

Denying FTP traffic from subnet 192.168.11.0 going to 192.168.10.0, but permitting all other traffic.

Remember that FTP requires ports 20 and 21, therefore you need to specify to deny FTP.

With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name.

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp

access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data

Example: Deny Telnet

Denies Telnet traffic from 192.168.11.0 going out interface Fa0/0, but allows all other IP
traffic from any other source to any destination out Fa0/0.

Note the use of the any keywords, meaning from anywhere going to anywhere.

Creating Named Extended ACLs

You can create named extended ACLs in essentially the same way you created named standard ACLs.

Step 1. Starting in the global configuration mode, use the ip access-list extended name command to define a
named extended ACL.

Step 2. In named ACL configuration mode, specify the conditions you want to allow or deny.

Step 3. Return to privileged EXEC mode and verify your ACL with the show access-lists [number | name]
command.

Step 4. As an option and recommended step, save your entries in the configuration file with the copy runningconfig startup-config command.

To remove a named extended ACL, use the no ip access-list extended name global configuration command.

ACL Editing
Now that you have a good understanding of the core concepts in IOS IP ACLs, this section
examines a few enhancements to IOS support for ACLs :- ACL editing with sequence numbers
Named ACLs allow the user to delete and add new lines to the ACL from within ACL configuration
mode.
ACL sequence numbers make it easier to edit existing ACLs when an ACL needs to change.

Numbered ACLs have existed in IOS since the early days of Cisco routers and IOS.
However, for many years, through many IOS versions, the ability to edit a numbered IP ACL
was poor. For example, to simply delete a line from the ACL, the user had to delete the
entire ACL and then reconfigure it.
Today, modern IOS versions allow CLI users to easily edit both numbered and named
ACLs. Cisco first introduced these enhanced ACL editing features in named ACLs only, and
slowly added them to numbered ACLs as well. This section examines these great ACL
editing features that have been around in IOS since Version 12.3, is now a relatively old
IOS version.

The ACL editing feature uses an ACL sequence number that is added to each ACL permit
or deny statement, with the numbers representing the sequence of statements in the
ACL. ACL sequence numbers provide the following features for both numbered and
named ACLs:
New Configuration Style for Numbered: Numbered ACLs use a configuration style like
named ACLs, as well as the traditional style, for the same ACL; the new style is required to
perform advanced ACL editing.
Deleting Single Lines: An individual ACL permit or deny statement can be deleted with a
no sequence-number subcommand.
Inserting New Lines: Newly added permit and deny commands can be configured with a
sequence number, dictating the location of the statement within the ACL.
Automatic Sequence Numbering: IOS adds sequence numbers to commands as you
configure them, even if you do not include the sequence numbers.

Cisco certification training

Instructor:- ASHOK TAMBE

Contact us :- 9930157345 ashok tambe

https://www.facebook.com/ashok.tambe.733
https://www.facebook.com/groups/networkingwanschool/
tambe.ashok@gmail.com