2.
Access Control List:-
• It is layer 3 (network) security that controls the flow of traffic from one router to another.
• It is also called a packet-filtering firewall.
• ACLs are generally implemented on distribution-layer routers.
3.
Rules of ACL:-
• All deny statements have to be given first.
• There should be at least one permit statement.
• An implicit deny blocks all traffic by default when there is no match.
• We can configure one access list per interface per direction, i.e. two access lists per interface: one in the inbound direction and one in the outbound direction.
• An ACL is processed in sequential order.
• Editing of an access list is not possible, i.e. selecting, adding or removing an access-list statement is not possible.
4.
Types of ACL:-
• Standard Access list.
• Extended Access list.
• Named Access list.
5.
Standard Access list:-
• It is implemented closer to the destination.
• ACL number is 1 to 99 and 1300 to 1999.
• It works (matches) only with the source IP address.
• Two-way communication will stop.
• All services will be blocked.
6.
Configuration of standard ACL:-
• Creation of ACL:-
Hyderabad#config t
Hyderabad(config)# access-list <acl no.> <deny/permit> <source ip> <source wildcard mask>
• Implementation of ACL:-
Hyderabad(config)# interface <serial/Ethernet> <no.>
Hyderabad(config-if)# ip access-group <acl no> <in/out>
Hyderabad(config-if)#exit
Hyderabad(config)#exit
Hyderabad#show access-list
7.
Configuration continued…
• Creation of ACL:-
Hyderabad#config t
Hyderabad(config)# access-list 50 deny 192.168.1.1 0.0.0.0
Hyderabad(config)# access-list 50 permit any
• Implementation of ACL:-
Hyderabad(config)# int s1
Hyderabad(config-if)# ip access-group 50 in
Hyderabad(config-if)#exit
Hyderabad(config)#exit
8.
Extended Access list:-
• An extended ACL is implemented as close as possible to the source.
• ACL no. is 100 to 199 and 2000 to 2699.
• An extended ACL matches source IP address, destination IP address, protocol type, source port no. and destination port no.
• We can block a specific service by using an extended ACL.
10.
Configuration continued…
• Creation of Ex. ACL:-
BANGLORE#config t
BANGLORE(config)# access-list 150 deny tcp 192.168.1.1 0.0.0.0 192.168.2.0 0.0.0.255 eq 23
BANGLORE(config)#access-list 150 permit ip any any
• Implementation of ACL:-
BANGLORE(config)# int e 0
BANGLORE(config-if)# ip access-group 150 in
BANGLORE(config-if)# exit
BANGLORE(config)# ^Z
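The first-match, wildcard-mask and implicit-deny behaviour from the rules slide, applied to ACL 150 above, as an added example that is not part of the original slides. The tuple layout, function names and sample packets are constructed for illustration and model only the fields this ACL uses.

```python
import ipaddress

# ACL 150 from the slide: (action, protocol, src, src wildcard, dst, dst wildcard, dst port).
# "any" is modelled as 0.0.0.0 with wildcard 255.255.255.255; port None means no port test.
ACL_150 = [
    ("deny", "tcp", "192.168.1.1", "0.0.0.0", "192.168.2.0", "0.0.0.255", 23),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst, dst_port=None):
    """Return (action, matched line); line 0 means the implicit deny at the end."""
    for n, (action, p, s, sw, d, dw, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:
            continue  # protocol keyword "ip" matches every IP protocol
        if not wildcard_match(src, s, sw) or not wildcard_match(dst, d, dw):
            continue
        if port is not None and port != dst_port:
            continue
        return action, n  # first match wins; later lines are never consulted
    return "deny", 0      # nothing matched: implicit deny

# Constructed sample packets: (protocol, source, destination, destination port)
PACKETS = [
    ("tcp", "192.168.1.1", "192.168.2.10", 23),    # Telnet from the denied host
    ("tcp", "192.168.1.1", "192.168.2.10", 80),    # same host, other service
    ("tcp", "192.168.1.2", "192.168.2.10", 23),    # Telnet from a different host
    ("icmp", "192.168.1.1", "192.168.2.10", None), # non-TCP traffic
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", evaluate(ACL_150, *pkt))
    # Without the final permit line, unmatched traffic hits the implicit deny.
    print("deny line only:", evaluate(ACL_150[:1], "tcp", "192.168.1.2", "192.168.2.10", 80))
    # With the permit line first, the deny line is never reached.
    print("reversed order:", evaluate(ACL_150[::-1], "tcp", "192.168.1.1", "192.168.2.10", 23))
```
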
11.
Named Access list:-
• In a named ACL, names can be used as the reference for the ACL instead of numbers.
• Named ACLs support both IP and IPX protocols.
• Unlike in numbered ACLs, in named ACLs you can delete a single entry in the ACL.
• Types of Named ACLs:-
1. Named-standard access list.
2. Named-Extended access list.
12.
Configuration of Named-standard ACL:-
• Creation of ACL:-
Hyderabad#config t
Hyderabad(config)# ip access-list standard <name>
Hyderabad(config-std-nacl)# <permit/deny> <source IP> <source wildcard mask>
Hyderabad(config-std-nacl)# exit
• Implementation of ACL:-
Hyderabad(config)# interface <serial/Ethernet> <no.>
Hyderabad(config-if)# ip access-group <name> <in/out>
Hyderabad(config-if)#exit
Hyderabad(config)#exit
Hyderabad#show access-list
13.
Configuration of Named-Extended ACL:-
• Creation of Ex. ACL:-
BANGLORE#config t
BANGLORE(config)# ip access-list extended <name>
BANGLORE(config-ext-nacl)# <permit/deny> <protocol> <source ip> <source wild> <destination IP> <destination wild> <operator> <port no>
BANGLORE(config-ext-nacl)# exit
• Implementation of ACL:-
BANGLORE(config)# interface <serial/Ethernet> <no.>
BANGLORE(config-if)# ip access-group <name> <in/out>
BANGLORE(config-if)#^z
BANGLORE#show access-list