
Do you know what Access Lists (ACLs) are, and why and where to use them?

Hello Networkers. I know most of you are familiar with access lists, and many of you use them in your environments. Today I just want to explain the basics of access lists for students who need to understand the basic concept of access lists and their use.

Basic understanding of ACLs
An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as which operations are allowed on those objects. Put simply, each rule has one of two outcomes: permit or deny.

Things to Remember
Simply put, an ACL is used to permit or restrict access.

Types of Access Lists (ACL)
There are two categories of access lists: numbered and named. Numbered access lists are broken down into several ranges, each dedicated to a specific protocol. Named access lists use descriptive names instead of numbers to identify your access lists. Additionally, individual lines can be removed from a named access list. However, as with numbered lists, all new entries are still added to the bottom of the access list.

Things to Remember
Numbered Access Lists
Named Access Lists

Below is a basic diagram showing how access lists are used in your network.
Fig 1.1- Access List example
Things to Remember
Below are the numbered access list ranges and the protocol each range identifies.

  • 1-99 IP standard access list
  • 100-199 IP extended access list
  • 200-299 Protocol type-code access list
  • 300-399 DECnet access list
  • 400-499 XNS standard access list
  • 500-599 XNS extended access list
  • 600-699 Appletalk access list
  • 700-799 48-bit MAC address access list
  • 800-899 IPX standard access list
  • 900-999 IPX extended access list
  • 1000-1099 IPX SAP access list
  • 1100-1199 Extended 48-bit MAC address access list
  • 1200-1299 IPX summary address access list
  • 1300-1999 IP standard access list (expanded range)
  • 2000-2699 IP extended access list

Things to Remember
There are two common types of named access lists:

  • IP standard named access lists
  • IP extended named access lists

Standard IP access lists match only on the source host or network IP address, and should be placed closest to the destination network.

Router(config)# access-list 10 deny 172.20.0.0 0.0.255.255 (just an example)
Router(config)# access-list 10 permit any

To apply an access list, we configure an access group on an interface. Here we use interface serial 0/1 as the reference.

Router(config)# int s0/1
Router(config-if)# ip access-group 10 in

To view all IP access lists configured on the router:
Router# show ip access-list

To view which interface an access list is applied to:

Router# show ip interface
Router# show running-config

Extended IP Access Lists
An extended IP access list matches on source and destination address, protocol and port. For example:

Router(config)# access-list 101 permit tcp 172.20.0.0 0.0.255.255 host 172.18.10.10 eq 80
Router(config)# access-list 101 deny ip 172.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255
Router(config)# access-list 101 permit ip any any

Explanation of the above configuration
The first line allows the 172.20.x.x network access only to port 80 on the web server (172.18.10.10). The second line blocks 172.20.x.x from accessing anything else on the 172.18.x.x network. The third line allows 172.20.x.x access to anything else. Entries are evaluated top to bottom, and the first match decides; a packet that matches no entry is dropped by the implicit deny at the end of every access list.
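To make the matching rules concrete, here is an added illustrative evaluator (not IOS code, not part of the original post) that parses the three lines of access-list 101 above and decides permit or deny for a packet given as a dict with "proto", "src", "dst" and an optional "dport". The wildcard-mask handling and the implicit deny are the points worth watching.

```python
# Added illustrative evaluator for the extended access list 101 shown above.
# It is not IOS code, but it applies the rules the post describes: entries are
# checked top to bottom, the first match decides, and a packet matching no
# entry hits the implicit deny at the end of every access list.
import ipaddress

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' -> (value, care_mask, consumed)."""
    if tokens[0] == "any":
        return 0, 0, 1
    if tokens[0] == "host":
        return ip_int(tokens[1]), 0xFFFFFFFF, 2
    # Wildcard bit 0 = must match, 1 = don't care (the inverse of a subnet mask).
    care = ip_int(tokens[1]) ^ 0xFFFFFFFF
    return ip_int(tokens[0]) & care, care, 2

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]' (destination port only)."""
    t = line.split()
    src_v, src_c, n = parse_addr(t[4:])
    dst_v, dst_c, m = parse_addr(t[4 + n:])
    rest = t[4 + n + m:]
    return {"action": t[2], "proto": t[3], "src": (src_v, src_c), "dst": (dst_v, dst_c),
            "port": int(rest[1]) if rest[:1] == ["eq"] else None}

def matches(ace, pkt):
    """True when protocol, both addresses and (if given) the destination port agree."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        value, care = ace[key]
        if (ip_int(pkt[key]) & care) != value:
            return False
    return ace["port"] is None or ace["port"] == pkt.get("dport")

def evaluate(acl, pkt):
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"]
    return "deny"  # implicit deny: no entry matched

# The three entries of access-list 101 from the post, parsed in order.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp 172.20.0.0 0.0.255.255 host 172.18.10.10 eq 80",
    "access-list 101 deny ip 172.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255",
    "access-list 101 permit ip any any",
)]
```

Evaluating ACL_101[:2] (the list without its final permit any) against a packet from an unrelated network shows the implicit deny at work.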

To apply this access list, we would configure the following:

Router(config)# int e0
Router(config-if)# ip access-group 101 in

Extended IP Access List Port Operators
In the preceding example, we identified TCP port 80 on a specific host using the following syntax:

Router(config)# access-list 101 permit tcp 172.20.0.0 0.0.255.255 host 172.18.10.10 eq 80

We accomplished this using the operator eq, which is short for equals. Thus, we are identifying host 172.18.10.10 with a destination port that equals 80.

ICMP Access Lists

The ICMP message type that a "ping" uses is echo. To block specific ICMP message types, use an extended IP access list. On Router B, we would configure:

Router(config)# access-list 102 deny icmp 172.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255 echo
Router(config)# access-list 102 permit icmp 172.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255
Router(config)# access-list 102 permit ip any any

The first line blocks only ICMP echo requests (pings). The second line allows all other ICMP traffic. The third line allows all other IP traffic. To apply the access list on the other router, configure the following:

Router(config)# int e0
Router(config-if)# ip access-group 102 in