Security on Routers: Access Control Lists (ACLs)
Access Control Lists (ACLs) are a security feature of Cisco IOS. With an ACL we can permit or deny access to network services.
An ACL is a layer 3 filter (extended lists also look at layer 4 ports) that controls the flow of traffic passing through a router.
It is a powerful tool for controlling network traffic.
It is used to manage IP traffic as a network grows.
It decides which packets are permitted and which are denied as they pass through the router.
An access list filters unwanted packets while implementing a security policy; this is also called packet-filtering firewalling.
Types of ACL :
Standard Access Lists
Extended Access Lists
Named Access Lists
Terminology used in Access Control Lists
Deny: blocking a network, host, subnet or service
Permit: allowing a network, host, subnet or service
Source Address: the address of the host from which the request originates
Destination Address: the address of the host at which the request ends
Inbound: traffic coming into the interface
Outbound: traffic going out of the interface
Protocol: IP, TCP, UDP, ICMP
Access Control Lists (ACL) Type | Access Control Lists (ACL) Numbers |
---|---|
IP Standard | 1–99, 1300–1999 |
IP Extended | 100–199, 2000–2699 |
A number between 1–99 or 1300–1999 creates a standard IP Access Control List (ACL).
A number between 100–199 or 2000–2699 creates an extended IP Access Control List (ACL).
Standard ACL
List numbers lie between 1 and 99 (or 1300 and 1999)
Matches only on source address, so it can block a network, host or subnet
Because the denied host's packets never reach the other side, communication with that host is cut off in both directions
All services from the matched source are blocked; a standard ACL cannot distinguish protocols or ports
Should be applied as close to the destination as possible: since it cannot tell destinations apart, placed near the source it would cut the source off from everything, not just the protected network
Standard IP Access List
Standard IP lists (1–99, 1300–1999) check only the source address of each IP packet.
Configuration Syntax
access-list access-list-number [permit | deny] source [source-mask]
Apply ACL to an interface
ip access-group access-list-number [in | out]
Example of Standard IP Access List
Configuration:
The example below allows only network 10.0.0.0/8 to reach the server behind Fa0/1.
Define which source is allowed to pass:
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
Apply this ACL outbound on the interface facing the server:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
Every ACL ends with an implicit "deny any", so all traffic not sourced from 10.0.0.0/8 is now dropped on that interface, and only 10.0.0.0/8 gets through.
"0.255.255.255" is the wildcard mask of network 10.0.0.0/8: a 0 bit must match, a 1 bit is ignored, so the wildcard is the bitwise inverse of the subnet mask 255.0.0.0.
Extended ACL
List numbers lie between 100 and 199 (or 2000 and 2699)
Can block a network, host, subnet or individual service
Matches source and destination, so one direction of a conversation can be stopped while the other is left alone
Selected services can be blocked by protocol and port
Should be applied as close to the source as possible, so unwanted traffic is dropped before it crosses the network
Extended IP Access List
Configuration Syntax
access-list access-list-number [permit | deny] protocol source [source-wildcard] destination [destination-wildcard] [operator port]
where operator is one of eq, neq, lt, gt or range (see the table below), and host A / any are shorthand for "A 0.0.0.0" / "0.0.0.0 255.255.255.255".
Example of Extended IP Access List
The example below denies FTP (TCP ports 21 and 20) from network 10.0.0.0/8 to the host 187.100.1.6 and allows all other traffic.
Define which protocol, source, destination and port are denied, then permit everything else. Entries are checked top to bottom and the first match wins, so the two deny lines must come before the permit; without the final permit, the implicit deny would drop all remaining traffic:
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Operator | Description |
---|---|
lt | Less than |
gt | Greater than |
neq | Not equal to |
eq | Equal to |
range | Range of port numbers |
Named IP Access List
This allows standard and extended ACLs to be given names instead of numbers
Named IP Access List Configuration Syntax
ip access-list [standard | extended] [name | number]
Example of Named IP Access List
Define the ACL (the first command enters named-ACL configuration mode; permit and deny entries are then added one per line):
Router(config)#ip access-list extended in_to_out
Router(config-ext-nacl)#permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet
Router(config-ext-nacl)#exit
Apply this ACL to an interface:
Router(config)#interface Fa0/0
Router(config-if)#ip access-group in_to_out in
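As an added example (not from the original page), here is the same named ACL written the way it would usually be deployed: a remark documenting its purpose, an explicit `deny ip any any log` in place of the silent implicit deny so that dropped packets show up in the hit counters and in syslog, the list applied inbound on Fa0/0 (assumed here to be the interface facing 10.0.0.1, so the filter sits closest to the source), and the show commands used to verify it. Interface names and addresses are the ones used above.

```text
Router(config)#ip access-list extended in_to_out
Router(config-ext-nacl)#remark only the admin host may telnet to the server
Router(config-ext-nacl)#permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet
Router(config-ext-nacl)#deny ip any any log
Router(config-ext-nacl)#exit
Router(config)#interface Fa0/0
Router(config-if)#ip access-group in_to_out in
Router(config-if)#end
Router#show access-lists in_to_out
Router#show ip interface Fa0/0 | include access list
```

The explicit deny filters exactly what the implicit deny would, but `show access-lists` now displays a match count for it and each dropped packet generates a log message, which is what you want when confirming the list is catching the traffic you expect and nothing else.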
Common TCP Port Names used in ACLs
Port | Keyword |
---|---|
FTP Data (TCP port 20) | ftp-data |
FTP Control (TCP port 21) | ftp |
Telnet (TCP port 23) | telnet |
SMTP (TCP port 25) | smtp |
HTTP (TCP port 80) | www |
Common UDP Port Names used in ACLs
Port | Keyword |
---|---|
DNS (UDP port 53) | dns |
TFTP (UDP port 69) | tftp |
SNMP (UDP port 161) | snmp |
RIP (UDP port 520) | rip |
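As an added example that is not part of the original page, the following Python models how IOS evaluates the ACLs shown above. It parses the exact lines typed in the standard, extended and named examples (including the `host`/`any` shorthand and the port keywords from the tables), applies wildcard-mask matching, walks the list top-down with first-match semantics and falls through to the implicit deny when nothing matches. It also builds the extended ACL with the `permit ip any any` moved to the top to show why ordering matters. `Packet`, `Entry` and all function names are this example's own, not IOS or Cisco code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords from the tables on this page.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
              "dns": 53, "tftp": 69, "snmp": 161, "rip": 520}

# Port operators: p = ports named in the entry, d = the packet's destination port.
_OPS = {"eq": lambda p, d: d in p, "neq": lambda p, d: d not in p,
        "lt": lambda p, d: d < p[0], "gt": lambda p, d: d > p[0],
        "range": lambda p, d: p[0] <= d <= p[1]}

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, tcp/udp only

@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: str
    src_wild: str
    dst: str = "0.0.0.0"         # standard ACLs: any destination
    dst_wild: str = "255.255.255.255"
    op: Optional[str] = None     # eq, neq, lt, gt, range
    ports: Tuple[int, ...] = ()

def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _is_ipv4(s: str) -> bool:
    return s.count(".") == 3 and all(p.isdigit() for p in s.split("."))

def wildcard_from_prefix(prefix_len: int) -> str:
    """The wildcard is the bitwise inverse of the subnet mask: /8 -> 0.255.255.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))

def wildcard_match(addr: str, ref: str, wild: str) -> bool:
    """Wildcard bit 0 = must match, 1 = don't care (0.0.0.0 is one host, 255.255.255.255 is any)."""
    care = ~_addr(wild) & 0xFFFFFFFF
    return (_addr(addr) & care) == (_addr(ref) & care)

def _take_addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (standard-ACL shorthand for a host)."""
    if toks[0] == "any":
        return "0.0.0.0", "255.255.255.255", toks[1:]
    if toks[0] == "host":
        return toks[1], "0.0.0.0", toks[2:]
    if len(toks) > 1 and _is_ipv4(toks[1]):
        return toks[0], toks[1], toks[2:]
    return toks[0], "0.0.0.0", toks[1:]

def parse_acl_line(line: str) -> Entry:
    """Parse 'access-list N ...' or a named-ACL body line like 'permit tcp host A host B eq telnet'."""
    toks = line.split("#")[-1].split()        # drop a leading 'Router(config)#' prompt
    standard = False
    if toks[0] == "access-list":
        num = int(toks[1])
        standard = 1 <= num <= 99 or 1300 <= num <= 1999
        toks = toks[2:]
    action, toks = toks[0], toks[1:]
    if standard:                              # standard ACLs match on source only
        src, wild, _ = _take_addr(toks)
        return Entry(action, "ip", src, wild)
    proto, toks = toks[0], toks[1:]
    src, src_wild, toks = _take_addr(toks)
    dst, dst_wild, toks = _take_addr(toks)
    op, ports = None, ()
    if toks:                                  # e.g. ['eq', '21'] or ['range', '20', '21']
        op, ports = toks[0], tuple(int(PORT_NAMES.get(p, p)) for p in toks[1:])
    return Entry(action, proto, src, src_wild, dst, dst_wild, op, ports)

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; no match at all hits the implicit 'deny any' at the end."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, e.src, e.src_wild)
                and wildcard_match(pkt.dst, e.dst, e.dst_wild)):
            continue
        if e.op and (pkt.dport is None or not _OPS[e.op](e.ports, pkt.dport)):
            continue
        return e.action
    return "deny"

# The ACLs from this page, exactly as typed into IOS.
ACL_1 = [parse_acl_line("Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255")]
ACL_101 = [parse_acl_line(line) for line in (
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21",
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20",
    "access-list 101 permit ip any any")]
# The same three lines with the permit first: the two deny entries become unreachable.
ACL_101_MISORDERED = [ACL_101[2], ACL_101[0], ACL_101[1]]
IN_TO_OUT = [parse_acl_line("permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet")]
```

Running `evaluate(ACL_101, Packet("tcp", "10.1.2.3", "187.100.1.6", 21))` returns "deny" while the same packet against `ACL_101_MISORDERED` returns "permit", which is the ordering mistake to check for on a real router with `show access-lists`: a deny entry whose match counter never moves, sitting below a broad permit, is not doing anything.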