Monday, May 27, 2024

Cisco 119 - Standard ACLs

ACL = Access Control List
ACE = Access Control Entry

A single ACL contains multiple sequentially ordered ACEs

ACLs = Like simple IP-based firewall rules (source/destination).

ACLs are configured globally on the router and then applied to an inbound or outbound interface.

Implicit DENY ALL at the end. After finding the first matching ACE, the router acts on it and won't process the remaining ACEs, so ordering matters.


ACL Types:
Standard - Match based on source IP address only
    - Standard Numbered ACLs
    - Standard Named ACLs

Extended ACLs - Match based on Source/Destination IP, Source/Dest port, etc.
    - Extended Numbered ACLs
    - Extended Named ACLs

Standard ACLs use numbers 1-99 and 1300-1999.

Standard Numbered ACLs:

Syntax:
R1(config)#access-list number {deny | permit} source-ip [wildcard-mask]

R1(config)#access-list 1 deny 1.1.1.1 0.0.0.0
R1(config)#access-list 1 deny 1.1.1.1
^ These both do the same thing.  Deny a specific host at 1.1.1.1
R1(config)#access-list 1 deny host 1.1.1.1
^ Same as previous two. Historical.

R1(config)#access-list 1 permit any
R1(config)#access-list 1 permit 0.0.0.0 255.255.255.255
^ These both do the same thing: allow all.
R1(config)#access-list 1 remark ## My comment goes here ##
^ Comments

Here is an example access list:
R1(config)#access-list 1 deny 1.1.1.1 0.0.0.0
R1(config)#access-list 1 permit 0.0.0.0 255.255.255.255
R1(config)#access-list 1 remark ## Block Bob from Accounting ##

R1(config)#do show access-lists
Standard IP access list 1
    10 deny 1.1.1.1
    20 permit any

^ This shows access lists of every type, not only IP ones.

R1(config)#do show ip access-lists
Standard IP access list 1
    10 deny 1.1.1.1
    20 permit any

^ This limits output to ONLY IP access-lists

R1(config)#do show running-config | include access-list
access-list 1 deny 1.1.1.1
access-list 1 permit any
access-list 1 remark ##Block Bob from Accounting ##

^ Notice how we had to coax comments out from the running-config

!! Easy to forget !!
Now apply the ACL to an interface:
R1(config-if)#ip access-group number {in|out}

Recommendation for Standard ACLs: Apply the ACL to the interface nearest the destination. Because a standard ACL matches only on source, placing it near the source would block that source's traffic to every destination, not just the one you intended.

Standard Named ACLs:

Still only match based on source IP

R1(config)#ip access-list standard acl-name
R1(config-std-nacl)#[entry-number] {deny|permit} source-ip [wildcard-mask]

R1(config)#ip access-list standard BLOCK_BOB
R1(config-std-nacl)#5 deny 1.1.1.1
R1(config-std-nacl)#10 permit any
R1(config-std-nacl)#remark ## Configured May 27 2024 ##
R1(config-std-nacl)#int g0/0
R1(config-if)#ip access-group BLOCK_BOB in


Editing and resequencing ACLs

You can configure numbered ACLs the same way as named ACLs:

R1(config)#access-list 1 deny 192.168.1.1
R1(config)#access-list 1 permit any
^ The normal numbered way

R1(config)#ip access-list standard BLOCK_PC1
R1(config-std-nacl)#deny 192.168.1.1
R1(config-std-nacl)#permit any
^ The named way

R1(config)#ip access-list standard 1
R1(config-std-nacl)#deny 192.168.1.1
R1(config-std-nacl)#permit any
^ Use the numbered ACL as a name

With this approach, you can modify ACEs in an ACL:

R1(config-std-nacl)#no 30
^ This would remove ACE 30

R1(config-std-nacl)#30 deny 192.168.2.0 0.0.0.255
^ This would insert a new ACE 30 in the slot where we previously deleted one

We can also renumber (resequence) ACEs in an ACL:

R1(config)#ip access-list resequence 1 5 10
^ This would renumber ACL #1 starting at 5 and incrementing by 10
Probably more common to start at 10 and increment by 10:
R1(config)#ip access-list resequence 1 10 10
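As an added illustration (not part of these notes or of the course), here is a small Python model of how a router walks a standard ACL: wildcard-mask matching with the host/any shorthands from above, first-match evaluation with the implicit deny at the end, and the resequence command. Function and class names are my own, and the sequence-number defaulting is an approximation of IOS behaviour.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    seq: int
    action: str  # "permit" or "deny"
    addr: int    # address to match, as a 32-bit int
    wild: int    # wildcard mask: a set bit means "don't care"

def parse_ace(line: str, default_seq: int) -> Ace:
    """Parse one standard ACE, e.g. '10 deny 1.1.1.1', 'permit any',
    'deny host 1.1.1.1' or '30 deny 192.168.2.0 0.0.0.255'."""
    tok = line.split()
    seq = int(tok.pop(0)) if tok[0].isdigit() else default_seq
    action = tok.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    if tok[0] == "any":                      # any == 0.0.0.0 255.255.255.255
        addr, wild = 0, 0xFFFFFFFF
    elif tok[0] == "host":                   # host x.x.x.x == x.x.x.x 0.0.0.0
        addr, wild = int(ipaddress.IPv4Address(tok[1])), 0
    else:
        addr = int(ipaddress.IPv4Address(tok[0]))
        # An omitted wildcard defaults to 0.0.0.0 (exact host), as in IOS.
        wild = int(ipaddress.IPv4Address(tok[1])) if len(tok) > 1 else 0
    return Ace(seq, action, addr, wild)

def build_acl(lines: list[str]) -> list[Ace]:
    """Build an ordered ACL; remarks are skipped (they never match traffic).
    Unnumbered ACEs get the next multiple of 10 (approximates IOS)."""
    acl: list[Ace] = []
    for line in lines:
        if "remark" in line.split()[:2]:
            continue
        next_seq = (max(a.seq for a in acl) // 10 + 1) * 10 if acl else 10
        acl.append(parse_ace(line, next_seq))
    return sorted(acl, key=lambda a: a.seq)

def evaluate(acl: list[Ace], source_ip: str) -> tuple[str, Optional[int]]:
    """First-match evaluation of a source address. Returns (action, seq) of
    the winning ACE, or ('deny', None) for the implicit deny-all at the end."""
    src = int(ipaddress.IPv4Address(source_ip))
    for ace in acl:
        mask = ~ace.wild & 0xFFFFFFFF      # bits that must match exactly
        if (src & mask) == (ace.addr & mask):
            return ace.action, ace.seq     # stop at the first match
    return "deny", None

def resequence(acl: list[Ace], start: int, step: int) -> list[Ace]:
    """Mirror 'ip access-list resequence <acl> <start> <step>'."""
    return [ace._replace(seq=start + i * step) for i, ace in enumerate(acl)]
```

Feeding it the BLOCK_BOB entries from above shows 1.1.1.1 stopping at ACE 5 while any other source falls through to the permit, and a source matching no ACE hits the implicit deny.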



[These are my notes from Jeremy's excellent CCNA course which can be viewed here.]