2
• It is a Layer 3 security which controls the flow of
traffic from one router to another.
• It is also called as Packet Filtering Firewall.
Access Control List
3
ACL - Network Diagram
E0 192.168.1.150/24
HYD
LAN - 192.168.1.0/24
E0 192.168.2.150/24
CHE
LAN - 192.168.2.0/24
E0 192.168.3.150/24
BAN
LAN - 192.168.3.0/24
10.0.0.1/8S0
S110.0.0.2/8
11.0.0.1/8S0
S111.0.0.2/8
1.0 should not communicate with 2.0 network1.0 should not communicate with 2.0 network
1.1 1.2 1.3 2.1 2.2 2.3 3.1 3.2 3.3
6
• The access-list number lies between 1 – 99
• Can block a Network, Host and Subnet
• Two way communication is stopped
• All services are block.
• Implemented closest to the destination
Standard Access List
7
• The access-list number lies between 100 – 199
• Can block a Network, Host, Subnet and Service
• One way communication is stopped
• Selected services are block.
• Implemented closest to the source.
Extended Access List
8
• Deny : Blocking a Network/Host/Subnet/Service
• Permit : Allowing a Network/Host/Subnet/Service
• Source Address : The address of the PC from where
the request starts. Show Diagram
• Destination address : The address of the PC where the
request ends.
• Inbound : Traffic coming into the interface
• Outbound : Traffic going out of the interface
Terminology
9
• Protocols : IP
- TCP
- UDP
- ICMP
• Operators : eq (equal to)
neq (not equal to)
lt (less than)
gt (greater than)
• Services : HTTP, FTP, TELNET, DNS, DHCP etc..
Terminology
10
• Tells the router which addressing bits must
match in the address of the ACL statement.
• It’s the inverse of the subnet mask, hence is also
called as Inverse mask.
• A bit value of 0 indicates MUST MATCH (Check Bits)
• A bit value of 1 indicates IGNORE (Ignore Bits)
• Wild Card Mask for a Host will be always 0.0.0.0
Wild Card Mask
11
• A wild card mask can be calculated using
the formula :
Global Subnet Mask – Customized Subnet Mask
-------------------------------Wild Card Mask
E.g.255.255.255.255
– 255.255.255.240 ---------------------
0. 0. 0. 15
Wild Card Mask
12
• All deny statements have to be given First
• There should be at least one Permit statement
• An implicit deny blocks all traffic by default when
there is no match (an invisible statement).
• Can have one access-list per interface per direction.
(i.e.) Two access-list per interface, one in inbound
direction and one in outbound direction.
• Works in Sequential order
• Editing of access-lists is not possible (i.e) Selectively
adding or removing access-list statements is not
possible.
Rules of Access List
13
Standard ACL - Network Diagram
E0 192.168.1.150/24
HYD
LAN - 192.168.1.0/24
E0 192.168.2.150/24
CHE
LAN - 192.168.2.0/24
E0 192.168.3.150/24
BAN
LAN - 192.168.3.0/24
10.0.0.1/8S0
S110.0.0.2/8
11.0.0.1/8S0
S111.0.0.2/8
1.1 1.2 1.3 2.1 2.2 2.3 3.1 3.2 3.3
1.0 should not communicate with 2.0 network1.0 should not communicate with 2.0 network
Creation and
Implementation
is done Closest
to the
Destination.
Creation and
Implementation
is done Closest
to the
Destination.
14
Standard ACL - Network Diagram
E0 192.168.1.150/24
HYD
LAN - 192.168.1.0/24
E0 192.168.2.150/24
CHE
LAN - 192.168.2.0/24
E0 192.168.3.150/24
BAN
LAN - 192.168.3.0/24
10.0.0.1/8S0
S110.0.0.2/8
11.0.0.1/8S0
S111.0.0.2/8
1.1 1.2 1.3 2.1 2.2 2.3 3.1 3.2 3.3
1.0 should not communicate with 2.0 network1.0 should not communicate with 2.0 network
1.1
15
1.1 2.1Source IP
192.168.1.1
Destination IP192.168.2.1
access-list 1 deny 192.168.1.1 0.0.00.0
access-list 1 deny 192.168.1.2 0.0.00.0
access-list 1 permit any
Source IP 192.168.1.1
16
1.1 2.1Source IP
192.168.1.1
Destination IP192.168.2.1
Source IP 192.168.1.1
access-list 1 deny 192.168.1.1 0.0.00.0
access-list 1 deny 192.168.1.2 0.0.00.0
access-list 1 permit any
17
Standard ACL - Network Diagram
E0 192.168.1.150/24
HYD
LAN - 192.168.1.0/24
E0 192.168.2.150/24
CHE
LAN - 192.168.2.0/24
E0 192.168.3.150/24
BAN
LAN - 192.168.3.0/24
10.0.0.1/8S0
S110.0.0.2/8
11.0.0.1/8S0
S111.0.0.2/8
1.1 1.2 1.3 2.1 2.2 2.3 3.1 3.2 3.3
1.0 should not communicate with 2.0 network1.0 should not communicate with 2.0 network
1.3
18
1.1 2.1Source IP
192.168.1.3
Destination IP192.168.1.2
access-list 1 deny 192.168.1.1 0.0.00.0
access-list 1 deny 192.168.1.2 0.0.00.0
access-list 1 permit any
Source IP 192.168.1.3
x
19
1.1 2.1Source IP
192.168.1.3
Destination IP192.168.1.2
Source IP 192.168.1.3
xaccess-list 1 deny 192.168.1.1 0.0.00.0
access-list 1 deny 192.168.1.2 0.0.00.0
access-list 1 permit any
20
1.1 2.1Source IP
192.168.1.3
Destination IP192.168.1.2
Source IP 192.168.1.3
access-list 1 deny 192.168.1.1 0.0.00.0
access-list 1 deny 192.168.1.2 0.0.00.0
access-list 1 permit any
21
1.1 2.1Source IP
192.168.1.1
Destination IP192.168.2.1
Source IP 192.168.1.1
access-list 1 deny 192.168.1.1 0.0.00.0
access-list 1 deny 192.168.1.2 0.0.00.0
access-list 1 permit any
22
• Access-lists are identified using Names
rather than Numbers.
• Names are Case-Sensitive
• No limitation of Numbers here.
• One Main Advantage is Editing of ACL is Possible (i.e)
Removing a specific statement from the ACL is
possible.
(IOS version 11.2 or later allows Named ACL)
Named Access List
23
ACL - Network Diagram
E0 192.168.1.150/24
HYD
LAN - 192.168.1.0/24
E0 192.168.2.150/24
CHE
LAN - 192.168.2.0/24
E0 192.168.3.150/24
BAN
LAN - 192.168.3.0/24
10.0.0.1/8S0
S110.0.0.2/8
11.0.0.1/8S0
S111.0.0.2/8
1.1 1.2 1.3 2.1 2.2 2.3 3.1 3.2 3.3
1.0 should not communicate with 2.0 network1.0 should not communicate with 2.0 network