Accessing the WAN – Chapter 5

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public ITE I Chapter 6
Access Control Lists (ACLs)
Accessing the WAN – Chapter 5
Cisco Thai Nguyen Networking Academy
Objectives
• In this chapter, you will learn to:
  – Explain how ACLs are used to secure a medium-size enterprise branch office network, including the concept of packet filtering, the purpose of ACLs, how ACLs are used to control access, and the types of Cisco ACLs.
  – Configure standard ACLs in a medium-size enterprise branch office network, including defining filtering criteria, configuring standard ACLs to filter traffic, and applying standard ACLs to router interfaces.
  – Configure extended ACLs in a medium-size enterprise branch office network, including configuring extended ACLs and named ACLs, configuring filters, verifying and monitoring ACLs, and troubleshooting extended ACL issues.
  – Describe complex ACLs in a medium-size enterprise branch office network, including configuring dynamic, reflexive, and timed ACLs, verifying and troubleshooting complex ACLs, and explaining relevant caveats.
Types of IP ACLs in Cisco IOS Software
• These are examples of IP ACLs that can be configured in Cisco IOS Software:
  – Standard ACLs
  – Extended ACLs
  – Dynamic (lock and key) ACLs
  – IP-named ACLs
  – Reflexive ACLs
  – Time-based ACLs that use time ranges
  – Commented IP ACL entries
  – Context-based ACLs
  – Authentication proxy
  – Turbo ACLs
  – Distributed time-based ACLs
  Reference (URL truncated in the source): …61/technologies_configuration_example09186a0080100548.shtml
A TCP Conversation
• ACLs enable you to control traffic in and out of your network.
  – ACL control can be as simple as permitting or denying network hosts or addresses.
  – However, ACLs can also be configured to control network traffic based on the TCP port being used.
  – [Tony] Also, UDP, ICMP, time, and ……
• To understand how an ACL works, let us look at the dialogue when you download a webpage.
  – The TCP data segment identifies the port matching the requested service. For example, HTTP is port 80, SMTP is port 25, and FTP is port 20 and port 21.
  – TCP packets are marked with flags:
    • a SYN starts (synchronizes) the session;
    • an ACK is an acknowledgment that an expected packet was received;
    • a FIN finishes the session;
    • a SYN/ACK acknowledges that the transfer is synchronized.
Packet Filtering
• Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.
  – These rules are defined using ACLs.
  – An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols.
• The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
  – Source IP address
  – Destination IP address
  – ICMP message type
  – TCP/UDP source port
  – TCP/UDP destination port
  – And ……….
Packet Filtering
• The protocols an extended ACL can match, as listed by IOS context-sensitive help (the "?" after the permit/deny keyword):

    Router(config)#access-list 101 deny ?
      <0-255>  An IP protocol number
      ahp      Authentication Header Protocol
      eigrp    Cisco's EIGRP routing protocol
      esp      Encapsulation Security Payload
      gre      Cisco's GRE tunneling
      icmp     Internet Control Message Protocol
      igmp     Internet Gateway Message Protocol
      igrp     Cisco's IGRP routing protocol
      ip       Any Internet Protocol
      ipinip   IP in IP tunneling
      nos      KA9Q NOS compatible IP over IP tunneling
      ospf     OSPF routing protocol
      pcp      Payload Compression Protocol
      pim      Protocol Independent Multicast
      tcp      Transmission Control Protocol
      udp      User Datagram Protocol
Packet Filtering Example
• For example, you could say:
  – "Only permit web access to users from network A."
  – "Deny web access to users from network B, but permit them to have all other access."
• This is just a simple example. You can configure multiple rules to further permit or deny services to specific users. You can also filter packets at the port level using an extended ACL, which is covered in Section 3.
What is an ACL?
• By default, a router does not have any ACLs configured and therefore does not filter traffic.
  – Traffic that enters the router is routed according to the routing table.
• An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
  – As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet.
    • [Tony]: It stops when it finds a matching statement.
  – The ACL applies a permit or deny rule to determine the fate of the packet.
    • [Tony]: If the ACL cannot find a matching statement in the list, the default action is to deny the traffic.
  – ACLs can be configured to control access to a network or subnet.
    • [Tony]: It can control traffic into and out of a network, a subnet, or a single host.
What is an ACL?
• Here are some guidelines for using ACLs:
  – Use ACLs in firewall routers positioned between your internal network and an external network, such as the Internet.
  – Use ACLs on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.
  – Configure ACLs on border routers, the routers situated at the edges of your networks.
    • This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
  – Configure ACLs for each network protocol configured on the border router interfaces.
    • You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
ACL: The Three Ps
• ACL: The Three Ps:
  – One ACL per protocol - An ACL must be defined for each protocol enabled on the interface.
  – One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
  – One ACL per interface - ACLs control traffic for an interface, for example, Fast Ethernet 0/0.
• The router in the example has two interfaces, each configured for three protocols: IP, AppleTalk, and IPX.
  – This router could require 12 separate ACLs:
    • one ACL for each protocol,
    • times two for each direction,
    • times two for the number of interfaces.
    • 3 protocols × 2 directions × 2 interfaces = 12
ACLs perform the following tasks
• Limit network traffic to increase network performance.
  – If corporate policy does not allow video traffic, ACLs can block video traffic.
• Provide traffic flow control.
  – ACLs can restrict the delivery of routing updates.
  – If updates are not required because of network conditions, bandwidth is preserved.
• Provide a basic level of security for network access.
  – ACLs can allow one host to access a part of the network and prevent others from accessing the same area.
• Decide which types of traffic to forward or block at the router interfaces.
  – For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
• Control which areas a client can access on a network.
• Screen hosts to permit or deny access to network services.
  – ACLs can permit or deny a user access to services such as FTP or HTTP.
• ACLs inspect network packets based on criteria such as source address, destination address, protocol, and port numbers.
• ACLs can classify traffic to enable priority processing down the line.
ACL Operation
• ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.
  – Inbound ACLs - An inbound ACL is efficient:
    • it saves the overhead of a routing lookup if the packet is discarded;
    • if the packet is permitted by the tests, it is then processed for routing.
  – Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
• Outbound ACLs do not act on packets that originate from the router itself (for example, its own routing updates); they filter transit traffic only.
ACL Operation - Inbound ACLs
• ACL statements operate in sequential order.
  – They evaluate packets against the ACL, from the top down, one statement at a time.
• If a packet header and an ACL statement match, the rest of the statements in the list are skipped,
  – and the packet is permitted or denied as determined by the matched statement.
• If a packet header does not match a statement, the packet is tested against the next statement in the list.
  – This matching process continues until the end of the list.
• A final implied (IMPLICIT) statement covers all packets for which no condition tested true.
  – This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement.
  – Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.
ACL Operation - Outbound ACLs
• Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable.
  – If the packet is not routable, it is dropped.
• Next, the router checks to see whether the outbound interface is grouped to an ACL.
• If the outbound interface is not grouped to an ACL,
  – the packet is sent directly to the outbound interface.
• If the outbound interface is grouped to an ACL,
  – the packet is not sent out on the outbound interface until it is tested by the combination of ACL statements that are associated with that interface.
• A final implied (IMPLICIT) statement covers all packets for which no condition tested true.
  – This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement.
ACL and Routing and ACL Processes on a Router
• As a frame enters an interface, the router checks the destination Layer 2 address.
• If the frame is accepted, the router checks for an ACL on the inbound interface.
• If an ACL exists, the packet is now tested against the statements in the list.
  – If the packet matches a statement, the packet is either accepted or rejected.
• If the packet is accepted at the interface, it is then checked against routing table entries to determine the destination interface and switched to that interface.
• Next, the router checks whether the destination interface has an ACL.
  – If an ACL exists, the packet is tested against the statements in the list.
• If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
2 Types of Cisco ACLs: standard and extended
• Standard ACLs
  – Standard ACLs allow you to permit or deny traffic from source IP addresses.
  – The destination of the packet and the ports involved do not matter.
  – The example allows all traffic from the 192.168.30.0/24 network.
    • Because of the implied "deny any" at the end, all other traffic is blocked by this ACL.
• Extended ACLs
  – Extended ACLs filter IP packets based on several attributes, for example, protocol type, source IP address, destination IP address, source TCP or UDP port, destination TCP or UDP port, and optional protocol type information for finer granularity of control.
  – In the figure, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to port 80 (HTTP) on any destination host.
How a Standard ACL Works
• A standard ACL is a sequential collection of permit and deny conditions that apply to source IP addresses.
  – The destination of the packet and the ports involved are not covered.
  – Because the software stops testing conditions after the first match, the order of the conditions is critical.
  – If no conditions match, the address is rejected.
• The two main tasks involved in using ACLs are as follows:
  – Step 1. Create an access list by specifying an access list number or name and access conditions.
  – Step 2. Apply the ACL to interfaces or terminal lines.
Example: the order of the conditions is critical
• Because the software stops testing conditions after the first match, the order of the conditions is critical.

    access-list 101 permit ip host 10.1.1.2 host 172.16.1.1
    access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1
    access-list 101 permit udp host 10.1.1.2 host 172.16.1.1

  – The first line matches every IP packet between the two hosts, so the tcp and udp lines after it can never be reached. Here they are merely redundant; had they been deny statements, they would have been silently ineffective.
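The following Python script is an added example, not code from these slides or from Cisco. It models the behaviour the "ACL Operation" slides describe (top-down evaluation, first match wins, implicit "deny any" when nothing matches) for the standard and extended ACL forms on the "2 Types of Cisco ACLs" slide, and it adds the check a practitioner wants for the ordering example above: which entries can never be reached because an earlier entry already covers them. The supported syntax is an assumed subset of IOS (host/any/wildcard addresses and a destination "eq" port only); the sample packets are constructed, ACL 1 and ACL 101 are taken from the slides, and the ACL 103 line is my reconstruction of the figure the slide describes.

```python
"""Toy model of how a Cisco IOS IP access list decides a packet's fate.

Added example for these slides, not Cisco code: statements are tested top-down,
the first match decides, and an unmatched packet hits the implicit "deny any".
Assumed syntax subset (no source ports, "established" or "log" keywords):
    access-list N permit|deny SRC                       standard (1-99)
    access-list N permit|deny PROTO SRC DST [eq PORT]   extended (100-199)
SRC/DST is "any", "host A.B.C.D" or "A.B.C.D WILDCARD"."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]        # (network, wildcard mask) as 32-bit ints
ANY: AddrSpec = (0, 0xFFFFFFFF)   # every wildcard bit set: matches everything
_ip = lambda text: int(ipaddress.IPv4Address(text))

@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" (covers every IP protocol), "tcp", "udp", ...
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]  # destination port from "eq PORT", else None
    text: str             # original line, kept for messages

def _parse_addr(t, i, wildcard_required):
    """Consume one address spec at t[i]; return (spec, index of the next token)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    if not wildcard_required and i + 1 >= len(t):   # standard ACL: bare address = host
        return (_ip(t[i]), 0), i + 1
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def parse_entry(line: str) -> Entry:
    t = line.split()
    if len(t) < 4 or t[0].lower() != "access-list" or t[2].lower() not in ("permit", "deny"):
        raise ValueError(f"not a supported access-list line: {line!r}")
    number, action = int(t[1]), t[2].lower()
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source address only
        src, _ = _parse_addr(t, 3, wildcard_required=False)
        return Entry(action, "ip", src, ANY, None, line)
    proto = t[3].lower()                              # extended: proto src dst [eq port]
    src, i = _parse_addr(t, 4, wildcard_required=True)
    dst, i = _parse_addr(t, i, wildcard_required=True)
    dport = int(t[i + 1]) if i < len(t) and t[i].lower() == "eq" else None
    return Entry(action, proto, src, dst, dport, line)

def _matches(e: Entry, pkt: dict) -> bool:
    def in_range(addr, spec):              # wildcard 1-bits are "don't care"
        care = ~spec[1] & 0xFFFFFFFF
        return (addr & care) == (spec[0] & care)
    return ((e.proto == "ip" or e.proto == pkt["proto"])
            and in_range(_ip(pkt["src"]), e.src) and in_range(_ip(pkt["dst"]), e.dst)
            and (e.dport is None or pkt.get("dport") == e.dport))

def evaluate(acl: List[Entry], pkt: dict) -> Tuple[str, Optional[Entry]]:
    """Top-down, first match wins; no match returns ("deny", None): the implicit deny."""
    for e in acl:
        if _matches(e, pkt):
            return e.action, e
    return "deny", None

def _covers(a: Entry, b: Entry) -> bool:
    """True if every packet matching b also matches a, so b can never fire after a."""
    def addr_subset(sa, sb):
        care_a = ~sa[1] & 0xFFFFFFFF   # b may only vary where a does not care
        return (sb[1] & care_a) == 0 and (sa[0] & care_a) == (sb[0] & care_a)
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport)
            and addr_subset(a.src, b.src) and addr_subset(a.dst, b.dst))

def shadowed(acl: List[Entry]) -> List[Tuple[int, int]]:
    """(dead line, earlier line) pairs, 1-based: entries first-match never reaches."""
    found = []
    for j, b in enumerate(acl):
        first = next((i for i, a in enumerate(acl[:j]) if _covers(a, b)), None)
        if first is not None:
            found.append((j + 1, first + 1))
    return found

# Constructed samples: ACL 1 and ACL 101 come from the slides; the ACL 103 line is
# reconstructed from the slide's description of its (missing) figure.
STANDARD_1 = [parse_entry("access-list 1 permit 192.168.30.0 0.0.0.255")]
EXTENDED_103 = [parse_entry("access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80")]
ORDER_101 = [parse_entry(line) for line in (
    "access-list 101 permit IP host 10.1.1.2 host 172.16.1.1",
    "access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1",
    "access-list 101 permit udp host 10.1.1.2 host 172.16.1.1",
)]

if __name__ == "__main__":
    for dport in (80, 22):
        action, hit = evaluate(EXTENDED_103, {"proto": "tcp", "src": "192.168.30.7", "dst": "10.0.0.1", "dport": dport})
        print(f"ACL 103 tcp/{dport}: {action} by {hit.text if hit else 'implicit deny any'}")
    for dead, first in shadowed(ORDER_101):
        print(f"ACL 101 line {dead} can never match: line {first} already covers it")
```

Running the script shows tcp/80 from 192.168.30.7 permitted by the ACL 103 line and tcp/22 dropped by the implicit deny, and reports lines 2 and 3 of ACL 101 as unreachable. The subset test in _covers is deliberately one-to-one (an entry hidden only by the union of several earlier entries is not reported), which is enough to catch the common mistake of a specific deny placed after a broad permit.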
Numbering and Naming ACLs
• Using numbered ACLs is an effective method for determining the ACL type on smaller networks.
  – Regarding numbered ACLs, in case you are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols.
  – This course focuses only on IP ACLs. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX.
  – However, a number does not inform you of the purpose of the ACL.
• Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.
Numbering and Naming ACLs
• When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it (the number scheme).
  – Five statements with the same number form one group, ACL 5:
      access-list 5 permit …
      access-list 5 permit …
      access-list 5 permit …
      access-list 5 permit …
      access-list 5 permit …
  – Statements with different numbers are five different groups, ACLs 1 to 5:
      access-list 1 permit …
      access-list 2 permit …
      access-list 3 permit …
      access-list 4 permit …
      access-list 5 permit …
Where to Place ACLs
• ACLs can act as firewalls to filter packets and eliminate unwanted traffic. Every ACL should be placed where it has the greatest impact on efficiency.
• The basic rules are:
  – Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
  – Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
(Figure: the source network at one end of the path and the destination at the other; not reproduced here.)
Where to Place ACLs
• Standard ACL: In the figure, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from getting to the 192.168.30.0/24 network.
  – A standard ACL on the outbound interface of R1 would also deny 192.168.10.0/24 the ability to reach every other destination beyond R1, because a standard ACL cannot distinguish destinations.
  – The solution is to place a standard ACL on the inbound interface of R3 to stop all traffic from the source address 192.168.10.0/24.
  – A standard ACL is only concerned with source IP addresses.
Where to Place ACLs
• Extended ACL: Placement depends on how far the network administrator's control extends.
• In this figure, the administrator of the 192.168.10.0/24 and 192.168.11.0/24 networks (referred to as Ten and Eleven) wants to deny Telnet and FTP traffic from Eleven to the 192.168.30.0/24 network (Thirty). At the same time, other traffic must be permitted to leave Ten.
• There are several ways to do this.
  1. An extended ACL on R3 blocking Telnet and FTP from Eleven would accomplish the task, but the solution still allows the unwanted traffic to cross the entire network, only to be blocked at the destination.
  2. Use an outbound extended ACL that says "Telnet and FTP traffic from Eleven is not allowed to go to Thirty", placed on the outbound S0/0/0 port of R1.
    • A disadvantage of this is that traffic from Ten would also be processed by the ACL, even though that traffic is allowed.
  – The better solution is to place an extended ACL on the inbound Fa0/2 of R1. This ensures that packets from Eleven do not enter R1, and cannot cross over into Ten.
General Guidelines for Creating ACLs
• Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service.
• Before starting to configure an ACL, basic planning is required.
• The figure presents guidelines that form the basis of an ACL best practices list.
General Guidelines for Creating ACLs: Activity