Chapter 5 - ACLs
CCNA Exploration 4.0
Bach Khoa Network Academy - Website: www.bkacad.com
Introduction
Using ACLs to Secure Networks
A TCP Conversation
• ACLs enable you to control traffic into and out of your network. This control can
be as simple as permitting or denying network hosts or addresses.
• ACLs can also be configured to control network traffic based on the TCP port
being used.
Packet Filtering
• Packet filtering, sometimes called static packet filtering, controls
access to a network by analyzing the incoming and outgoing packets
and passing or halting them based on stated criteria.
• Packet filtering works at the network layer of the Open Systems
Interconnection (OSI) model, or the Internet layer of TCP/IP.
• The ACL is a sequential list of permit or deny statements that apply to IP addresses or
upper-layer protocols.
• The ACL can extract the following information from the packet header, test it against its
rules, and make "allow" or "deny" decisions based on:
1. Source IP address
2. Destination IP address
3. ICMP message type
• The ACL can also extract upper layer information and test it against its rules. Upper
layer information includes:
1. TCP/UDP source port
2. TCP/UDP destination port
Packet Filtering Example
What is an ACL?
• An ACL is a router configuration script that controls whether a router permits or
denies packets to pass based on criteria found in the packet header.
• ACLs are also used for selecting types of traffic to be analyzed, forwarded, or
processed in other ways.
• Here are some guidelines for using ACLs:
1. Use ACLs in firewall routers positioned between your internal network and an
external network such as the Internet.
2. Use ACLs on a router positioned between two parts of your network to control
traffic entering or exiting a specific part of your internal network.
3. Configure ACLs on border routers (routers situated at the edges of your networks).
This provides a very basic buffer from the outside network, or between a less
controlled area of your own network and a more sensitive area of your network.
4. Configure ACLs for each network protocol configured on the border router
interfaces. You can configure ACLs on an interface to filter inbound traffic,
outbound traffic, or both.
The Three Ps: you can configure one ACL per protocol, per direction, per interface.
• ACLs perform the following tasks:
1. Limit network traffic to increase network performance. For example, if
corporate policy does not allow video traffic on the network, ACLs that
block video traffic could be configured and applied. This would greatly
reduce the network load and increase network performance.
2. Provide traffic flow control. ACLs can restrict the delivery of routing
updates. If updates are not required because of network conditions,
bandwidth is preserved.
3. Provide a basic level of security for network access. ACLs can allow one
host to access a part of the network and prevent another host from
accessing the same area. For example, access to the Human Resources
network can be restricted to select users.
4. Decide which types of traffic to forward or block at the router interfaces.
For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
5. Control which areas a client can access on a network.
6. Screen hosts to permit or deny access to network services. ACLs can
permit or deny a user to access file types, such as FTP or HTTP.
ACL Operation
• ACLs define the set of rules that give added control for packets that enter inbound
interfaces, packets that relay through the router, and packets that exit outbound
interfaces of the router.
• ACLs do not act on packets that originate from the router itself.
• Inbound ACLs - Incoming packets are processed before they are routed to the outbound
interface. An inbound ACL is efficient because it saves the overhead of a routing lookup if
the packet is discarded. If the packet is permitted by the tests, it is then processed for
routing.
• Outbound ACLs - Incoming packets are routed to the outbound interface first, and then
they are processed through the outbound ACL.
• ACL statements operate in sequential order. They evaluate packets
against the ACL, from the top down, one statement at a time.
– If a packet header and an ACL statement match, the rest of the
statements in the list are skipped, and the packet is permitted or
denied as determined by the matched statement.
– If a packet header does not match an ACL statement, the packet is
tested against the next statement in the list. This matching process
continues until the end of the list is reached.
• A final implied statement covers all packets for which no condition tested true.
Instead of proceeding into or out of an interface, the router drops all of these
remaining packets.
• This final statement is often referred to as the "implicit deny any
statement" or the "deny all traffic" statement.
• Because of this statement, an ACL should have at least one permit
statement in it; otherwise, the ACL blocks all traffic.
• There is a key caveat associated with this "deny all" behavior:
– For most protocols, if you define an inbound access list for traffic filtering, you should
include explicit access list criteria statements to permit routing updates.
– If you do not, you might effectively lose communication from the interface when
routing updates are blocked by the implicit "deny all traffic" statement at the end of
the access list.
Types of Cisco ACLs
• The two main tasks involved in using ACLs are as follows:
– Step 1. Create an access list by specifying an access list number or name
and access conditions.
– Step 2. Apply the ACL to interfaces or terminal lines.
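The sequential, first-match evaluation with the implicit "deny any" described under ACL Operation, the packet-header fields a filter tests (source, destination, protocol, port), and the two steps just listed (create the list, then apply it to an interface) can all be seen working in the following Python simulation. It is an added example, not part of the CCNA course material or of any Cisco software: it accepts a subset of the IOS numbered-ACL syntax (standard lists 1-99 matching a source only; extended lists 100-199 with protocol, source, destination and an optional `eq` port), evaluates packets top-down, and models inbound versus outbound application on a router. The configuration, packet values and interface names (`Fa0/0`, `Fa0/1`) are constructed for the example. The RIPv2 packet (UDP port 520 to 224.0.0.9) illustrates the caveat above: ACL 101 has no statement for routing updates, so the implicit deny drops it, while ACL 102 permits it; ACL 10, a list with only one deny entry, drops everything that crosses it.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)                 # 0.0.0.0 with wildcard 255.255.255.255
IMPLICIT_DENY = "implicit deny any (end of list)"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                 # ip, tcp, udp or icmp
    dport: int | None = None          # TCP/UDP destination port, if any

@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: tuple                        # (address, wildcard) as 32-bit integers
    dst: tuple
    dport: int | None                 # only the 'eq' operator is modelled
    text: str                         # original statement, kept for the decision trace

def _addr(t: list[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at token i."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2

def _match(rule: tuple, ip: str) -> bool:   # wildcard: a 0 bit must match, a 1 bit is ignored
    return ((int(IPv4Address(ip)) ^ rule[0]) & ~rule[1] & 0xFFFFFFFF) == 0

def parse_acl(config: str) -> dict[int, list[Entry]]:
    """Step 1: build {number: [Entry, ...]} from 'access-list N ...' lines, in order."""
    acls: dict[int, list[Entry]] = {}
    for line in config.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:                         # standard: source address only
            src, _ = _addr(t, 3)
            entry = Entry(action, "ip", src, ANY, None, line.strip())
        else:                                         # extended (100-199): proto src dst [eq port]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entry = Entry(action, t[3], src, dst, port, line.strip())
        acls.setdefault(number, []).append(entry)
    return acls

def evaluate(entries: list[Entry], pkt: Packet) -> tuple[str, str]:
    """Top-down, first match wins; a packet that reaches the end of the list is dropped."""
    for e in entries:
        if (e.proto in ("ip", pkt.proto) and _match(e.src, pkt.src)
                and _match(e.dst, pkt.dst) and e.dport in (None, pkt.dport)):
            return e.action, e.text
    return "deny", IMPLICIT_DENY

class Router:
    def __init__(self, acls: dict[int, list[Entry]]):
        self.acls, self.bindings = acls, {}          # bindings: (interface, "in"|"out") -> ACL
    def access_group(self, interface: str, number: int, direction: str) -> None:
        """Step 2: 'ip access-group N in|out'; at most one ACL per direction per interface."""
        if (interface, direction) in self.bindings:
            raise ValueError(f"{interface} already has an ACL applied {direction}")
        self.bindings[(interface, direction)] = number
    def forward(self, pkt: Packet, in_if: str, out_if: str) -> tuple[str, str, str]:
        """Inbound ACL runs before routing (a denied packet costs no lookup), outbound after."""
        trace = "no ACL applied"
        for interface, direction, stage in ((in_if, "in", "inbound"), (out_if, "out", "outbound")):
            number = self.bindings.get((interface, direction))
            if number is not None:
                action, trace = evaluate(self.acls[number], pkt)
                if action == "deny":
                    return "deny", stage, trace
        return "permit", "forwarded", trace

# Constructed sample config (not the course's): 10 is deny-only, 101 web only, 102 web + RIPv2
SAMPLE_CONFIG = """
access-list 10 deny host 10.1.1.1
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 102 permit udp any host 224.0.0.9 eq 520
access-list 102 permit tcp 192.168.10.0 0.0.0.255 any eq 80
"""

def demo() -> dict[str, tuple[str, str, str]]:
    acls = parse_acl(SAMPLE_CONFIG)
    web = Packet("192.168.10.5", "203.0.113.9", "tcp", 80)
    rip = Packet("192.168.10.1", "224.0.0.9", "udp", 520)   # RIPv2 update, UDP port 520
    r1, r2 = Router(acls), Router(acls)
    r1.access_group("Fa0/0", 101, "in")
    r1.access_group("Fa0/1", 10, "out")
    r2.access_group("Fa0/0", 102, "in")
    return {"web via 101 then 10": r1.forward(web, "Fa0/0", "Fa0/1"),
            "rip via 101": r1.forward(rip, "Fa0/0", "Fa0/1"),
            "rip via 102": r2.forward(rip, "Fa0/0", "Fa0/1")}
```

Calling `demo()` returns each packet's fate together with the stage where the decision was made and the statement that made it. The web packet passes ACL 101 inbound but is dropped outbound by ACL 10's implicit deny (the single deny entry never matches it, and nothing permits it), the RIP update is dropped inbound by ACL 101, and the same update is forwarded once ACL 102 carries an explicit permit for it. Every match result carries the statement text, which is the first thing to check when a list behaves unexpectedly.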
How a Standard ACL Works?
Numbering and Naming ACLs
• Using numbered ACLs is an effective method for determining the ACL
type on smaller networks with more homogeneously defined traffic.
– However, a number does not inform you of the purpose of the ACL.
– Starting with Cisco IOS Release 11.2, you can use a name to
identify a Cisco ACL.
Where to place ACLs
• The basic rules are:
– Locate extended ACLs as close as possible to the source of the traffic
denied. This way, undesirable traffic is filtered without crossing the network
infrastructure.
– Because standard ACLs do not specify destination addresses, place them
as close to the destination as possible.
General Guidelines for Creating ACLs
• Activity 5.1.9.2
Configuring Standard ACLs
Entering Criteria Statements
• A single-entry ACL with only one deny entry has the effect of denying all traffic.
You must have at least one permit statement in an ACL or all traffic is blocked.