ACLs for IPv4 Configuration - Coggle Diagram
Create an ACL
All access control lists (ACLs) must be planned. This is especially true for ACLs requiring multiple access control entries (ACEs).
Numbered Standard IPv4 ACL Syntax
Use the following global configuration command to create a numbered standard ACL:
This is the decimal number of the ACL.
This denies access if the condition is matched.
This permits access if the condition is matched.
This identifies the source network or host address to filter.
(Optional) This is a 32-bit wildcard mask that is applied to the source.
This keyword generates and sends an informational message whenever the ACE is matched.
Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.
Named Standard IPv4 ACL Syntax:
Naming an ACL makes it easier to understand its function. Use the following command:
The three highlighted options are configured similarly to the numbered standard ACL. Unlike the numbered ACL method, there is no need to repeat the initial ip access-list command for each ACE.
Apply a Standard IPv4 ACL: After a standard IPv4 ACL is configured, it must be linked to an interface or feature. The following command can be used to bind a numbered or named standard IPv4 ACL to an interface:
Numbered Standard IPv4 ACL Example: This first example shows a numbered standard IPv4 ACL implementation.
Assume only PC1 is allowed out to the internet. To enable this policy, a standard ACL ACE could be applied outbound on S0/1/0, as shown in the figure.
Next, assume that a new network policy states that hosts in LAN 2 should also be permitted to the internet. To enable this policy, a second standard ACL ACE could be added to ACL 10, as shown in the output.
Apply ACL 10 outbound on the Serial 0/1/0 interface.
Use the show running-config command to review the ACL in the configuration, as shown in the output.
Finally, use the show ip interface command to verify if an interface has an ACL applied to it.
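The syntax section above and this first example, carried through as an added IOS session (not output from the page or from Cisco). The numbered standard ACL command has the form access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]. The addresses are assumed: PC1 is 192.168.10.10, LAN 2 is 192.168.20.0/24, and S0/1/0 is the interface facing the internet.

```cisco
! Added example; addresses and interface names are assumed, not taken from the page.
R1# configure terminal
! ACE 1: only PC1 (assumed 192.168.10.10) may go out to the internet.
R1(config)# access-list 10 remark ACE permits only PC1 to the internet
R1(config)# access-list 10 permit host 192.168.10.10
! ACE 2, added later when the policy changes: all of LAN 2 (assumed 192.168.20.0/24).
R1(config)# access-list 10 remark ACE permits all LAN 2 hosts to the internet
R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
! Every other source is dropped by the implicit "deny any" at the end of the ACL.
R1(config)# interface s0/1/0
R1(config-if)# ip access-group 10 out
R1(config-if)# end
! Verify: the ACL in the running configuration, and the binding on the interface.
R1# show running-config | include access-list 10
R1# show ip interface s0/1/0 | include access list
R1# show access-lists 10
! Removing the whole ACL: unbind it from the interface first, then delete it.
R1# configure terminal
R1(config)# interface s0/1/0
R1(config-if)# no ip access-group 10 out
R1(config-if)# exit
R1(config)# no access-list 10
R1(config)# end
```

The order of the last four commands matters: an ip access-group that references an ACL which no longer exists filters nothing, so deleting the ACL while it is still bound silently permits all traffic on that interface until it is recreated.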
Named Standard IPv4 ACL Example:
This second example shows a named standard IPv4 ACL implementation.
Remove the previously configured numbered ACL 10 and create a named standard ACL called PERMIT-ACCESS, as shown here.
Now add an ACE permitting only host 192.168.10.10 and another ACE permitting all LAN 2 hosts to the internet.
Apply the new named ACL outbound to the Serial 0/1/0 interface.
Use the show access-lists and show running-config commands to review the ACL in the configuration, as shown in the output.
Finally, use the show ip interface command to verify that an interface has an ACL applied to it.
Two Methods to Modify an ACL
Text Editor Method: ACLs with multiple ACEs should be created in a text editor. This allows you to plan the required ACEs, create the ACL, and then paste it into the router interface. It also simplifies the tasks to edit and fix an ACL.
Sequence Numbers Method:
An ACL ACE can also be deleted or added using the ACL sequence numbers.
Use the ip access-list standard command to edit an ACL.
Modify a Named ACL Example:
Assume that host 192.168.10.5 from the 192.168.10.0/24 network should also have been denied.
ACL Statistics: Notice that the show access-lists command in the example shows statistics for each statement that has been matched. The deny ACE in the NO-ACCESS ACL has been matched 20 times and the permit ACE has been matched 64 times.
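The named standard ACL example (PERMIT-ACCESS) and the sequence-number edit of NO-ACCESS described above, as one added IOS session that is not output from the page or from Cisco. Assumptions: LAN 2 is 192.168.20.0/24, S0/1/0 faces the internet, G0/0/0 faces LAN 1, and the host that NO-ACCESS already denies is 192.168.10.10 (the page says only that one deny ACE exists and that 192.168.10.5 should also have been denied).

```cisco
! Added example; addresses and interface names are assumed, not taken from the page.
! 1. Replace numbered ACL 10 with the named ACL PERMIT-ACCESS.
R1# configure terminal
R1(config)# interface s0/1/0
R1(config-if)# no ip access-group 10 out
R1(config-if)# exit
R1(config)# no access-list 10
R1(config)# ip access-list standard PERMIT-ACCESS
R1(config-std-nacl)# remark ACE permits host 192.168.10.10
R1(config-std-nacl)# permit host 192.168.10.10
R1(config-std-nacl)# remark ACE permits all LAN 2 hosts
R1(config-std-nacl)# permit 192.168.20.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)# interface s0/1/0
R1(config-if)# ip access-group PERMIT-ACCESS out
R1(config-if)# exit
!
! 2. NO-ACCESS blocks one host (assumed 192.168.10.10) and permits the rest of
!    192.168.10.0/24. IOS assigns sequence numbers 10 and 20 to the two ACEs.
R1(config)# ip access-list standard NO-ACCESS
R1(config-std-nacl)# deny host 192.168.10.10
R1(config-std-nacl)# permit 192.168.10.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)# interface g0/0/0
R1(config-if)# ip access-group NO-ACCESS in
R1(config-if)# end
!
! 3. 192.168.10.5 should also have been denied. Appending the deny would give
!    it sequence 30, after the permit for the whole subnet, so it would never
!    match. Sequence 5 places it ahead of both existing ACEs.
R1# configure terminal
R1(config)# ip access-list standard NO-ACCESS
R1(config-std-nacl)# 5 deny host 192.168.10.5
R1(config-std-nacl)# end
R1# show access-lists NO-ACCESS
!
! 4. To remove one ACE, name its sequence number; the other ACEs and the
!    interface binding are untouched.
R1# configure terminal
R1(config)# ip access-list standard NO-ACCESS
R1(config-std-nacl)# no 5
R1(config-std-nacl)# end
```

Use show access-lists rather than show running-config when checking an edit like this: only show access-lists displays the sequence numbers and the match counters, which together confirm that the new ACE sits first and is the one actually being hit.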
The access-class Command:
Use the following command to apply an ACL to the vty lines:
The in keyword is the most commonly used option to filter incoming vty traffic. The out parameter filters outgoing vty traffic and is rarely applied.
Secure VTY Access Example:
In a production environment, you would set the vty lines to only allow SSH, as shown in the example.
To increase secure access, a username and password will be created, and the login local authentication method will be used on the vty lines:
Verify the VTY Port is Secured:
After the ACL to restrict access to the vty lines is configured, it is important to verify that it is working as expected.
Next, we test the connection from PC2. As shown in this figure, when PC2 attempts to Telnet, the connection is refused.
To verify the ACL statistics, issue the show access-lists command.
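The vty hardening described above (ACL applied with access-class, SSH only, local login), as an added IOS session that is not output from the page or from Cisco. The access-class command has the form access-class access-list-name-or-number {in | out}. Assumptions: the administrator's workstation is 192.168.10.10, the ACL is named ADMIN-HOST, and the username and password are placeholders.

```cisco
! Added example; the admin host, ACL name and credentials are assumed placeholders.
R1# configure terminal
! Local account used by "login local"; replace the placeholder with a strong secret.
R1(config)# username admin secret <STRONG-PASSWORD>
! Standard ACL listing the only source allowed to open a vty session.
R1(config)# ip access-list standard ADMIN-HOST
R1(config-std-nacl)# remark only the admin workstation may reach the vty lines
R1(config-std-nacl)# permit host 192.168.10.10
R1(config-std-nacl)# exit
! Bind the ACL to every vty line, accept SSH only, authenticate against the local database.
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class ADMIN-HOST in
R1(config-line)# end
! Verify: the match counter on the permit ACE increments on each admin login,
! and a refused connection from any other host shows up as a match on the
! implicit deny only if you add an explicit "deny any log" ACE to count it.
R1# show access-lists ADMIN-HOST
R1# show running-config | section line vty
```

Two checks worth making after pasting this: first, confirm how many vty lines the platform has (show line) and apply access-class to all of them, because a vty line without the access-class stays reachable from anywhere; second, SSH only works once the device has a hostname, an ip domain-name and an RSA key pair generated with crypto key generate rsa, which this page does not cover.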
Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater degree of control. They can filter on source address, destination address, protocol (i.e., IP, TCP, UDP, ICMP), and port number.
Protocols and Ports: Extended ACLs can filter on many different types of internet protocols and ports.
Protocol Options: The four highlighted protocols are the most popular options.
Port Keyword Options: Extended ACLs can filter on different port number and port name options. This example configures an extended ACL 100 to filter HTTP traffic.
Numbered Extended IPv4 ACL Syntax:
To create a numbered extended ACL, use the following global configuration command:
Protocols and Port Numbers Configuration Examples: Configuring the port number is required when there is no specific protocol name listed, such as SSH (port number 22) or HTTPS (port number 443), as shown in the next example.
Apply a Numbered Extended IPv4 ACL
The command to apply an extended IPv4 ACL to an interface is the same as the command used for standard IPv4 ACLs.
In this example, the ACL permits both HTTP and HTTPS traffic from the 192.168.10.0 network to go to any destination.
TCP Established Extended ACL: TCP can also perform basic stateful firewall services using the TCP established keyword.
Named Extended IPv4 ACL Syntax
Named extended ACLs are created in essentially the same way that named standard ACLs are created.
Named Extended IPv4 ACL Example
Edit Extended ACLs
Like standard ACLs, an extended ACL can be edited using a text editor when many changes are required. Otherwise, if the edit applies to one or two ACEs, then sequence numbers can be used.
Another Named Extended IPv4 ACL Example
The show access-lists command is used to verify the ACL statistics. Notice that the permit secure HTTPS counters (i.e., eq 443) in the SURFING ACL and the return established counters in the BROWSING ACL have increased.
Verify Extended ACLs
show ip interface
The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied, as shown in the output.
show access-lists
The show access-lists command can be used to confirm that the ACLs work as expected.
show running-config
The show running-config command can be used to validate what was configured. The command also displays configured remarks.
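The extended ACL material above (port keywords versus port numbers, numbered ACL 100 for HTTP and HTTPS, the named SURFING and BROWSING ACLs with the established keyword, and the verification commands), as one added IOS session that is not output from the page or from Cisco. The numbered extended command has the form access-list access-list-number {deny | permit | remark text} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]. Assumptions: 192.168.10.0/24 is LAN 1 behind G0/0/0, and S0/1/0 faces the internet.

```cisco
! Added example; interface names are assumed, not taken from the page.
R1# configure terminal
! Numbered extended ACL 100: HTTP and HTTPS from LAN 1 to any destination.
! Port 80 has the keyword "www"; port 443 has no keyword and is given as a number.
R1(config)# access-list 100 remark web traffic from LAN 1 to anywhere
R1(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq www
R1(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config)# interface g0/0/0
R1(config-if)# ip access-group 100 in
R1(config-if)# exit
!
! Named equivalent, SURFING, plus BROWSING for the return direction. Only one
! ACL can be bound per interface, per direction, so binding SURFING inbound
! on G0/0/0 replaces ACL 100 there.
R1(config)# ip access-list extended SURFING
R1(config-ext-nacl)# remark permit web traffic from LAN 1 to the internet
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# exit
! "established" matches only TCP segments with the ACK or RST bit set, i.e.
! replies to sessions the LAN opened. A SYN from the internet toward LAN 1
! carries neither bit, so it falls through to the implicit deny.
R1(config)# ip access-list extended BROWSING
R1(config-ext-nacl)# remark permit only returning web traffic to LAN 1
R1(config-ext-nacl)# permit tcp any 192.168.10.0 0.0.0.255 established
R1(config-ext-nacl)# exit
R1(config)# interface g0/0/0
R1(config-if)# ip access-group SURFING in
R1(config-if)# ip access-group BROWSING out
R1(config-if)# end
!
! Verify: direction and name of the bound ACLs, per-ACE match counters
! (the eq 443 counter in SURFING and the established counter in BROWSING
! should rise as hosts browse), and the remarks in the saved configuration.
R1# show ip interface g0/0/0 | include access list
R1# show access-lists
R1# show running-config | section ip access-list extended
```

The established keyword is flag matching, not session tracking: the router keeps no table of connections and simply admits any TCP segment whose ACK or RST bit is set, so treat it as a basic filter rather than a stateful firewall, and pair the match counters from show access-lists with the remarks in show running-config when auditing what each ACE is for.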