ACLs for IPv4 Configuration - Coggle Diagram
5.1. Configure Standard IPv4 ACLs
Command to create a numbered standard ACL:
Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
Use the no access-list access-list-number global configuration command to remove a numbered standard ACL
Naming an ACL makes it easier to understand its function
Router(config)# ip access-list standard access-list-name
After a standard IPv4 ACL is configured, it must be linked to an interface or feature
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
5.2. Modify IPv4 ACLs
5.2.1 Two methods to modify an ACL
Once an ACL is configured, it often needs to be modified again, since ACLs with multiple ACEs can be complex to set up. Two methods of modifying an ACL are covered here:
• Text Editor
• Sequence Numbers
5.2.2 Text Editor Approach
ACLs with multiple ACEs should be created in a text editor. This allows you to plan the required ACEs, create the ACLs, and have the option to paste them into the router interface.
5.2.3 Sequence Numbers Method
Entries can also be deleted from or added to an ACL using ACE sequence numbers, an identifier that is assigned automatically to each ACE when the ACL is created.
5.2.4 Example of Modifying a Named ACL
Named ACLs can also use sequence numbers to remove or add ACEs.
5.2.5 ACL Statistics
The show access-lists command displays, for each statement, how many packets have matched it. To track how many packets the implicit deny has dropped, an explicit deny any ACE must be configured manually. To clear the statistics of an ACL, use the clear access-list counters command.
5.2.6 Syntax Checker - Modify ACL for IPv4
5.3. Secure VTY Ports with a Standard IPv4 ACL
5.3.1 The access-class Command
ACLs typically filter incoming or outgoing traffic on an interface. However, an ACL can also be used to secure remote administrative access to a device using the vty lines.
Use the following two steps to secure remote administrative access to the vty lines:
• Create an ACL to identify which administrative hosts should be allowed remote access.
• Apply the ACL to incoming traffic on the vty lines.
5.3.2 Secure VTY Access Example
The topology in the figure is used to demonstrate how to configure an ACL to filter vty traffic. In this example, only PC1 will be allowed to Telnet in to R1.
5.3.3 Verify the VTY Port is Secured
This verifies that PC1 can access R1 for administrative purposes. Next, we test the connection from PC2. As shown in this figure, when PC2 attempts to Telnet, the connection is refused.
5.4. Configure Extended IPv4 ACLs
5.4.1 Extended ACLs
More powerful than Standard ACLs.
Can filter traffic by:
• Source address
• Destination address
• Protocol (IP, TCP, UDP, ICMP, etc.)
• Port number
Allow precise control (e.g., permit email, block FTP/web).
Two types:
• Numbered → access-list number ...
• Named → ip access-list extended name
5.4.2 Numbered Extended ACL Syntax
Router(config)# access-list <number> {permit|deny|remark text} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Apply ACL to interface → ip access-group <number|name> {in | out}
Remove ACL → no access-list <number>
5.4.3 Protocols and Ports
Supports filtering on many protocols: IP, TCP, UDP, ICMP, OSPF, GRE, EIGRP, etc.
Ports can be specified by name (www, ssh) or number (80, 22, 443).
Examples:
access-list 100 permit tcp any any eq 80 → HTTP
access-list 100 permit tcp any any eq 443 → HTTPS
access-list 100 permit tcp any any eq 22 → SSH
5.4.4 Placement of Extended ACLs
Best practice → place close to the source of the traffic.
Prevents unwanted traffic from traveling across the network.
5.4.5 TCP Established Keyword
established permits return traffic only (TCP segments with the ACK or RST flag set).
Works like a basic stateful firewall:
Inside → traffic goes out
Outside replies → allowed back in
New outside connections → blocked
5.4.6 Named Extended ACLs
Easier to manage and understand.
Syntax: ip access-list extended <name>
Example:
SURFING → permits outbound HTTP/HTTPS.
BROWSING → permits only returning web traffic inbound.
5.4.7 Editing Extended ACLs
Use sequence numbers for corrections.
Router(config)# ip access-list extended SURFING
Router(config-ext-nacl)# no 10
Router(config-ext-nacl)# 10 permit tcp 192.168.10.0 0.0.0.255 any eq www
5.4.8 Special Use Case Example
PERMIT-PC1 → only PC1 allowed to use FTP, SSH, Telnet, DNS, HTTP, HTTPS.
REPLY-PC1 → only returning traffic to PC1 is permitted.
All other LAN users → denied.
5.4.9 Verification Commands
show ip interface → shows ACL applied (in/out).
show access-lists → shows ACL rules + hit counters.
show running-config → shows current configuration.
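The matching rules the 5.4 sections describe (wildcard masks, top-down first match, the implicit deny, and the established keyword), as an added Python model that is not part of the Coggle map or of Cisco IOS. The ACEs placed in SURFING and BROWSING, the port-name table and the packet fields are assumptions for illustration.

```python
import ipaddress
PORT_NAMES = {"www": 80, "ssh": 22, "telnet": 23, "ftp": 21}  # names the page uses

def wildcard_match(addr, network, wildcard):
    # Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _addr(tokens):
    # consume 'any', 'host A.B.C.D' or 'NETWORK WILDCARD'
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))

def _port(tokens):
    # consume an optional 'eq <name|number>' operator, None when absent
    if tokens and tokens[0] == "eq":
        _, p = tokens.pop(0), tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None

def parse_ace(line):
    # {permit|deny} proto src src-wc [eq port] dst dst-wc [eq port] [established]
    action, proto, *rest = line.split()
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established="established" in rest)

def evaluate(acl, pkt):
    # top-down, first match wins; the unwritten last ACE is 'deny ip any any'
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *ace["src"])
                and wildcard_match(pkt["dst"], *ace["dst"])):
            continue
        if ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"]):
            continue
        if ace["established"] and not pkt["ack_or_rst"]:  # only TCP replies (ACK/RST set)
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

# Constructed ACLs modelled on the page's SURFING/BROWSING pair (ACE contents assumed)
SURFING = [parse_ace("permit tcp 192.168.10.0 0.0.0.255 any eq www"),
           parse_ace("permit tcp 192.168.10.0 0.0.0.255 any eq 443")]
BROWSING = [parse_ace("permit tcp any eq www 192.168.10.0 0.0.0.255 established"),
            parse_ace("permit tcp any eq 443 192.168.10.0 0.0.0.255 established")]
```

A new inbound SYN from the outside is refused by BROWSING even when it carries a web source port, because established requires the ACK or RST flag, while a reply to a LAN host's web request is permitted.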