An ACL (Access Control List) is an ordered list of rules that specifies which users or systems are allowed to access a particular object or system resource. On a router it is simply a set of instructions used to filter inbound and outbound traffic on an interface.
Access Control List Overview and Access List Concepts
An Access Control List is a packet identification mechanism: it classifies packets on the basis of their Layer 3 and Layer 4 headers. Each access list is composed of one or more ACEs (Access Control Entries), and each ACE is assigned a sequence number. ACEs are processed in sequential order until a match is found; the first matching entry decides the action and later entries are not consulted, so the order of the entries matters. Every ACL ends with an implicit deny-any entry, which means a packet that matches no ACE is dropped. Working with access lists follows three steps: Plan (decide what to filter and where), List (build the entries) and Apply (bind the list to an interface in a direction).
Types of Access Control List (ACL)
There are three types of access list: the Standard Access List, the Extended Access List and the Named Access List.
Standard Access Control Lists (ACLs)
Standard ACLs identify traffic based on the Layer 3 header only, and only the source IP address is checked. Numbered standard ACLs use the range 1 through 99 (and the expanded range 1300 through 1999). Because a standard ACL cannot see the destination, it is normally applied as close to the destination as possible so that it does not block traffic to other destinations.
Configuring, Applying, and Verifying Standard ACL
The following shows how to configure, apply and verify a standard ACL:
- Configuration command (host <address> is shorthand for a wildcard mask of 0.0.0.0, any for 0.0.0.0 255.255.255.255):
Router(config)#access-list <#> <permit | deny> {<source address> <wildcard mask> | host <source address> | any}
- Applying the ACL to an interface (interface configuration mode; one ACL per interface, per protocol, per direction):
Router(config-if)#ip access-group <#> <in | out>
- Verification commands:
Router# show ip access-lists
Router# show run | include access-list
To confirm that the list is actually bound to an interface, and in which direction, check the interface with show ip interface <interface>; a list that exists but is not applied filters nothing.
Extended Access Control Lists (ACLs)
Extended ACLs filter traffic based on Layer 3 and Layer 4 headers: the protocol, the source and destination IP addresses, and the source and destination port numbers can all be checked. Numbered extended ACLs use the range 100 through 199 (and the expanded range 2000 through 2699). Because they match on both endpoints, extended ACLs are normally applied close to the source, so unwanted traffic is dropped before it crosses the network.
Configuring, Applying and Verifying Extended Access Control List (ACL)
- Configuration command (the port operator is eq, neq, gt, lt or range, and is only valid for tcp and udp):
Router(config)#access-list <#> <permit | deny> <protocol> <source address> <wildcard mask> <destination address> <wildcard mask> [<operator> <port>]
- Applying the ACL to an interface (interface configuration mode):
Router(config-if)#ip access-group <#> <in | out>
- Verification commands:
Router# show ip access-lists
Router# show run | include access-list
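The processing rules described above (ACEs checked in sequence, first match wins, implicit deny at the end) and the extended-ACL syntax are easiest to understand by running them. The following is an added example, not part of the original page and not Cisco code: a small Python model of how an IOS extended ACL is evaluated, with a constructed four-entry ACL. It supports only the subset of the syntax shown above (ip, tcp, udp or icmp; any, host <address> or <address> <wildcard>; an optional eq <port> on the destination). It also adds a shadowed-entry check, an analysis the page does not describe, that reports entries which can never match because an earlier entry already covers every packet they describe; that is a common way an ACL silently stops doing what its author intended.

```python
"""Added example (not Cisco code): IOS-style extended ACL evaluation, ACE by ACE
until the first match, falling through to the implicit deny. Supports a subset
of the syntax described on this page; the sample ACL and packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

@dataclass(frozen=True)
class Packet:
    protocol: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port (TCP/UDP only)

@dataclass(frozen=True)
class ACE:
    seq: int
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches every IP protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]          # None means any destination port

def _address(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one address spec; return (address, wildcard mask, remaining tokens)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return int(IPv4Address(tokens[1])), 0, tokens[2:]
    return int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1])), tokens[2:]

def parse_ace(seq: int, line: str) -> ACE:
    tokens = line.split()
    action, protocol = tokens[0], tokens[1]
    if action not in ("permit", "deny") or protocol not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, src_wild, rest = _address(tokens[2:])
    dst, dst_wild, rest = _address(rest)
    dport = None
    if rest:  # only 'eq <port>' on tcp/udp is modelled here
        if rest[0] != "eq" or protocol not in ("tcp", "udp") or len(rest) != 2:
            raise ValueError(f"unsupported port operator in: {line!r}")
        dport = int(rest[1])
    return ACE(seq, action, protocol, src, src_wild, dst, dst_wild, dport)

def parse_acl(text: str) -> List[ACE]:
    """Number the entries 10, 20, 30, ... the way IOS sequences a named ACL."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("!")]
    return [parse_ace(10 * (i + 1), ln) for i, ln in enumerate(lines)]

def _addr_match(addr: int, wild: int, pkt_addr: int) -> bool:
    # Wildcard mask: 0 bits must match exactly, 1 bits are "don't care"
    # (the inverse of a subnet mask: 0.0.0.255 covers a /24).
    care = ~wild & ALL_ONES
    return addr & care == pkt_addr & care

def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol not in ("ip", pkt.protocol):
        return False
    if not _addr_match(ace.src, ace.src_wild, int(IPv4Address(pkt.src))):
        return False
    if not _addr_match(ace.dst, ace.dst_wild, int(IPv4Address(pkt.dst))):
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching ACE); None marks the implicit deny."""
    for ace in acl:                      # ACEs are checked in order...
        if matches(ace, pkt):
            return ace.action, ace.seq   # ...and the first match ends processing
    return "deny", None                  # implicit 'deny any' that ends every ACL

def _covers(a: ACE, b: ACE) -> bool:
    """True if every packet that could match b is also matched by a."""
    if a.protocol not in ("ip", b.protocol) or (a.dport is not None and a.dport != b.dport):
        return False
    for addr_a, wild_a, addr_b, wild_b in ((a.src, a.src_wild, b.src, b.src_wild),
                                           (a.dst, a.dst_wild, b.dst, b.dst_wild)):
        # b may not vary a bit that a fixes, and the bits a fixes must agree
        if wild_a | wild_b != wild_a or not _addr_match(addr_a, wild_a, addr_b):
            return False
    return True

def shadowed(acl: List[ACE]) -> List[Tuple[int, int]]:
    """(shadowed seq, shadowing seq) for ACEs that can never match because an
    earlier ACE already catches every packet they describe."""
    return [(b.seq, a.seq) for i, b in enumerate(acl) for a in acl[:i] if _covers(a, b)]

# Constructed sample ACL in the extended syntax described on the page.
SAMPLE_ACL = parse_acl("""
permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 22
permit tcp any host 10.2.2.10 eq 443
deny ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
permit icmp any any
""")
```

Two things the sample shows that the syntax template alone does not: HTTPS from 10.1.1.0/24 to 10.2.2.10 is permitted by entry 20 even though entry 30 denies that subnet, because entry 20 is evaluated first, and a UDP packet that matches no entry is denied with no sequence number at all, which is the implicit deny at work. The wildcard mask need not be contiguous: 0.255.0.255 fixes the first and third octets only.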
Named Access Control Lists (ACLs)
- Named ACLs are identified by a name instead of a number and can be either standard or extended. Each entry carries a sequence number, so individual statements can be removed (no <sequence>) or inserted at a chosen position (<sequence> <permit | deny> ...) without rewriting the whole list, unlike numbered ACLs.
- Configuring a standard named ACL:
Router(config)#ip access-list standard <name>
Router(config-std-nacl)#[<sequence>] <permit | deny> <source address> <wildcard mask>
- Configuring an extended named ACL:
Router(config)#ip access-list extended <name>
Router(config-ext-nacl)#[<sequence>] <permit | deny> <protocol> <source address> <wildcard mask> <destination address> <wildcard mask> [<operator> <port>]
- Applying the ACL to an interface (interface configuration mode):
Router(config-if)#ip access-group <name> <in | out>