Page 1 Access Lists
Lecture 7
Hassan Shuja
04/25/2006
Page 2 Access Lists
Access Lists (ACL)
– Access lists are used to filter traffic that passes through a router
– Some key features of Cisco ACLs:
  – Packets can be filtered as they enter an interface
  – Packets can be filtered before they exit an interface
  – Deny is the term used in Cisco IOS to block a packet at the interface that is doing the filtering
  – Permit is the term used in Cisco IOS to allow a packet through the interface that is doing the filtering
  – At the end of every ACL is an implied “deny all traffic” statement. Therefore, if a packet does not match any of your access list statements, it is blocked
  – ACLs filter packets by looking at the IP, TCP, and UDP headers in the packet
  – There are two types of ACLs:
    – The standard ACL only examines the source IP address
    – The extended ACL can examine the source and destination IP address, as well as the source and destination port numbers
  – ACLs use a wildcard mask instead of a subnet mask
  – Wildcard masks are the inverse of the subnet mask: the 1s become 0s and the 0s become 1s
Page 3 Access Lists
Standard Access Lists
– Standard ACLs are numbered in the range of 1 to 99 or 1300 to 1999
– The following is the syntax for a standard ACL:
  – “access-list number permit/deny ip-address wildcard-mask”
  – “access-list 1 permit 172.16.0.0 0.0.255.255”
  – “access-list 1 deny 165.31.0.0 0.0.255.255”
  – Configuration is done in configuration mode
– A standard ACL needs to be enabled under the interface before it will work
  – The command used to apply an ACL to an interface is “ip access-group”
  – This command is run under the interface mode
  – To enable an ACL, the interfaces on the router need to be designated as the “inside” and “outside” interface
  – “ip access-group 1 out” or “ip access-group 1 in”
Page 4 Access Lists
Extended Access Lists
– Extended ACLs are numbered in the range of 100 to 199 or 2000 to 2699
– The following is the syntax for an extended ACL:
  – “access-list number permit/deny protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask eq port-number”
  – “access-list 101 permit tcp 172.16.0.0 0.0.255.255 165.33.15.0 0.0.0.255 eq 23”
  – “access-list 101 deny udp host 130.85.5.5 209.80.1.0 0.0.255.255 eq 80”
  – “host” can be used to specify one IP address
  – “eq” stands for equal and tells the router the exact port to filter traffic on
  – Ports can also be compared by using less than (lt) or greater than (gt)
  – Configuration is done in configuration mode
– An extended ACL needs to be enabled under the interface before it will work
  – The command used to apply an ACL to an interface is “ip access-group”
  – This command is run under the interface mode
  – To enable an ACL, the interfaces on the router need to be designated as the “inside” and “outside” interface
  – “ip access-group 101 out” or “ip access-group 101 in”
– Remarks can be written to identify the ACL
  – “access-list 101 remark this access list is used to deny web traffic”
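To make the mechanics of slides 2 through 4 concrete, the following is an added Python model of numbered ACL evaluation; it is not code from the lecture or from Cisco IOS. It implements wildcard-mask matching (a 0 bit must match, a 1 bit is ignored), the standard/extended distinction by list number, the eq/lt/gt port operators, remark lines that never match traffic, and top-down first-match evaluation that falls through to the implied deny. The entries in `PAGE_CONFIG` are the ones printed on the slides; the `Packet` class and the function names are this example's own assumptions, and IOS keywords beyond those shown on the slides (for example `any`) are deliberately not modelled.

```python
"""Model of Cisco IOS numbered access lists (added example): wildcard masks,
standard vs. extended entries, first-match evaluation, implicit deny all."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

STANDARD_RANGES = ((1, 99), (1300, 1999))     # number ranges from the lecture
EXTENDED_RANGES = ((100, 199), (2000, 2699))

# ACL lines exactly as they appear on the slides (the remark is skipped when matching).
PAGE_CONFIG = """
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 deny 165.31.0.0 0.0.255.255
access-list 101 remark this access list is used to deny web traffic
access-list 101 permit tcp 172.16.0.0 0.0.255.255 165.33.15.0 0.0.0.255 eq 23
access-list 101 deny udp host 130.85.5.5 209.80.1.0 0.0.255.255 eq 80
"""

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_from_subnet(subnet_mask: str) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return str(ipaddress.IPv4Address(_ip(subnet_mask) ^ 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means the address bit must equal the base; a 1 bit is ignored."""
    care = _ip(wildcard) ^ 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & care == 0

@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    src: str
    src_wc: str
    proto: Optional[str] = None    # None for a standard entry (source address only)
    dst: Optional[str] = None
    dst_wc: Optional[str] = None
    port_op: Optional[str] = None  # eq / lt / gt
    port: Optional[int] = None

@dataclass
class Packet:                      # hypothetical packet summary used for evaluation
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"
    dport: int = 0

def is_standard(number: int) -> bool:
    return any(lo <= number <= hi for lo, hi in STANDARD_RANGES)

def _addr(tokens, i):
    """Consume 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard, next index)."""
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():   # a wildcard mask follows
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1                       # bare address = exact host

def parse_acl(config: str) -> dict:
    """Group access-list lines by number, preserving their order (order decides matches)."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        number = int(t[1])
        entries = acls.setdefault(number, [])
        if t[2] == "remark":        # remarks only document the list; they never match traffic
            continue
        action = t[2]
        if is_standard(number):
            src, wc, _ = _addr(t, 3)
            entries.append(Entry(action, src, wc))
            continue
        proto = t[3]
        src, swc, i = _addr(t, 4)
        dst, dwc, i = _addr(t, i)
        op = port = None
        if i + 1 < len(t):          # optional port comparison: eq/lt/gt <port>
            op, port = t[i], int(t[i + 1])
        entries.append(Entry(action, src, swc, proto, dst, dwc, op, port))
    return acls

def _port_ok(e: Entry, dport: int) -> bool:
    if e.port_op is None:
        return True
    return {"eq": dport == e.port, "lt": dport < e.port, "gt": dport > e.port}[e.port_op]

def evaluate(entries, pkt: Packet) -> str:
    """First matching entry wins; no match means the implied 'deny all' applies."""
    for e in entries:
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if e.proto is not None:     # extended entry: also check protocol, destination, port
            if e.proto != "ip" and e.proto != pkt.proto:
                continue
            if not wildcard_match(pkt.dst, e.dst, e.dst_wc) or not _port_ok(e, pkt.dport):
                continue
        return e.action
    return "deny"

if __name__ == "__main__":
    acls = parse_acl(PAGE_CONFIG)
    print(evaluate(acls[101], Packet("172.16.1.1", "165.33.15.7", "tcp", 23)))  # permit
    print(evaluate(acls[101], Packet("172.16.1.1", "165.33.15.7", "tcp", 80)))  # deny (implied)
```

Running it shows the point the slides make about the trailing deny: a Telnet packet from 172.16.0.0/16 to 165.33.15.0/24 is permitted by the first entry of list 101, while the same hosts on port 80 match nothing and are dropped even though no line says so.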