2. In 60 Days – ICND2 Access Lists

3. Traffic Cops Decides what can pass through router Set of YES/NO filters Have several uses…

4. Use ACLs To filter traffic Reference NAT pools Debugging With route maps for routing

5. Types of ACL Standard Extended Named

6. Standard IP ACL Numbered from 1 to 99 Can filter on source host/network Can’t filter ports or protocols

7. Extended IP ACLs Numbered from 100-199 Filters port/destination/source etc. More complicated to configure

8. Named ACLs Names instead of numbers Can be standard or extended Slightly different commands

9. Need to Know... Port numbers Command syntax ACL rules

10. Common Ports PortServicePortService 20FTP Data80HTTP 21FTP Control110POP3 22SSH119NNTP 23Telnet123NTP 25SMTP161/162SNMP 53DNS443HTTPS 69TFTP

11. Command Syntax We will come to this!

12. ACL Rule #1 One ACL per interface per direction One incoming One outgoing One incoming One outgoing

13. ACL Rule #2 Processed top down Incoming 172.16.1.1 Permit 10.0.0.0 No match Permit 192.168.1.1 No match Permit 172.16.0.0 Match – Permit Permit 172.16.1.0 Not processed Deny 172.16.1.1 Not processed

14. ACL Rule #3 Implicit ‘deny all’ at bottom Incoming 172.20.1.1 Permit 10.0.0.0 No match Permit 192.168.1.1 No match Permit 172.16.0.0 No match Permit 172.16.1.0 No match Deny all Match – DROP PACKET

15. ACL Rule #4 Router can’t filter self generated traffic

16. ACL Rule #5 – Can’t Edit Live Can’t edit live standard or extended lists Can edit named 1.Stop access list working (from interface) 2.Copy into notepad – edit - reapply

17. ACL Rule #6 Disable ACL on the interface R1(config)#no ip access-group 101 in

18. ACL Rule #7 Can reuse the same ACL

19. ACL Rule #8 Keep ‘em short Most specific rules at top Permit 10.0.0.0 Permit 192.168.1.1 Permit 172.16.0.0 Deny 172.16.1.1 Should be at top

20. ACL Rule #9 Place as close to traffic source as possible Do not put it here

21. End