The document discusses access control lists (ACLs), including: 1) ACLs are used for packet filtering and can allow or deny traffic based on source/destination IP addresses and TCP/UDP ports. 2) Standard ACLs filter based on source IP address, extended ACLs add destination IP address and ports. 3) ACLs are configured with numbers or names and applied to interfaces to filter incoming or outgoing traffic.

1. Access Control List 2009 © Alexander Rybolovlev

2. A TCP Conversation SMTP 25 POP3 110 IMAP 143 HTTP 80 HTTPS 443 DNS 53 FTP-DATA 20 FTP 21 TFTP 69 SNMP 169 NTP 123

3. Packet Filtering ALLOW or DENY Source IP address Destination IP address ICMP message type TCP/UDP source port TCP/UDP destination port One ACL per protocol (e.g., IP or IPX) One ACL per interface (e.g., FastEthernet0/0) One ACL per direction (i.e., IN or OUT)

4. Numbering and Naming ACLs Router (config)# access-list ? <1-99> IP standard access list <100-199> IP extended access list <1100-1199> Extended 48-bit MAC address access list <1300-1999> IP standard access list (expanded range) <200-299> Protocol type-code access list <2000-2699> I P extended access list (expanded range) <700-799> 48-bit MAC address access list You assign a number based on which protocol you want filtered: (1 to 99) and (1300 to 1999): Standard IP ACL (100 to 199) and (2000 to 2699): Extended IP ACL You assign a name by providing the name of the ACL: Names can contain alphanumeric characters. It is suggested that the name be written in CAPITAL LETTERS. Names cannot contain spaces or punctuation and must begin with a letter. You can add or delete entries within the ACL.

5. Where To Place ACLs

6. Standard ACL [no] access-list acl-num {deny|permit|remark} [ source [source-wildcard]] [log] access-list 2 deny 192.168.10.1 access-list 2 permit 192.168.10.0 0.0.0.255 access-list 2 deny 192.168.0.0 0.0.255.255 access-list 2 permit 192.0.0.0 0.255.255.255 Router# show access-lists Standard IP access list 99 10 permit host 192.168.99.0 20 permit host 192.168.98.0 Router#conf t Router(config)#no access-list 99 Router(config)#end Router#show access-lists Router# Router(config)#access-list 10 remark Acces_to_LAN Router(config)#access-list 10 permit 192.168.10.0 Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out} Router(config)#access-list 1 permit ip 192.168.10.0 0.0.0.255 Router(config)#interface FastEthernet0/0 Router(config-if)#ip access-group 1 out

7. Example

8. Example

9. Example

10. Example

11. Edit Standard ACL #1 R1# show running-config | include access-list access-list 20 permit 192.168.10.100 access-list 20 deny 192.168.10.0 0.0.0.255 #2 access-list 20 permit 192.168.10.11 access-list 20 deny 192.168.10.0 0.0.0.255 #3 R1# conf t R1(config)# no access-list 20 R1(config)#access-list 20 remark Access for permit host 10.11 R1(config)# access-list 20 permit 192.168.10.11 R1(config)# access-list 20 deny 192.168.10.0 0.0.0.255

12. Naming ACL Router(config)# ip access-list [standart | extended] name Router(config-std-nacl)# [no] [num] {deny|permit|remark} … Router(config)#ip access-list standard Bumburum Router(config-std-nacl)#deny host 192.168.0.1 Router(config-std-nacl)#permit 192.168.0.0 0.0.0.255 Router#sh access-lists Standard IP access list Bumburum 10 deny host 192.168.0.1 20 permit 192.168.0.0 0.0.0.255 Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out} Router(config-if)#ip access-group Bumburum out

13. Edit ACL Router# show access-lists {acl-num|name} Router#sh access-lists 99 Standard IP access list 99 10 permit host 192.168.9.9 20 permit host 192.168.9.11 Router(config)# ip access-list {standart | extended} {acl-num|name} Router(config-std-nacl)# [no] [num] {deny|permit|remark} … Router#sh access-lists standard 99 Router(config-std-nacl)#15 permit host 192.168.9.10 Router#sh access-lists 99 Standard IP access list 99 10 permit host 192.168.9.9 15 permit host 192.168.9.10 20 permit host 192.168.9.11

14. Extended ACL R1(config)# access-list 101 permit tcp any eq ?

15. Example

16. Example

17. Example