The document discusses Access Control Lists (ACLs), which are lists of permit or deny rules that control what traffic can enter or leave a router's interface. There are standard ACLs, which filter traffic based only on the source IP address, and extended ACLs, which can filter traffic based on additional attributes like destination address, protocol, and port numbers. ACL rules are evaluated sequentially, with an implicit "deny all" rule at the end, so ACLs should be placed strategically to filter traffic close to either its source or destination.

1. Access Control List (ACL)
Prepared by: Roshan Kandel
Masters in Information & Communication Engineering
1

2. Introduction
• An ACL is a list of permit or deny rules detailing what can or can't
enter or leave the interface of a router.
• Every packet that attempts to enter or leave a router must be tested
against each rule in the ACL until a match is found.
• If no match is found, then it will be denied.
• To get a bit more technical, when a packet is sent out, it must know
where it's going (destination) and where it came from (source).
• So it contains a source and destination IP address.
• The router looks at this information to determine if it matches any of
the rules in its ACL.
2

3. • Access Control Lists (ACL) statements operate in sequential, logical
order.
• If a condition match is true, the packet is permitted or denied and the
rest of the Access Control Lists (ACL) statements are not checked.
• If all the Access Control Lists (ACL) statements are unmatched, an
implicit "deny any" statement is placed at the end of the list by default.
• Access list statements operate in sequential, logical order and they
evaluate packets from the top down.
• Once there is an access list statement match, the packet skips the rest
of the statements.
3

4. • If a condition match is true, the packet is permitted or denied.
• You should remember that there is an implicit "deny any" at the end of
every Access Control Lists (ACL).
• How Does Implicit Deny Work?
• The last rule in every ACL is an implicit deny statement. Because it's
implicit, you won't see it.
• Be aware that just because you don't see it doesn't mean it doesn't do
anything. This rule is very powerful.
• Every bit of traffic that doesn't match a rule in an ACL will be denied.
4

5. Why Use An ACL?
• The main idea of using an ACL is to provide security to your network.
• Without it, any traffic is either allowed to enter or exit, making it more
vulnerable to unwanted and dangerous traffic.
• To improve security with an ACL you can, for example, deny specific
routing updates or provide traffic flow control.
• As shown in the picture below, the routing device has an ACL that is
denying access to host C into the Financial network, and at the same
time, it is allowing access to host D.
5

6. • With an ACL you can filter packets for a single or group of IP address
or different protocols, such as TCP or UDP.
• So for example, instead of blocking only one host in the engineering
team, you can deny access to the entire network and only allow one.
Or you can also restrict the access to host C.
• If the Engineer from host C, needs to access a web server located in
the Financial network, you can only allow port 80, and block
everything else.
6

7. Where Can You Place an ACL?
• Many admins choose to place ACLs on the edge routers of a network.
• This enables them to filter traffic before it hits the rest of their system.
• To do this, you can place a routing device that has an ACL on it, positioning
it between the demilitarized zone (DMZ) and the internet.
• Within the DMZ, you may have devices such as application servers, web
servers, VPNs, or Domain Name System (DNS) servers.
• You can also place an ACL between the DMZ and the rest of your network.
• If you use an ACL between the internet and the DMZ, as well as between
the DMZ and the rest of your network, they will have different
configurations—each setting designed to protect the devices and users that
come after the ACL.
7

8. Types
• Standard and Extended Access Control Lists (ACL):
• Standard IP Access Control Lists (ACL) can be used filter traffic only
based on the source IP address of the IP datagram packet.
• An extended Access Control Lists (ACL) can be used to filter traffic
based on Source IP address, Destination IP address, Protocol
(TCP, UDP etc), Port Numbers etc.
8

9. • The following table shows the Access Control Lists (ACL) Types and
related Numbers which can be used to number an Access Control Lists
(ACL)
Access Control Lists (ACL) Type Access Control Lists (ACL) Numbers
IP Standard 1–99, 1300–1999
IP Extended 100–199, 2000–2699
9

10. Standard ACL
• Standard Access Control Lists (ACLs) are the oldest type of Access
Control Lists (ACL).
• Standard IP access lists are used to permit/deny traffic only based on
source IP address of the IP datagram packets.
• Standard Access Control Lists (ACLs) can be created by using the
"access-lists" IOS command.
• The syntax of "access-list" IOS command to create a Standard Access
Control List is shown below.
• access-list [Access_list_number] [permit | deny] [IP_address]
[wildcard mask (optional)]
10

11. • The arguments are explained in detail below.
• Access_list_number: For Standard Access Control List, Access list
number must be between 1–99 or 1300–1999.
• permit | deny: Whether to permit or deny traffic.
• IP_address: An IP address to filter the traffic.
• wildcard mask: Instead of specifying a single IP address, you can
also permit or deny networks/subnets entirely or partly by
using wildcard masks, also known as inverse masks. Wildcard mask is
optional in above IOS command.
11

12. Where should a Standard Access Control
List (ACL) be placed?
• Standard Access Control List (ACL) filters the traffic based on
source IP address.
• Therefore a Standard Access Control List (ACL) must be placed on
the router which is near to the destination network/host where it is
denied.
• If we place the Standard Access Control List (ACL) near to source of
the traffic, there is a chance for denial or other legitimate traffic from
the source network to some other network.
12

13. Access Control List (ACL) - Wildcard
Masks
• Wildcard masks are used in Access Control Lists (ACL) to identify
(or filter) an individual host or a network to permit or deny access .
• When using a wildcard mask, a 0 in a bit position means that the
corresponding bit position in the address of the Access Control Lists
(ACL) statement must match the bit position in the IP address in the
examined packet.
• A "0" bit in the wildcard mask means that corresponding part in the IP
address should exactly match and "1" bit means that the corresponding
part in IP address can be ignored.
13

14. • How to specify a single host using Access Control List (ACL)
Wildcard mask
• To specify a single host using Access Control List (ACL) Wildcard
mask, the IP address and wildcard mask should be as below.
• 172.16.0.12 0.0.0.0
• The keyword "host" can also be used to accomplish the same result as
shown below.
• host 172.16.0.12
14

15. • How to specify an entire network using Access Control List (ACL)
Wildcard mask
• To specify an entire network using Access Control List (ACL) Wildcard
mask, use a wild card mask of 255 (all bits "1" in that octet). The following
example can be used to specify all IP addresses in 172.16.0.0/16 network.
• 172.16.0.0 0.0.255.255
• The above example states that the values of only first two octets should
exactly match and the values of the last two octets can be any. This
statement can match all the IP addresses of 172.16.0.0/16 network.
15

16. Extended Access Control Lists
• Standard Access Control Lists can filter the IP traffic ONLY based
on the source IP address in an IP datagram packet.
• Extended Access Control Lists can filter the traffic based on many
other factors.
• Source and destination IP addresses.
• Protocols like IP, TCP, UDP, ICMP etc.
• Protocol information Port numbers for TCP and UDP, or message
types for ICMP.
16

17. • Extended Access Control Lists can be created by using the "access-
lists" IOS command. The syntax of "access list" IOS command to
create a Extended Access Control List is shown below.
• Router(config)# access-list [Access_list_number] permit|deny
IP_protocol source_address source_wildcard_mask
[source_protocol_information] destination_address
destination_wildcard_mask
[destination_protocol_information]
17

18. • Access_list_number: For Extended Access Control List, Access list
number must be between 100–199 or 2000–2699.
• IP_protocol: IP protocol to match. The IP protocols can
be IP, ICMP, TCP, GRE, UDP, etc.
18

19. 19

20. Commonly Used
Port Numbers
20

21. Extended Access Control List (ACL) - Port
Operators
• When working with Extended
Access Control Lists (ACL), we
can specify TCP and UDP port
numbers to permit or deny.
• To filter the traffic based on TCP
or UDP port numbers, we can
use an operator. The operator is
used to match the port number or
numbers in Access Control Lists.
Operator Description
lt Less than
gt Greater than
neq
Not equal to
eq Equal to
range Range of port numbers
21
The following table lists important Extended Access Control
Lists (ACL) operators.

22. Where should an Extended Access Control
List (ACL) be placed?
• Extended Access Control List (ACL) can filter the traffic based
many factors like source IP address, destination IP address,
Protocol, TCP or UDP port numbers etc.
• Since an Extended Access Control List (ACL) can filter the IP
datagram packet based on the destination IP address, it must be placed
on the router which is near to the source network/host.
• If we place the Extended Access Control List (ACL) near to
destination, the unwanted traffic may consume the bandwidth till
destination, and the the unwanted traffic will get filtered finally near
destination.
22