3. Packet Filtering
ALLOW or DENY, decided on:
• Source IP address
• Destination IP address
• ICMP message type
• TCP/UDP source port
• TCP/UDP destination port
One ACL per protocol (e.g., IP or IPX)
One ACL per interface (e.g., FastEthernet0/0)
One ACL per direction (i.e., IN or OUT)
4. Numbering and Naming ACLs
Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1300-1999>  IP standard access list (expanded range)
  <200-299>    Protocol type-code access list
  <2000-2699>  IP extended access list (expanded range)
  <700-799>    48-bit MAC address access list
You assign a number based on which protocol you want filtered:
• (1 to 99) and (1300 to 1999): Standard IP ACL
• (100 to 199) and (2000 to 2699): Extended IP ACL
A named ACL is identified by a name instead of a number:
• Names can contain alphanumeric characters.
• It is suggested that the name be written in CAPITAL LETTERS.
• Names cannot contain spaces or punctuation and must begin with a letter.
• You can add or delete individual entries within a named ACL.
5. Where To Place ACLs
[Figure: topology with Router0, Router1 and Router2 (interfaces Fa0/1) and Host1, Host2 and Host3 on 192.168.2.0/24; labels: Standard ACL, Extended ACL]
18. Difference between STD and EXT ACL
STANDARD                                        | EXTENDED
The access-list number range is 1 to 99         | The access-list number range is 100 to 199
Can block a host, network and subnet            | Can block a host, network, subnet and service
Two-way communication is stopped                | One-way communication is stopped
Implemented closest to the destination          | Implemented closest to the source
Filtering is done based on source IP address    | Checks source, destination, protocol and
only                                            | port number
19.
1. Create the access list (standard or extended)
2. Apply the access list to an interface (inbound or outbound)
R0(config)#access-list 1 deny 192.168.2.101 0.0.0.0
R0(config)#access-list 1 permit any
R0(config)#int gi0/0
R0(config-if)#ip access-group 1 out
20.
R0(config)#no access-list 1
R0(config)#access-list 2 deny 192.168.2.100
R0(config)#access-list 2 deny 192.168.2.101
R0(config)#access-list 2 permit any
R0(config)#int gi0/0
R0(config-if)#no ip access-group 1 out
R0(config-if)#ip access-group 2 out
R0(config-if)#exit
R0(config)#no access-list 2
R0(config)#access-list 3 deny 192.168.2.0 0.0.0.255
R0(config)#int gi0/0
R0(config-if)#no ip access-group 2 out
R0(config-if)#ip access-group 3 out
Note: access-list 3 contains only a deny entry, so the implicit deny any that ends every ACL also drops all other traffic leaving gi0/0; add access-list 3 permit any if only sources in 192.168.2.0/24 are meant to be blocked. Also, no access-list 2 is issued while ACL 2 is still applied to gi0/0; on classic IOS an interface whose access-group refers to a list that no longer exists passes all traffic, so remove the access-group before deleting the list.
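To check what these three lists do before applying them, here is an added Python model of standard ACL evaluation (example code, not from the slides): top-down first match, wildcard masks, and the implicit deny any at the end. The access-list lines are copied from R0's configuration above; the sample source addresses are constructed.

```python
# Added example: a minimal model of Cisco IOS standard ACL evaluation,
# used to check access-lists 1, 2 and 3 from the R0 configuration above.
# Modelled IOS rules: entries are tested top-down, the first match decides,
# and every ACL ends with an implicit "deny any".
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} {any|host A|A [wildcard]}' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        action, target = parts[2], parts[3]
        if target == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            entries.append((action, parts[4], "0.0.0.0"))
        else:  # a bare address with no wildcard means a single host
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            entries.append((action, target, wildcard))
    return entries

def evaluate(entries, src_ip):
    """Return (action, index of the matching entry); index None = implicit deny."""
    for i, (action, net, wc) in enumerate(entries):
        if wildcard_match(src_ip, net, wc):
            return action, i
    return "deny", None

# The three lists exactly as entered on R0 (slides 19 and 20)
ACL1 = parse_standard_acl(["access-list 1 deny 192.168.2.101 0.0.0.0",
                           "access-list 1 permit any"])
ACL2 = parse_standard_acl(["access-list 2 deny 192.168.2.100",
                           "access-list 2 deny 192.168.2.101",
                           "access-list 2 permit any"])
ACL3 = parse_standard_acl(["access-list 3 deny 192.168.2.0 0.0.0.255"])

if __name__ == "__main__":
    # Constructed sample sources: the two blocked hosts, another LAN host, an outside host
    for name, acl in (("ACL1", ACL1), ("ACL2", ACL2), ("ACL3", ACL3)):
        for src in ("192.168.2.100", "192.168.2.101", "192.168.2.5", "10.0.0.9"):
            print(name, src, evaluate(acl, src))  # ACL3 denies even 10.0.0.9
```

Running it shows ACL3 returning ("deny", None) for 10.0.0.9, i.e. the implicit deny drops traffic the slide's single deny entry never mentioned.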