Cisco CCNA Access Control Lists (ACL) Part I

Cisco CCNA Why Use ACLs?

An access list (ACL) is a mechanism for identifying particular traffic. One application of
an access list is for filtering traffic into or out of a router interface. There are numerous
different types of ACLs. IP standard access lists filter on source ip address only while
extended access lists filter on both source and destination ip addresses. You can
specify different protocols to filter on (i.e. ip, tcp, udp, icmp, etc.). When specifying tcp
and udp, port numbers are chosen to permit or deny specific layer 4 data.

Cisco CCNA ACL Applications : Filtering

This figure illustrates common uses for IP access lists.

While this chapter focuses on IP access lists, the concept of access lists as
mechanisms to control traffic in a network applies to all protocols.
An improved security solution is the lock-and-key access feature, which is available only
with IP extended access lists. Lock-and-key access allows you to set up dynamic
access lists that grant access per user to a specific source/destination host through a
user authentication process. You can allow user access through a firewall dynamically,
without compromising security restrictions.

Cisco CCNA Types of IP ACLs

More detailed information regarding standard and extended ACLs are explained on the
slides that follow.

Cisco CCNA How to identify ACLs

Normal IP access-list range:

IP standard access list range
IP extended access list range
With Cisco IOS 12.0 and later, the IP access-lists range has been expanded to also
include:
IP standard access list (expanded range)
IP extended access list (expanded range)

Cisco CCNA IP Access List Entry Sequence Numbering

Cisco CCNA ACL Configuration Guidelines

As a general rule, extended ACLs should be placed close to the source while standard
ACLs should be placed close to the destination.
The order of ACLs is very important as each statement is checked from top to bottom
and exiting upon the first match. That means the most specific statements should be
placed at the top of the list. The last ACL is always an implicit deny so every ACL needs
at least one permit statement to be useful.

Cisco CCNA Dynamic ACLs

When to Use Lock-and-Key Access

Two examples of when you use lock-and-key access are listed here:
When you want a remote host to be able to access a host in your internetwork through
the Internet. Lock-and-key access limits the access beyond your firewall on an
individual host or net basis.
When you want a subset of hosts on a network to access a host on a remote network
protected by a firewall. With lock-and-key access, you can enable only a desired set of
hosts to gain access by having them authenticate through a TACACS+ or RADIUS
server.
Lock-and-Key Access Operation
This process describes the lock-and-key access operation.
A user opens a Telnet session to a border router configured for lock-and-key access.

The Cisco IOS software receives the Telnet packet. It performs a user authentication
process. The user must pass authentication before access is allowed. The
authentication process is done by the router or a central access server such as a
TACACS+ or RADIUS server.

Cisco CCNA Reflexive ACLs

Reflexive access lists are similar in many ways to other access lists. Reflexive access
lists contain condition statements (entries) that define criteria for permitting IP packets.
These entries are evaluated in order, and when a match occurs, no more entries are
evaluated.
However, reflexive access lists have significant differences from other types of access
lists. Reflexive access lists contain only temporary entries; these entries are
automatically created when a new IP session begins (for example, with an outbound

packet), and the entries are removed when the session ends. Reflexive access lists are
not themselves applied directly to an interface, but are nested within an extended
named IP access list that is applied to the interface. Also, reflexive access lists do not
have the usual implicit deny all traffic statement at the end of the list, because of the
nesting.

Cisco CCNA Time-Based ACLs

Time-Based ACLs implement access lists based on the time of day. To do so, you
create a time range that defines specific times of the day and week. The time range is
identified by a name and then referenced by a function, so that those time restrictions
are imposed on the function itself.

The time range allows the network administrator to define when

the permit or deny statements in the access list are in effect. Prior to this feature,
access list statements were always in effect once they were applied. Both named or
numbered access lists can reference a time range.