Types of IPv4 ACLs
- Standard ACLs permit or deny packets based only on the
source IPv4 address
- Extended ACLs permit or deny packets based on the source
address AND the destination address, as well as the protocol and the
TCP or UDP port numbers. They match on layer 4 header fields, but they
are still configured on the router (a layer 3 device), not on a separate
"layer 4 device"
- Much more flexible, so they are the usual choice when a specific flow
has to be filtered
Inbound vs Outbound
- Inbound: the ACL is applied to packets as they ENTER the router
through that interface, before the routing decision
- Outbound: the ACL is applied to packets as they LEAVE the router
through that interface, after the routing decision
Standard ACL implementation syntax
~~~
(config)# access-list ACL-# {deny | permit | remark} source [source-wildcard] [log]
(config)# access-list 10 permit 192.168.10.0 0.0.0.255
~~~
Linking an ACL to an interface
~~~
(config)# interface type number
(config-if)# ip access-group {ACL-# | access-list-name} {in | out}

(config)# access-list 1 permit 192.168.10.0 0.0.0.255
(config)# interface s0/0/0
(config-if)# ip access-group 1 out
~~~
ip access-group is an interface-mode command, and an interface can carry only one ACL per protocol per direction (one inbound, one outbound). An ACL that exists but is never applied to an interface filters nothing.
Extended ACL implementation syntax
~~~
(config)# access-list ACL-# {deny | permit | remark} protocol {source source-wildcard} [operator] [port-number | port-name] {destination destination-wildcard} [operator] [port-number | port-name]
(config)# access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80
~~~
The port operator (eq, neq, gt, lt, range) applies to whichever address it follows: in the example, eq 80 follows the destination (any), so it matches HTTP requests from 192.168.10.0/24 to any web server. Placed directly after the source it would match the source port instead.
Numbered and Named ACLs
- There are two categories of access lists: numbered and named
- Numbered
- The number selects the type of list: 1-99 and 1300-1999 are standard
IPv4 ACLs, 100-199 and 2000-2699 are extended IPv4 ACLs (the other
ranges historically belonged to other protocols)
- Named
- Created with ip access-list {standard | extended} name. A descriptive
name identifies the ACL, and individual ACEs can be removed or inserted
by sequence number instead of deleting and re-entering the whole list
- Named ACLs are preferred over numbered ones for both of those reasons
Where do we place ACLs?
- Every ACL should be placed where it filters the intended traffic with
the least side effects and the least wasted bandwidth.
- Standard ACLs match on the source only, so they go as close to the
destination as possible; placed near the source they would block that
source's traffic to every destination, not just the one intended.
- Extended ACLs can match the exact flow, so they go as close as
possible to the source of the traffic to be filtered, dropping it
before it crosses the network.
Common ACL Errors
- The most common ACL errors are entering ACEs in the wrong order or
not applying adequate criteria to the ACL rules
- ACEs are evaluated from the top of the list down, in ascending
sequence number (the order they were entered unless a sequence number
is given). The first matching entry decides and nothing below it is
checked, so a broad permit placed above a narrower deny shadows that
deny. Every ACL ends with an implicit deny any, so a packet that
matches no permit is dropped.
- Another common error is entering the clauses out of order. With
extended ACLs it is easy to mix up the source and destination addresses
and ports.
- SOURCE first, DESTINATION second; a port operator such as eq 80
applies to the address it follows
- Another common error is simply entering an IP address or wildcard
mask wrong. It is easy to do, and the router accepts the entry without
complaint.
Example Only Allowing HTTP
~~~
Router(config)# ip access-list extended ALLOW_HTTP_PC1
Router(config-ext-nacl)# permit tcp host 192.168.1.3 host 172.16.1.2 eq 80
Router(config-ext-nacl)# exit
! Extended ACL, so apply it inbound on the interface facing PC1 (192.168.1.3).
! The interface name g0/0 is an assumption for this example.
Router(config)# interface g0/0
Router(config-if)# ip access-group ALLOW_HTTP_PC1 in
~~~
The single permit allows PC1 (192.168.1.3) to reach the web server 172.16.1.2 on TCP port 80. Everything else arriving on that interface, including HTTPS or ICMP from PC1, matches no ACE and is dropped by the implicit deny any.
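The matching rules described under Common ACL Errors and the ALLOW_HTTP_PC1 example above, worked through in code. This is an added example, not Cisco IOS code and not part of the original notes: a small Python evaluator that applies Cisco-style wildcard masks, walks the ACEs top-down with first-match semantics, and falls through to the implicit deny any. The ALLOW_HTTP_PC1 entry and its addresses come from the page; the Telnet/LAN ordering scenario, the 10.0.0.1 server address and the swapped-address ACL are constructed to show the two errors the notes warn about.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Added example, not Cisco code: a minimal evaluator for Cisco-style IPv4 ACLs
# showing wildcard masks, top-down first-match evaluation and the implicit deny.
# Addresses are taken from the page's ALLOW_HTTP_PC1 example except where a
# comment marks them as constructed.

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every address bit is "don't care"


def host(ip: str) -> tuple[str, str]:
    """'host A.B.C.D' is shorthand for 'A.B.C.D 0.0.0.0' (every bit must match)."""
    return ip, "0.0.0.0"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard bits are the inverse of a subnet mask: 0 = must match,
    1 = don't care. So 192.168.10.0 0.0.0.255 covers 192.168.10.0/24."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol; else "tcp"/"udp"/"icmp"
    src: tuple[str, str]            # (address, wildcard)
    dst: tuple[str, str] = ANY
    dst_port: Optional[int] = None  # 'eq <port>' after the destination, if any


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def evaluate(acl: list[ACE], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching ACE). Entries are checked
    top-down and the first match wins; if none matches, the implicit
    'deny any' at the end of every ACL applies and the index is None."""
    for idx, ace in enumerate(acl, start=1):
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, *ace.src):
            continue
        if not wildcard_match(pkt.dst, *ace.dst):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action, idx
    return "deny", None   # implicit deny any


# The page's ACL: permit tcp host 192.168.1.3 host 172.16.1.2 eq 80
ALLOW_HTTP_PC1 = [ACE("permit", "tcp", host("192.168.1.3"), host("172.16.1.2"), 80)]

# Constructed: the same rule with source and destination swapped (the common error).
SWAPPED = [ACE("permit", "tcp", host("172.16.1.2"), host("192.168.1.3"), 80)]


def http_from_pc1() -> Packet:
    """PC1's HTTP request to the web server, as the page describes it."""
    return Packet("tcp", "192.168.1.3", "172.16.1.2", 80)


def ordering_demo() -> tuple[str, str]:
    """Two ACEs, two orders (constructed scenario). Telnet from 192.168.10.5 is
    meant to be blocked while the rest of 192.168.10.0/24 passes. If the broad
    permit is entered first, the deny below it is shadowed and never reached."""
    deny_telnet = ACE("deny", "tcp", host("192.168.10.5"), ANY, 23)
    permit_lan = ACE("permit", "ip", ("192.168.10.0", "0.0.0.255"))
    telnet = Packet("tcp", "192.168.10.5", "10.0.0.1", 23)   # 10.0.0.1 constructed
    wrong_order, _ = evaluate([permit_lan, deny_telnet], telnet)
    right_order, _ = evaluate([deny_telnet, permit_lan], telnet)
    return wrong_order, right_order


if __name__ == "__main__":
    pkt = http_from_pc1()
    print("HTTP  PC1 -> server:", evaluate(ALLOW_HTTP_PC1, pkt))
    print("HTTPS PC1 -> server:", evaluate(ALLOW_HTTP_PC1, Packet("tcp", "192.168.1.3", "172.16.1.2", 443)))
    print("ICMP  PC1 -> server:", evaluate(ALLOW_HTTP_PC1, Packet("icmp", "192.168.1.3", "172.16.1.2")))
    print("swapped src/dst:    ", evaluate(SWAPPED, pkt))
    print("(misordered, correct) telnet verdicts:", ordering_demo())
```

Running the block prints the verdict and the matching ACE index for each packet. Only the HTTP request to 172.16.1.2:80 hits ACE 1; HTTPS, ICMP and the swapped-address ACL all fall through to the implicit deny, and ordering_demo returns ("permit", "deny"), showing that the same two entries filter differently depending on which is listed first.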