What is ACL?
Access Control List is a packet filtering method that filters the IP packets based on source and destination address. It is a set of rules and conditions that permit or deny IP packets to exercise control over network traffic.
What are different Types of ACL?
There are two main types of Access lists:-
1.Standard Access List.
2.Extended Access List.
Explain Standard Access List?
Standard Access List examines only the source IP address in an IP packet to permit or deny that packet. It cannot match other field in the IP packet. Standard Access List can be created using the access-list numbers 1-99 or in the expanded range of 1300-1999. Standard Access List must be applied close to destination. As we are filtering based only on source address, if we put the standard access-list close to the source host or network than nothing would be forwarded from source.
R1(config)# access-list 10 deny host 192.168.1.1
R1(config)# int fa0/0
R1(config-if)# ip access-group 10 in
Explain Extended Access List?
Extended Access List filters the network traffic based on the Source IP address, Destination IP address, Protocol Field in the Network layer, Port number field at the Transport layer. Extended Access List ranges from 100 to 199, In expanded range 2000-2699. Extended Access List should be placed as close to source as possible. Since extended access list filters the traffic based on specific addresses (Source IP, Destination IP) and protocols we don’t want our traffic to traverse the entire network just to be denied wasting the bandwidth.
R1(config)# access-list 110 deny tcp any host 192.168.1.1 eq 23
R1(config)# int fa0/0
R1(config-if)# ip access-group 110 in
Explain Named ACL and its advantages over Number ACL?
It is just another way of creating Standard and Extended ACL. In Named ACL names are given to identify access-list.
It has following advantage over Number ACL - In Name ACL we can give sequence number which means we can insert a new statement in middle of ACL.
R1(config)# ip access-list extended CCNA
R1(config)# 15 permit tcp host 10.1.1.1 host 184.108.40.206 eq 23
This will insert above statement at Line 15.
R1(config)# int fa0/0
R1(config-if)# ip access-group ccna in
What is Wildcard Mask?
Wildcard mask is used with ACL to specify an individual hosts, a network, or a range of network. Whenever a zero is present, it indicates that octet in the address must match the corresponding reference exactly. Whenever a 255 is present, it indicates that octet need not to be evaluated.
Wildcard Mask is completely opposite to subnet mask.
Example:- For /24
Subnet Mask - 255.255.255.0
Wildcard Mask - 0.0.0.255
How to permit or deny specific Host in ACL?
1.Using a wildcard mask "0.0.0.0"
Example:- 192.168.1.1 0.0.0.0 or
2.Using keyword "Host"
Example:- Host 192.168.1.1
In which directions we can apply an Access List?
We can apply access list in two direction:-
IN - ip access-group 10 in
OUT - ip access-group 10 out
Difference between Inbound Access-list and Outbound Access-list?
When an access-list is applied to inbound packets on interface, those packets are first processed through ACL and than routed. Any packets that are denied won’t be routed. When an access-list is applied to outbound packets on interface, those packets are first routed to outbound interface and than processed through ACL.
Difference between #sh access-list command and #sh run access-list command?
#sh access-list shows number of Hit Counts.
#sh run access-list does not show number of Hit Counts.
How many Access Lists can be applied to an interface on a Cisco router?
We can assign only one access list per interface per protocol per direction which means that when creating an IP access lists, we can have only one inbound access list and one outbound access list per interface. Multiple access lists are permitted per interface, but they must be for a different protocol.
How Access Lists are processed?
Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated against any more access list statements. Because of this, the order of the statements within any access list is significant. There is an implicit “deny” at the end of each access list which means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded.
What is at the end of each Access List?
At the end of each access list, there is an implicit deny statement denying any packet for which the match has not been found in the access list.
- Any access list applied to an interface without an access list being created will not filter traffic.
- Access lists only filters traffic that is going through the router. They will not filter the traffic that has originated from the router.
- If we will remove one line from an access list, entire access-list will be removed.
- Every Access list should have at least one permit statement or it will deny all traffic.