Thursday, April 16, 2015

Configure a Cisco Named Standard Access Control List (ACL) on Cisco Routers / ACL Rules

This article demonstrates the Named Standard Access Control List (Named Standard ACL).
An access control list is used to filter unwanted traffic. There are two types of ACL, numbered and named. Numbered access lists are either standard or extended, and named access lists are likewise either standard or extended, so there are four kinds of access list:
  1. Numbered standard access list
  2. Numbered extended access list
  3. Named standard access list
  4. Named extended access list

This article covers the Named Standard Access List. Standard means the list filters packets based on the source IP address only; named means the list is identified by a name rather than a number, and a named list can be edited in place (specific lines can be added or removed without rewriting the whole list).

Access Control List Rules
1- Whether the access list is numbered or named, standard or extended, a packet is compared with the lines of the list in sequential order, top to bottom. If the packet's source IP address matches the first line (entry), the router takes that line's action and does not check the remaining entries. If it doesn't match the first line, the router checks the second line, and so on. Comparison stops at the first match: once a line matches, no further lines are evaluated, so the order of the lines decides the result.

2- There is an implicit deny at the end of every access list. If a packet matches none of the lines, it is discarded. A list that contains only deny statements therefore blocks everything; an explicit permit is needed for any traffic that should pass.

3- The access list is applied to an interface in a specific direction, inbound or outbound. Inbound: packets are checked against the ACL as they arrive, before the routing decision, so a denied packet is never routed to any outbound interface. Outbound: packets are first routed to the outbound interface and are then checked against the ACL applied there, so only traffic leaving that interface is affected.

4- Standard access control lists (numbered and named) filter traffic by examining only the source IP address of a packet. They cannot match on destination address, protocol or port.

5- Named access lists (standard and extended) are editable: you can insert a line between existing lines or at the top of the list, and you can delete a specific line, without removing and re-creating the whole list.

6- A named standard access control list is identified by a name chosen by the network administrator.

7- A standard access control list is placed as close to the destination as possible. Because it matches only on source address, placing it near the source would block that source from reaching every destination beyond the filtering point, not just the one you intend (the configuration example below shows exactly this).

8- Named standard access control lists use the following syntax:
R(config)# ip access-list standard <acl name>
R(config-std-nacl)# [<sequence number>] <permit | deny> {<source address> <wildcard mask> | host <source address> | any}
The wildcard mask is the inverse of a subnet mask: a 0 bit must match the source address exactly and a 1 bit is ignored, so 192.168.10.0 0.0.0.255 matches the whole 192.168.10.0/24 network. If the sequence number is omitted, the line is appended at the bottom of the list.


Configuring a Named Standard ACL

Looking at the diagram above: traffic from network 192.168.10.0/24 enters R2 on g0/0, network 192.168.50.0/24 is reached through g0/1 and network 192.168.30.0/24 through g0/2. We want to prevent network 192.168.10.0/24 from accessing network 192.168.30.0/24, while everything else is permitted.

Configuration Steps:
1- Create an access list identified by a name; I used tariq as the name, as you see in the first command below. The second command denies packets whose source is in network 192.168.10.0/24 (0.0.0.255 is the wildcard mask covering the whole /24), meaning those packets will be dropped. The third command permits packets from any other source IP address. The third line is essential: without it every packet would be dropped, because of the implicit deny any at the end of the access list.
R2(config)#ip access-list standard tariq

R2(config-std-nacl)#deny 192.168.10.0 0.0.0.255
R2(config-std-nacl)#permit any

2- Apply the access list to an interface in a specific direction. No action (permit or deny) is taken until the list is applied to an interface in a direction.
You should know where the traffic flows: packets from network 192.168.10.0/24 enter R2 on interface g0/0, as shown in the diagram. If you apply this ACL inbound on g0/0 of R2, the router checks the ACL before routing, matches the first line (deny 192.168.10.0 0.0.0.255) and drops the packet, so it is never routed to either outbound interface, g0/1 or g0/2. Network 192.168.10.0/24 would then be unable to reach not only network 192.168.30.0/24 but also network 192.168.50.0/24. So be careful about where you apply the ACL and in which direction.
The solution is to apply the ACL outbound on interface g0/2: the router accepts the packets on g0/0 and routes them to the outbound interface (g0/1 or g0/2), and only the packets leaving g0/2 are then checked against the ACL. In our example we apply the ACL on g0/2 to stop network 192.168.10.0/24 from reaching network 192.168.30.0/24, and we do not apply it on g0/1 because network 192.168.10.0/24 must still be able to reach network 192.168.50.0/24.
Before the commands below are entered, host 192.168.10.2 can reach 192.168.30.2.

R2(config)#int g0/2
R2(config-if)#ip access-group tariq out

After the above commands are entered (applying the ACL to the interface), host 192.168.10.2 can no longer reach 192.168.30.2, while it can still reach 192.168.50.2. Note that an outbound ACL filters only transit traffic; packets generated by R2 itself are not checked against it.
To view the configured access list (IOS numbers the lines automatically in steps of 10):

R2#sh access-list
Standard IP access list tariq
    10 deny 192.168.10.0 0.0.0.255
    20 permit any

Adding a line in between the lines of the ACL
Suppose you now want to deny the host 192.168.2.10 with the command deny host 192.168.2.10. You can't simply add it, because a line entered without a sequence number is appended at the bottom of the ACL, after permit any. Added there, it would never be reached: the packet would already match the second line (permit any) and be permitted.
So the new line has to be inserted before the second line (permit any), which means giving it a sequence number lower than 20 (the number of the second line) and higher than 10.
R2(config)#ip access-list standard tariq

R2(config-std-nacl)#15 deny host 192.168.2.10
View the access list after adding the line:
R2#sh access-lists

Standard IP access list tariq
    10 deny 192.168.10.0 0.0.0.255
    15 deny host 192.168.2.10
    20 permit any

Delete individual lines
To delete an individual line from the ACL, refer to it by its sequence number; for example, to delete line number 20:
R2(config)#ip access-list standard tariq

R2(config-std-nacl)#no 20
View the access list after deleting line number 20:
R2#sh access-lists

Standard IP access list tariq
    10 deny 192.168.10.0 0.0.0.255
    15 deny host 192.168.2.10
Line 20 was the permit any, so the list now contains only deny statements. With the implicit deny at the end, every packet leaving g0/2 is dropped while tariq is applied there; this step only demonstrates the deletion syntax. In practice, re-add a permit (for example permit any as a new line 20) or remove the access-group from the interface.
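To make rules 1 to 4, the placement discussion and the sequence-number editing above concrete, here is a small Python model of the behaviour. It is an added example, not Cisco IOS code or output. It assumes the interface mapping implied by the text (g0/0 toward 192.168.10.0/24, g0/1 toward 192.168.50.0/24, g0/2 toward 192.168.30.0/24), prints a simplified form of the show access-lists output, and the names Ace, StandardAcl, Router, placement_results() and editing_results() are chosen for this example only.

```python
"""Python model of the IOS standard-ACL behaviour described above (added example, not Cisco code).
Interface mapping assumed from the text: g0/0 -> 192.168.10.0/24, g0/1 -> 192.168.50.0/24, g0/2 -> 192.168.30.0/24."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Ace:
    """One entry of a standard ACL: matches on the source address only."""
    seq: int
    action: str                # "permit" or "deny"
    source: str                # dotted address or "any"
    wildcard: str = "0.0.0.0"  # IOS wildcard: 0 bit = must match, 1 bit = don't care
    def matches(self, src: str) -> bool:
        if self.source == "any":
            return True
        care = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(IPv4Address(src)) ^ int(IPv4Address(self.source))) & care == 0
    def __str__(self) -> str:  # the form in which this page's 'show access-lists' output prints a line
        if self.source == "any":
            return f"{self.seq} {self.action} any"
        src = f"host {self.source}" if self.wildcard == "0.0.0.0" else f"{self.source} {self.wildcard}"
        return f"{self.seq} {self.action} {src}"


class StandardAcl:
    """Named standard ACL: entries kept in sequence order, implicit deny at the end."""
    def __init__(self, name: str):
        self.name, self.aces = name, []
    def add(self, action: str, source: str, wildcard: str = "0.0.0.0", seq: int = 0) -> None:
        # seq 0 = none given: IOS appends at the bottom (next multiple of 10);
        # an explicit seq ("15 deny host ...") is inserted in sequence order.
        seq = seq or (self.aces[-1].seq + 10 if self.aces else 10)
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        self.aces.append(Ace(seq, action, source, wildcard))
        self.aces.sort(key=lambda a: a.seq)
    def delete(self, seq: int) -> None:          # R(config-std-nacl)# no <seq>
        self.aces = [a for a in self.aces if a.seq != seq]
    def evaluate(self, src: str) -> str:
        for ace in self.aces:                    # rule 1: top-down, stop at the first match
            if ace.matches(src):
                return ace.action
        return "deny"                            # rule 2: implicit deny any
    def show(self) -> str:
        return "\n".join([f"Standard IP access list {self.name}"] + [f"    {a}" for a in self.aces])


class Router:
    """Minimal R2: destination routing plus one ACL per (interface, direction)."""
    def __init__(self, routes: dict):
        self.routes = {IPv4Network(net): ifc for net, ifc in routes.items()}
        self.groups = {}                         # (interface, "in" | "out") -> StandardAcl
    def access_group(self, ifc: str, direction: str, acl: StandardAcl) -> None:
        self.groups[(ifc, direction)] = acl      # R(config-if)# ip access-group <name> in|out
    def forward(self, src: str, dst: str, in_ifc: str) -> str:
        acl = self.groups.get((in_ifc, "in"))    # inbound ACL: checked before the routing decision
        if acl and acl.evaluate(src) == "deny":
            return f"dropped by {acl.name} on {in_ifc} in"
        dst_net = max((n for n in self.routes if IPv4Address(dst) in n), key=lambda n: n.prefixlen)
        out_ifc = self.routes[dst_net]
        acl = self.groups.get((out_ifc, "out"))  # outbound ACL: checked only after routing
        if acl and acl.evaluate(src) == "deny":
            return f"dropped by {acl.name} on {out_ifc} out"
        return f"forwarded out {out_ifc}"


def build_tariq() -> StandardAcl:
    acl = StandardAcl("tariq")
    acl.add("deny", "192.168.10.0", "0.0.0.255")
    acl.add("permit", "any")
    return acl


def placement_results() -> dict:
    """Same ACL, two placements: inbound on g0/0 blocks too much; outbound on g0/2 is exact."""
    routes = {"192.168.10.0/24": "g0/0", "192.168.50.0/24": "g0/1", "192.168.30.0/24": "g0/2"}
    wrong, right = Router(routes), Router(routes)
    wrong.access_group("g0/0", "in", build_tariq())
    right.access_group("g0/2", "out", build_tariq())
    return {
        "g0/0 in, 10.2 -> 30.2": wrong.forward("192.168.10.2", "192.168.30.2", "g0/0"),
        "g0/0 in, 10.2 -> 50.2": wrong.forward("192.168.10.2", "192.168.50.2", "g0/0"),
        "g0/2 out, 10.2 -> 30.2": right.forward("192.168.10.2", "192.168.30.2", "g0/0"),
        "g0/2 out, 10.2 -> 50.2": right.forward("192.168.10.2", "192.168.50.2", "g0/0"),
        "g0/2 out, 50.2 -> 30.2": right.forward("192.168.50.2", "192.168.30.2", "g0/1"),
    }


def editing_results() -> dict:
    """Append vs. insert 'deny host 192.168.2.10', then 'no 20' (removing the permit any)."""
    acl, out = build_tariq(), {}
    acl.add("deny", "192.168.2.10")              # no seq: lands at 30, behind 'permit any'
    out["appended as 30"] = acl.evaluate("192.168.2.10")
    acl.delete(30)
    acl.add("deny", "192.168.2.10", seq=15)      # inserted ahead of line 20
    out["inserted as 15"] = acl.evaluate("192.168.2.10")
    out["show after insert"] = acl.show()
    acl.delete(20)                               # only deny lines left: the implicit deny drops all
    out["50.2 after no 20"] = acl.evaluate("192.168.50.2")
    return out
```

Run placement_results() to see the same ACL drop traffic to both 192.168.30.0/24 and 192.168.50.0/24 when applied inbound on g0/0, but only traffic out g0/2 when applied there outbound; editing_results() shows the appended line 30 being shadowed by permit any, the inserted line 15 taking effect, and the implicit deny catching everything once line 20 is removed.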



For more details and explanation, watch the video on YouTube.




2 comments:

  1. Hello, I love reading through your blog. I wanted to leave a little comment to support you and wish you a good continuation. Wish you the best of luck for all your efforts. Regards, aws jobs in hyderabad