ACL - jibingl/CCNA-CCNP GitHub Wiki

Access Control List

Syntax

Standard ACL

R1(config)#access-list <1-99/1300-1999> {action} {source-ip-wildcard}

R1(config)#ip access-list standard {named-string | number}
R1(config-std-nacl)#[seq-number] {action} {source-ip-wildcard}
                     <int>        permit   subnet
                                  deny     host/IP
                                           any/0.0.0.0 255.255.255.255

Extended ACL

R1(config)#access-list <100-199/2000-2699> {action} {protocol} {source-ip-wildcard} {operator} {source-port} {dest-ip-wildcard} {operator} {dest-port} [established]

R1(config)#ip access-list extended {named-string | number}
R1(config-ext-nacl)#[seq-number] {action} {protocol} {source-ip-wildcard} {operator} {source-port} {dest-ip-wildcard} {operator} {dest-port} [established]
                     <int>        permit   ip         subnet               eq         port-number   subnet             eq         port-number
                                  deny     6:tcp      host                 neq        port-name     host + IP          neq        port-name
                                           17:udp     any                  gt                       any                gt         
                                           1:icmp     object-group         lt                       object-group       lt
                                           88:EIGRP                        range                                       range
                                           89:OSPF

Other ACl cmd

R1(config-if)#ip access-group {number|name} {in|out}

R1(config-std-nacl)#remark <description-to-acl>
R1(config)#ip access-list resequence <acl-id> <start-seq-number> <increment>

Example

                              Internet                     .30
                                 |                       SRV3_cam
         192.168.1.0/24        R1|g0/0      10.10.10.0/24 |
 PC1---[=]-----------------f1/1-(+)-g1/1-----------------[=]----SRV1_dns
 .11    |                        |f1/2                    |       .10
       PC2                       |                       SRV2_app
       .12               PC3---[=]172.16.0.0/24           .20
                         .13     |
                                PC4 .14

Context and requirements:
Management (mgnt) subnet 172.16.0.0/24. Workstation (wk) subnet 192.168.1.0/24. Server (SRV) subnet 10.10.10.0/24.

  1. To mngt subnet, PC3 manages SRV1 and SRV3, and PC4 manages SRV2 and SRV3.
  2. To wk subnet, all PCs are not allowed to connect SRV3.
  3. To SRVs subnet, only allow SSH or RDP form mgnt.
  4. Between mngt and wk, traffic can flow from mngt to wk, but not vice versa.
  5. From Internet, only allow traffics of https, emails, and DNS.
R1(config)#ip access-list extended MNGT-to-SRVs
R1(config-ext-nacl)#deny ip host 172.16.0.13 host 10.10.10.20
R1(config-ext-nacl)#deny ip 172.16.0.14 0.0.0.0 host 10.10.10.10
R1(config-ext-nacl)#permit ip any any

R1(config)#ip access-list extended WorkStation
R1(config-ext-nacl)#deny ip any host 10.10.10.30
R1(config-ext-nacl)#deny tcp any 10.10.10.0 0.0.0.255 ssh                 //22
R1(config-ext-nacl)#deny tcp any 10.10.10.0 0.0.0.255 3389                //RDP
R1(config-ext-nacl)#deny ip any 172.168.0.0 0.0.255.255
R1(config-ext-nacl)#permit ip any any

R1(config)#ip access-list Secure-Internet
R1(config-ext-nacl)#permit ip any any eq domain                           //53
R1(config-ext-nacl)#permit tcp any any eq 443                             //https
R1(config-ext-nacl)#permit tcp any any eq smtp                            //25
R1(config-ext-nacl)#permit tcp any any eq 465                             //SMTP-SSL
R1(config-ext-nacl)#permit tcp any any eq 995                             //POP3-TLS
R1(config-ext-nacl)#permit tcp any any eq 996                             //POP3-SSL
R1(config-ext-nacl)#permit icmp any any

R1(config)#interface f1/2
R1(config-if)#ip access-group MNGT-to-SRVs in

R1(config)#interface f1/1
R1(config-if)#ip access-group WorkStation in

R1(config)#interface g0/0
R1(config-if)#ip access-group Secure-Internet out
⚠️ **GitHub.com Fallback** ⚠️