Introduction
The Access Control List (ACL) is a set of commands grouped together. These commands filter the traffic that enters or leaves an interface. A wildcard mask matches a range of addresses in the ACL statements. A router refers to ACLs in two ways, numbered and named. These references support two types of filtering, standard and extended. You first configure the ACL statements and then activate them.
Access Control List
Access control lists are created in global configuration mode. These statements enable the administrator to permit or deny traffic that enters the interface. After creating the basic group of ACL statements, you need to activate them. To filter traffic on an interface, the ACL must be activated in interface sub-configuration mode.
The two ways in which the router refers to an ACL are:
- Numbered – Similar to an index value
- Named – Assigns a unique name to each ACL. The router uses these ACLs to filter the traffic.
The two types of filtering are:
- Standard – Filters only on the source IP address inside a packet.
- Extended – Filters on both the source and destination IP addresses in the packet.
Creating an ACL
You can use the access-list command to create an ACL.
The syntax to create an ACL is:
access-list ACL_# permit | deny conditions
- ACL_# – Groups statements into a single list
- permit | deny – Specifies the action that will be performed
- conditions – Specifies what a packet must match for the router to execute the action
Working of ACLs
An ACL is a set of statements grouped together by a name or number. When the router processes a packet against the group of statements, it performs a number of steps to find a statement that matches. The router processes each ACL top-down: the packet is compared with the first statement in the ACL, then the next, and so on. If the router finds a match between the packet and a statement, it executes the action included with that statement, permit or deny, and stops processing the list.
For example, you want to configure the router to permit traffic from all the hosts of the subnet 22.214.171.124/25 except the host 126.96.36.199. You create an ACL on the router with statements in the following order:
- Permit traffic from subnet 188.8.131.52/25
- Deny traffic from host 184.108.40.206
In this order the host's packets match the permit statement first, and the deny statement is never reached. To achieve the required result, you must reverse the order. The new order of the statements is as follows:
- Deny traffic from host 220.127.116.11
- Permit traffic from subnet 18.104.22.168/25
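The following is an added illustration, not code from the original post: a small Python simulator of how a router evaluates a standard numbered ACL top-down with wildcard masks, showing why the order of the two statements above matters. It uses constructed addresses (subnet 192.168.1.0/25 and host 192.168.1.10) rather than the post's own.

```python
import ipaddress

def parse_standard_acl(text):
    """Parse 'access-list N permit|deny source [wildcard] [log]' lines into
    (action, base, wildcard) integer tuples. Supports the IOS 'any' and 'host'
    shorthands; a missing wildcard defaults to 0.0.0.0 (match one exact host)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        rest = [t for t in tokens[3:] if t != "log"]
        if rest[0] == "any":
            base, wildcard = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            base, wildcard = int(ipaddress.ip_address(rest[1])), 0
        else:
            base = int(ipaddress.ip_address(rest[0]))
            wildcard = int(ipaddress.ip_address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, base, wildcard))
    return entries

def matches(addr, base, wildcard):
    """Wildcard bit 0 means 'must equal the base address'; bit 1 means 'don't care'."""
    return (int(addr) & ~wildcard & 0xFFFFFFFF) == (base & ~wildcard & 0xFFFFFFFF)

def evaluate(entries, src):
    """Top-down first match; a packet that matches no statement hits the implicit deny."""
    src = int(ipaddress.ip_address(src))
    for action, base, wildcard in entries:
        if matches(src, base, wildcard):
            return action
    return "deny"

# Constructed sample (assumption, not the post's addresses):
# permit 192.168.1.0/25 except host 192.168.1.10, written in both orders.
WRONG_ORDER = """
access-list 10 permit 192.168.1.0 0.0.0.127
access-list 10 deny 192.168.1.10 0.0.0.0
"""
RIGHT_ORDER = """
access-list 10 deny 192.168.1.10 0.0.0.0
access-list 10 permit 192.168.1.0 0.0.0.127
"""

if __name__ == "__main__":
    for label, text in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        acl = parse_standard_acl(text)
        print(label, [evaluate(acl, s) for s in ("192.168.1.10", "192.168.1.20", "192.168.1.200")])
```

With the wrong order the excluded host is permitted because it matches the subnet statement first; with the right order it is denied, other hosts in the /25 are permitted, and 192.168.1.200 (outside the /25) falls through to the implicit deny.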
Editing Entries
You may need to add, delete, or modify an entry in an ACL. In a numbered ACL, you cannot delete a specific entry; you need to delete the entire list in which the entry exists.
To delete an ACL, enter the following at the command prompt:
no access-list number
- number – Specifies the number of the ACL to be deleted
To edit a numbered ACL, follow these steps:
- Enter the following at the command prompt: show running-config
- Locate the required ACL entries in the router's output.
- Copy the existing ACL commands into a text editor, where you can edit them.
- Enter the following in interface configuration mode to remove the ACL from the interface: no ip access-group ACL_# in|out
- Enter the following in global configuration mode to delete the old access list: no access-list ACL_#
- Copy the ACL from the text editor and paste it into global configuration mode.
- To activate the ACL on the router interface, enter the following in interface configuration mode: ip access-group ACL_# in|out
Standard ACLs
To create an entry in a standard numbered IP ACL, enter the following at the command prompt:
access-list 1-99|1300-1999 permit | deny source_IP_address [wildcard_mask] [log]
Extended Numbered ACLs
The command for configuring an extended ACL is more complicated than the one for a standard ACL. The command to configure an extended numbered ACL is:
access-list 100-199|2000-2699 permit | deny IP_protocol source_address source_wildcard_mask [operator port] destination_address destination_wildcard_mask [operator port] [established] [log]
Source : https://networkinghelps.wordpress.com/2012/10/01/basic-ip-traffic-management-with-access-lists/