Cisco Access Control Lists Revision
Access Control Lists (ACL)
Access Control Lists are used to:
- Prioritise traffic
- Restrict or reduce updates
- Provide basic security
- Block types of traffic
Access control list placement
- Standard ACLs - Place as close to destination as possible.
- Extended ACLs - Place as close to source of traffic as possible.
- Only one ACL per port per direction is allowed.
- ACLs are more efficient when applied on the outbound port.
- If a packet matches none of the ACL statements it is implicitly denied (every ACL ends with an invisible deny any).
- Once a packet matches an ACL statement no further statements are checked; that statement's action (permit or deny) is applied.
ACL IOS commands
Standard ACLs - Used to permit or deny an entire protocol suite.
The following two statements have the same effect:
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)# access-list 1 permit any
The following two statements also have the same effect:
Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29
Extended ACLs - Used to permit or deny specific protocols
The number given to an ACL identifies which protocol it applies to. Below are the number ranges you will need for your CCNA.

| Protocol | Range |
|---|---|
| IP | 1-99 |
| Extended IP | 100-199 |
| Appletalk | 600-699 |
| IPX | 800-899 |
| Extended IPX | 900-999 |
| IPX SAP | 1000-1099 |
Use the following port operators to permit or deny specific ports or ranges of port numbers; an example ACL follows.

| Operator | Meaning |
|---|---|
| lt | Less than |
| gt | Greater than |
| neq | Not equal to |
| eq | Equal to |
Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.255.255 any eq 23
Router(config)# access-list 101 permit tcp any any established - The established keyword is only valid with tcp; it matches packets that belong to an already established TCP connection (ACK or RST bit set), so replies to inside-initiated sessions are allowed while new inbound connections are not.
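As an added illustration that is not part of the original notes, the Python below simulates how a router evaluates the extended ACL above: wildcard masks, the eq port operator, the established keyword, first-match processing and the implicit deny. The ACL entries and packets are constructed for the example.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Port operators from the table above.
OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
       "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}

# Constructed copy of access-list 101 as tuples:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_op, dst_port, established)
ACL_101 = [
    ("deny",   "tcp", "172.16.4.0", "0.0.255.255", "0.0.0.0", "255.255.255.255", "eq", 23, False),
    ("permit", "tcp", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, None, True),
]

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for a packet dict with keys proto, src, dst, dport
    and ack (True when the TCP ACK or RST bit is set). First match wins; an
    implicit deny follows the last statement, exactly as on the router."""
    for action, proto, src, sw, dst, dw, op, port, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src, sw) and wildcard_match(pkt["dst"], dst, dw)):
            continue
        if op and not OPS[op](pkt["dport"], port):
            continue
        if established and not pkt.get("ack", False):
            continue
        return action          # matching statement decides; no further checks
    return "deny"              # implicit deny any at the end of every ACL
```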
Named ACLs
Named access control lists are another way of creating ACLs; an example follows.
Router(config)# ip access-list standard Nik
Router(config-std-nacl)# deny any log - denies all packets and logs each match.
Viewing ACLs
Router# show access-lists - shows all access lists (privileged EXEC mode, not config mode).
Router# show access-list 101 - shows access list 101.
Router# show ip interface - shows which access lists are applied to which interfaces and in which direction.
Configuring ACLs on an interface
Router(config)# interface s1
Router(config-if)# ip access-group 1 {in | out} - out is the default direction if none is given.
Removal of ACLs
Router(config)# no access-list 1