Thursday, April 14, 2016

CCNAv2 Chapter 9 Notes

Greetings, and welcome to Seeseenayy.
Below are the notes for Chapter 9 (ACLs) I wrote myself.
Feel free to share them!

Chapter 9 - Access Control Lists (“ACLs”)

Packet Filtering: Controls access to a network by analyzing the incoming and outgoing packets, passing or dropping them based on given criteria, such as Source IP, Destination IP, and the protocol carried within the packet.

A router acts as a packet filter when forwarding or denying packets according to filter rules.
An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).

The last statement of an ACL is always an implicit deny. It is automatically added at the end of every ACL even though it does not appear in the configuration, and it blocks all traffic. Because of this implicit deny, an ACL without at least one ‘permit’ statement blocks all traffic; put simply, if a packet does not match any statement it is denied.

There are two kinds of ACLs we deal with:
  • Standard ACLs
    • Filter IP packets based on the source address only.
      • EX: “access-list 10 permit”
        • “For access-control list, permit all traffic coming from <THIS NETWORK>”.
  • Extended ACLs
    • Filter IP packets based on several attributes, including the following:
      • Source and destination IP addresses.
      • Source and destination TCP and UDP ports.
      • Protocol type / protocol number (IP, ICMP, UDP, TCP, etc.).
    • EX: “access-list 103 permit tcp any any eq 80”

Numbering & Naming ACLs:
  • You assign a number based on which protocol you want filtered.
    • You may use 1 to 99 and 1300 to 1999 for Standard IP ACLs, for example.
  • You assign a name to the ACL.
    • Names can contain alphanumeric characters; it is suggested that the name be written in CAPITAL LETTERS. They may not contain punctuation or spaces.
    • Within the ACL, you may add or delete entries; be careful when doing so, as the entries are processed sequentially.
  • “HOST”
    • Use this keyword in place of a wildcard mask when you want to match a single, exact IP address.
  • “ANY”
    • Ignores all of the address bits, so every address matches.

Guidelines for ACLs (and the benefit of each)
  • Base your ACLs on the security policy of the organization.
    • Benefit: this ensures you implement organizational security guidelines.
  • Prepare a description of what you want your ACLs to do.
    • Benefit: this helps you avoid inadvertently creating potential access problems.
  • Use a text editor to create, save, and edit ACLs.
    • Benefit: this helps you create a library of reusable ACLs.
  • Test your ACLs on a development network before implementing them on a production network.
    • Benefit: this helps you avoid costly errors.

Where to place ACLs:
  • Extended ACLs
    • Locate extended ACLs as close as possible to the source of the traffic to be filtered.
  • Standard ACLs
    • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

After a standard ACL is configured, link it to an interface via “ip access-group”, which accepts the arguments “access-list-number”, “access-list-name”, followed by either “in” or “out”.

To remove an ACL, issue the "no access-list" command.
The "remark" keyword is used for documentation and makes access lists easier to understand.

Internal Logic: Cisco IOS applies an internal logic when processing ACL statements. As discussed previously, the statements are processed sequentially from the top, so the order in which the ACEs are entered is IMPORTANT.

Applying ACLs to Interfaces: After a standard ACL is configured, use "ip access-group <ACL Number | ACL Name> <In | Out>" from an interface.

Let's configure a Standard ACL to secure a VTY port. Generally, we can use a standard ACL for this, but most of the time an extended ACL is used instead.

Configuring Extended ACLs
The procedural steps for configuring extended ACLs are the same as standard ACLs. The extended ACL is first configured, then it is activated on an interface. However, the syntax and parameters are more complex to support additional features provided by extended ACLs.

Applying Extended ACLs to Interfaces
Applying an extended ACL to an interface works the same as for any other ACL: once the ACL’s parameters are configured, enter the interface and use “ip access-group <NAME/ID> <IN/OUT>”.

R1(config)#access-list 103 permit tcp any any eq 80
R1(config)#access-list 104 permit tcp any any established
R1(config)#int g0/0
R1(config-if)#ip access-group 103 in
R1(config-if)#ip access-group 104 out

Verifying Extended ACLs
You may use "show access-lists" to show any access lists you have configured, and then "show ip interface <interface>" to show any ACLs on an interface.

Outbound ACL Logic
  • Packets are checked for a route before being sent to an outbound interface.
  • If there is no route, the packets are dropped.
  • If an outbound interface has no ACL, packets are sent to that interface.
  • If there is an ACL on the outbound interface, the packet is tested against it before being sent out that interface.
  • If an outbound packet matches an ACL statement with a permit, it is sent to that interface.
  • If any outbound packet matches an ACL statement with a deny, it is dropped.
  • If an outbound packet does not meet any ACL statements, it is "implicitly denied" and dropped.

Standard ACL Decision
Standard ACLs only examine the source IPv4 address. The destination of the packet is not considered.

Extended ACL Decision
The ACL first filters on the source address, then the port and protocol of the source. Then, it filters the destination address, then the port and protocol of that destination, and makes a final permit or deny decision.
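The decision flow described in the Outbound ACL Logic, Standard ACL Decision and Extended ACL Decision sections, as an added Python example (this is not part of these notes and not Cisco IOS code). It parses ACEs in IOS-style syntax and reproduces the matching logic: statements are tested top-down, the first match wins, and a packet matching nothing hits the implicit deny. It also exercises the HOST and ANY keywords, the order sensitivity noted under Internal Logic, the established keyword, and the eq/lt/gt port qualifiers the notes mention later. The Packet class, the route-table format and all sample addresses and rules are constructed for the example.

```python
"""Toy ACL evaluator added for these notes (not Cisco IOS code).

ACEs are tested top-down; the first match decides, and no match is the
implicit deny. Standard ACEs examine only the source address; extended ACEs
also check protocol, destination, eq/lt/gt port qualifiers and 'established'.
The ACE syntax mirrors IOS; Packet, the route format and samples are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

EXTENDED_PROTOS = ("ip", "tcp", "udp", "icmp")   # "ip" matches any protocol


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    src_port: int = 0
    dst_port: int = 0
    ack_or_rst: bool = False     # TCP ACK or RST set -> counts as 'established'


@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str
    src: tuple                   # (address, wildcard) as 32-bit ints
    src_port: Optional[tuple]    # (op, value) or None
    dst: Optional[tuple]         # None for a standard ACE
    dst_port: Optional[tuple]
    established: bool
    text: str


def _addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard 1-bits are ignored)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def _port(tokens, i):
    """Consume an optional 'eq|lt|gt N' qualifier."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt"):
        return (tokens[i], int(tokens[i + 1])), i + 2
    return None, i


def parse_ace(line):
    """Parse one ACE, e.g. 'access-list 103 permit tcp any any eq 80'."""
    tokens = line.split()
    if tokens[0] == "access-list":           # drop the 'access-list <number>' prefix
        tokens = tokens[2:]
    action, i = tokens[0], 1
    if tokens[i] not in EXTENDED_PROTOS:     # no protocol keyword: standard ACE
        src, i = _addr(tokens, i)
        return ACE(action, "ip", src, None, None, None, False, line)
    proto, i = tokens[i], i + 1
    src, i = _addr(tokens, i)
    src_port, i = _port(tokens, i)
    dst, i = _addr(tokens, i)
    dst_port, i = _port(tokens, i)
    established = i < len(tokens) and tokens[i] == "established"
    return ACE(action, proto, src, src_port, dst, dst_port, established, line)


def _match_addr(spec, ip):
    addr, wildcard = spec                    # bits set in the wildcard are not compared
    return ((addr ^ ip) & ~wildcard & 0xFFFFFFFF) == 0


def _match_port(spec, port):
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "lt": port < value, "gt": port > value}[op]


def matches(ace, pkt):
    """Check order follows the notes: protocol, source, source port, destination, destination port."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _match_addr(ace.src, int(IPv4Address(pkt.src))):
        return False
    if ace.dst is None:                      # standard ACE: nothing else is examined
        return True
    if not _match_port(ace.src_port, pkt.src_port):
        return False
    if not _match_addr(ace.dst, int(IPv4Address(pkt.dst))):
        return False
    if not _match_port(ace.dst_port, pkt.dst_port):
        return False
    return not ace.established or (pkt.proto == "tcp" and pkt.ack_or_rst)


def evaluate(acl_lines, pkt):
    """Top-down, first match wins; no match is the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


def outbound(routes, acl_lines, pkt):
    """Outbound logic from the notes: route lookup first, then the egress ACL if there is one."""
    dst = IPv4Address(pkt.dst)
    hits = [(IPv4Network(n), iface) for n, iface in routes if dst in IPv4Network(n)]
    if not hits:
        return "dropped: no route"
    iface = max(hits, key=lambda h: h[0].prefixlen)[1]
    if acl_lines and evaluate(acl_lines, pkt)[0] == "deny":
        return f"dropped by ACL on {iface}"
    return f"forwarded via {iface}"
```

A useful experiment is to feed `evaluate` the same two statements in both orders, for example a `deny host` for one address followed by a `permit` for its whole /24 and then the reverse: the host-specific deny only has an effect when it is entered first, which is the point the notes make about sequential processing.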

Types of IPv6 ACLs
  • Named only
  • Similar in functionality to IPv4 Extended ACLs

Although IPv4 and IPv6 ACLs are very similar, there are three significant differences between them:
  • Applying an IPv6 ACL: IPv6 uses the ipv6 traffic-filter command to perform the same function that ip access-group performs for IPv4 interfaces.
  • No wildcard masks.
  • Additional default statements, such as:
    • permit icmp any any nd-na
    • permit icmp any any nd-ns

Three steps to configure an IPv6 ACL:
  • ipv6 access-list <name>
  • Use permit or deny to specify conditions
  • Apply it to an interface with ipv6 traffic-filter <name>, in or out

Chapter Summary
By default, a router won't filter traffic. Traffic that enters is routed solely based on information within the routing table. Packet filtering controls access to networks by filtering incoming, outgoing, or passing packets-- dropping or permitting those which match the applied criteria.

A packet-filtering router uses rules to determine whether to permit or deny traffic. A router can also filter at Layer 4 (Transport). The router, with an ACL, compares the packet information against each entry and applies the action accordingly. ACLs can be configured to apply to inbound or outbound traffic.

Standard ACLs permit or deny traffic based on the IPv4 source address exclusively, which is why the rule of thumb is to place them as close to the destination as possible. Extended ACLs, however, filter on many attributes: source IP, destination IP, source port, destination port, and protocol. These should be placed as close to the source as possible.

What commands are automatically added to an IPv6 Access Control List?

- deny ipv6 any any
- permit icmp any any nd-na
- permit icmp any any nd-ns

These statements are included automatically because, without them, the implicit deny would block router updates.

With an access control list, what do 'LT' and 'GT' do?

  • Less than or greater than, with regard to the address.

Do we use 'LT' and 'GT' for port numbers or addresses?

  • Port numbers; they are used to indicate port numbers less than (LT) and greater than (GT) specified.

Command Summary
access-list <number>
  • Defines a standard ACL with a number in the range 1 - 99, or an extended ACL with a number in the range 100 to 199 or 200 to 2699. Both kinds may also be named instead.

ip access-list standard <name>
  • Used to create a standard named ACL, whereas the command 'ip access-list extended <name>' is for extended access lists. IPv4 ACL statements use wildcard masks.

After an ACL is configured, it's linked to an interface via 'ip access-group' from int config mode.

no ip access-group
no access-list
  • Removes an ACL from an interface (first command), then removes the entire ACL (second).

“show running-config”, “show access-lists”, “show ip interface”
  • All of these commands display the ACL configuration and are used to verify and debug which ACLs exist, what they contain, and where they are applied.

Remember the three Ps -- one ACL per protocol, per direction, and per interface.


  1. Your notes are very helpful, thank you!

  2. Thank You. This site is awesome

