## Overview

Access Control Lists (ACLs) filter traffic based on configured criteria. Entries are processed top-down and processing stops at the first match, so entry order determines the result. An implicit "deny all" exists at the end of every ACL: anything not explicitly permitted is dropped.

#### Numbered vs Named

- Numbered ACLs use numbers for identification
- Named ACLs use descriptive names and allow line editing via sequence numbers

#### Standard vs Extended

- Standard ACLs filter on source IP only (1-99, 1300-1999)
- Extended ACLs filter on source, destination, protocol, and ports (100-199, 2000-2699)

Place standard ACLs close to the destination (they cannot distinguish destinations, so placing them near the source would block more than intended) and extended ACLs close to the source (unwanted traffic is dropped before it crosses the network).

## Standard ACLs

Standard ACLs examine source IP addresses using wildcard masks (a 0 bit must match, a 1 bit is ignored). Use `host` for exact matches and `any` for all addresses.

#### Numbered Standard ACLs

```
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit host 10.1.1.1
access-list 10 deny any

interface GigabitEthernet0/1
 ip access-group 10 in
```

#### Named Standard ACLs

```
ip access-list standard BRANCH_OFFICE
 permit 192.168.1.0 0.0.0.255
 permit host 10.1.1.1
 deny any

interface GigabitEthernet0/1
 ip access-group BRANCH_OFFICE out
```

**Editing**

Sequence numbers let you insert an entry at a specific position and remove a single entry without rebuilding the list:

```
ip access-list standard BRANCH_OFFICE
 15 permit 10.1.1.0 0.0.0.255
 no permit host 10.1.1.1
```

## Extended ACLs

Extended ACLs filter on source IP, destination IP, protocol, and ports. Use `eq`, `gt`, `lt`, or `range` for port specifications.

#### Numbered Extended ACLs

```
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit udp any any eq 53
access-list 101 deny ip any any

interface GigabitEthernet0/0
 ip access-group 101 in
```

#### Named Extended ACLs

```
ip access-list extended WEB_TRAFFIC
 10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 20 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 30 permit udp any any eq 53
 40 deny ip any any log

interface GigabitEthernet0/2
 ip access-group WEB_TRAFFIC in
```

**Common Examples**

Note the ordering: the Telnet deny sits before the `established` permit, otherwise return traffic of an existing session would be allowed through by the later entry.

```
ip access-list extended SECURITY_POLICY
 permit tcp any any eq 22
 permit icmp any any
 deny tcp any any eq 23
 permit tcp any any established
 deny ip any any log
```

**Verification**

`show access-lists` displays each entry with its hit counter, which is the quickest way to confirm a new entry is actually matching traffic; `show ip interface` confirms which ACL is applied in which direction.

```
show access-lists
show ip interface GigabitEthernet0/1
```
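To make the top-down, first-match and implicit-deny behaviour concrete, here is a small ACL evaluator written for this page (not Cisco code) that parses the standard and extended entries above and reports which line a packet hits. Packets are plain dicts with `proto`, `src`, `dst`, optional `sport`/`dport` and an `ack` flag that stands in for the `established` check; `gt`/`lt`/`range` are deliberately not modelled.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care
    a, b, w = (int(ipaddress.IPv4Address(s)) for s in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    # consume one address spec: any | host X | base wildcard
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        return (lambda ip, h=tokens[1]: ip == h), tokens[2:]
    return (lambda ip, b=tokens[0], w=tokens[1]: wildcard_match(ip, b, w)), tokens[2:]

def _take_port(tokens):
    # consume an optional 'eq N' operator (gt/lt/range are not modelled here)
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    tokens = line.split()
    if tokens[0].isdigit():            # optional sequence number (named ACLs)
        tokens = tokens[1:]
    standard = tokens[1] not in ("ip", "tcp", "udp", "icmp")
    proto = "ip" if standard else tokens[1]   # standard ACLs match any protocol
    src, rest = _take_addr(tokens[1:] if standard else tokens[2:])
    sport, rest = (None, rest) if standard else _take_port(rest)
    dst, rest = ((lambda ip: True), rest) if standard else _take_addr(rest)
    dport, rest = _take_port(rest)
    return {"action": tokens[0], "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "established": "established" in rest}

def evaluate(acl_lines, pkt):
    # top-down, first match wins; ("deny", None) means the implicit deny all
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (ace["src"](pkt["src"]) and ace["dst"](pkt["dst"])):
            continue
        if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
            continue
        if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
            continue
        if ace["established"] and not pkt.get("ack", False):  # ACK/RST set
            continue
        return ace["action"], n
    return "deny", None
```

Feeding the SECURITY_POLICY entries to `evaluate` shows why order matters: a Telnet packet with ACK set still hits the `deny tcp any any eq 23` line because it is matched before the `established` permit.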