Lab 06B - Access Control Lists (ACL)


Lab Objective

Introduction to ACLs and their configuration in Cisco Packet Tracer. Learn to implement security policies using Standard and Extended Access Control Lists.

Summary of ACL

Access Control Lists (ACLs) are used to filter network traffic and enhance security. Key points:

  • Sequential rule matching; first match applied
  • Implicit deny at the end of every ACL
  • Can be applied inbound or outbound on interfaces
  • Used for traffic filtering, security, and QoS

Types of ACL

Type          | Description                                                           | Range
Standard ACL  | Filters traffic using source IP only; cannot distinguish protocols    | 1-99, 1300-1999
Extended ACL  | Filters traffic using source & destination IP, ports, and protocols   | 100-199, 2000-2699
Reflexive ACL | Uses upper-layer session information; also called IP session ACL      | N/A
Dynamic ACL   | Grants access after authentication (Telnet); based on extended ACL    | N/A

ACL Categories

Category     | Description
Numbered ACL | Identified by number; specific rules cannot be deleted, a delete removes the whole ACL
Named ACL    | Identified by name; specific rules can be deleted

Rules for ACL Implementation

  • Standard ACLs applied closer to destination
  • Extended ACLs applied closer to source
  • Only one ACL per interface per protocol per direction
  • New rules added at the bottom; always include at least one permit statement
  • Standard and extended ACLs cannot share the same name

ACL Configuration Commands

Cisco ACL Configuration Commands

Command                                                           | Description
access-list 1 permit 192.168.1.0 0.0.0.255                        | Standard ACL permitting the entire 192.168.1.0/24 network
access-list 101 permit tcp any any eq 80                          | Extended ACL permitting HTTP traffic from any to any
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 | Extended ACL denying traffic between specific networks
ip access-list extended WEB_TRAFFIC                               | Create a named extended ACL
permit tcp any any eq 80                                          | Rule inside the named ACL (HTTP permission)
interface gigabitethernet0/0                                      | Enter interface configuration mode
ip access-group 101 in                                            | Apply ACL 101 to the interface inbound
show access-lists                                                 | Display all configured ACLs
show ip interface                                                 | Show ACLs applied to interfaces

Practical ACL Examples

Example 1: Standard ACL

    ! Allow only specific network
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 10 deny any

    ! Apply to interface
    interface gigabitethernet0/0
    ip access-group 10 in

Explanation: This standard ACL permits traffic only from the 192.168.1.0/24 network and denies all other traffic.

Example 2: Extended ACL

    ! Allow HTTP but deny FTP
    access-list 101 permit tcp any any eq 80
    access-list 101 deny tcp any any eq 21
    access-list 101 permit ip any any

    ! Apply to interface
    interface gigabitethernet0/1
    ip access-group 101 out

Explanation: This extended ACL allows HTTP traffic, blocks FTP traffic, and permits all other IP traffic outbound.
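To make the matching rules from the summary concrete (top-down evaluation, first match wins, implicit deny, wildcard masks), here is an added Python model of a Cisco ACL evaluator. It is not part of the lab and is not how IOS is implemented; it parses the exact access-list lines from Examples 1 and 2 and runs constructed sample packets through them.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: 0 bits must match, 1 bits are ignored (0.0.0.255 == /24)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_addr(t, i):
    """Consume an address spec at t[i]: 'any', 'host A', or 'A WILDCARD'."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_ace(line):
    """Parse one 'access-list <n> permit|deny ...' entry (standard or extended)."""
    t = line.split()
    num = int(t[1])
    ace = {"action": t[2], "proto": "ip", "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
    if num <= 99 or 1300 <= num <= 1999:            # standard ACL: source address only
        ace["src"] = parse_addr(t, 3)[:2]
        return ace
    ace["proto"] = t[3]                               # extended: protocol, src, dst, [eq port]
    sb, sw, i = parse_addr(t, 4)
    db, dw, i = parse_addr(t, i)
    ace["src"], ace["dst"] = (sb, sw), (db, dw)
    if i < len(t) and t[i] == "eq":
        ace["dport"] = int(t[i + 1])
    return ace

def evaluate(acl_lines, pkt):
    """Walk the ACL top-down; the first matching entry decides; implicit deny if none match."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], line
    return "deny", None                               # the implicit deny at the end of every ACL

# ACL entries taken from Examples 1 and 2 above; the packets below are constructed samples.
ACL_10 = ["access-list 10 permit 192.168.1.0 0.0.0.255", "access-list 10 deny any"]
ACL_101 = ["access-list 101 permit tcp any any eq 80",
           "access-list 101 deny tcp any any eq 21",
           "access-list 101 permit ip any any"]
if __name__ == "__main__":
    print(evaluate(ACL_10, {"proto": "tcp", "src": "192.168.2.77", "dst": "10.0.0.5", "dport": 22}))
    print(evaluate(ACL_101[:2], {"proto": "udp", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 53}))
```

Dropping the final `permit ip any any` from ACL 101 (the second call) shows why the rules above insist on at least one permit: a UDP packet matches nothing and falls through to the implicit deny.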

Flowchart Summary

  • Standard ACL: source IP only; range 1-99, 1300-1999
  • Extended ACL: source & destination IP, ports, protocols; range 100-199, 2000-2699
  • Reflexive ACL: uses session information; session-based filtering
  • Dynamic ACL: grants access after Telnet authentication; authentication required

Lab Resources

Lab 06A+06B Task
