Sicher in 15 min.
CCNA (engl.)
Access Lists
Become Partner!

With Access Lists, you can filter traffic on your Cisco Router.
It filters only traffic coming in or going through your router.
It does not filter traffic which origins from the router. Its kind of "Firewall"-Feature.
You can permit or deny traffic from or to a network or host, and can filter on special ports.
Its useable for "basic" security.
For komplex Firewall settings, better use a "real" Firewall, because
to much filtering can make the device slower, cause each paket has to be checked, and the more rulez are configured, the more the CPU of the router has to work.

There are two kinds of Access Lists on Cisco Routers

1. Standart ACLs

-Numbered from 1-99 (and some higher ranges)
-filter ONLY on SOURCE IP
-needed to permit or deny a single source ip or source network to access another network or host

2. Extended ACLs

-Numbered from 100-199 (and some higher ranges)
-filter on Source IP and protocols and ports/applications
-needed to filter only traffic from a specified host or network and specified protocols and ports

ACLs can be identified by numbers, or by names.

Handling of Access-Lists

1. Configure some statements.

example1: Deny http and telnet access from a Network to an Host

access-list 100 deny tcp eq 80
access-list 100 deny tcp eq 23
access-list 100 permit ip any any

example2: Deny complete ip access from a network

access-list 1 deny
access-list 1 permit any any

example 3: Deny Ping from a network to a host

access-list 101 deny icmp host
access-list 101 permit ip any any

You can also use command

access-list 101 deny icmp
access-list 101 permit ip any any

2. Select the Interface where the Access List will filter pakets.
ALL the statements build ONE Access List.
Bind the ACL on an interface with command "ip access-group <acl-number> <in or out>"

interface e0
ip access-group 101 in


1. "Last" deny statement of every ACL
At the end of EVERY access-list there is a "access-list deny ip any any" statement, which is invisible.
Thats why we have to use the "access-list <nr> permit ip any any" statement at the end of OUR ACL.

2. From first to last
In filtering the packets, the router checks the statements of the ACL from the first to the last.
When an statement is found as true, the next statements are not checked anymore.


access-list 100 deny tcp eq 80
access-list 100 deny tcp eq 23
access-list 100 permit ip any any

If a host with IP would try to access the Webserver he would be denied, because of the first statement. The second and third statement would not be checked in that case.
If the same host would try to access the telnet port of the Webserver, then the first statement would be checked. Because its NOT Port 80 which the host wants to reach, the second statement would be checked.
The second statement denys telnet, and the host would not access the Webserver via Telnet.

3. Placement of ACLs
Put standart ACLs close to the Destination Host or Network which has to be protected
Put extended ACLs close to the Source Hosts or Network, from where the traffic will origin.

4. You can put ONE ACL per Interface, per Protocol, per Direction
You cant bind more than one ACL to an Interface per Direction (incoming or outgoing).

5. Single statements of an ACL can NOT be deleted
If you have to change or delete a single statement, you have to delete the whole ACL and write a new one.
Only in named access-lists it is possible to change or delete single statements of the ACL.

6. Different terms for different useage
There are different terms which can confuse.
Used to bind an access-list to an interface
Used to deny or permit telnet access to a router vty line.

7. synthax of extended ACL

access-list <number> <permit or deny> <protocol> <source> <wildcard> <destination> <wildcard> eq <portnumber or application>


access-list 111 deny tcp eq 23

8. synthax of standart ACL

access-list <number> <permit or deny> <source> <wildcard>

duno-netze.de | info<at>duno-netze.de