
Access Control Lists
Blocking traffic; Standard, Extended, RACL and VACL
Directions IN/OUT explanation

Access Control Lists are used not only to permit and deny traffic but also to mark interesting traffic. They may be used in cases such as NAT, quality of service, policy routing, route filtering and VPNs. There are also several kinds of ACLs, depending on what traffic we are going to block or mark and where.

Before we go over the different kinds of ACLs I have to underline some rules which are important regardless of which one we are going to use.

Common rules for access lists:

– An access list is read from the top to the bottom and processing stops at the first match

– An invisible “DENY” statement is always added at the end. This is why, when we use “DENY” statements first in an access list, we always finish with “PERMIT ANY” (“PERMIT IP ANY ANY” in an extended ACL). “DENY ANY” is added automatically, and if we didn’t add the explicit permit at the end, all traffic would be blocked, regardless of what our “DENY” statement says.

access-list 1 deny host
access-list 1 permit any
access-list 1 deny any   ! invisible, added automatically

– We may have 2 ACLs per interface (one in each direction, in and out). Outbound ACLs are applied after the routing engine has sent the packets to the outbound interface, but before they are put in the outgoing queue. Inbound ACLs are applied before the routing engine gets the packets.

– A “wildcard mask” is used. The wildcard mask is the inverse of the subnet mask, which means that if the subnet mask is then the wildcard mask is (we subtract 192 from 255). The wildcard mask uses “0 – don’t care bits” and “1 – care bits” and marks whether the traffic is interesting for us or not.

– Following the wildcard-mask logic, for a single host the wildcard mask will be , but we may use the word “HOST” instead of ; correspondingly, for the entire address space the wildcard mask will be and we may use the word “ANY”.

– Where should we apply ACLs? A standard ACL should be applied as close to the destination as possible, because it matches on the source address only. An extended ACL should be applied on our local router, because it carries both source and destination addresses, so we don’t have to worry about blocking all of the host’s traffic instead of only the traffic to the given destination. The picture below illustrates this. If I put the standard ACL “access-list 1 deny host” in the place of the extended ACL, all traffic from that host would be blocked and the user wouldn’t be able to get outside at all. If I put the extended ACL in the place of the standard ACL, I would waste router resources unnecessarily, because I can block the traffic on the first interface, as I did, which is the better solution.
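The three rules above (first match wins, an invisible deny closes the list, and the wildcard mask is the bitwise inverse of the subnet mask) can be checked with a small evaluator. The following Python is an added example written for this page, not code from the post; the addresses and list contents are constructed, and the helper names (wildcard_from_mask, matches, evaluate_standard) are my own. It applies the IOS convention that a 0 bit in the wildcard must match and a 1 bit is ignored, and shows what happens to a list that forgets its closing permit.

```python
"""Constructed example, not the post's own code: subnet-mask to wildcard
inversion and the top-down, first-match, implicit-deny evaluation of a
standard ACL. Addresses are documentation ranges chosen for the example."""
import ipaddress


def wildcard_from_mask(mask: str) -> str:
    """Invert a dotted subnet mask bit by bit: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & care == 0


def parse_standard_entry(line: str):
    """Accepts 'permit|deny host A', 'permit|deny any' or 'permit|deny A WILDCARD'."""
    action, target, *rest = line.split()
    if target == "host":          # 'host A' is shorthand for 'A 0.0.0.0'
        return action, rest[0], "0.0.0.0"
    if target == "any":           # 'any' is shorthand for '0.0.0.0 255.255.255.255'
        return action, "0.0.0.0", "255.255.255.255"
    return action, target, rest[0]


def evaluate_standard(acl, src: str):
    """Walk the list top to bottom and stop at the first matching entry;
    if nothing matches, the invisible 'deny any' at the end applies."""
    for line in acl:
        action, base, wild = parse_standard_entry(line)
        if matches(src, base, wild):
            return action, line
    return "deny", "implicit deny any"


# Constructed lists: the second one forgets the closing 'permit any'.
ACL_WITH_PERMIT = ["deny host 192.0.2.5", "permit any"]
ACL_WITHOUT_PERMIT = ["deny host 192.0.2.5"]
# A /16 expressed the way IOS wants it: network plus wildcard.
ACL_SUBNET = ["permit 10.1.0.0 " + wildcard_from_mask("255.255.0.0")]

if __name__ == "__main__":
    for src in ("192.0.2.5", "192.0.2.6"):
        print(src, evaluate_standard(ACL_WITH_PERMIT, src),
              evaluate_standard(ACL_WITHOUT_PERMIT, src))
    print("10.1.200.7", evaluate_standard(ACL_SUBNET, "10.1.200.7"))
    print("10.2.0.1", evaluate_standard(ACL_SUBNET, "10.2.0.1"))
```

Running it shows 192.0.2.6 permitted by the first list but silently denied by the second, which is exactly the "whole traffic blocked" failure the rule warns about; the returned second element tells you which entry (or the implicit deny) made the decision, which is what you want when auditing a list.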


For standard ACLs the following number ranges are reserved: 1 to 99 and 1300 to 1999. Standard ACLs match on the source IP address only and have lower processor utilization.

Example of a Standard ACL
We are going to reject traffic from host on interface fa0/1 and allow all other traffic into our network.

access-list 50 deny host
access-list 50 permit any
access-list 50 deny any   ! invisible, added automatically

interface fa0/1
ip access-group 50 out


Extended ACLs have the reserved number ranges 100 to 199 and 2000 to 2699. An extended ACL matches on the IP protocol number, source/destination address, protocol options (TCP/UDP ports), ICMP type and code, and TCP state (ACK/RST flags): the “established” keyword allows returning traffic (reflexive ACLs are described below).

Extended ACL examples

Assuming that we want to prevent host from connecting, from any port, to the server on port 80 (http), we have to apply this rule on our local router.

access-list 150 deny tcp host any host eq 80

REFLEXIVE (extended) ACL
Allows returning traffic for internal requests. If we want to allow any host from our internal network to initiate a connection to any host outside, but deny connections initiated from outside to inside, we have to apply this exemplary rule.

access-list permit tcp any any gt 1023 established

Any connection from inside to outside and its returning traffic will be allowed on ports gt (greater than) 1023 (below port 1023 are the well-known ports used by services), and initial traffic which comes from outside to inside will be rejected. This happens because the reflexive ACL (RACL), based on the 3-way handshake mechanism and the TCP flags, knows very well who wanted to establish the connection first (ACK flag – acknowledgement).

We don’t have to use numbers to name an ACL. In the case of extended ACLs we may use a “named ACL”. This type of access list begins with

ip access-list extended <name>

A time-based ACL gives us the ability to have an ACL which takes effect only during a certain time.

Example usage

time-range <name>
absolute start 13:00 23 Aug 2016 end 16:00 23 Aug 2016
periodic monday-friday 10:00 to 14:00

An access list doesn’t have to be applied to a physical interface; it may be applied to a terminal line. Let’s apply our time-based ACL to the VTY lines.

access-list 100 permit tcp any any eq telnet time-range <name>
line vty 0 4
access-class 100 in
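What the absolute and periodic statements do together is easy to get wrong: with both present, the periodic window is only evaluated inside the absolute window, so the range is active only where the two overlap. The Python below is an added example for this page, not code from the post or from IOS; it parses statements of the form shown above (the hyphenated day range, the weekdays/weekend/daily keywords and single day names are all accepted) and answers whether the range is active at a given moment. The function names (parse_time_range, is_active, active_at) and the overlap rule implemented are my own reading of the documented behaviour.

```python
"""Constructed example, not the post's own code: parse IOS-style time-range
statements and decide whether the range is active at a given moment.
Rule applied (as documented for IOS, treated here as an assumption): a
periodic statement is only evaluated inside the absolute window, so both
must agree for the range to be active."""
from datetime import datetime
from typing import Dict, List, Set

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def _minutes(hhmm: str) -> int:
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def _expand_days(spec: str) -> Set[str]:
    """'daily', 'weekdays', 'weekend', a single day, or a 'monday-friday' range."""
    spec = spec.lower()
    if spec == "daily":
        return set(DAYS)
    if spec == "weekdays":
        return set(DAYS[:5])
    if spec == "weekend":
        return {"saturday", "sunday"}
    if "-" in spec:
        first, last = spec.split("-")
        i, j = DAYS.index(first), DAYS.index(last)
        # a range that wraps past sunday (e.g. friday-monday) is allowed
        return set(DAYS[i:j + 1]) if i <= j else set(DAYS[i:] + DAYS[:j + 1])
    return {DAYS[DAYS.index(spec)]}   # unknown day name raises ValueError


def parse_time_range(lines: List[str]) -> Dict:
    """'lines' are the statements configured under 'time-range <name>'."""
    tr = {"absolute": (None, None), "periodic": []}
    for line in lines:
        tokens = line.split()
        if tokens[0] == "absolute":
            start = end = None
            i = 1
            while i < len(tokens):                       # 'start HH:MM D Mon YYYY' / 'end ...'
                stamp = datetime.strptime(" ".join(tokens[i + 1:i + 5]), "%H:%M %d %b %Y")
                if tokens[i] == "start":
                    start = stamp
                elif tokens[i] == "end":
                    end = stamp
                else:
                    raise ValueError(line)
                i += 5
            tr["absolute"] = (start, end)
        elif tokens[0] == "periodic":
            k = next(n for n, t in enumerate(tokens) if ":" in t)  # first HH:MM token
            days = set().union(*(_expand_days(d) for d in tokens[1:k]))
            if tokens[k + 1] != "to":
                raise ValueError(line)
            tr["periodic"].append((days, _minutes(tokens[k]), _minutes(tokens[k + 2])))
        else:
            raise ValueError(line)
    return tr


def is_active(tr: Dict, now: datetime) -> bool:
    start, end = tr["absolute"]
    if start is not None and now < start:
        return False
    if end is not None and now > end:
        return False
    if not tr["periodic"]:            # absolute only: the window alone decides
        return True
    day = DAYS[now.weekday()]
    minute = now.hour * 60 + now.minute
    return any(day in days and lo <= minute < hi for days, lo, hi in tr["periodic"])


# Constructed input mirroring the statements shown on the page (23 Aug 2016 is a Tuesday).
TIME_RANGE = parse_time_range([
    "absolute start 13:00 23 Aug 2016 end 16:00 23 Aug 2016",
    "periodic monday-friday 10:00 to 14:00",
])


def active_at(year: int, month: int, day: int, hour: int, minute: int) -> bool:
    return is_active(TIME_RANGE, datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    for stamp in ((2016, 8, 23, 12, 0), (2016, 8, 23, 13, 30), (2016, 8, 23, 15, 0), (2016, 8, 24, 13, 30)):
        print(stamp, active_at(*stamp))
```

For the page's own statements the only active period is 13:00 to 14:00 on 23 Aug 2016: before 13:00 the absolute window has not opened, after 14:00 the periodic window has closed, and on the next day the absolute window has expired. Checking a range this way before attaching it to an access-class on the VTY lines avoids discovering at the console that the management window never opens.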


IN / OUT Directions

Applying access lists in the correct direction might be confusing, but it is not hard to understand. Take a look at the topology below, which we will be using in our lab. We will be trying to reach the www server with IP address from the client IP address (ANY for simplicity). We will also be blocking traffic only on router R1, and moreover only on interface f0/0, in the IN and OUT directions.

The WWW server is listening on port 80. The port from which the client establishes the connection is random. So far nothing fancy. Now, for a better understanding of the directions, let’s have a look at R1.

As we see, an access list might be applied in 2 different directions, IN and OUT, depending on the interface we are going to apply the given access list on!


ip access-list extended 100
deny tcp any eq 80
permit ip any any

int fa0/0
ip access-group 100 in



ip access-list extended 110
deny tcp eq 80 any
permit ip any any

int fa0/0
ip access-group 110 out
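The extended ACL example, the reflexive "established" rule and the two directional lists above all come down to the same matching procedure, so one evaluator covers them. The Python below is an added example written for this page, not code from the post; the addresses are constructed, and the names (Packet, Entry, Interface, evaluate) are my own. It models ACL 100 applied IN and ACL 110 applied OUT on fa0/0 with the server address filled in as an assumed value, runs the client's request and the server's reply through them, and then runs the same reply and a fresh outside SYN through a "permit tcp any any gt 1023 established" list to show why the established keyword only lets replies back in.

```python
"""Constructed example, not the post's own code: an extended-ACL evaluator
that applies per-interface IN and OUT lists and honours the 'established'
keyword. Addresses are documentation ranges chosen for the example."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flags set on the segment


@dataclass(frozen=True)
class Entry:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every protocol
    src: Tuple[str, str]                 # (address, wildcard)
    dst: Tuple[str, str]
    sport: Optional[Tuple[str, int]] = None   # ("eq"|"gt"|"lt", port); None = any
    dport: Optional[Tuple[str, int]] = None
    established: bool = False            # match only segments with ACK or RST set


ANY = ("0.0.0.0", "255.255.255.255")


def host(addr: str) -> Tuple[str, str]:
    return (addr, "0.0.0.0")             # 'host X' is X with an all-zero wildcard


def _addr_ok(addr: str, spec: Tuple[str, str]) -> bool:
    base, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))   # 0 wildcard bit = must match
    return (a ^ b) & care == 0


def _port_ok(port: int, spec: Optional[Tuple[str, int]]) -> bool:
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_ok(p.src, e.src) and _addr_ok(p.dst, e.dst)):
        return False
    if not (_port_ok(p.sport, e.sport) and _port_ok(p.dport, e.dport)):
        return False
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, p: Packet) -> str:
    """Top-down first match; the implicit deny ends every list."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


class Interface:
    """At most one inbound and one outbound ACL per interface."""
    def __init__(self, acl_in=None, acl_out=None):
        self.acl_in, self.acl_out = acl_in, acl_out

    def inbound(self, p: Packet) -> str:    # checked before the routing engine sees the packet
        return "permit" if self.acl_in is None else evaluate(self.acl_in, p)

    def outbound(self, p: Packet) -> str:   # checked after routing, before the egress queue
        return "permit" if self.acl_out is None else evaluate(self.acl_out, p)


SERVER = "203.0.113.10"   # assumed www server address (constructed)
CLIENT = "192.0.2.25"     # assumed client address (constructed)

# ACL 100, applied IN on the client-facing fa0/0: drop requests to the web server.
ACL_100 = [Entry("deny", "tcp", ANY, host(SERVER), dport=("eq", 80)),
           Entry("permit", "ip", ANY, ANY)]
# ACL 110, applied OUT on the same interface: drop the server's replies instead.
ACL_110 = [Entry("deny", "tcp", host(SERVER), ANY, sport=("eq", 80)),
           Entry("permit", "ip", ANY, ANY)]
# 'permit tcp any any gt 1023 established': only replies to inside-initiated sessions.
ACL_REFLEX = [Entry("permit", "tcp", ANY, ANY, dport=("gt", 1023), established=True)]

REQUEST = Packet("tcp", CLIENT, SERVER, 40001, 80, frozenset({"SYN"}))
REPLY = Packet("tcp", SERVER, CLIENT, 80, 40001, frozenset({"SYN", "ACK"}))
OUTSIDE_SYN = Packet("tcp", SERVER, CLIENT, 5555, 40001, frozenset({"SYN"}))


def demo() -> dict:
    fa0_0 = Interface(acl_in=ACL_100, acl_out=ACL_110)
    outside = Interface(acl_in=ACL_REFLEX)
    return {
        "request_in_fa0/0": fa0_0.inbound(REQUEST),          # deny: ACL 100 catches the request
        "reply_out_fa0/0": fa0_0.outbound(REPLY),            # deny: ACL 110 catches the reply
        "reply_in_outside": outside.inbound(REPLY),          # permit: ACK set, port > 1023
        "new_syn_in_outside": outside.inbound(OUTSIDE_SYN),  # deny: no ACK, implicit deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Either list alone breaks the HTTP session, which is the point of the IN/OUT section: ACL 100 stops the request before R1 routes it, ACL 110 lets the request through and stops the answer on its way back out of fa0/0. The established check is deliberately only a flag test, so a spoofed segment with ACK set and a high destination port would pass the reflexive-style list; that is the known limitation of the keyword and the reason stateful inspection replaced it for perimeter use.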


VLAN access lists (VACLs) are applied on multilayer switches. An ordinary ACL can filter traffic between VLANs but CAN’T filter traffic between hosts within a particular VLAN! This happens because in that case the CAM table (based on MAC addresses) is not used; instead the TCAM table is used, where the switch also compares the wildcard mask in order to redirect traffic and, crucially, decides based on the longest prefix, which is not desirable when applying access lists within VLANs.

First we mark the interesting traffic with a named ACL:
ip access-list extended BLOCK_3_HOSTS_TRAFFIC
permit ip

Then we have to create a VLAN access map (each entry needs its own sequence number):
vlan access-map VLAN_33_BLOCK 10
match ip address BLOCK_3_HOSTS_TRAFFIC
action drop
vlan access-map VLAN_33_BLOCK 20
action forward   ! counterpart of "permit any" in a standard ACL

And we have to apply the VLAN access map to the interesting VLAN number:

vlan filter VLAN_33_BLOCK vlan-list <vlan-number>

