An ACL is a list of rules that can be applied to an interface to make a policy to the traffic.<\/p>\n
There are two main types of ACL:<\/p>\n
Standard<\/strong>: is usually applied to the outbound interface because it only looks at the source of the package. It is usually identified by numbers between 1 and 99. It is also possible to put a name in it but the syntax is different.<\/p>\n Extended<\/strong>: is usually applied in the inbound interface because it looks at the source and destination IPs and prevents unnecessary traffic in the network. It also looks at the port to restrict or allow based on what type of service. You can name with numbers (between 100 and 199) and names, which makes it much easier to manage.<\/p>\n Standard<\/strong> ACL syntax:<\/p>\n Note: 10<\/strong> is the identification of the ACL, 0.0.0.255<\/strong> is the wildcard of the network 10.0.0.0<\/strong>, for a single host the wildcard is not necessary.<\/p>\n And apply to one interface:<\/p>\n Extended<\/strong> ACL syntax:<\/p>\n Note: 100<\/strong> and WEB-POLICY<\/strong> Are the identification of the ACLs. When you inform host<\/strong> you don’t have to inform the wildcard because it is known, and eq<\/strong> stands for equal and followed by the port<\/strong> you are applying the rule.<\/p>\n Applying to an interface:<\/p>\n Altering one rule of the Extended ACL:<\/p>\n Remember! ACLs have always hidden one last rule that means DENY EVERYTHING FROM ANY TO ANY. So, if you want to permit everything else you have to set this command at the end:<\/p>\n If you want to allow the traffic that was already established, which means the response to a request<\/strong> adds “established” at the end of the rule:<\/p>\n Note: it can be applied to a tcp<\/strong> but not to an udp<\/strong> or ip<\/strong>.<\/p>\n Useful commands (show all ACLs or show only ACL 100):<\/p>\n Removing a rule or modifying it:<\/p>\n Note: 100<\/strong> is the identifier of the ACL and 30<\/strong> and 20<\/strong> are the numbers of the rule line listed in the second command.<\/p>\n A common errors while creating ACL rules is blocking returning traffic. Double-check these conditions to avoid issues.<\/p>\n Follow how to allow the traffic for already established TCP connections.<\/p>\n In the example above, the ACL 100 is applied to inbound of a WAN interface, for example. It blocks telnet coming in but allows incoming traffic for TCP established connections coming in that can be a telnet connection.<\/p>\n","protected":false},"excerpt":{"rendered":" An ACL is a list of rules that can be applied to an interface to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-514","post","type-post","status-publish","format-standard","hentry","category-ccna"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=514"}],"version-history":[{"count":14,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/514\/revisions"}],"predecessor-version":[{"id":1424,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/514\/revisions\/1424"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}access-list 10\r\n<\/strong>access-list 10<\/strong> allow 192.168.1.9\r\naccess-list 10<\/strong> deny 10.0.0.0 0.0.0.255<\/strong><\/pre>\n
interface g0\/0\r\nip access-group 10<\/strong> out<\/pre>\n
access-list 100<\/strong> remark Allow HTTP+SSH\r\naccess-list 100 permit tcp host 192.168.10.3 host<\/strong> 10.2.2.1 eq<\/strong> 22\r\naccess-list 100 permit tcp any any eq<\/strong> 80\r\n\r\nip access-list extended WEB-POLICY<\/strong>\r\npermit tcp 192.168.30.0 0.0.0.255 host<\/strong> 10.1.1.1 eq<\/strong> 80\r\npermit tcp 192.168.30.0 0.0.0.255 209.165.200.224 0.0.0.31 eq<\/strong> 80<\/pre>\n
interface g0\/0\r\nip access-group 100 out<\/strong>\r\n\r\ninterface g0\/1\r\nip access-group WEB-POLICY in<\/strong><\/pre>\n
ip access-list extended 100\r\n30<\/strong> permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255<\/pre>\n
access-list 100 deny icmp any any echo\r\naccess-list 100 deny icmp any any echo-reply\r\naccess-list 100 permit ip any any<\/pre>\n
access-list 100 permit tcp<\/strong> any any established<\/strong><\/pre>\n
show access-lists\r\nshow access-list 100<\/strong><\/pre>\n
ip access-list extended 100\r\n<\/strong>do show access-list 100\r\n<\/strong>no 30\r\n20<\/strong> xxxxx<\/pre>\n
access-list 100 permit tcp any any established\r\naccess-list 100 deny tcp any any eq telnet<\/pre>\n