ICND2 – Chapter 8 – Advanced IP ACLs

Chapter 7 taught you the very basics of standard access control lists and Chapter 8 is where you *really* learn about ACLs. The concepts are basically the same and the biggest issue with extended ACLs is remember the exact order of the parameters in the command. Here are my chapter 8 review notes:

Extended ACLs can look at more than the source address of a packet. (source address, destination address, source port, and destination port – as well as protocol type)

You can select TCP, UDP, or ICMP as the protocol type in an extended ACL. You can also use IP to select ALL IP packets.

When using a single address the host parameter is option in a standard ACL but not in an extended ACL. Always use host for both and there will be no issue.

When using TCP or UDP you can optionally use the port number as well.

Format of extended ACL:

access-list 101 permit protocol source_IP source_mask keyword source_port destination_IP destination_mask keyword destination_port


eq is equal to
ne is NOT equal to
lt is less than
gt is greater than
range allows range of ports

For example:

access-list 101 permit TCP lt 2000 eq 80

would allow TCP traffic from with a source port of less than 2000 to go to on port 80

Some well known ports numbers can be replaced with available keywords. Example:

telnet = port 23
www = port 80
pop3 = port 110
snmp = port 161

Named ACLS

Using names instead of number make it easier to identify the purpose of an ACL.

Named ACLs use the ACL subcommand instead of global commands for each item in the ACL.

To create a named ACL use:

Router(config#)ip access-list [standard | extended] MyNamedAccessList

You can also create a numbered ALC using the ip access-list command vs. the access-list command to allow more robust editing and line numbers.

When deleting an ACL, remove it from the interface first and then delete it.

The show-running-config always shows the old style of access lists.

To view the content of an IP access-list with line number use:

Router#show ip access-list 101

Place more specific statements earliest in the ACL.

Reflexive ACLs are essentially Stateful Packet Inspection (SPI) that most firewalls do my default.

Dynamic ACLs require a user to telnet to the router and authenticate before changing the ACL to accommodate the request.

Time-based ACLs add a time constraint to a normal ACL.


One comment on “ICND2 – Chapter 8 – Advanced IP ACLs

  1. Excellent post. I was checking continuously this blog and I’m impressed! Extremely helpful information specially the last part 🙂 I care for such info a lot. I was seeking this particular info for a very long time. Thank you and good luck.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s