An ACL (access control list) is an ordered list of permit/deny rules that is applied to an interface to enforce a policy on the traffic passing through it.
There are two main types of ACL:
Standard: looks only at the source IP address of the packet, so it is usually applied outbound on the interface closest to the destination (placed near the source it would cut that source off from every destination). It is identified by a number between 1 and 99 (or 1300 and 1999). It can also be given a name, but the syntax is different (ip access-list standard NAME).
Extended: looks at the source and destination IP addresses, so it is usually applied inbound on the interface closest to the source, which stops unwanted traffic before it crosses the network. It also matches on the protocol and port, so it can restrict or allow traffic by type of service. It can be identified by a number (100 to 199, or 2000 to 2699) or by a name, which makes it much easier to manage.
Standard ACL syntax:
access-list 10 permit 192.168.1.9
access-list 10 deny 10.0.0.0 0.0.0.255
Note: 10 is the identifier of the ACL; 0.0.0.255 is the wildcard mask of the network 10.0.0.0/24 (a 0 bit must match, a 1 bit is ignored, the inverse of a subnet mask). For a single host the wildcard can be omitted (it defaults to 0.0.0.0) or written as host 192.168.1.9. The keyword is permit, not allow.
And apply to one interface:
interface g0/0
 ip access-group 10 out
Extended ACL syntax:
access-list 100 remark Allow HTTP+SSH
access-list 100 permit tcp host 192.168.10.3 host 10.2.2.1 eq 22
access-list 100 permit tcp any any eq 80
ip access-list extended WEB-POLICY
 permit tcp 192.168.30.0 0.0.0.255 host 10.1.1.1 eq 80
 permit tcp 192.168.30.0 0.0.0.255 209.165.200.224 0.0.0.31 eq 80
Note: 100 and WEB-POLICY are the identifiers of the ACLs. When you use the host keyword you do not give a wildcard, because it is implied (0.0.0.0, a single address). eq stands for equal and is followed by the port the rule applies to (the port after the source address is the source port, the one after the destination address is the destination port).
Applying to an interface:
interface g0/0
 ip access-group 100 out
interface g0/1
 ip access-group WEB-POLICY in
Adding one rule to the extended ACL at a chosen position (sequence number 30; entries are evaluated in sequence order, so this is how a rule is inserted between existing ones):
ip access-list extended 100
 30 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Remember! Every ACL ends with a hidden last rule that means DENY EVERYTHING FROM ANY TO ANY (deny ip any any). Rules are evaluated top-down and the first match wins, so if you want to permit everything you have not explicitly denied, you have to put an explicit permit at the end, after the deny rules:
access-list 100 deny icmp any any echo
access-list 100 deny icmp any any echo-reply
access-list 100 permit ip any any
If you want to allow the return traffic of connections that were already established (that is, the responses to requests initiated from the other side), add established at the end of the rule:
access-list 100 permit tcp any any established
Note: established only works with tcp, not with udp or ip, because it matches TCP segments that have the ACK or RST flag set (anything except the initial SYN); UDP and plain IP have no such flags. The check is stateless: any segment with ACK set matches, whether or not a connection really exists.
Useful commands (show all ACLs or show only ACL 100):
show access-lists
show access-list 100
Removing a rule, or modifying it (remove the entry, then re-enter it with the same sequence number):
ip access-list extended 100
 do show access-list 100
 no 30
 20 xxxxx
Note: 100 is the identifier of the ACL; 30 and 20 are the sequence numbers of the rules as listed by the show command (do runs an exec command from configuration mode).
A common error when writing ACL rules is blocking the return traffic of connections that were initiated from the inside. Double-check this condition to avoid issues.
This is how to allow the traffic of already established TCP connections:
access-list 100 permit tcp any any established
access-list 100 deny tcp any any eq telnet
In the example above, ACL 100 is applied inbound on a WAN interface, for example. It blocks new Telnet connections coming in from the outside (their first segment carries only SYN), but allows incoming segments of TCP connections that are already established, which includes the replies to a Telnet session opened from the inside. The order matters: the permit established line must come before the deny. Because established looks only at the flags, a crafted inbound packet to port 23 with ACK set would also pass; where that matters, use a stateful firewall feature (CBAC or a zone-based firewall) instead of relying on established alone.
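As an added example, not part of these notes and not Cisco code, the following Python script implements the matching rules described here (wildcard masks, top-down first match, the hidden deny ip any any at the end, and the established keyword) and evaluates constructed packets against the ACL 10 and ACL 100 entries from these notes. The Packet and Entry classes, the small port-name table and the addresses of the test packets (203.0.113.5 stands in for an outside host) are assumptions made for the illustration; ICMP type keywords are not modelled and are rejected by the parser.

```python
# Added example: minimal evaluator for Cisco IOS ACL entries (standard and extended).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}   # subset of the IOS port names
ANY = (0, 0xFFFFFFFF)                               # 0.0.0.0 255.255.255.255

@dataclass
class Packet:                # constructed packet, not a real capture
    src: str
    dst: str
    proto: str = "ip"        # "tcp", "udp", "icmp" or "ip"
    sport: int = 0
    dport: int = 0
    ack: bool = False        # TCP ACK flag
    rst: bool = False        # TCP RST flag

@dataclass
class Entry:                 # one access control entry (ACE)
    action: str              # "permit" or "deny"
    proto: str
    src: Tuple[int, int]     # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]
    established: bool

def _ip(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))

def wildcard_match(addr: int, net: Tuple[int, int]) -> bool:
    network, wildcard = net
    care = ~wildcard & 0xFFFFFFFF          # wildcard bit 0 = must match, 1 = don't care
    return addr & care == network & care

def _parse_addr(tokens, i):
    """'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z', or a bare address (standard-ACL
    shorthand with an implied wildcard of 0.0.0.0)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
    if nxt.count(".") == 3:                # a wildcard mask follows the address
        return (_ip(tokens[i]), _ip(nxt)), i + 2
    return (_ip(tokens[i]), 0), i + 1

def _parse_port(tokens, i):                # optional 'eq <number|name>'
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), i + 2
    return None, i

def parse_entry(line: str) -> Entry:
    """One ACE; the 'access-list N' prefix and a leading sequence number are optional."""
    tokens = line.split()
    if tokens[0] == "access-list":         # numbered form: drop 'access-list N'
        tokens = tokens[2:]
    if tokens[0].isdigit():                # named form: drop the sequence number
        tokens = tokens[1:]
    action, i = tokens[0], 1
    if action not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line!r}")
    if tokens[i] in ("ip", "tcp", "udp", "icmp"):   # extended: proto src [eq] dst [eq]
        proto, i = tokens[i], i + 1
        src, i = _parse_addr(tokens, i)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
    else:                                           # standard: source address only
        proto, sport, dport, dst = "ip", None, None, ANY
        src, i = _parse_addr(tokens, i)
    trailing = tokens[i:]
    if trailing not in ([], ["established"]):       # ICMP types etc. are not modelled
        raise ValueError(f"unsupported keywords {trailing} in {line!r}")
    return Entry(action, proto, src, dst, sport, dport, trailing == ["established"])

def parse_acl(text: str) -> List[Entry]:
    entries = []
    for raw in text.strip().splitlines():           # skip headers and remarks
        tokens = raw.split()
        if tokens and tokens[0] != "ip" and "remark" not in tokens[:3]:
            entries.append(parse_entry(raw))
    return entries

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(_ip(p.src), e.src) and wildcard_match(_ip(p.dst), e.dst)):
        return False
    if e.sport not in (None, p.sport) or e.dport not in (None, p.dport):
        return False
    # 'established' only asks whether ACK or RST is set; a forged ACK passes it.
    return not e.established or (p.proto == "tcp" and (p.ack or p.rst))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; the hidden last entry is 'deny ip any any'."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

# The ACLs from the notes above, exactly as written there.
ACL_10 = parse_acl("access-list 10 permit 192.168.1.9\naccess-list 10 deny 10.0.0.0 0.0.0.255")
ACL_100 = parse_acl("access-list 100 permit tcp any any established\n"
                    "access-list 100 deny tcp any any eq telnet")
```

Evaluating constructed packets against ACL_100 shows the behaviour described in the notes: a new inbound Telnet connection (SYN only, destination port 23) is denied by the second line, the reply segments of a Telnet session opened from the inside (source port 23, ACK set) are permitted by the first, an inbound UDP datagram falls through to the implicit deny, and a forged inbound packet to port 23 with ACK set is permitted as well, which is the weakness of the stateless established check.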