In preparation for your CCNA Security 640-553 exam, we want to make sure we cover the topics that you will encounter on the exam. To assist you, below we discuss one CCNA Security concept: the functionality of standard, extended, and named IP ACLs used by routers to filter packets. As you progress through your CCNA exam studies, I am sure you will find with repetition that all the topics become much easier. So even though this may be a difficult concept initially, keep at it, as no one said getting your Cisco certification would be easy!
Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets
ACLs tell the router which traffic to allow and which traffic to deny. They can be configured to be general or specific. Unused but enabled services on routers represent a potential vulnerability for your network. Every network is unique, and therefore every network requires a different type of configuration on its routers. This chapter covers some of the Cisco IOS Software services that should be turned off in most network settings to prevent security breaches or network downtime. It also discusses some commonly configured management services and how to securely operate them.
ACLs are rules that deny or permit packets coming in or out of an interface. An ACL typically consists of multiple access control entries (ACEs), organized internally by the router as an ordered list. When a packet is subjected to access control, the router searches this list in order from top to bottom to find the first matching entry. That entry determines whether the packet is permitted or denied; if no entry matches, the packet is dropped by the implicit deny at the end of every ACL.
Standard IP ACLs
Standard IP ACLs are the oldest type of ACLs, dating back as early as Cisco IOS Software Release 8.3. Standard IP ACLs control traffic by comparing the source address of the IP packets to the addresses configured in the ACL.
The following is the command syntax format of a standard IP ACL (the log keyword is optional):
access-list access-list-number {permit | deny} {host source | source source-wildcard | any} [log]
In all software releases, the access-list-number can be anything from 1 to 99.
The log option enables you to monitor how many packets are permitted or denied by a particular ACL, including the source address of each packet. The logging message includes the ACL number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
After defining an ACL, you must apply it to the interface (inbound or outbound):
interface interface
ip access-group number {in | out}
Extended IP ACLs
Extended IP ACLs were introduced in Cisco IOS Software Release 8.3. Extended IP ACLs control traffic by comparing not only the source and destination IP addresses but also the source and destination port numbers of the IP packets to those configured in the ACL.
The following is the command syntax format of a numbered extended IP ACL (the access-list command, not the ip access-list command used for named ACLs):
access-list access-list-number [dynamic dynamic-name [timeout minutes]]
{deny | permit} protocol source source-wildcard destination destination-wildcard
[precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]
In all software releases, the access-list-number can be 101 to 199.
After defining an ACL, you must apply it to the interface (inbound or outbound):
interface interface
ip access-group number {in | out}
IP Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2. They allow standard and extended ACLs to be given names instead of numbers.
This is the command syntax format for IP named ACLs:
ip access-list {extended | standard} name
This is the syntax of a TCP entry within a named extended ACL:
{permit | deny} tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]] [established]
[precedence precedence] [tos tos] [log] [time-range time-range-name]
This is an example of the use of a named ACL in order to block all traffic except the Telnet connection from host 10.1.1.2 to host 172.16.1.1. Only the single permit entry is configured; every other packet arriving inbound on Ethernet0/0 matches nothing in the list and is dropped by the implicit deny at the end of the ACL.
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group in_to_out in

ip access-list extended in_to_out
 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
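To make the matching behaviour described above concrete (top-to-bottom first match, wildcard masks where a 1 bit means "don't care", and the implicit deny when nothing matches), here is a small Python simulator of how a router evaluates standard and extended ACL entries against a packet. It is an added example written for this article, not Cisco code and not part of the original text; the ACE grammar it accepts is the subset shown on this page, the packets are constructed sample data, and the second ACL (BLOCK_ONE_HOST) is a constructed example showing why entry order matters. It runs the article's own in_to_out ACL and confirms that only the Telnet session from 10.1.1.2 to 172.16.1.1 is permitted.

```python
# Added example (not from the original article): simulate IOS ACL evaluation.
# Shows wildcard-mask matching, first-match ordering, and the implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}      # "ip" matches any protocol
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")                    # what the 'any' keyword means
PortOp = Optional[Tuple[str, int, int]]                 # (operator, port, high-port)


@dataclass
class Packet:                      # constructed packet header fields
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


@dataclass
class ACE:
    action: str                    # "permit" or "deny"
    proto: Optional[int]           # None means "ip" (any protocol)
    src: Tuple[str, str]           # (address, wildcard)
    dst: Tuple[str, str]
    sport: PortOp
    dport: PortOp


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)      # force don't-care bits to 1 on both sides


def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'host A', 'any', 'A W', or a bare address (treated as a host)."""
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if tok[i] == "any":
        return ANY, i + 1
    if i + 1 < len(tok) and _is_ipv4(tok[i + 1]):
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1


def _parse_port_op(tok: List[str], i: int) -> Tuple[PortOp, int]:
    """Consume an optional 'eq|neq|gt|lt port' or 'range lo hi' operator."""
    if i >= len(tok) or tok[i] not in ("eq", "neq", "gt", "lt", "range"):
        return None, i
    lo = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
    if tok[i] == "range":
        return (tok[i], lo, int(PORT_NAMES.get(tok[i + 2], tok[i + 2]))), i + 3
    return (tok[i], lo, lo), i + 2


def parse_ace(line: str) -> ACE:
    """Parse one entry as typed under 'ip access-list' (standard or extended)."""
    tok = line.split()
    action, i = tok[0], 1
    if tok[i] == "ip" or tok[i] in PROTO_NUMBERS:           # extended entry
        proto, i = PROTO_NUMBERS.get(tok[i]), i + 1
        src, i = _parse_addr(tok, i)
        sport, i = _parse_port_op(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port_op(tok, i)
        return ACE(action, proto, src, dst, sport, dport)
    src, i = _parse_addr(tok, i)                             # standard: source only
    return ACE(action, None, src, ANY, None, None)


def _port_ok(op: PortOp, port: int) -> bool:
    if op is None:
        return True
    kind, lo, hi = op
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[kind]


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins; falling off the end is the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
            continue
        if not (_port_ok(ace.sport, pkt.sport) and _port_ok(ace.dport, pkt.dport)):
            continue
        return ace.action, idx
    return "deny", None                                      # implicit deny any


# The article's named ACL: only Telnet from 10.1.1.2 to 172.16.1.1 is permitted.
IN_TO_OUT = [parse_ace("permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet")]

# Constructed standard ACL: the host deny must come before the subnet permit,
# otherwise the permit matches first and the deny is never reached.
BLOCK_ONE_HOST = [parse_ace("deny host 10.1.1.5"), parse_ace("permit 10.1.1.0 0.0.0.255")]

if __name__ == "__main__":
    print(evaluate(IN_TO_OUT, Packet("10.1.1.2", "172.16.1.1", 6, 40000, 23)))  # ('permit', 0)
    print(evaluate(IN_TO_OUT, Packet("10.1.1.2", "172.16.1.1", 6, 40001, 22)))  # ('deny', None)
    print(evaluate(BLOCK_ONE_HOST, Packet("10.1.1.5", "172.16.1.1", 1)))        # ('deny', 0)
    print(evaluate(list(reversed(BLOCK_ONE_HOST)), Packet("10.1.1.5", "172.16.1.1", 1)))  # ('permit', 0)
```

The returned index tells you which entry made the decision, which is the same information the log keyword gives you on a real router; a result of None is the implicit deny, the entry you never see in the configuration but which is the reason the single permit above is enough to "block all other traffic".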
Hopefully you found this Cisco CCNA Security 640-553 article helpful as you progress toward your CCNA certification. You will find that the hands-on experience you gain with our CCNA certification kits is the best way to really solidify the various CCNA concepts in your brain. So please check out our various kits and other free CCNA certification material.