IP ACL types

Two types of IP ACL can be configured in Cisco Packet Tracer 8.2:

  • Standard ACLs: This is the oldest ACL type that can be configured on Cisco routers. Traffic is filtered based on the source IP address of IP packets only. The access-list number can be any number from 1 to 99. This kind of ACL has to be placed near the destination to avoid blocking legitimate traffic from the source.
access-list 1 permit
access-list 1 deny any
  • Extended ACLs: Introduced in IOS version 8.3, extended ACLs are more complex and allow filtering of IP traffic based on a combination of multiple criteria: source IP address, destination IP address, TCP or UDP port, protocol, etc. In numbered ACLs, the access-list number can be any number from 100 to 199 or 2000 to 2699 (available in IOS versions >12.0.1). Such ACLs can also be named access lists, in which the ACL number is replaced by a keyword. This kind of ACL has to be placed near the source, as it allows fine-grained control of the resources accessed. Placing the ACL near the destination would make the traffic travel through the network before being blocked, resulting in wasted bandwidth.
access-list 101 permit ip
access-list 101 permit icmp any echo
access-list 101 deny ip any any

Configuration on Cisco 2911 ISR Router

Restrict remote telnet or SSH access to the ISR router

Access lists can be used to restrict remote SSH or Telnet access to the ISR router management interface (VTY) from specific networks only. Only numbered access-lists are supported on the Virtual Terminal Line.

The access-class command is used to apply the access list to the Virtual Terminal Lines. The following configuration denies administrative access to the router except from the network hosting the admin workstations. Note the wildcard mask used in the access-list configuration for the /24 network.

access-list 1 permit

line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 1 in
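The two points above that trip people up in practice are how a wildcard mask is derived (0.0.0.255 for a /24, the inverse of the subnet mask) and how IOS walks a numbered ACL: top to bottom, first match wins, and anything that matches no line hits the implicit deny at the end. The following Python script is an added example, not Cisco IOS code or part of the original page: it computes wildcard masks from a prefix length, parses standard access-list lines in the same syntax used above (access-list 1-99 permit|deny source), and evaluates a source address against them the way the router does for a VTY access-class. The admin LAN 192.168.10.0/24 and the excluded host 192.168.10.99 are constructed sample values.

```python
"""Standard IP ACL evaluation with IOS-style wildcard masks.

Added example (not Cisco IOS code): models how a numbered standard ACL,
such as the one applied to the VTY lines with access-class, is evaluated:
top-down, first match wins, implicit deny when nothing matches. The sample
ACL text at the bottom is constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """IOS wildcard mask for an IPv4 /prefix_len network.

    The wildcard is the bitwise inverse of the subnet mask: a 0 bit must
    match exactly, a 1 bit is ignored. /24 -> 0.0.0.255, /32 -> 0.0.0.0.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the given wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (a & care) == (b & care)


@dataclass(frozen=True)
class StandardEntry:
    action: str     # "permit" or "deny"
    source: str     # base address; "any" is stored as 0.0.0.0 / 255.255.255.255
    wildcard: str


def parse_standard_acl(lines):
    """Parse 'access-list <1-99> permit|deny <source>' lines into entries.

    Accepted source forms: 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z', and a
    bare 'A.B.C.D' (IOS treats a missing wildcard as 0.0.0.0, i.e. one host).
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list entry: {line!r}")
        number, action, rest = int(parts[1]), parts[2], parts[3:]
        if not 1 <= number <= 99:  # standard range as stated on this page
            raise ValueError(f"{number} is outside the standard ACL range 1-99")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if rest == ["any"]:
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host" and len(rest) == 2:
            base, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 2:
            base, wildcard = rest
        elif len(rest) == 1:
            base, wildcard = rest[0], "0.0.0.0"
        else:
            raise ValueError(f"cannot parse source in {line!r}")
        entries.append(StandardEntry(action, base, wildcard))
    return entries


def evaluate_standard_acl(entries, source_ip: str) -> str:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for entry in entries:
        if wildcard_match(source_ip, entry.source, entry.wildcard):
            return entry.action
    return "deny"


# Constructed sample: admin workstations live on 192.168.10.0/24 and one
# workstation in that LAN is excluded explicitly. Order matters: a deny
# placed after the network permit would never be reached.
ADMIN_VTY_ACL = [
    "access-list 1 deny host 192.168.10.99",
    f"access-list 1 permit 192.168.10.0 {wildcard_from_prefix(24)}",
]

if __name__ == "__main__":
    acl = parse_standard_acl(ADMIN_VTY_ACL)
    for ip in ("192.168.10.25", "192.168.10.99", "10.20.30.40"):
        print(f"{ip:>15} -> {evaluate_standard_acl(acl, ip)}")
```

Running the script shows 192.168.10.25 permitted, 192.168.10.99 denied by the explicit host line, and 10.20.30.40 denied by the implicit deny even though no deny line mentions it; swapping the two ADMIN_VTY_ACL lines silently re-admits 192.168.10.99, which is the ordering mistake to check for when reviewing a VTY access-class.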