Configuration Example
Let's look at the example below to better understand how ACLs work. The requirement is that Sales should not have any access to the IT department, have limited access (only SSH and Telnet) to the HR department, and have full access to the internet.
Configuring the Extended ACL
Since we have several requirements based on source and destination IP addresses and applications, an extended ACL is a better fit than a standard ACL. This way, we can translate every requirement into an ACL entry and apply the list as close as possible to the source (R1), so that only allowed packets are permitted and all others are dropped early in the path.
As you can see from the commands above, first, you need to create the ACL. Once you define the type (extended) and the name (SALES_PERMISSIONS), you need to define the ACL statements inside the ACL mode.
The first three statements allow SSH and Telnet from Sales to HR and deny everything else between the two departments. The fourth entry denies any access from Sales to IT, while the last one permits everything else, including access to the internet.
Note: On Cisco routers and switches, the subnets or hosts inside ACL statements are identified with a wildcard mask, not a subnet mask. Mistakenly entering a subnet mask where a wildcard mask is expected produces no error message, because both use the same range of values (0 to 255) in each octet. However, because the bits of a wildcard mask have the opposite meaning, the statement will match completely different parts of the IP address and produce an incorrect result.
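To make the two points above concrete (the five entries of SALES_PERMISSIONS evaluated top-down with first match wins, and the subnet-mask-as-wildcard pitfall), here is an added Python model that is not part of the original article. The Sales, HR and IT subnets are constructed for illustration and are not taken from the article.

```python
import ipaddress
from typing import Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# Constructed subnets (assumptions, not from the article): one /24 per department.
SALES = ("10.1.1.0", "0.0.0.255")
HR    = ("10.1.2.0", "0.0.0.255")
IT    = ("10.1.3.0", "0.0.0.255")
ANY   = ("0.0.0.0", "255.255.255.255")

# (action, protocol, source, destination, destination port or None), in the order the article describes.
SALES_PERMISSIONS = [
    ("permit", "tcp", SALES, HR, 22),     # SSH from Sales to HR
    ("permit", "tcp", SALES, HR, 23),     # Telnet from Sales to HR
    ("deny",   "ip",  SALES, HR, None),   # everything else between Sales and HR
    ("deny",   "ip",  SALES, IT, None),   # no Sales access to IT at all
    ("permit", "ip",  ANY,   ANY, None),  # everything else, including the internet
]

def evaluate(acl, src: str, dst: str, proto: str, dport: Optional[int]) -> Tuple[str, Optional[int]]:
    """Return (action, entry index) of the first matching entry; implicit deny if nothing matches."""
    for i, (action, p, s, d, port) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, *s) and wildcard_match(dst, *d)):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None  # the implicit deny at the end of every ACL

def subnet_mask_pitfall() -> Tuple[bool, bool]:
    """Typing 255.255.255.0 where 0.0.0.255 belongs makes the first three octets
    'don't care' and forces the host octet to 0: a Sales host no longer matches,
    while an unrelated address ending in .0 does."""
    return (wildcard_match("10.1.1.5", "10.1.1.0", "255.255.255.0"),
            wildcard_match("192.168.99.0", "10.1.1.0", "255.255.255.0"))

if __name__ == "__main__":
    print(evaluate(SALES_PERMISSIONS, "10.1.1.10", "10.1.2.20", "tcp", 22))  # ('permit', 0)
    print(subnet_mask_pitfall())  # (False, True)
```

Moving the third entry above the first two would make SSH and Telnet to HR hit the deny first, which is why the order of the statements matters as much as their content.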
Applying the ACL
Creating an ACL without applying it does not perform any actions on the device. Therefore, you must apply the ACL to an interface and specify the direction in which the ACL will filter the traffic. This can be done using the ip access-group access-list-number|access-list-name in|out command to apply a standard or extended ACL on an interface.
In the example use case, the SALES_PERMISSIONS ACL should be applied to interface FastEthernet0/1 in the inbound direction. The following commands achieve that:
In the end, it does not matter whether you configure a standard or an extended ACL. What matters is that the ACL contains accurate statements based on your requirements and that those statements are placed in the correct order inside the ACL. Last but not least, you should apply the ACL on the right interface in the appropriate direction so that it actually takes effect.
Verifying the ACL
Verifying the ACL configuration is very important: it confirms that the ACL is correctly configured and up to date, and that the device is actually securing the network against unauthorized access or communications.
The show access-lists command displays the details of the configured access lists on the Cisco device. Based on the example above, the verification process will provide the following output: