Access Control List
What is an ACL?
ACLs are among the most commonly used features of Cisco IOS Software.
An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
ACL OPERATION
Outbound ACLs - Incoming packets are routed to the outbound interface, and they are processed through the outbound ACL.
Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface.
ACL OPERATION EXPLANATION
- ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.
Place of ACL
- Extended ACLs
- Standard ACLs
PACKET FILTERING
Packet filtering can occur at Layer 3 (Network) or Layer 4 (Transport).
Packet filtering controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them based on criteria.
The source IPv4 address is the filtering criteria set in each ACE of a standard IPv4 ACL.
Applying Standard IPv4 ACLs to Interfaces
- Apply an ACL to an interface using the ip access-group command.
- To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
Wildcard Mask Keywords
any - The any option substitutes for the 0.0.0.0 IPv4 address and the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address, or to accept any address.
host - The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match, to filter just one host address.
Rules for Applying ACLs
- One ACL per direction
- One ACL per interface
- One ACL per protocol
Wildcard Masking
A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Placement of the ACL
The extent of the network administrator’s control
- Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks.
Bandwidth of the networks involved
- Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination. This is especially important in low bandwidth networks.
Ease of configuration
- If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination. The disadvantage is that traffic from these networks will use bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This will save bandwidth by filtering the traffic at the source but requires creating extended ACLs on multiple routers.
Standard ACL Placement
R3 S0/0/1 interface
- Applying a standard ACL to prevent traffic from 192.168.10.0/24 from entering the S0/0/1 interface will prevent this traffic from reaching 192.168.30.0/24 and all other networks reachable by R3.
R3 G0/0 interface
- Applying the standard ACL to traffic exiting the G0/0 interface will filter packets from 192.168.10.0/24 to 192.168.30.0/24.
Editing Standard Named ACLs
In the first show command output, you can see that the ACL named NO_ACCESS has two numbered lines indicating access rules for a workstation with the IPv4 address 192.168.11.10.
From named access list configuration mode, statements can be inserted or removed.
To add a statement to deny another workstation requires inserting a numbered line. In the example, the workstation with the IPv4 address 192.168.11.11 is being added using a new sequence number of 15.
Method 1 - Use a Text Editor
Step 1. Display the ACL using the show running-config command. The example in the figure uses the include keyword to display only the ACEs.
Step 2. Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. After the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.
Step 3. In global configuration mode, remove the access list using the no access-list 1 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the configuration of the router.
Step 4. Using the show running-config command, verify the changes.
Method 2: Use sequence numbers
Step 1. Display the current ACL using the show access-lists 1 command.
Step 2. Enter the ip access-list standard command that is used to configure named ACLs.
Step 3. Verify the changes using the show access-lists command.
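As an added example (not from the original page or from Cisco), a small Python model of a standard IPv4 ACL that ties together the wildcard-mask rules above (bit 0 must match, bit 1 is ignored, with the any and host substitutions) and the sequence-number editing of Method 2: ACEs are kept in sequence order, so a new line such as sequence 15 lands between 10 and 20, and a source address is evaluated top-down with the implicit deny at the end. All list contents and addresses are constructed sample values.

```python
# Constructed simulator of a Cisco IOS standard IPv4 ACL (not IOS code).
# Parses ACE lines as the page shows them ("15 deny host 192.168.11.11",
# "10 permit 192.168.10.0 0.0.0.255", "permit any"), orders them by sequence
# number (so Method 2 style inserts work) and evaluates a source address.
import ipaddress

def parse_ace(line, default_seq):
    """Return (seq, action, network_int, wildcard_int) for one ACE line."""
    parts = line.split()
    seq = int(parts.pop(0)) if parts[0].isdigit() else default_seq
    action = parts.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    if parts[0] == "any":                 # any  = 0.0.0.0 with mask 255.255.255.255
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif parts[0] == "host":              # host = <addr> with mask 0.0.0.0
        addr, wild = parts[1], "0.0.0.0"
    else:                                 # explicit address; wildcard defaults to 0.0.0.0
        addr, wild = parts[0], (parts[1] if len(parts) > 1 else "0.0.0.0")
    return seq, action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def ace_matches(src, network, wildcard):
    """Wildcard bit 0 = address bit must match, bit 1 = address bit is ignored."""
    return ((src ^ network) & ~wildcard & 0xFFFFFFFF) == 0

class StandardACL:
    def __init__(self, lines=()):
        self.aces = []                     # (seq, action, network, wildcard), sorted by seq
        for line in lines:
            self.add(line)

    def add(self, line):
        # Without a sequence number IOS appends after the last ACE (step of 10).
        next_seq = self.aces[-1][0] + 10 if self.aces else 10
        ace = parse_ace(line, next_seq)
        if any(a[0] == ace[0] for a in self.aces):
            raise ValueError(f"sequence number {ace[0]} already in use")
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a[0])

    def evaluate(self, src_ip):
        """First matching ACE wins; no match means the implicit 'deny any'."""
        src = int(ipaddress.IPv4Address(src_ip))
        for seq, action, network, wildcard in self.aces:
            if ace_matches(src, network, wildcard):
                return action, seq
        return "deny", None

# Constructed NO_ACCESS list as in the editing example, then insert sequence 15.
no_access = StandardACL(["10 deny host 192.168.11.10", "20 permit 192.168.11.0 0.0.0.255"])
no_access.add("15 deny host 192.168.11.11")
```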
General guidelines for creating ACLs
- Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
- Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
- Configure ACLs for each network protocol configured on the border router interfaces.