TOPIC 7 : ACCESS CONTROL LISTS
What is an ACL?
a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
One of the most commonly used features of Cisco IOS software.
ACLs can be used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.
Limit network traffic to increase network performance.
ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.
Packet Filtering
An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are evaluated from top to bottom, and the first ACE that matches a packet decides whether it is forwarded or dropped; later ACEs are not consulted for that packet.
Packet filtering controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them based on given criteria
Packet filtering can occur at Layer 3 or Layer 4.
The source IPv4 address is the filtering criteria set in each ACE of a standard IPv4 ACL.
The last statement of an ACL is always an implicit deny any. It is automatically appended to every ACL even though it does not appear in the configuration, so a packet that matches no ACE is dropped, and an ACL containing only deny statements blocks all traffic in the direction it is applied.
ACL Operation
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
Inbound ACLs
Incoming packets are processed before they are routed to the outbound interface.
An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded.
Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of packets that need to be examined.
Outbound ACLs
Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface. Note that an outbound ACL filters only forwarded traffic; packets the router itself generates are not checked against it.
Introducing ACL Wildcard Masking
Wildcard Masking
IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Wildcard Mask Keywords
the keywords host and any help identify the most common uses of wildcard masking.
The host keyword substitutes for the 0.0.0.0 wildcard mask. That mask states that all 32 bits of the IPv4 address must match, so the ACE filters exactly one host address (host A is equivalent to A 0.0.0.0).
The any keyword substitutes for the address 0.0.0.0 together with the 255.255.255.255 wildcard mask. That mask ignores every bit of the IPv4 address, so the ACE matches any address.
General Guidelines for Creating ACLs
Rules for Applying ACLs
One ACL per protocol - To control traffic flow on an interface, a separate ACL must be defined for each protocol enabled on the interface (for example, one for IPv4 and one for IPv6).
One ACL per direction - An ACL controls traffic in only one direction, inbound or outbound, on an interface.
One ACL per interface - An ACL is applied to a specific interface, for example, GigabitEthernet 0/0.
Taken together, an interface can carry at most one ACL per protocol per direction: for IPv4, one inbound and one outbound.
Where to Place ACLs
Extended ACLs - Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
Standard ACLs - Because standard ACLs filter only on the source address, a standard ACL placed near the source would cut that source off from every destination, not just the one being protected. Place them as close to the destination as possible.
Editing Numbered ACLs using Sequence Numbers
Method 1 - Use a Text Editor: copy the ACL from the running configuration into a text editor, correct the ACEs there, remove the existing ACL from the router, and paste the corrected list back in. In the legacy numbered syntax individual ACEs cannot be deleted, so this method always rewrites the whole ACL.
Method 2 - Use Sequence Numbers: every ACE carries a sequence number (10, 20, 30, ... by default). Enter named ACL configuration mode for the numbered ACL and add a new ACE with a sequence number that falls between two existing entries, or remove a single ACE by its sequence number, leaving the rest of the list untouched.
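To tie the Packet Filtering rules (ordered ACEs, first match wins, implicit deny any) to the editing methods above, here is an added Python model of a standard IPv4 ACL. It is not Cisco code and does not talk to a router; it parses ACEs written in IOS syntax with a leading sequence number, evaluates a source address against them in sequence order, and shows what inserting, removing and resequencing ACEs by sequence number does to the result. The parser handles only the standard-ACL forms shown (address with wildcard, host, any, bare address), and the addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class ACE:
    seq: int
    action: str      # "permit" or "deny"
    addr: int        # 32-bit address the packet source is compared against
    wildcard: int    # 32-bit wildcard: 0 bit = must match, 1 bit = ignore

    def matches(self, src: int) -> bool:
        return ((src ^ self.addr) & (self.wildcard ^ MASK32)) == 0

    def text(self) -> str:
        """Render the ACE back into IOS syntax."""
        if self.wildcard == MASK32:
            target = "any"
        elif self.wildcard == 0:
            target = f"host {ipaddress.IPv4Address(self.addr)}"
        else:
            target = f"{ipaddress.IPv4Address(self.addr)} {ipaddress.IPv4Address(self.wildcard)}"
        return f"{self.seq} {self.action} {target}"


def parse_ace(line: str) -> ACE:
    """Parse one standard IPv4 ACE, sequence number first, e.g.
    '10 permit 192.168.10.0 0.0.0.255', '20 deny host 192.168.10.10', '30 permit any'."""
    parts = line.split()
    if len(parts) < 3 or parts[1] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    seq, action, rest = int(parts[0]), parts[1], parts[2:]
    if rest == ["any"]:
        addr, wildcard = 0, MASK32
    elif rest[0] == "host":
        addr, wildcard = _ip(rest[1]), 0
    elif len(rest) == 1:            # bare address: IOS treats it as a host match
        addr, wildcard = _ip(rest[0]), 0
    else:
        addr, wildcard = _ip(rest[0]), _ip(rest[1])
    return ACE(seq, action, addr, wildcard)


class StandardACL:
    """Standard IPv4 ACL: ACEs ordered by sequence number, first match wins,
    implicit 'deny any' after the last ACE."""

    def __init__(self, lines=()):
        self.aces: Dict[int, ACE] = {}
        for line in lines:
            self.add(line)

    def add(self, line: str) -> None:
        ace = parse_ace(line)
        if ace.seq in self.aces:
            raise ValueError(f"sequence {ace.seq} already in use")
        self.aces[ace.seq] = ace

    def remove(self, seq: int) -> None:
        del self.aces[seq]

    def ordered(self) -> List[ACE]:
        return sorted(self.aces.values(), key=lambda a: a.seq)

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Renumber ACEs while keeping their relative order."""
        renumbered: Dict[int, ACE] = {}
        for i, ace in enumerate(self.ordered()):
            ace.seq = start + i * step
            renumbered[ace.seq] = ace
        self.aces = renumbered

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence); sequence is None when the implicit deny applied."""
        s = _ip(src)
        for ace in self.ordered():
            if ace.matches(s):
                return ace.action, ace.seq
        return "deny", None

    def show(self) -> List[str]:
        return [ace.text() for ace in self.ordered()]


if __name__ == "__main__":
    # Constructed example ACL; the addresses are illustrative only.
    acl = StandardACL(["10 deny host 192.168.10.10",
                       "20 permit 192.168.10.0 0.0.0.255"])
    print(acl.evaluate("192.168.10.10"))   # ('deny', 10)
    print(acl.evaluate("192.168.10.50"))   # ('permit', 20)
    print(acl.evaluate("10.1.1.1"))        # ('deny', None)  implicit deny
    acl.add("15 deny host 192.168.10.50")  # insert between 10 and 20 (Method 2)
    print(acl.evaluate("192.168.10.50"))   # ('deny', 15)
    acl.remove(15)
    acl.add("5 permit 192.168.10.0 0.0.0.255")  # a broad permit placed first shadows the deny
    print(acl.evaluate("192.168.10.10"))   # ('permit', 5)
    acl.resequence()
    print(acl.show())
```

The shadowing case at the end is the usual way a sequence-number edit goes wrong: the new ACE is syntactically fine and the router accepts it, but because it sorts ahead of the more specific deny, that deny can never match again. Checking the ACL with a few representative addresses after every edit, as evaluate() does here, catches that before the change reaches an interface.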