TOPIC 7 : ACCESS CONTROL LIST
What is an ACL?
An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
ACLs can be used to select types of traffic to be analyzed, forwarded, or processed in other ways.
ACLs provide traffic flow control. For example, they can restrict the delivery of routing updates to ensure that the updates come from a known source.
Packet filtering
An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). Entries are evaluated in order and the first matching ACE decides the packet's fate.
Packet filtering controls access to a network by analyzing incoming and outgoing packets and forwarding or discarding them based on given criteria.
Packet filtering can occur at Layer 3 (source/destination IPv4 address) or Layer 4 (protocol and port numbers).
Every ACL ends with an implicit deny. This statement is automatically applied at the end of each ACL even though it does not appear in the configuration, so a packet that matches no ACE is dropped.
ACL operation
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
Inbound ACLs
Incoming packets are processed by the inbound ACL before they are routed to the outbound interface.
An inbound ACL is efficient because it saves the overhead of a routing lookup if the packet is discarded.
Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of packets that need to be examined.
Outbound ACLs
Incoming packets are first routed to the outbound interface, and then they are processed through the outbound ACL.
Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.
Introducing ACL Wildcard Masking
Wildcard Masking
IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match. It is the bitwise inverse of a subnet mask (for example, /24 corresponds to the wildcard 0.0.0.255).
Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Wildcard Mask Keywords
The keywords host and any identify the two most common uses of wildcard masking.
The host keyword substitutes for the 0.0.0.0 mask. This mask states that all 32 IPv4 address bits must match, so the ACE filters exactly one host address.
The any keyword substitutes for the IPv4 address 0.0.0.0 with the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address, so the ACE accepts any address.
General Guidelines for Creating ACLs
Rules for Applying ACLs
One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface (for example, one for IPv4 and one for IPv6).
One ACL per direction - ACLs control traffic in one direction at a time on an interface, so inbound and outbound traffic need separate ACLs.
One ACL per interface - ACLs control traffic for a single interface, for example, GigabitEthernet 0/0.
Where to Place ACLs
Extended ACLs
Locate extended ACLs as close as possible to the source of the traffic to be filtered.
Standard ACLs
Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
Editing Numbered ACLs
Method 1 - Use a Text Editor
Method 2 - Use Sequence Numbers
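The following is an added worked example, not part of the original notes and not Cisco IOS code: a small Python simulation of a standard IPv4 ACL that ties together the packet-filtering model (sequential ACEs, first match wins, implicit deny), wildcard masking (bit 0 = match, bit 1 = ignore, plus the host and any keywords), and editing by sequence number (Method 2). Names such as StandardAcl, Ace, parse_ace and wildcard_match are this example's own; the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer (raises on bad input)."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Apply a wildcard mask: a 0 bit means the address bit must match,
    a 1 bit means the bit is ignored. Only the 'care' bits are compared."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(ace_addr) & care)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len block: the bitwise inverse of the
    subnet mask, e.g. /24 -> 0.0.0.255, /26 -> 0.0.0.63."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~subnet_mask & 0xFFFFFFFF))


@dataclass
class Ace:
    seq: int
    action: str       # "permit" or "deny"
    addr: str
    wildcard: str


def parse_ace(seq: int, text: str) -> Ace:
    """Parse the source part of a standard ACE written in IOS-like syntax:
    'permit host 10.1.1.5', 'deny any', 'permit 10.1.1.0 0.0.0.255'."""
    parts = text.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {text!r}")
    action = parts[0]
    if parts[1] == "host":      # host keyword: wildcard 0.0.0.0, all 32 bits must match
        return Ace(seq, action, parts[2], "0.0.0.0")
    if parts[1] == "any":       # any keyword: 0.0.0.0 with wildcard 255.255.255.255
        return Ace(seq, action, "0.0.0.0", "255.255.255.255")
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"   # bare address behaves like host
    ipaddress.IPv4Address(parts[1])   # validate address and mask early
    ipaddress.IPv4Address(wildcard)
    return Ace(seq, action, parts[1], wildcard)


class StandardAcl:
    """Sequential list of ACEs: first match wins, implicit deny at the end."""

    def __init__(self) -> None:
        self.aces: List[Ace] = []

    def add(self, text: str, seq: Optional[int] = None) -> int:
        """Append at the next multiple of 10, or insert at an explicit sequence
        number (Method 2): the sequence number, not insertion time, decides
        where the ACE sits in the evaluation order."""
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        self.aces.append(parse_ace(seq, text))
        self.aces.sort(key=lambda a: a.seq)
        return seq

    def remove(self, seq: int) -> None:
        """Delete a single ACE by sequence number without touching the rest."""
        self.aces = [a for a in self.aces if a.seq != seq]

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """Return (action, sequence number of the matching ACE).
        (deny, None) represents the implicit deny that ends every ACL."""
        for ace in self.aces:
            if wildcard_match(src, ace.addr, ace.wildcard):
                return ace.action, ace.seq
        return "deny", None


if __name__ == "__main__":
    acl = StandardAcl()
    acl.add("deny host 192.168.10.10")               # seq 10 (constructed sample)
    acl.add("permit 192.168.10.0 0.0.0.255")         # seq 20
    print(acl.evaluate("192.168.10.10"))             # ('deny', 10)
    print(acl.evaluate("10.0.0.1"))                  # ('deny', None): implicit deny
    acl.add("permit host 192.168.10.10", seq=5)      # inserted ahead of the deny
    print(acl.evaluate("192.168.10.10"))             # ('permit', 5): order matters
```

The evaluate result carries the matching sequence number so a reviewer can see which ACE fired; inserting the same host permit at sequence 5 versus 15 gives opposite outcomes, which is the usual pitfall when an ACE is added to the end of an ACL instead of at the intended position.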