Chapter 7: Access Control Lists
An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
Packet Filtering
Packet filtering controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them based on given criteria. Packet filtering can occur at Layer 3 or Layer 4, as shown in the figure. Standard ACLs only filter at Layer 3. Extended ACLs filter at Layer 3 and Layer 4.
ACL Operation
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.
Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded.
Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.
ACL Wildcard Masking
A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following rules to match binary 1s and 0s:
Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Where to Place ACLs
The proper placement of an ACL can make the network operate more efficiently. An ACL can be placed to reduce unnecessary traffic.
Extended ACLs - Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
Standard ACLs - Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.
The placement of an ACL also depends on:
The type of ACL
The extent of the network administrator’s control
Bandwidth of the networks involved
Ease of configuration
Numbered Standard IPv4 ACL Syntax
To use numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface.
The access-list global configuration command defines a standard ACL with a number in the range of 1 through 99.
Named Standard IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different.
Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL.
Step 2. From the named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped.
Step 3. Apply the ACL to an interface using the ip access-group name command.
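The wildcard-mask matching rules above (bit 0 = examine, bit 1 = ignore) and the permit/deny evaluation of a standard ACL can be worked through in code. The following is an added example, not part of the original chapter or Cisco IOS: it parses a constructed numbered standard ACL in IOS syntax and evaluates a source address against it, first match wins, with the implicit deny that IOS appends to every ACL.

```python
import ipaddress

# Constructed sample ACL in IOS syntax (not from the original page).
# A standard ACL examines only the packet's source address.
SAMPLE_ACL = """
access-list 10 deny   192.168.10.10 0.0.0.0
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit host 10.1.1.5
"""

def parse_ace(line):
    """Parse one access control entry into (action, address_int, wildcard_int)."""
    parts = line.split()
    if parts[0] == "access-list":      # drop the 'access-list <number>' prefix
        parts = parts[2:]
    action, rest = parts[0], parts[1:]
    if rest[0] == "any":               # 'any' = 0.0.0.0 255.255.255.255
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":            # 'host A.B.C.D' = A.B.C.D 0.0.0.0
        addr, wild = rest[1], "0.0.0.0"
    elif len(rest) == 1:               # bare address: IOS assumes wildcard 0.0.0.0
        addr, wild = rest[0], "0.0.0.0"
    else:
        addr, wild = rest[0], rest[1]
    return (action,
            int(ipaddress.IPv4Address(addr)),
            int(ipaddress.IPv4Address(wild)))

def matches(src_int, addr_int, wild_int):
    """Wildcard bit 0: the address bit must match. Wildcard bit 1: bit is ignored."""
    care = ~wild_int & 0xFFFFFFFF          # bits the router actually examines
    return (src_int & care) == (addr_int & care)

def evaluate(acl_text, src_ip):
    """Return 'permit' or 'deny' for src_ip. Entries are tested top-down;
    the first match decides, and an unmatched packet hits the implicit deny."""
    src_int = int(ipaddress.IPv4Address(src_ip))
    for line in acl_text.strip().splitlines():
        action, addr_int, wild_int = parse_ace(line)
        if matches(src_int, addr_int, wild_int):
            return action
    return "deny"                          # implicit 'deny any' at the end of every ACL

if __name__ == "__main__":
    for ip in ("192.168.10.10", "192.168.10.77", "10.1.1.5", "10.1.1.6"):
        print(ip, "->", evaluate(SAMPLE_ACL, ip))
```

Swapping the first two entries would permit 192.168.10.10, which is why entry order matters as much as the masks themselves.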
Packet Tracer - Configuring Numbered Standard IPv4 ACLs
Standard access control lists (ACLs) are router configuration scripts that control whether a router permits or denies packets based on the source address. This activity focuses on defining filtering criteria, configuring standard ACLs, applying ACLs to router interfaces, and verifying and testing the ACL implementation.