Chapter 7 Access Control List
7.1 ACL Operation
7.1.1 Purpose of ACL
7.1.1.2 Packet filtering
Packet filtering controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them based on given criteria. Packet filtering can occur at Layer 3 or Layer 4, as shown in the figure. Standard ACLs only filter at Layer 3. Extended ACLs filter at Layer 3 and Layer 4.
7.1.1.3 Inbound and Outbound
Inbound - An inbound ACL filters packets coming into a specific interface and before they are routed to the outbound interface.
Outbound - An outbound ACL filters packets after being routed, regardless of the inbound interface.
7.1.1.1 What is ACL?
An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header. ACLs are among the most commonly used features of Cisco IOS software.
7.1.2 Wildcard Masks in ACLs
7.1.2.1 Wildcard masking
IPv4 ACEs include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
7.1.2.2 Wildcard mask examples
Wildcard Masks to Match IPv4 Subnets
In the first example, the wildcard mask stipulates that every bit in the IPv4 address 192.168.1.1 must match exactly.
In the second example, the wildcard mask stipulates that anything will match.
In the third example, the wildcard mask stipulates that any host within the 192.168.1.0/24 network will match.
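The three cases above, worked in code. This is an added example, not part of the original chapter; the mask values (0.0.0.0, 255.255.255.255 and 0.0.0.255) are the ones such a figure would show and are assumed here. It also goes slightly beyond the figure: it derives the wildcard mask for any prefix length and shows that wildcard bits need not be contiguous.

```python
import ipaddress


def wildcard_match(address: str, reference: str, wildcard: str) -> bool:
    """True if `address` matches `reference` under a Cisco-style wildcard mask.

    A wildcard bit of 0 means "this address bit must match exactly"; a wildcard
    bit of 1 means "ignore this bit". Note this is the inverse of a subnet mask.
    """
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(reference))
    # Bits we care about are those where the wildcard is 0, i.e. the complement.
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask that matches one whole /prefix_len subnet (e.g. /24 -> 0.0.0.255)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


# The three examples from the figure (reference address, wildcard mask); assumed values.
EXAMPLES = [
    ("192.168.1.1", "0.0.0.0"),        # exactly one host
    ("0.0.0.0", "255.255.255.255"),    # anything matches
    ("192.168.1.0", "0.0.0.255"),      # any host in 192.168.1.0/24
]

if __name__ == "__main__":
    for ref, wc in EXAMPLES:
        for probe in ("192.168.1.1", "192.168.1.77", "10.0.0.5"):
            print(f"{ref:<12} {wc:<16} {probe:<13} -> {wildcard_match(probe, ref, wc)}")
    # Non-contiguous wildcard: 0.0.1.255 matches both 192.168.0.0/24 and 192.168.1.0/24.
    print(wildcard_match("192.168.1.5", "192.168.0.0", "0.0.1.255"))
```

Because the match is a plain bitwise comparison, an ACE with a non-contiguous mask such as 0.0.1.255 is perfectly valid and covers two /24s at once; reading such entries back with this function is a quick way to check what an ACL actually matches.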
7.1.4 Guidelines for ACL placement
7.1.4.1 Where to place ACLs
Extended ACLs - Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
Standard ACLs - Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.
7.1.3 Guidelines for ACL Creation
7.1.3.1 General guidelines
Rules for applying ACLs
You can configure one ACL per protocol, per direction, per interface:
One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
7.1.3.2 ACL best practices
Benefit
This will ensure you implement organizational security guidelines.
This will help you avoid inadvertently creating potential access problems.
This will help you create a library of reusable ACLs.
This will help you avoid costly errors.
7.2 Standard IPv4 ACLs
7.2.2 Modify IPv4 ACLs
7.2.2.3 Editing standard named ACLs
The figure shows an example of inserting a line into a named ACL.
In the first show command output, you can see that the ACL named NO_ACCESS has two numbered lines indicating access rules for a workstation with the IPv4 address 192.168.11.10.
From named access list configuration mode, statements can be inserted or removed.
To add a statement to deny another workstation requires inserting a numbered line.
The final show command output verifies that the new workstation is now denied access.
7.2.2.1 Method 1 - use a text editor
Configuration: For example, assume that the host IPv4 address in the figure was incorrectly entered.
Step 1. Display the ACL using the show running-config command. The example in the figure uses the include keyword to display only the ACEs.
Step 2. Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. After the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.
Step 3. In global configuration mode, remove the access list using the no access-list 1 command.
Step 4. Using the show running-config command, verify the changes.
7.2.2.2 Method 2 - use sequence numbers
Step 1. Display the current ACL using the show access-lists 1 command. The output from this command will be discussed in more detail later in this section. The sequence number is displayed at the beginning of each statement.
Step 2. Enter the ip access-list standard command that is used to configure named ACLs. The ACL number, 1, is used as the name. First, the misconfigured statement needs to be deleted using the no 10 command, with 10 referring to the sequence number.
Step 3. Verify the changes using the show access-lists command.
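A small model of sequence-numbered editing, covering both 7.2.2.3 (inserting a numbered line into NO_ACCESS) and Method 2 above (removing a misconfigured statement by its sequence number and re-adding it). This is an added example written for this page, not Cisco IOS code; the second workstation address 192.168.11.11, the permit line and the corrected address 192.168.11.9 are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def wildcard_match(address: str, reference: str, wildcard: str) -> bool:
    """True if `address` equals `reference` in every bit where the wildcard mask is 0."""
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(reference))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    source: str                 # reference source address
    wildcard: str = "0.0.0.0"   # 0.0.0.0 = one host, the way IOS displays a host entry


@dataclass
class StandardAcl:
    name: str
    aces: List[Ace] = field(default_factory=list)

    def add(self, action: str, source: str, wildcard: str = "0.0.0.0",
            seq: Optional[int] = None) -> int:
        """Add an ACE. Without `seq` it is appended 10 past the last entry (the IOS
        default increment); with `seq` it is inserted at that point in sequence order."""
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        self.aces.append(Ace(seq, action, source, wildcard))
        self.aces.sort(key=lambda a: a.seq)
        return seq

    def remove(self, seq: int) -> None:
        """Delete one ACE by sequence number, like 'no <seq>' in named ACL config mode."""
        kept = [a for a in self.aces if a.seq != seq]
        if len(kept) == len(self.aces):
            raise ValueError(f"no ACE with sequence number {seq}")
        self.aces = kept

    def evaluate(self, src_ip: str) -> str:
        """Standard ACL lookup: ACEs are tested in sequence order, the first match
        decides, and a packet matching no ACE hits the implicit deny at the end."""
        for ace in self.aces:
            if wildcard_match(src_ip, ace.source, ace.wildcard):
                return ace.action
        return "deny"

    def show(self) -> str:
        """Output shaped like 'show access-lists' (constructed, not captured from a router)."""
        lines = [f"Standard IP access list {self.name}"]
        for a in self.aces:
            src = a.source if a.wildcard == "0.0.0.0" else f"{a.source}, wildcard bits {a.wildcard}"
            lines.append(f"    {a.seq} {a.action} {src}")
        return "\n".join(lines)


def demo() -> StandardAcl:
    """Build NO_ACCESS as in 7.2.2.3: two lines, then a numbered line inserted between them."""
    acl = StandardAcl("NO_ACCESS")
    acl.add("deny", "192.168.11.10")                   # seq 10: workstation from the text
    acl.add("permit", "192.168.11.0", "0.0.0.255")     # seq 20: constructed permit line
    acl.add("deny", "192.168.11.11", seq=15)           # inserted: second workstation (constructed)
    return acl


if __name__ == "__main__":
    acl = demo()
    print(acl.show())
    for host in ("192.168.11.10", "192.168.11.11", "192.168.11.12", "10.0.0.1"):
        print(host, "->", acl.evaluate(host))
```

The `remove` / `add` pair with an explicit `seq` is the Method 2 workflow: delete the wrong statement by number and put the corrected one back at the same position, without touching the rest of the list. The `evaluate` method also makes the implicit deny visible, which is the detail most often forgotten when an ACL is edited by hand.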
7.2.1 Configure standard IPv4 ACLs
7.2.1.1 Numbered standard IPv4 ACL syntax
To use numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface.
7.2.1.2 Applying standard IPv4 ACLs to interfaces
After a standard IPv4 ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode:
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
7.2.1.4 Named standard IPv4 ACL syntax
Naming an ACL makes it easier to understand its function. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different.
7.2.1.3 Numbered standard IPv4 ACL examples
This ACL is applied to interface G0/0 in the inbound direction. Because the filter only affects the 192.168.10.0/24 LAN on G0/0 it is more efficient to apply the ACL to the inbound interface. The ACL could be applied to S0/0/0 in the outbound direction but then R1 would have to examine packets from all networks including 192.168.11.0/24.