CHAPTER 7: ACCESS CONTROL LISTS
What is an ACL?
An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
ACLs are among the most commonly used features of Cisco IOS software.
When configured, ACLs perform the following tasks:
Limit network traffic to increase network performance.
Provide traffic flow control. ACLs can restrict the delivery of routing updates to ensure that the updates are from a known source.
Provide a basic level of security for network access.
Packet Filtering
Packet filtering controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them.
ACL Operation
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
ACLs can be configured to apply to inbound traffic and outbound traffic as shown in the figure.
Inbound ACLs
- Incoming packets are processed before they are routed to the outbound interface.
Outbound ACLs
- Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
Wildcard Masking
IPv4 access control entries (ACEs) include the use of wildcard masks. A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
Wildcard Mask Examples
Wildcard Masks to Match IPv4 Subnets
Wildcard Masks to Match Ranges
Wildcard Mask Keywords
Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the keywords host and any help identify the most common uses of wildcard masking.
General Guidelines for Creating ACLs
Writing ACLs can be a complex task. For every interface there may be multiple policies needed to manage the type of traffic allowed to enter or exit that interface. The router in the figure has two interfaces configured for IPv4 and IPv6. If we needed ACLs for both protocols, on both interfaces and in both directions, this would require eight separate ACLs.
Numbered Standard IPv4 ACL Syntax
To use numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface.
Named Standard IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different.
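Added example, not from the page and not Cisco code: a small Python model of how a standard IPv4 ACL decides the fate of a packet. It covers the Wildcard Masking section (a 0 bit in the mask means the address bit must match, a 1 bit means ignore it; the `host` and `any` keywords are shorthand for wildcards 0.0.0.0 and 255.255.255.255) and the numbered and named syntax of the two sections above (`access-list <number> permit|deny ...` lines, and `permit|deny ...` lines with optional sequence numbers under `ip access-list standard <name>`). It assumes the IOS behaviour that standard ACLs examine only the source address, that ACEs are tested top to bottom with the first match deciding, and that an unmatched packet is dropped by the implicit deny at the end. The two sample ACLs are constructed; the `ip access-group` step that activates the ACL on an interface is not modelled.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed IOS semantics for standard ACLs: only the SOURCE address is examined,
# ACEs are tested top to bottom, the first match decides, and an unmatched
# packet is dropped by the implicit "deny any" at the end of every ACL.
ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    address: int   # source address as a 32-bit integer
    wildcard: int  # wildcard mask as a 32-bit integer (1 bit = don't care)


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, ace_address: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask means that address bit must match;
    a 1 bit means ignore it. Compare only the bits where the mask is 0."""
    care = to_int(wildcard) ^ ALL_ONES
    return (to_int(addr) & care) == (to_int(ace_address) & care)


def wildcard_for_subnet(cidr: str) -> tuple[str, str]:
    """(address, wildcard) pair matching one subnet: the wildcard is the
    inverse of the subnet mask, which ipaddress exposes as the host mask."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def parse_ace(line: str) -> Ace:
    """Parse one standard ACE, numbered ('access-list 10 deny host 10.0.0.1')
    or named, optionally with a sequence number ('20 permit 10.0.0.0 0.0.0.255').
    'host' means wildcard 0.0.0.0, 'any' means 0.0.0.0 255.255.255.255, and a
    plain address with no wildcard is treated as an exact host match."""
    tokens = line.split()
    if tokens and tokens[0] == "access-list":
        tokens = tokens[2:]           # drop 'access-list <number>'
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]           # drop a named-ACL sequence number
    if tokens and tokens[-1] == "log":
        tokens = tokens[:-1]          # optional logging keyword
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action = tokens[0]
    if tokens[1] == "any":
        return Ace(action, 0, ALL_ONES)
    if tokens[1] == "host":
        return Ace(action, to_int(tokens[2]), 0)
    wildcard = to_int(tokens[2]) if len(tokens) > 2 else 0
    return Ace(action, to_int(tokens[1]), wildcard)


def parse_acl(config: str) -> list[Ace]:
    """Parse ACE lines in order, skipping blanks, '!' comments, remarks and
    the 'ip access-list standard <name>' line that opens a named ACL."""
    aces = []
    for raw in config.splitlines():
        line = raw.strip()
        if (not line or line.startswith("!") or line.startswith("ip access-list")
                or "remark" in line.split()[:3]):
            continue
        aces.append(parse_ace(line))
    return aces


def evaluate(acl: list[Ace], source: str) -> str:
    """Return 'permit' or 'deny' for a packet with this source address."""
    src = to_int(source)
    for ace in acl:
        care = ace.wildcard ^ ALL_ONES
        if (src & care) == (ace.address & care):
            return ace.action         # first match wins
    return "deny"                     # implicit deny any


# Constructed sample: block one host, allow the rest of its /24 and the
# 192.168.16.0-192.168.31.255 range; everything else hits the implicit deny.
SAMPLE_ACL = """
access-list 10 remark Block one host, permit its neighbours and the 16-31 range
access-list 10 deny host 192.168.10.10
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.16.0 0.0.15.255
"""

# Same ACEs as a named ACL, but with the host deny placed below the /24 permit:
# the permit now shadows it, so ordering alone changes the result for that host.
SHADOWED_ACL = """
ip access-list standard SHADOWED
 10 permit 192.168.10.0 0.0.0.255
 20 deny host 192.168.10.10
 30 permit 192.168.16.0 0.0.15.255
"""

if __name__ == "__main__":
    for src in ("192.168.10.10", "192.168.10.77", "192.168.20.5", "192.168.40.1"):
        print(src, evaluate(parse_acl(SAMPLE_ACL), src), evaluate(parse_acl(SHADOWED_ACL), src))
```

Running the block prints one line per source address with the verdict under each ACL; the only difference between the two is the verdict for 192.168.10.10, which shows why ACE order matters when writing the more specific deny before a broader permit.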