Chapter 7 Access Control List
7.1.1 Purpose of ACLs
What is ACL ?
A series of IOS commands that control whether a router forwards or drops packets, based on information found in the packet header.
Packet Filtering
controls access to a network by analyzing the incoming and outgoing packets and forwarding them or discarding them based on given criteria.
can occur at layer 3 or layer 4
ACL Operation
set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
Inbound ACLs
Incoming packets are processed before they are routed to the outbound interface.
efficient because it saves the overhead of routing lookups if the packet is discarded.
Outbound ACLs
Incoming packets are routed to the outbound interface, and they are processed through the outbound ACL.
best used when the same filter will be applied to packets coming from multiple inbound interfaces before exiting the same outbound interface.
7.1.2 Wildcard Mask in ACLs
Wildcard Masking
A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
uses the digits 1 and 0 in the wildcard mask
wildcard mask bit 0 : match the value of the corresponding address bit
wildcard mask bit 1 : ignore the value of the corresponding address bit
Wildcard Mask Example
Wildcard Masks to Match IPv4 Subnets
Calculating the wildcard mask can take some practice.
Wildcard Mask Calculation
Calculating wildcard masks can be challenging.
One shortcut method is to subtract the subnet mask from 255.255.255.255.
Wildcard Mask Keywords
The keywords host and any help identify the most common uses of wildcard masking.
The host keyword substitutes for the 0.0.0.0 mask.
The any option substitutes for the IPv4 address and 255.255.255.255 mask.
7.1.3 Guidelines for ACL Creation
General Guidelines for Creating ACLs
For every interface there may be multiple policies needed to manage the type of traffic allowed to enter or exit that interface.
Guidelines
Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
Configure ACLs for each network protocol configured on the border router interfaces.
Rules for Applying ACLs
One ACL per protocol : To control traffic flow on an interface
One ACL per direction : ACLs control traffic in one direction at a time on an interface.
One ACL per interface : ACLs control traffic for an interface ( example : GigabitEthernet 0/0 )
ACL Best Practices
Using ACLs requires attention to detail and great care.
Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service.
Before configuring an ACL, basic planning is required.
7.1.4 Guidelines for ACL Placement
Where to Place ACLs
ACLs can be placed to reduce unnecessary traffic.
( example : traffic that will be denied at a remote destination should not be forwarded using network resources along the route to that destination. )
Extended ACLs - Locate extended ACLs as close as possible to the source of the traffic to be filtered.
Standard ACLs - Placing a standard ACL at the source of the traffic will effectively prevent that traffic from reaching any other networks through the interface where the ACL is applied.
The type of ACL used may also depend on:
The extent of the network administrator’s control - Placement of the ACL can depend on whether or not the network administrator has control of both the source and destination networks.
Bandwidth of the networks involved - Filtering unwanted traffic at the source prevents transmission of the traffic before it consumes bandwidth on the path to a destination.
Ease of configuration - If a network administrator wants to deny traffic coming from several networks, one option is to use a single standard ACL on the router closest to the destination.
7.2.1 Configure Standard IPV4 ACLs
Numbered Standard IPv4 ACL Syntax
To use numbered standard ACLs on a Cisco router, create the standard ACL and then activate the ACL on an interface.
access-list
Global configuration command that defines a standard ACL with a number in the range of 1 through 99.
When an administrator creates an ACL, the purpose of each statement is known and understood.
Applying Standard IPv4 ACLs to Interfaces
ip access-group
=> Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
Named Standard IPv4 ACL Syntax
Step 1
Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, case sensitive, and must be unique. The ip access-list standard name command is used to create a standard named ACL.
Step 2
From the named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped. You can use remark to add a comment to the ACL.
Step 3
Apply the ACL to an interface using the ip access-group name command. Specify whether the ACL should be applied to packets as they enter the interface (in) or applied to packets as they exit the interface (out).
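As an added example (not part of these notes or of Cisco's own tooling), the Python below implements the wildcard-mask shortcut and the bit-matching rule from 7.1.2, and a top-down first-match evaluator for the numbered standard ACL entries of 7.2.1. The IOS statement form that parse_ace accepts (access-list number, permit or deny, then host A, any, or address plus wildcard) and the sample ACL are assumptions made for illustration.

```python
"""Wildcard masks and a first-match evaluator for Cisco standard IPv4
ACLs.  Added example, not part of the original notes."""
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_subnet_mask(subnet_mask):
    """Shortcut from the notes: 255.255.255.255 minus the subnet mask."""
    return str(ipaddress.IPv4Address(ALL_ONES - to_int(subnet_mask)))

def ace_matches(packet_src, ace_addr, ace_wildcard):
    """Wildcard bit 0 = examine that address bit, 1 = ignore it.  The
    source matches when every differing bit sits under a wildcard 1."""
    differing = to_int(packet_src) ^ to_int(ace_addr)
    examined = ~to_int(ace_wildcard) & ALL_ONES
    return (differing & examined) == 0

def parse_ace(line):
    """Parse 'access-list <1-99> {permit|deny} {host A | any | A wildcard}'
    into (action, address, wildcard); host/any expand as in the notes."""
    tokens = line.split()
    if tokens[0] != "access-list" or not 1 <= int(tokens[1]) <= 99:
        raise ValueError("not a numbered standard ACE: %r" % line)
    action, source = tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: %r" % line)
    if source == ["any"]:
        return action, "0.0.0.0", "255.255.255.255"
    if source[0] == "host":
        return action, source[1], "0.0.0.0"
    return action, source[0], source[1]

def evaluate_standard_acl(aces, packet_src):
    """Top-down, first match wins; anything unmatched falls to IOS's
    implicit 'deny any' at the end of every ACL."""
    for action, addr, wildcard in aces:
        if ace_matches(packet_src, addr, wildcard):
            return action
    return "deny"

# Constructed sample ACL (not from the notes): block one host, permit the
# rest of its /24 and the 192.168.16.0/20 block, deny everything else.
SAMPLE_ACL = [parse_ace(ace) for ace in (
    "access-list 1 deny host 192.168.10.10",
    "access-list 1 permit 192.168.10.0 0.0.0.255",
    "access-list 1 permit 192.168.16.0 " + wildcard_from_subnet_mask("255.255.240.0"),
)]
```

A wildcard such as 0.0.254.255 (examine only the low bit of the third octet) shows why the mask is not simply an inverted subnet mask: it matches every odd-numbered /24 under 192.168.0.0 and none of the even ones.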
7.2.2 Modify IPV4 ACLs
Method 1 - Use a Text Editor
Step 1
Display the ACL using the show running-config command.
Step 2
Highlight the ACL, copy it, and then paste it into Microsoft Notepad. Edit the list as required. After the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it.
Step 3
In global configuration mode, remove the access list using the no access-list 1 command.
Step 4
Using the show running-config command, verify the changes.
Method 2 - Use Sequence Numbers
Step 1
Display the current ACL using the show access-lists 1 command.
Step 2
Enter the ip access-list standard command that is used to configure named ACLs.
Step 3
Verify the changes using the show access-lists command.
Verifying ACLs
The show ip interface command is used to verify the ACL on the interface.
The show access-lists command displays all configured ACLs.
To view an individual access list use the show access-lists command followed by the access list number or name.
ACL Statistics
the show access-lists command will show statistics for each statement that has been matched.
During testing of an ACL, the counters can be cleared using the clear access-list counters command.
7.2.3 Securing VTY ports with a Standard IPV4 ACL
The access-class Command
The access-class command configured in line configuration mode restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.
The command syntax of the access-class command is:
Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }