Chapter 7 : Access Control List
Wildcard Masks in ACLs
Wildcard masks use binary 1s and 0s to filter individual IPv4 addresses or groups of IPv4 addresses to permit or deny access to resources.
Wildcard Masking
A wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match.
Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Wildcard masks are often referred to as inverse masks: for a contiguous network, the wildcard mask is the bitwise inverse of the subnet mask (subnet mask 255.255.255.0 corresponds to wildcard mask 0.0.0.255, that is, 255.255.255.255 minus the subnet mask). Unlike a subnet mask, a wildcard mask does not have to be contiguous; the 1 bits can appear anywhere in the 32 bits.
Wildcard Mask Keywords
The keywords host and any identify the two most common uses of wildcard masking. These keywords eliminate entering wildcard masks when identifying a specific host or an entire network.
The host keyword substitutes for the 0.0.0.0 mask. This mask states that all 32 IPv4 address bits must match, so the entry filters just one host address (host 192.168.10.10 is equivalent to 192.168.10.10 0.0.0.0).
The any keyword substitutes for the address and mask pair 0.0.0.0 255.255.255.255. This mask says to ignore the entire IPv4 address, so the entry matches any address.
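The matching rule and keyword equivalences above, worked through in code. This is an added example, not part of the original chapter or of Cisco IOS; the function names (wildcard_from_prefix, wildcard_from_subnet_mask, matches, expand_keyword) and the sample addresses are assumptions chosen for illustration. It also goes one step beyond the text by showing a non-contiguous wildcard mask, which a subnet mask cannot express.

```python
import ipaddress

# Added example (not Cisco IOS code): models how a router applies a wildcard mask.
# Wildcard bit 0 -> the corresponding address bit must match the ACE address.
# Wildcard bit 1 -> the corresponding address bit is ignored.

HOST_WILDCARD = "0.0.0.0"                 # what the "host" keyword expands to
ANY_ADDRESS, ANY_WILDCARD = "0.0.0.0", "255.255.255.255"  # what "any" expands to


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a contiguous /prefix_len network (the inverse of its subnet mask)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Inverse mask: 255.255.255.255 minus the subnet mask, computed octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def matches(address: str, ace_address: str, wildcard: str) -> bool:
    """Return True if `address` matches the ACE's address/wildcard pair.

    Only the bits where the wildcard is 0 are compared; bits where it is 1 are ignored.
    The wildcard need not be contiguous, so 0.0.254.255 is a valid mask here.
    """
    addr = int(ipaddress.IPv4Address(address))
    base = int(ipaddress.IPv4Address(ace_address))
    ignore = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ ignore            # bits the router actually examines
    return (addr & care) == (base & care)


def expand_keyword(token: str, value: str = None) -> tuple:
    """Expand the 'host' and 'any' keywords into the explicit address/wildcard pair."""
    if token == "any":
        return ANY_ADDRESS, ANY_WILDCARD
    if token == "host":
        if value is None:
            raise ValueError("host keyword requires an address")
        return value, HOST_WILDCARD
    raise ValueError(f"unknown keyword: {token}")


if __name__ == "__main__":
    # Constructed sample addresses for illustration.
    print(wildcard_from_prefix(24), wildcard_from_subnet_mask("255.255.252.0"))
    print(matches("192.168.10.77", "192.168.10.0", "0.0.0.255"))   # same /24 -> True
    print(matches("192.168.11.77", "192.168.10.0", "0.0.0.255"))   # third octet differs -> False
    # host keyword: every bit must match, so only one address qualifies
    addr, wc = expand_keyword("host", "10.1.1.1")
    print(matches("10.1.1.1", addr, wc), matches("10.1.1.2", addr, wc))
    # any keyword: every bit is ignored
    addr, wc = expand_keyword("any")
    print(matches("203.0.113.9", addr, wc))
    # Non-contiguous mask: 0.0.254.255 examines only the lowest bit of the third
    # octet, so it matches every even-numbered /24 under 192.168.0.0.
    print(matches("192.168.4.10", "192.168.0.0", "0.0.254.255"))   # True
    print(matches("192.168.5.10", "192.168.0.0", "0.0.254.255"))   # False
```

The non-contiguous case is worth trying in a lab: IOS accepts 192.168.0.0 0.0.254.255 and it matches exactly the even third-octet subnets, which is not expressible with a subnet mask and is easy to misread when auditing an ACL.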
General Guidelines for Creating ACLs
Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
Configure ACLs for each network protocol configured on the border router interfaces.
Rules for Applying ACLs
One ACL can be configured per protocol, per direction, per interface.
One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
One ACL per interface - ACLs control traffic for an interface, for example, GigabitEthernet 0/0.
Where to Place ACLs?
Extended ACLs - Locate extended ACLs as close as possible to the source of the traffic to be filtered. This way, undesirable traffic is denied close to the source network without crossing the network infrastructure.
Standard ACLs - Because standard ACLs filter only on the source address and do not specify a destination, place them as close as possible to the destination of the traffic. Placing a standard ACL at the source of the traffic would prevent that source from reaching every network through the interface where the ACL is applied, not just the one you intend to protect.