Chapter 7 Access Control Lists

Administrators use ACLs to stop traffic or permit only specified traffic on their networks.

Packet filtering can occur at Layer 3 or Layer 4, as shown in the figure. Standard ACLs only filter at Layer 3. Extended ACLs filter at Layer 3 and Layer 4.

Code

Remove ACL

R1(config)# interface serial 0/0/0
R1(config-if)# no ip access-group 11 out
R1(config-if)# end
R1# show access-lists
R1# configure terminal
R1(config)# no access-list 11

Wildcards


Wildcard mask bit 0 - Match the corresponding bit value in the address.

Wildcard mask bit 1 - Ignore the corresponding bit value in the address.

For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied.


Packet Filtering

The last statement of an ACL is always an implicit deny.

An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).

Inbound ACLs

Incoming packets are processed through the inbound ACL before they are routed to the outbound interface.

Outbound ACLs

Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

Use the "show run" and "show access-lists" commands to view the currently configured ACLs.

inverse mask to Subnets

The keywords "host" (equivalent to wildcard mask 0.0.0.0) and "any" (equivalent to wildcard mask 255.255.255.255) help identify the most common uses of wildcard masking.

"1 is open, 0 is closed if it doesn't match"

Guidelines for making ACLs

One ACL per protocol, one ACL per direction, one ACL per interface.

Base your ACLs on the security policy.

Prepare a description of what you want the ACL to do.

Use a text editor to create, edit and save ACLs.

Test your ACLS on a development network before implementing them on a production network.

In calculating how many ACLs can be configured, use the rule of “three Ps”: one ACL per protocol, per direction, per interface. In this case, 2 interfaces x 2 protocols x 2 directions yields 8 possible ACLs.

Standard ACLs provide basic packet filtering in which the match is based only on the source IP address.

Extended ACLs allow filtering not only on the source address but also on destination addresses, protocol type, and source and destination port numbers.

Access Class Lists

You can specify which IP addresses are allowed remote access to your router with an ACL and an access-class statement configured on your VTY lines.

Extended ACLs are beyond the scope of this course.

access-list 10 permit host 192.168.10.10

Any

Extended access list

access list to vty lines