Chapter 7 Access Control Lists
Administrators use ACLs to stop traffic or permit only specified traffic on their networks.
Packet filtering can occur at Layer 3 or Layer 4, as shown in the figure. Standard ACLs only filter at Layer 3. Extended ACLs filter at Layer 3 and Layer 4.
Code
Remove ACL
R1(config)# int se0/0/0
R1(config-if)# no ip access-group 11 out
show access-lists
no access-list 11
Wildcards
Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied.
Packet Filtering
The last statement of an ACL is always an implicit deny.
An ACL is a sequential list of permit or deny statements, known as access control entries.
Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface.
Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
Use the "show run" and "show access-lists" commands to view the currently configured ACLs.
Inverse mask for subnets
The keywords "host" (0.0.0.0) and "any" (255.255.255.255) help identify the most common uses of wildcard masking.
"1 is open, 0 is closed if it doesn't match"
Guidelines for making ACLs
One ACL per protocol, one ACL per direction, one ACL per interface.
Base your ACLs on the security policy.
Prepare a description of what you want the ACL to do.
Use a text editor to create, edit and save ACLs.
Test your ACLs on a development network before implementing them on a production network.
In calculating how many ACLs can be configured, use the rule of “three Ps”: one ACL per protocol, per direction, per interface. In this case, 2 interfaces x 2 protocols x 2 directions yields 8 possible ACLs.
Standard ACLs provide basic packet filtering in which the match is based only on the source IP address.
Extended ACLs allow filtering not only on the source address but also on destination addresses, protocol type, and source and destination port numbers.
Access Class Lists
You can specify which IP addresses are allowed remote access to your router with an ACL and an access-class statement configured on your VTY lines.
Extended ACLs are beyond the scope of this course.
access-list 10 permit host 192.168.10.10
Any
Extended access list
access list to vty lines