Module 4: ACL Concepts - Coggle Diagram
Module 4: ACL Concepts
4.3 Guidelines for ACL Creation
4.3.1 Limited Number of ACLs per Interface
4.3.2 ACL Best Practices
4.1 Purpose of ACLs
4.1.2 Packet Filtering
4.1.3 ACL Operation
4.1.1 What is an ACL?
4.2 Wildcard Masks in ACLs
4.2.2 Wildcard Mask Types
Wildcard Mask to Match an IPv4 Subnet
The wildcard mask 0.0.0.255 stipulates that the first three octets must match exactly and that the fourth octet is ignored, so the ACE matches every address in the /24.
Wildcard Mask to Match an IPv4 Address Range
The table lists in binary the host IPv4 address, the wildcard mask, and the permitted IPv4 addresses.
The wildcard mask bits set to 0 identify which bits of the IPv4 address must match; bits set to 1 are ignored.
Wildcard Mask to Match a Host
The wildcard mask 0.0.0.0 is used to match a specific host IPv4 address: every bit of the address must match.
4.2.3 Wildcard Mask Calculation
Calculating wildcard masks can be challenging. One shortcut is to subtract the subnet mask from 255.255.255.255; for example, 255.255.255.255 minus 255.255.255.0 gives 0.0.0.255.
4.2.1 Wildcard Mask Overview
An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. Wildcard masks are also used by the Open Shortest Path First (OSPF) routing protocol.
A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true.
Wildcard masks use the following rules to match binary 1s and 0s:
Wildcard mask bit 0 - Match the corresponding bit value in the address
Wildcard mask bit 1 - Ignore the corresponding bit value in the address
4.2.4 Wildcard Mask Keywords
Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the Cisco IOS provides two keywords to identify the most common uses of wildcard masking. Keywords reduce ACL keystrokes and make it easier to read the ACE.
host - This keyword substitutes for the 0.0.0.0 mask. All 32 bits of the address must match, so the ACE filters exactly one host address.
any - This keyword substitutes for the 0.0.0.0 address with the 255.255.255.255 mask. Every address bit is ignored, so any IPv4 address matches.
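The following Python is an added worked example (not Cisco IOS code and not part of the original diagram) that carries out the 4.2 material: the subtraction shortcut for wildcard mask calculation, the equivalent derivation from a prefix length, expansion of the host and any keywords, and the "0 = must match, 1 = ignore" matching rule applied to a subnet, an address range, a single host, and a non-contiguous mask. The function names and the sample addresses (192.168.10.0/24, 192.168.16.0 0.0.15.255) are assumptions chosen for illustration.

```python
"""Wildcard-mask helpers for IPv4 ACEs (added example, not Cisco code).

Rule: wildcard bit 0 = the corresponding address bit must match;
      wildcard bit 1 = ignore that address bit.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255 as an integer


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask):
    """The shortcut from the text: 255.255.255.255 minus the subnet mask."""
    return to_dotted(ALL_ONES - to_int(subnet_mask))


def wildcard_from_prefix(prefix_len):
    """Same result from a prefix length: build the subnet mask, then invert it."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return to_dotted(subnet_mask ^ ALL_ONES)


def keyword_to_spec(tokens):
    """Expand the IOS keywords into an (address, wildcard) pair:
    'any'          -> 0.0.0.0 255.255.255.255
    'host A.B.C.D' -> A.B.C.D 0.0.0.0
    A plain 'A.B.C.D W.W.W.W' pair is returned unchanged."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"
    return tokens[0], tokens[1]


def ace_matches(address, ace_address, wildcard):
    """True if `address` matches the ACE's address/wildcard pair.
    Only the bits under a wildcard 0 are compared; bits under a 1 are
    ignored on both sides, which is why IOS stores an ACE written as
    192.168.10.5 0.0.0.255 as 192.168.10.0 0.0.0.255."""
    must_match = ~to_int(wildcard) & ALL_ONES
    return (to_int(address) & must_match) == (to_int(ace_address) & must_match)


def match_count(wildcard):
    """How many addresses an ACE with this wildcard can match: 2 ** (1 bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def bounds(ace_address, wildcard):
    """Lowest and highest matching address. For a contiguous wildcard
    (0.0.0.255, 0.0.15.255) every address in between matches; for a
    non-contiguous one (e.g. 0.0.254.255) only addresses whose masked
    bits agree with ace_address do, so the bounds are not a range."""
    w = to_int(wildcard)
    base = to_int(ace_address) & ~w & ALL_ONES
    return to_dotted(base), to_dotted(base | w)


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.0"))        # a /24
    print(wildcard_from_prefix(20))                          # a /20
    print(keyword_to_spec(["host", "192.168.10.5"]))
    print(ace_matches("192.168.10.77", "192.168.10.0", "0.0.0.255"))
    print(bounds("192.168.16.0", "0.0.15.255"), match_count("0.0.15.255"))
    # Non-contiguous: 0.0.254.255 keeps only bit 0 of the third octet,
    # so it matches even third octets (192.168.4.x) and not odd ones.
    print(ace_matches("192.168.4.1", "192.168.0.0", "0.0.254.255"))
    print(ace_matches("192.168.5.1", "192.168.0.0", "0.0.254.255"))
```

The non-contiguous case at the end is the practical reason a wildcard mask is not just an inverted subnet mask: IOS accepts any bit pattern, and a mask like 0.0.254.255 selects every other /24, something no subnet mask can express.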
4.4 Types of IPv4 ACLs
4.4.3 Where to Place ACLs
Every ACL should be placed where it has the greatest impact on efficiency: extended ACLs are placed as close as possible to the source of the traffic, so that traffic to be denied is filtered before it crosses the network, while standard ACLs, which filter on source address only, are placed as close as possible to the destination, so that they do not block the source's traffic to every other destination as well.
4.4.2 Numbered and Named ACLs
Numbered ACLs
ACLs numbered 1 to 99, or 1300 to 1999, are standard ACLs, while ACLs numbered 100 to 199, or 2000 to 2699, are extended ACLs.
Named ACLs
Named ACLs are the preferred method to use when configuring ACLs. Specifically, standard and extended ACLs can be named to provide information about the purpose of the ACL. For example, naming an extended ACL FTP-FILTER is far better than having a numbered ACL 100.
4.4.1 Standard and Extended ACLs
There are two types of IPv4 ACLs:
Standard ACLs
These permit or deny packets based only on the source IPv4 address.
Extended ACLs
These permit or deny packets based on the source IPv4 address and destination IPv4 address, protocol type, source and destination TCP or UDP ports and more.
ACL 10 permits hosts on the source network 192.168.10.0/24. Because of the implicit "deny any" at the end of every ACL, all traffic except traffic sourced from the 192.168.10.0/24 network is blocked by this ACL.
In the next example, extended ACL 100 permits traffic originating from any host on the 192.168.10.0/24 network to any IPv4 destination if the destination TCP port is 80 (HTTP). Everything else, including HTTPS from the same hosts, falls through to the implicit deny.
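The following Python is an added worked example (not Cisco IOS code and not part of the original diagram) that simulates how a router evaluates the two ACLs described above: it classifies an ACL as standard or extended from its number, parses the access-list lines for ACL 10 and ACL 100, and processes a packet against the ACEs top-down, first match wins, with the implicit deny any when nothing matches. It also goes slightly beyond the text with a third, constructed ACL 20 that shows why ACE order matters. The packet representation, the function names, and all sample addresses are assumptions chosen for illustration.

```python
"""Minimal simulator of IOS numbered ACL evaluation (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def acl_type(number):
    """Numbered ACL ranges: standard vs extended."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a valid numbered ACL")


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A' (standard, host implied) | 'A W'.
    Returns (address_int, wildcard_int, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    if len(tokens) == 1:
        return _ip(tokens[0]), 0, []
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def _take_port(tokens):
    """Optional 'eq N' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol; standard ACEs use it
    src: int
    src_wild: int
    dst: int = 0
    dst_wild: int = ALL_ONES  # standard ACEs ignore the destination entirely
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt):
        def hit(addr, ace_addr, wild):  # wildcard 0 = must match, 1 = ignore
            return ((addr ^ ace_addr) & ~wild & ALL_ONES) == 0

        if self.proto != "ip" and pkt.get("proto") != self.proto:
            return False
        if not hit(_ip(pkt["src"]), self.src, self.src_wild):
            return False
        if not hit(_ip(pkt["dst"]), self.dst, self.dst_wild):
            return False
        if self.src_port is not None and pkt.get("sport") != self.src_port:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def parse_ace(line):
    """Parse 'access-list N permit|deny ...' into (N, Ace)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if acl_type(number) == "standard":          # source address only
        src, src_wild, _ = _take_addr(rest)
        return number, Ace(action, "ip", src, src_wild)
    proto = rest[0]                             # extended: proto src [port] dst [port]
    src, src_wild, rest = _take_addr(rest[1:])
    sport, rest = _take_port(rest)
    dst, dst_wild, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return number, Ace(action, proto, src, src_wild, dst, dst_wild, sport, dport)


def build_acl(lines):
    """Group ACEs by ACL number, preserving configuration order."""
    acl = {}
    for line in lines:
        number, ace = parse_ace(line)
        acl.setdefault(number, []).append(ace)
    return acl


def evaluate(aces, pkt):
    """Top-down, first match wins; no match means the implicit deny any."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed sample configuration: the two ACLs from the text plus ACL 20.
CONFIG = [
    "access-list 10 permit 192.168.10.0 0.0.0.255",
    "access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 80",
    "access-list 20 deny host 192.168.10.5",
    "access-list 20 permit 192.168.10.0 0.0.0.255",
]

if __name__ == "__main__":
    acl = build_acl(CONFIG)
    web = {"src": "192.168.10.7", "dst": "203.0.113.5", "proto": "tcp", "dport": 80}
    tls = dict(web, dport=443)
    print(evaluate(acl[10], web), evaluate(acl[10], dict(web, src="192.168.11.7")))
    print(evaluate(acl[100], web), evaluate(acl[100], tls))
    print(evaluate(acl[20], dict(web, src="192.168.10.5")), evaluate(acl[20], web))
```

ACL 20 is the classic ordering lesson: if its two lines were swapped, the permit for the whole /24 would match 192.168.10.5 first and the host-specific deny would never be reached.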