Access Control List - Coggle Diagram
-
What is an ACL?
Packet filtering controls access to a network by analyzing incoming and/or outgoing packets and forwarding or discarding them based on given criteria. An ACL is the ordered list of those criteria on a router; packets are compared against its entries from the top down.
-
Standard ACLs filter at Layer 3 using only the source IPv4 address. Extended ACLs filter at Layer 3 using the source and/or destination IPv4 address, and can also filter at Layer 4 using the protocol type (for example TCP, UDP, ICMP) and TCP or UDP port numbers for finer control.
Numbered ACLs 1 to 99 and 1300 to 1999 are standard ACLs; numbered ACLs 100 to 199 and 2000 to 2699 are extended ACLs.
-
An ACL is a series of IOS commands that are used to filter packets based on information found in the packet header. By default, a router does not have any ACLs configured.
-
ACLs define the set of rules that give added control over packets that enter inbound interfaces, packets that are relayed through the router, and packets that exit outbound interfaces of the router. Entries are evaluated in order and the first match decides; every ACL ends with an implicit deny, so a packet that matches no entry is dropped.
-
Wildcard Masking
-
Wildcard Mask Keywords
any - This keyword substitutes for the address and wildcard pair 0.0.0.0 255.255.255.255. The all-ones mask says to ignore every bit of the IPv4 address, that is, to match any address.
host - This keyword substitutes for the 0.0.0.0 wildcard mask. The all-zeros mask states that every bit of the IPv4 address must match, so the entry matches just one host address.
-
A wildcard mask is similar to a subnet mask in that it is applied bit by bit to an IPv4 address to identify which bits must match. However, the two interpret binary 1s and 0s in opposite ways: in a subnet mask a 1 marks a network bit, whereas in a wildcard mask a 0 means the corresponding address bit must match and a 1 means the bit is ignored. A wildcard mask is therefore the bitwise inverse of the subnet mask (a /24 subnet mask of 255.255.255.0 becomes the wildcard mask 0.0.0.255), which is also how to compute one: subtract the subnet mask from 255.255.255.255.
IPv6 ACLs
IPv6 ACL Syntax
Router(config)# ipv6 access-list access-list-name
Router(config-ipv6-acl)# {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]
Configure IPv6 ACLs
-
An IPv6 ACL ends with an implicit deny ipv6 any any. Each IPv6 ACL also contains implicit permit rules, permit icmp any any nd-na and permit icmp any any nd-ns, that allow IPv6 Neighbor Discovery to keep working. The IPv6 Neighbor Discovery Protocol (NDP) runs over ICMPv6 at the IPv6 network layer to send neighbor advertisements (NAs) and neighbor solicitations (NSs), and it is how hosts and routers learn each other's link-layer addresses. If an administrator configures an explicit deny ipv6 any any, it is evaluated before the implicit permits, and neighbor discovery on that interface is blocked unless permit icmp any any nd-na and permit icmp any any nd-ns are entered explicitly above the deny.
-
Modify ACLs
Use a Text Editor
ACLs with multiple ACEs should be written in a text editor first. This allows you to plan the required ACEs in order, create the ACL, and then paste it into the router CLI. It also simplifies editing and fixing an ACL, since the whole list can be removed and re-pasted rather than rebuilt entry by entry.
For example, assume ACL 1 was entered incorrectly using 19 instead of 192 for the first octet of the source network, so the running configuration shows permit 19.168.10.0 0.0.0.255 where permit 192.168.10.0 0.0.0.255 was intended.
Use Sequence Numbers
An ACE can also be deleted or added using ACL sequence numbers. Sequence numbers are assigned automatically, in increments of 10, when an ACE is entered. They are listed by the show access-lists command; the show running-config command does not display sequence numbers.
In the previous example, the incorrect ACE for ACL 1 has sequence number 10. Entering ip access-list standard 1 puts the numbered ACL into named-ACL configuration mode, where no 10 removes that single ACE and 10 permit 192.168.10.0 0.0.0.255 re-adds the corrected entry at the same position, leaving the rest of the ACL and its ordering untouched.
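The following Python model is an added example, not code from the page or from Cisco IOS, and serves both the Wildcard Masking section and the sequence-number edit above. It derives a wildcard mask from a prefix length, matches addresses the way IOS does (a 0 bit must match, a 1 bit is ignored), evaluates a standard ACL top-down with the implicit deny, and reproduces the 19-versus-192 correction by deleting and re-adding the ACE at sequence 10. The ACE strings and addresses are constructed; StandardACL, parse_ace and fix_typo_example are names chosen here, only standard (source-only) ACEs are modeled, and the append rule (highest sequence + 10) is a simplification of how IOS numbers new entries.

```python
"""Model of a Cisco IOS standard IPv4 ACL (added example, not IOS code):
wildcard-mask matching, first-match evaluation with the implicit deny, and
editing ACEs by sequence number. All addresses and ACEs below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
Ace = Tuple[str, str, str]  # (action, base address, wildcard mask)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the
    subnet mask, e.g. /24 -> 255.255.255.0 -> 0.0.0.255."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means that address bit must equal the base;
    a 1 bit means ignore it. 'care' is the set of bits that must match."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    return (a & care) == (b & care)


def parse_ace(text: str) -> Ace:
    """Parse a standard ACE written in IOS form:
    '<permit|deny> any', '<permit|deny> host A.B.C.D' or
    '<permit|deny> A.B.C.D W.W.W.W' (no wildcard given means a single host)."""
    parts = text.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"malformed ACE: {text!r}")
    action = parts[0]
    if parts[1] == "any":          # 'any' stands for 0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":         # 'host X' stands for X 0.0.0.0
        return action, parts[2], "0.0.0.0"
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
    return action, parts[1], wildcard


class StandardACL:
    """ACEs keyed by sequence number and evaluated in ascending order."""

    def __init__(self) -> None:
        self.aces: Dict[int, Ace] = {}

    def add(self, text: str, sequence: Optional[int] = None) -> int:
        """Append (assumption: highest sequence + 10, as IOS numbers by tens)
        or insert at an explicit sequence number, e.g. '15 permit ...'."""
        if sequence is None:
            sequence = max(self.aces, default=0) + 10
        if sequence in self.aces:
            raise ValueError(f"sequence {sequence} already in use")
        self.aces[sequence] = parse_ace(text)
        return sequence

    def remove(self, sequence: int) -> None:
        """Equivalent of 'no <sequence>' in named-ACL configuration mode."""
        del self.aces[sequence]

    def evaluate(self, source: str) -> str:
        """First matching ACE decides; no match falls to the implicit deny any."""
        for seq in sorted(self.aces):
            action, base, wildcard = self.aces[seq]
            if wildcard_match(source, base, wildcard):
                return action
        return "deny"

    def entries(self) -> List[str]:
        """ACEs with their sequence numbers, as 'show access-lists' reveals them."""
        return [f"{seq} {a} {b} {w}" for seq, (a, b, w) in sorted(self.aces.items())]


def fix_typo_example() -> dict:
    """Reproduce the page's scenario: ACL 1 typed with 19 instead of 192 in the
    first octet (sequence 10), then corrected in place by sequence number."""
    acl = StandardACL()
    acl.add("permit 19.168.10.0 0.0.0.255")        # the typo lands at sequence 10
    acl.add("permit host 10.1.1.1")                # sequence 20
    before = acl.evaluate("192.168.10.10")          # nothing matches: implicit deny
    acl.remove(10)                                  # ip access-list standard 1 / no 10
    acl.add("permit 192.168.10.0 0.0.0.255", 10)    # 10 permit 192.168.10.0 0.0.0.255
    after = acl.evaluate("192.168.10.10")
    return {"before": before, "after": after, "entries": acl.entries()}


if __name__ == "__main__":
    print(wildcard_from_prefix(24), fix_typo_example())
```

The point the model makes visible is that a typo in an ACE does not produce an error; it produces a silently narrower or wider match, and with the implicit deny the mistyped permit simply drops the traffic you meant to allow. Checking show access-lists for the sequence numbers, then replacing the single entry, avoids re-entering the whole list and changing the order of the other ACEs.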
Implement ACLs
Apply an ACL
After creating an ACL, the administrator must apply it before it filters anything; an ACL that is defined but not applied has no effect. On an interface it is applied in interface configuration mode with ip access-group {access-list-number | access-list-name} {in | out}, with at most one ACL per protocol, per direction, per interface. On the vty lines it is applied in line configuration mode with access-class {access-list-number | access-list-name} {in | out}, which restricts which source addresses may open remote management sessions to the router.