Please enable JavaScript.

Coggle requires JavaScript to display documents.

Access Control List, image, image, image, image, image - Coggle Diagram

- - - - All access control lists (ACLs) must be planned. However, this is especially true for ACLs requiring multiple access control entries (ACEs).
      - When configuring a complex ACL, it is suggested that you:
      - Use a text editor and write out the specifics of the policy to be implemented.
      - Add the IOS configuration commands to accomplish those tasks.
      - Include remarks to document the ACL.
  - - - Naming an ACL makes it easier to understand its function. To create a named extended ACL, use the following global configuration command:
        Router(config)# ip access-list extended access-list-name
- - - - Create an ACL globally and then apply it.
      - Ensure the last statement is an implicit deny any or deny ip any any.
      - Remember that statement order is important because ACLs are processed top-down.
      - As soon as a statement is matched the ACL is exited.
      - Always filter from the most specific to the most generic. For example, deny a specific host and then permit all other hosts.
      - Remember that only one ACL is allowed per interface, per protocol, per direction.
      - Remember that new statements for an existing ACL are added to the bottom of the ACL by default.
      - Remember that router-generated packets are not filtered by outbound ACLs.
      - Place standard ACLs as close to the destination as possible.
  - - - Mitigate Spoofing Attacks
        
        ACLs can be used to mitigate many network threats, such as IP address spoofing and denial of service (DoS) attacks. Most DoS attacks use some type of spoofing. IP address spoofing overrides the normal packet creation process by inserting a custom IP header with a different source IP address. Attackers can hide their identity by spoofing the source IP address.
        
        Mitigate SNMP Attacks
        
        Management protocols, such as SNMP, are useful for remote monitoring and management of networked devices. However, they can still be exploited. If SNMP is necessary, exploitation of SNMP vulnerabilities can be mitigated by applying interface ACLs to filter SNMP packets
- - - - ACLs number 1 to 99, or 1300 to 1999 are standard ACLs while ACLs number 100 to 199, or 2000 to 2699 are extended ACLs, as shown in the output.
        
        R1(config)# access-list ?
        
        <1-99> IP standard access list
        
        <100-199> IP extended access list
        
        <1100-1199> Extended 48-bit MAC address access list
        
        <1300-1999> IP standard access list (expanded range)
        
        <200-299> Protocol type-code access list
        
        <2000-2699> IP extended access list (expanded range)
        
        <700-799> 48-bit MAC address access list
        
        rate-limit Simple rate-limit specific access list
        
        template Enable IP template acls
        
        R1(config)# access-list
      - ACL Operation
        
        ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
    - - A wildcard mask is similar to subnet mask in that it uses ANDring process to identify what bits ina Ipv4 address to match, However the differ in the way that they match binary 1s or 0s
      - Wild Masks Types
        
        wildcard to math a host, to match to a Ipv4 subnet, and Ipv4
        address range
        
        Wilcard Mask Calculation
        
        Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255
        
        Wildcard Mask Keywords
        
        Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the Cisco IOS provides two keywords to identify the most common uses of wildcard masking. Keywords reduce ACL keystrokes but more importantly, keywords make it easier to read the ACE.
- - - - An ACL ACE can also be deleted or added using the ACL sequence numbers. Sequence numbers are automatically assigned when an ACE is entered. These numbers are listed in the show access-lists command. The show running-config command does not display sequence numbers.