
Introducing ACL Operation: Access Control Lists

Access control lists (ACLs) allow network administrators to filter or classify network traffic by controlling which packets are permitted or denied on network interfaces. ACLs can filter packets, enable special handling of certain traffic, and control access to network devices. Standard ACLs check only the source IP address while extended ACLs examine both source and destination addresses as well as protocol types and port numbers. ACLs are configured globally and applied to interfaces to filter incoming or outgoing traffic.


Introducing ACL Operation

Access Control Lists

http://vnexperts.net

ICND1 v1.01-1

Why Use ACLs?

Filtering: Manage IP traffic by filtering packets passing through a router
Classification: Identify traffic for special handling

ACL Applications: Filtering

Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.

Without ACLs, all packets could be transmitted to all parts of your network.

ACL Applications: Classification

Special handling for traffic based on packet tests

Outbound ACL Operation

If no ACL statement matches, discard the packet.

A List of Tests: Deny or Permit


Types of ACLs
Standard ACL
Checks source address
Generally permits or denies entire protocol suite

Extended ACL
Checks source and destination address
Generally permits or denies specific protocols and applications

Two methods are used to identify standard and extended ACLs:
Numbered ACLs use a number for identification
Named ACLs use a descriptive name or number for identification

How to Identify ACLs

Numbered standard IPv4 lists (1-99) test conditions of all IP packets for source addresses. Expanded range (1300-1999).
Numbered extended IPv4 lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range (2000-2699).
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

IP Access List Entry Sequence Numbering

Requires Cisco IOS Release 12.3
Allows you to edit the order of ACL statements using sequence numbers
  In software earlier than Cisco IOS Release 12.3, a text editor is used to create ACL statements, then the statements are copied into the router in the correct order.
Allows you to remove a single ACL statement from the list using a sequence number
  With named ACLs in software earlier than Cisco IOS Release 12.3, you must use no {deny | permit} protocol source source-wildcard destination destination-wildcard to remove an individual statement.
  With numbered ACLs in software earlier than Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.

ACL Configuration Guidelines


Standard or extended indicates what can be filtered.
Only one ACL per interface, per protocol, and per direction is allowed.
The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.
The last ACL test is always an implicit "deny everything else" statement, so every list needs at least one permit statement.
ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
When placing ACLs in the network:
  Place extended ACLs close to the source
  Place standard ACLs close to the destination
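The top-down test, the implicit deny and the "most specific first" rule from the slides above, as an added Python model (not code from the slides or from Cisco IOS; the Ace fields, the sequence numbering, ACL 110 and the sample packets are all constructed for illustration):

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Added example, not from the slides or Cisco IOS: a model of the top-down test
# (first matching entry wins; no match means the implicit deny). Ace fields,
# the sequence numbering, ACL 110 and the sample packets are all constructed.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 wildcard bit must match the base bit; a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Ace:                            # one access control entry
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches any protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # default source: any
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # default destination: any
    dport: Optional[int] = None       # None: any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)
                and (self.dport is None or self.dport == pkt.get("dport")))

def evaluate(acl: list, pkt: dict) -> tuple:
    """Test entries top-down; return (action, sequence) of the first match,
    or ('deny', None) for the implicit deny-everything-else at the end."""
    for seq, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, seq * 10      # sequence numbers 10, 20, 30 ...
    return "deny", None

# Constructed ACL: deny Telnet from one host to the server, permit the rest of its /24 to it.
ACL_110 = [
    Ace("deny", "tcp", "172.30.16.29", "0.0.0.0", "10.1.1.5", "0.0.0.0", 23),
    Ace("permit", "ip", "172.30.16.0", "0.0.0.255", "10.1.1.5", "0.0.0.0"),
]
TELNET = {"proto": "tcp", "src": "172.30.16.29", "dst": "10.1.1.5", "dport": 23}
WEB = {"proto": "tcp", "src": "172.30.16.29", "dst": "10.1.1.5", "dport": 80}
OTHER = {"proto": "udp", "src": "172.30.17.4", "dst": "10.1.1.5", "dport": 53}

if __name__ == "__main__":
    print(evaluate(ACL_110, TELNET), evaluate(ACL_110, WEB), evaluate(ACL_110, OTHER))
    # Swapping the order lets the broad permit shadow the specific deny:
    print(evaluate(list(reversed(ACL_110)), TELNET))   # ('permit', 10)
```

The third packet matches no entry and is dropped by the implicit deny even though the list never mentions it, which is why every list needs at least one permit.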

Dynamic ACLs

Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.

Reflexive ACLs

Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router


Time-Based ACLs

Time-based ACLs: Allow for access control based on the time of day and week


Wildcard Bits: How to Check the Corresponding Address Bits

0 means to match the value of the corresponding address bit
1 means to ignore the value of the corresponding address bit

Wildcard Bits to Match IP Subnets

Match for IP subnets 172.30.16.0/24 to 172.30.31.0/24.

Address and wildcard mask:
172.30.16.0 0.0.15.255


Wildcard Bit Mask Abbreviations

172.30.16.29 0.0.0.0 matches all of the address bits. Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).

0.0.0.0 255.255.255.255 ignores all address bits. Abbreviate the expression with the keyword any.
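The wildcard rules of the last three slides (0 = match, 1 = ignore, the 172.30.16.0 0.0.15.255 range, and the host/any abbreviations) worked in Python as an added example, not code from the slides; the function names and the /20 conversion are my own. It goes one step beyond the slides by reporting whether a wildcard is contiguous, since a wildcard is only the inverse of a subnet mask when its 1 bits form a single low-order run.

```python
import ipaddress

# Added example, not part of the slides: the wildcard-bit rules implemented so
# they can be checked. Function names and the /20 conversion are my own.

def _ints(*dotted: str) -> list:
    return [int(ipaddress.IPv4Address(x)) for x in dotted]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 wildcard bit: the address bit must equal the base bit; 1: ignored."""
    a, b, w = _ints(addr, base, wildcard)
    return (a & ~w) == (b & ~w)

def cidr_to_wildcard(cidr: str) -> tuple:
    """'172.30.16.0/20' -> ('172.30.16.0', '0.0.15.255'): for a contiguous
    block the wildcard is the bitwise inverse of the subnet mask."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def is_contiguous(wildcard: str) -> bool:
    """True when the 1 bits form one low-order run (an inverted mask). IOS
    also accepts non-contiguous wildcards, which match scattered addresses."""
    (w,) = _ints(wildcard)
    return (w & (w + 1)) == 0

def covered(base: str, wildcard: str) -> tuple:
    """Lowest and highest matching address, and how many addresses match."""
    b, w = _ints(base, wildcard)
    lo = b & ~w                       # base with the ignored bits cleared
    return (str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w)),
            1 << bin(w).count("1"))   # one match per combination of 1 bits

def abbreviate(base: str, wildcard: str) -> str:
    """The keyword forms from the slides: 'host <addr>' and 'any'."""
    if wildcard == "0.0.0.0":
        return f"host {base}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{base} {wildcard}"

if __name__ == "__main__":
    print(cidr_to_wildcard("172.30.16.0/20"))      # ('172.30.16.0', '0.0.15.255')
    print(covered("172.30.16.0", "0.0.15.255"))    # ('172.30.16.0', '172.30.31.255', 4096)
    for addr in ("172.30.16.1", "172.30.31.254", "172.30.32.1"):
        print(addr, wildcard_match(addr, "172.30.16.0", "0.0.15.255"))
    print(abbreviate("172.30.16.29", "0.0.0.0"), "|", abbreviate("0.0.0.0", "255.255.255.255"))
    print(is_contiguous("0.0.15.255"), is_contiguous("0.0.2.255"))   # True False
```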

Summary
ACLs can be used for IP packet filtering or to identify traffic to assign it special handling.
ACLs perform top-down processing and can be configured for incoming or outgoing traffic.
You can create an ACL using a named or numbered ACL. Named or numbered ACLs can be configured as standard or extended ACLs, which determines what they can filter.
Reflexive, dynamic, and time-based ACLs add more functionality to standard and extended ACLs.
In a wildcard bit mask, a 0 bit means to match the corresponding address bit and a 1 bit means to ignore the corresponding address bit.
