
Data Communication and Network Management

Access control lists (ACLs) allow network administrators to filter network traffic by specifying acceptance and denial criteria for packets. There are two main types of ACLs - standard ACLs filter based on source IP addresses, while extended ACLs can filter on source/destination addresses, protocols, and port numbers. ACL rules are evaluated sequentially, and network devices apply ACLs to interfaces to filter inbound or outbound traffic.

Uploaded by MuthuPabasara

Data Communication and Network Management

Lecture: Access Control Lists (ACLs)

Outline

Access Control List (ACL)
How ACL works
Wildcard Mask
ACL Configurations
Standard ACL
Extended ACL
Named ACL

Access Control Lists (ACLs)

ACLs are lists of conditions used to test network traffic that tries to travel across a router interface.
ACLs tell the router what types of packets to accept or deny.
Acceptance and denial can be based on specified conditions such as source address, destination address, protocols and upper-layer port numbers.

ACLs (cont.)

Uses of ACLs:
Prevent hackers from entering the network
Prevent employees from using systems in an unauthorized manner
Filter routing updates
Match packets for VPN tunneling

How ACL Works

An ACL can have several statements, which are evaluated in sequential order.
If statement 1 is matched, the router carries out the action defined in that statement.
If it isn't matched, the router examines the next statement.
If that statement matches, the router carries out the action it defines.
The router continues working through the list until a statement is matched or until the last statement in the list is also not matched.
If none of the statements is matched, the packet is passed to the final implied statement (DENY ANY), which results in a deny, and the packet is discarded.

How ACL Works (cont.)

Wildcard Mask

ACLs use wildcard masking.
Wildcard masking for IP address bits uses the number 1 and the number 0 to identify how to treat the corresponding IP address bits.
A wildcard mask bit 0 means: check the corresponding bit value.
A wildcard mask bit 1 means: do not check (ignore) the corresponding bit value.

Wildcard Bits: How to Check the Corresponding Address Bits

Wildcard Bits to Match a Specific Host IP Address

For example, 172.30.16.29 0.0.0.0 checks all address bits.
This can be abbreviated as the address preceded by the keyword host (host 172.30.16.29).

Wildcard Bits to Match Any IP Address

Accept any address: 198.10.0.1 255.255.255.255 (with a wildcard mask of all ones, every address bit is ignored, so the base address is irrelevant).
This can be abbreviated using the keyword any.

Wildcard Bits to Match IP Subnets

Wildcard Mask (cont.)

ACL Configurations

Create ACL
Apply ACL to an interface

Create ACLs

There are two types of ACLs:
Standard ACLs
Extended ACLs

Standard ACLs

ACL number is between 1 and 99.
Checks the source address only.
Generally permits or denies the entire protocol suite.
Figure: an incoming packet on E0 goes through the access list processes, which ask "Source permit?", before leaving as an outgoing packet on S0.

Standard ACLs (cont.)

Router(config)# access-list access-list-number {permit | deny} {source address} {wildcard mask}

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255

Standard ACLs (cont.)

Extended ACLs

ACL number is between 100 and 199.
Checks source and destination address.
Generally permits or denies specific protocols.
Figure: an incoming packet on E0 goes through the access list processes, which ask "Source, destination and protocol permit?", before leaving as an outgoing packet on S0.

Extended ACLs (cont.)

Router(config)# access-list access-list-number {permit | deny} {protocol} {source address} {wildcard mask} {destination address} {wildcard mask} {eq | lt | gt} {port number}

Extended ACLs (cont.)

Extended ACLs (cont.)

A network administrator needs to restrict the Internet access of 192.168.10.0 to allow only website browsing.
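As an added example that is not part of the lecture, the Python model below ties together the How ACL Works, Wildcard Mask, Standard ACLs and Extended ACLs slides: it parses the access-list syntax shown above, matches addresses bit by bit with wildcard masks, tests statements top-down and falls through to the implied deny any. The function names, the constructed sample config (ACL 101 being one way to write the web-browsing restriction) and the test addresses are my own assumptions, not the lecturer's.

```python
def ip_to_int(ip):
    return int.from_bytes(bytes(int(x) for x in ip.split(".")), "big")

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0: the address bit must equal the base bit; bit 1: ignore that bit."""
    return (ip_to_int(addr) ^ ip_to_int(base)) & ~ip_to_int(wildcard) & 0xFFFFFFFF == 0

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acls(config):
    """Parse 'access-list N {permit|deny} ...' lines; 1-99 are standard, 100-199 extended."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        num = int(t[1])
        e = {"action": t[2], "proto": "ip", "dst": ("0.0.0.0", "255.255.255.255"), "port": None}
        if num <= 99:                            # standard ACL: checks the source address only
            e["src"], _ = parse_addr(t[3:])
        else:                                    # extended ACL: protocol, source, destination, port
            e["proto"] = t[3]
            e["src"], rest = parse_addr(t[4:])
            e["dst"], rest = parse_addr(rest)
            if rest:                             # trailing '{eq | lt | gt} port'
                e["port"] = (rest[0], int(rest[1]))
        acls.setdefault(num, []).append(e)
    return acls

def evaluate(entries, src, dst="0.0.0.0", proto="ip", dport=0):
    """Test statements top-down; the first match decides; no match = implied 'deny any'."""
    ops = {"eq": lambda p, n: p == n, "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}
    for e in entries:
        proto_ok = e["proto"] in ("ip", proto)
        addr_ok = wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])
        port_ok = e["port"] is None or ops[e["port"][0]](dport, e["port"][1])
        if proto_ok and addr_ok and port_ok:
            return e["action"]
    return "deny"                                # the final implied DENY ANY statement

# Constructed sample config: ACL 10 is the slides' standard example; ACL 101 allows only web browsing.
CONFIG = """
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 80
"""
ACLS = parse_acls(CONFIG)
```

Calling evaluate(ACLS[101], "192.168.10.5", "203.0.113.9", "tcp", 21) returns "deny" even though no statement mentions FTP, which is the implied deny any at work; anything you want through must be permitted explicitly.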

Extended ACLs (cont.)

Apply ACL to an Interface

ACLs are configured to apply to inbound traffic or to outbound traffic.
Inbound ACLs: incoming packets are checked against the ACL before the routing decision is taken.
Outbound ACLs: incoming packets are first processed for the routing decision and then checked against the outbound ACL.

Apply ACL to an Interface (cont.)

Router(config-if)# {protocol} access-group access-list-number {in | out}

Placing ACLs

Proper ACL placement filters traffic and makes the network more efficient.
The ACL should be placed where it has the greatest impact on efficiency.
The general rule is to put extended ACLs as close as possible to the source of the traffic to be denied, so that unwanted traffic is dropped before it crosses the network.
Standard ACLs should be placed as close to the destination as possible, because they match only on source address and would otherwise block that source's traffic to every destination.

Placing ACLs (cont.)

Named ACLs

Naming an ACL makes it easier to understand its function.
For example, an ACL to deny FTP could be called NO_FTP.
ACL names are alphanumeric, must be unique and must not begin with a number.

Creating Named ACLs

Router(config)# ip access-list {standard | extended} {name}

Router(config-std-nacl)# {permit | deny} {source address} {wildcard mask}

Creating Named ACLs (cont.)

Advantages of Named ACLs

It is easier to understand the function of the ACL, because you have used its function as its name.
It is easier to edit, because named ACLs allow you to delete individual entries in a specific ACL.
You can use sequence numbers to insert statements anywhere in a named ACL.