Access Control List (ACL)

ACL
1. An ACL is a set of rules that allows or denies specific traffic passing through the router
2. It is Layer 3 security that controls the flow of traffic from one router to another
3. These lists tell the router OS which types of packets to accept or deny
4. It is also called a packet-filtering firewall
ACL benefits
• Limit network traffic and increase network performance
• Provide traffic flow control
• Provide a basic level of security for network access
• Make the traffic decision (forwarded or blocked) at the router interfaces
• Screen hosts to permit or deny their access to a network segment
Network Topology
Types of ACL
Numbered ACL
1. An ACL can be identified by a number
2. Numbers can be 1-99 or 100-199
3. In addition, the expanded ranges 1300-1999 and 2000-2699 can be used
Standard ACL
• The ACL number range is 1-99 or 1300-1999
• Can block/allow a network, host or subnet
• Two-way communication is stopped
• All services are blocked by default
• Implemented closest to the destination
• Filtering is done based on the source address only
Extended ACL
• The ACL number range is 100-199 or 2000-2699
• Can block/allow a network, host, subnet, destination and service
• One-way communication is stopped
• Selected services can be blocked
• Implemented closest to the source
• Checks source, destination, protocol and port number
Terminology
• Deny: Blocking a network/host/subnet/service
• Permit: Allowing a network/host/subnet/service
• Source Address: Address of the PC, network or group from which the request is sent
• Destination Address: Address of the target PC, network or IP where the request ends
• Inbound: Traffic coming into the interface
• Outbound: Traffic going out of the interface
• Protocol: The protocol associated with the service
• Operator: eq, neq, lt, gt
Terminology (contd.)
• Protocols
-IP
-TCP
-UDP
-ICMP
• Operators
-eq (equal to)
-neq (not equal to)
-lt (less than)
-gt (greater than)
• Services
-www, telnet, echo etc.
Layers of Protocol
Rules of ACL
1. All deny statements have to be given first
2. There should be at least one permit statement
3. An implicit deny blocks all traffic by default when there is no match (an invisible statement at the end of the list)
4. There can be one access list per interface per direction, i.e. two ACLs per interface: one in the inbound direction and one in the outbound direction
5. Statements are processed in sequential order (first match wins)
6. Editing of a numbered ACL is not possible, i.e. selectively adding or removing ACL statements is not possible
ACL Flow Chart
Standard ACL Configuration
• Standard ACL creation
(config)#access-list <acl no> <permit/deny> <source address> <source WCM>
• Implementation of Standard ACL
(config)#interface <interface name>
(config-if)#ip access-group <acl no> <in/out>
• Verify ACL
#show access-list
#show access-list <acl no>
Wild Card Mask
• Tells the router which address bits must match the address in the ACL statement
• It is the inverse of the subnet mask, hence it is also called the inverse mask
• A bit value of 0 indicates MUST MATCH (checked bits)
• A bit value of 1 indicates IGNORE (unchecked bits)
• The wild card mask for a single host is always 0.0.0.0
• A wild card mask can be calculated using the formula:
WCM Examples
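The following worked examples are added here and are not part of the original slides. They derive a wildcard mask from a prefix length or a subnet mask, apply the "0 = must match, 1 = ignore" rule bit by bit, and then evaluate a standard ACL exactly as the rules above describe: statements in sequential order, first match wins, and a packet that matches nothing hits the invisible implicit deny. The ACL lines, the sample addresses and the `shadowed_entries` check (which shows why deny statements are written before a broader permit) are constructed for illustration and use only the `access-list <acl no> <permit/deny> <source> <WCM>` syntax from the slides.

```python
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard (inverse) mask for a /prefix network: every host bit becomes 1."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Inverse mask: 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, ref: str, wcm: str) -> bool:
    """A 0 bit in the wildcard mask MUST match the reference; a 1 bit is ignored."""
    check = ~_ip(wcm) & ALL_ONES
    return (_ip(addr) & check) == (_ip(ref) & check)


# One standard ACL entry: (action, reference address, wildcard mask).
Entry = Tuple[str, str, str]


def parse_standard_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <no> <permit|deny> <source>' lines in the order given.

    <source> may be 'any', 'host A.B.C.D', 'A.B.C.D WCM', or a bare address
    (which IOS treats as a single host, i.e. wildcard 0.0.0.0).
    """
    entries: List[Entry] = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL statement: {line!r}")
        action, src = tokens[2], tokens[3:]
        if src == ["any"]:
            ref, wcm = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            ref, wcm = src[1], "0.0.0.0"
        elif len(src) == 1:
            ref, wcm = src[0], "0.0.0.0"
        else:
            ref, wcm = src[0], src[1]
        entries.append((action, ref, wcm))
    return entries


def evaluate_standard_acl(entries: List[Entry], src_addr: str) -> Tuple[str, Optional[int]]:
    """Sequential first-match evaluation; no match falls through to the implicit deny.

    Returns (action, 1-based index of the matching statement), or ("deny", None)
    when the invisible implicit deny at the end of the list is what blocks the packet.
    """
    for index, (action, ref, wcm) in enumerate(entries, start=1):
        if wildcard_match(src_addr, ref, wcm):
            return action, index
    return "deny", None


def shadowed_entries(entries: List[Entry]) -> List[int]:
    """1-based indices of statements that can never match because an earlier
    statement already covers every address they cover (e.g. a host deny placed
    after a permit for the whole network). This is why denies are written first."""
    shadowed = []
    for j, (_, ref_j, wcm_j) in enumerate(entries):
        for _, ref_i, wcm_i in entries[:j]:
            check_i = ~_ip(wcm_i) & ALL_ONES
            # i covers j when i checks no bit that j ignores, and both agree on i's checked bits
            if (check_i & _ip(wcm_j)) == 0 and (_ip(ref_i) & check_i) == (_ip(ref_j) & check_i):
                shadowed.append(j + 1)
                break
    return shadowed


# Constructed sample ACL (not from the slides): block one host and one subnet,
# then permit the rest of 192.168.0.0/16. Everything else hits the implicit deny.
ACL_10 = [
    "access-list 10 deny host 192.168.1.10",
    "access-list 10 deny 192.168.2.0 0.0.0.255",
    "access-list 10 permit 192.168.0.0 0.0.255.255",
]

if __name__ == "__main__":
    entries = parse_standard_acl(ACL_10)
    for src in ("192.168.1.10", "192.168.1.11", "192.168.2.77", "10.0.0.1"):
        print(src, "->", evaluate_standard_acl(entries, src))
    print("/26 wildcard:", wildcard_from_prefix(26))
    print("shadowed if the permit came first:", shadowed_entries(parse_standard_acl(ACL_10[::-1])))
```

Reversing `ACL_10` puts the broad permit first, and `shadowed_entries` reports both deny statements as unreachable: the router would still accept the configuration, but the denies would never take effect. Running the check on a candidate list before applying it catches exactly the ordering mistake that rule 1 warns about.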
Extended ACL Configuration
• Extended ACL Creation
(config)#access-list <acl no> <permit/deny> <protocol> <src add> <src WCM> <dest add> <dest WCM> <operator> <service/port no>
• Implementation of Extended ACL
(config)#interface <interface name>
(config-if)#ip access-group <acl no> <in/out>
Named ACL
1. An ACL can be identified using a name rather than a number
2. Names are case sensitive
3. No limitation on the number of ACLs, unlike the numbered ranges
4. One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible
5. IOS version 11.2 or later allows named ACLs
Standard Named ACL Configuration
• Standard Named ACL Creation
(config)#ip access-list standard <name>
(config-std-nacl)#<permit/deny> <src add> <src WCM>
• Implementation of Standard Named ACL
(config)#interface <interface name>
(config-if)#ip access-group <name> <in/out>
Extended Named ACL Configuration
• Extended Named ACL Creation
(config)#ip access-list extended <name>
(config-ext-nacl)#<permit/deny> <protocol> <src add> <src WCM> <dest add> <dest WCM> <operator> <service/port no>
• Implementation of Extended Named ACL
(config)#interface <interface name>
(config-if)#ip access-group <name> <in/out>
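As an added example (not code from the slides), the evaluator below parses extended ACL statements in both forms shown above, the numbered `access-list <acl no> ...` line and the named-mode `<permit/deny> <protocol> ...` line entered under `ip access-list extended <name>`, and checks packets against protocol, source, destination and the `eq`/`neq`/`lt`/`gt` operators from the terminology slides. The service-name table (www, telnet, echo), the sample ACL 101 and the test packets are constructed for illustration; `ip` as the protocol keyword matching every protocol, and an operator after the source address applying to the source port, follow IOS semantics but are assumptions of this example rather than statements on the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
# Service keywords named on the slides, resolved to their well-known ports (constructed table).
SERVICES = {"www": 80, "telnet": 23, "echo": 7}
OPERATORS = {
    "eq": lambda port, value: port == value,
    "neq": lambda port, value: port != value,
    "lt": lambda port, value: port < value,
    "gt": lambda port, value: port > value,
}


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, ref: str, wcm: str) -> bool:
    """0 bits in the wildcard mask must match the reference; 1 bits are ignored."""
    check = ~_ip(wcm) & ALL_ONES
    return (_ip(addr) & check) == (_ip(ref) & check)


@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class ExtEntry:
    action: str
    proto: str                          # "ip" matches any protocol (assumed IOS semantics)
    src: Tuple[str, str]                # (reference address, wildcard mask)
    sport: Optional[Tuple[str, int]]    # (operator, port) or None
    dst: Tuple[str, str]
    dport: Optional[Tuple[str, int]]


def _take_address(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WCM' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[Tuple[str, int]], int]:
    """Consume an optional '<operator> <service|port no>' clause."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        value = tokens[i + 1]
        port = SERVICES[value] if value in SERVICES else int(value)
        return (tokens[i], port), i + 2
    return None, i


def parse_extended_line(line: str) -> ExtEntry:
    """Accepts 'access-list <no> <permit/deny> ...' or the named-mode '<permit/deny> ...' form."""
    tokens = line.split()
    if tokens[0] == "access-list":      # numbered form: drop the keyword and the number
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit/deny in {line!r}")
    src, i = _take_address(tokens, 2)
    sport, i = _take_port(tokens, i)    # operator right after the source = source port
    dst, i = _take_address(tokens, i)
    dport, i = _take_port(tokens, i)    # operator after the destination = destination port
    if i != len(tokens):
        raise ValueError(f"unparsed trailing tokens in {line!r}")
    return ExtEntry(action, proto, src, sport, dst, dport)


def _port_ok(clause: Optional[Tuple[str, int]], port: Optional[int]) -> bool:
    if clause is None:
        return True                     # no operator: any port (or a portless protocol) matches
    if port is None:
        return False                    # operator given but the packet carries no port
    operator, value = clause
    return OPERATORS[operator](port, value)


def entry_matches(entry: ExtEntry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    return (wildcard_match(pkt.src, *entry.src) and wildcard_match(pkt.dst, *entry.dst)
            and _port_ok(entry.sport, pkt.sport) and _port_ok(entry.dport, pkt.dport))


def evaluate_extended_acl(entries: List[ExtEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Sequential first match; ("deny", None) means the implicit deny dropped the packet."""
    for index, entry in enumerate(entries, start=1):
        if entry_matches(entry, pkt):
            return entry.action, index
    return "deny", None


# Constructed sample: stop telnet from the LAN to one server, allow web and ping, deny the rest.
ACL_101 = [
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq telnet",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www",
    "access-list 101 permit icmp 192.168.1.0 0.0.0.255 any",
]
# The same policy as it would be typed under 'ip access-list extended <name>'.
NAMED_101 = [line.split(" ", 2)[2] for line in ACL_101]

if __name__ == "__main__":
    entries = [parse_extended_line(line) for line in ACL_101]
    print(evaluate_extended_acl(entries, Packet("tcp", "192.168.1.20", "10.0.0.5", 40000, 23)))
    print(evaluate_extended_acl(entries, Packet("tcp", "192.168.1.20", "10.0.0.5", 40000, 80)))
    print(evaluate_extended_acl(entries, Packet("udp", "192.168.1.20", "10.0.0.5", 40000, 53)))
```

Because the numbered and named forms parse to identical entries, the only difference the evaluator sees is how the list is maintained: a named list can have one statement removed while a numbered list has to be rebuilt, which is the editing advantage the Named ACL slide describes.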