CCNA – Cisco Certified Network Associates
Access Control List (ACL)
By Roshan Chaudhary
Lecturer
Islington College
Access Control List (ACL)
ACL to Secure Networks
• ACLs are used to stop traffic or permit only specified traffic while
stopping all other traffic on their networks.
• ACLs enable us to control traffic into and out of our network. This
control can be as simple as permitting or denying network hosts or
addresses. However, ACLs can also be configured to control network
traffic based on the port being used.
• ACL is a sequential list of permit or deny statements that apply to IP
addresses or upper-layer protocols.
Access Control List (ACL)
Packet Filtering
• Packet filtering, sometimes called static packet filtering, controls access
to a network by analyzing the incoming and outgoing packets and
passing or halting them based on stated criteria.
Access Control List (ACL)
ACL Operation
• ACLs are configured either to apply to inbound traffic or to apply to
outbound traffic.
• Inbound ACLs - Incoming packets are processed before they are routed
to the outbound interface. An inbound ACL is efficient because it saves
the overhead of routing lookups if the packet is discarded. If the packet
is permitted by the tests, it is then processed for routing.
• Outbound ACLs - Incoming packets are routed to the outbound
interface, and then they are processed through the outbound ACL.
Types of Cisco ACLs
Standard ACLs
• Standard ACLs allow us to permit or deny traffic from a source IP
address. The destination of the packet and the ports involved do not
matter.
Router(config)#access-list <ACL number> <permit/deny> <source network/host address> <wildcard mask>
Types of Cisco ACLs
Extended ACLs
• Extended ACLs filter IP packets based on several attributes, for
example, protocol type, source and destination IP address, source TCP
or UDP ports, destination TCP or UDP ports, and optional protocol type
information for finer granularity of control.
Router(config)#access-list <ACL number> <permit/deny> <protocol> <source network/host address> <wildcard mask> <destination network/host address> <wildcard mask> <eq> <port number/name>
Types of Cisco ACLs
Numbered and Named ACL
Types of Cisco ACLs
ACL-List Numbers
ACL Keywords
Standard ACL Command Syntax
ACL Example
ACL
Removing ACL
Router(config)#no access-list <ACL Number>
Wildcard Mask
Wildcard mask bit 0 - Match the corresponding bit value in the address.
Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Procedure for Configuring Standard ACL
ACL Tips
• An implicit DENY statement is hard-coded into every ACL. We cannot
see it, but it says "deny everything not already permitted". This is always
the last line of any ACL. If we want to defeat this implicit DENY, we should
put a PERMIT ANY statement in our standard ACLs or PERMIT IP ANY
ANY in our extended ACLs as the last line.
• Access lists can be applied in either an inbound direction (keyword IN)
or in an outbound direction (keyword OUT).
• Apply a standard ACL as close as possible to the destination network or
device.
• Only one access list can be applied per interface, per direction.
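As an added illustration that is not part of the original slides, the following Python simulation applies the wildcard-mask rule (bit 0 = compare, bit 1 = ignore) and the sequential first-match logic with the implicit DENY to one constructed standard ACL and one constructed extended ACL; the addresses, list numbers and ports are made up for the example and the code models IOS behaviour rather than running on a router.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: mask bit 0 = must match, mask bit 1 = ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w            # bits the mask tells us to compare
    return (a & care) == (n & care)

# Constructed standard ACL 10: block one host, allow the rest of its /24.
# Each tuple mirrors: access-list 10 <permit/deny> <source> <wildcard>
STANDARD_ACL_10 = [
    ("deny",   "192.168.10.5", "0.0.0.0"),     # single host (all bits compared)
    ("permit", "192.168.10.0", "0.0.0.255"),   # last octet ignored
]                                              # implicit "deny any" follows

def eval_standard(acl, src: str) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"                              # hard-coded implicit DENY

# Constructed extended ACL 110, evaluated per packet (protocol, src, dst, port).
# Tuple: (action, protocol, src, src_wc, dst, dst_wc, dst_port or None)
EXTENDED_ACL_110 = [
    ("permit", "tcp", "192.168.10.0", "0.0.0.255", "10.0.0.10", "0.0.0.0",   80),
    ("permit", "tcp", "192.168.10.0", "0.0.0.255", "10.0.0.10", "0.0.0.0",   443),
    ("deny",   "ip",  "192.168.10.0", "0.0.0.255", "10.0.0.0",  "0.0.0.255", None),
    ("permit", "ip",  "any", None, "any", None, None),   # PERMIT IP ANY ANY last line
]

def eval_extended(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """'ip' matches every protocol; 'any' skips the address test; eq = port equals."""
    for action, p, s, swc, d, dwc, port in acl:
        if p != "ip" and p != proto:
            continue
        if s != "any" and not wildcard_match(src, s, swc):
            continue
        if d != "any" and not wildcard_match(dst, d, dwc):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"                              # implicit DENY if no line matched

if __name__ == "__main__":
    print(eval_standard(STANDARD_ACL_10, "192.168.10.5"))                  # deny
    print(eval_extended(EXTENDED_ACL_110, "tcp", "192.168.10.6", "10.0.0.10", 22))  # deny
```

Removing the final PERMIT IP ANY ANY line from EXTENDED_ACL_110 shows why the tip matters: every packet that misses lines 1 to 3 then hits the implicit deny.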
ACL Examples
Named ACL Configuration
Extended ACL Configuration