Cisco Access Control List


# 5.1 ACCESS CONTROL LIST (ACL)

A Cisco access control list (ACL) filters traffic on router or switch interfaces according to criteria that you specify. To filter network traffic, an ACL controls whether routed packets are forwarded or blocked at the router interface. The router examines each packet and, based on the criteria in the ACL, decides whether to forward or drop it.
ACL criteria include:
1) Source address of the traffic.
2) Destination address of the traffic.
3) Upper-layer protocol.

Cisco access lists are available for several routed protocols, including IP, IPX, AppleTalk, XNS, DECnet and others. An IP ACL is a sequential collection of permit and deny conditions that apply to an IP packet. The router tests each packet against the conditions in the ACL one at a time, in order, and the first condition that matches decides what happens to the packet. Each of these rules has powerful implications when filtering IP packets with access lists, so keep in mind that creating effective access lists takes practice.

# Types of access lists

1) Standard access lists: These use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists permit or deny an entire suite of protocols; they do not distinguish between the many types of IP traffic such as web, Telnet, UDP and so on. You create a standard access list by using the access-list numbers 1-99 or 1300-1999.

2) Extended access lists: Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header and the port number in the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic. You create an extended access list by using the access-list numbers 100-199 or 2200-2699.

3) Numbered access lists: To edit a numbered ACL, copy the router configuration to a TFTP server or to a text editor such as Notepad, make your changes there, and copy the configuration back to the router.

# You will need to use different access lists for inbound and outbound traffic on a single interface

o In (inbound) traffic: Traffic that arrives on the interface and then goes through the router. The source is where it has been, and the destination is where it goes, on the other side of the router.

o Inbound access lists: When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied are not routed; they are discarded before the routing process is invoked.

o Out (outbound) traffic: Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.

o Outbound access lists: When an access list is applied to outbound packets on an interface, those packets are first routed to the outbound interface and then processed through the access list before being queued for transmission.

# Mask

Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. The masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side; for example, IP address 209.165.202.129 with mask 255.255.255.224. Masks for IP ACLs are the reverse, for example mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask.

When the value of the mask is broken down into binary (0s and 1s), the result determines which address bits are considered when processing the traffic. A "0" bit means the corresponding address bit must match exactly; a "1" bit means "don't care".

Masking Disadvantages

| Item | Value |
|---|---|
| Network address (traffic that is to be processed) | 10.1.1.0 |
| Mask | 0.0.0.255 |
| Network address (binary) | 00001010.00000001.00000001.00000000 |
| Mask (binary) | 00000000.00000000.00000000.11111111 |

Based on the binary mask, you can see that the first three sets (octets) must match the given binary network address exactly (00001010.00000001.00000001). The last set of numbers is "don't care" (.11111111). Therefore all traffic that begins with 10.1.1. matches, since the last octet is "don't care"; with this mask, network addresses 10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed.
Subtract the normal mask from 255.255.255.255 in order to determine the ACL inverse mask. In this example, the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0:
255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)
Note these ACL equivalents:
o The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".
o The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".
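The following Python is an added example, not code from the original page: it reproduces the mask arithmetic described above bit for bit, so you can check an inverse mask, see which addresses a network/wildcard pair covers, and confirm the "any" and "host" equivalents. All addresses in it are taken from the text or constructed for the example.

```python
# Added example (not from the original page): inverse-mask arithmetic and
# wildcard matching exactly as the text describes it.
import ipaddress


def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value: int) -> str:
    """Convert a 32-bit integer back to dotted-quad notation."""
    return str(ipaddress.IPv4Address(value))


def inverse_mask(normal_mask: str) -> str:
    """255.255.255.255 minus the normal mask gives the inverse (wildcard) mask."""
    return int_to_ip(0xFFFFFFFF - ip_to_int(normal_mask))


def wildcard_matches(address: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match exactly', 1 means 'don't care'.
    An address matches when it equals the network on every 0 bit."""
    care_bits = 0xFFFFFFFF ^ ip_to_int(wildcard)  # invert: 1 = bits we check
    return (ip_to_int(address) & care_bits) == (ip_to_int(network) & care_bits)


def matching_range(network: str, wildcard: str) -> tuple:
    """First and last address covered by a network/wildcard pair."""
    lo = ip_to_int(network) & (0xFFFFFFFF ^ ip_to_int(wildcard))
    hi = lo | ip_to_int(wildcard)
    return int_to_ip(lo), int_to_ip(hi)


def show_binary(dotted: str) -> str:
    """Render an address or mask as four 8-bit groups, as in the text's table."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


if __name__ == "__main__":
    # The text's worked example: 10.1.1.0 with wildcard 0.0.0.255.
    print("Network (binary):", show_binary("10.1.1.0"))
    print("Mask    (binary):", show_binary("0.0.0.255"))
    print("Inverse of 255.255.255.0 is", inverse_mask("255.255.255.0"))
    print("10.1.1.77 processed?", wildcard_matches("10.1.1.77", "10.1.1.0", "0.0.0.255"))
    print("Range covered:", matching_range("10.1.1.0", "0.0.0.255"))
    # The ACL equivalents from the text.
    print("'any' matches 203.0.113.9?", wildcard_matches("203.0.113.9", "0.0.0.0", "255.255.255.255"))
    print("'host 10.1.1.2' matches 10.1.1.3?", wildcard_matches("10.1.1.3", "10.1.1.2", "0.0.0.0"))
```

`matching_range` is the check to run before applying a list: it shows the actual span of addresses a wildcard admits, which is easy to misjudge when the wildcard has non-zero bits in a middle octet.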

# Wildcard masking

Wildcard masking is used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is; it is used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8 and 4.
When you need to specify a range of addresses, you choose the next-largest block size for your needs.
For example:
o If you want to specify 34 networks, you need a block size of 64.
o If you want to specify 18 hosts, you need a block size of 32.
o If you want to specify only 2 networks, a block size of 4 would work.
Try to work out this wildcard mask:
Corp(config)# access-list 10 deny 172.16.16.0 0.0.3.255
This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.0.
Here are two more things to keep in mind when working with block sizes and wildcards:
o Each block size must start at 0 or at a multiple of the block size.
For example, you can't say that you want a block size of 8 and then start at 12. You must use 0-7, 8-15, 16-23, etc.
For a block size of 32, the ranges are 0-31, 32-63, 64-95, etc.
o The keyword any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.
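The block-size rules above are easy to get wrong by hand, so here is an added Python example (not from the original page) that applies them: it picks the next-largest block size for a count, rejects a start value that is not a multiple of the block size, builds the wildcard string, and lists the networks a block covers. The block sizes it knows are the ones the text lists (4 through 64) plus 128 and 256, which continue the same series; the function and variable names are this example's own.

```python
# Added example (not from the original page): wildcard block-size planning
# following the rules in the text.

# Block sizes named in the text, continued up to a full octet.
BLOCK_SIZES = (4, 8, 16, 32, 64, 128, 256)


def block_size_for(count: int) -> int:
    """Next-largest block size that holds `count` hosts or networks
    (34 -> 64, 18 -> 32, 2 -> 4, as in the text's examples)."""
    if count < 1:
        raise ValueError("count must be at least 1")
    for size in BLOCK_SIZES:
        if size >= count:
            return size
    raise ValueError("more than 256 entries do not fit in one octet")


def block_start_is_valid(start: int, block_size: int) -> bool:
    """A block must start at 0 or at a multiple of its size (0-7, 8-15, ...)."""
    return 0 <= start <= 255 and start % block_size == 0


def wildcard_for_block(block_size: int, octet: int) -> str:
    """Wildcard mask covering `block_size` consecutive values in octet 1-4:
    that octet becomes block_size-1, every octet to its right becomes 255
    ('don't care'), everything to the left stays 0 ('must match')."""
    if block_size not in BLOCK_SIZES:
        raise ValueError(f"block size must be one of {BLOCK_SIZES}")
    if octet not in (1, 2, 3, 4):
        raise ValueError("octet must be 1-4")
    parts = [0, 0, 0, 0]
    parts[octet - 1] = block_size - 1
    for i in range(octet, 4):
        parts[i] = 255
    return ".".join(str(p) for p in parts)


def covered_networks(network: str, block_size: int, octet: int) -> list:
    """List each network in the block, the way the text reads 172.16.16.0 with
    block size 4 as 172.16.16.0 through 172.16.19.0. Raises if the block
    does not start on a legal boundary."""
    parts = [int(p) for p in network.split(".")]
    start = parts[octet - 1]
    if not block_start_is_valid(start, block_size):
        raise ValueError(f"{start} is not a legal start for block size {block_size}")
    networks = []
    for value in range(start, start + block_size):
        p = list(parts)
        p[octet - 1] = value
        networks.append(".".join(str(x) for x in p))
    return networks


def access_list_line(number: int, action: str, network: str,
                     block_size: int, octet: int) -> str:
    """Compose the IOS standard ACL line for the block, e.g. the text's
    'access-list 10 deny 172.16.16.0 0.0.3.255'."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    return f"access-list {number} {action} {network} {wildcard_for_block(block_size, octet)}"


if __name__ == "__main__":
    print("34 networks need block size", block_size_for(34))
    print("18 hosts need block size", block_size_for(18))
    print(access_list_line(10, "deny", "172.16.16.0", 4, 3))
    print("covers:", ", ".join(covered_networks("172.16.16.0", 4, 3)))
    print("start 12 valid for block size 8?", block_start_is_valid(12, 8))
```

`covered_networks` is the sanity check to run whenever a wildcard spans more than the last octet: if the start octet is not aligned, the router will silently match a different set of networks than the one you intended, because the wildcard is applied bit by bit rather than as a numeric range.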


# 5.2 CONFIGURATION AND EXPLANATION OF STANDARD ACL WITH LAB

```
! --- Allow a select host to access the network --- !
! access-list entries are entered in global configuration mode (config),
! not interface mode; the list is then bound to an interface with ip access-group
Side_A(config)# access-list 10 permit host 192.168.3.2
Side_A(config)# access-list 10 permit any
Side_A(config)# interface fastethernet 0/0
Side_A(config-if)# ip access-group 10 out
Side_A(config-if)# exit
```

```
! --- Allow a select network to deny the internet --- !
! A separate lab. On a router that still holds the list 10 from above, these
! entries would be appended to it; remove it first with: no access-list 10
Side_A(config)# access-list 10 deny 192.168.3.0 0.0.0.255
Side_A(config)# access-list 10 permit any
Side_A(config)# interface fastethernet 0/0
Side_A(config-if)# ip access-group 10 out
Side_A(config-if)# exit
```
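To see how the router walks the two lab lists, here is an added Python simulator (not part of the original page and not Cisco code). It parses standard ACL lines in the same syntax as the lab, tests a packet's source address against each entry top to bottom, applies the implicit deny at the end, and flags entries that an earlier line has already made unreachable. The two lists are copied from the lab; the source addresses tested against them are constructed for this example.

```python
# Added example (not from the original page): first-match evaluation of a
# standard ACL with the implicit "deny any", plus a shadowed-entry check.
import ipaddress


def ip_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_entry(line: str) -> dict:
    """Parse one 'access-list N permit|deny <source>' line. A leading IOS prompt
    such as 'Side_A(config)# ' is stripped so pasted config can be fed directly.
    Source forms: 'host A.B.C.D', 'any', or 'A.B.C.D W.X.Y.Z' (network wildcard)."""
    if "# " in line:
        line = line.split("# ", 1)[1]
    line = line.strip()
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard ACL line: {line!r}")
    number, action, source = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if source == ["any"]:
        network, wildcard = "0.0.0.0", "255.255.255.255"
    elif source[0] == "host" and len(source) == 2:
        network, wildcard = source[1], "0.0.0.0"
    elif len(source) == 2:
        network, wildcard = source
    else:
        raise ValueError(f"bad source in {line!r}")
    return {"number": number, "action": action, "line": line,
            "network": ip_to_int(network), "wildcard": ip_to_int(wildcard)}


def entry_matches(entry: dict, source_ip: str) -> bool:
    care = 0xFFFFFFFF ^ entry["wildcard"]  # wildcard bit 0 = must match
    return (ip_to_int(source_ip) & care) == (entry["network"] & care)


def evaluate(acl_lines: list, source_ip: str) -> str:
    """Return 'permit' or 'deny' for a packet with the given source address.
    Standard lists look only at the source, and the first match wins."""
    for entry in map(parse_entry, acl_lines):
        if entry_matches(entry, source_ip):
            return entry["action"]
    return "deny"  # implicit deny at the end of every access list


def shadowed_entries(acl_lines: list) -> list:
    """Entries that can never match because an earlier entry already covers
    every address they cover. An earlier entry covers a later one when the later
    entry fixes every bit the earlier one checks, to the same values."""
    entries = [parse_entry(line) for line in acl_lines]
    dead = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            care_e = 0xFFFFFFFF ^ earlier["wildcard"]
            covers = ((later["wildcard"] & care_e) == 0
                      and (later["network"] & care_e) == (earlier["network"] & care_e))
            if covers:
                dead.append(later["line"])
                break
    return dead


# The two lab lists, copied from the text.
LAB_ALLOW_HOST = ["access-list 10 permit host 192.168.3.2",
                  "access-list 10 permit any"]
LAB_DENY_NETWORK = ["access-list 10 deny 192.168.3.0 0.0.0.255",
                    "access-list 10 permit any"]

if __name__ == "__main__":
    for src in ("192.168.3.2", "192.168.3.77", "192.168.4.1"):  # constructed sources
        print(f"{src:>14}  lab1={evaluate(LAB_ALLOW_HOST, src)}  lab2={evaluate(LAB_DENY_NETWORK, src)}")
    # Reversing the second lab puts 'permit any' first, so the deny is dead.
    print("shadowed in reversed lab2:", shadowed_entries(list(reversed(LAB_DENY_NETWORK))))
```

Two things the run makes visible. The first lab list permits every source, because its `permit any` line reaches everything the host entry does not; the host entry only changes the outcome if `permit any` is absent, in which case the implicit deny drops all other sources. And order matters: in the second list the deny must precede `permit any`, since the router stops at the first match, and `shadowed_entries` is the review check that catches a deny placed after a broader permit.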



