Access Control Lists (ACLs)
Access Control Lists (ACLs) are used to identify and filter traffic within the network and traffic coming from outside the network. An ACL is an ordered set of rules, each of which permits or denies the traffic it matches. ACLs are used to filter unwanted packets when implementing a security policy: they permit or deny different types of traffic coming towards the network or moving within it.
ACLs follow these rules when examining a packet:
- The packet is compared with each line of the access list in sequential order: the comparison starts at the first line and moves down the list one line at a time.
- Comparison continues until a match is found. When the packet matches a condition, the action of that line (permit or deny) is applied to the packet and no further lines are processed.
- There is an implicit "deny any" at the end of every access list. If the packet matches none of the conditions in the list, this implicit deny is applied and the packet is discarded.
When an ACL is applied to an interface, the administrator has to specify the direction in which traffic is filtered:
Inbound Access Lists
When an interface is configured with an inbound access list, all traffic arriving on that interface is processed by the access list before it is routed to an outbound interface. Packets denied by the list cannot be routed, because they are discarded before routing takes place.
Outbound Access Lists
When an interface is configured with an outbound access list, traffic is first routed to the outbound interface and is then processed by the access list before it is queued for transmission.
Facts about ACLs
- ACLs come in two varieties: numbered and named.
- ACLs support two types of filtering: standard and extended.
- Standard ACLs filter only on the source IP address of the packet.
- Extended ACLs filter on both the source and destination IP address of the packet (on Cisco IOS they can also match the protocol and port numbers).
- An ACL can take only two actions on a packet: permit or deny.
- An ACL processes its statements in sequence, from top to bottom.
- When an ACL finds a match between the packet and a condition, it stops processing further conditions and applies that condition to the packet.
- When an ACL finds no match, it applies the implicit deny and discards the packet.
- An ACL must contain at least one permit statement, otherwise it drops all traffic because of the implicit deny.
Range of ACLs
| Type | Range |
| --- | --- |
| Standard | 1 - 99 |
| Extended | 100 - 199 |
| Standard (expanded range) | 1300 - 1999 |
| Extended (expanded range) | 2000 - 2699 |
ACL Placement
Standard ACLs should be placed as close to the destination as possible: they match only on the source address, so placing them near the source would block that source from reaching every destination beyond the filtering point.
Extended ACLs should be placed as close to the source as possible, so that unwanted traffic is dropped before it crosses the network.
Configuration of Standard ACLs
Requirements
Create a standard ACL on R2 to control access to its attached networks. This ACL must allow host 192.168.200.10 and deny all others. Also allow 192.168.100.1 on R2 so that it can receive routing updates from R1.
Solution
R2(config)#access-list 1 remark the one host allowed in
R2(config)#access-list 1 permit 192.168.200.10
R2(config)#access-list 1 remark R1, so routing updates are not dropped
R2(config)#access-list 1 permit 192.168.100.1
R2(config)#access-list 1 remark explicit deny: same effect as the implicit deny, but its hits are counted in show access-lists
R2(config)#access-list 1 deny any
R2(config)#interface serial 0/0/0
R2(config-if)#ip access-group 1 in
R2(config-if)#exit
Configuration of Extended ACLs
Requirements
1) Host 1 can access Host 3. All other hosts on that network only cannot access Host 3. Any additional hosts added on other networks in the future should be able to access Host 3, because they will not be guest-accessible machines.
2) Host 3 can access the R1 interfaces. All other devices on the network will not have access.
Solution
R2(config)#access-list 101 remark Host 1 may reach Host 3
R2(config)#access-list 101 permit ip host 192.168.1.10 host 192.168.5.10
R2(config)#access-list 101 remark the rest of Host 1's network may not
R2(config)#access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.5.10
R2(config)#access-list 101 remark everything else, including future networks, is allowed
R2(config)#access-list 101 permit ip any any
R2(config)#access-list 101 deny ip any any
R2(config)#interface fastethernet 0/0
R2(config-if)#ip access-group 101 out
Note that the final "deny ip any any" can never match: every packet already matches "permit ip any any" on the line above it, so it serves only as a visible end marker. Note also that this ACL satisfies requirement 1 only; requirement 2 (only Host 3 may reach the R1 interfaces) needs a separate ACL applied on R1 and is not shown here.
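The first-match and implicit-deny rules described at the top of this post, and the two ACLs configured above, can be checked offline with a small evaluator. The following Python is an added example written for this page; it is not Cisco code and not part of the original post. It models only "ip" entries in the numbered-ACL syntax shown here (any, host, and wildcard-mask address forms), uses the page's ACL 101 as constructed input with the IOS prompt left in, and includes a pairwise "shadowed" check that reports entries no packet can ever reach, which is how the final "deny ip any any" of ACL 101 shows up as dead.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not Cisco code: evaluates numbered IOS-style ACLs using the
# rules from the post (top-down, first match wins, implicit deny at the end).

Spec = Tuple[int, int]          # (address, wildcard mask) as 32-bit ints
ANY: Spec = (0, 0xFFFFFFFF)     # wildcard of all ones matches everything


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: Spec
    dst: Optional[Spec]         # None for a standard ACL (source only)
    text: str                   # original line, kept for reporting


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_addr(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse one address spec at tokens[i]; return (spec, next index).
    Forms: any | host A.B.C.D | A.B.C.D W.W.W.W | A.B.C.D (standard-ACL host shorthand)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    addr = _ip(tok)
    if i + 1 < len(tokens):
        try:                              # optional wildcard mask follows
            return (addr, _ip(tokens[i + 1])), i + 2
        except ValueError:                # next token is a keyword, not a mask
            pass
    return (addr, 0), i + 1


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse `access-list N permit|deny ...` lines; a leading `R2(config)#` prompt is stripped."""
    entries = []
    for line in lines:
        line = line.split("#", 1)[-1].strip()
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue                      # interface commands etc. are ignored
        number, action = int(tokens[1]), tokens[2]
        if number <= 99 or 1300 <= number <= 1999:      # standard ranges
            src, _ = parse_addr(tokens, 3)
            entries.append(Entry(action, src, None, line))
        else:                                           # extended ranges
            if tokens[3] != "ip":
                raise ValueError("only `ip` extended entries are modelled: " + line)
            src, i = parse_addr(tokens, 4)
            dst, _ = parse_addr(tokens, i)
            entries.append(Entry(action, src, dst, line))
    return entries


def matches(spec: Spec, ip: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    addr, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (_ip(ip) & care) == (addr & care)


def evaluate(entries: List[Entry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None means the
    implicit deny at the end of the list fired."""
    for idx, e in enumerate(entries):
        if matches(e.src, src) and (e.dst is None or matches(e.dst, dst)):
            return e.action, idx          # first match wins, stop here
    return "deny", None


def covers(a: Spec, b: Spec) -> bool:
    """True if spec a matches every address that spec b matches."""
    (addr_a, wc_a), (addr_b, wc_b) = a, b
    care_a = ~wc_a & 0xFFFFFFFF
    return (wc_b & care_a) == 0 and (addr_a & care_a) == (addr_b & care_a)


def shadowed(entries: List[Entry]) -> List[int]:
    """Indices of entries that can never match because one earlier entry already
    covers everything they would match (pairwise check only)."""
    out = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            dst_ok = later.dst is None or (earlier.dst is not None and covers(earlier.dst, later.dst))
            if covers(earlier.src, later.src) and dst_ok:
                out.append(j)
                break
    return out


# Constructed input: the extended ACL from the post, prompt included.
ACL_101 = [
    "R2(config)#access-list 101 permit ip host 192.168.1.10 host 192.168.5.10",
    "R2(config)#access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.5.10",
    "R2(config)#access-list 101 permit ip any any",
    "R2(config)#access-list 101 deny ip any any",
]

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for src in ("192.168.1.10", "192.168.1.20", "192.168.2.7"):
        print(src, "->", "192.168.5.10", evaluate(acl, src, "192.168.5.10"))
    for j in shadowed(acl):
        print("never matches:", acl[j].text)
```

Running it shows Host 1 permitted by line 1, another host on 192.168.1.0/24 denied by line 2, a host on a different network permitted by line 3, and the last entry reported as unreachable. Feeding it only deny entries demonstrates the implicit deny: evaluate returns ("deny", None), with no line of the list responsible.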