Access Control Lists Lecture 1

1
Access Control Lists Lecture 1

• PJC CCNA Semester 2 Ver. 3.0
• by
• William Kelly

2
ACL Definition

• An ACL is a sequential group of permit
• and/or deny statements that control the
• flow of particular protocols or protocol
• suits in or out of an interface to a
• specific host or group of hosts

3
ACL Concepts

• Applied to a routers interface
• Traffic is forwarded or blocked
• Each protocol must have its own ACL defined (You
  are only allowed 1 ACL per protocol, per port,
  per direction)

4
Why Use ACLs ?

• Controlling traffic can increase network
  performance
• Distribution of routing updates can be controlled
• Security can be added at the network boundary
• Specific types of traffic can be permitted or
  blocked
• An administrator controls what areas a client
  can access
• Screen certain hosts to either allow or deny
  access to part of a network

5
Calculate number of ACLs

• 2 ports, each port running IP, IPX
• 2 ports, each port running IP, IPX, Appletalk
• (Remember you need an ACL for each
• protocol in each direction on each port)

6
How ACLs Work

• Packets enter the interface
• If the packets are routable then they are routed
  toward the outbound interface
• If there is no access list then the packets
  proceed out the outbound interface
• If there is an ACL then the packets are filtered
  using the sequential ACL statements

7
ACL Basic Flowchart
8
How does a Router Process an ACL?

• Does the Layer 2 address match?
• Is there an inbound ACL?
• Is there an outbound ACL?

9
Creating Standard ACLs

• ACL statements must be in the correct order! (Use
  a flowchart to plan your logic)
• ACLs cant be modified (only created and
  deleted). Use a text editor to write your ACLs

10
Configuring ACLs

• ACLs are created in Global Configuration Mode
• Standard ACLs are 1-99 and Extended ACLs are
  100 199
• Plan your ACLs in a flowchart considering the
  protocol or protocol suite, host or group of
  hosts, and interface and direction of filtering

11
Configuring ACLs (cont.)

• Define ACL
• Router(config) access-list access-list-num perm
  it deny test conditions
• Apply ACL to interface
• Router(config-if) protocol access-group
  access-list number

12
Points to remember creating ACLs

• Outbound ACLs are more efficient
• If you need to alter an ACL use
• no access-list list-number
• (Remember you cant modify an standard ACL so you
  must erase it and create it again with your
  changes. This is why you should create ACLs in
  a text file)
• (See Basic Rules in Online Curriculum)

13
Wildcard Mask Bits

• Wildcard mask bits appear similar to a reverse
  subnet mask but have NO RELATIONSHIP TO SUBNET
  MASKS!!
• 0 means check a position
• 1 means dont check a position

14
Common Wildcard command and Abbreviations

• Permit 0.0.0.0 255.255.255.255 is the same as
  permit any
• Permit 181.16.1.1 0.0.0.0 is the same aspermit
  host 181.16.1.1 (ONLY A PARTICULAR HOST IS
  MATCHED!!)

15
Commands to verify ACLs

• show ip interface indicates whether any ACLs
  are set
• show access-lists Displays the contents of all
  the ACLs
• show running-config Also shows access lists and
  the interface to which they are assigned

16
Standard ACLs

• Allow denying/permitting traffic from a specific
  host/group of hosts and/or protocol suite
• Use number 1 99
• Only 1 protocol per port per interface is allowed
• Can only check source address so they should be
  put as close to the destination as possible

17
Extended ACLs

• Allow denying/permitting traffic from a specific
  host/group of hosts and/or protocol
  suite/protocol and/or port/group of ports
• Use number 100 199
• Only 1 protocol per port per interface is allowed
• Can check source and destination address so they
  should be put as close to the source as possible

18
Named ACLs

• Names for standard and extended ACLs can be
  alphanumeric strings
• Use deny/no deny or permit/no permit to change
  conditions of a named standard or extended ACL
• You cant use the same alphanumeric name twice!