ACL definition: Lists of instructions applied to a router interface that tell the router what kinds of packets to accept and what kinds of packets to deny.
Acceptance and denial can be based on certain specifications, such as source address, destination address, and port number.
Any traffic going through the interface is tested against certain conditions that are part of the ACL.
-Operate at OSI Layer 3.
-Used to limit network traffic and increase network performance. An example of this is using the lists to designate certain packets to be processed by a router before others. This process is known as queuing.
-Provide traffic flow control by restricting or reducing the contents of routing updates.
-Provide a basic level of security for network access by allowing only certain users access to a certain part of the network while denying access to all other users.
When configuring ACLs on a router, you must identify each ACL uniquely by assigning a number to the ACL for a protocol.
When you use a number to identify an ACL, the number must be within the specific range of numbers that is valid for the protocol.
-Extended IP: 100-199
-Extended IPX: 900-999
-IPX Service Advertising Protocol: 1000-1099
Wildcard Masks
-A wildcard mask is a 32-bit, dotted-decimal number that is divided into four octets, with each octet containing 8 bits.
-ACLs use wildcard masking to identify single or multiple addresses for permit or deny tests.
-A wildcard mask is paired with an IP address. The numbers 1 and 0 are used to identify how to treat the corresponding IP address bits.
-A wildcard mask bit 0 means "check the corresponding bit value".
-A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".
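The bit rule above is easiest to see in code. The following is an added example (not part of the original notes and not Cisco IOS code) that applies a wildcard mask exactly as the router does: only the address bits where the wildcard bit is 0 have to be equal. It also derives the wildcard for a prefix length as the inverse of the subnet mask, and shows that a wildcard need not be contiguous. All addresses and masks in it are constructed sample values.

```python
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF  # 32-bit mask, 255.255.255.255


def wildcard_matches(address: str, acl_address: str, wildcard: str) -> bool:
    """Return True if `address` matches `acl_address` under `wildcard`.

    Wildcard bit 0 = "check this bit", wildcard bit 1 = "ignore this bit".
    Inverting the wildcard therefore gives the set of bits that must agree.
    """
    addr = int(IPv4Address(address))
    base = int(IPv4Address(acl_address))
    check_bits = int(IPv4Address(wildcard)) ^ ALL_ONES
    return (addr & check_bits) == (base & check_bits)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a CIDR prefix: the bitwise inverse of the subnet mask.

    /24 -> 0.0.0.255, /32 -> 0.0.0.0 (single host), /0 -> 255.255.255.255 (any).
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(IPv4Address(subnet_mask ^ ALL_ONES))


def checked_bit_count(wildcard: str) -> int:
    """How many of the 32 address bits a wildcard actually tests."""
    ignored = bin(int(IPv4Address(wildcard))).count("1")
    return 32 - ignored


if __name__ == "__main__":
    # Constructed examples: a /24 network, a single host, "any", and a
    # non-contiguous wildcard that covers 172.16.0.0/16 and 172.17.0.0/16 together.
    print(wildcard_matches("192.168.1.77", "192.168.1.0", "0.0.0.255"))      # True
    print(wildcard_matches("192.168.2.77", "192.168.1.0", "0.0.0.255"))      # False
    print(wildcard_matches("10.1.1.1", "10.1.1.1", "0.0.0.0"))               # True (host)
    print(wildcard_matches("10.9.9.9", "0.0.0.0", "255.255.255.255"))        # True (any)
    print(wildcard_matches("172.17.5.5", "172.16.0.0", "0.1.255.255"))       # True
    print(wildcard_from_prefix(24), checked_bit_count("0.0.0.255"))          # 0.0.0.255 24
```

The non-contiguous case (0.1.255.255) is worth knowing about: the router does not require wildcard bits to form a prefix, so a single statement can cover several networks, which is convenient but also easy to get wrong when auditing an ACL.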
How ACLs Work
When the router is deciding whether to forward or block a packet, the Cisco Internetwork Operating System (IOS) software tests the packet against each condition statement, in the order in which the statements were created.
After a match is found, no more condition statements are checked.
ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If the packet does not match any of the written ACL statements, it matches the final implicit "deny any" statement. This means that even though you will not see "deny any" as the last line of an ACL, it is there: an ACL with only permit statements still drops everything that none of them matches.
Standard ACLs
-Used when you want to block all traffic from a network, allow all traffic from a specific network, or deny protocol suites.
-By checking only the source address of packets that could be routed, standard ACLs permit or deny output for an entire protocol suite, based on the network, subnet, and host addresses.
-Because they do not specify destination addresses, standard ACLs are placed as near to the destination as possible.
Extended ACLs
-Used most often to test conditions because they provide a greater range of control than standard ACLs.
-Check both source and destination packet addresses. Consequently, packets can be permitted or denied output based on where the packet originated and based on its destination.
-Can also check for specific protocols, port numbers, and other parameters.
-Placed as close as possible to the source of the traffic being denied.
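To tie the "How ACLs Work" section together with the standard/extended distinction, here is an added example (not from the original notes and not IOS code) of a small ACL evaluator: statements are tested in order, the first match decides, and a packet that matches nothing falls through to the implicit deny. A standard entry tests only the source address; an extended entry can also test protocol, destination address and destination port. The ACL numbers, networks and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_matches(address: str, acl_address: str, wildcard: str) -> bool:
    """Wildcard bit 0 = check, 1 = ignore: compare only the checked bits."""
    check = int(IPv4Address(wildcard)) ^ ALL_ONES
    return (int(IPv4Address(address)) & check) == (int(IPv4Address(acl_address)) & check)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "ip"           # "tcp", "udp", "icmp" or plain "ip"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    """One ACL statement. A standard ACL uses only action/src/src_wc;
    the remaining fields default to 'any', which is what extended ACLs refine."""
    action: str                    # "permit" or "deny"
    src: str
    src_wc: str
    protocol: str = "ip"           # "ip" matches every IP protocol, as on IOS
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_matches(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_matches(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching statement).

    Statements are tested in the order written; after the first match no
    further statements are checked. No match -> the implicit 'deny any',
    reported with index None because it never appears in the list.
    """
    for index, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, index
    return "deny", None


# Constructed sample standard ACL: permit one source network, implicit deny for the rest.
STANDARD_10 = [
    Entry("permit", "192.168.1.0", "0.0.0.255"),
]

# Constructed sample extended ACL: deny TCP/23 (Telnet) from 10.0.0.0/8, then permit all IP.
EXTENDED_101 = [
    Entry("deny", "10.0.0.0", "0.255.255.255", protocol="tcp", dst_port=23),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    print(evaluate(STANDARD_10, Packet("192.168.1.5", "203.0.113.9")))           # ('permit', 0)
    print(evaluate(STANDARD_10, Packet("192.168.2.5", "203.0.113.9")))           # ('deny', None)
    print(evaluate(EXTENDED_101, Packet("10.1.2.3", "192.168.1.1", "tcp", 23)))  # ('deny', 0)
    print(evaluate(EXTENDED_101, Packet("10.1.2.3", "192.168.1.1", "tcp", 80)))  # ('permit', 1)
    # Same statements in the opposite order: the permit now shadows the deny.
    print(evaluate(list(reversed(EXTENDED_101)), Packet("10.1.2.3", "192.168.1.1", "tcp", 23)))
```

The reversed-order call at the end is the point most worth internalising: a "permit ip any any" placed before a deny makes the deny unreachable, and the router gives no warning. When reviewing an ACL, read it top to bottom and ask of each statement which packets could still reach it.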
Applying ACLs to Interfaces
-ACLs are assigned to one or more interfaces. They can filter inbound traffic or outbound traffic, depending on the configuration.
-Because a router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface, outbound ACLs are generally more efficient than inbound ones, and are therefore preferred.
-For some protocols, up to two ACLs can be grouped to an interface: one inbound ACL and one outbound ACL. With other protocols, only one ACL is allowed, and it checks both inbound and outbound packets.