Types of Cisco ACLs

There are two types of Cisco ACLs: standard and extended.

Standard ACLs
Standard ACLs permit or deny traffic based only on the source IP address; the destination address and the ports involved are not examined. The example (from a course figure not reproduced here) permits all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end of every ACL, all other traffic is blocked by this ACL. Standard ACLs are created in global configuration mode.

Extended ACLs
Extended ACLs filter IP packets on several attributes: protocol type, source IP address, destination IP address, source TCP or UDP port, destination TCP or UDP port, and optional protocol-specific information for finer control. In the figure (not reproduced here), ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to port 80 (HTTP) on any destination host. Extended ACLs are created in global configuration mode.

How a Standard ACL Works:
A standard ACL is a sequential collection of permit and deny conditions that apply to source IP addresses. The destination of the packet and the ports involved are not examined.
The decision process is mapped in the course figure (not reproduced here). Cisco IOS software tests the address of each packet against the conditions one by one, in the order they were entered. The first match determines whether the software accepts or rejects the packet, and no further conditions are tested. Because evaluation stops at the first match, the order of the conditions is critical: a broad permit placed above a specific deny makes that deny unreachable. If no condition matches, the packet is rejected by the implied "deny any" at the end of the list.

The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.

Numbering and Naming ACLs:

Numbered ACLs are a workable way to identify the type of an ACL on smaller networks with a relatively uniform traffic mix. A number, however, tells you nothing about the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.
Regarding numbered ACLs, in case you are wondering why numbers 200 to 1299 are skipped: those ranges are assigned to other protocols. This course covers only IP ACLs, which use 1 to 99 and 1300 to 1999 for standard ACLs and 100 to 199 and 2000 to 2699 for extended ACLs. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX.

Where to Place ACLs:
The proper placement of an ACL to filter undesirable traffic makes the network operate more efficiently. ACLs can act as a basic (stateless) packet filter that drops unwanted traffic. Where you place ACLs determines how much unnecessary traffic is carried. For example, traffic that will be denied at a remote destination should not consume network resources along the route to that destination.
Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:
Locate extended ACLs as close as possible to the source of the traffic to be denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
Because standard ACLs match only on source addresses and do not specify destinations, place them as close to the destination as possible. Placed near the source, a standard ACL would block that source's traffic to every destination, not just the one you intend.
Let us consider an example of where to place ACLs in our network. The interface and location chosen depend on what you want the ACL to do.
Administrators can only place ACLs on devices that they control, so placement must be decided within the scope of the administrator's control. In the figure (not reproduced here), the administrator of the 192.168.10.0/24 and 192.168.11.0/24 networks (referred to as Ten and Eleven, respectively, in this example) wants to deny Telnet and FTP traffic from Eleven to the 192.168.30.0/24 network (Thirty, in this example). At the same time, all other traffic must be permitted to leave Ten and Eleven.
There are several ways to do this. An extended ACL on R3 blocking Telnet and FTP from Eleven would accomplish the task, but the administrator does not control R3. That solution would also still allow the unwanted traffic to cross the entire network, only to be blocked at the destination, which affects overall network efficiency.
One solution is to use an outbound extended ACL that specifies both source and destination addresses (Eleven and Thirty, respectively) and says, "Telnet and FTP traffic from Eleven is not allowed to go to Thirty." Apply this extended ACL outbound on the S0/0/0 interface of R1.
A disadvantage of this solution is that traffic from Ten would also be subject to some processing by the ACL, even though its Telnet and FTP traffic is allowed. Following the rule above (extended ACLs as close to the source as possible), applying the same ACL inbound on the R1 interface that connects to Eleven would avoid inspecting Ten's traffic at all.
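To make the first-match rule, the standard and extended ACL examples, and the placement ACL above concrete, here is a small Python model of how IOS evaluates numbered IP ACLs. It is an added example written for this page, not Cisco code: it parses the subset of access-list syntax used above (standard and extended entries, wildcard masks, any, host, eq) and applies the first matching entry, falling through to the implicit deny. The sample packets, the ACL number 110 and the choice of FTP ports for the Eleven-to-Thirty scenario are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of how Cisco IOS evaluates numbered IP ACLs (not IOS code):
# entries are tested in order, the first match decides, and a packet that
# matches nothing hits the implicit "deny any" at the end of every ACL.

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "ip" (protocol irrelevant), "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def _parse_addr(tokens):
    """Consume 'any', 'host A', 'A WILDCARD' or bare 'A'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():      # explicit wildcard follows
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]             # bare address means one host


def _parse_port(tokens):
    """Optional 'eq PORT' (number or well-known name); return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


def parse_acl(lines):
    """Turn 'access-list N permit|deny ...' lines into ordered entries.
    1-99 / 1300-1999 are standard (source only); 100-199 / 2000-2699 are extended."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue                                     # skip blanks / comments
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            src, swc, _ = _parse_addr(rest)
            entries.append(dict(action=action, proto="ip", src=(src, swc),
                                dst=None, sport=None, dport=None))
        elif 100 <= number <= 199 or 2000 <= number <= 2699:
            proto, rest = rest[0], rest[1:]
            src, swc, rest = _parse_addr(rest)
            sport, rest = _parse_port(rest)
            dst, dwc, rest = _parse_addr(rest)
            dport, rest = _parse_port(rest)
            entries.append(dict(action=action, proto=proto, src=(src, swc),
                                dst=(dst, dwc), sport=sport, dport=dport))
        else:
            raise ValueError(f"{number} is not an IP ACL number")
    return entries


def evaluate(entries, pkt: Packet):
    """Return (action, 1-based entry index); ('deny', None) means the implicit deny fired."""
    for idx, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e["src"]):
            continue
        if e["dst"] is not None and not wildcard_match(pkt.dst, *e["dst"]):
            continue
        if e["sport"] is not None and e["sport"] != pkt.sport:
            continue
        if e["dport"] is not None and e["dport"] != pkt.dport:
            continue
        return e["action"], idx                          # first match wins
    return "deny", None                                  # implicit deny any


# Standard ACL from the text: permit 192.168.30.0/24, everything else is dropped.
ACL_10 = parse_acl(["access-list 10 permit 192.168.30.0 0.0.0.255"])

# Extended ACL 103 from the text: hosts on 192.168.30.0/24 may reach port 80 anywhere.
ACL_103 = parse_acl(["access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80"])

# Placement scenario: deny Telnet and FTP from Eleven to Thirty, permit everything else
# so Ten is unaffected. Number 110 and the FTP ports (21 control, 20 active-mode data)
# are assumptions for this example.
ELEVEN_TO_THIRTY = "192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255"
ACL_110_LINES = [
    f"access-list 110 deny tcp {ELEVEN_TO_THIRTY} eq telnet",
    f"access-list 110 deny tcp {ELEVEN_TO_THIRTY} eq ftp",
    f"access-list 110 deny tcp {ELEVEN_TO_THIRTY} eq ftp-data",
    "access-list 110 permit ip any any",
]
ACL_110 = parse_acl(ACL_110_LINES)

# Same entries with the permit moved to the top: it matches first and the denies
# below it are never reached. This is why entry order is critical.
ACL_110_SHADOWED = parse_acl(ACL_110_LINES[-1:] + ACL_110_LINES[:-1])

if __name__ == "__main__":
    telnet_from_eleven = Packet("192.168.11.5", "192.168.30.9", "tcp", 40000, 23)
    print(evaluate(ACL_110, telnet_from_eleven))           # ('deny', 1)
    print(evaluate(ACL_110_SHADOWED, telnet_from_eleven))  # ('permit', 1)
```

The model deliberately treats a `permit ip any any` above a `deny` as a shadowing bug rather than warning about it, exactly as IOS does; a practitioner checking a real ACL should read entries top to bottom with the same first-match rule in mind.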
