What is an Access Control List?
Put as simply as I can: an ACL is an ordered list of permit/deny statements used to filter traffic. You can filter on network, host, protocol and port, and every decision comes down to which statement a packet matches first. A few statements in plain words:
- permit host 192.168.2.50
- deny 192.168.1.0/24
- permit TCP port 80 to 200.1.1.1
- permit all TCP traffic to 210.0.1.0/24
What are they used for?
- Access control (traffic filtering on an interface)
- NAT (defining which addresses get translated)
- Quality of Service (classifying traffic)
- Dial-on-Demand Routing (defining "interesting" traffic)
- Policy routing
- Route filtering
Types of ACL
- Standard
  - Matches on source address only
  - Lower processor utilization
  - Because it cannot see the destination, its effect depends on where it is applied; place it as close to the destination as possible so it does not block traffic to destinations you did not intend
  - Uses a wildcard mask (0 bits must match, 1 bits are "don't care")
- Extended
  - Place it as close to the source as possible, so unwanted traffic is dropped before it crosses the network
  - Matches on protocol
  - Matches on source address
  - Matches on destination address
  - Matches on port (source and/or destination)
  - Can be used for debugging (the log keyword and per-entry match counters show what is hitting each line)
- Reflexive
  - Not applied to an interface directly; it is nested inside a named extended ACL (the reflect and evaluate keywords)
  - Creates temporary, dynamic entries for the return traffic of sessions that left through the router
  - Can be used as a basic stateful firewall defense: return traffic is allowed only for connections initiated from the inside
Access List Number Range
The number you use for your ACL determines its type. I have not included the complete list, just the ranges that are regularly used (expanded ranges, 1300-1999 for standard and 2000-2699 for extended, also exist).
- 1-99 IP standard
- 100-199 IP extended
Rules
- ACLs are created in global configuration mode
  - An ACL is not active until it is applied to an interface
- The list is read from top to bottom and processing stops at the first match, so the order of the entries is the policy
  - There is an invisible implicit deny at the bottom: anything not explicitly permitted is dropped
- An ACL is applied to an interface inbound or outbound (one ACL per interface, per direction, per protocol)
- Other possibilities: ACLs used for NAT, QoS, VPN
Note: ACL must be applied to an interface before it is active
Syntax - Standard Access-List
Legacy - access-list <number> {permit | deny} <source> [<wildcard>] [log]
Modern - ip access-list standard {<number> | <name>}
Modern Line 2 - [<sequence>] {permit | deny} <source> [<wildcard>] [log]
Syntax - Extended Access-List
Legacy - access-list <number> {permit | deny} <protocol> <source> <source-wildcard> [<ports>] <destination> <destination-wildcard> [<ports>] [<options>]
Modern - ip access-list extended {<number> | <name>}
Modern Line 2 - [<sequence>] {permit | deny} <protocol> <source> <source-wildcard> [<ports>] <destination> <destination-wildcard> [<ports>] [<options>]
In both forms <source> and <destination> can also be written as "host <address>" (wildcard 0.0.0.0) or "any" (wildcard 255.255.255.255).
Question: You may be asking yourself what the main difference between legacy and modern is?
Answer: The modern form lets you name the ACL, and because each entry carries a sequence number you can insert or delete a single line instead of rewriting the whole list (deleting one line of a legacy numbered ACL removes the entire ACL). The matching behaviour is the same.
Here is a link to a quick reference sheet for ACLs: Packetlife ACL
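The rules above (top to bottom, first match wins, implicit deny, wildcard masks) and the legacy syntax are easy to get wrong in a way that silently opens or blocks traffic. The following Python simulator is an added example, not code from the original post and not anything from Cisco; it parses constructed legacy `access-list` lines in the syntax shown above and evaluates sample packets against them, and it also flags entries that sit below a catch-all and can never match. The sample ACLs 10, 110 and 120, the packets and all helper names are made up for illustration, and only the subset of the syntax on this page is handled (any / host / wildcard, eq / gt / lt / range, log).

```python
"""Cisco-style numbered ACL simulator (added example; not the post's code, talks to no device).
Rules implemented: top-to-bottom, first match wins, implicit deny at the end, wildcard
masks (0 bits must match, 1 bits are "don't care"). Standard (1-99) entries match on
source only; extended (100-199) entries match protocol, source, destination and ports."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}   # None = any IP protocol
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53}
ANY = (0, 0xFFFFFFFF)                                     # (address, wildcard)

def addr_hits(spec: Tuple[int, int], ip: str) -> bool:
    """Wildcard match: bits set in the wildcard are ignored, the rest must be equal."""
    addr, wc = spec
    mask = ~wc & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & mask) == (addr & mask)

def parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any' | 'host A' | 'A W' | bare 'A' (standard-ACL shorthand for one host)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    addr = int(ipaddress.ip_address(tok[i]))
    if i + 1 < len(tok) and tok[i + 1] != "log":
        return (addr, int(ipaddress.ip_address(tok[i + 1]))), i + 2
    return (addr, 0), i + 1

def port_num(t: str) -> int:
    return int(t) if t.isdigit() else PORT_NAMES[t]

def parse_port(tok: List[str], i: int):
    """Consume an optional 'eq|gt|lt N' or 'range A B' operator; None means any port."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "range"):
        a = port_num(tok[i + 1])
        if tok[i] == "range":
            return ("range", a, port_num(tok[i + 2])), i + 3
        return (tok[i], a, a), i + 2
    return None, i

def port_hits(spec, port: int) -> bool:
    if spec is None:
        return True
    op, a, b = spec
    return {"eq": port == a, "gt": port > a, "lt": port < a, "range": a <= port <= b}[op]

@dataclass
class Entry:
    action: str
    proto: Optional[int]
    src: Tuple[int, int]
    sport: Optional[tuple]
    dst: Tuple[int, int]
    dport: Optional[tuple]
    log: bool
    text: str

def parse_acl(text: str) -> List[Entry]:
    """Parse legacy 'access-list <n> ...' lines; the number range decides standard vs extended."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError("only legacy 'access-list' lines are handled: " + line)
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99:                       # standard: source only
            src, i = parse_addr(tok, 3)
            proto, sport, dst, dport = None, None, ANY, None
        elif 100 <= number <= 199:                  # extended: proto, src, [ports], dst, [ports]
            proto = PROTO_NUM[tok[3]]
            src, i = parse_addr(tok, 4)
            sport, i = parse_port(tok, i)
            dst, i = parse_addr(tok, i)
            dport, i = parse_port(tok, i)
        else:
            raise ValueError("unsupported ACL number: " + line)
        entries.append(Entry(action, proto, src, sport, dst, dport, "log" in tok[i:], line.strip()))
    return entries

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """Top to bottom, stop at the first match; no match at all is the implicit deny."""
    for e in acl:
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if not (addr_hits(e.src, pkt.src) and addr_hits(e.dst, pkt.dst)):
            continue
        if not (port_hits(e.sport, pkt.sport) and port_hits(e.dport, pkt.dport)):
            continue
        return e.action, e.text
    return "deny", "implicit deny"

def unreachable(acl: List[Entry]) -> List[int]:
    """Indexes of entries below a catch-all (e.g. 'permit ip any any') that can never match."""
    for n, e in enumerate(acl):
        if e.proto is None and e.src == ANY and e.dst == ANY and e.sport is None and e.dport is None:
            return list(range(n + 1, len(acl)))
    return []

# Constructed sample ACLs (not from a real device).
ACL_10 = """
access-list 10 permit 192.168.2.50
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.255.255
"""
ACL_110 = """
access-list 110 permit tcp any host 200.1.1.1 eq www
access-list 110 permit tcp any 210.0.1.0 0.0.0.255
access-list 110 deny ip any any log
"""
SHADOWED = """
access-list 120 permit ip any any
access-list 120 deny tcp any any eq telnet
"""

if __name__ == "__main__":
    for pkt in (Packet(6, "192.168.1.77", "10.0.0.1"), Packet(6, "10.1.1.1", "10.0.0.1")):
        print(pkt.src, "->", evaluate(parse_acl(ACL_10), pkt))
    print("telnet to 200.1.1.1 ->", evaluate(parse_acl(ACL_110), Packet(6, "10.0.0.5", "200.1.1.1", 40000, 23)))
    print("dead entries in ACL 120:", unreachable(parse_acl(SHADOWED)))
```

Two things worth noticing when you run it: the host 10.1.1.1 is dropped by ACL 10 even though no line mentions it (the implicit deny), and the telnet deny in ACL 120 is dead because the permit above it matches everything first, which is exactly the kind of ordering mistake the "first match" rule produces.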