Skip to main content

Access Control List Fundamentals / Introduction to ACLs

Access Control List Fundamentals 
Introduction to ACLs
11.1.1 This page will explain what ACLs are and how they are used.
ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network.
ACLs can be created for all routed network protocols such as IP and Internetwork Packet Exchange (IPX). ACLs can be configured at the router to control access to a network or subnet.
To filter network traffic, ACLs determine if routed packets are forwarded or blocked at the router interfaces. The router examines each packet and will forward or discard it based on the conditions specified in the ACL. An ACL makes routing decisions based on source address, destination address, protocols, and upper-layer port numbers.
ACLs must be defined on a per protocol, per direction, or per port basis. To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic. Every interface can have multiple protocols and directions defined. If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed. There would be one ACL for each protocol, times two for each direction, times two for the number of ports.
ACLs can be used to perform the following tasks:
  • Limit network traffic and increase network performance. For example, ACLs that restrict video traffic could greatly reduce the network load and increase network performance.
  • Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
  • Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.
  • Decide which types of traffic are forwarded or blocked at the router interfaces. ACLs can permit e-mail traffic to be routed, but block all Telnet traffic.
  • Control which areas a client can access on a network.
  • Screen hosts to permit or deny access to a network segment. ACLs can be used to permit or deny a user to access file types such as FTP or HTTP.
If ACLs are not configured on the router, all packets that pass through the router will be permitted to access the entire network.
The next page will describe how ACLs work.

Comments

Post a Comment

Popular posts from this blog

OSI layers / Peer-to-peer communications / TCP/IP model

OSI layers 2.3.4 This page discusses the seven layers of the OSI model. The OSI reference model is a framework that is used to understand how information travels throughout a network. The OSI reference model explains how packets travel through the various layers to another device on a network, even if the sender and destination have different types of network media. In the OSI reference model, there are seven numbered layers, each of which illustrates a particular network function. - Dividing the network into seven layers provides the following advantages: • It breaks network communication into smaller, more manageable parts. • It standardizes network components to allow multiple vendor development and support. • It allows different types of network hardware and software to communicate with each other. • It prevents changes in one layer from affecting other layers. • It divides network communication into smaller parts to make learning it easier to understand. In the foll...
Post a Comment
Read more

PC Basic...

• Backplane – A backplane is an electronic circuit board containing circuitry and sockets into which additional electronic devices on other circuit boards or cards can be plugged; in a computer, generally synonymous with or part of the motherboard. • Network interface card (NIC) – An expansion board inserted into a computer so that the computer can be connected to a network. • Video card – A board that plugs into a PC to give it display capabilities. • Audio card – An expansion board that enables a computer to manipulate and output sounds. • Parallel port – An interface capable of transferring more than one bit simultaneously that is used to connect external devices such as printers. • Serial port – An interface that can be used for serial communication in which only one bit is transmitted at a time. • Mouse port – A port used to connect a mouse to a PC. • USB port – A Universal Serial Bus connector. A USB port connects devices such as a mouse or printer to the computer ...
Post a Comment
Read more

1.2.2 RIP V2 Features

 1.2.2 RIP V2 Features This page will discuss RIP v2, which is an improved version of RIP v1. Both versions of RIP share the following features: It is a distance vector protocol that uses a hop count metric. It uses hold down timers to prevent routing loops – default is 180 seconds. It uses split horizon to prevent routing loops. It uses 16 hops as a metric for infinite distance. RIP v2 provides prefix routing, which allows it to send out subnet mask information with the route update. Therefore, RIP v2 supports the use of classless routing in which different subnets within the same network can use different subnet masks, as in VLSM. RIP v2 provides for authentication in its updates. A set of keys can be used on an interface as an authentication check. RIP v2 allows for a choice of the type of authentication to be used in RIP v2 packets. The choice can be either clear text or Message-Digest 5 (MD5) encryption. Clear text is the default. MD5 can be used t...
Post a Comment
Read more