11.1.3 This page will explain how ACLs are created in global configuration mode. There are many types of ACLs. This lesson explains standard ACLs, extended ACLs, and named ACLs. When ACLs are configured on a router, each ACL must have a unique identification number assigned to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.
After the proper command mode is entered and the list type number is decided upon, the user enters the access list statements using the keyword access-list, followed by the proper parameters. After the proper command mode is entered and the list type number is set, the user enters the access list statements with the access-list command followed by the proper parameters. This is the first of the two-step process. The second step of the process is assigning the ACL to the proper interface.
In TCP/IP, ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic by using the ip access-group command in interface configuration mode. The access-group command is issued in the interface configuration mode. When an ACL is assigned to an interface, inbound or outbound placement should be specified. The filter direction can be set to check packets that travel into or out of an interface. To determine if an ACL controls inbound or outbound traffic, the network administrator must view the interfaces as if looking at them from inside the router. This is a very important concept. Traffic that travels into an interface is filtered by the inbound access list. Traffic going out of an interface is filtered by the outbound access list. After a numbered ACL is created, it must be assigned to an interface. An ACL containing numbered ACL statements cannot be altered. It must be deleted by using the no access-list list-number command and then recreated.
Use the following rules to create and apply access lists:- There should be one access list per protocol per direction.
- Standard access lists should be applied closest to the destination.
- Extended access lists should be applied closest to the source.
- The inbound or outbound interface should be referenced as if looking at the port from inside the router.
- Statements are processed sequentially from the top of the list to the bottom until a match is found. If no match is found then the packet is denied, and discarded.
- There is an implicit deny any at the end of all access lists. This will not appear in the configuration listing.
- Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
- The match condition is examined first. The permit or deny is examined only if the match is true.
- Never work with an access list that is actively applied.
- A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.
- New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs
- An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket.
- An access list should be removed carefully. If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.
- Outbound filters do not affect traffic that originates from the local router.
The Lab Activity will help students become more familiar with the syntax that is used to create an ACL.
The next page will discuss wildcard masks.
No comments:
Post a Comment