Summary Module 11 ACLs
This page summarizes the topics discussed in this module.
ACLs are lists of conditions that are applied to traffic that travels across a router interface. They can be created for all routed network protocols such as IP and IPX. Packets are accepted or denied based on these lists.
Network administrators create ACLs to control network access. ACLs provide the ability to limit network traffic, increase performance, and manage security issues. ACL statements operate in sequential, logical order. When a condition is matched as true, the packet is permitted or denied and the rest of the ACL statements are not checked. If none of the ACL statements match, an implicit deny any statement, placed at the end of the list by default, applies. This invisible deny any statement at the end of the ACL will not allow unmatched packets to be accepted. When first learning how to create ACLs, it is a good idea to add an explicit deny any at the end of each ACL to reinforce the presence of the implicit deny.
ACLs are created in global configuration mode, and the basic rules should be applied. Each ACL on a router must be configured with a unique number or a name. When a numbered ACL is used, the number identifies the type of access list. Numbered ACLs may be either standard or extended, and must fall within the specific range of numbers that is valid for that type of list. Standard IP ACLs use the numbers from 1 to 99. Extended IP ACLs use the numbers from 100 to 199. ACLs are created by entering the command access-list. Once created, the list is then assigned to the proper interface.
The placement of an ACL has a great impact on network efficiency. The general rule is to put extended ACLs as close as possible to the source of the traffic to be denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
A wildcard mask is a 32-bit quantity that is divided into four octets. The numbers one and zero in the mask are used to determine the treatment of the corresponding IP address bits. In the wildcard mask process, the IP address in the access-list statement has the wildcard mask applied to it. This creates the match value, which is compared with the packet's address to determine whether the packet should be processed by this ACL statement or sent to the next statement to be checked.
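The following is an added example, not part of the module text, that models the wildcard-mask comparison described above together with the sequential, first-match evaluation and implicit deny any from the earlier paragraph. The ACL entries and packet addresses are constructed for illustration.

```python
import ipaddress

# Constructed example (not from the module): wildcard-mask matching and
# top-to-bottom evaluation of a standard ACL, including the implicit deny.


def to_int(dotted):
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_ip, acl_ip, wildcard):
    """A wildcard bit of 0 means 'must match'; a bit of 1 means 'ignore'.

    Inverting the wildcard gives the bits we care about; the packet address
    and the address in the ACL statement must agree on exactly those bits.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_ip) & care) == (to_int(acl_ip) & care)


def evaluate_standard_acl(statements, src_ip):
    """Walk a standard ACL in configured order and stop at the first match.

    statements: list of (action, address, wildcard) tuples.
    Returns the action of the first matching statement, or "deny" when no
    statement matches (the invisible deny any at the end of every ACL).
    """
    for action, address, wildcard in statements:
        if wildcard_match(src_ip, address, wildcard):
            return action
    return "deny"  # implicit deny any


# Constructed standard ACL (number 1 is within the standard range 1-99).
# Equivalent IOS statements would be written as, for example:
#   access-list 1 permit 192.168.10.0 0.0.0.255
ACL_1 = [
    ("permit", "192.168.10.0", "0.0.0.255"),      # whole /24 subnet
    ("deny",   "10.1.1.1",     "0.0.0.0"),        # one host
    ("permit", "10.0.0.0",     "0.255.255.255"),  # rest of 10.0.0.0/8
]

if __name__ == "__main__":
    for ip in ("192.168.10.77", "10.1.1.1", "10.200.3.4", "172.16.0.9"):
        print(ip, "->", evaluate_standard_acl(ACL_1, ip))
```

Note that 10.1.1.1 is denied only because the host statement precedes the /8 permit; reordering those two statements would change the result.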
The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs on the router. To see a specific list, add the ACL name or number as an option for this command. The show running-config command will also display the access lists on a router and the interface assignment information.
Standard ACLs check the source IP address of packets that are routed. The ACL will permit or deny access based on the network, subnet, and host address. Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers. A named ACL may be either an extended or standard ACL. Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them. A named access list will allow the deletion of statements but will only allow for statements to be inserted at the end of a list.