Skip to main content

Summary Module 11 ACLs

 Summary Module 11 ACLs

This page summarizes the topics discussed in this module.
ACLs are lists of conditions that are applied to traffic that travels across a router interface. They can be created for all routed network protocols such as IP and IPX. Packets are accepted or denied based on these lists.
Network administrators create ACLs to control network access. ACLs provide the ability to limit network traffic, increase performance, and manage security issues. ACL statements operate in sequential, logical order. When a condition is matched as true, the packet is permitted or denied and the rest of the ACL statements are not checked. If all the ACL statements are unmatched, an implicit deny any statement is placed at the end of the list by default. The invisible deny any statement at the end of the ACL will not allow unmatched packets to be accepted. When first learning how to create ACLs, it is a good idea to add the deny any at the end of ACLs to reinforce the dynamic presence implicit deny.
ACLs are created in the global configuration mode and the basic rules should be applied. Each ACL on a router must be configured with a unique number or a name. When a numbered ACL is used, the number identifies the type of access list. Numbered ACLs may be either standard or extended, and must fall within the specific range of numbers that is valid for that type of list . Standard IP ACLs use the numbers from 1 to 99. Extended IP ACLs use the numbers from 100 to 199. ACLs are created by entering the command access-list. Once created, the list is then assigned to the proper interface.
The placement of an ACL has a great impact on network efficiency. The general rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
A wildcard mask is a 32-bit quantity that is divided into four octets. The numbers one and zero in the mask are used to determine the treatment of the corresponding IP address bits. In the wildcard mask process, the IP address in the access-list statement has the wildcard mask applied to it. This creates the match value, which compares the two and determines whether the packet should be processed by this ACL statement, or sent to the next statement to be checked.
The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs on the router. To see a specific list, add the ACL name or number as an option for this command. The show running-config command will also display the access lists on a router and the interface assignment information.
Standard ACLs check the source IP address of packets that are routed. The ACL will permit or deny access based on the network, subnet, and host address. Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers. A named ACL may be either an extended or standard ACL. Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them. A named access list will allow the deletion of statements but will only allow for statements to be inserted at the end of a list

Comments

Popular posts from this blog

OSI layers / Peer-to-peer communications / TCP/IP model

OSI layers 2.3.4 This page discusses the seven layers of the OSI model. The OSI reference model is a framework that is used to understand how information travels throughout a network. The OSI reference model explains how packets travel through the various layers to another device on a network, even if the sender and destination have different types of network media. In the OSI reference model, there are seven numbered layers, each of which illustrates a particular network function. - Dividing the network into seven layers provides the following advantages: • It breaks network communication into smaller, more manageable parts. • It standardizes network components to allow multiple vendor development and support. • It allows different types of network hardware and software to communicate with each other. • It prevents changes in one layer from affecting other layers. • It divides network communication into smaller parts to make learning it easier to understand. In the foll...

PC Basic...

• Backplane – A backplane is an electronic circuit board containing circuitry and sockets into which additional electronic devices on other circuit boards or cards can be plugged; in a computer, generally synonymous with or part of the motherboard. • Network interface card (NIC) – An expansion board inserted into a computer so that the computer can be connected to a network. • Video card – A board that plugs into a PC to give it display capabilities. • Audio card – An expansion board that enables a computer to manipulate and output sounds. • Parallel port – An interface capable of transferring more than one bit simultaneously that is used to connect external devices such as printers. • Serial port – An interface that can be used for serial communication in which only one bit is transmitted at a time. • Mouse port – A port used to connect a mouse to a PC. • USB port – A Universal Serial Bus connector. A USB port connects devices such as a mouse or printer to the computer ...

Windowing

Windowing 11.1.5 This page will explain how windows are used to transmit data. Data packets must be delivered to the recipient in the same order in which they were transmitted to have a reliable, connection-oriented data transfer. The protocol fails if any data packets are lost, damaged, duplicated, or received in a different order. An easy solution is to have a recipient acknowledge the receipt of each packet before the next packet is sent. If a sender had to wait for an ACK after each packet was sent, throughput would be low. Therefore, most connection-oriented, reliable protocols allow multiple packets to be sent before an ACK is received. The time interval after the sender transmits a data packet and before the sender processes any ACKs is used to transmit more data. The number of data packets the sender can transmit before it receives an ACK is known as the window size, or window. TCP uses expectational ACKs. This means that the ACK number refers to the next packet that is...