Summary Module 11 ACLs

 Summary Module 11 ACLs

This page summarizes the topics discussed in this module.

ACLs are lists of conditions that are applied to traffic that travels across a router interface. They can be created for all routed network protocols such as IP and IPX. Packets are accepted or denied based on these lists.

Network administrators create ACLs to control network access. ACLs provide the ability to limit network traffic, increase performance, and manage security issues. ACL statements operate in sequential, logical order. When a condition is matched as true, the packet is permitted or denied and the rest of the ACL statements are not checked. If all the ACL statements are unmatched, an implicit deny any statement is placed at the end of the list by default. The invisible deny any statement at the end of the ACL will not allow unmatched packets to be accepted. When first learning how to create ACLs, it is a good idea to add the deny any at the end of ACLs to reinforce the dynamic presence implicit deny.

ACLs are created in the global configuration mode and the basic rules should be applied. Each ACL on a router must be configured with a unique number or a name. When a numbered ACL is used, the number identifies the type of access list. Numbered ACLs may be either standard or extended, and must fall within the specific range of numbers that is valid for that type of list . Standard IP ACLs use the numbers from 1 to 99. Extended IP ACLs use the numbers from 100 to 199. ACLs are created by entering the command access-list. Once created, the list is then assigned to the proper interface.

The placement of an ACL has a great impact on network efficiency. The general rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.

A wildcard mask is a 32-bit quantity that is divided into four octets. The numbers one and zero in the mask are used to determine the treatment of the corresponding IP address bits. In the wildcard mask process, the IP address in the access-list statement has the wildcard mask applied to it. This creates the match value, which compares the two and determines whether the packet should be processed by this ACL statement, or sent to the next statement to be checked.

The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs on the router. To see a specific list, add the ACL name or number as an option for this command. The show running-config command will also display the access lists on a router and the interface assignment information.

Standard ACLs check the source IP address of packets that are routed. The ACL will permit or deny access based on the network, subnet, and host address. Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers. A named ACL may be either an extended or standard ACL. Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them. A named access list will allow the deletion of statements but will only allow for statements to be inserted at the end of a list