BASIC IP TRAFFIC MANAGEMENT WITH ACCESS CONTROL LIST
Cisco provides Access Control Lists (ACLs) to control the flow of traffic from one interface to another interface in a network.
Access control lists (ACLs) can be used for two purposes on Cisco devices:
1- To filter traffic
2- To identify traffic
An Access Control List (ACL) is a set of commands which are grouped together to filter the traffic that enters and leaves an interface. Access lists are a set of rules, organized in a rule table. Each rule or line in an access-list provides a condition, either permit or deny.
When filtering traffic, access lists are applied on interfaces. As a packet passes through a router, the top line of the rule list is checked first, and the router continues down the list until a match is made. Once a match is made, the packet is either permitted or denied, and no further lines are checked.
Access lists are applied in one of the following directions----
Inbound – Filtering the traffic as it enters the interface (before routing).
Outbound – Filtering the traffic before it leaves the interface (after routing).
NOTE-- Only one access list per interface, per protocol, per direction is allowed.
Filtering traffic is the primary use of access lists. Used this way, an access list:
- Provides security in the network.
- Controls the flow of traffic.
- Increases network performance and optimizes CPU and memory usage.
- Reduces network traffic and congestion.
- Decides which type of traffic is forwarded or restricted on an interface.
However, there are several instances when it is necessary to identify traffic using ACLs, including:
1- Identifying interesting traffic to bring up an ISDN link or VPN tunnel
2- Identifying routes to filter or allow in routing updates
3- Identifying traffic for QoS purposes
4- Optimizing CPU and memory usage
Two types of Access Lists---
NUMBERED ACL – A unique number is assigned to each ACL. Individual lines cannot be removed from a numbered access list; the entire access list must be deleted and recreated. New entries to a numbered access list are always added to the bottom of the access list.
NAMED ACL – A unique name is assigned to each ACL. Named access lists provide a bit more flexibility: descriptive names can be used to identify your access-lists, and individual lines can be removed from a named access-list.
Each kind of ACL comes in two types:
Standard ACL (Normal Range 1–99, Expanded Range 1300–1999) – Standard IP access-lists are based only upon the source host or network IP address, and should be placed closest to the destination network. They forward or filter a packet using only the source address in the IP header. A standard IP ACL is also used to restrict telnet access to the router.
Extended ACL (Normal Range 100–199, Expanded Range 2000–2699) – Extended IP access-lists filter the packet based upon the source IP address as well as the destination IP address, the protocol (TCP, UDP or ICMP) and the port number. Extended access-lists should be placed closest to the source network. Extended numbered ACLs are more flexible than standard ACLs.
Wild Card Masks----
IP access-lists use wildcard masks to determine two things:
1. Which part of an address must match exactly.
2. Which part of an address can match any number.
This is the opposite of a subnet mask, which tells us what part of an address is the network (subnet) and what part of an address is the host. Wildcard masks look like inverted subnet masks.
Two Golden Rules of Access Lists:
1. If a bit is set to 0 in a wildcard mask, the corresponding bit in the address must be matched exactly.
2. If a bit is set to 1 in a wildcard mask, the corresponding bit in the address can match any number. In other words, we “don’t care” what number it matches.
There are actually two ways we can match a host:
1- Using a wildcard mask with all bits set to 0 – 172.16.1.1 0.0.0.0
2- Using the keyword “host” – host 172.16.1.1
There are actually two ways we can match all addresses:
1- Using a wildcard mask with all bits set to 1 – 0.0.0.0 255.255.255.255
2- Using the keyword “any” – any
We can use several other operators for port numbers:
eq = Matches a specific port
gt = Matches all ports greater than the port specified
lt = Matches all ports less than the port specified
neq = Matches all ports except for the port specified
range = Matches a specific inclusive range of ports
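The following Python program is an added example, not part of the original post and not Cisco's code. It ties together the rules described above: the two golden rules for wildcard masks, the host and any shortcuts, the eq/gt/lt/neq/range port operators, the difference between a standard (source-only) and an extended entry, and the top-down first-match evaluation of an access list. It parses ACL lines written in IOS-like syntax (a small subset, just enough for the forms shown on this page) and walks a packet through them. It also applies the implicit deny that ends every Cisco ACL, which the post does not spell out: a packet that matches no line is dropped. All addresses and the sample list are constructed for illustration.

```python
"""Wildcard-mask matching and top-down ACL evaluation for IPv4 (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Golden rules: a 0 bit in the wildcard must match exactly, a 1 bit is don't-care."""
    care = ~_ip(wildcard) & ALL_ONES          # bits that must be compared
    return (_ip(addr) & care) == (_ip(base) & care)


def wildcard_from_subnet_mask(mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the corresponding subnet mask."""
    return str(ipaddress.IPv4Address(_ip(mask) ^ ALL_ONES))


def parse_address(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "any":                    # same as 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":                   # same as A 0.0.0.0
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def port_match(op: Optional[str], args: List[int], port: Optional[int]) -> bool:
    """eq / gt / lt / neq / range; a line without a port operator matches every port."""
    if op is None:
        return True
    if port is None:                          # a port-less packet cannot satisfy a port test
        return False
    if op == "eq":
        return port == args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "neq":
        return port != args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None


@dataclass
class Entry:
    action: str                               # "permit" or "deny"
    proto: str                                # "ip" matches any protocol
    src: Tuple[str, str]                      # (base, wildcard)
    dst: Tuple[str, str]
    port_op: Optional[str] = None
    port_args: List[int] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return (wildcard_match(pkt.src, *self.src)
                and wildcard_match(pkt.dst, *self.dst)
                and port_match(self.port_op, self.port_args, pkt.dst_port))


def parse_entry(line: str, standard: bool = False) -> Entry:
    """Parse one line of IOS-like syntax (a small subset of the real grammar).

    standard: 'permit 10.1.1.0 0.0.0.255'          -> source address only
    extended: 'deny tcp any host 10.1.1.5 eq 23'   -> protocol, source, destination, port test
    """
    t = line.split()
    any_addr = ("0.0.0.0", "255.255.255.255")
    if standard:
        base, wc, _ = parse_address(t, 1)
        return Entry(t[0], "ip", (base, wc), any_addr)
    sbase, swc, i = parse_address(t, 2)
    dbase, dwc, i = parse_address(t, i)
    op, args = (t[i], [int(x) for x in t[i + 1:]]) if i < len(t) else (None, [])
    return Entry(t[0], t[1], (sbase, swc), (dbase, dwc), op, args)


def evaluate(acl: List[str], pkt: Packet, standard: bool = False) -> str:
    """Walk the list top-down; the first matching line decides.

    A packet that matches no line hits the implicit deny at the end of every ACL.
    """
    for line in acl:
        entry = parse_entry(line, standard)
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Constructed sample (addresses are illustrative, not taken from the post): allow SSH to
# one server from the management LAN, block FTP, allow high ports into the server
# subnet, then deny everything else explicitly.
SAMPLE_ACL = [
    "permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.5 eq 22",
    "deny tcp any any range 20 21",
    "permit tcp any 10.1.1.0 0.0.0.255 gt 1023",
    "deny ip any any",
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.42", "10.1.1.5", "tcp", 22),
                Packet("192.168.2.42", "10.1.1.5", "tcp", 21),
                Packet("192.168.2.42", "10.1.1.9", "udp", 53)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```

Swapping the order of a deny line and a permit-any line gives the same packet the opposite verdict, which is the practical consequence of first-match evaluation and the reason line order is reviewed so carefully on real devices. Dropping the final "deny ip any any" changes nothing for the UDP packet in the sample, because the implicit deny catches it either way; the explicit line only makes the intent visible.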