Introduction to Access Control Lists - Cisco

Sep 13, 2017 01:01 PM

INTRODUCTION TO ACLs (ACCESS CONTROL LISTS)

ACLs are used in networks to control traffic and to help prevent attacks.

Sysadmins can use ACLs to define and control which traffic the devices on the network may send and receive, as one way of securing them.

An ACL can be identified by a number, and the number range determines what the list filters on: numbers between 200-299 control traffic according to its Ethernet type, and numbers between 700-799 classify traffic by its MAC address.

CONFIGURATION OF ACLs

An ACL is an ordered list of permit or deny statements, known as access control entries (ACEs).

ACEs can be created to filter traffic based on criteria such as the destination address, the source address, the protocol, and the port number.

Standard ACLs match packets by examining the source IP address in the packet's IP header.

These ACLs filter packets based only on layer 3 information. To configure a numbered standard ACL, use the following command.

access-list acl-# {permit | deny | remark} source-addr [source-wildcard] [log]

Parameter          Description

acl-#              A decimal number between 1 and 99, or 1300 to 1999

deny               Denies access if the conditions are met

permit             Permits access if the conditions are met

remark             Adds a comment about the entries in an IP access list to make them easier to understand and scan

source-addr        The host or network number the packet is sent from

source-wildcard    (optional) 32-bit wildcard mask applied to the source address

log                (optional) Generates a logging message for packets that match the entry

Extended ACLs match packets based on source and destination information from layers 3 and 4.

Layer 4 information includes protocols such as TCP and UDP. Extended ACLs provide greater flexibility and control over network access than standard ACLs. To configure a numbered extended ACL, use the following command.

access-list acl-# {permit | deny | remark} protocol source-addr [source-wildcard] dest-addr [dest-wildcard] [operator port] [established]

Parameter             Description

acl-#                 A decimal number between 1 and 99, or 1300 to 1999

deny                  Denies access if the conditions are met

permit                Permits access if the conditions are met

remark                Adds a comment about the entries in an IP access list to make them easier to understand and scan

protocol              Name or number of a protocol

source-addr           The host or network number the packet is sent from

source-wildcard       Wildcard bits applied to the source address

dest-addr             The host or network number the packet is sent to

dest-wildcard         Wildcard bits applied to the destination address

operator              (optional) Compares the source or destination port. Possible operands are lt (less than), gt (greater than), eq (equal), neq (not equal) and range (an inclusive range)

port                  (optional) Number or name of a TCP or UDP port

established           (optional)

Instead of a number, a name can be used to identify an ACL. To configure a named standard or extended ACL, use the following command.

SYNTAX TO DEFINE A NAMED ACL

Router(config)# ip access-list {standard | extended} acl-name

Configure Access Control Entries (ACEs)

Standard ACE syntax:

Router(config-std-nacl)# {permit | deny | remark} {source [source-wildcard] | any}

Extended ACE syntax:

Router(config-ext-nacl)# {permit | deny | remark} protocol source-addr [source-wildcard] dest-addr [dest-wildcard] [operator port]
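As an added example that is not part of the original post and is not Cisco code, the following Python evaluator models how a router applies the numbered ACL syntax above: ACEs are tried top-down, the first match wins, a wildcard mask bit of 0 must match while 1 is "don't care", an omitted wildcard means an exact host, and a packet that matches nothing hits the implicit deny at the end of the list. It assumes numeric ports only; ACL 10, ACL 100 and the packets used in the test are constructed sample data.

```python
import ipaddress
# Wildcard mask: a 0 bit must match, a 1 bit is "don't care" (the inverse of a subnet mask).
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def _parse_addr(tokens: list) -> tuple:
    """Consume 'any' or 'addr [wildcard]' from tokens; return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    wildcard = "0.0.0.0"  # IOS behaviour: no wildcard given means an exact host
    if tokens and tokens[0].count(".") == 3:
        wildcard = tokens.pop(0)
    return tok, wildcard

def parse_ace(line: str) -> dict:
    """Parse 'access-list <#> permit|deny ...'; the number decides standard vs extended."""
    t = line.split()
    number, rest = int(t[1]), t[3:]
    ace = {"action": t[2], "proto": "ip", "op": None}
    if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard: source address only
        ace["src"], ace["dst"] = _parse_addr(rest), ("0.0.0.0", "255.255.255.255")
    else:  # extended: protocol, source, destination, optional operator and port(s)
        ace["proto"] = rest.pop(0)
        ace["src"], ace["dst"] = _parse_addr(rest), _parse_addr(rest)
        if rest:
            op = rest.pop(0)
            ace["op"] = (op, tuple(int(p) for p in rest[:2 if op == "range" else 1]))
    return ace

OPERATORS = {"eq": lambda p, v: p == v[0], "neq": lambda p, v: p != v[0], "lt": lambda p, v: p < v[0],
             "gt": lambda p, v: p > v[0], "range": lambda p, v: v[0] <= p <= v[1]}

def matches(ace: dict, pkt: dict) -> bool:
    proto_ok = ace["proto"] in ("ip", pkt["proto"])
    addr_ok = wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])
    port_ok = ace["op"] is None or OPERATORS[ace["op"][0]](pkt["dport"], ace["op"][1])
    return proto_ok and addr_ok and port_ok

def evaluate(acl_lines: list, pkt: dict) -> str:
    for ace in map(parse_ace, acl_lines):  # top-down, first match wins
        if matches(ace, pkt):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL
# Constructed sample ACLs: 10 is standard, 100 is extended (HTTPS from 10.0.0.0/8 to one host).
ACL_10 = ["access-list 10 permit 192.168.1.0 0.0.0.255"]
ACL_100 = ["access-list 100 permit tcp 10.0.0.0 0.255.255.255 192.168.1.10 0.0.0.0 eq 443",
           "access-list 100 deny tcp any any eq 23"]
```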
