
ACCESS CONTROL LIST



1.   An ACL is a sequential list of permit and deny statements with an implicit "deny all" statement at the end.
2.   ACLs are useful whenever you need to exercise control over the traffic passing through a router interface.
3.   Access lists filter unwanted packets and are one of the basic tools for implementing a security policy on a router.
4.   Implementing access lists is a lot like programming. A packet is tested against the statements in order; if a statement's condition is met, its action (permit or deny) is taken and evaluation stops. If the condition isn't met, nothing happens and the next statement is evaluated. A packet that matches no statement is dropped by the implicit "deny all".
5.   You can apply an access list to either inbound or outbound traffic on any interface. An inbound ACL also filters packets addressed to the router itself (routing protocol updates, management traffic), whereas an outbound ACL does not filter traffic the router generates.
6.   An access list is first created and then applied. IOS permits all traffic on an interface whose access group refers to a list that does not exist yet, so create the list before binding it.
7.   Standard Access List:
·     A standard access list filters traffic by examining the source IP address of a packet only.
·     Standard access lists use the numbers 1-99 and 1300-1999 (expanded range).
·     It does not distinguish between types of IP traffic such as HTTP, Telnet or UDP, because it never looks at the protocol or port fields; every packet from a denied source is dropped regardless of service.
·     Because it matches on source only, a standard access list is applied as near as possible to the destination and in the outbound direction. Placed near the source it would cut that source off from everything, not just from the destination you want to protect.
8.   Extended Access List:
·     Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet: the source and destination IP addresses, the protocol field in the Network layer header, and the port numbers in the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.
·     A specific service or protocol (for example TCP port 80 from one host to one server) can be denied with an extended access list while all other traffic is still permitted.
·     Extended access lists use the numbers 100-199 and 2000-2699 (expanded range).
·     Because it can match the destination and service precisely, an extended access list is applied closest to the source, so unwanted traffic is dropped before it crosses the network.
9.   General rules for Access Control Lists:
·     You first create an ACL and then apply it as per your requirement.
·     You can assign only one access list per interface, per protocol, per direction. This means you can have only one inbound and one outbound IP access list per interface.
·     Organize your access lists so that the more specific entries are at the top. Evaluation stops at the first match, so a broad permit placed above a specific deny makes that deny unreachable. Try to minimize the size of your ACLs.
·     With the classic numbered syntax (access-list N ...) every new entry is placed at the bottom of the list. In named ACL configuration mode you can prefix an entry with a sequence number to insert it at a specific position.
·     With the classic numbered syntax you cannot remove a single entry: "no access-list N" deletes the entire list. To remove one entry, enter the list with "ip access-list standard|extended N" and delete it by its sequence number (shown by "show access-lists").
·     There is an implicit "deny all" statement at the bottom of every ACL. A list that contains only deny statements therefore blocks all traffic in that direction.
·     Configure and apply standard ACLs nearest to the destination and in the outbound direction.
·     Configure and apply extended ACLs nearest to the source and in the inbound direction.
10.                 Numbered Standard Access List:
·     Creating the access list (use a number from 1-99; the wildcard mask 0.255.255.255 matches every address whose first octet is 1, i.e. 1.0.0.0/8):
Router(config)# access-list 1 deny host 1.0.0.1               (deny a single host), or
Router(config)# access-list 1 deny 1.0.0.0 0.255.255.255      (deny an entire network)
Router(config)# access-list 1 permit any                      (without this, everything else is dropped by the implicit deny)
·     Applying the ACL (1 = list number; in or out = direction, normally out for a standard list placed near the destination):
Router(config)# interface fastEthernet0/1
Router(config-if)# ip access-group 1 out
·     Editing the ACL (enter the list by number and remove the entry by its sequence number; 10 is the deny for 1.0.0.0/8 above, as "show access-lists" displays):
Router(config)# ip access-list standard 1
Router(config-std-nacl)# no 10
11.                 Named Standard Access List:
·     Creating the access list (ccna = name):
Router(config)# ip access-list standard ccna
Router(config-std-nacl)# deny host 1.0.0.2                    (deny a single host), or
Router(config-std-nacl)# deny 1.0.0.0 0.255.255.255           (deny an entire network)
Router(config-std-nacl)# permit any
·     Applying the ACL (in or out = direction):
Router(config)# interface fastethernet0/0
Router(config-if)# ip access-group ccna out
·     Editing the ACL (remove the entry with sequence number 10, the deny host 1.0.0.2 above):
Router(config)# ip access-list standard ccna
Router(config-std-nacl)# no 10
12.                 Numbered Extended Access List:
·     Creating the access list (use a number from 100-199; tcp = service, host 1.0.0.2 = source, host 2.0.0.2 = destination, eq 80 = destination port):
Router(config)# access-list 100 deny tcp host 1.0.0.2 host 2.0.0.2 eq 80
Router(config)# access-list 100 permit tcp any any
Note that "permit tcp any any" permits only TCP; UDP, ICMP and everything else still hits the implicit deny. If the intent is "block this one service and allow the rest", the final line should be "permit ip any any".
·     Applying the ACL (in or out = direction, normally in for an extended list placed near the source):
Router(config)# interface fastethernet0/0
Router(config-if)# ip access-group 100 in
·     Editing the ACL (remove the entry with sequence number 10):
Router(config)# ip access-list extended 100
Router(config-ext-nacl)# no 10
13.                 Named Extended Access List:
·     Creating the access list (ccna = name; tcp = service, eq 80 = destination port):
Router(config)# ip access-list extended ccna
Router(config-ext-nacl)# deny tcp host 1.0.0.1 host 2.0.0.1 eq 80
Router(config-ext-nacl)# permit tcp any any                   (use "permit ip any any" if non-TCP traffic should pass too)
·     Applying the ACL (in or out = direction):
Router(config)# interface fastethernet0/0
Router(config-if)# ip access-group ccna in
·     Editing the ACL (remove the entry with sequence number 10; in named mode a new entry can also be given its own sequence number, e.g. "15 deny tcp host 1.0.0.3 host 2.0.0.1 eq 80", to insert it between 10 and 20):
Router(config)# ip access-list extended ccna
Router(config-ext-nacl)# no 10
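The following Python simulation is added here to show the evaluation rules of sections 7-9 acting on the exact access-list lines of sections 10-13; it is not part of the original notes and not Cisco code. It parses standard (source only) and extended (protocol, source, destination, optional "eq port") statements, applies wildcard-mask matching, stops at the first match, and falls through to the implicit deny. The names Packet, Entry, parse_acl and evaluate are this demo's own, and the sample packets are constructed for it. It also goes beyond the page's lines in two ways: it shows why "permit tcp any any" silently drops UDP and ICMP, and what happens when the broad permit is placed above the specific deny.

```python
"""Simulate Cisco-style ACL evaluation: statements tested in order, first match
decides, no match = implicit deny.  Added example, not from the original page.
Only the syntax shown on the page is parsed (standard: source; extended:
proto src dst [eq port]); anything else is outside this demo's assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255 is what "any" expands to


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    seq: int              # IOS numbers entries 10, 20, 30 ... by default
    action: str           # "permit" or "deny"
    proto: str            # "ip" = any protocol (a standard ACL behaves this way)
    src: Tuple[int, int]  # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":   # "host X" is shorthand for "X 0.0.0.0"
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def _match_addr(addr: int, rule: Tuple[int, int]) -> bool:
    """Wildcard semantics: a 1 bit in the mask means 'don't care' for that bit."""
    base, wild = rule
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny ...' or named-mode 'permit|deny ...' lines."""
    entries: List[Entry] = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":           # numbered syntax: drop "access-list N"
            tokens = tokens[2:]
        action = tokens[0]
        if tokens[1] in ("ip", "tcp", "udp", "icmp"):      # extended syntax
            proto = tokens[1]
            src, i = _parse_addr(tokens, 2)
            dst, i = _parse_addr(tokens, i)
            dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        else:                                               # standard syntax: source only
            proto, dst, dport = "ip", ANY, None
            src, _ = _parse_addr(tokens, 1)
        entries.append(Entry(10 * (len(entries) + 1), action, proto, src, dst, dport))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry; ("deny", None) = implicit deny."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_match_addr(s, e.src) and _match_addr(d, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e.seq       # first match wins; evaluation stops here
    return "deny", None              # the implicit "deny all"


# Constructed sample lists, built from the commands shown on this page.
STANDARD_ACL_1 = parse_acl([
    "access-list 1 deny 1.0.0.0 0.255.255.255",
    "access-list 1 permit any",
])
EXTENDED_ACL_100 = parse_acl([
    "access-list 100 deny tcp host 1.0.0.2 host 2.0.0.2 eq 80",
    "access-list 100 permit tcp any any",   # TCP only: UDP/ICMP fall through to the implicit deny
])
EXTENDED_ACL_100_FIXED = parse_acl([
    "access-list 100 deny tcp host 1.0.0.2 host 2.0.0.2 eq 80",
    "access-list 100 permit ip any any",    # permits the remaining traffic of every protocol
])
MISORDERED = parse_acl([                    # broad permit first: the specific deny is unreachable
    "access-list 100 permit tcp any any",
    "access-list 100 deny tcp host 1.0.0.2 host 2.0.0.2 eq 80",
])

if __name__ == "__main__":
    for name, acl, pkt in [
        ("standard, source in 1.0.0.0/8", STANDARD_ACL_1, Packet("tcp", "1.2.3.4", "9.9.9.9", 22)),
        ("standard, source outside", STANDARD_ACL_1, Packet("tcp", "9.9.9.9", "1.2.3.4", 22)),
        ("extended, web from 1.0.0.2", EXTENDED_ACL_100, Packet("tcp", "1.0.0.2", "2.0.0.2", 80)),
        ("extended, DNS over UDP", EXTENDED_ACL_100, Packet("udp", "1.0.0.3", "2.0.0.2", 53)),
        ("fixed, DNS over UDP", EXTENDED_ACL_100_FIXED, Packet("udp", "1.0.0.3", "2.0.0.2", 53)),
        ("misordered, web from 1.0.0.2", MISORDERED, Packet("tcp", "1.0.0.2", "2.0.0.2", 80)),
    ]:
        print(f"{name:32} -> {evaluate(acl, pkt)}")
```

Running the script prints one line per sample packet. The two results worth staring at are "extended, DNS over UDP", which is denied by no entry at all (sequence None, the implicit deny), and "misordered", where the web connection the author wanted to block is permitted by entry 10 before the deny is ever consulted; on a real router "show access-lists" would show the match counter on that deny staying at zero, which is the quickest way to spot the ordering mistake.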

