1. An ACL is a sequential list of permit and deny statements with an implicit “deny all” statement at the end.
2. ACLs are really helpful when there is a need to exercise control over network traffic.
3. Access lists basically filter unwanted packets when implementing security policies.
4. Implementing access lists is a lot like programming. If a given condition is met, then a given action is taken. If the condition isn’t met, nothing happens and the next statement is evaluated.
5. You can apply an access list to either inbound or outbound traffic on any interface.
6. An access list is first created and then applied.
7. Standard Access List:
· A standard access list filters network traffic by examining only the source IP address of a packet.
· We create a standard access list by using the access list numbers 1-99 and 1300-1999 (expanded range).
· It does not distinguish between types of IP traffic such as web, Telnet, UDP and so on.
· A standard access list is applied as near as possible to the destination and in the outbound direction.
8. Extended Access List:
· Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number in the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.
· A specific service or protocol can be denied with the help of an extended access list.
· An extended access list can be created by using the access list numbers 100-199 and 2000-2699 (expanded range).
· It is recommended to apply the extended access list closest to the source.
9. General rules for access control lists:
· You first make an ACL and then apply it as per your requirement.
· You can assign only one access list per interface per direction. This means you can have only one inbound and one outbound access list per interface.
· Organize your access lists so that the more specific entries are at the top of the access list. Try to minimize the size of your ACLs.
· Every time a new entry is added to the access list, it is placed at the bottom of the list.
· You cannot remove one entry from an access list with the no access-list command. If you try to do this, you will end up deleting the entire list.
· There is an implicit “deny all” statement at the bottom of every ACL.
· Configure and apply standard ACLs nearest to the destination and in the outbound direction.
· Configure and apply extended ACLs nearest to the source and in the inbound direction.
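The evaluation behaviour described in items 4, 7, 8 and 9 (top-down first match, the implicit deny at the end, wildcard masks, and standard versus extended matching), modelled in Python as an added example. This code is not from the original notes and is not how IOS itself is implemented; the ACL entries, packets and addresses are constructed sample values that reuse the 1.0.0.0/8, host 1.0.0.2 and host 2.0.0.2 values the notes use.

```python
"""Added example (not from the original notes): a small model of how an
IOS-style ACL evaluates a packet. It implements the rules the notes describe:
top-down first match, an implicit "deny all" at the end, wildcard-mask
matching, and the difference between a standard ACL (source address only)
and an extended ACL (protocol, source, destination, destination port).
All addresses, entries and packets are constructed sample values."""

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is "don't care".
    So 1.0.0.0 0.255.255.255 matches any address whose first octet is 1."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"             # "any" == 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    # The fields below are only examined by an extended ACL.
    protocol: str = "ip"             # "ip" matches every protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # None == any port


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def entry_matches(e: Entry, p: Packet, extended: bool) -> bool:
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not extended:
        return True  # standard ACL: the source address is all that is inspected
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.dst_port is not None and e.dst_port != p.dst_port:
        return False
    return True


def evaluate(acl: list[Entry], p: Packet, extended: bool) -> tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching entry decides.
    Returns (action, index); index None means the implicit deny fired."""
    for i, e in enumerate(acl):
        if entry_matches(e, p, extended):
            return e.action, i
    return "deny", None


# Standard ACL 1 from the notes: deny network 1.0.0.0/8, permit everything else.
STANDARD_ACL = [
    Entry("deny", "1.0.0.0", "0.255.255.255"),
    Entry("permit"),
]

# Extended ACL: deny HTTP from host 1.0.0.2 to host 2.0.0.2, permit other TCP.
EXTENDED_ACL = [
    Entry("deny", "1.0.0.2", "0.0.0.0", "tcp", "2.0.0.2", "0.0.0.0", 80),
    Entry("permit", protocol="tcp"),
]

# The same two entries in the wrong order: the general permit at the top
# shadows the specific deny, which is why specific entries go first.
MISORDERED_ACL = list(reversed(EXTENDED_ACL))


def demo() -> dict:
    web = Packet("1.0.0.2", "2.0.0.2", "tcp", 80)
    ssh = Packet("1.0.0.2", "2.0.0.2", "tcp", 22)
    ping = Packet("1.0.0.2", "2.0.0.2", "icmp")
    return {
        "standard_web": evaluate(STANDARD_ACL, web, extended=False),     # ("deny", 0)
        "standard_ssh": evaluate(STANDARD_ACL, ssh, extended=False),     # ("deny", 0): source only
        "extended_web": evaluate(EXTENDED_ACL, web, extended=True),      # ("deny", 0)
        "extended_ssh": evaluate(EXTENDED_ACL, ssh, extended=True),      # ("permit", 1)
        "extended_ping": evaluate(EXTENDED_ACL, ping, extended=True),    # ("deny", None): implicit deny
        "misordered_web": evaluate(MISORDERED_ACL, web, extended=True),  # ("permit", 0): shadowed
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "extended_ping" case is the one to notice: nothing in the list mentions ICMP, so the packet falls through to the implicit deny even though no explicit deny was written, which is what item 9's implicit “deny all” rule means in practice.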
10. Numbered Standard Access List:
· Creating the access list:
Router(config)# access-list 1 {permit | deny} host 1.0.0.1               (deny a single host; list number 1-99)
or
Router(config)# access-list 1 {permit | deny} 1.0.0.0 0.255.255.255      (deny an entire network)
Router(config)# access-list 1 permit any
· Implementing the ACL:
Router(config)# interface fastEthernet0/1
Router(config-if)# ip access-group 1 {in | out}                          (1 = ACL number; in or out = direction)
· Editing the ACL:
Router(config)# ip access-list standard 1
Router(config-std-nacl)# no 10 deny 1.0.0.0 0.255.255.255                (10 = sequence number)
11. Named Standard Access List:
· Creating the access list:
Router(config)# ip access-list standard ccna                             (ccna = list name)
Router(config-std-nacl)# deny host 1.0.0.2                               (deny a single host)
or
Router(config-std-nacl)# deny 1.0.0.0 0.255.255.255                      (deny an entire network)
Router(config-std-nacl)# permit any
· Implementing the ACL:
Router(config)# interface fastethernet0/0
Router(config-if)# ip access-group ccna {in | out}                       (direction)
· Editing the ACL:
Router(config)# ip access-list standard ccna
Router(config-std-nacl)# no 10 deny host 1.0.0.2                         (10 = sequence number)
12. Numbered Extended Access List:
· Creating the access list:
Router(config)# access-list 100 {permit | deny} tcp host 1.0.0.2 host 2.0.0.2 eq 80
    (100 = list number from 100-199; tcp = service/protocol; first host = source address; second host = destination address; 80 = port number)
Router(config)# access-list 100 permit tcp any any
· Implementing the ACL:
Router(config)# interface fastethernet0/0
Router(config-if)# ip access-group 100 {in | out}                        (direction)
· Editing the ACL:
Router(config)# ip access-list extended 100
Router(config-ext-nacl)# no 10 deny tcp host 1.0.0.1 host 2.0.0.1 eq 80  (10 = sequence number)
13. Named Extended Access List:
· Creating the access list:
Router(config)# ip access-list extended ccna
Router(config-ext-nacl)# {permit | deny} tcp host 1.0.0.1 host 2.0.0.1 eq 80   (tcp = service/protocol; 80 = port number)
Router(config-ext-nacl)# permit tcp any any
· Implementing the ACL:
Router(config)# interface fastethernet0/0
Router(config-if)# ip access-group ccna {in | out}                       (direction)
· Editing the ACL:
Router(config)# ip access-list extended ccna
Router(config-ext-nacl)# no 10 {permit | deny} tcp host 1.0.0.1 host 2.0.0.1 eq 80   (10 = sequence number)
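An added parser for the access-list command lines used in items 10 to 13 (this is example code, not code from the original notes or from Cisco). It turns a numbered or named-mode entry into a structured record, classifies the list number into the standard or extended range the notes give, assigns sequence numbers in the IOS default steps of 10 as entries are appended at the bottom, and models the named-mode `no <seq>` command removing a single entry rather than the whole list. It handles only the syntax shown on this page (host / any / network-plus-wildcard addresses and a destination `eq` port); the sample command lines are constructed.

```python
"""Added example (not from the original notes): a parser for the IOS-style
access-list lines shown in items 10-13, plus the sequence-number behaviour
the editing examples rely on. Entries are numbered 10, 20, 30 ... in the
order they are added (IOS default step), a new entry always lands at the
bottom, and "no <seq>" removes just that entry. Sample lines are constructed."""

from typing import Optional

SEQ_STEP = 10


def _addr(tokens: list[str]) -> tuple[str, str]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'.
    A bare address with no wildcard is treated as a single host (wildcard 0.0.0.0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    wildcard = tokens.pop(0) if tokens and tokens[0] not in ("eq", "host", "any") else "0.0.0.0"
    return tok, wildcard


def parse_entry(line: str) -> dict:
    """Parse one entry in either the numbered form
       'access-list 101 deny tcp host 1.0.0.2 host 2.0.0.2 eq 80'
    or the named-mode form 'deny tcp host 1.0.0.2 host 2.0.0.2 eq 80'."""
    tokens = line.split()
    number: Optional[int] = None
    if tokens[0] == "access-list":
        number = int(tokens[1])
        tokens = tokens[2:]
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit/deny, got {action!r}")
    entry = {"number": number, "action": action}
    # A standard entry takes only a source; an extended entry starts with a
    # protocol keyword and then carries source, destination and optional port.
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):
        entry["protocol"] = tokens.pop(0)
        entry["src"], entry["src_wc"] = _addr(tokens)
        entry["dst"], entry["dst_wc"] = _addr(tokens)
        entry["dst_port"] = None
        if tokens and tokens[0] == "eq":
            entry["dst_port"] = int(tokens[1])
            del tokens[:2]
    else:
        entry["src"], entry["src_wc"] = _addr(tokens)
    if tokens:
        raise ValueError(f"unparsed trailing tokens: {tokens}")
    return entry


def is_standard_number(n: int) -> bool:
    """Standard lists: 1-99 and the expanded range 1300-1999."""
    return 1 <= n <= 99 or 1300 <= n <= 1999


def is_extended_number(n: int) -> bool:
    """Extended lists: 100-199 and the expanded range 2000-2699."""
    return 100 <= n <= 199 or 2000 <= n <= 2699


class AccessList:
    """Entries keyed by sequence number, in the order 'show access-lists' would print them."""

    def __init__(self) -> None:
        self.entries: dict[int, dict] = {}

    def add(self, line: str) -> int:
        # New entries are always appended below the current highest sequence number,
        # even if a lower number was freed by an earlier removal.
        seq = (max(self.entries) if self.entries else 0) + SEQ_STEP
        self.entries[seq] = parse_entry(line)
        return seq

    def apply(self, command: str) -> Optional[int]:
        """Named-mode editing: 'no <seq> ...' removes one entry, anything else is added."""
        parts = command.split(maxsplit=2)
        if parts[0] == "no":
            del self.entries[int(parts[1])]
            return None
        return self.add(command)

    def sequence(self) -> list[int]:
        return sorted(self.entries)


def demo() -> dict:
    """Build the named extended list 'ccna' from item 13, then edit it."""
    acl = AccessList()
    acl.apply("deny tcp host 1.0.0.1 host 2.0.0.1 eq 80")   # seq 10
    acl.apply("deny tcp host 1.0.0.2 host 2.0.0.2 eq 80")   # seq 20
    acl.apply("permit tcp any any")                          # seq 30
    acl.apply("no 10 deny tcp host 1.0.0.1 host 2.0.0.1 eq 80")  # removes only seq 10
    acl.apply("permit ip any any")                           # seq 40, appended at the bottom
    return {"sequence": acl.sequence(), "entries": acl.entries}


if __name__ == "__main__":
    for seq, entry in demo()["entries"].items():
        print(seq, entry)
```

The demo ends with sequence numbers 20, 30, 40: removing entry 10 leaves a gap rather than renumbering, and the next entry still goes to the bottom, which matches the "new entries are placed at the bottom" rule in item 9.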