ACL’s can filter inbound and outbound router traffic
The 2 Functions ACL’s are used for:
- Classification: After the router identifies and classifies traffic the router can decide how to handle that traffic.
- Filtering: Permitting or denying specific traffic
Packet filtering helps control packet movement through the network.
ACL’s permit or deny the following:
- Packets to or from specific interfaces and packets traversing the router
- Inbound or outbound remote administration traffic
BY DEFAULT ALL IP TRAFFIC IS ALLOWED INBOUND AND OUTBOUND ON ALL INTERFACES!
In IP ALL discard returns “Destination Unreachable”
ACL’s can classify traffic, for example:
Identify traffic to be encrypted across VPN
- Identify routes to be redistributed
- Use with route filtering to identify which routes to send in an update
- Used with policy based routing to identify routes
- Identify traffic to be natted
- Used with QoS
ACL’s specify how a router handles traffic
ACL’s do NOT apply to traffic originating from the router.
ACL statements operate in a sequential, logical order.
Evaluation is top down one statement at a time, once a match is found the rest of the statement are skipped.
Implicit deny any statement is last, dropping all packets that do not meet the criteria of an ACL.
1 ACL per PROTOCOL per DIRECTION per INTERFACE
Standard ACL’s – Check only the source address (1-99 or 1300-1999)
Extended ACL’s – Are 100-199 or 2000-2699 and check:
- Source address
- Destination Address
- Port Numbers
Named or numbered ACL’s (to identify them)
Specific references to a subnet should appear before more general ones.
Create the ACL before applying it to an interface
Place ACL’s as close as possible to the source of the traffic being filtered.
Dynamic ACL’s – Require authentication before passing traffic
Reflexive ACL’s – Denys inbound connections unless the request comes from an address inside the network. Entries are temporary. Can only be defined with extended Named ACL’s, they cannot be used with standard or numbered ACL’s.
Time based ACL’s – Access control based on time
Summary of ACL Operations
- Used for IP packet filtering and identification
- Top down processing for inbound and outbound
- Named or Numbered, Standard or extended these determine what can be filtered.
Standard ACL’s – Deploy as close to the destination as possible.
access-list – Creates a Standard ACL
ip access-group – assigns an ACL to and interface
Remove an ACL from an interface before deleting it
access-class – assigns an ACL to a vty line
remark – Allows the use of comments in the config
show access-list – displays the contents of all ACL’s
show ip access-list – shows the contents of IP access lists
show ip interface – shows the ACL (if any) applied to an interface