ACL part 1


  • 8/13/2019 ACL part 1

    1/13

    aveen Patel

Access Control List

It provides Layer 3 security, which controls the flow of traffic from one network to another.

It filters packets (packet-filtering firewall).

Types of ACL

ACL
  Numbered
    - Standard
    - Extended
  Named
    - Standard
    - Extended

ACL - Network Diagram

[Network diagram: routers HYD, CHE and BAN, left to right.
 LAN interfaces: E0 192.168.1.1/24 (LAN 192.168.1.0/24), E0 192.168.2.1/24 (LAN 192.168.2.0/24), E0 192.168.3.1/24 (LAN 192.168.3.0/24); hosts .2, .3 and .4 on each LAN.
 Serial links: S0 10.0.0.1/8 to S1 10.0.0.2/8, and S0 11.0.0.1/8 to S1 11.0.0.2/8.]

192.168.1.0 should not communicate with the 192.168.2.0 network.

Types of Access-list

Standard ACL

Extended ACL

Named ACL

Standard Access List

The access-list number range is 1 to 99.

Can block a network, host or subnet.

Two-way communication is stopped.

All services are blocked.

Checks the source IP address only.

Implemented closest to the destination (guideline).

Extended Access List

The access-list number range is 100 to 199.

Can block a network, host, subnet or service.

One-way communication is stopped.

Selected services can be blocked.

Checks source IP address, destination IP address and port number.

Implemented closest to the source (guideline).

Terminology

Deny: blocking a network, host, subnet or service.

Permit: allowing a network, host, subnet or service.

Source address: the address of the PC from where the request starts.

Destination address: the address of the PC where the request ends.

Inbound: traffic coming into the interface.

Outbound: traffic going out of the interface.

Terminology

Protocols: IP
- TCP
- UDP
- ICMP

Operators: eq (equal to), neq (not equal to), lt (less than), gt (greater than)

Services: HTTP, FTP, TELNET, DNS, DHCP etc.
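The difference between a standard list (source address only, all services) and an extended list (source, destination, protocol and port with the eq/neq/lt/gt operators) can be modelled in a few dozen lines. The Python below is an added example and is not part of the slides or of Cisco IOS: the ACL numbers 10, 101 and 102, the host addresses and the rules are constructed from the deck's network diagram, and the evaluator assumes the usual first-match semantics with an implicit deny at the end of every list.

```python
# Added example (not from the slides): a first-match evaluator for numbered
# standard and extended Cisco-style ACLs, using wildcard masks.
# The addresses, ACL numbers and rules are constructed from the deck's diagram.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


_PORT_OPS = {
    "eq": lambda port, value: port == value,
    "neq": lambda port, value: port != value,
    "lt": lambda port, value: port < value,
    "gt": lambda port, value: port > value,
}


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    protocol: str = "ip"            # "ip" matches any protocol; else tcp/udp/icmp
    src: str = "0.0.0.0"            # 0.0.0.0 with wildcard 255.255.255.255 = "any"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_op: Optional[str] = None    # eq / neq / lt / gt on the destination port
    dst_port: Optional[int] = None


def acl_type(number: int) -> str:
    """Numbered ACL ranges from the slides: 1-99 standard, 100-199 extended."""
    if 1 <= number <= 99:
        return "standard"
    if 100 <= number <= 199:
        return "extended"
    raise ValueError(f"ACL number {number} is outside the ranges covered here")


def matches(entry: Entry, pkt: dict) -> bool:
    if entry.protocol != "ip" and entry.protocol != pkt["protocol"]:
        return False
    if not wildcard_match(pkt["src"], entry.src, entry.src_wc):
        return False
    if not wildcard_match(pkt["dst"], entry.dst, entry.dst_wc):
        return False
    if entry.dst_op is not None:
        port = pkt.get("dport")     # ICMP has no port, so a port test never matches it
        return port is not None and _PORT_OPS[entry.dst_op](port, entry.dst_port)
    return True


def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"


# Standard ACL 10: checks the source only, so every service to every
# destination from 192.168.1.0/24 is blocked (hence: place it near the destination).
STANDARD_10 = [
    Entry("deny", src="192.168.1.0", src_wc="0.0.0.255"),
    Entry("permit"),                                     # permit any
]

# Extended ACL 101: source and destination, so only 192.168.1.0 -> 192.168.2.0
# is blocked and traffic to 192.168.3.0 still passes (hence: place it near the source).
EXTENDED_101 = [
    Entry("deny", "ip", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    Entry("permit", "ip"),                               # permit ip any any
]

# Extended ACL 102: a single service (telnet, tcp/23) to a single host
# (host wildcard 0.0.0.0); everything else is permitted.
EXTENDED_102 = [
    Entry("deny", "tcp", "192.168.1.0", "0.0.0.255", "192.168.2.2", "0.0.0.0", "eq", 23),
    Entry("permit", "ip"),
]


def packet(src, dst, protocol="tcp", dport=None) -> dict:
    """Constructed packet header: just the fields an ACL looks at."""
    return {"src": src, "dst": dst, "protocol": protocol, "dport": dport}


if __name__ == "__main__":
    web = packet("192.168.1.2", "192.168.2.2", "tcp", 80)
    telnet = packet("192.168.1.2", "192.168.2.2", "tcp", 23)
    to_ban = packet("192.168.1.2", "192.168.3.2", "tcp", 80)
    for name, acl in (("10", STANDARD_10), ("101", EXTENDED_101), ("102", EXTENDED_102)):
        print(name, acl_type(int(name)), evaluate(acl, web),
              evaluate(acl, telnet), evaluate(acl, to_ban))
```

Running it shows the placement guideline in action: ACL 10 denies 192.168.1.2 even when it talks to the BAN LAN, because a standard list cannot see the destination, while ACL 101 denies only the HYD-to-CHE traffic and ACL 102 denies only telnet to one host.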

Wild Card Mask

Tells the router which address bits must match the address in the ACL statement.

It is the inverse of the subnet mask, hence it is also called the inverse mask.

A bit value of 0 indicates MUST MATCH (check bits).

A bit value of 1 indicates IGNORE (ignore bits).

The wildcard mask for a single host is always 0.0.0.0.

Wild Card Mask

A wildcard mask can be calculated using the formula:

    Global Subnet Mask (255.255.255.255)
  - Customized Subnet Mask
  -------------------------------------
  = Wild Card Mask

E.g.

    255.255.255.255
  - 255.255.255.240
  -----------------
      0.  0.  0. 15
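As an added example that is not part of the slides, the Python below applies the formula above octet by octet, rejects a subnet mask that is not contiguous (the subtraction would still produce a number, but not a meaningful wildcard), converts a prefix length the same way, and shows the bitwise view that gives the "inverse mask" its name. All values are constructed; the function names are mine.

```python
# Added example (not from the slides): wildcard masks from the slide's
# subtraction formula, with a contiguity check and the bitwise equivalent.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def is_contiguous_mask(mask: str) -> bool:
    """A real subnet mask is a run of 1 bits followed by a run of 0 bits."""
    inv = ~_to_int(mask) & ALL_ONES
    return inv & (inv + 1) == 0          # the inverse must be of the form 2^k - 1


def wildcard_from_mask(mask: str) -> str:
    """The slide's formula, octet by octet: 255 minus the mask octet."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """/24 -> 0.0.0.255, /28 -> 0.0.0.15, /32 (a single host) -> 0.0.0.0."""
    mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return wildcard_from_mask(mask)


def check_bits(wildcard: str) -> int:
    """Number of 'must match' bits (wildcard bit 0) in a wildcard mask."""
    return 32 - bin(_to_int(wildcard)).count("1")


def same_as_inversion(mask: str) -> bool:
    """The per-octet subtraction is exactly a bitwise NOT of the mask."""
    return wildcard_from_mask(mask) == _to_dotted(~_to_int(mask) & ALL_ONES)


def covered_range(network: str, wildcard: str) -> tuple:
    """First and last address that a 'network wildcard' pair matches
    (for a contiguous wildcard: clear the ignore bits, then set them)."""
    n, w = _to_int(network), _to_int(wildcard)
    return _to_dotted(n & ~w & ALL_ONES), _to_dotted(n | w)


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))          # the slide's example
    print(wildcard_from_prefix(24), check_bits("0.0.0.255"))
    print(covered_range("192.168.1.0", "0.0.0.255"))
```

The contiguity check matters in practice: a mistyped mask such as 255.255.0.255 would pass through the subtraction as 0.0.255.0 and silently match a very different set of addresses than intended.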

ACL - Network Diagram

[Network diagram: routers HYD, CHE and BAN, left to right.
 LAN interfaces: E0 192.168.1.1/24 (LAN 192.168.1.0/24), E0 192.168.2.1/24 (LAN 192.168.2.0/24), E0 192.168.3.1/24 (LAN 192.168.3.0/24); hosts labelled .1, .2 and .3 on each LAN.
 Serial links: S0 10.0.0.1/8 to S1 10.0.0.2/8, and S0 11.0.0.1/8 to S1 11.0.0.2/8.]

192.168.1.0 should not communicate with the 192.168.2.0 network.