8/13/2019 ACL part 1
1/13
aveen Patel
Access Control List
It provides Layer 3 security which controls the flow of traffic from one network to another.
Filters packets (packet-filtering firewall).
Types of ACL
ACL
  Numbered : Standard, Extended
  Named    : Standard, Extended
ACL - Network Diagram
[Diagram: three sites labelled HYD, CHE and BAN (left to right), each router with a LAN on E0, linked in a chain over serial interfaces]
  HYD : E0 192.168.1.1/24, LAN 192.168.1.0/24 (hosts .2, .3, .4); S0 10.0.0.1/8
  CHE : S1 10.0.0.2/8; E0 192.168.2.1/24, LAN 192.168.2.0/24 (hosts .2, .3, .4); S0 11.0.0.1/8
  BAN : S1 11.0.0.2/8; E0 192.168.3.1/24, LAN 192.168.3.0/24 (hosts .2, .3, .4)
Requirement: 192.168.1.0 should not communicate with 192.168.2.0 network
Types of Access-list
Standard ACL
Extended ACL
Named ACL
Standard Access List
The access-list number range is 1 to 99.
Can block a Network, Host or Subnet.
Two-way communication is stopped: the blocked network cannot send into the protected network, and the replies it would have to send to any request coming the other way are dropped as well.
All services are blocked.
Implemented closest to the destination (guideline): a standard list cannot tell destinations apart, so placed near the source it would cut that source off from every network.
Checks the source IP address only.
Extended Access List
The access-list number range is 100 to 199.
Can block a Network, Host, Subnet or Service.
One-way communication is stopped: only the direction that matches the entry is filtered, so a session started from the other side still works unless a separate entry blocks it.
Selected services can be blocked.
Checks source IP address, destination IP address and port number.
Implemented closest to the source (guideline), so unwanted traffic is dropped before it crosses the network.
Terminology
Deny : Blocking a Network/Host/Subnet/Service
Permit : Allowing a Network/Host/Subnet/Service
Source Address : The address of the PC from where the request starts.
Destination Address : The address of the PC where the request ends.
Inbound : Traffic coming into the interface
Outbound : Traffic going out of the interface
Terminology
Protocols : IP
  - TCP
  - UDP
  - ICMP
Operators : eq (equal to)
            neq (not equal to)
            lt (less than)
            gt (greater than)
Services : HTTP, FTP, TELNET, DNS, DHCP etc.
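As an added example, not part of the slides and not Cisco IOS code, the following Python re-implements the matching rules from the Standard and Extended Access List slides and the terminology above: first-match evaluation, the implicit deny at the end of every list, standard entries (1-99) checking only the source address, and extended entries (100-199) checking protocol, source, destination and a port operator (eq/neq/lt/gt). The entry syntax is a simplification of the IOS form that accepts only a destination-port operator; the two lists and the packet dictionaries are constructed for the diagram's requirement that 192.168.1.0/24 must not reach 192.168.2.0/24.

```python
import ipaddress
import operator

# Relational operators an extended entry may apply to the destination port.
OPERATORS = {"eq": operator.eq, "neq": operator.ne,
             "lt": operator.lt, "gt": operator.gt}


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    check_bits = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) ^ ip_to_int(base)) & check_bits == 0


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")   # every bit ignored
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")       # every bit must match
    return (tok, tokens.pop(0))


def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line into a rule dict.

    Simplification (assumption): an extended entry is 'proto SRC DST [op PORT]'
    and the optional operator applies to the destination port only.
    """
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    rule = {"number": number, "action": action}
    rest = tokens[3:]
    if 1 <= number <= 99:                 # standard: source address only
        rule["kind"] = "standard"
        rule["src"] = _take_address(rest)
    elif 100 <= number <= 199:            # extended: proto, src, dst, port
        rule["kind"] = "extended"
        rule["proto"] = rest.pop(0)
        rule["src"] = _take_address(rest)
        rule["dst"] = _take_address(rest)
        if rest:
            op, port = rest.pop(0), int(rest.pop(0))
            if op not in OPERATORS:
                raise ValueError(f"unknown operator {op!r} in: {line!r}")
            rule["port_op"] = (op, port)
    else:
        raise ValueError(f"number {number} is outside 1-99 and 100-199")
    if rest:
        raise ValueError(f"trailing tokens {rest} in: {line!r}")
    return rule


def load_acl(lines):
    return [parse_entry(line) for line in lines]


def entry_matches(rule, pkt):
    if not wildcard_match(pkt["src"], *rule["src"]):
        return False
    if rule["kind"] == "standard":        # nothing else is examined
        return True
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["dst"], *rule["dst"]):
        return False
    if "port_op" in rule:
        op, port = rule["port_op"]
        return OPERATORS[op](pkt.get("dport", 0), port)
    return True


def evaluate(rules, pkt):
    """First matching entry decides; the implicit deny applies when none does."""
    for rule in rules:
        if entry_matches(rule, pkt):
            return rule["action"]
    return "deny"


# Constructed lists for the diagram's requirement. The standard list blocks
# the whole source network (all services), so it belongs near the destination;
# the extended list singles out one service and can sit near the source.
STANDARD_ACL = [
    "access-list 10 deny 192.168.1.0 0.0.0.255",
    "access-list 10 permit any",
]
EXTENDED_ACL = [
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    std, ext = load_acl(STANDARD_ACL), load_acl(EXTENDED_ACL)
    web = {"proto": "tcp", "src": "192.168.1.2", "dst": "192.168.2.2", "dport": 80}
    telnet = dict(web, dport=23)
    print("standard, web   :", evaluate(std, web))      # deny
    print("standard, telnet:", evaluate(std, telnet))   # deny
    print("extended, web   :", evaluate(ext, web))      # deny
    print("extended, telnet:", evaluate(ext, telnet))   # permit
```

Running it shows the contrast the two slides draw: the standard list drops every service from 192.168.1.0/24 because it never looks past the source, while the extended list drops only HTTP to 192.168.2.0/24 and lets Telnet and ICMP through. Leaving out the final `permit` entry makes the implicit deny visible, since nothing that fails to match is forwarded.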
Wild Card Mask
Tells the router which addressing bits must match in the address of the ACL statement.
It is the inverse of the subnet mask, hence also called the inverse mask.
A bit value of 0 indicates MUST MATCH (check bits).
A bit value of 1 indicates IGNORE (ignore bits).
The wild card mask for a single host is always 0.0.0.0.
Wild Card Mask
A wild card mask can be calculated using the formula:
    Global Subnet Mask
  - Customized Subnet Mask
  -------------------------------
    Wild Card Mask
E.g.
    255.255.255.255
  - 255.255.255.240
  ---------------------
      0.  0.  0. 15
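The slide's subtraction, as an added Python example (not from the slides): it computes the wild card mask from a subnet mask or a CIDR prefix length, prints the bits so the check bits (0) and ignore bits (1) can be read off, and derives the address range one ACL entry covers. The function names and the sample masks are the example's own.

```python
import ipaddress

GLOBAL_MASK = 0xFFFFFFFF          # 255.255.255.255, the "global subnet mask"


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask):
    """Global subnet mask minus the customized subnet mask."""
    return _to_str(GLOBAL_MASK - _to_int(subnet_mask))


def wildcard_from_prefix(prefix_len):
    """Same computation starting from CIDR notation, e.g. 28 for /28."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(netmask))


def mask_bits(wildcard):
    """Dotted binary string: 0 = must match (check bit), 1 = ignore."""
    return ".".join(f"{int(octet):08b}" for octet in wildcard.split("."))


def ignore_bits(wildcard):
    return bin(_to_int(wildcard)).count("1")


def addresses_covered(wildcard):
    """Every ignore bit doubles the number of addresses one entry matches."""
    return 2 ** ignore_bits(wildcard)


def matched_range(base, wildcard):
    """Lowest and highest address matched when the ignore bits are the
    contiguous low-order bits (the usual subnet-style wildcard)."""
    w, b = _to_int(wildcard), _to_int(base)
    return _to_str(b & ~w & GLOBAL_MASK), _to_str(b | w)


if __name__ == "__main__":
    for mask in ("255.255.255.240", "255.255.255.0", "255.255.255.255"):
        wc = wildcard_from_mask(mask)
        print(f"{mask:>15} -> {wc:<15} {mask_bits(wc)}  "
              f"{ignore_bits(wc)} ignore bits, {addresses_covered(wc)} addresses")
    print(matched_range("192.168.1.37", "0.0.0.15"))   # ('192.168.1.32', '192.168.1.47')
```

The host case on the previous slide falls out of the same formula: 255.255.255.255 minus 255.255.255.255 is 0.0.0.0, every bit is a check bit, and exactly one address is covered.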
ACL - Network Diagram
[Diagram: the same HYD / CHE / BAN topology as on the earlier diagram slide (LANs 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 on E0; serial links 10.0.0.0/8 and 11.0.0.0/8)]
Requirement: 192.168.1.0 should not communicate with 192.168.2.0 network