Saturday, August 15, 2009

Access Control List

An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. They provide a powerful way to control traffic into and out of your network. This control can be as simple as permitting or denying network hosts or addresses.

However, ACLs can also be configured to control network traffic based on the TCP port being used. The ACL extracts the information from the packet header, tests it against its rules, and makes "allow" or "deny" decisions based on:


1. Source IP address

2. Destination IP address

3. ICMP message type


The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:


TCP/UDP source port and TCP/UDP destination port



Routers

An ACL is a router configuration script that uses packet filtering to control whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways. ACLs are among the most commonly used objects in Cisco IOS software.



ACLs perform the following tasks:


Limit network traffic to increase network performance. Traffic that consumes excessive bandwidth can be controlled.

Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.

Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to select users.

Decide which types of traffic to forward or block at the router interfaces. For example, an ACL can permit e-mail traffic, but block all Telnet traffic.

Control which areas a client can access on a network.


ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.



Configuration

ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.


Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.

Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.


ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time.


There are different types of ACLs - standard, extended, named and numbered.



Standard ACLs


A standard ACL is a sequential collection of permit and deny conditions that apply to IP addresses.

IP packets are filtered based on source address only.

e.g. access-list 10 permit 192.168.30.0 0.0.0.255




Extended ACLs


Extended ACLs filter IP packets based on several attributes which are:


Source and destination IP address,

Source and destination TCP or UDP ports

Protocol type (IP, ICMP, UDP, TCP or protocol number)


access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80
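The standard and extended statements shown above can be checked by hand with a small model of how IOS walks an ACL top-down and stops at the first match. This is an added Python example, not code from the original post or from Cisco; it parses the two statement forms used on this page (plus the `host` and `any` keywords) and assumes, as IOS does, that a packet matching no statement is dropped by the implicit deny at the end of every ACL.

```python
import ipaddress


def _wild_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care', so 0.0.0.255 is any host in a /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def _take_addr(tok):
    """Pop one address spec from the token list: 'any', 'host A', 'A WILDCARD' or bare 'A'."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    if len(tok) == 1:  # bare address in a standard ACL implies wildcard 0.0.0.0
        return (tok[0], "0.0.0.0"), []
    return (tok[0], tok[1]), tok[2:]


def parse_acl(lines):
    """Return the entries in statement order; the order is what IOS evaluates."""
    entries = []
    for line in lines:
        tok = line.split()
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99:  # standard ACL: source address only
            src, _ = _take_addr(tok[3:])
            entries.append(dict(action=action, proto="ip", src=src, dst=None, dport=None))
        elif 100 <= number <= 199:  # extended ACL: protocol, source, destination, optional port
            proto, rest = tok[3], tok[4:]
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append(dict(action=action, proto=proto, src=src, dst=dst, dport=dport))
        else:
            raise ValueError(f"ACL number {number} is outside the IP ranges handled here")
    return entries


def evaluate(entries, src, dst, proto="ip", dport=None):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not _wild_match(src, *e["src"]):
            continue
        if e["dst"] and not _wild_match(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"
```

Because evaluation stops at the first match, a `deny host` line placed after a `permit` for the whole network never fires; ordering the more specific statement first is what makes it effective.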


List of ACL types and their ranges

ACL type        Range
Standard IP     1-99
Extended IP     100-199
Standard IPX    800-899
Extended IPX    900-999
SAP IPX         1000-1099


1 comment:

  1. I am following your blog from the beginning, it was so distinct & I had a chance to collect a conglomeration of information that helps me a lot to improve myself. I hope this will help many readers who are in need of this vital piece of information. Thanks for sharing & keep your blog updated. Regards, aws jobs in hyderabad
