Access Control List

• It provides Layer 3 security which controls the flow of

traffic from one network to another.

• Filters Packets (Packet Filtering Firewall)

Types of ACL

ACL

Name

Standard Extended Standard Extended

Numbered

ACL - Network Diagram

E0 192.168.1.1/24

LAN - 192.168.1.0/24

E0 192.168.2.1/24

LAN - 192.168.2.0/24

E0 192.168.3.1/24

LAN - 192.168.3.0/24

10.0.0.1/8S0

S110.0.0.2/8

11.0.0.1/8S0

S111.0.0.2/8

192.168.1.0 should not communicate with 192.168.2.0 network192.168.1.0 should not communicate with 192.168.2.0 network

1.2 1.3 1.4 2.2 2.3 2.4 3.2 3.3 3.4

HYD CHE BAN

• Standard ACL

• Extended ACL

• Named ACL

Types of Access-list

Standard Access List

• The access-list number range is 1 – 99

• Can block a Network, Host and Subnet

• Two way communication is stopped

• All services are blocked.

• Implemented closest to the destination. (Guideline)

• Checks the source IP address.

Extended Access List

• The access-list number range is 100 – 199

• Can block a Network, Host, Subnet and Service

• One way communication is stopped

• Selected services can be blocked.

• Checks source, destination IP address & port number.

• Implemented closest to the source. (Guideline).

• Deny : Blocking a Network/Host/Subnet/Service

• Permit : Allowing a Network/Host/Subnet/Service

• Source Address : The address of the PC from where

the request starts. Show Diagram

• Destination address : The address of the PC where the

request ends.

• Inbound : Traffic coming into the interface

• Outbound : Traffic going out of the interface

Terminology

• Protocols : IP

- TCP

- UDP

- ICMP

• Operators : eq (equal to)

neq (not equal to)

lt (less than)

gt (greater than)

• Services : HTTP, FTP, TELNET, DNS, DHCP etc..

Terminology

• Tells the router which addressing bits must

match in the address of the ACL statement.

• It’s the inverse of the subnet mask, hence is also

called as Inverse mask.

• A bit value of 0 indicates MUST MATCH (Check Bits)

• A bit value of 1 indicates IGNORE (Ignore Bits)

• Wild Card Mask for a Host will be always 0.0.0.0

Wild Card Mask

• A wild card mask can be calculated using

the formula :

Global Subnet Mask – Customized Subnet Mask

-------------------------------Wild Card Mask

E.g.255.255.255.255

– 255.255.255.240 ---------------------

0. 0. 0. 15

Wild Card Mask

ACL - Network Diagram

E0 192.168.1.1/24

LAN - 192.168.1.0/24

E0 192.168.2.1/24

LAN - 192.168.2.0/24

E0 192.168.3.1/24

LAN - 192.168.3.0/24

10.0.0.1/8S0

S110.0.0.2/8

11.0.0.1/8S0

S111.0.0.2/8

1.1 1.2 1.3 2.1 2.2 2.3 3.1 3.2 3.3

192.168.1.0 should not communicate with 192.168.2.0 network192.168.1.0 should not communicate with 192.168.2.0 network

HYD CHE BAN