5. Access List Applications
Permit or deny packets moving through the router
Permit or deny telnet access to or from the router
Without access lists, all packets could be transmitted onto all parts of your network
[Figure: the two places an access list applies on a router: telnet access to the router itself (IP) and transmission of packets on an interface]
6. ACL Configuration Procedure
Define the trigger condition (which traffic the ACL is for)
Define the packet-matching rules
Bind the ACL to an interface or to a service
[Figure: a packet arrives on the incoming interface, the ACL process checks its source IP, destination IP and protocol and asks "permit?"; a permitted packet leaves on the outgoing interface]
8. [Figure: the fields an ACL can test. A frame consists of the Frame Header (e.g. HDLC), the Packet Header (IP Header), the Segment Header (TCP Header) and the Data. The ACL uses the source address, destination address and protocol from the IP header and the port number from the TCP header to check the data and decide Deny or Permit.]
ACL Types and Matching Conditions
Standard ACL
Uses only the source address as the filtering criterion
Can generally restrict only a whole protocol suite (e.g. all IP traffic from a source), not an individual application protocol
Extended ACL
Uses five elements to filter packets: source address, destination address, protocol, source port and destination port
Can restrict a specific protocol or application precisely
14. Outbound Access Lists
If no access list statement matches, the packet is discarded.
[Figure: outbound access list processing. Packets arrive on the inbound interface (S0). Routing table entry? N: discard the packet (packet discard bucket) and notify the sender. Y: choose the outbound interface (E0). Access list on that interface? N: send the packets out. Y: test the access list statements. Permit? Y: send the packets out of the outbound interface. N: discard the packet.]
16-19. A List of Tests: Deny or Permit Packets to Interface(s) in the Access Group
[Figure, built up over four slides: the packet is compared with the first rule. Match? Y: a deny sends it to the packet discard bucket, a permit sends it on to the interface(s)/destination. N: compare it with the next rule(s), and so on down to the last rule, each match ending in deny or permit. If no rule matches, the implicit deny at the end of the list discards the packet ("if no match, deny all").]
20. ACL Rule Conclusion
Q: How should the sequence of rules be arranged when configuring an ACL?
ACL matching is executed from top to bottom; the first statement that matches the packet determines the action (permit or deny) and no further statements are evaluated, so more specific rules must come before more general ones.
There is an implicit "deny all" rule at the end of every ACL.
An ACL can be applied in the inbound or outbound direction of a specific IP interface.
An ACL can be applied to a specific system service (e.g. the Telnet service on the device).
Create the ACL before applying it.
Only one ACL can be applied per protocol, per direction, per interface at one time.
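As an added, runnable illustration of the matching rules above (first match wins, implicit deny at the end, standard versus extended statements), here is a small Python simulator; it is not code from the slides. It parses a subset of the real IOS access-list syntax (numbered standard ACLs 1-99 and extended ACLs 100-199, numeric ports only) and adds a shadowed() check that flags statements an earlier, broader statement makes unreachable. The function names, the sample ACLs and the addresses in them are constructed for this example.

```python
"""Cisco IOS-style ACL evaluation: statements are tested top to bottom, the first
match decides permit or deny, and an unmatched packet hits the implicit deny.
Supported syntax (a subset of IOS numbered ACLs; addresses are 'any', 'host A.B.C.D'
or 'A.B.C.D WILDCARD'; ports are numeric):
  standard (1-99):    access-list N permit|deny SRC
  extended (100-199): access-list N permit|deny PROTO SRC DST [eq PORT]"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

MASK = 0xFFFFFFFF

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every IP protocol
    src: int
    src_wild: int         # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]  # None = any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _addr(tok: List[str]) -> Tuple[int, int, List[str]]:
    # Consume one address spec; return (network, wildcard, remaining tokens).
    if tok[0] == "any":
        return 0, MASK, tok[1:]
    if tok[0] == "host":
        return int(IPv4Address(tok[1])), 0, tok[2:]
    return int(IPv4Address(tok[0])), int(IPv4Address(tok[1])), tok[2:]

def parse_rule(line: str) -> Rule:
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line!r}")
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:  # standard ACL: source only, any destination, all IP
        src, sw, _ = _addr(tok[3:])
        return Rule(action, "ip", src, sw, 0, MASK, None)
    proto = tok[3]
    src, sw, rest = _addr(tok[4:])
    dst, dw, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Rule(action, proto, src, sw, dst, dw, dport)

def _addr_match(net: int, wild: int, addr: int) -> bool:
    care = MASK ^ wild  # the bits the statement actually compares
    return (addr & care) == (net & care)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (_addr_match(rule.src, rule.src_wild, int(IPv4Address(pkt.src)))
            and _addr_match(rule.dst, rule.dst_wild, int(IPv4Address(pkt.dst))))

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """(action, index of the matching statement); index None = implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i  # first match wins; later statements are skipped
    return "deny", None

def _covers(a_net: int, a_wild: int, b_net: int, b_wild: int) -> bool:
    # True if every address matched by (b_net, b_wild) is also matched by (a_net, a_wild).
    care_a = MASK ^ a_wild
    return (b_wild & care_a) == 0 and (a_net & care_a) == (b_net & care_a)

def shadowed(acl: List[Rule]) -> List[int]:
    """Indexes of statements that can never match because an earlier statement
    already matches everything they would: the classic rule-ordering mistake."""
    out = []
    for j, b in enumerate(acl):
        for a in acl[:j]:
            if ((a.proto == "ip" or a.proto == b.proto)
                    and (a.dport is None or a.dport == b.dport)
                    and _covers(a.src, a.src_wild, b.src, b.src_wild)
                    and _covers(a.dst, a.dst_wild, b.dst, b.dst_wild)):
                out.append(j)
                break
    return out

# Constructed sample ACLs (not from the slides); the addresses are illustrative.
GOOD_ORDER = [parse_rule(s) for s in (
    "access-list 10 deny host 192.168.1.5",        # specific statement first
    "access-list 10 permit 192.168.1.0 0.0.0.255")]
BAD_ORDER = [parse_rule(s) for s in (
    "access-list 20 permit 192.168.1.0 0.0.0.255",
    "access-list 20 deny host 192.168.1.5")]       # never reached
EXTENDED = [parse_rule(s) for s in (
    "access-list 101 deny tcp any host 10.0.0.5 eq 23",  # block telnet to one server
    "access-list 101 permit ip any any")]                # otherwise override the implicit deny

if __name__ == "__main__":
    telnet = Packet("tcp", "192.168.1.5", "10.0.0.5", 23)
    print(evaluate(GOOD_ORDER, telnet), evaluate(BAD_ORDER, telnet), shadowed(BAD_ORDER))
```

Run it directly to see the deny-first list block the host while the reversed list lets it through, with shadowed(BAD_ORDER) reporting index 1 as unreachable; a packet from a source matched by neither statement falls through to the implicit deny. Checking a real list this way before binding it to an interface catches the ordering mistakes the conclusion slide warns about.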
21. Where to apply ACL?
Standard ACL: near the destination (it filters on the source address only, so placing it near the source would cut that source off from every destination, not just the one to be protected)
Extended ACL: near the source (it identifies the exact traffic, so unwanted packets are dropped before they cross the network)
[Figure: example topology of routers A, B and D connected by serial interfaces (S0, S1), Ethernet interfaces (E0, E1) and a Token Ring interface (To0), with hosts PC_A and PC_B]
23. Questions
Where should a standard ACL be placed in the network?
Where should an extended ACL be placed?
What happens to a packet that matches no statement in the ACL?
How should the sequence of rules be arranged when configuring an ACL?
What happens to a packet that passes through an interface on which no ACL is applied?