ACLs control and manage network traffic by allowing or denying packet access based on conditions. Standard ACLs are used to filter traffic by source IP address only, while extended ACLs filter by source/destination IP address, protocols, and ports. ACLs are created with permit or deny statements and applied to interfaces using access lists or to virtual terminal lines using access classes to restrict access. Wildcard masks are used to filter groups of IP addresses in an access list.

1. ACCESS CONTROL LISTS TS, PHẠM VĂN TÍNH PART13

2. Objective Describe the differences between standard and extended ACLs Explain the rules for placement of ACLs Create and apply named ACLs Describe the function of firewalls Use ACLs to restrict virtual terminal access

3. ACCESS CONTROL LIST FUNDAMENTALS

4. What are ACLs ACL tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network

5. What are ACLs The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL

6. What are ACLs ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX). ACLs must be defined on a per-protocol, per direction, or per port basis

7. the Primary Reasons to Create ACLs Limit network traffic and increase network performance. For example By restricting video traffic … Provide traffic flow control . ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved. Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.

8. the Primary Reasons to Create ACLs Decide which types of traffic are forwarded or blocked at the router interfaces. For Examples: Permit e-mail traffic to be routed, but block all telnet traffic. Allow an administrator to control what areas a client can access on a network. Screen certain hosts to either allow or deny access to part of a network . Grant or deny user permission to access only certain types of files, such as FTP or HTTP

9. How ACLs work

10. Creating ACLs

11. Creating ACLs Step 1 : Create ACL Router(config)# access-list acl_num { permit | deny } { test_conditions } Step 2 : Apply ACL to an Interface Router(config- if )#{ protocol } access-group acl_num { in|out } Step 3 : Delete a ACL Router(config)# no access-list acl_num

12. These basic rules One access list per protocol per direction. Standard access lists should be applied closest to the destination. Extended access lists should be applied closest to the source. Use the inbound or outbound interface reference as if looking at the port from inside the router. Statements are processed sequentially from the top of list to the bottom until a match is found, if no match is found then the packet is denied.

13. These basic rules There is an implicit deny at the end of all access lists. This will not appear in the configuration listing. The match condition is examined first. The permit or deny is examined ONLY if the match is true. Never work with an access list that is actively applied. Use a text editor to create comments outlining the logic, then, fill in the statements that perform the logic. New lines are always added to the end of the access list. A no access-list x command will remove the whole list.

14. These basic rules An IP access list will send an ICMP host unreachable message to the sender of the rejected packet and will discard the packet in the bit bucket. Care should be used when removing an access list. If the access list is applied to a production interface and the access list is removed, depending on the version of the IOS, there may be a default deny any applied to the interface, and all traffic will be halted. Outbound filters do not affect traffic originating from the local router.

15. wildcard mask Wildcard masks are designed to filter individual or groups of IP addresses permitting or denying access to resources based on the address. A wildcard mask is a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits. Wildcard masks have no functional relationship with subnet masks.

16. Verifying ACLs show ip interface show access-lists show running-config

17. Type of ACLs

18. Placing ACLs

19. Restricting virtual terminal access Only numbered access lists can be applied to virtual lines. Only standard access lists can be applied to virtual lines. to create the vty access list is the same as described for an interface. applying the ACL to a terminal line requires the access-class command instead of the access-group command

20. Creating & Applying VTAL

21. Summary ACLs perform several functions within a router, including implementing security/access procedures. ACLs are used to control and manage traffic. For some protocols, two ACLs can be applied to an interface: one inbound ACL and one outbound ACL. With ACLs, after a packet is matched to an ACL statement, it can be denied or permitted access to the router. Wildcard mask bits use the number one (1) and the number zero (0) to identify how to treat the corresponding IP address bits.

22. Summary Access list creation and application is verified through the use of various IOS show commands. The two main types of ACLs are standard and extended. Named ACLs allow for the use of a name to identify the access list instead of a number. ACLs can be configured for all routed network protocols. ACLs are placed where they allow the most efficient control. ACLs are typically used in firewall routers. Access lists can also restrict virtual terminal access to the router.