Network Bulls
www.networkbulls.com
7.1 Describe the purpose and types of ACLs

An access list is essentially a list of conditions that categorize packets. They can be really helpful when you need to exercise control over network traffic. An access list would be your tool of choice for decision making in these situations.
One of the most common and easiest to understand uses of access lists is filtering
unwanted packets when implementing security policies. For example, you can set them up
to make very specific decisions about regulating traffic patterns so that they’ll allow only
certain hosts to access web resources on the Internet while restricting others. With the right
combination of access lists, network managers arm themselves with the power to enforce
nearly any security policy they can invent.
Access lists can even be used in situations that don't necessarily involve blocking packets. For example, you can use them to control which networks will or won't be advertised by dynamic routing protocols. How you configure the access list is the same. The difference here is simply how you apply it: to a routing protocol instead of an interface. When you apply an access list in this way, it's called a distribute list, and it doesn't stop routing advertisements, it just controls their content. You can also use access lists to categorize packets for queuing or QoS-type services and for controlling which types of traffic can activate a pricey ISDN link.
Creating access lists is really a lot like programming a series of if-then statements: if a given condition is met, then a given action is taken. If the specific condition isn't met, nothing happens and the next statement is evaluated. Access-list statements are basically packet filters that packets are compared against, categorized by, and acted upon accordingly. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an access list causes the router to analyze every packet crossing that interface in the specified direction and take the appropriate action.
There are a few important rules that a packet follows when it's being compared with an access list:

It's always compared with each line of the access list in sequential order, that is, it'll always start with the first line of the access list, then go to line 2, then line 3, and so on.

It's compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.

There is an implicit "deny" at the end of each access list. This means that if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded.

Each of these rules has some powerful implications when filtering IP packets with access lists. Because only the first matching line counts, order matters: a broad permit placed above a narrower deny shadows that deny, and the shadowed line can never match. Because of the implicit deny, a list that contains only deny statements blocks all traffic, so every list needs at least one permit statement to pass anything. (One IOS quirk to remember: an access list that has been applied to an interface but contains no entries at all permits everything.) Creating effective access lists truly takes some practice.
There are two main types of access lists:

Standard access lists These use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don't distinguish among any of the many types of IP traffic such as web, Telnet, UDP, and so on.

Extended access lists Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number in the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.

Named access lists Hey, wait a minute, I said there were two types of access lists but listed three! Well, technically there really are only two, since named access lists are either standard or extended and not actually a new type. I'm just distinguishing them because they're created and referred to differently: a numbered list is identified by a number from the IOS ranges (1-99 and 1300-1999 for standard, 100-199 and 2000-2699 for extended), while a named list is identified by a name you choose, which makes its purpose self-documenting and lets you remove individual entries without rebuilding the whole list. Functionally they're the same.
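The following is an added example, not code from the book or from Cisco: a small Python model of the three matching rules above (sequential evaluation, first match wins, implicit deny) that reads the standard, extended and named list forms just described. The IOS command syntax it accepts is real, but the parser, the `Packet`/`Entry` types, the `evaluate` and `shadowed_lines` helpers and the sample configuration are all constructed for illustration; it handles only `any`, `host`, dotted wildcard masks and `eq PORT`. `shadowed_lines` is the ordering check a practitioner wants: it reports entries that an earlier, broader entry makes unreachable.

```python
# Toy evaluator for Cisco IOS-style IP access lists (added example, not Cisco code).
# Rules modelled: top-to-bottom evaluation, first match decides, implicit deny.
# Subset parsed: numbered standard/extended lists, named lists, any/host/wildcard, eq PORT.
import ipaddress
from dataclasses import dataclass

MASK, ANY = 0xFFFFFFFF, (0, 0xFFFFFFFF)   # ANY: base 0, wildcard all-ones
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53, "ftp": 21}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"                     # ip, tcp, udp or icmp
    dport: "int | None" = None

@dataclass(frozen=True)
class Entry:
    action: str                           # permit or deny
    proto: str                            # 'ip' matches every protocol
    src: tuple                            # (base, wildcard) as 32-bit ints
    dst: tuple                            # ANY for standard lists
    dport: "int | None"

def _addr_spec(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (spec, next i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return tuple(int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2]), i + 2

def _addr_match(spec, ip):
    """Wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    base, wild = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & MASK) == 0

def _parse_body(tokens, standard):
    """tokens start with permit/deny, after the list identifier."""
    if standard:                          # standard lists test the source address only
        return Entry(tokens[0], "ip", _addr_spec(tokens, 1)[0], ANY, None)
    src, i = _addr_spec(tokens, 2)
    dst, i = _addr_spec(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Entry(tokens[0], tokens[1], src, dst, dport)

def parse_acls(config):
    """Return {list number or name: [Entry, ...]} from IOS-style config text."""
    acls, current, standard = {}, None, False
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!" or "remark" in tokens[:3]:
            continue
        if tokens[0] == "access-list":
            num = int(tokens[1])
            standard = num <= 99 or 1300 <= num <= 1999        # IOS numbering ranges
            acls.setdefault(str(num), []).append(_parse_body(tokens[2:], standard))
        elif tokens[:2] == ["ip", "access-list"]:
            standard, current = tokens[2] == "standard", tokens[3]
            acls.setdefault(current, [])
        else:                                                   # entry inside a named list
            body = tokens[1:] if tokens[0].isdigit() else tokens  # skip sequence number
            acls[current].append(_parse_body(body, standard))
    return acls

def evaluate(entries, pkt):
    """Return (verdict, line number); the number is None for the implicit deny."""
    for n, e in enumerate(entries, start=1):                    # rule 1: top to bottom
        if (e.proto in ("ip", pkt.proto) and e.dport in (None, pkt.dport)
                and _addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            return e.action, n                                  # rule 2: first match wins
    return "deny", None                                         # rule 3: implicit deny

def _addr_covers(x, y):
    care = ~x[1] & MASK                   # the bits x actually tests
    return (y[1] & care) == 0 and ((x[0] ^ y[0]) & care) == 0

def _covers(a, b):
    """True when every packet that matches entry b also matches entry a."""
    return (a.proto in ("ip", b.proto) and a.dport in (None, b.dport)
            and _addr_covers(a.src, b.src) and _addr_covers(a.dst, b.dst))

def shadowed_lines(entries):
    """Line numbers that can never match because an earlier line covers them."""
    return [n for n, e in enumerate(entries, start=1)
            if any(_covers(p, e) for p in entries[:n - 1])]

SAMPLE_CONFIG = """\
! constructed sample configuration, not taken from a real device
access-list 10 deny host 192.168.10.5
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.1 eq 22
access-list 110 deny ip any any
ip access-list extended BAD-ORDER
 remark line 20 can never match: line 10 already permits that traffic
 10 permit tcp any any eq 443
 20 deny tcp host 192.168.10.5 any eq 443
"""
```

Running `parse_acls(SAMPLE_CONFIG)` and calling `evaluate` with a `Packet` shows the rules in action: the host in list 10 is denied on line 1 even though line 2 would permit its whole subnet, a Telnet packet falls through list 110 to the explicit `deny ip any any` on line 3, and a source outside both lists is dropped by the implicit deny with no line number. `shadowed_lines` flags line 2 of BAD-ORDER as unreachable.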
Exam Objectives

Understand the differences between standard and extended access lists. Standard access lists make decisions based on source IP address only. Extended access lists can look at source and destination information at layers 3 and 4, as well as protocol type information.

Know the rules for creating and applying access lists. Access lists are directional, meaning that you can apply only one access list per protocol, per direction (inbound or outbound), per interface. The implicit deny means that any packet not matching any line of an access list will be denied; it is as if every access list ends with a "deny any any" statement, so a list with no permit statements blocks everything.