Sunday, April 12, 2015

Cisco Numbered Standard Access Control List Configuration - How an ACL Works

This article demonstrates the numbered standard access control list (numbered standard ACL) and how an access list works.
An access control list is used to filter unwanted traffic. There are two types of ACL, numbered and named. Numbered access lists are either standard or extended, and named access lists are likewise either standard or extended. So there are four kinds of access list:
  1. Numbered standard access list
  2. Numbered extended access list
  3. Named standard access list
  4. Named extended access list

This article covers the numbered standard access list. Standard means the IOS router filters the packet based only on the source IP address; numbered means the access list is identified by a number and cannot be edited line by line.

Access Control List Rules
 1- Whether you use numbered (standard and extended) or named (standard and extended) access lists, the packet is always compared with each line of the access list in sequential order. If the packet's source IP address matches the first line (entry) of the ACL, the router does not check any other entries in the access list. If the source IP address does not match the first line, the router checks the second line, and so on. The packet is compared with the lines of the access list only until a match is made; once a line matches, no further comparisons take place.


2- There is an implicit deny at the end of each access list. This means that if a packet does not match the condition on any line of the access list, the packet is discarded.

3- The access list is applied to an interface in a specific direction, inbound or outbound. Inbound: the packets are processed through the ACL before being routed to the outbound interface. Outbound: the packets are routed to the outbound interface first, and then processed through the ACL.
4- Standard (numbered and named) access control lists filter network traffic by examining only the source IP address of a packet.
5- Numbered access lists (standard and extended) are not editable: you cannot insert a line between existing lines or at the top of the entries, and you cannot delete a specific line. So if you want to modify the access list (add a line or delete a specific line), you have to delete it and write it again. This is not flexible at all; to solve this problem, use a named access list.
6- A numbered standard access control list is identified by a number from the ranges 1-99 and 1300-1999.
7- Place standard access lists as close to the destination as possible. For example, if you want to prevent network 192.168.10.0/24 (source) from accessing network 192.168.30.0/24 (destination), the access list should be placed on the router that is directly connected to the destination network 192.168.30.0/24 (the router located in the middle), as you see in the diagram below.
8- Numbered standard access control lists use the following syntax:
R(config)# access-list <1-99 | 1300-1999> <permit|deny> <source address> <wildcard mask>

[Diagram (image not preserved): R2 in the middle with three networks attached; 192.168.10.0/24 on interface f0/1, 192.168.30.0/24 on interface f0/0, 192.168.50.0/24 on interface f1/0. Hosts 192.168.10.2 and 192.168.30.2 are used in the test below.]

Looking at the diagram above, we want to prevent network 192.168.10.0/24 from accessing network 192.168.30.0/24; everything else is permitted.

Configuration Steps:
1- Create an access list identified by a number from the range 1-99; I used number 5. The first command denies the packets coming from source network 192.168.10.0/24. The second line permits packets coming from any other source IP address. The second line is essential: if it is not written, all other packets are dropped because of the implicit deny any at the end of the access list.
R2(config)#access-list 5 deny 192.168.10.0 0.0.0.255

R2(config)#access-list 5 permit any

2- The access list must be applied to an interface in a specific direction: no action (permit or deny) is taken until the access list is applied to an interface in a specific direction.
You should know that this packet enters interface f0/1, as you see in the diagram. If you apply this ACL on the f0/1 interface of R2 in the inbound direction, the router, after checking the ACL (which denies network 192.168.10.0/24), will prevent the packet from being routed to either outbound interface, f0/0 or f1/0, based on the action in the first line of the ACL. So network 192.168.10.0/24 would lose access not only to network 192.168.30.0/24 but also to network 192.168.50.0/24. You should therefore be careful about where you apply the ACL and in which direction.
The solution is to apply the ACL on interface f0/0 in the outbound direction. The router then permits the packets to enter f0/1 and routes them to the outbound interfaces f0/0 and f1/0; after that, the packets are processed through the ACL on f0/0. In our example we apply the ACL on f0/0 to prevent network 192.168.10.0/24 from reaching network 192.168.30.0/24, but we do not apply it on f1/0 because we want to allow network 192.168.10.0/24 to access network 192.168.50.0/24.
Before writing the commands below, host 192.168.10.2 can reach 192.168.30.2.
R2(config)#int f0/0
R2(config-if)#ip access-group 5 out

After writing the above commands (applying the ACL on the interface), host 192.168.10.2 can no longer access 192.168.30.2.
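To make rules 1 to 3 and the placement problem of step 2 concrete, here is an added Python simulation; it is not part of the original post and is not Cisco code. It parses the two access-list lines of step 1 using the wildcard-mask semantics of the IOS syntax, evaluates a source address against them with first-match and implicit-deny behaviour, and models R2 with the three interfaces described in the text so that applying ACL 5 inbound on f0/1 can be compared with applying it outbound on f0/0. The route table (which network sits behind which interface) and the host addresses are assumptions taken from the post's description of the diagram.

```python
import ipaddress
from dataclasses import dataclass

# The two lines from the post's configuration step 1.
PAGE_ACL = [
    "access-list 5 deny 192.168.10.0 0.0.0.255",
    "access-list 5 permit any",
]

# Assumed topology of R2, reconstructed from the post's text (not the original diagram).
ROUTES = {
    "192.168.10.0/24": "f0/1",
    "192.168.30.0/24": "f0/0",
    "192.168.50.0/24": "f1/0",
}


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    network: int    # source address pattern as a 32-bit integer
    wildcard: int   # wildcard mask: 1 bits are "don't care", 0 bits must match


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <src> <wildcard>' lines (numbered standard ACL syntax)."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"unsupported line: {line!r}")
        number = int(parts[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard ACL number (1-99, 1300-1999)")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if parts[3] == "any":
            network, wildcard = 0, 0xFFFFFFFF
        else:
            network = int(ipaddress.IPv4Address(parts[3]))
            # A missing wildcard means 0.0.0.0, i.e. an exact host match.
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        acls.setdefault(number, []).append(AclEntry(action, network, wildcard))
    return acls


def matches(entry, src):
    # Only the bits where the wildcard is 0 are compared with the entry's network.
    care = ~entry.wildcard & 0xFFFFFFFF
    return ((src ^ entry.network) & care) == 0


def evaluate(entries, src_ip):
    """Rules 1 and 2: the first matching line wins; no match means the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for position, entry in enumerate(entries, start=1):
        if matches(entry, src):
            return entry.action, position
    return "deny", None


def interface_for(ip):
    addr = ipaddress.IPv4Address(ip)
    for net, iface in ROUTES.items():
        if addr in ipaddress.IPv4Network(net):
            return iface
    raise ValueError(f"no route for {ip}")


def forwards(acls, bindings, src_ip, dst_ip):
    """Rule 3: bindings maps (interface, 'in'|'out') to an ACL number, like 'ip access-group'.
    Returns True if R2 would forward the packet."""
    in_if, out_if = interface_for(src_ip), interface_for(dst_ip)
    # An inbound ACL is checked before routing, so a deny here blocks every destination.
    num = bindings.get((in_if, "in"))
    if num is not None and evaluate(acls[num], src_ip)[0] == "deny":
        return False
    # An outbound ACL is checked after routing, so only traffic leaving that interface is affected.
    num = bindings.get((out_if, "out"))
    if num is not None and evaluate(acls[num], src_ip)[0] == "deny":
        return False
    return True


if __name__ == "__main__":
    acls = parse_acl(PAGE_ACL)
    for bindings, label in [({("f0/1", "in"): 5}, "acl 5 in on f0/1"),
                            ({("f0/0", "out"): 5}, "acl 5 out on f0/0")]:
        for dst in ("192.168.30.2", "192.168.50.2"):
            verdict = "forwarded" if forwards(acls, bindings, "192.168.10.2", dst) else "dropped"
            print(f"{label}: 192.168.10.2 -> {dst}: {verdict}")
```

Running the script shows the difference the post describes: with ACL 5 inbound on f0/1, traffic from 192.168.10.2 is dropped toward both 192.168.30.2 and 192.168.50.2; with ACL 5 outbound on f0/0, only the packet toward 192.168.30.2 is dropped. Removing the `permit any` line from PAGE_ACL makes `evaluate` return the implicit deny for every other source, which is the trap rule 2 warns about.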

For more details and explanation, watch the video on YouTube.
