What is an ACL in the OSI Network Layer?
It stands for Access Control List, and it is a packet filtering technique. The router processes an ACL in much the same way that it determines a route for an incoming packet. An ACL is a sequential list of permit or deny statements, and each statement is called an Access Control Entry (ACE).
What is packet filtering in terms of ACLs?
When network traffic passes through a router interface that is configured with an ACL, the router takes the packet's IP header information and compares it against each ACE, in sequential order, to determine whether the packet matches one of the ACEs. The first matching ACE decides whether the packet is permitted or denied. This process is called packet filtering.
Understanding the difference between inbound and outbound ACLs:
Inbound ACLs are best used to filter packets when the network attached to an inbound interface is the only source of packets that need to be examined. For example, a gateway router has an interface for a corporate private network, and the admin of that network wants to impose access control on the browsing activity of office employees. The admin can apply an inbound ACL on that interface of the gateway router to enforce this policy.
Outbound ACLs are best used when the same filter will be applied to packets coming from multiple inbound interfaces before they exit the same outbound interface. In other words, an outbound ACL is evaluated when network packets are about to leave an interface.
Classes of ACLs, seen from another perspective:
A. Standard ACLs: the characteristics of standard ACLs are:
- It examines only the source IP address of the network packet.
- Preferred placement is as close to the destination as possible: because only the source address is examined, an ACL placed near the source would also block that source's traffic to destinations that should remain reachable.
- Commands are entered in global configuration mode when configuring numbered ACLs, or in named ACL configuration mode for named ACLs. Example:

Command for numbered ACLs:
```
(config)# access-list <acl-number> [permit | deny] <source-IP-address> <wildcard-mask>
```
or command for named ACLs (note the prompt changes to the standard named-ACL configuration mode):
```
(config)# ip access-list standard <name>
(config-std-nacl)# [permit | deny] <source-IP-address> <wildcard-mask>
```
B. Extended ACLs: the characteristics of extended ACLs are:
- It can examine the source and destination IP addresses along with the layer-4 protocol (TCP/UDP) and port number.
- Preferred placement is as close to the source of the network packet as possible, so that traffic which will be denied is dropped before it consumes bandwidth across the network.
- Commands are entered in global configuration mode when configuring numbered ACLs, or in named ACL configuration mode for named ACLs. Numbered extended ACLs use the range 100-199 (or 2000-2699); the standard range 1-99 does not accept a protocol keyword. Example:
```
(config)# access-list 100 remark ACE permits ONLY host 192.168.10.10 to the internet
(config)# access-list 100 permit <layer-4-protocol> <source-IP-address> <wildcard-mask> <destination-IP> <wildcard-mask> eq www
```
or
```
(config)# ip access-list extended <name>
(config-ext-nacl)# permit <layer-4-protocol> <source-IP-address> <wildcard-mask> <destination-IP> <wildcard-mask>
```
Special note for numbered and named ACLs:
How do you find the number ranges for standard and extended ACLs?
```
(config)# access-list ?
```
This shows the number ranges for standard and extended access lists. Named ACLs are nevertheless the preferred method. For example:
```
(config)# ip access-list extended FTP-FILTER
```
This creates an ACL named "FTP-FILTER". Using capital letters when naming an ACL is best practice.
Now bind the created ACL (numbered or named) to a router interface:
```
(config-if)# ip access-group [access-list-number | access-list-name] [in | out]
```
access-group is the keyword, and [in | out] is required to select inbound or outbound filtering respectively.
Suppose an ACL was created with a mistake; how do you remove that ACL?
```
(config)# no access-list <access-list-number>
(config)# no ip access-list [standard | extended] <access-list-name>
```
Now verify whether the configuration succeeded. Verification commands:
```
# show ip interface <interface-name>
# show access-lists
```
show ip interface shows which access lists are applied to the interface and in which direction; show access-lists displays each ACL with its ACEs.
ACL statistics:
By default, a match counter is shown for every ACE when # show access-lists is entered. To reset the counters, use the following privileged mode command:
```
# clear access-list counters <ACL-name-or-number>
```
How can you secure the vty lines using ACLs?
This is an important concept about ACLs. To secure the vty (virtual teletype) lines, a network engineer can apply an ACL to the vty lines with the access-class command, which is entered in line configuration mode:
```
(config-line)# access-class <access-list-number or name> <in | out>
```
Example:
```
R1(config)# username ADMIN secret class
R1(config)# ip access-list standard ADMIN-HOST
R1(config-std-nacl)# remark This ACL secures incoming vty lines
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# deny any
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class ADMIN-HOST in
R1(config-line)# end
```
Let's summarise the most important and useful ACL commands. Suppose we are configuring numbered ACL 10 or the named ACL HTTP-FILTER:
```
(config)# access-list 10 permit 192.168.0.1 0.0.0.0
(config)# ip access-list standard HTTP-FILTER
(config-std-nacl)# remark HTTP filter for hosts
(config-std-nacl)# permit 192.168.0.1 0.0.0.0
(config-if)# ip access-group HTTP-FILTER in
(config-line)# access-class ADMIN-HOST in
```
The last ACE of every ACL is an implicit deny that blocks all traffic not matched by an earlier ACE. This statement is automatically implied at the end of the ACL even though it is hidden and not displayed in the configuration. An ACL that contains only deny statements therefore blocks everything, so every ACL needs at least one permit statement.
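As an added illustration that is not part of the original post, the following Python script models what the router does when an ACL is applied: the wildcard-mask comparison, sequential first-match evaluation of the ACEs, the per-ACE counters that show access-lists displays (and clear access-list counters resets), and the implicit deny at the end of every ACL. The ACLs and packets are constructed to mirror the examples in this post (extended ACL 100, the ADMIN-HOST vty filter, and a /24 permitted by wildcard mask); the class and function names are my own and not Cisco's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the mask means 'must match',
    a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w            # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class ACE:
    """One access control entry. proto 'ip' matches any protocol, which is
    how a standard ACL (source address only) is represented here."""
    action: str                          # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"              # 0.0.0.0 = exact host, like 'host x'
    proto: str = "ip"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"      # 255.255.255.255 = 'any'
    dport: Optional[int] = None          # None = any destination port
    hits: int = 0                        # counter shown by 'show access-lists'


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def filter_packet(acl: List[ACE], pkt: Packet) -> str:
    """Sequential first-match evaluation. Falling off the end of the list is
    the implicit 'deny any' that IOS never shows in the configuration."""
    for ace in acl:
        if ace_matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny"


def clear_counters(acl: List[ACE]) -> None:
    """Model of 'clear access-list counters'."""
    for ace in acl:
        ace.hits = 0


def demo() -> dict:
    # Constructed ACLs mirroring the post's examples (hypothetical addresses).
    # Extended ACL 100: permit tcp host 192.168.10.10 any eq www
    acl_100 = [ACE("permit", "192.168.10.10", "0.0.0.0", proto="tcp", dport=80)]
    # Standard ACL ADMIN-HOST: permit 192.168.10.10 / deny any (used by access-class)
    admin_host = [ACE("permit", "192.168.10.10"),
                  ACE("deny", "0.0.0.0", "255.255.255.255")]
    # Standard ACL permitting a whole /24 with wildcard mask 0.0.0.255
    lan = [ACE("permit", "192.168.10.0", "0.0.0.255")]

    results = {
        "web_from_admin": filter_packet(acl_100, Packet("192.168.10.10", "203.0.113.5", "tcp", 80)),
        "dns_from_admin": filter_packet(acl_100, Packet("192.168.10.10", "203.0.113.5", "udp", 53)),
        "web_from_other": filter_packet(acl_100, Packet("192.168.10.11", "203.0.113.5", "tcp", 80)),
        "ssh_admin": filter_packet(admin_host, Packet("192.168.10.10", "192.168.10.1", "tcp", 22)),
        "ssh_other": filter_packet(admin_host, Packet("10.0.0.7", "192.168.10.1", "tcp", 22)),
        "lan_host": filter_packet(lan, Packet("192.168.10.200", "203.0.113.9")),
        "other_subnet": filter_packet(lan, Packet("192.168.11.200", "203.0.113.9")),
        "acl_100_hits": acl_100[0].hits,
        "admin_deny_hits": admin_host[1].hits,
    }
    clear_counters(acl_100)
    results["acl_100_hits_after_clear"] = acl_100[0].hits
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Note that the DNS packet from the permitted host is denied even though the host itself is "trusted": ACL 100 permits only TCP to port 80, and everything else falls through to the implicit deny. That is exactly the behaviour the summary above describes, and it is why an extended ACL needs an explicit permit for every protocol and port the policy is meant to allow.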