Which of the following are required when creating a standard access control list?
Standard Access-List
Prerequisite – Access-lists (ACL)
Standard Access-list – Features –
Note – Standard access-lists are used less often than extended access-lists, because a standard list permits or denies the entire IP protocol suite for the matched traffic: it cannot distinguish between the different kinds of IP protocol traffic.

Configuration – Here is a small topology with 3 departments: sales, finance, and marketing. The sales department has the network 172.16.40.0/24, the finance department has 172.16.50.0/24, and the marketing department has 172.16.60.0/24. Now we want to deny connections from the sales department to the finance department and allow the others to reach that network.

First, configure a numbered standard access-list that denies any IP connection from the sales department to the finance department. Unlike an extended access-list, you cannot specify the particular IP traffic to be permitted or denied. Also note that a wildcard mask has been used (0.0.0.255, which corresponds to the subnet mask 255.255.255.0). The number 10 is taken from the standard access-list number range. As you already know, there is an implicit deny at the end of every access-list, which means that if the traffic does not match any rule of the access-list, the traffic will be dropped.

Now you have to apply the access-list to an interface of the router. As you remember, a standard access-list is generally applied close to the destination, and here applying the access-list close to the destination also satisfies our need; therefore it has been applied outbound on interface fa0/1.

Named standard access-list example – Now, considering the same topology, you will make a named standard access-list. With this command you have created an access-list named blockacl, and then the same configuration you did for the numbered access-list.

Standard access-list for Telnet example – Here, in the given figure, you want to deny telnet to the finance department from any network. Configuring for the same:
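As an added example (not code from the article above), the following Python simulator applies the standard access-list semantics just described to the sales/finance topology: wildcard-mask matching, top-down first match, and the implicit deny. The IOS lines it mirrors are standard Cisco syntax given in comments, and the host addresses are assumed for the demo.

```python
# Added example (not the article's own config): a simulator for Cisco-style standard ACLs
# using the wildcard-mask, first-match and implicit-deny semantics described above.
# Host addresses below are constructed for the demo; IOS equivalents are in comments.
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    network: str   # base address, e.g. "172.16.40.0"
    wildcard: str  # wildcard mask, e.g. "0.0.0.255"; "any" is 0.0.0.0 255.255.255.255

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_to_netmask(wildcard: str) -> str:
    """0.0.0.255 -> 255.255.255.0: a wildcard is the bitwise inverse of a netmask."""
    return str(ipaddress.IPv4Address(~_ip(wildcard) & 0xFFFFFFFF))

def matches(entry: Entry, src: str) -> bool:
    """Wildcard bit 1 = 'don't care', 0 = 'must match'. Standard ACLs look only at the source."""
    care = ~_ip(entry.wildcard) & 0xFFFFFFFF
    return (_ip(src) & care) == (_ip(entry.network) & care)

def evaluate(acl: List[Entry], src: str) -> str:
    """Top-down, first match wins; falling off the end hits the implicit deny."""
    for entry in acl:
        if matches(entry, src):
            return entry.action
    return "deny"  # the implicit deny at the end of every access list

# access-list 10 deny   172.16.40.0 0.0.0.255   <- sales may not reach finance
# access-list 10 permit any                     <- everyone else may
# interface fa0/1 ; ip access-group 10 out      <- applied outbound, close to finance
ACL_10 = [
    Entry("deny", "172.16.40.0", "0.0.0.255"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
]
# Two common mistakes, kept for comparison:
ACL_10_NO_PERMIT = ACL_10[:1]              # forgot "permit any": implicit deny drops everyone
ACL_10_REVERSED = list(reversed(ACL_10))   # "permit any" first: the deny line is never reached

def decisions(acl: List[Entry]) -> dict:
    """Verdict for one constructed host per department, as seen on fa0/1 outbound."""
    hosts = {"sales": "172.16.40.10", "marketing": "172.16.60.10"}
    return {name: evaluate(acl, ip) for name, ip in hosts.items()}

if __name__ == "__main__":
    print(decisions(ACL_10), decisions(ACL_10_NO_PERMIT), decisions(ACL_10_REVERSED))
```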
Understanding Access Control Lists
Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. ACLs can also provide traffic flow control, restrict the contents of routing updates, and decide which types of traffic are forwarded or blocked. Normally ACLs reside in a firewall router or in a router connecting two internal networks. You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4.
Features
ACL support features include Flow-based Mirroring and ACL Logging.
Using ACLs to mirror traffic is called flow-based mirroring because the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface.
Limitations
The following limitations apply to ACLs. These limitations are platform dependent.
MAC ACLs
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet (limited by platform):
L2 ACLs can apply to one or more interfaces. Multiple access lists can be applied to a single interface; the sequence number determines the order of execution. You can assign packets to queues using the assign queue option.
IP ACLs
IP ACLs classify for Layers 3 and 4. Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet:
1. Create a MAC ACL by specifying a name.
2. Create an IP ACL by specifying a number.
3. Add new rules to the ACL.
4. Configure the match criteria for the rules.
5. Apply the ACL to one or more interfaces.
Setting Up an IP ACL via CLI
The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the Sun Netra CP3240 switch if the source and destination stations have IP addresses that fall within the defined sets.
FIGURE 22-1 IP ACL Example Network Diagram
Example 1: Create ACL 179 and Define an ACL Rule
After the mask has been applied, it permits packets carrying TCP traffic that matches the specified source IP address, and sends these packets to the specified destination IP address.
Example 2: Define the Second Rule for ACL 179
Define the rule to set similar conditions for UDP traffic as for TCP traffic.
Example 3: Apply the Rule to Inbound Traffic on Port 1/0/2
Only traffic matching the criteria will be accepted.
Setting Up a MAC ACL via CLI
The following are examples of the commands used for the MAC ACLs feature.
Example 1: Set Up a MAC Access List
CODE EXAMPLE 22-1 Set Up a MAC Access List
Example 2: Specify MAC ACL Attributes
CODE EXAMPLE 22-2 Specify MAC ACL Attributes
Example 3: Configure MAC Access Group
CODE EXAMPLE 22-3 Configure MAC Access Group
Example 4: Set Up an ACL with Permit Action
CODE EXAMPLE 22-4 Set Up ACL with Permit Action
Example 5: Show MAC Access Lists
CODE EXAMPLE 22-5 Show MAC Access Lists
Setting Up ACLs via Web Interface
The following web pages are used in the ACL feature.
[Figures 22-2 through 22-16: MAC ACL configuration, summary and rule configuration pages; ACL interface configuration; IP ACL configuration, rule configuration, interface attachment and summary pages.]
© 2007 Diversified Technology, Inc. All Rights Reserved. © 2009 Sun Microsystems, Inc. All rights reserved.

What is an Access Control List?
Access Control Lists (ACLs) are network traffic filters that control incoming or outgoing traffic. An ACL works on a set of rules that define whether a packet is forwarded or blocked at the router's interface. An ACL behaves like a stateless firewall: it only restricts, blocks, or allows the packets flowing from source to destination, without tracking connection state. When you define an ACL on a routing device for a specific interface, all the traffic flowing through that interface is compared with the ACL statements, which either block it or allow it. The criteria for defining ACL rules can be the source, the destination, a specific protocol, or other information. ACLs are most common on routers and firewalls, but you can also configure them on any device that runs in the network: hosts, network devices, servers, etc.