CCNA Class 18: ACL Concept and Configuration

Access Control List Concept & Its Configuration

An Access Control List (ACL) in networking is an ordered set of rules used to control and filter traffic. Each rule permits or denies traffic that matches criteria such as source and destination IP address, protocol, or port. A packet is compared against the list from top to bottom, the first matching rule decides, and a packet that matches no rule is dropped by the implicit deny that ends every ACL. ACLs are used to enforce network security policy, manage bandwidth, and control access to network resources.

Types of ACLs

There are two types of Access Control Lists (ACLs) in networking:

  1. A Standard ACL is the simplest type of ACL. It filters solely on the source IP address and ignores the destination address, protocol, and port numbers. Because it cannot tell destinations apart, a standard ACL is applied as close to the destination as possible; placed near the source it would cut the host off from every destination rather than only the one being protected.

  2. An Extended ACL filters on multiple criteria: source and destination IP addresses, protocol (IP, TCP, UDP, ICMP), port numbers, and other header fields. It gives granular control, is used for more complex security and traffic-management policies, and is applied as close to the source as possible so that denied traffic is dropped before it consumes bandwidth along the path.


Key Features of Standard ACLs:

  1. Source-Based Filtering:

    1. Matches traffic based on the source IP address only.

    2. No consideration for destination IP, protocol type, or port numbers.

  2. Numbered ACLs: Assigned numbers in the range 1–99 (or 1300–1999 for expanded ranges).


Key Features of Extended ACLs:

  1. Multiple Criteria Filtering:

    1. Source IP address.

    2. Destination IP address.

    3. Protocol type (e.g., TCP, UDP, ICMP).

    4. Source and destination port numbers.

    5. Other fields, such as precedence or time-to-live (TTL).

  2. Granular Control:

    1. Enables highly specific traffic filtering.

    2. Suitable for complex policies, such as allowing web traffic but blocking file-sharing services.

  3. Numbered and Named ACLs:

    1. Assigned numbers in the range 100–199 (or 2000–2699 for expanded ranges). Can also be configured as named ACLs for better readability and management.


Basic Configuration of Standard ACL

Step 01: Initial IP Configuration of Devices

Step 02: Configure the routing protocol (OSPF in this lab) so that every network is reachable, and verify end-to-end connectivity before applying any ACL; otherwise a routing problem cannot be told apart from a filter.

Step 03: Configuring the Standard ACL (at DST Router)

  1. Deny access from PC3 only. The list filters on source address, so it is applied on the destination router, outbound on the interface that faces the server:

    1. DST_R(config)#access-list 1 deny 171.171.30.10 0.0.0.0

    2. DST_R(config)#access-list 1 permit 0.0.0.0 255.255.255.255

    3. DST_R(config)#int gi0/0

    4. DST_R(config-if)#ip access-group 1 out

    The wildcard 0.0.0.0 matches exactly one host (the same as the keyword host), and 0.0.0.0 255.255.255.255 matches every address (the same as any). The permit line is mandatory: without it the implicit deny at the end of the list would drop all other traffic leaving gi0/0 as well.

  2. Test from PC3 to the Server PC: the ping should fail, while a ping from any other PC should still succeed. The match counters in show access-lists 1 confirm which entry the traffic hit.




Part 03: Configuring the Extended ACL (At Source Router)

An extended ACL can match on both source and destination, so it is applied on the source router, inbound on the interface where the traffic enters, and the denied traffic never crosses the network:

SRC_R(config)#access-list 100 deny ip host 171.171.10.10 host 10.200.200.10

SRC_R(config)#access-list 100 permit ip any any 

SRC_R(config)#int gi0/0

SRC_R(config-if)#ip access-group 100 in

Here host is shorthand for a 0.0.0.0 wildcard. Only traffic from 171.171.10.10 to 10.200.200.10 is blocked; the permit ip any any keeps every other flow, including 171.171.10.10 to other destinations, from falling into the implicit deny.



How to Configure Extended ACL in Cisco



Step-01: Basic Configuration

SCR_R(config)#interface gigabitEthernet 0/0
SCR_R(config-if)#no shutdown
SCR_R(config-if)#ip address 172.31.0.1 255.255.255.0
SCR_R(config-if)#int se0/0/0
SCR_R(config-if)#no shutdown
SCR_R(config-if)#ip address 20.21.22.1 255.255.255.252

DST_R(config)#interface gigabitEthernet 0/0
DST_R(config-if)#no shutdown
DST_R(config-if)#ip address 8.0.0.1 255.0.0.0
DST_R(config-if)#int se0/0/0
DST_R(config-if)#no shutdown
DST_R(config-if)#ip address 20.21.22.2 255.255.255.252

Step-02: Routing Protocol Configuration

SCR_R(config)#router rip
SCR_R(config-router)#version 2
SCR_R(config-router)#no auto-summary
SCR_R(config-router)#network 172.31.0.0
SCR_R(config-router)#network 20.21.22.0

DST_R(config)#router rip
DST_R(config-router)#version 2
DST_R(config-router)#no auto-summary
DST_R(config-router)#network 20.21.22.0
DST_R(config-router)#network 8.0.0.0

Step-03: Configure Extended ACL (At the Source Router)

SCR_R(config)#ip access-list extended 101
SCR_R(config-ext-nacl)#remark Extended ACL Configuration at the Source Router
SCR_R(config-ext-nacl)#permit tcp 172.31.0.10 0.0.0.0 8.8.8.8 0.0.0.0 eq 80
SCR_R(config-ext-nacl)#permit icmp 172.31.0.10 0.0.0.0 8.8.4.4 0.0.0.0 echo
SCR_R(config-ext-nacl)#permit tcp host 172.31.0.20 8.8.4.4 0.0.0.0 eq www
SCR_R(config-ext-nacl)#permit icmp host 172.31.0.20 host 8.8.8.8 echo
SCR_R(config-ext-nacl)#deny tcp host 172.31.0.30 any eq www
SCR_R(config-ext-nacl)#permit icmp host 172.31.0.30 any
SCR_R(config)#interface gigabitEthernet 0/0
SCR_R(config-if)#ip access-group 101 in

Note what this list does once the implicit deny is taken into account: only the five permitted flows may enter gi0/0, and everything else from the 172.31.0.0/24 LAN is dropped, including DNS lookups and all traffic from hosts other than .10, .20 and .30. The explicit deny for 172.31.0.30 is redundant with the implicit deny, but it records hits in show access-lists, which makes the intended policy visible when troubleshooting. Return traffic is unaffected because the ACL is applied inbound only.
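The following Python script is an added illustration, not part of the original lesson and not Cisco code. It reproduces the forwarding decision a router makes for the standard ACL 1 configured in Step 03 above and for the extended ACL 101 configured here: Cisco wildcard-mask matching, top-to-bottom first-match evaluation, and the implicit deny at the end of the list. The ACL entries are copied from this page as constructed sample input; the PORT_NAMES table is an assumed subset of the port keywords IOS accepts, and the parser only covers the syntax used on this page.

```python
"""ACL evaluator: Cisco wildcard masks, first-match order and the implicit deny.
Added example, not code from the original lesson. The ACL entries at the bottom are
copied from this page as constructed sample input; PORT_NAMES is an assumed subset of
the keywords IOS accepts, and the parser covers only the syntax used on this page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword 'any' expands to


def match_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match.
    It is the inverse of a subnet mask: 0.0.0.0 is one host, 255.255.255.255 is any."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' or a bare address (standard-ACL
    shorthand for one host) from the token list; return (base, wildcard, remaining)."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]


@dataclass
class Entry:
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'ip' matches every protocol; else 'tcp', 'udp', 'icmp'
    src: Tuple[str, str]             # (base, wildcard)
    dst: Tuple[str, str]             # always ANY for a standard ACL
    dport: Optional[int] = None      # 'eq <port>' after the destination
    icmp_type: Optional[str] = None  # e.g. 'echo'


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one ACE written either as 'access-list N ...' or in named sub-mode.
    Blank lines, remarks and the 'ip access-list ...' header return None."""
    t = line.split()
    if not t or t[0] == "ip":
        return None
    standard = False
    if t[0] == "access-list":  # numbered syntax: the number tells us the ACL type
        number, t = int(t[1]), t[2:]
        standard = number <= 99 or 1300 <= number <= 1999
    action, t = t[0], t[1:]
    if action == "remark":
        return None
    if standard:  # a standard ACL looks at the source address only
        return Entry(action, "ip", parse_addr(t)[:2], ANY)
    proto, t = t[0], t[1:]
    src_base, src_wc, t = parse_addr(t)
    dst_base, dst_wc, t = parse_addr(t)
    dport = icmp_type = None
    if t and t[0] == "eq":
        dport = PORT_NAMES.get(t[1]) or int(t[1])
    elif t and proto == "icmp":
        icmp_type = t[0]
    return Entry(action, proto, (src_base, src_wc), (dst_base, dst_wc), dport, icmp_type)


def build(lines: List[str]) -> List[Entry]:
    return [e for e in map(parse_entry, lines) if e is not None]


def evaluate(acl: List[Entry], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None, icmp_type: Optional[str] = None) -> str:
    """Walk the list top to bottom; the first matching entry decides. A packet that
    matches nothing hits the implicit 'deny any' IOS appends to every ACL."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (match_wildcard(src, *e.src) and match_wildcard(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action
    return "deny"


# Constructed sample input: the two ACLs configured on this page.
STANDARD_ACL_1 = build([
    "access-list 1 deny 171.171.30.10 0.0.0.0",
    "access-list 1 permit 0.0.0.0 255.255.255.255",
])
EXTENDED_ACL_101 = build([
    "ip access-list extended 101",
    "remark Extended ACL Configuration at the Source Router",
    "permit tcp 172.31.0.10 0.0.0.0 8.8.8.8 0.0.0.0 eq 80",
    "permit icmp 172.31.0.10 0.0.0.0 8.8.4.4 0.0.0.0 echo",
    "permit tcp host 172.31.0.20 8.8.4.4 0.0.0.0 eq www",
    "permit icmp host 172.31.0.20 host 8.8.8.8 echo",
    "deny tcp host 172.31.0.30 any eq www",
    "permit icmp host 172.31.0.30 any",
])

if __name__ == "__main__":
    print("PC3 -> server:", evaluate(STANDARD_ACL_1, "171.171.30.10", "10.200.200.10"))
    print(".10 -> 8.8.8.8 tcp/443:", evaluate(EXTENDED_ACL_101, "172.31.0.10", "8.8.8.8", "tcp", 443))
```

Two things worth trying with it: swap the order of the two standard-ACL lines and PC3 is no longer blocked, because permit any now matches first and shadows the deny; and ask it about a flow the page never mentions, such as 172.31.0.10 to 8.8.8.8 on TCP 443, which the extended list silently drops even though no deny names it.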


