Network designers use firewalls to protect networks from unauthorized use. Consider a lock on a door to a class inside a building. The lock allows only authorized users with a key or access card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network. On a Cisco router, you can configure a simple firewall that provides basic traffic filtering capabilities using ACLs. Administrators use ACLs to stop traffic or permit only specified traffic on their networks.
An ACL is a sequential list of permit or DENY statements this apply to addresses or Upper-layer protocols. ACLs provide a powerful-to-control traffic into and out of a network. ACLs can configured for all routed network protocols.
The most important reason to configure ACLs are to provide security for a network.
1. Purpose of ACLs
When configured, ACLs perform the following tasks:
- Limit network traffic to increase network performance. For example, if corporate policy does don't allow video traffic on the network, ACLs this block video traffic could be confi Gured and applied. This would greatly reduce the network load and increase network performance.
- provide traffic flow control. ACLs can restrict the delivery of routing updates. IF updates is not required because of the network conditions, bandwidth is preserved.
- provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can is restricted to authorized users.
- Filter traffic based on traffic type. For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
- Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.
ACLs is configured to apply to inbound traffic or to apply to outbound traffic as shown in the figure.
- Inbound ACLs -Incoming packets is processed before they is routed to the outbound interface. An inbound ACL was efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it's then processed for routing. Inbound ACLs was best used to filter packets when the network attached to a Inbound interface is the only source of the P Ackets needed to be examined.
- Outbound ACLs -Incoming packets is routed to the Outbound interface, and then they is processed through the OU Tbound ACL. Outbound ACLs is best used when the same filter would be applied to packets coming from multiple inbound interfaces before Exiting the same outbound interface.
2. Standard VS Extended IPv4 ACL
R1 (config) #access-list?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP Access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX Summary Address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code Access list
<2000-2699> IP Extended access list (expanded range)
<300-399> DECnet access List
<600-699> Appletalk access List
<700-799> 48-bit MAC Address access list
<800-899> IPX Standard Access list
<900-999> IPX Extended access list
Compiled Enable IP access-list compilation
dynamic-extended Extend The dynamic ACL Absolute timer
Rate-limit Simple Rate-limit specific access list
Here is some guidelines for using ACLs:
- Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
- Use ACLs on a router positioned between a parts of your network to control traffic entering or exiting a specific part O F your internal network.
- Configure ACLs on border routers, that's, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a mo Re sensitive area of your network.
- Configure ACLs for each network protocol configured on the border router interfaces.
Every ACL should be placed where it had the greatest impact on efficiency:
- Extended ACLs -Locate Extended ACLs as close as possible to the source of the traffic to be filtered. This, undesirable traffic are denied close to the source network without crossing the network infrastructure.
- Standard ACLs -Because standard ACLs does not specify destination addresses, place them as close to the Destinatio n as possible. Placing a standard ACL at the source of the traffic would effectively prevent that traffic from reaching any other networks Through the interface where the ACL is applied.
R1 (config) #access-list 1 Permit ip 192.168.10.0 0.0.0.255
ACL (Access Control List)
