CCNA Day 15
The router searches the ACL from the top and stops at the first matching statement; that statement decides the action (permit or deny).
If you configure an ACL but never apply it to an interface, the ACL does nothing.
Functionality: flow control, basic security, performance management, and traffic matching for other features (NAT {PAT/dynamic NAT}, ZBFW, VPN tunnel {S2S}, QoS, inspection, AAA)
----------------------------------------------- How ACL works -----------------------------------------------
Topology:
                      ------------------PC4
                      |
                      ------------------PC3
PC5-------------------|
 |                    |
PC1--------------f0/0--router--f0/2-------------------------PC2
                      |
                      -------------------Webserver
PC1: 192.168.1.1/24
PC2: 192.168.2.1/24
PC3: 192.168.2.2/24
PC4: 192.168.4.1/24
PC5: 192.168.5.1/24
Webserver: 8.8.8.8
interface f0/0
 ip access-group test in
interface f0/2
 ip access-group test out

ICMP flow 1 (permitted by the ACL):
 SRC: 192.168.1.1 (PC1)
 DST: 192.168.4.1 (PC4)
ICMP flow 2:
 SRC: 192.168.5.1 (PC5)
 DST: 192.168.4.1 (PC4)
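An added example (not part of the original notes) that models how the router evaluates the ACL "test" above: top-down search, first match decides, implicit deny at the end, wildcard-mask matching, and a configured-but-unapplied ACL filtering nothing. The notes never list the entries of "test", so the three entries below are constructed for illustration; the two ICMP flows and the interface bindings are the ones from the notes.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": network 0.0.0.0, wildcard 255.255.255.255

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care' (inverse of a subnet mask)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"           # "ip" matches every protocol; standard ACLs only ever use this
    dst: str = ANY[0]           # standard ACLs never look at the destination,
    dst_wc: str = ANY[1]        # so it defaults to "any"

def evaluate(acl, pkt):
    """Top-down search: the first matching entry decides; no match means the implicit deny."""
    for seq, e in acl:
        if (e.proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], e.src, e.src_wc)
                and wildcard_match(pkt["dst"], e.dst, e.dst_wc)):
            return e.action, seq
    return "deny", None

def filter_on_interface(bindings, ifname, direction, pkt):
    """Run the ACL bound to <ifname> <direction>, if any; a configured but unbound ACL filters nothing."""
    acl = bindings.get(ifname, {}).get(direction)
    if acl is None:
        return "permit", None   # nothing applied here with ip access-group: traffic passes
    return evaluate(acl, pkt)

# Constructed entries for the ACL "test" (the notes apply it but do not list its contents).
TEST_ACL = [
    (10, Entry("permit", "192.168.1.0", "0.0.0.255", "icmp", "192.168.4.0", "0.0.0.255")),
    (20, Entry("deny",   "192.168.5.0", "0.0.0.255", "icmp")),   # destination defaults to any
    (30, Entry("permit", *ANY, "tcp")),
]
BOUND = {"f0/0": {"in": TEST_ACL}, "f0/2": {"out": TEST_ACL}}   # bindings as in the notes
UNBOUND = {}                                                    # same ACL, never applied
FLOW1 = {"proto": "icmp", "src": "192.168.1.1", "dst": "192.168.4.1"}   # PC1 -> PC4
FLOW2 = {"proto": "icmp", "src": "192.168.5.1", "dst": "192.168.4.1"}   # PC5 -> PC4

if __name__ == "__main__":
    for flow in (FLOW1, FLOW2):
        print(flow["src"], "->", flow["dst"], evaluate(TEST_ACL, flow))
    print("unbound f0/0 in:", filter_on_interface(UNBOUND, "f0/0", "in", FLOW2))
```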
--------------------------------------------- Types of the ACL ---------------------------------------------
Numbered ACL:------------
1 to 99 and 1300 to 1999: Standard IP ACL
100 to 199 and 2000 to 2699: Extended IP ACL
Standard ACL:------------
Allows or denies traffic based on the source IP address only (it does not consider the destination IP address, the ports, or the protocol).
Extended ACL:------------
Allows or denies traffic based on source/destination (IP address or ports) and protocol type (TCP, UDP, IP, OSPF, ICMP, etc.).
Where is the best place to apply an extended ACL? (best practice)
------------------------------------- Configuration ACL -------------------------------------
Standard -----------------------------------
Numbered:
1. Configure the ACL entries
2. Apply the ACL:
   interface <type>
    ip access-group <name/number> <in|out>        (IPv4)
   line vty 0 15
    access-class <number/name> <in|out>           (IPv4)
    ipv6 access-class <name> <in|out>             (IPv6)
Named:
ip access-list standard <number/name>
 <1-2147483647> <permit|deny|remark> <source address | host <address> | any> <wildcard>
Extended --------------------------------------
Numbered:
1. Configure the ACL entries
2. Apply the ACL:
   interface <type>
    ip access-group <name/number> <in|out>        (IPv4)
   line vty 0 15
    access-class <number/name> <in|out>           (IPv4)
    ipv6 access-class <name> <in|out>             (IPv6)
Named:
Other types -------------------------------------------------------------------
Dynamic ACL: Users must first authenticate through a Telnet connection to the router before their traffic is allowed through the device (requires authentication).
Time-based ACL: Allows access control based on the time of day and the day of the week (access is controlled only during specific time windows).