Access Control Lists

We learned about ACLs in the CCENT course, but there we only tried to understand the standard ACL, which filters traffic using the source IP address.

An ACL is basically a filtering mechanism that turns a router into a small firewall: it inspects the traffic and filters it.

Extended ACLs are the ones we are going to discuss here. They are very powerful because they can filter on the basis of IPs, ports, protocols, and more.

The important thing in an ACL is the interface direction, either outbound or inbound. The question here is: does it matter whether we assign it inbound or outbound?

The answer is yes, it does. Outbound takes more processing, because the router opens the packet, picks the destination, sends the packet to the suitable interface and performs the CRC, and only then is the packet filtered; if the packet needs to be dropped at that point, all the work the router did was wasted.
An inbound ACL checks the packet before the router operates on it, and if the packet needs to be dropped it never enters the router's operations, so it takes less processing. This is why inbound filtering is recommended over outbound.

[Figure image002: lab topology]

In the above case, if we are to filter the traffic from R1 to R4, then the inbound and outbound interfaces will be as shown.

Standard ACL

There are two things involved when we create a completely new ACL: a list and an entry. When we create a filter we create an ACL and an ACE (access-control entry). The list determines the type of ACL (standard or extended) and the entry defines the filter.
Note that when you add another rule to an existing ACL, you only create an ACE.

We created the ACL to deny the traffic from host 192.168.1.1 and from the entire network 192.168.0.0/24.

[Figure image004: ACL configuration]

[Figure image006: ACL configuration]

We have created two ACEs in an ACL, and both entries deny traffic, but in the background there is another deny rule in the ACL, the so-called implicit deny. This rule resides at the end of the list and denies all traffic. So if we leave this ACL as it is, it will deny all traffic: the two explicit entries drop 192.168.1.1 and 192.168.0.0/24, and the implicit deny drops everything else.
We need to create a rule to allow some of the traffic.

[Figure image008: permit entry added to the ACL]

Now we have a good ACL that allows some traffic and denies some, but this is not enough: we have to attach it to an interface, and this is where we decide whether it is going to be inbound or outbound.
As we are using the above diagram and blocking traffic from R1 to R3 on R2, we are going to attach it inbound.

[Figure image010: ACL applied to the interface]

Now I have created an ACL that tells the router: when you get traffic on interface gig1/0, use the ACL and check the filters; if the traffic is from 192.168.1.1 or 192.168.0.0/24, deny it, and allow all other traffic.
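To make the matching rules concrete, here is an added example (not from the original post) that models how a standard ACL evaluates the source address of each packet: top-to-bottom, first match wins, and the implicit deny catches whatever is left. The ACL number 10, the interface gig1/0 and the sample packets are constructed for the example; the IOS commands in the comments are the standard way to express each entry.

```python
# Added example, not from the original post: a small model of how a Cisco
# standard ACL evaluates a packet's source address (first match wins, then
# the implicit deny). The ACL mirrors the one built in the text.
import ipaddress

# Each ACE is (action, network, wildcard_mask). In a wildcard mask a 1 bit
# means "ignore this bit". The equivalent IOS command is in the comment.
ACL_10 = [
    ("deny",   "192.168.1.1", "0.0.0.0"),          # access-list 10 deny host 192.168.1.1
    ("deny",   "192.168.0.0", "0.0.0.255"),        # access-list 10 deny 192.168.0.0 0.0.0.255
    ("permit", "0.0.0.0",     "255.255.255.255"),  # access-list 10 permit any
]


def matches(src, network, wildcard):
    """True if src matches network under the wildcard mask."""
    s = int(ipaddress.IPv4Address(src))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w        # bits that must be equal
    return (s & care) == (n & care)


def evaluate(acl, src):
    """Walk the ACEs top to bottom; the first match decides.
    If nothing matches, the implicit deny at the end of the list applies."""
    for action, network, wildcard in acl:
        if matches(src, network, wildcard):
            return action
    return "deny"  # implicit deny


def filter_inbound(acl, packets):
    """Apply the ACL on an inbound interface (ip access-group 10 in):
    denied packets are dropped before the router spends effort routing them."""
    return [(src, dst) for src, dst in packets if evaluate(acl, src) == "permit"]


# Constructed sample traffic arriving on gig1/0 of R2.
SAMPLE_PACKETS = [
    ("192.168.1.1", "172.16.0.10"),   # denied by ACE 1
    ("192.168.0.77", "172.16.0.10"),  # denied by ACE 2 (in 192.168.0.0/24)
    ("10.0.0.5", "172.16.0.10"),      # permitted by ACE 3
]

if __name__ == "__main__":
    print(filter_inbound(ACL_10, SAMPLE_PACKETS))
    # Without the "permit any" entry, the implicit deny drops everything:
    print(filter_inbound(ACL_10[:2], SAMPLE_PACKETS))
```

Running it with only the two deny entries shows why the page adds the permit rule: nothing gets through.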

Now what if I had set the direction to out on this interface? In this case the traffic would be received and routed to R4, and only when R4 sends the packet back through this interface would it be filtered; since the source address would then not match the filters, all the traffic would move back and forth. This is why the direction is quite important.

Use the standard ACL if you are comfortable with it, because it is resource efficient. Extended ACLs are used because they are more flexible, offer a lot more control, and are easy to implement and understand as well.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.
