Describe the types, features, and applications of ACLs

Exam: 200-120 - CCNA Cisco Certified Network Associate CCNA (803)

In this section we will discuss the Cisco implementation of IP access control lists (ACLs). The ACLS is used to filter the network traffic. The ACLs can also be used for define traffic to the NAT (network address translate). It can also be used to encrypt and filter non IP- protocols. The non IP- protocols include Apple talk.

The IP protocols can be mainly of the following types:

  • Internet Control Message Protocol (ICMP)
  • Open Shortest Path First (OSPF)
  • Internet Protocol (IP)
  • User Datagram Protocol (UDP)
  • Transmission Control Protocol (TCP)

Some common concepts that are used in ACLs are:

  1. Masks – These are used in IP ACLs to clearly mention what should be allowed and what should not be. The masks usually start with 255 and on the left they have a huge number.
  2. ACL summarisation – this is a concept that is used to sum up a large range of network into one particular network.

One can always define the ACLs and keep. The ACLs do not how any affect unless they are applied on an interface or a router. It is suggested that the ACL should be applied at the interface that is situated nearest to the source of the traffic. This will help you to block and allow the traffic as and when you please. For the UDP traffic to pass the ACL must be given exclusive permission.

You can also edit the ACLs as you want and even delete the same if the requirement arises. As soon as you put a no in front of the access group command the ACL will be removed from the interface.

We will now discuss each type of the ACL in details so that you understand the concept better:

Standard (editing and sequence numbers)

The first type of the ACL is the standard ACL. It is also the oldest form of ACL. The standard ACL can control the traffic by comparing the source address of the IP packet with the address that is already configured in the ACL. The command for standard ACL is

access-list access-list-number {permit|deny}

{host|source source-wildcard|any}

The access list number in this case can vary from 1 to 99. Now even list name can be used in standard ACL. After the ACL is defined the direction must be specified too.

Extended

The next type of ACL that we will discuss is the extended ACL. In this case the traffic is controlled by destination and source address of the IP packets with the address that is already configured in the ACL. The access list number can be in this case anything from 100 to 199. Now even list names can be used in the extended ACLs. The defined ACL must be applied clearly to the interface. The command used for this purpose is

interface <interface>

ip access-group {number|name} {in|out}

The extended ACL can ensure that unwanted pings from outside is prevented from entering the interface.

Named

The named ACL is also known the IP named ACLs. They are called named as they do not use numbers but names. They are alpha numeric in nature too. You can configure up to 100 named ACLs on a server. The command used for this named ACL is

ip access-list {extended|standard} name

The named ACLs can be used to block traffic other than the telnet connection that comes from host to host.

Some examples of named ACLs are:

permit host 5.6.7.8

permit any

deny host 1.2.3.4 and the list just goes on

Numbered

We will now try to discuss in details what a numbered ACL is. Any ACL that is represented by a number is called a numbered ACL. Both standard and extent ACLs are numbered ACL as they are numeric in nature. In standard ACL the numbers range from 1- 99 and in extended the number range from 100 to 199. When an ACL is numbered it can be edited easily. We have already mentioned before that an ACL can be edited as per the requirement. We will now explain how exactly the ACL can be edited.

The extended numbered ACL will deny or allow packets based on the following information:

  • Source of IP address
  • IP protocol
  • Destination of IP address
  • The source of the UDP or the TCP
  • Destination of the UDP or the TCP

One can also add ACL lines to the numbered or standard ACLs by using sequence numbers. The new entries made can be checked with the show list command. The new ACLs are supported with security appliances. Unless you remove the crypto map now you will not be able to make the changes in ACL. Not removing the crypto map can also leads to strange behaviour.

Log option

The log option is used in ACL quite often. The log option allows the SNMP trap and the Syslog messages for packets that are usually denied by the ACL. One can use the log option even when the ACL and filters are already in use. All that one needs to do is enter again the ACL or the filter command. After that you need to add the log parameter to the very end of the ACL or the filter. The software is designed in such a way that it will replace the ACL or the filter command with a new command. The new ACL with the log option will start to function with immediate effect.

Apart from these there are many more types of ACLs and they are lock and key or dynamic ACL, reflexive ACL, time based ACL, context based access control and commented IP ACL entries, the list just goes on. However, the ones that we have explained above are essential from the exam point of view. We hope that this chapter will help you to clearly understand and describe the types, features, and applications of ACLs. Just keep these terms and points in mind and you will be able to answer most of the questions in this particular section.

Related IT Guides

  1. Configure and verify ACLs in a network environment
  2. Configure and verify an ACLs to limit telnet and SSH access to the router
  3. Configure and verify DHCP (IOS Router)
  4. Configure and verify initial switch configuration including remote access management
  5. Configure and verify interVLAN routing (Router on a stick)
  6. Configure and verify VLANs
  7. Identify and correct common network problems
  8. Select the appropriate media, cables, ports, and connectors to connect switches to other network devices and hosts
  9. Select the Components Required to Meet a Network Specification
  10. Verify network status and switch operation using basic utilities

Close 100% Pass Guarantee or Your Money Back

How to Claim the Refund / Exchange?

In case of failure your money is fully secure by BrainDumps Guarantee Policy. Before claiming the guarantee all downloaded products must be deleted and all copies of BrainDumps Products must be destroyed.


Under What Conditions I can Claim the Guarantee?

Full Refund is valid for any BrainDumps Testing Engine Purchase where user fails the corresponding exam within 30 days from the date of purchase of Exam. Product Exchange is valid for customers who claim guarantee within 90 days from date of purchase. Customer can contact BrainDumps to claim this guarantee and get full refund at billing@braindumps.com. Exam failures that occur before the purchasing date are not qualified for claiming guarantee. The refund request should be submitted within 7 days after exam failure.


The money-back-guarantee is not applicable on following cases:

  1. Failure within 7 days after the purchase date. BrainDumps highly recommends the candidates a study time of 7 days to prepare for the exam with BrainDumps study material, any failures cases within 7 days of purchase are rejected because in-sufficient study of BrainDumps materials.
  2. Wrong purchase. BrainDumps will not entertain any claims once the incorrect product is Downloaded and Installed.
  3. Free exam. (No matter failed or wrong choice)
  4. Expired order(s). (Out of 90 days from the purchase date)
  5. Retired exam. (For customers who use our current product to attend the exam which is already retired).
  6. Audio Exams, Hard Copies and Labs Preparations are not covered by Guarantee and no claim can be made against them.
  7. Products that are given for free.
  8. Different names. (Candidate's name is different from payer's name).
  9. The refund option is not valid for Bundles and guarantee can thus not be claimed on Bundle purchases.
  10. Guarantee Policy is not applicable to Admission Tests / Courses, CISSP, EMC, HP, Microsoft, PMI, SAP and SSCP exams as braindumps.com provides only the practice questions for these.
  11. Outdated Exam Products.
Close
Spring Sale! Get 30% Discount for All Exams!

This is a ONE TIME OFFER. You will never see this Again

Instant Discount
Braindumps Testing Engine

30% OFF

Enter Your Email Address to Receive Your 30% OFF Discount Code Plus... Our Exclusive Weekly Deals

A confirmation link will be sent to this email address to verify your login.


* We value your privacy. We will not rent or sell your email address.
Close
Your 30% Discount on Your Purchase

Save 30%. Today on all IT exams. Instant Download

Braindumps Testing Engine

Use the following Discount Code during the checkout and get 30% discount on all your purchases:

May17Off30

Start Shopping