Access List - Introduzione alle ACL (standard ex extended) e configurazione tramite CISCO Packet Tracer
An ACL is a series of commands that control whether a router forwards or drops packets based on
information found in the packet header ACL's can perform the following tasks
- Limit network traffic to increase network performance For example video traffic could be blocked if it's not permitted
- Provide traffic flow control ACLs can help verify routing updates are from a known source
- ACLs provide security for network access and can block a host or a network
- Filter traffic based on traffic type such as Telnet traffic
- Screen hosts to permit or deny access to network services such as FTP or HTTP
An ACL is a sequential list of permit or deny statements, known as access control entries ( commonly called ACL statements
When network traffic passes through an interface configured with an ACL, the router compares the
information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs this is referred to as packet filtering
The last statement of an ACL is always an implicit deny This is automatically inserted at the end of each ACL and blocks all traffic Because of this, all ACLs should have at least one permit statement
ACLs can be configured to apply to inbound traffic and outbound traffic
- Inbound: ACLs Incoming packets are processed before they are routed to the outbound interface
(coming into the router)
- Outbound: ACLs Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL (coming out of the router)
The proper placement of an ACL can make the network operate more efficiently For example, and ACL can be placed to reduce unnecessary traffic Every ACL should be placed where it has the greatest impact on efficiency
Standard Access List
- Since standard ACLs do not specify destination addresses, they should be configured as close to the destination as possible
- id: 1-99
- denies or permits source IP address
Extended Access List
- Configure extended ACLs as close as possible to the source of the traffic to be filtered. This will prevent undesirable traffic as close to the source without itcrossing the network infrastructure
- Id: 100-199
- denies or permits source IP address
- denies or permits destination