ACCESS CONTROL LIST
Earliest method of providing network security.
It provides layer 3 and layer 4 security.
Controls the flow of traffic from one network to another.
Filters packets (packet filtering firewall).
Deny: Blocking a network/subnet/host/service.
Permit: Allowing a network/subnet/host/service.
Source address: The address from where the request starts.
Destination address: The address where the request ends.
Inbound: Traffic coming into the interface.
Outbound: Traffic going out of the interface.
+ Protocols: IP (Internet Protocol)
  TCP (Transmission Control Protocol)
  UDP (User Datagram Protocol)
  ICMP (Internet Control Message Protocol)
+ Operators: eq (equal to)
  neq (not equal to)
  lt (less than)
  gt (greater than)
+ Services: HTTP, FTP, TELNET, DNS, DHCP, etc.
WILDCARD MASK
Tells the router which addressing bits must match the address given in the ACL statement.
It is the inverse of the subnet mask, hence it is also called the inverse mask.
A bit value of 0 indicates MUST MATCH (check bits).
A bit value of 1 indicates IGNORE (ignore bits).
The wildcard mask for a host will always be 0.0.0.0.
+ A wildcard mask can be calculated using the formula:
  Global Subnet Mask - Subnet Mask = Wild Card Mask
  255.255.255.255 - 255.255.255.0 = 0.0.0.255
  255.255.255.255 - 255.255.255.240 = 0.0.0.15
RULES
Works in a sequential order from top to bottom.
Once a match is found, it does not check further.
There should be at least one permit statement.
An implicit deny blocks all traffic by default when there is no match (an invisible statement).
New entries are automatically added to the bottom.
Can have one access list per interface per direction.
Removing a specific statement in an access list is not possible.
STANDARD ACCESS LIST
The access list number range is 1-99.
Can filter a network, subnet or host.
Two-way communication is stopped.
All services are blocked or allowed.
Implemented closest to the destination (guideline).
Filters traffic based only on the source address.
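The wildcard-mask arithmetic and the top-to-bottom, first-match, implicit-deny evaluation described in the Wildcard Mask, Rules and Standard Access List sections, worked through as an added Python example (not from the original slides). The ACL statements it parses are constructed samples; the `host` and `any` shorthands are assumed to expand as they do in Cisco IOS.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # the "global subnet mask" 255.255.255.255 as an integer


def wildcard_mask(subnet_mask: str) -> str:
    """Global mask minus subnet mask, i.e. the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(subnet_mask))))


def address_matches(packet_ip: str, ace_ip: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore: compare only the bits where the wildcard is 0."""
    check_bits = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    packet = int(ipaddress.IPv4Address(packet_ip))
    ace = int(ipaddress.IPv4Address(ace_ip))
    return (packet & check_bits) == (ace & check_bits)


def parse_standard_ace(line: str):
    """Parse one IOS-style standard ACL statement (numbers 1-99) into (action, address, wildcard)."""
    parts = line.split()
    if parts[0] != "access-list" or not 1 <= int(parts[1]) <= 99:
        raise ValueError(f"not a standard ACL statement: {line!r}")
    action, rest = parts[2], parts[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    if rest == ["any"]:            # 'any' is shorthand for 0.0.0.0 255.255.255.255 (assumed IOS semantics)
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":          # 'host X' is shorthand for X 0.0.0.0
        return action, rest[1], "0.0.0.0"
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"  # no wildcard given -> single host
    return action, rest[0], wildcard


def evaluate_standard_acl(statements, src_ip: str) -> str:
    """Check statements top to bottom; the first match wins, no match hits the implicit deny."""
    for line in statements:
        action, ace_ip, wildcard = parse_standard_ace(line)
        if address_matches(src_ip, ace_ip, wildcard):
            return action
    return "deny"  # the invisible 'deny any' at the end of every access list


# Constructed sample ACL: block one host, permit the rest of its /24, implicit deny for everything else.
ACL_1 = [
    "access-list 1 deny host 192.168.1.3",
    "access-list 1 permit 192.168.1.0 0.0.0.255",
]

if __name__ == "__main__":
    for src in ("192.168.1.3", "192.168.1.77", "10.1.1.1"):
        print(src, "->", evaluate_standard_acl(ACL_1, src))
```

Reversing the two statements permits 192.168.1.3, which is why statement order matters and why a more specific entry must come before the broader one that would otherwise swallow it.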
[Figure: standard access list example, with an access-list 1 deny statement for a single host (wildcard 0.0.0.0) followed by an access-list 1 permit statement]
EXTENDED ACCESS LIST
The access list number range is 100-199.
Can filter a network, subnet, host and service.
One-way communication is stopped.
Selected services can be blocked or allowed.
Implemented closest to the source (guideline).
Filters traffic based on the source address, destination address and service.
[Figure: extended access list example involving a web service, ending with access-list 101 permit ip any any]