Wednesday, July 20, 2011

Introduction to ACLs

In any network device with the responsibility of moving data, the ability to inspect and filter data is absolutely critical. In routers running Cisco IOS software, this inspection and filtering is conducted by an Access Control List (hereafter referred to as ACL). Within an ACL, entries known as Access Control Entries (hereafter referred to as ACEs) describe which traffic to permit through and which traffic to deny. In this paper, I will assume that you already have a basic understanding of IP addressing, VLSM, CIDR, subnet masks and wildcard masks. These building blocks are elementary topics in IP networking, but are crucial to the understanding of ACLs. I will also assume you have a basic knowledge of how to configure a router or switch running IOS software. The commands used may appear familiar to someone knowledgeable in Cisco PIX or ASA firewalls, but there are differences.

There are many different types of ACLs used in Cisco routers. The most basic are standard ACLs. These simple ACLs can only filter traffic based on the source IP address of the packet. Building on the standard ACL is the extended ACL. These follow a similar format, but allow filtering based on the source and destination IP address and, optionally, the source and destination port number of the packet. However, with additional functionality comes additional cost in terms of router memory and processor utilization. Named ACLs are simply extended ACLs which use names rather than numbers as identification and allow additional features such as line numbers and editing capability. Reflexive ACLs allow a router to inspect packets based on a basic session table, allowing the router to act as a rudimentary stateful firewall. Time-based ACLs allow permitting or denying traffic based on the time of day. And finally, Cisco routers running IOS version 12.0.5T and higher support Context-Based Access Control (better known as CBAC), which extends traditional ACLs to allow a router to provide full stateful packet inspection. While the more advanced ACL types are quite useful for a network administrator, the focus of this paper will be standard and extended ACLs.
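To make the difference between the two ACL types concrete, here is an added example (my own illustrative code, not from the original post and not Cisco's implementation) that parses IOS-style `access-list` lines for numbered standard (1-99) and extended (100-199) ACLs and evaluates packets against them with Cisco wildcard-mask semantics. It shows the three behaviours a practitioner must keep in mind: a standard ACE looks only at the source address, an extended ACE can also match protocol, destination and port, and every ACL ends in an implicit `deny any`. The sample ACLs and packets are constructed for this example; only the `eq` port qualifier and the `any`/`host` address forms are handled.

```python
"""IOS-style standard/extended ACL evaluator (illustrative, not Cisco code)."""
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq N' port qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line into a dict of match fields."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: " + action)
    if 1 <= number <= 99:            # standard ACL: source address only
        if len(rest) == 1 and rest[0] != "any":
            rest.append("0.0.0.0")   # a bare address with no wildcard means a single host
        src, src_wc, rest = _parse_addr(rest)
        return {"number": number, "action": action, "proto": "ip",
                "src": src, "src_wc": src_wc, "sport": None,
                "dst": "0.0.0.0", "dst_wc": "255.255.255.255", "dport": None}
    if 100 <= number <= 199:         # extended ACL: protocol, src/dst address, optional ports
        proto, rest = rest[0], rest[1:]
        src, src_wc, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, dst_wc, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        return {"number": number, "action": action, "proto": proto,
                "src": src, "src_wc": src_wc, "sport": sport,
                "dst": dst, "dst_wc": dst_wc, "dport": dport}
    raise ValueError("only numbered ranges 1-99 and 100-199 are handled here")


def build_acl(lines):
    return [parse_ace(line) for line in lines]


def ace_matches(ace, pkt):
    """'ip' matches any protocol; a port field of None means the ACE does not test that port."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], ace["src"], ace["src_wc"]):
        return False
    if not wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(acl, pkt):
    """Top-down, first match wins; an unmatched packet hits the implicit 'deny any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def packet(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


# Constructed sample ACLs for this example (not from the original post).
STANDARD_ACL = [
    "access-list 10 deny 192.168.1.99",               # one host on the LAN
    "access-list 10 permit 192.168.1.0 0.0.0.255",    # the rest of the LAN
]
EXTENDED_ACL = [
    "access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23",    # no Telnet out of the LAN
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80",  # HTTP is allowed
    "access-list 100 permit icmp any any",
]

if __name__ == "__main__":
    std, ext = build_acl(STANDARD_ACL), build_acl(EXTENDED_ACL)
    # A standard ACL cannot see the destination port: Telnet from a permitted host goes through.
    print("std, telnet from .10:", evaluate(std, packet("tcp", "192.168.1.10", "203.0.113.7", 51000, 23)))
    # The extended ACL denies the same packet, but permits HTTP; HTTPS falls to the implicit deny.
    print("ext, telnet from .10:", evaluate(ext, packet("tcp", "192.168.1.10", "203.0.113.7", 51000, 23)))
    print("ext, https from .10: ", evaluate(ext, packet("tcp", "192.168.1.10", "203.0.113.7", 51000, 443)))
```

Note the ordering: the `deny` for the single host in ACL 10 must come before the `permit` for the whole subnet, because evaluation stops at the first match. Reordering those two lines silently permits the host, which is the most common mistake when editing numbered ACLs.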
