Thursday, 11 October 2012

Basic IP Traffic Management with Access lists

Introduction : 

An Access Control List (ACL) is a set of commands grouped together under one name or number. These commands let you filter the traffic that enters or leaves an interface. A wildcard mask lets an ACL statement match a range of addresses. A router refers to ACLs in two ways, numbered and named, and both references support two types of filtering, standard and extended. You first configure the ACL statements and then activate them on an interface.

Access Control List

Access control lists are created in global configuration mode. Their statements let the administrator permit or deny traffic that enters or leaves an interface. After creating the group of ACL statements, you need to activate them; to filter the traffic passing through an interface, the ACL is applied in interface sub-configuration mode.
The two ways in which a router refers to an ACL are:
  • Numbered – similar to an index value
  • Named – assigns a unique name to each ACL, distinct from the other ACLs on the router. The router uses these ACLs to filter traffic.
Each of these references supports the following filtering types:
  • Standard – filters only on the source IP address inside a packet.
  • Extended – filters on the source and destination IP addresses in the packet, and can also match on protocol and port information.

Creating an ACL

You can use the access-list command to create an ACL.
The syntax to create an ACL is:
access-list ACL_# permit | deny conditions
  • ACL_# – groups statements into a single list
  • permit | deny – specifies the action to perform on a matching packet
  • conditions – specifies what a packet must match for the router to perform the action

Working Of ACL

An ACL is a set of statements grouped together under a name or number. When the router processes a packet against that group of statements, it performs a number of steps to find a matching statement. The router processes each ACL in a top-down fashion: the packet is compared with the first statement in the ACL, then the next, and so on. When the router finds a match between the packet and a statement, it executes the action included with that statement, permit or deny, and stops processing the list.
For example, you want to configure the router to permit traffic from all the hosts of the subnet except the host. You create an ACL on the router with statements in the following order:
  • Permit traffic from the subnet
  • Deny traffic from the host
The router receives a packet from the host with that source IP address. When this address is compared with the first statement, it is found that the router must permit the traffic from that host, because the host belongs to the subnet. The second statement is never executed, as the first statement always matches first. As a result, your goal of denying traffic from the host is not accomplished.
To achieve the required result, you must reverse the order. The new order of the statements is as follows:
  • Deny traffic from the host
  • Permit traffic from the subnet

Editing Entries

You may need to add, delete, or modify an entry in an ACL. In a numbered ACL, you cannot delete a specific entry; you need to delete the entire list in which the entry exists and re-enter it.
To delete an ACL, enter the following at the command prompt:
no access-list number
  • number – specifies the number of the ACL to be deleted
To edit a numbered ACL, perform the following steps:
  1. Enter the following at the command prompt: show running-config
  2. Locate the required ACL entries in the output.
  3. Copy the existing ACL commands and paste them into a text editor.
  4. Enter the following in interface configuration mode to remove the ACL from the interface: no ip access-group ACL_#
  5. Enter the following in global configuration mode to delete the old access list: no access-list ACL_#
  6. Edit the ACL in the text editor, then copy it and paste it into global configuration mode.
  7. To activate the ACL on the router interface, enter the following in interface configuration mode: ip access-group ACL_#

Standard ACL

To create an entry in a standard numbered IP ACL, enter the following at the command prompt:
access-list 1-99|1300-1999 permit | deny source_IP_address [wildcard_mask] [log]
If the wildcard mask is omitted, the router assumes 0.0.0.0, which matches only that single source address.

Extended Numbered ACLs

The command for configuring an extended ACL is more complicated than the one for a standard ACL. The command to configure an extended numbered ACL is:
access-list 100-199|2000-2699 permit | deny IP_protocol source_address source_wildcard_mask [operator port] destination_address destination_wildcard_mask [operator port] [established] [log]
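The following Python model is an added example, not part of the original post and not Cisco code. It parses `access-list` lines in the standard and extended forms shown above, evaluates a packet against them top-down with first-match-wins and the implicit deny at the end, and reproduces the ordering problem from the "Working of ACL" section. All addresses, ACL numbers and packets are constructed sample values, and the packet is a plain dictionary whose keys (src, dst, protocol, sport, dport, ack) are this example's own convention.

```python
"""Toy evaluator for Cisco-style numbered IP access lists (added example)."""
import ipaddress
import re

OPERATORS = {"eq", "neq", "gt", "lt"}          # port operators in the extended form
_IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def _take_address(tokens, idx):
    """Consume `any`, `host A`, `A W`, or a bare `A` (wildcard 0.0.0.0)."""
    tok = tokens[idx]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", idx + 1
    if tok == "host":
        return tokens[idx + 1], "0.0.0.0", idx + 2
    if idx + 1 < len(tokens) and _IPV4.fullmatch(tokens[idx + 1]):
        return tok, tokens[idx + 1], idx + 2
    return tok, "0.0.0.0", idx + 1           # omitted wildcard means this one host


def _take_port(tokens, idx):
    """Consume an optional `operator port`; returns ((op, port) or None, next index)."""
    if idx < len(tokens) and tokens[idx] in OPERATORS:
        return (tokens[idx], int(tokens[idx + 1])), idx + 2
    return None, idx


def parse_acl_line(line: str) -> dict:
    """Turn one `access-list ...` command into a rule dictionary."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("not a permit/deny access-list command: " + line)
    number = int(tokens[1])
    rule = {"number": number, "action": tokens[2], "log": tokens[-1] == "log",
            "src_port": None, "dst_port": None, "established": False}
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
        rule["protocol"] = "ip"
        rule["src"], rule["src_wc"], _ = _take_address(tokens, 3)
        rule["dst"], rule["dst_wc"] = "0.0.0.0", "255.255.255.255"
    elif 100 <= number <= 199 or 2000 <= number <= 2699:   # extended
        rule["protocol"] = tokens[3]
        rule["src"], rule["src_wc"], i = _take_address(tokens, 4)
        rule["src_port"], i = _take_port(tokens, i)
        rule["dst"], rule["dst_wc"], i = _take_address(tokens, i)
        rule["dst_port"], i = _take_port(tokens, i)
        rule["established"] = "established" in tokens[i:]
    else:
        raise ValueError(f"ACL number {number} is outside the standard/extended IP ranges")
    return rule


def _port_ok(spec, port: int) -> bool:
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def evaluate(acl: list, packet: dict) -> str:
    """Top-down, first match wins; every ACL ends with an implicit deny."""
    for rule in acl:
        if rule["protocol"] not in ("ip", packet["protocol"]):
            continue
        if not wildcard_match(packet["src"], rule["src"], rule["src_wc"]):
            continue
        if not wildcard_match(packet["dst"], rule["dst"], rule["dst_wc"]):
            continue
        if not _port_ok(rule["src_port"], packet.get("sport", 0)):
            continue
        if not _port_ok(rule["dst_port"], packet.get("dport", 0)):
            continue
        if rule["established"] and not packet.get("ack", False):
            continue                      # `established` needs the ACK bit set
        return rule["action"]
    return "deny"


# Constructed sample: block one host 192.168.1.10 inside subnet 192.168.1.0/24.
WRONG_ORDER = [parse_acl_line(l) for l in (
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 deny 192.168.1.10")]
RIGHT_ORDER = [parse_acl_line(l) for l in (
    "access-list 10 deny 192.168.1.10",
    "access-list 10 permit 192.168.1.0 0.0.0.255")]
EXTENDED = [parse_acl_line(l) for l in (
    "access-list 101 permit tcp any host 10.0.0.5 eq 80",
    "access-list 101 permit tcp any 10.0.0.0 0.0.0.255 established",
    "access-list 101 deny ip any any log")]


def ordering_demo():
    """Return (wrong-order result, right-order result) for the blocked host."""
    pkt = {"src": "192.168.1.10", "dst": "10.0.0.1", "protocol": "tcp"}
    return evaluate(WRONG_ORDER, pkt), evaluate(RIGHT_ORDER, pkt)


if __name__ == "__main__":
    print("permit-then-deny:", ordering_demo()[0], "| deny-then-permit:", ordering_demo()[1])
```

Running the block shows the host is permitted when the subnet statement comes first and denied once the statements are reversed; a packet from an address outside the subnet hits neither statement and falls through to the implicit deny, which is why a list that only contains deny statements blocks everything.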

Source :