Abstract
Cisco Access Control Lists (ACLs) are used in nearly all product lines for several purposes, including filtering packets (data traffic) as they cross from an inbound port to an outbound port on a router or switch, defining classes of traffic, and restricting access to devices or services. Knowing how to design, configure, and troubleshoot ACLs is required for all network engineers working within a Cisco network.
Introduction
The objective is to provide a fundamental explanation of Cisco ACLs, covering the following topics:
1. An analogy about filtering
2. The uses of ACLs
3. Types of ACLs, operations and best practices
4. Wildcard Masks
5. Configuring named ACLs with examples
6. Monitoring ACLs
An Analogy about Filtering
Honolulu, with its famous Waikiki Beach, Pearl Harbor, zoo, aquarium, and Hawaiian historical sites, is a favorite vacation spot. However, transportation to the beach and other local sites can be an issue, so it is important to know the criteria for using the transportation (the filter) and the services offered (the route, etc.). The following is a list of options.
-The Pink Line trolley passes all the beach hotels and the shopping center. If the passenger is staying at a beach hotel and has a key, then there is no fare. Otherwise, it is $2.50.
-Chartered trolleys follow the same route as the Pink Line, but the passenger must show proof of having paid for the service as part of a vacation tour package.
-The city bus will go anywhere on the island for a fare of $2.50, or $1.00 for seniors. However, each bus has a strict route and schedule.
-Shuttle Buses and Taxis will follow any route chosen but with a higher metered or published fare. In other words, the only criterion is cash.
The point of the analogy is that filtering happens all of the time, everywhere, not just in networks. Depending on the type of transportation service chosen, the passenger is permitted if the fare conditions are met and denied if they are not. So, as the graphic shows, there are multiple levels of service with well-defined permit/deny conditions. Another way to state this is that when the criteria are matched, either a permit or a deny is executed. With networks, the method of matching must be defined and the placement of the filter must be designed as well; an ACL is one method of doing both.
The Uses for Access Control Lists
There are two major reasons to use ACLs in a Cisco network. The first is to filter traffic, either traffic passing through the router or switch, or traffic to and from the device itself. The second is to classify traffic, for example to grant access to a service or to trigger an event.
As the graphic shows, a good place for a filter is between the enterprise network and the Internet. An entire range of firewalling technologies exist here, and ACLs are one tool.
The graphic further clarifies the idea. It is the company's policy that not all traffic from the computer on the left will be allowed to exit the router via the interface on the right. Virtually all companies have a detailed security policy (or should have one), and that policy drives how filtering is implemented.
The graphic illustrates three more uses of ACLs, in which the ACL classifies traffic (by IP address) for a specific purpose rather than dropping it. For example, an ACL can identify the traffic that is allowed to traverse a virtual private network (VPN), or the block of IP addresses to be translated by the network address translation (NAT) process.
Also, routers and multi-layer switches run dynamic routing protocols such as Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP) to exchange lists of reachable IP networks. These updates can be filtered with ACLs to limit which networks appear in the list of routes learned.
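The following IOS configuration fragment is an added example, not part of the original text, that puts the uses described above on a single router: a transit filter on the Internet-facing interface (which also shows the top-down, first-match, implicit-deny evaluation behind the filtering analogy), an access-class protecting the device's own vty lines, and ACLs used purely as classifiers for NAT, for VPN "interesting traffic", and for filtering learned OSPF routes. Interface names, the addresses (taken from the RFC 5737 documentation ranges), the VPN peer and the transform-set name are all assumptions; the ISAKMP policy and pre-shared key the crypto map would also need are omitted.

```cisco
! Added example: not from the original text. Interfaces, addresses, peer and
! transform-set name are assumptions chosen for illustration.
!
! 1. Filtering traffic THROUGH the router.
!    Entries are evaluated top-down and the first match wins; anything that
!    matches nothing falls to the implicit "deny ip any any" at the end.
ip access-list extended FROM-INTERNET
 remark IKE and ESP from the VPN peer must be let in, or the tunnel never forms
 permit udp host 203.0.113.10 host 203.0.113.2 eq isakmp
 permit udp host 203.0.113.10 host 203.0.113.2 eq non500-isakmp
 permit esp host 203.0.113.10 host 203.0.113.2
 remark "established" only checks ACK/RST flags; it is not stateful inspection
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark Public web server reachable on 443 only
 permit tcp any host 192.0.2.10 eq 443
 remark Drop and log packets arriving from outside with our own source addresses
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark Restate the implicit deny so "show access-lists" counts what it drops
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description To ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip nat outside
 crypto map VPN-MAP
!
! 2. Filtering traffic TO the device itself.
!    access-class applies to sessions terminating on the vty lines, not to
!    transit traffic; only the management subnet may open SSH to the router.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.64 0.0.0.15
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
! 3. Classifying for NAT: the ACL selects which inside sources are translated.
!    A "permit" here means "translate", and nothing is dropped by this list.
ip access-list standard INSIDE-NETS
 permit 192.0.2.0 0.0.0.255
!
ip nat inside source list INSIDE-NETS interface GigabitEthernet0/1 overload
!
! 4. Classifying for a site-to-site VPN: only flows matched by VPN-TRAFFIC are
!    encrypted toward the peer; everything else leaves in the clear (or is NATed).
ip access-list extended VPN-TRAFFIC
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES-SHA
 match address VPN-TRAFFIC
!
! 5. Filtering routing updates: only the two expected prefixes learned via OSPF
!    on the WAN side are installed in the routing table. For OSPF this filters
!    routes entering the RIB, not the LSAs in the link-state database.
ip access-list standard OSPF-IN
 permit 198.51.100.0 0.0.0.255
 permit 10.10.0.0 0.0.255.255
!
interface GigabitEthernet0/2
 description WAN to branch
 ip address 10.10.1.1 255.255.255.0
!
router ospf 1
 network 10.10.1.0 0.0.0.255 area 0
 distribute-list OSPF-IN in GigabitEthernet0/2
```

Two points worth noticing in the transit filter. First, because the interface ACL is evaluated before decryption, the IKE and ESP packets from the VPN peer have to be permitted explicitly even though the tunnel's inner traffic is classified by a different ACL. Second, the order of entries matters: the anti-spoofing deny must sit above any broad permit that could match the same packets, and restating the implicit deny with `log` gives hit counters that are useful when troubleshooting with `show access-lists`.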