Access Control Lists | Cisco CCNA 200-301
Summary
TL;DR: This video from 'Cert Bros' offers a comprehensive guide to Access Control Lists (ACLs), explaining their role in network security. ACLs, used by switches and routers, are rule-based lists that permit or deny traffic based on criteria like source and destination addresses. The video covers standard, extended, and named ACLs, highlighting their distinct features and configurations. It also emphasizes the importance of rule order, since the first matching rule is applied and an 'implicit deny' rule sits at the end of every list, so viewers understand how list structure affects traffic control.
Takeaways
- 🔒 Access Control Lists (ACLs) are rule-based lists used by network devices like switches and routers to identify and control traffic based on various criteria.
- 📋 ACLs can be used for purposes beyond just permitting or denying traffic, including network address translation and quality of service configuration.
- 👉 ACLs consist of ordered rules that determine whether traffic should be allowed or blocked; the order is crucial as the first matching rule will be applied.
- ⚠️ There is an implicit 'deny all' rule at the bottom of every ACL, which applies if no other rule matches the traffic.
- 🔢 Standard ACLs use numbers from 1 to 99 or 1300 to 1999 and only consider the source IP address for traffic filtering.
- 🔎 Extended ACLs, with numbers from 100 to 199 or 2000 to 2699, allow for more granular control by considering source and destination IP addresses, protocol, and port numbers.
- 📝 Named ACLs provide a more human-readable alternative to numbered ACLs by assigning names to standard or extended ACLs for easier management.
- 🌐 A wildcard mask is used in standard ACLs to determine which bits of the IP address must match for the rule to apply.
- 🚫 Extended ACLs include an operator to match port numbers, offering options like 'greater than', 'less than', 'not equal to', 'equal to', and 'range'.
- 👀 The configuration of ACLs requires careful planning to ensure that the rules are ordered correctly to avoid unintended traffic blocking or allowing.
- 📚 Understanding how to read and interpret ACLs is essential for network management, as demonstrated by the examples provided in the script.
Q & A
What is an Access Control List (ACL)?
-An Access Control List (ACL), also called an access list, is a rule-based list used by switches and routers to identify traffic based on source and destination addresses and port numbers. ACLs are commonly used to permit or deny traffic and can also be used for network address translation and quality of service.
What is the purpose of an ACL in a network?
-The primary purpose of an ACL is to control traffic flow by allowing or denying traffic based on specific criteria such as source and destination IP addresses, port numbers, and protocols. This helps in enhancing security and managing network traffic effectively.
How does the order of rules in an ACL affect traffic processing?
-The order of rules in an ACL is crucial because the router or switch processes traffic starting from the top of the list and stops at the first matching rule. Therefore, the placement of rules can determine whether intended traffic is permitted or denied.
What is the 'implicit deny' in an ACL?
-The 'implicit deny' is an invisible rule at the bottom of every ACL that automatically denies traffic if no matching rule is found as the traffic is processed down the list.
What are the three types of access lists mentioned in the script?
-The three types of access lists mentioned are standard access lists, extended access lists, and named access lists. Each type serves different purposes and has different levels of specificity in identifying traffic.
How do standard access lists differ from extended access lists?
-Standard access lists use the source IP address only to identify traffic and are identified with numbers between 1 and 99 or 1300 to 1999. In contrast, extended access lists, identified with numbers between 100 and 199 or 2000 to 2699, allow identification based on source and destination addresses, protocol, and port numbers, providing more granular control.
What is the purpose of a wildcard mask in a standard access list?
-A wildcard mask in a standard access list works with an IP address to identify which bits of the address need to match the specified IP address. It is like an inverted subnet mask, with zeros indicating bits that must match and ones indicating bits that do not need to match.
What is a named access list and how does it differ from numbered access lists?
-A named access list assigns names instead of numbers to standard or extended access lists, making it easier to identify and manage multiple lists on a device. It provides the same functionality as numbered lists but with a more descriptive naming convention.
Can you provide an example of a rule in an extended access list?
-An example of a rule in an extended access list could be to deny all TCP traffic from a specific source network to a specific destination host and port. For instance, 'deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.50 eq 21' denies FTP traffic (port 21) from any source in 192.168.10.0/24 to the host 192.168.20.50; 'host' is shorthand for a 0.0.0.0 wildcard mask, and 'eq ftp' could be used in place of 'eq 21'.
How can the order of rules in an ACL impact the network traffic?
-The order of rules in an ACL impacts network traffic because the router or switch stops processing the list at the first matching rule. If a 'permit' rule is placed before a more specific 'deny' rule, the 'deny' rule may never be reached, thus allowing traffic that was intended to be denied.
Outlines
🔒 Introduction to Access Control Lists
This paragraph introduces the concept of Access Control Lists (ACLs), explaining their role in network security. ACLs are rule-based lists used by switches and routers to identify and manage traffic. They can be based on source and destination addresses, as well as port numbers, and are primarily used to permit or deny traffic. The paragraph also discusses the importance of order in ACLs, as the first matching rule determines the action taken on the traffic. An implicit 'deny all' rule is present at the bottom of every list, emphasizing the need for careful rule placement to avoid unintended traffic blocking.
📝 Understanding Access List Configuration
This section delves into the specifics of configuring access lists, including standard and extended ACLs, as well as named access lists. It explains the use of access list numbers to differentiate between standard (1-99, 1300-1999) and extended (100-199, 2000-2699) lists. The paragraph clarifies that standard ACLs are limited to source address filtering, while extended ACLs offer more granular control by considering destination addresses, protocols, and port numbers. Named ACLs are introduced as a way to assign names to lists for easier identification and management. The paragraph also breaks down the components of ACL entries, including action, source and destination IP addresses, wildcard masks, and operators for port number matching.
🚫 Denying and Permitting Traffic with ACLs
This paragraph focuses on the practical application of ACLs to deny or permit specific types of traffic. It provides examples of standard and extended ACL entries, illustrating how to configure rules using IP addresses, wildcard masks, and port numbers. The explanation includes the use of keywords for common ports and the importance of the order of rules in an ACL. The paragraph emphasizes that the correct sequence of rules is crucial to avoid unintended traffic allowances or denials, because the first rule that matches is the one applied and later rules are never checked.
📚 Reading and Interpreting Access Lists
The final paragraph provides examples of ACLs to help viewers understand how to read and interpret them. It includes examples of extended and standard ACLs, both numbered and named, and explains the significance of each rule within the list. The paragraph clarifies the use of the 0.0.0.0 wildcard mask (all 32 bits must match, shown as a host address and configurable with the 'host' keyword) and the 'any' keyword to match any IP address. It also highlights the implicit deny rule at the bottom of all ACLs and the importance of rule order for determining which traffic is permitted or denied.
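The wildcard-mask rule (Q & A on wildcard masks), the extended-entry syntax (Q & A example rule) and the first-match/implicit-deny behaviour (Q & A on rule order, and the reading examples above) can all be checked with a small evaluator. The following Python is an added example written for this page; it is not code from Cert Bros or from Cisco IOS. It parses entries in IOS-like syntax, expands 'any' and 'host', accepts a few port keywords, and walks a list top-down exactly as the video describes. The sample lists are constructed to mirror the video's named extended list and its three-host standard list; handling only a destination port operator is a deliberate simplification.

```python
"""Toy evaluator for Cisco-IOS-style ACL entries (added example, not IOS code):
wildcard-mask matching, top-down first-match processing and the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the port keywords IOS accepts in place of a number.
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")      # what the 'any' keyword expands to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Zero bits in the wildcard mask must match `base`; one bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF                # invert the mask: the bits that must match
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip" matches every protocol
    src: Tuple[str, str]                  # (address, wildcard mask)
    dst: Tuple[str, str]                  # standard lists: ANY (source only)
    op: Optional[str] = None              # eq / neq / gt / lt / range
    ports: Tuple[int, ...] = ()


def _addr_spec(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":                  # host A == A 0.0.0.0 (all 32 bits match)
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 >= len(tok):                 # bare address at the end of a standard entry
        return (tok[i], "0.0.0.0"), i + 1
    return (tok[i], tok[i + 1]), i + 2


def parse_rule(line: str, extended: bool) -> Rule:
    """Parse one entry as typed inside a standard or extended list.
    Simplification (this example only): just a destination port operator."""
    tok = line.split()
    if not extended:                      # standard: action and source only
        src, _ = _addr_spec(tok, 1)
        return Rule(tok[0], "ip", src, ANY)
    src, i = _addr_spec(tok, 2)
    dst, i = _addr_spec(tok, i)
    op, ports = None, ()
    if i < len(tok):                      # optional operator, e.g. 'eq ftp'
        op = tok[i]
        n = 2 if op == "range" else 1
        ports = tuple(PORT_KEYWORDS[t] if t in PORT_KEYWORDS else int(t)
                      for t in tok[i + 1:i + 1 + n])
    return Rule(tok[0], tok[1], src, dst, op, ports)


def _port_ok(rule: Rule, port: Optional[int]) -> bool:
    """Apply the operator the video lists: gt, lt, neq, eq, range."""
    if rule.op is None:
        return True
    if port is None:
        return False
    p = rule.ports
    if rule.op == "eq":
        return port == p[0]
    if rule.op == "neq":
        return port != p[0]
    if rule.op == "gt":
        return port > p[0]
    if rule.op == "lt":
        return port < p[0]
    if rule.op == "range":
        return p[0] <= port <= p[1]
    raise ValueError(f"unknown operator {rule.op}")


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the list top-down and stop at the first match.
    Returns (action, sequence number); sequence numbers go up in tens as in
    IOS, and None means the implicit deny at the bottom was reached."""
    for n, r in enumerate(rules, start=1):
        if r.proto not in ("ip", proto):
            continue
        if (wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst)
                and _port_ok(r, dport)):
            return r.action, n * 10
    return "deny", None


# Constructed sample lists mirroring the video's examples.
NAMED = [parse_rule(l, extended=True) for l in (
    "deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.50 eq ftp",
    "permit ip 192.168.10.0 0.0.0.255 host 192.168.20.50")]
REVERSED = NAMED[::-1]                    # same two entries the wrong way round
STANDARD = [parse_rule(l, extended=False) for l in (
    "permit host 192.168.10.10", "permit host 192.168.10.15",
    "permit host 192.168.10.20")]

if __name__ == "__main__":
    pkt = ("tcp", "192.168.10.7", "192.168.20.50", 21)    # FTP from the LAN
    print("correct order :", evaluate(NAMED, *pkt))       # ('deny', 10)
    print("reversed order:", evaluate(REVERSED, *pkt))    # ('permit', 10)
    print("unlisted host :", evaluate(STANDARD, "tcp", "192.168.10.99",
                                      "192.168.20.50", 80))  # ('deny', None)
```

Running it shows the three points the page makes: the FTP packet is caught by the deny at sequence 10, the same packet is permitted at sequence 10 once the entries are reversed because the deny is never reached, and a source the standard list does not name falls through to the implicit deny (returned here as `None`).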
Keywords
💡Access Control List (ACL)
💡Permit
💡Deny
💡Source Address
💡Destination Address
💡Port Numbers
💡Standard Access List
💡Extended Access List
💡Named Access List
💡Wildcard Mask
💡Implicit Deny
Highlights
Access control lists (ACLs) are rule-based lists used by switches and routers to identify traffic.
ACLs can be used to deny or permit traffic based on source and destination addresses, and port numbers.
Other uses for ACLs include network address translation and quality of service configuration.
ACLs are composed of rules that determine if traffic should be permitted or denied.
The order of rules in an ACL is crucial as it affects the application of rules to traffic.
An implicit deny rule exists at the bottom of every ACL if no match is found.
There are three types of ACLs: standard, extended, and named.
Standard ACLs use source addresses for traffic identification and range from 1 to 99 or 1300 to 1999.
Extended ACLs offer more granular control with source, destination, protocol, and port number identification.
Extended ACLs use numbers between 100 and 199 or 2000 to 2699.
Named ACLs assign names instead of numbers for easier identification and management.
Wildcard masks in standard ACLs act like inverted subnet masks to determine matching bits in an IP address.
Extended ACLs require specifying protocol, source and destination IP addresses, masks, and port operators.
Port numbers can be matched using operators like 'gt', 'lt', 'neq', 'eq', and 'range'.
The importance of rule order is emphasized to avoid unintended traffic denial or permission.
Examples provided demonstrate the configuration and interpretation of standard, extended, and named ACLs.
An implicit deny at the bottom of ACLs ensures all unmatched traffic is denied by default.
The video is part of a full CCNA course, available for further learning.
Transcripts
Hey, what's up guys, welcome to Cert Bros. In this video we're going to be talking about access control lists.

So what is an access control list? Access control lists, also known as ACLs or simply access lists, are rule-based lists that are used by switches and routers to identify traffic. They can identify traffic based on the source address, destination address and port numbers. The most common use for an access list is to deny or permit traffic, but there are other uses for access lists, such as configuring network address translation and quality of service. Let's take a look at a quick example.

This router has an ACL configured. The ACL is configured with rules that tell it which traffic is allowed to pass and which traffic is not. For example, we may want to allow all traffic destined for this server, but at the same time we may want to block all other traffic to any other host. This is all possible with a very simple access list.

Okay, so now we have an idea about what an access list does. Let's see what one looks like. Here is a simple access list. It consists of one or more lines called rules, which specify if traffic should be permitted or denied. Don't worry, we'll look at what each bit means in just a moment. The first thing you'll probably notice is the number on the left. This represents the order of each rule. The reason it goes up in tens is to give you the flexibility to come back at a later date and add rules in between the existing ones.

Why does that matter? Well, the order of the list is very important. When a router or switch receives some traffic, it checks the access control list. It starts at the top of the list and it works its way down. It keeps going until it finds a matching rule. As soon as a matching rule is found, it stops looking and applies that rule. This means you have to be very careful to put the rules in the right place, otherwise you could deny traffic that you're trying to permit or permit traffic that you're trying to deny. We'll see this more as we go. Another very important note here is that if no matching rule is found, the traffic will automatically be denied. There is an invisible "deny everything" rule at the bottom of every access list. This is known as the implicit deny.

Okay, so now we know what an access list does and what it looks like. Now let's take a closer look. There are three types of access list. The first is a standard access list. Now, when you configure an access list you use a number to identify the type of access list you want to configure. A standard access list uses any number between 1 and 99. Then Cisco decided to expand this to also include 1300 to 1999. This expansion meant we can configure a lot more access lists per device. Standard access lists only use the source address to identify traffic, so this can be quite limiting.

The second type of access list is called an extended access list. Extended access lists use any number between 100 and 199, and expanded numbers between 2000 and 2699. Extended access lists allow us to identify traffic not only on the source address but the destination address, protocol and port number as well, so we can have a lot more granular control with extended access lists.

The last type I want to mention is called a named access list. A named access list allows standard or extended lists to be given names rather than numbers. If you have multiple access lists on a device, named lists make it easier to identify what each list does, making them easier to manage. We're going to look at all three of these in a bit more detail.

First, let's look at standard access lists. This is a command to configure a single standard access list entry. It can look a bit intimidating at first, so we're going to break it down. The first part specifies the access list number. Remember, any number between 1 and 99 or 1300 to 1999 means this will be a standard access list. The next part is the action: do we want to permit this traffic or do we want to deny it? We then have our source IP address and finally something called a wildcard mask. Now, the wildcard mask will need some further explaining.

A wildcard mask works with an IP address. It's like an inverted subnet mask. The job of a wildcard mask is to identify the bits of an IP address that need to match and the bits that don't. To do this you need to compare the wildcard mask with the IP address. Wherever you see a zero, this means that corresponding bit must match. Wherever you see a 1, this means the bit does not need to match. So in our example here we have the address 192.168.10.0 and the wildcard mask of 0.0.0.255. This means it will match any traffic with the source address between 192.168.10.0 to 192.168.10.255, because the wildcard mask states that the last eight bits don't need to match. So to summarize this rule: it will permit any traffic coming from the source address 192.168.10.something.

Okay, so that was nice and simple. Let's now look at an extended access list. This is a command to configure a single extended access list entry. As you can see there is a bit more to it than the standard access list. Don't worry though, we're going to break it down. The first part specifies the access list number. Because we're now configuring an extended access list we will use something between 100 and 199 or 2000 to 2699. The next part is the action, so this time we will be denying this traffic. Next we have a new section: this matches the traffic protocol. In this example we have TCP, but this could be UDP, EIGRP, OSPF, etc. Then we have the source IP address followed by the source wildcard mask, then we have the destination IP address and the destination wildcard mask. After that we have something called an operator. An operator is used to match port numbers. We have a few different operator options: gt means greater than, lt means less than, neq means not equal to, and eq means equal to. range means included in the range you specify. In this example we're going to use eq, which means equal to, and then we'll specify the port number. We can do this using the port number itself or we can use a keyword for common ports. Here I typed ftp, meaning port 21. An important note here: when configuring an extended access list, the source IP and port number always comes first. Okay, so to summarize this rule: deny all TCP traffic coming from 192.168.10.something with a destination IP address of 192.168.20.50 and a destination port number of 21.

The last one we need to look at is a named access list. Now, luckily named access lists are pretty similar, they're just configured slightly differently. The first thing you need to do is type ip access-list, then you specify if you want to configure a standard or an extended access list, then you just need to choose a name. Here I've chosen certbros for the name. Then you enter the access list configuration mode, where you can add the rules in the same way as before. So this access list will deny any TCP traffic with a source IP address of 192.168.10.something, with a destination IP address of 192.168.20.50 and a destination port number of 21, which is FTP. After that it will permit any IP traffic with a source IP address of 192.168 and a destination IP address of 192.168.20.50. Can you see the importance of having the correct order? If these two entries were the other way around, then FTP traffic would be permitted, because the bottom rule would never be checked.

So that is how you configure the three types of access list, but you also need to be able to read the lists. Let's take a look at a few examples and try and figure out what they do. Here's our first list. We know it's an extended list because, well, because it says extended at the top, but not only that, it also has a number of 101, which hopefully by now we know is an extended access list number. Below this we have our list rules. The first one states: deny all TCP traffic destined for 192.168.10.something with a destination host address of 192.168.20.50 and the destination port number of 21. Now, access lists that have a 32-bit wildcard mask, or 0.0.0.0, meaning one IP exactly, will show a host address. You can even use the keyword host when configuring it. The next rule is the same, but this time we are blocking Telnet traffic, and the bottom one permits any IP traffic from 192.168.10.something with a destination host address of 192.168.20.50.

Nice and easy, right? Well, the next one is even easier. This is a standard list. Of course it says standard at the top, but it's also using a standard number. Remember, standard access lists only filter based on the source IP address, so this list is permitting traffic from hosts 192.168.10.10, .15 and .20. Remember, all access lists have an implicit deny at the bottom, so everything else will be denied.

Okay, let's look at the last example. This is an extended access list, but this time it doesn't have a number, instead it has a name. The first rule permits TCP traffic, and there is a keyword here that we haven't seen yet. We can use the any keyword to specify any IP address, so in this case any source IP, and then we have the destination host address of 192.168.20.50. And which port do you think www means? HTTP, port 80. The second rule is the same, but it's permitting FTP traffic on port 21.

Hopefully this has given you a good understanding of access lists, what they're used for and the different types. This video is part of the full CCNA course which can be found in the description, so please feel free to go and check that out. If you like this video don't forget to give it a thumbs up, leave a comment and subscribe. The support from you guys really helps this channel grow. Other than that, thank you for watching.