In this session, we will learn about the access control lists (ACLs) that a switch uses to control traffic. Let's find out what an access list is and when it is used.
1. What is an access list?
: A means of controlling network traffic
A network needs a way to identify and filter traffic coming from, or going to, many other networks. Access Control Lists (ACLs) filter that traffic so the network can be managed more effectively.
● Why Access Lists?
1) When unwanted traffic enters or passes through the network and needs to be blocked
2) When you want to block unauthorized users from accessing certain resources on the network, including the router itself
3) When you want to apply an access list as part of security features such as a firewall
- Limit network traffic through packet filtering, or limit the network resources used by specific users and devices
- An access list typically applies to every packet passing through a particular interface on the switch, and either permits or denies it.
- Restrict Telnet access so that an unauthorized user cannot remotely connect to the switch
- Permit or deny access from the switch to other devices or hosts
1. Two types of access lists
★ Standard Access List: Decides whether to forward (permit) or drop (deny) a packet by checking only the Source Address. It cannot filter on a specific protocol (FTP, HTTP, Telnet, etc.).
★ Extended Access List: Checks both the Source Address and the Destination Address to decide whether to forward or drop the packet. It can filter packets according to a specific protocol (FTP, TFTP, Telnet, etc.).
2. Access list application location
★ Inbound Access List
: The access list is applied when a packet is received on an interface of the switch, before the packet is forwarded. A packet denied by the filter is dropped without any further processing inside the switch, so this is an efficient way to avoid unnecessary routing overhead.
★ Outbound Access List
: The access list is applied after the switch has processed a received packet, as it is sent out of a specific interface of the switch.
3. How to set up
- Access list entries are policies applied sequentially from the top, and the first matching entry decides
- Declare the smaller scope first
(Declare smaller networks before larger ones, because entries are applied in order as mentioned above)
access-list 10 permit 2.2.2.2 0.0.0.0
access-list 10 permit 2.2.2.0 0.0.0.255
access-list 10 deny 2.2.0.0 0.0.255.255
access-list 10 permit any
- Declare the condition that is matched most frequently first
For example, you want to allow access from 164.124.116.0/24 and 164.124.118.0/24, and the systems in 164.124.116.0/24 access more frequently, so that network is listed first.
access-list 10 permit 164.124.116.0 0.0.0.255
access-list 10 permit 164.124.118.0 0.0.0.255
access-list 10 deny 164.124.0.0 0.0.255.255
access-list 10 permit any
- Unless an explicit 'permit any' is placed at the end of the access-list, you can assume that a 'deny any' is declared by default.
- Multiple access-list conditions are added one after another in order, so to add an additional condition in the middle
- After entering the conditions of the access-list, you must finally apply it to an interface for the access list to take effect.
Ex) When you want to allow only 164.124.116.0/24, you do not need to add the 'access-list 10 deny any' line below.
(Because everything else is denied automatically)
• access-list 10 permit 164.124.116.0 0.0.0.255
• access-list 10 deny any
Ex) What if you only want to block 164.124.116.0/24 and allow the rest, and declare it as follows?
• access-list 10 deny 164.124.116.0 0.0.0.255
All packets are blocked, because of the implicit 'deny any'. You must declare 'access-list 10 permit any':
• access-list 10 deny 164.124.116.0 0.0.0.255
• access-list 10 permit any
Lastly, the access list must be applied to the interface so that packets passing through that interface are filtered:
• interface ethernet 0
• ip access-group 10 out
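The rules in section 3 (top-down first match, smaller scope first, implicit deny any) and the two examples above can be checked offline with a small evaluator. The following is an added example written for this post, not switch code or vendor software: it parses the standard access-list lines shown above with a constructed toy parser, applies them to sample source addresses with the same first-match semantics, and reports entries that can never match because an earlier, wider entry already covers them. The entry lists and test addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    network: int   # address to compare against, as a 32-bit integer
    wildcard: int  # wildcard mask: 0 bits must match, 1 bits are "don't care"

    @property
    def fixed(self) -> int:
        """Bits that must match: the inverse of the wildcard mask."""
        return ~self.wildcard & ALL_ONES

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        return (a & self.fixed) == (self.network & self.fixed)


def parse_acl(lines):
    """Toy parser (constructed for this example) for standard numbered ACL lines:
    'access-list <n> permit|deny <addr> [<wildcard>]', '... host <addr>' or '... any'."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unrecognised access-list line: {line!r}")
        action, target = parts[2], parts[3]
        if target == "any":
            network, wildcard = 0, ALL_ONES
        elif target == "host":
            network, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            network = int(ipaddress.IPv4Address(target))
            # a missing wildcard means 0.0.0.0, i.e. match the single host
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append(AclEntry(action, network, wildcard))
    return entries


def evaluate(entries, src):
    """Top-down, first-match evaluation. No match means the implicit 'deny any'.
    Returns (action, index of the matching entry, or None for the implicit deny)."""
    for i, entry in enumerate(entries):
        if entry.matches(src):
            return entry.action, i
    return "deny", None


def shadowed_entries(entries):
    """Return (later, earlier) index pairs where the earlier entry already covers
    every address the later one covers, so the later entry can never match.
    This is what goes wrong when a larger scope is declared before a smaller one."""
    result = []
    for j, later in enumerate(entries):
        for i in range(j):
            earlier = entries[i]
            covers = (earlier.fixed & ~later.fixed & ALL_ONES) == 0 and \
                     (earlier.network & earlier.fixed) == (later.network & earlier.fixed)
            if covers:
                result.append((j, i))
                break
    return result


# Constructed sample lists, taken from the ordering example above and its reverse.
ACL_10_CORRECT = parse_acl([
    "access-list 10 permit 2.2.2.2 0.0.0.0",
    "access-list 10 permit 2.2.2.0 0.0.0.255",
    "access-list 10 deny 2.2.0.0 0.0.255.255",
    "access-list 10 permit any",
])
ACL_10_REVERSED = parse_acl([
    "access-list 10 deny 2.2.0.0 0.0.255.255",
    "access-list 10 permit 2.2.2.0 0.0.0.255",
    "access-list 10 permit 2.2.2.2 0.0.0.0",
    "access-list 10 permit any",
])
ACL_DENY_ONLY = parse_acl(["access-list 10 deny 164.124.116.0 0.0.0.255"])
ACL_DENY_THEN_PERMIT = parse_acl([
    "access-list 10 deny 164.124.116.0 0.0.0.255",
    "access-list 10 permit any",
])

if __name__ == "__main__":
    for src in ("2.2.2.2", "2.2.2.9", "2.2.5.5", "3.3.3.3"):
        print(src, "correct order:", evaluate(ACL_10_CORRECT, src),
              "reversed:", evaluate(ACL_10_REVERSED, src))
    print("shadowed in reversed list:", shadowed_entries(ACL_10_REVERSED))
    print("deny-only list, 10.0.0.1:", evaluate(ACL_DENY_ONLY, "10.0.0.1"))
    print("deny then permit any, 10.0.0.1:", evaluate(ACL_DENY_THEN_PERMIT, "10.0.0.1"))
```

With the reversed list, 2.2.2.2 is denied by the /16 entry before the host entry is ever reached, and `shadowed_entries` flags both narrower entries as unreachable; with the deny-only list every address falls through to the implicit deny, which is exactly the mistake the second example above corrects by adding `permit any`.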
Thank you for reading my post. Have a pleasant day today as well.