Friday, May 11, 2012

Access Control Lists

Router Access Control Lists:
Access control lists filter network traffic by controlling whether packets being routed are forwarded or blocked at the router's interfaces. The router checks each packet against the criteria specified in the access list before deciding whether to forward or drop it.

The criteria can be the packet's source address, its destination address, the protocol, or other header information. Because access lists perform no authentication, a knowledgeable user can sometimes evade them.

Why configure access lists?
Access lists can be used to restrict the contents of routing updates or to control traffic flow. Their most important use, however, is to provide a basic level of security for access to a network. If no access lists are configured, every packet passing through the router can reach every part of the network.

Implied "Deny All Traffic" criteria statement:
At the end of every access list there is an implied "deny all traffic" criteria statement. If a packet satisfies none of the conditions in the access list, it is dropped when it reaches the end of the list.

Limitations when entering criteria statements:
Each additional criteria statement that a user enters is added to the end of the access list statements. Also, individual statements cannot be deleted after they have been created. Only the entire access list can be deleted.

The order of access list statements is important as well. When the router decides whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. Once a match is found, checking stops. For example, if you create a criteria statement that explicitly permits all traffic, no statement added after it will ever be checked, so every packet reaching that router interface will be forwarded.
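As an added illustration (not part of the original post or of Cisco's software), the following Python models how IOS evaluates a numbered standard ACL: wildcard-mask matching, first match wins, the implied deny at the end of the list, and a check for statements that an earlier statement such as "permit any" would shadow. The configuration text and addresses are constructed for the example.

```python
import ipaddress
# Constructed sample (not from the post): statements stored in entry order,
# since IOS appends each new statement to the end of the list.
ACL_TEXT = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny host 192.168.2.5
access-list 10 permit 192.168.2.0 0.0.0.255
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match the base, 1 bits are ignored."""
    w = _ip(wildcard)
    return (_ip(addr) & ~w) == (_ip(base) & ~w)

def parse_standard_acl(text, number):
    """Return [(action, base, wildcard)] for one numbered standard ACL."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:2] != ["access-list", str(number)]:
            continue
        action, target = parts[2], parts[3]
        if target == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif target == "host":
            base, wildcard = parts[4], "0.0.0.0"
        else:
            base, wildcard = target, (parts[4] if len(parts) > 4 else "0.0.0.0")
        entries.append((action, base, wildcard))
    return entries

def evaluate(entries, src):
    """First matching statement wins; anything unmatched hits the implied deny."""
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # the implicit "deny all traffic" at the end of every list

def shadowed(entries):
    """Indexes of statements that can never match: an earlier statement already
    covers every address they describe (e.g. 'permit any' placed first)."""
    hidden = []
    for i, (_, base, wc) in enumerate(entries):
        for _, ebase, ewc in entries[:i]:
            ew = _ip(ewc)
            if (_ip(wc) & ~ew) == 0 and (_ip(base) & ~ew) == (_ip(ebase) & ~ew):
                hidden.append(i)
                break
    return hidden
```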

References:
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html

2 comments:

  1. YO BOY! I also don't know what to comment because this topic is quite simple. I'll write some common sense things here. I think ACL is useful for small companies that can't afford a firewall because a firewall is more expensive than a router.

  2. Sir Don,

    Your post and mine are similar :/ but not the same, of course.

    Anyway, I like your posts because they are straight to the point and you have paragraphed all your ideas very nicely :) Good job! And, compared to others, you have "discussed" the limitations when entering criteria statements. :D

    Hmm...perhaps, you may want to discuss how to configure ACLs on a router? By giving examples, I believe that readers can understand the topic better -> Random, idk what to say.

    So yeap, that concludes my comment. Hope to read more of your blog posts! Keep up with the good job, sir!

    Regards,
    CO Hetty
