{"id":769,"date":"2024-12-02T03:03:08","date_gmt":"2024-12-02T00:03:08","guid":{"rendered":"https:\/\/itgen.itbumper.com\/?page_id=769"},"modified":"2024-12-02T03:03:09","modified_gmt":"2024-12-02T00:03:09","slug":"0022_cisco-acls","status":"publish","type":"page","link":"https:\/\/itgen.itbumper.com\/?page_id=769","title":{"rendered":"0022_Cisco: ACLs"},"content":{"rendered":"<p style=\"text-align: justify;\" data-tadv-p=\"keep\"><strong>Access Control Lists (ACLs)<\/strong> are rules used to filter network traffic on routers and switches.<\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Standard ACL:<\/strong><br \/>Filters traffic based only on the source IP address.<br \/><strong>Number range:<\/strong> 1\u201399, 1300\u20131999.<\/li>\n<li><strong>Extended ACL:<\/strong><br \/>Filters traffic based on source, destination, protocol type, ports, and other parameters.<br \/><strong>Number range:<\/strong> 100\u2013199, 2000\u20132699.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\" data-tadv-p=\"keep\"><strong>Purpose:<\/strong> Access control, security enhancement, and traffic management.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n#ACL - Access Control List\n#Configuring an ACL in Global Config Mode will not make the ACL take 
effect\n#The ACL must be applied to an interface\n#ACLs are applied either inbound or outbound\n#ACLs are made up of one or more ACEs (Access Control Entries)\n#When the router checks a packet against the ACL, it processes the ACEs in order, from top to bottom\n#If the packet matches one of the ACEs in the ACL, the router takes the action and stops processing the ACL,\n#All entries below the matching entry will be ignored\n#Maximum of one ACL can be applied to a single interface per direction. Inbound - max one ACL, outbound - max one ACL\n\n#ACL 1\n#1: if source IP=192.168.1.0\/24 then permit\n#2: if source IP=192.168.2.0\/24 then deny\n#3: if source IP=any then permit\n#\n#ACL 2\n#1: if source IP=192.168.1.0\/24 then permit\n#2: if source IP=192.168.0.0\/16 then deny\n#A packet from 192.168.1.0\/24 will go out, but if you reverse the entries in ACL 2 it will not\n\n#Implicit deny\n#What happens if a packet doesn't match any of the entries in an ACL?\n#There is an &quot;implicit deny&quot; at the end of all ACLs\n#3: if source IP=any, then deny\n\n#ACL Types\n#Standard ACLs: Match based on Source IP address only\n#\t-Standard Numbered ACLs\t&lt;1-99&gt; and expanded range &lt;1300-1999&gt;\n#\t-Standard Named ACLs\t(identified by name, no number)\n#Extended ACLs: Match on Source\/Destination IP address and Source\/Destination port\n#\t-Extended Numbered ACLs\t&lt;100-199&gt; and expanded range &lt;2000-2699&gt;\n#\t-Extended Named ACLs\t(identified by name, no number)\n\n# The basic command to configure a standard numbered ACL is:\n\t\taccess-list &lt;number&gt; {deny | permit} &lt;IP address + wildcard mask&gt;\n#Example (all rules do the same):\n\t\taccess-list 1\tdeny 1.1.1.1 0.0.0.0\n\t\taccess-list\t1\tdeny 1.1.1.1\n\t\taccess-list 1\tdeny host 1.1.1.1\n#Because we have an implicit deny in each ACL it will deny all other traffic too\n#To avoid that, add this (rules below do the same action):\n\t\taccess-list 1 permit any\n\t\taccess-list 1 permit 0.0.0.0 255.255.255.255\n#To add a description to the ACL use:\n#\t\taccess-list 1 remark ##Block bad guy## \t\t# &quot;#&quot; is not 
necessary\n\tshow access-list\t\t\t\t\t\t\t\t#to show all ACLs\n\tshow ip access-list\n\tshow running-config | include access-list\n#To apply the ACL on the interface do:\n\t\tinterface &lt;interface&gt;\n\t\t\tip access-group &lt;ACL number&gt; {in | out}\n\n# Standard ACLs should be applied as close to the destination as possible!\n\n#Standard Named ACLs\n#Advantages of named ACL config mode\n#\t1:You can delete individual entries, but in global mode you can't do that. You can only delete the entire ACL\n#\t  Use: no &lt;sequence-number&gt;\n#\t2:You can insert new entries in between other entries by specifying the sequence-number\n\n\t\tip access-list standard &lt;ACL name&gt;\n\t\t\t&#x5B;sequence-number] {deny | permit} &lt;IP address + wildcard mask&gt;\n\n#Example:\n\t\tip access-list standard BLOCK_BAD_GUY\n\t\t\t5 deny 1.1.1.1\n\t\t\t10\tpermit any\n\t\t\tremark ##Configured 12\/01\/2024##\n\t\t\texit\n\t\tinterface g0\/0\n\t\t\tip access-group BLOCK_BAD_GUY in\n\tshow access-list\t\t# If you add | include access-list you will see only the name\n\n#Resequencing ACLs\n\t\tip access-list resequence &lt;ACL ID&gt; &lt;starting sequence-number&gt; &lt;increment&gt;\n#If the rules go like 1,2,3,4,5, then there is no opportunity to add a new entry between them\n#That is why we should use like 10,20,30,40,50\n#Example:\n\t\tip access-list resequence 1\t10\t10\n\t\t\t\t\t\t\t\t  |  |   |\n\t\t\t\t\t\t\t\t  |\t |\t increment by 10: 10,20,30 ...\n\t\t\t\t\t\t\t\t  |\t change the first entry number to 10\n\t\t\t\t\t\t\t\t  The ACL number\n\n#Extended ACL\n#\t-Extended Numbered ACLs\t&lt;100-199&gt;\n\t\taccess-list &lt;ACL number&gt; {permit | deny} protocol Src-IP Dst-IP\n\n#\t-Extended Named ACLs (also used for the expanded numbered range &lt;2000-2699&gt;)\n\t\tip access-list extended {name | ACL number}\n\t\t\t&#x5B;sequence-number] {permit | deny} protocol Src-IP Dst-IP\n#Examples of Extended ACLs\n\t\tip access-list extended {name | ACL number}\n\t\t\tpermit ip any any\t\t\t\t\t\t\t\t\t#to 
allow all traffic\n\t\t\tdeny udp 10.0.0.0 0.0.255.255 host 192.168.1.1\t\t#to prevent 10.0.0.0\/16 from sending UDP traffic to 192.168.1.1\n\t\t\tdeny icmp host 172.16.1.1 192.168.0.0 0.0.0.255\t\t#to prevent 172.16.1.1\/32 from pinging hosts 192.168.0.0\/24\n\n#Extended ACL matching the TCP or UDP port number\n\t\t\tdeny tcp &lt;src-ip&gt; {eq|gt|lt|neq|range} &lt;src-port number&gt; &lt;dst-ip&gt; {eq|gt|lt|neq|range} &lt;dst-port-number&gt;\n\n# eq=equal to port 80\n# gt=greater than 80 --&gt;81 and greater\n# lt=less than 80\t --&gt;79 and less\n# neq=not equal 80\t --&gt;not 80\n# range 80 100\t\t --&gt;from port 80 to port 100\n\n#Examples:\n#Allow traffic from 10.0.0.0\/16 to access the server at 2.2.2.2\/32 using HTTPS\n\t\tip access-list extended {name | ACL number}\n\t\t\tpermit tcp 10.0.0.0 0.0.255.255 2.2.2.2 0.0.0.0 eq 443\n\n#Prevent all hosts using source UDP port numbers from 20000 to 30000 from accessing the server at 3.3.3.3\/32\n\t\t\tdeny udp any range 20000 30000 host 3.3.3.3\n\n# Allow hosts in 172.16.1.0\/24 using all TCP source ports greater than 9999 to access all TCP ports on the server 4.4.4.4\/32, except port 23\n\t\t\tpermit tcp 172.16.1.0 0.0.0.255 gt 9999 host 4.4.4.4 neq 23\n\n#Extended ACLs should be applied as close to the source as possible, to limit how far packets travel in the network before being denied\n#Standard ACLs are less specific, so if they are applied close to the source there is a risk of blocking more traffic than intended\n\n\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"<p>Access Control Lists (ACLs) are rules used to filter network traffic on routers and 
switches.<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"categories":[],"tags":[],"_links":{"self":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages\/769"}],"collection":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=769"}],"version-history":[{"count":1,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages\/769\/revisions"}],"predecessor-version":[{"id":770,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages\/769\/revisions\/770"}],"wp:attachment":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}