An access list (ACL) is a mechanism for identifying particular traffic. One application of
an access list is filtering traffic into or out of a router interface. There are numerous
types of ACLs. IP standard access lists filter on the source IP address only, while
extended access lists filter on both source and destination IP addresses. You can also
specify the protocol to filter on (e.g. ip, tcp, udp, icmp). When specifying tcp or udp,
port numbers are chosen to permit or deny specific layer 4 traffic.
More detailed information regarding standard and extended ACLs is given on the
slides that follow.
As a general rule, extended ACLs should be placed close to the source while standard
ACLs should be placed close to the destination.
The order of the entries in an ACL is very important: each statement is checked from
top to bottom, and processing stops at the first match. That means the most specific
statements should be placed at the top of the list. Every ACL ends with an implicit deny,
so every ACL needs at least one permit statement to be useful.
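The following IOS configuration is an added example illustrating the rules above; it is not taken from the slides. The subnets, host addresses, interface names and ACL names are constructed for the example. The standard list is applied outbound on the interface nearest the protected destination, the extended list inbound on the interface nearest the source, and the specific deny is placed above the broad permit because the first match wins.

```cisco
! Standard ACL 10: matches on source only, so it is applied outbound on the
! interface closest to the destination (the server LAN).
access-list 10 remark Only the admin subnet may reach the server LAN
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny   any log
!
interface GigabitEthernet0/1
 description Server LAN (destination side)
 ip access-group 10 out
!
! Extended named ACL: matches source, destination, protocol and port, so it
! is applied inbound on the interface closest to the source and unwanted
! traffic is dropped before it crosses the router.  Entries are checked top
! to bottom and the first match wins: the specific deny sits above the broad
! permit.  Swapping these two lines would let the Telnet traffic through.
ip access-list extended FROM-USERS
 remark Block Telnet to the file server, allow everything else
 deny   tcp 192.168.20.0 0.0.0.255 host 10.1.1.5 eq 23 log
 permit ip any any
 ! An implicit "deny ip any any" follows the last line; without the
 ! permit above, all remaining traffic would be dropped.
!
interface GigabitEthernet0/0
 description User LAN (source side)
 ip access-group FROM-USERS in
```

Verify which entries are matching with `show ip access-lists`, which prints a hit counter per entry; a deny line with `log` also records matches to the console or syslog.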
The Cisco IOS software receives the Telnet packet and performs a user authentication
process. The user must pass authentication before access is allowed. Authentication
is performed either by the router itself or by a central access server such as a
TACACS+ or RADIUS server.
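As an added example (not from the slides), this IOS configuration shows the arrangement just described: VTY logins are authenticated against a central TACACS+ server, with the router's local user database as fallback when the server cannot be reached, and a standard ACL limits which sources may open a VTY session at all. The server address, subnet, usernames and the bracketed key and password are placeholders to be replaced.

```cisco
! Enable the AAA model so login authentication can be sent to a server.
aaa new-model
!
! Local account used only if the TACACS+ server is unreachable.
username admin privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
! Central access server (address and shared secret are placeholders).
tacacs server TACACS-PRIMARY
 address ipv4 10.1.1.10
 key <SHARED-SECRET>
!
! Method list: try TACACS+ first, fall back to the local database.
aaa authentication login VTY-LOGIN group tacacs+ local
aaa authorization exec VTY-LOGIN group tacacs+ local
!
! Standard ACL 5: only the management subnet may reach the VTY lines.
access-list 5 remark Management stations allowed to log in
access-list 5 permit 192.168.10.0 0.0.0.255
!
line vty 0 4
 access-class 5 in
 login authentication VTY-LOGIN
 authorization exec VTY-LOGIN
 transport input telnet ssh
```

`access-class` is the VTY counterpart of `ip access-group`: it is checked before the login prompt is ever shown, so a source outside ACL 5 never reaches the authentication step. Telnet carries the credentials in clear text; on routers that support it, restricting `transport input` to `ssh` keeps the same authentication flow over an encrypted session.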
Reflexive access lists are similar in many ways to other access lists. Reflexive access
lists contain condition statements (entries) that define criteria for permitting IP packets.
These entries are evaluated in order, and when a match occurs, no more entries are
evaluated.
However, reflexive access lists have significant differences from other types of access
lists. Reflexive access lists contain only temporary entries; these entries are
automatically created when a new IP session begins (for example, with an outbound
packet), and the entries are removed when the session ends. Reflexive access lists are
not themselves applied directly to an interface, but are nested within an extended
named IP access list that is applied to the interface. Also, reflexive access lists do not
have the usual implicit deny all traffic statement at the end of the list, because of the
nesting.
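The following configuration is an added example of a reflexive access list and is not part of the original slides. The interface name, server address and timeout values are assumptions. Outbound sessions create temporary entries through `reflect`; the inbound extended ACL nests the reflexive lists through `evaluate`, and because a reflexive list has no implicit deny of its own, the explicit deny at the end of the inbound list is what stops unsolicited traffic.

```cisco
! Outbound: each permitted TCP or UDP session creates a temporary mirrored
! entry (addresses and ports swapped) in the named reflexive list.  The
! entry is removed when the session ends or the timeout expires.
ip access-list extended OUTBOUND-FILTER
 permit tcp any any reflect TCP-RETURN timeout 300
 permit udp any any reflect UDP-RETURN timeout 60
 permit icmp any any
!
! Inbound: "evaluate" nests the reflexive lists at this point in the
! extended ACL.  The reflexive lists carry no implicit deny, so the
! explicit deny below is what drops inbound packets that match no
! temporary entry.
ip access-list extended INBOUND-FILTER
 remark Published web server reachable from anywhere
 permit tcp any host 10.1.1.80 eq 443
 evaluate TCP-RETURN
 evaluate UDP-RETURN
 deny   ip any any log
!
! Global default idle timeout for reflect entries with no explicit timeout
ip reflexive-list timeout 120
!
interface GigabitEthernet0/0
 description Untrusted network
 ip access-group OUTBOUND-FILTER out
 ip access-group INBOUND-FILTER in
```

`show ip access-lists` lists the temporary entries currently held in TCP-RETURN and UDP-RETURN alongside the static ones, which is the quickest way to confirm that a session opened from inside has created the expected return-path entry.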
Time-Based ACLs implement access lists based on the time of day. To do so, you
create a time range that defines specific times of the day and week. The time range is
identified by a name and then referenced by a function, so that those time restrictions
are imposed on the function itself.
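As an added example (not from the slides), this configuration defines two time ranges, a recurring one and an absolute one, and references them from entries in an extended ACL. The names, subnets, hours and the maintenance-window date are constructed for the example. An entry whose time range is inactive is skipped, so the packet continues to the next line of the list; the router clock therefore needs to be correct, normally via NTP, for these entries to behave as intended.

```cisco
! Recurring range: active Monday to Friday, 08:00 through 17:59.
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 17:59
!
! One-off range: a single scheduled maintenance window (constructed date).
time-range MAINTENANCE-WINDOW
 absolute start 22:00 1 March 2024 end 06:00 2 March 2024
!
ip access-list extended USER-POLICY
 remark Web access from the user LAN only during business hours
 permit tcp 192.168.20.0 0.0.0.255 any eq 80  time-range BUSINESS-HOURS
 permit tcp 192.168.20.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 remark Vendor host may reach the server over SSH only inside the window
 permit tcp host 192.168.20.50 host 10.1.1.5 eq 22 time-range MAINTENANCE-WINDOW
 ! Outside the active range the entries above are inactive, so traffic
 ! falls through to this explicit deny.
 deny   ip any any log
!
interface GigabitEthernet0/0
 description User LAN
 ip access-group USER-POLICY in
```

`show time-range` reports whether each range is currently active or inactive, and `show ip access-lists` marks time-range entries with their state, so both should be checked when a rule appears to match at the wrong time.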