ACLs
Standard ACL:
Standard access lists (1 – 99) match packets by examining the source IP address field in the packet's IP
header. Any bit positions in the 32-bit source IP address can be compared to the access list statements.
However, the matching is flexible and does not consider the subnet mask in use.
Access lists use the inverse mask, sometimes called the wildcard mask or I-mask. It is so named
because it inverts the meaning of the bits. In a normal mask, ones mean "must match," while zeroes
mean "may vary." For example, for two hosts to be on the same Class C network, the first 24 bits of their
address must match, while the last 8 may vary. Inverse masks swap the rules so that zeroes mean "must
match" and ones mean "may vary."
Extended ACL:
An extended access list (100 – 199) is an ordered list of statements that can deny or permit packets
based on source and destination IP address, port numbers and upper-layer protocols. A standard access
list can deny or permit packets by source address only, and it permits or denies the entire TCP/IP protocol suite.
"Extended" therefore means greater functionality and flexibility. An extended access list is a good
example of "packet filtering", where the flow of data packets through your network can be controlled: it can
filter based on source and destination, specific IP protocol and port number.
Note that an access list is an ordered list and therefore the sequence of your statements is crucial. Also,
at the end of the list is an implicit deny of everything that is not permitted. The best security practice is
to only allow packets that are explicitly permitted and deny everything else. The access list can always
be modified to include needed services.
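The matching rules above (wildcard bits, ordered first-match evaluation, implicit deny) as an added Python example that is not part of this lab; the addresses and the sample lists are constructed, written in the comments as the IOS statements they stand for.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def ip_int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverse (wildcard) mask for a prefix length, e.g. /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = may vary (the inverse of a netmask)."""
    return (ip_int(addr) ^ ip_int(base)) & ~ip_int(wildcard) == 0

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str                         # source address + wildcard (standard and extended)
    src_wc: str
    proto: str = "ip"                # extended only; "ip" matches any protocol
    dst: str = "0.0.0.0"             # extended only; defaults mean "any"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None      # extended only; None means any port

def evaluate(acl: List[Entry], src: str, dst: str = "0.0.0.0",
             proto: str = "ip", dport: Optional[int] = None) -> str:
    """Statements are tested in order; first match decides, no match is the implicit deny."""
    for e in acl:
        if (wildcard_match(src, e.src, e.src_wc)
                and wildcard_match(dst, e.dst, e.dst_wc)
                and e.proto in ("ip", proto)
                and e.dport in (None, dport)):
            return e.action
    return "deny"

# Constructed sample lists (made-up addresses):
# access-list 10 permit 192.168.1.0 0.0.0.255
STANDARD_10 = [Entry("permit", "192.168.1.0", "0.0.0.255")]
ANY = ("0.0.0.0", "255.255.255.255")
# access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
# access-list 110 deny   ip  192.168.1.0 0.0.0.255 host 10.0.0.5
# access-list 110 permit ip  any any
EXTENDED_110 = [
    Entry("permit", "192.168.1.0", "0.0.0.255", "tcp", "10.0.0.5", "0.0.0.0", 80),
    Entry("deny", "192.168.1.0", "0.0.0.255", "ip", "10.0.0.5", "0.0.0.0"),
    Entry("permit", *ANY, "ip", *ANY),
]
# Same statements with the deny moved first: the web traffic is now blocked too.
MISORDERED_110 = [EXTENDED_110[1], EXTENDED_110[0], EXTENDED_110[2]]
```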
Lab:
In this activity you will learn to configure and apply Standard and Extended access lists to control access
to devices within the network lab, as well as apply an access list as an access class to restrict telnet
access to some devices.
In addition to the basic activity there are some bonus tasks that will challenge you to create additional
Extended Access Control Lists to create a DMZ and allow certain types of traffic to and from some end
devices while denying all external access to other devices.
The initial Packet Tracer configuration of all routers, switches, and end devices has been completed. In
addition, the router labeled ISP has been configured as a route generator to simulate the internet.
The initial and finished router startup configuration files have been supplied to allow those that wish to
use GNS3 to complete the lab.