Access Control

The use of technology continues to grow in this digital age, along with the ever-increasing amount of data. An exponential volume of data crosses networks today. Without a security mechanism in place, each network has complete access to the other, with no way of distinguishing between authorized and unauthorized activity.

One of the fundamental steps necessary to control network access is the capability to control the flow of data within a network. One of the many ways to achieve this is to use an access control list, commonly referred to as an ACL. ACLs are effective, easy to configure, and available across all major Cisco products.

This chapter focuses primarily on the use and configuration of ACLs available on Cisco IOS and other devices for traffic filtering. The chapter also gives an overview of IP addressing, IP classes, subnets, and masks.

Traffic Filtering Using ACLs

Cisco IOS provides traffic-filtering capabilities through ACLs, with the ability to prevent traffic from entering or exiting the network. The use of an ACL is also sometimes referred to as filtering, because it regulates traffic by allowing or denying network access.

ACL Overview

An ACL is basically an ordered list of permit or deny statements that control network access to enforce a security policy. Statements are evaluated from the top down and the first match decides; a packet that matches no statement is dropped by the implicit deny at the end of every ACL.

ACLs are an integral part of an end-to-end security solution. Products and technologies such as firewalls, encryption and authentication, and intrusion detection and prevention solutions, however, should also be part of an integrated approach to implementing any corporate security policy.

ACL Applications

ACLs have many applications (available across all Cisco platforms), including traffic filtering; however, ACLs cannot be used as a replacement or substitute for context-based stateful firewalls, which are discussed further in Chapter 5, "Cisco IOS Firewall," and Chapter 6, "Cisco Firewalls: Appliance and Module."

ACLs are used in numerous ways. Some common applications of ACLs include the following:

Filtering routing information received from or sent to adjacent neighbor(s)

Controlling interactive access to prevent unauthorized access to the devices in the network, for example, console, Telnet, or SSH access

Controlling traffic flow and network access through devices

Securing the router by limiting access to services on the router such as Hypertext Transfer Protocol (HTTP), Simple Network Management Protocol (SNMP), and Network Time Protocol (NTP)

Defining interesting traffic for dial-on-demand routing (DDR)

Defining interesting traffic for IPsec virtual private network (VPN) encryption

Several applications in IOS quality of service (QoS) features

Extensive use in security techniques and technologies (for example, TCP Intercept and IOS Firewall)
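Two items from the list above, controlling interactive access to the device and limiting access to router services such as HTTP, SNMP, and NTP, can all be driven from one standard ACL. The following is an added configuration example and is not taken from the chapter; the management host 192.0.2.100 and the community string MGMT-RO are assumed values used only for illustration.

```cisco
! Added example: lock management of the router down to one assumed host.
! ACL 10 is a standard (source-address only) ACL; "log" on the final deny
! records attempts that hit the explicit deny instead of the silent implicit one.
access-list 10 remark Assumed management station allowed to manage this router
access-list 10 permit host 192.0.2.100
access-list 10 deny   any log
!
! Interactive access: only sources permitted by ACL 10 may open a vty session,
! and only over SSH (Telnet is refused regardless of source).
line vty 0 4
 access-class 10 in
 transport input ssh
!
! Router services: HTTP management and SNMP are limited to the same ACL.
! MGMT-RO is an assumed read-only community string, not a recommendation.
ip http access-class 10
snmp-server community MGMT-RO RO 10
!
! NTP: only hosts permitted by ACL 10 may act as NTP peers of the router.
ntp access-group peer 10
```

`show access-lists 10` displays per-entry match counters, so a rising count on the deny line is an early indicator of unauthorized management attempts. Note that `access-class` filters on source address only and does not replace authentication on the line, and that it has no effect on the physical console port.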

ACLs can be used to provide a basic level of security for all traffic accessing or traversing the network. If no ACLs are configured, all packets passing through the router are allowed onto all parts of the network.

For example, ACLs can allow one host to access the Internet and prevent another host from accessing it, as shown in Figure 2-1. Host A can access resources on the Internet, whereas access for Host B is denied. ACLs can also be used to determine what type of traffic is forwarded or blocked at the router interfaces. For example, all HTTP traffic can be permitted while FTP traffic is blocked. This is just a simple example; much more complex scenarios can be achieved by using ACLs.

Figure 2-1. Secure Router Using ACL
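The Figure 2-1 scenario, expressed as an IOS extended ACL applied inbound on the inside interface. This is an added configuration example and not the chapter's own figure or code; the addresses (Host A 192.0.2.10, Host B 192.0.2.20, an inside LAN of 192.0.2.0/24 on GigabitEthernet0/0) are assumptions, and 0.0.0.255 is a wildcard mask, which the following sections explain.

```cisco
! Added example: one extended ACL implements both parts of the scenario,
! per-host access (Host A allowed, Host B denied) and per-protocol access
! (HTTP permitted, FTP blocked) for the rest of the inside LAN.
ip access-list extended INSIDE-IN
 remark Host A (assumed 192.0.2.10): full Internet access
 permit ip host 192.0.2.10 any
 remark Host B (assumed 192.0.2.20): no Internet access at all. Entries are
 remark checked top down and the first match wins, so this deny must sit
 remark above the LAN-wide HTTP permit or Host B would still get HTTP.
 deny   ip host 192.0.2.20 any log
 remark Rest of the LAN: HTTP permitted; FTP and everything else falls
 remark through to the final deny.
 permit tcp 192.0.2.0 0.0.0.255 any eq www
 remark Every ACL ends with an invisible "deny ip any any"; an explicit copy
 remark with "log" makes what is being dropped visible.
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Inside LAN (protected zone); filter as packets enter the router
 ip address 192.0.2.1 255.255.255.0
 ip access-group INSIDE-IN in
```

Verify with `show ip access-lists INSIDE-IN`, whose per-entry match counters show which line a given flow hit. Because the ACL is stateless, it cannot track TCP state or follow FTP's separately negotiated data connection; that is the gap behind the warning above that ACLs are not a substitute for a stateful firewall. A `log` keyword on a busy deny line costs CPU, so apply `logging rate-limit` in production.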

When to Configure ACLs

ACLs can be used on a device as the first line of defense for the network. This can be achieved using an ACL on routers, switches, or firewalls that are placed between an internal network (protected zone) and an external network (unprotected zone), such as the Internet. ACLs can also be used on a device placed between two parts of the network, to control traffic entering or leaving a specific part of the network. Another option is to use ACLs to filter inbound traffic or outbound traffic on a device, or both. Direction is relative to the router: an inbound ACL is checked as packets arrive on an interface, an outbound ACL as they leave it, and only one ACL per protocol can be applied to an interface in each direction. ACLs should be defined on a per-protocol and per source/destination/port basis to achieve more granularity and control over various types of traffic.

To better understand the use of ACLs, the next sections provide an overview of basic IP addressing, subnets and masks, and IP classes.