2. Access Control List
• It is a Layer 3 security which controls the flow of
traffic from one router to another.
• It is also called as Packet Filtering Firewall.
2
3. ACL - Network Diagram
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
1.0 should not communicate with 2.0 network
3
1.0 should not communicate with 2.0 network
5. Standard Access List
• The access-list number lies between 1 – 99
• Can block a Network, Host and Subnet
• Two way communication is stopped
• All services are blocked.
• Implemented closest to the destination. (Guideline)
5
6. Extended Access List
• The access-list number lies between 100 – 199
• Can block a Network, Host, Subnet and Service
• One way communication is stopped
• Selected services can be blocked.
• Implemented closest to the source. (Guideline)
6
7. Terminology
• Deny : Blocking a Network/Host/Subnet/Service
• Permit : Allowing a Network/Host/Subnet/Service
• Source Address : The address of the PC from where
the request starts. Show Diagram
• Destination address : The address of the PC where the
request ends.
• Inbound : Traffic coming into the interface
• Outbound : Traffic going out of the interface
7
9. Wild Card Mask
• Tells the router which addressing bits must
match in the address of the ACL statement.
• It’s the inverse of the subnet mask, hence is also
called as Inverse mask.
• A bit value of 0 indicates MUST MATCH (Check Bits)
• A bit value of 1 indicates IGNORE (Ignore Bits)
• Wild Card Mask for a Host will be always 0.0.0.0
9
10. Wild Card Mask
• A wild card mask can be calculated using
the formula :
Global Subnet Mask
– Customized Subnet Mask
------------------------------Wild Card Mask
E.g.
255.255.255.255
– 255.255.255.240
--------------------0. 0. 0. 15
10
12. ACL - Network Diagram
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
1.0 should not communicate with 2.0 network
1.0 should not communicate with 2.0 network
12