You're reading from Implementing and Administering Cisco Solutions: 200-301 CCNA Exam Guide

Product type: Book
Published in: Nov 2020
Publisher: Packt
ISBN-13: 9781800208094
Edition: 1st Edition

Author: Glen D. Singh
Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

Chapter 13: Implementing Access Control Lists

Whenever the need arises to interconnect two or more networks, a router is always the preferred choice, simply because the primary function of a router is to forward packets between networks. However, the Cisco IOS router has many more features aside from simply forwarding. One major feature is to filter traffic based on its source and destination. This feature simply enables the Cisco IOS router to perform packet filtering in a similar fashion to a firewall appliance on the network.

Throughout this chapter, you will learn how Access Control Lists (ACLs) can be applied to a Cisco IOS router to filter both inbound and outbound traffic. Furthermore, you will discover the various types of ACLs and how they can be used in various situations to allow or deny traffic between networks.

In this chapter, we will cover the following topics:

  • What are ACLs?
  • ACL operation
  • ACL wildcard masks
  • Working with standard ACLs
  • Working...

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

  • Cisco Packet Tracer

The code files for this chapter are available at https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2013.

Check out the following video to see the Code in Action: https://bit.ly/3cqh8JX

What are ACLs?

As you have learned so far, routers are used to forward traffic between different networks. As a packet enters an inbound interface of a router, the operating system reads the Layer 3 header information, such as the source and destination IP addresses, and checks the routing table for a suitable route. Once a route has been found, the router forwards the packet through an outbound interface toward its destination. Ensuring that every user can send and receive messages is excellent for connectivity, but what about security, and restricting the flow of traffic between certain networks?

The Cisco IOS router has many features and can perform a variety of roles on a network. One such feature is traffic filtering between networks, using the same kind of ordered rule list that firewall appliances use, known as an ACL.

Important note

Firewall appliances use a variety of methods to filter inbound and outbound traffic...

ACL operation

ACLs are ordered lists of rules created by a network professional on a router or firewall appliance to filter traffic entering or leaving the device. Each rule is either a permit or a deny statement and is referred to as an Access Control Entry (ACE); the ACEs are what actually allow or block packets between networks. When a packet arrives on, or is about to leave, an interface with an ACL applied in that direction, the router compares the packet against each ACE, starting with the first entry at the top of the list and moving down until a match is found. Once a matching ACE is found, the router stops searching and executes that entry's action, either permitting or denying the traffic; later ACEs are never consulted for that packet, so the order in which entries are written determines the outcome. This process is known as packet filtering.

Important note

If no matches are found in the ACLs, the packet is discarded by the router. The last ACE within all ACLs is an implicit deny statement. An implicit deny statement simply states that if no matches are found in the previous...

ACL wildcard masks

When creating an ACE, you may need to specify a network ID and the range of addresses it covers. However, an ACE does not accept a subnet mask; Cisco IOS expects a wildcard mask instead. A wildcard mask is a 32-bit binary string that tells the router which bits of the address must match and which bits to ignore.

As with a subnet mask, ones and zeroes are used to indicate the network and host portions of an IP address. For example, the ones within a subnet mask are used to identify the network portion of an address, while the zeroes are used to identify the host portion. Within a wildcard mask, these bits are used for a different purpose. Here, the ones and zeroes are used to filter either a group of addresses or a single IP address to decide whether to permit or deny access to a network resource.

In a wildcard mask, the zeroes are used to match the corresponding bit value...
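Wildcard-mask arithmetic in code, as an added example that is not from the book. It uses only the Python standard library, and the function names are my own. It goes a little beyond the text by also handling non-contiguous wildcard masks (for instance 0.0.0.254, which selects only the even-numbered hosts of a /24), something a subnet mask cannot express:

```python
# Added example, not from the book: deriving Cisco wildcard masks and testing what
# they match. Standard library only; the function names are my own assumptions.
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet_mask(mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return _to_dotted(_to_int(mask) ^ ALL_ONES)

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network, e.g. /26 -> 0.0.0.63."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return wildcard_from_subnet_mask(_to_dotted(subnet_mask))

def matches(address: str, pattern: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the pattern bit. Wildcard bit 1: ignored.
    The check is (address XOR pattern) AND NOT wildcard == 0."""
    care = ~_to_int(wildcard) & ALL_ONES            # bits the router must compare
    return ((_to_int(address) ^ _to_int(pattern)) & care) == 0

def match_count(wildcard: str) -> int:
    """Number of addresses a pattern/wildcard pair covers: 2 ** (count of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")

def matched_hosts(pattern: str, wildcard: str, limit: int = 256) -> list:
    """Enumerate every address a pair matches. The 1 bits of a wildcard need not be
    contiguous, so 0.0.0.254 selects only the even-numbered hosts of a /24."""
    if match_count(wildcard) > limit:
        raise ValueError("wildcard covers too many addresses to enumerate")
    p, w = _to_int(pattern), _to_int(wildcard)
    free_bits = [bit for bit in range(32) if (w >> bit) & 1]
    base = p & ~w & ALL_ONES                          # pattern with the ignored bits cleared
    hosts = []
    for n in range(1 << len(free_bits)):
        value = base
        for k, bit in enumerate(free_bits):
            if (n >> k) & 1:
                value |= 1 << bit
        hosts.append(_to_dotted(value))
    return hosts
```

Two pairs worth keeping in mind while reading the rest of the chapter: a wildcard of 0.0.0.0 matches exactly one host (IOS also accepts the host keyword for this), and 255.255.255.255 matches every address (the any keyword).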

Working with standard ACLs

When creating a numbered standard ACL on a Cisco IOS router, the ACL must first be created on the device and then applied to an interface to filter traffic. Numbered standard ACLs use the following range of numbers:

  • 1 to 99
  • 1300 to 1999

To create a numbered standard ACL on a Cisco IOS router, use the access-list global configuration command followed by a number within the range of 1 to 99 or 1300 to 1999. With these two ranges, there can be up to 799 uniquely numbered standard ACLs on a single router.

Creating a numbered standard ACL

The following is the full syntax used to create a numbered standard ACL:

Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]

The remark keyword lets you insert a description into the ACL (the text that follows remark is stored instead of a source address), and the log keyword generates a Syslog message when a packet matches that ACE. IOS rate-limits ACL logging and it adds CPU load on the router, so apply log to the specific entries you need to watch rather than to every ACE. Additionally, an ACL can contain more than one ACE, and the entries are evaluated in the order they were entered.

The...

Working with extended ACLs

Extended ACLs are often the preferred choice because they can match on the protocol, the destination address and the source or destination port, whereas a standard ACL matches on the source address alone. Extended ACLs use the following range of numbers:

  • 100 to 199
  • 2000 to 2699

To create a numbered extended ACL on a Cisco IOS router, use the access-list global configuration command, followed by a number within the range of 100 to 199 or 2000 to 2699.

Creating a numbered extended ACL

The following is the full syntax used to create a numbered extended ACL:

Router(config)# access-list access-list-number { deny | permit | remark } protocol source source-wildcard [ operator port-number-or-name ] destination destination-wildcard [ operator port-number-or-name ]

The following is a description of the new syntax used within an extended ACL:

  • protocol: Specifies the protocol type, such as IP, ICMP, TCP, and UDP.
  • operator: Used to compare the source or destination ports....
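The ACL operation described earlier (top-down, first match wins, implicit deny at the end) together with the standard and extended syntax above, as an added example that is not from the book. The code reads access-list lines in the chapter's numbered syntax and evaluates packets against them the way the router would; the packet dictionary format, the ACE dataclass and all helper names are my own assumptions, and only the destination-port operator is parsed (IOS also accepts one after the source). Cisco IOS itself is not involved:

```python
# Added example, not from the book: a model of how Cisco IOS walks a numbered standard
# or extended ACL, driven by access-list lines written in the chapter's syntax. The
# packet dict format and all helper names are my own assumptions; IOS is not run here.
import ipaddress
from dataclasses import dataclass
from typing import Optional

STANDARD_RANGES, EXTENDED_RANGES = ((1, 99), (1300, 1999)), ((100, 199), (2000, 2699))
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # a few IOS port keywords
OPERATORS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
             "gt": lambda a, b: a > b, "lt": lambda a, b: a < b}

def acl_type(number: int) -> str:
    """Standard ACLs use 1-99 and 1300-1999; extended ACLs use 100-199 and 2000-2699."""
    for kind, ranges in (("standard", STANDARD_RANGES), ("extended", EXTENDED_RANGES)):
        if any(lo <= number <= hi for lo, hi in ranges):
            return kind
    raise ValueError(f"{number} is outside the numbered standard/extended ACL ranges")

@dataclass
class ACE:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip", "tcp", "udp", "icmp"; standard ACEs are "ip"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"              # standard ACEs never look at the destination
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[tuple] = None  # (operator, port) or None
    log: bool = False

def _addr_wc(tokens, i, wildcard_optional):
    # Parse `any` | `host A` | `A WILDCARD` (or a bare `A` in a standard ACL) at tokens[i].
    t = tokens[i]
    if t == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if wildcard_optional and i + 1 >= len(tokens):
        return (t, "0.0.0.0"), i + 1          # IOS treats a missing wildcard as 0.0.0.0
    return (t, tokens[i + 1]), i + 2

def parse_line(line: str):
    """Return (acl_number, ACE) for one access-list line, or (acl_number, None) for a remark."""
    tokens = line.split()[1:]                 # drop the leading "access-list" keyword
    number, action = int(tokens[0]), tokens[1]
    kind = acl_type(number)
    if action == "remark":
        return number, None
    log = tokens[-1] == "log"
    tokens = tokens[:-1] if log else tokens
    if kind == "standard":
        (src, wc), i = _addr_wc(tokens, 2, wildcard_optional=True)
        return number, ACE(action, "ip", src, wc, log=log)
    protocol = tokens[2]
    (src, swc), i = _addr_wc(tokens, 3, wildcard_optional=False)
    (dst, dwc), i = _addr_wc(tokens, i, wildcard_optional=False)
    dport = None
    if i < len(tokens) and tokens[i] in OPERATORS:   # e.g. "eq telnet" or "gt 1023"
        dport = (tokens[i], int(PORT_NAMES.get(tokens[i + 1], tokens[i + 1])))
    return number, ACE(action, protocol, src, swc, dst, dwc, dport, log)

def load_acls(lines):
    """Group ACEs by ACL number, in the order they were entered (remarks are skipped)."""
    acls = {}
    for number, ace in map(parse_line, lines):
        if ace is not None:
            acls.setdefault(number, []).append(ace)
    return acls

def _wc_match(addr, pattern, wildcard):
    a, p, w = (int(ipaddress.IPv4Address(x)) for x in (addr, pattern, wildcard))
    return ((a ^ p) & (~w & 0xFFFFFFFF)) == 0  # wildcard bit 1 means "ignore this bit"

def ace_matches(ace: ACE, pkt: dict) -> bool:
    if ace.protocol not in ("ip", pkt["proto"]):
        return False
    if ace.dst_port is not None:
        op, port = ace.dst_port
        if pkt.get("dport") is None or not OPERATORS[op](pkt["dport"], port):
            return False
    return _wc_match(pkt["src"], ace.src, ace.src_wc) and _wc_match(pkt["dst"], ace.dst, ace.dst_wc)

def evaluate(acl, pkt):
    """Top-down, first match wins: returns (action, ace_index, logged). No match returns
    ("deny", None, False), the implicit deny that ends every ACL."""
    for index, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, index, ace.log
    return "deny", None, False

# Constructed configuration lines, in the chapter's numbered-ACL syntax.
CONFIG = [
    "access-list 10 remark Hosts allowed into the management network",
    "access-list 10 permit host 192.168.1.10",
    "access-list 10 permit 192.168.2.0 0.0.0.255 log",
    "access-list 110 deny tcp 192.168.1.0 0.0.0.255 any eq telnet",
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any",
]
ACLS = load_acls(CONFIG)
```

With the constructed ACL 110, a Telnet session from 192.168.1.5 hits the first ACE and is denied, an SSH session from the same host falls through to the second ACE and is permitted, and a packet from 10.1.1.1 matches nothing and is dropped by the implicit deny. Swap the two ACL 110 lines and the permit ip entry matches the Telnet packet first, so the deny is never reached; that ordering mistake is the most common way an ACL ends up allowing what it was written to block.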

Summary

Throughout this chapter, we've discussed the roles and functions that ACLs play on an enterprise network. We also dived into discussing the operations of ACLs on a Cisco IOS router and how they are applied to an interface. Lastly, we covered both standard and extended ACLs and how they can be used in various situations.

Having completed this chapter, you have learned how to configure both standard and extended ACLs on a Cisco router. Furthermore, you have learned how ACLs function and filter traffic based on their ACEs.

I hope this chapter has been informative for you and that it will prove helpful in your journey toward learning how to implement and administer Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Chapter 14, Implementing Layer 2 and Wireless Security, you will learn about various Layer 2 attacks and how to implement mitigation techniques and countermeasures.

Questions

The following is a short list of review questions to help reinforce your learning and help you identify areas that may require some improvement:

  1. Which type of ACL allows you to filter Telnet traffic?

    A. Inbound

    B. Outbound

    C. Standard

    D. Extended

  2. Which type of ACL allows you to filter traffic based on its origin?

    A. Outbound

    B. Standard

    C. Inbound

    D. Extended

  3. If a packet does not match any ACEs within an ACL, what will the router do?

    A. Allow the packet.

    B. Return the packet to the sender.

    C. Drop the packet.

    D. Do nothing.

  4. An inbound ACL has which of the following characteristics?

    A. It filters traffic as it enters a router.

    B. It filters traffic before it leaves a router.

    C. It stops a router from performing a route lookup.

    D. It filters traffic after it leaves a router.

  5. Which command can be used to verify the direction in which an ACL is filtering traffic?

    A. show access-lists

    B. show access control lists

    C. show interface

    D. show ip interface

  6. Which of the following...