Traffic that is generated by the router itself, ACL is going to filter only trit traffic.
At the end of each access list, there is an implicit deny statement denying any packet for which the match has not been found in the access list.
Access Control List is a packet filtering method that filters the IP packets based on source and destination address. It is a set of rules and conditions that permit or deny IP packets to exercise control over network traffic.
Access-List is going to filter incoming as well as outgoing traffic on the router interface.
We can apply access list in two directions:-
@Using a wildcard mask "0.0.0.0"
Example: - 192.168.1.1 0.0.0.0 or
@Using keyword "Host"
Example: - Host 192.168.1.1
Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated against any more access list statements. Because of this, the order of the statements within any access list is significant. There is an implicit “deny” at the end of each access list which me that if a packet does not match the condition on any of the lines in the access list, the packet will be discarded.
When an access-list is applied to inbound packets on interface, those packets are first processed through ACL and then routed. Any packets that are denied won’t be routed. When an access-list is applied to outbound packets on interface, those packets are first routed to outbound interface and than processed through ACL.
Default Wild Card Mask for Access-List is 0.0.0.0
Wildcard mask is used with ACL to specify an individual hosts, a network, or a range of network. Whenever a zero is present, it indicates that octet in the address must match the corresponding reference exactly. Whenever a 255 is present, it indicates those octets need not to be evaluated.
Wildcard Mask is completely opposite to subnet mask.
Example:- For /24
There are two main types of Access lists:-
Extended Access List filters the network traffic based on the Source IP address, Destination IP address, Protocol Field in the Network layer, Port number field at the Trport layer. Extended Access List ranges from 100 to 199, In expanded range 2000-269@Extended Access List should be placed as close to source as possible. Since extended access list filters the traffic based on specific addresses (Source IP, Destination IP) and protocols we don’t want our traffic to traverse the entire network just to be denied wasting the bandwidth.
It is just another way of creating Standard and Extended ACL. In Named ACL names are given to identify access-list.
It has following advantage over Number ACL - In Name ACL we can give sequence number which me we can insert a new statement in middle of ACL.
Standard Access List examines only the source IP address in an IP packet to permit or deny that packet. It cannot match other field in the IP packet. Standard Access List can be created using the access-list numbers 1-99 or in the expanded range of 1300-199@Standard Access List must be applied close to destination. As we are filtering based only on source address, if we put the standard access-list close to the source host or network than nothing would be forwarded from source.
We can assign only one access list per interface per protocol per direction which me that when creating an IP access lists, we can have only one inbound access list and one outbound access list per interface. Multiple access lists are permitted per interface, but they must be for a different protocol.