Access Control Lists for Traffic Control - www.ipcisco.com

Access Control Lists for Traffic Control


There are various ways to control network traffic. One of the common ways is to use Access Control Lists (ACLs). There are three types of access lists:

Router Access Control Lists (RACLs)
Port Access Control Lists (PACLs)
VLAN Access Control Lists (VACLs)

RACL is the best-known type; when "ACL" is used on its own, it usually means a RACL. A RACL filters traffic at layer 3, on routed interfaces, and can be applied in either direction. A PACL filters traffic arriving on a layer 2 switchport; it can be applied only in the inbound direction because of a hardware limitation on the switch for outbound filtering. A VACL filters traffic within a VLAN, including traffic bridged between ports of the same VLAN, which never crosses a routed interface and so is never seen by a RACL. Whichever type is used, the entries are evaluated top-down, the first matching entry wins, and every ACL ends with an implicit "deny ip any any", so anything that is not explicitly permitted is dropped.

The topology below is used to explain all three ACL types.


RACLs (Router Access Control Lists)


As mentioned before, RACLs are used to control layer 3 traffic. They can be applied in both the inbound and the outbound direction. Below, the links on which RACLs can be applied are highlighted.


RACL for both directions

RACLs Configuration


Assume that we have a gigabitethernet 1/0/1 port on our router and we will apply a RACL to this interface in both the inbound and the outbound direction. First we define each RACL (named extended ACLs are used here), then we apply it to the interface with ip access-group and the direction keyword.

Here are the configuration commands:

RouterA# configure terminal
RouterA(config)# ip access-list extended my_out
RouterA(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 any
RouterA(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any
RouterA(config-ext-nacl)# exit
RouterA(config)# interface gig 1/0/1
RouterA(config-if)# ip access-group my_out out
RouterA(config-if)# exit
RouterA(config)# ip access-list extended my_in
RouterA(config-ext-nacl)# deny tcp any 192.168.10.0 0.0.0.255 eq ftp
RouterA(config-ext-nacl)# deny ip host 192.168.2.3 any
RouterA(config-ext-nacl)# permit ip any any
RouterA(config-ext-nacl)# exit
RouterA(config)# interface gig 1/0/1
RouterA(config-if)# ip access-group my_in in
RouterA(config-if)# exit

With these ACLs, my_out lets only the 192.168.10.0/24 and 192.168.20.0/24 subnets leave the interface (anything else hits the implicit deny at the end of the list), and my_in blocks FTP (TCP port 21) to 192.168.10.0/24 and all traffic from host 192.168.2.3 before permitting everything else. Because the first matching entry wins, the two deny entries must come before the permit ip any any; placed after it they would never be reached. To check the configuration and the assignment of the RACLs to the port, use the following show commands:

show ip interface gigabitethernet 1/0/1
show running-config interface gigabitethernet 1/0/1

PACLs (Port Access Control Lists)



On layer 2 (switchport) interfaces PACLs are used instead of RACLs. PACLs can be applied only in the inbound direction because of the switch hardware limitation. Below, the ports on which PACLs can be applied are highlighted.


PACL for inbound direction only

PACLs Configuration

Here, the PACL is applied to gigabitethernet 1/0/1 again. For a PACL the interface must be a layer 2 switchport, and the only direction available is inbound. The ACL pacl1 permits only traffic sourced from host 192.168.10.15; anything else arriving on the port is dropped by the implicit deny.

Here are the configuration commands:

RouterA# configure terminal
RouterA(config)# ip access-list extended pacl1
RouterA(config-ext-nacl)# permit ip host 192.168.10.15 any
RouterA(config-ext-nacl)# exit
RouterA(config)# interface gig 1/0/1
RouterA(config-if)# ip access-group pacl1 in
RouterA(config-if)# exit

VACLs (VLAN Access Control Lists)


VACLs are applied to a VLAN rather than to an interface. They are not directional: every packet in the VLAN, whether bridged between ports of the VLAN or routed into or out of it, is checked, so no direction keyword is used with VACLs. A VACL is built from a VLAN access-map with two keywords, "match" and "action". "match" selects the traffic a rule applies to, and "action" (forward or drop) says what happens to the selected traffic. An access-map can contain more than one rule, each rule must have a unique sequence number, and the rules are tried in sequence order.

The traffic to be matched is described by an ordinary access-list referenced from the match clause, and its entries are written with the permit keyword. Here "permit" does not permit anything: the access-list is only the matching mechanism, a "permit" entry means "this packet matches the rule", and a "deny" entry means "this packet does not match this rule, try the next sequence". Whether matched traffic is forwarded or dropped is decided solely by the action keyword. A packet that matches no rule in the access-map is dropped, so a final rule that forwards the remaining traffic is normally needed.

One further point: a rule without a match clause matches every packet.


VACL location

VACLs Configuration
Here, the VACL is not applied to an interface. It is defined as an access-map and then applied to a VLAN (VLAN 2 in this example) with the vlan filter command.

Here are the configuration commands:

RouterA# configure terminal
RouterA(config)# ip access-list extended vacl1_acl
RouterA(config-ext-nacl)# permit tcp any any eq telnet
RouterA(config-ext-nacl)# exit
RouterA(config)# vlan access-map vacl1 10
RouterA(config-access-map)# match ip address vacl1_acl
RouterA(config-access-map)# action drop
RouterA(config-access-map)# exit
RouterA(config)# vlan access-map vacl1 20
RouterA(config-access-map)# action forward
RouterA(config-access-map)# exit
RouterA(config)# vlan filter vacl1 vlan-list 2
RouterA(config)# exit

In the above configuration we first create an extended ACL, vacl1_acl, that matches telnet (TCP port 23) between any two hosts. Then we define two rules in the access-map vacl1: sequence 10 matches vacl1_acl and drops that traffic, and sequence 20 has no match clause, so it matches all remaining traffic and forwards it. Without sequence 20, every non-telnet packet in the VLAN would be dropped, because a packet that matches no rule of the access-map is dropped. Lastly we apply the access-map to VLAN 2 with vlan filter.

To verify the configuration use the following commands:

show vlan filter
show vlan access-map
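The behaviour described in the RACL, PACL and VACL sections above (wildcard masks, top-down first-match evaluation, the implicit deny at the end of every ACL, and the access-map rule that "permit" only means "this sequence matches") can be checked against a small reference model. The following Python is an added example written for this page, not Cisco code and not a Cisco API; it transcribes the ACLs from the article into a data structure and evaluates constructed sample packets against them. It models only the fields the article's ACLs use (protocol, source, destination and destination port); the Packet and Ace names and the sample addresses are assumptions made here.

```python
"""
Reference model of the evaluation rules behind the three ACL types on this page.
Added illustration, not Cisco code: wildcard masks, first-match evaluation, the
implicit 'deny ip any any' at the end of every ACL, and the VLAN access-map rule
that a 'permit' entry only means 'this sequence matches'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"              # "ip" (any other IP protocol), "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One entry, e.g. 'deny tcp any 192.168.10.0 0.0.0.255 eq 21'."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every IP protocol
    src: str                       # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    dport: Optional[int] = None    # the 'eq <port>' qualifier, if any


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        net, wild = parts[1], 0
    else:
        net, wild = parts[0], int(ipaddress.IPv4Address(parts[1]))
    # Wildcard mask: a 1 bit means "don't care", a 0 bit must match exactly.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)


def acl_lookup(acl: List[Ace], pkt: Packet) -> Optional[str]:
    """Entries are tested top-down and the first match wins; None = nothing matched."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return None


def racl_decision(acl: List[Ace], pkt: Packet) -> str:
    """RACL or PACL applied with 'ip access-group': first match, else the implicit deny."""
    return acl_lookup(acl, pkt) or "deny"


AccessMap = List[Tuple[int, Optional[List[Ace]], str]]   # (sequence, match ACL or None, action)


def vacl_decision(access_map: AccessMap, pkt: Packet) -> str:
    """VLAN access-map: sequences are tried in order.  A 'permit' hit in the matched
    ACL means this sequence applies; a 'deny' hit or no hit means 'try the next
    sequence'.  A packet that matches no sequence is dropped."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_lookup(acl, pkt) == "permit":   # no match clause = match all
            return action
    return "drop"


# The article's ACLs, transcribed (ftp = TCP 21, telnet = TCP 23).
MY_OUT = [Ace("permit", "ip", "192.168.10.0 0.0.0.255", "any"),
          Ace("permit", "ip", "192.168.20.0 0.0.0.255", "any")]
MY_IN = [Ace("deny", "tcp", "any", "192.168.10.0 0.0.0.255", 21),
         Ace("deny", "ip", "host 192.168.2.3", "any"),
         Ace("permit", "ip", "any", "any")]
PACL1 = [Ace("permit", "ip", "host 192.168.10.15", "any")]
VACL1_ACL = [Ace("permit", "tcp", "any", "any", 23)]
VACL1: AccessMap = [(10, VACL1_ACL, "drop"), (20, None, "forward")]
# Ordering pitfall: with 'permit ip any any' first, the two deny lines never fire.
MY_IN_MISORDERED = [MY_IN[2], MY_IN[0], MY_IN[1]]

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    ftp_in = Packet("10.1.1.1", "192.168.10.5", "tcp", 21)
    print("my_in, FTP to 192.168.10.5:", racl_decision(MY_IN, ftp_in))             # deny
    print("my_in misordered, same packet:", racl_decision(MY_IN_MISORDERED, ftp_in))  # permit
    print("my_out, from 192.168.30.7:", racl_decision(MY_OUT, Packet("192.168.30.7", "8.8.8.8")))  # deny
    print("pacl1, from 192.168.10.16:", racl_decision(PACL1, Packet("192.168.10.16", "8.8.8.8")))  # deny
    print("vacl1, telnet in VLAN 2:", vacl_decision(VACL1, Packet("192.168.10.5", "192.168.10.6", "tcp", 23)))  # drop
    print("vacl1, SSH in VLAN 2:", vacl_decision(VACL1, Packet("192.168.10.5", "192.168.10.6", "tcp", 22)))     # forward
```

The last two cases are the ones worth remembering when writing a VACL: removing sequence 20 from VACL1 turns the SSH result from forward into drop, because nothing in the access-map matched and the fall-through is a drop, whereas in the RACL the same fall-through is the implicit deny at the end of the ACL.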





About the Author
Gokhan Kosem is a telecommunication and network engineer. His enthusiasm for IP networks and end-to-end system installation led him to prepare this web site. By sharing his experience with various networking protocols, with system installation and with the configuration of Cisco, Juniper and Alcatel-Lucent devices, he aims to be helpful to his colleagues all over the world. He currently lives in Istanbul, Turkey.

One comment for “Access Control Lists for Traffic Control”

1
vikas

Thanks boss, it's really helpful for learning.

January 11th, 2017 at 21:16


