Access Control Lists for Traffic Control


There are various ways to control network traffic. One of the common ways to do this is to use Access Control Lists. Three types of access lists are used for this purpose. These are:

Router Access Control Lists (RACLs)
Port Access Control Lists (PACLs)
VLAN Access Control Lists (VACLs)

RACL is the best-known type of Access Control List. Generally, when the abbreviation ACL is used on its own, it means RACL. A RACL is used to control traffic at layer 3. A Port Access Control List is used to control inbound traffic on a layer 2 port. It is only applied in the inbound direction because there is a hardware limitation for the outbound direction. The last one, the VLAN Access Control List, is used to control traffic within a VLAN.

The topology below will help to explain all these ACL types.


RACLs (Router Access Control Lists)

As mentioned before, RACLs are used for controlling layer 3 traffic. These ACLs can be applied in both the inbound and outbound directions. Below, the links on which RACLs can be applied are highlighted.


RACL for both directions


RACLs Configuration

Assume that we have a GigabitEthernet 1/0/1 port on our router and we will add a RACL to this interface in both the inbound and outbound directions. First we must define the RACL, and then we apply the RACL to the interface.

Here are the configuration commands:

RouterA# configure terminal
RouterA(config)# ip access-list extended my_out
RouterA(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 any
RouterA(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any
RouterA(config-ext-nacl)# exit
RouterA(config)# interface gig 1/0/1
RouterA(config-if)# ip access-group my_out out
RouterA(config-if)# exit
RouterA(config)# ip access-list extended my_in
RouterA(config-ext-nacl)# deny tcp any 192.168.10.0 0.0.0.255 eq ftp
RouterA(config-ext-nacl)# deny ip host 192.168.2.3 any
RouterA(config-ext-nacl)# permit ip any any
RouterA(config-ext-nacl)# exit
RouterA(config)# interface gig 1/0/1
RouterA(config-if)# ip access-group my_in in
RouterA(config-if)# exit

To verify the configuration and the RACL assignment to the port, use the following show commands:

show ip interface gigabitethernet 1/0/1
show running-config interface gigabitethernet 1/0/1
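To see how the router actually decides on a packet, here is an added example (not part of the lesson) that models IOS extended-ACL semantics in Python: wildcard masks are inverted netmasks, entries are evaluated top-down with the first match winning, `ip` entries match every protocol, `eq ftp` matches TCP destination port 21, and a packet that matches nothing hits the implicit `deny ip any any`. The entries are the two RACLs above; the evaluator assumes contiguous wildcard masks and only the keywords used on this page.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80}  # IOS keywords -> TCP ports


def _take_addr(tokens):
    """Consume one IOS address specifier: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    token = tokens.pop(0)
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A wildcard mask is an inverted netmask: 0.0.0.255 -> /24 (contiguous masks only here)
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    return ipaddress.ip_network((token, 32 - wildcard.bit_length()), strict=False)


def parse_ace(line):
    """Parse one extended access-list entry, e.g. 'deny tcp any 192.168.10.0 0.0.0.255 eq ftp'."""
    tokens = line.split()
    ace = {"action": tokens.pop(0), "proto": tokens.pop(0)}
    ace["src"] = _take_addr(tokens)
    ace["dst"] = _take_addr(tokens)
    ace["dport"] = None
    if tokens and tokens[0] == "eq":  # optional destination-port match
        port = tokens[1]
        ace["dport"] = PORT_NAMES.get(port) or int(port)
    return ace


def evaluate(acl, src, dst, proto="ip", dport=None):
    """First-match evaluation as IOS does it; falling off the end is the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue  # an 'ip' entry matches every protocol, others must match exactly
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


# The two RACLs from the lesson, in the order they were entered.
MY_OUT = [parse_ace(l) for l in ["permit ip 192.168.10.0 0.0.0.255 any",
                                 "permit ip 192.168.20.0 0.0.0.255 any"]]
MY_IN = [parse_ace(l) for l in ["deny tcp any 192.168.10.0 0.0.0.255 eq ftp",
                                "deny ip host 192.168.2.3 any",
                                "permit ip any any"]]

if __name__ == "__main__":
    print(evaluate(MY_IN, "10.0.0.5", "192.168.10.7", "tcp", 21))  # deny (FTP into 192.168.10.0/24)
    print(evaluate(MY_OUT, "192.168.30.1", "8.8.8.8"))             # deny (implicit deny at the end)
```

Note that my_out has no `permit ip any any`, so any source outside the two /24s is silently dropped on egress; that is the implicit deny, not a configured entry.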

PACLs (Port Access Control Lists)

On layer 2 interfaces, PACLs are used instead of RACLs. PACLs are applied only in the inbound direction because of the switch's hardware limitations. Below, the ports on which PACLs can be applied are highlighted.
