ccna 210-065

ccna 210-065.Standard ACL packetfiltering ( standard ACLpacketfiltering) -------------- Standard ACLs filter packets based on source addresses only. Extended ACLs may be more appropriate for creating complete security policies.Order of statements ( order ofstatements)-----------ACLs have a first-match policy. When a statement matches, the list is no longer checked. Therefore, more detailed statements should be placed earlier in the ACL. For example, if all UDP traffic is blocked at the top of the list, then if there is a statement at the bottom of the list that allows SNMP packets (which uses UDP), this statement will not work. Administrators should ensure that the statement at the top of the ACL does not invalidate the following statement. The administrator should verify the direction of the data filtered by the ACL.ModifyingACL - The router compares the packets to the ACL by checking the ACEs one by one from top to bottom. When the router finds a matching statement, it stops checking the ACL and allows or denies packets based on this matching statement. When a new statement is added to the ACL, it can only be added at the bottom by default. If the preceding statement applies more broadly, it may render the new entry inoperative. For example, if the ACL has a statement to deny network 172.16.1.0/24 access to the server, and the next line allows a host 172.16.1.5 access to this server, that host is still denied. This is because the router matches packets from 172.16.1.15 to the 172.16.1.0/24 network and therefore does not check the next line of the statement again and the traffic is denied. Since it is possible that the new statement will not work, be careful about the correct order of statements when creating ACLs. Delete the old ACL,and apply the new ACL to the router interface. If you are using CiscoIOS 12.3 and later, you can use the serial number to ensure that the new statement is added in the correct place in the ACL. ACL checks are performed based on the order of the ACE sequence numbers (lowest to highest).Special packets - Packets generated by the router (such as routing table updates) are not controlled by ACL statements in the outbound direction of the source router. If a security policy requires filtering these types of packets, you must perform the filtering on the neighboring router using an inbound ACL or other router filtering mechanism that uses ACLs.Now that we have covered the syntax and principles of standard and extended IPACLs, here are some scenarios where ACLs are used to provide security solutions.4.L1.6 Standard ACL ExampleThe determination of whether to use a standard ACL or an extended ACL is based on the overall goal of the ACL as a whole. For example, consider a scenario where all traffic from one subnet 172.16.4.0 must be denied access to another, but other traffic is allowed to access it. In this example, the standard ACL should be placed in the outbound direction of the FaO/O interface.R1(config)# access-list 1 deny172.16.4.0 0.0.0.255 R1(config)# access-list 1 permit any R1(config)# interface FastEthernet 0/0 R1(config-if)# ip access-group 1 outAll hosts on the 172.16.4.0 subnet are blocked from accessing the 172.16.3.0 subnet from the Fa0/0 interface. The parameters of the access-list command are as follows.