good idea to use a text editor to create them.
Consider the following before implementing named ACLs. Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2. The same name may not be used for multiple ACLs. For example, it is not permissible to specify both a standard and extended ACL named George. It is important to be aware of named access lists because of the advantages just discussed. Advanced access list operations such as named ACLs will be presented in the CCNP curriculum.

A named ACL is created with the ip access-list command. This places the user in the ACL configuration mode. In ACL configuration mode, specify one or more conditions to be permitted or denied. This determines whether the packet is passed or dropped when the ACL statement matches. The configuration shown creates a standard ACL named Internet filter and an extended ACL named "marketing_group". Also shown is how the named access lists are applied to an interface.

Lab Exercise: Configuring a Named Access List. In this lab, the student will create a named ACL to permit or deny specific traffic.

Lab Exercise: VTY Restriction. In this lab, the student will use the access-class and line commands to control telnet access to the router.

Lab Exercise: Simple DMZ Extended Access Lists. In this lab, the student will use extended access lists to create a simple DeMilitarized Zone (DMZ).

Lab Exercise: Multiple Access Lists Functions (Challenge Lab). In this lab, the student will configure and apply an extended access control list to control Internet traffic using one or more routers.

e-Lab Activity: Named ACL. In this lab, the students will configure a named access-control list for the local router "Ougoudou".

e-Lab Activity: Configuring a Named Access List. In this lab, the students will create a named ACL to permit or deny specific traffic and test the ACL to determine if the desired results were achieved.

Web Links: ip access-list Command
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1018731
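The configuration the text refers to is not reproduced on this page, so the following is an added example of the same pattern (not the course's own figure): a standard named ACL and an extended named ACL created with ip access-list and bound to interfaces with ip access-group. The addresses, interface names, and the one-word name Internetfilter (IOS reads the name as a single token, so it cannot contain a space) are assumptions.

```cisco
! Standard named ACL: matches on source address only.
! Addresses, interface names and the name Internetfilter are assumed.
ip access-list standard Internetfilter
 remark Only the 192.168.1.0/24 LAN may send traffic toward the Internet
 permit 192.168.1.0 0.0.0.255
 deny   any log
!
! Extended named ACL: matches on source, destination, protocol and port.
ip access-list extended marketing_group
 remark Marketing LAN may reach web and mail servers only
 permit tcp 192.168.2.0 0.0.0.255 any eq www
 permit tcp 192.168.2.0 0.0.0.255 any eq smtp
 deny   ip any any log
!
! Bind each list to one interface in one direction.
interface Serial0/0
 ip access-group Internetfilter out
interface FastEthernet0/1
 ip access-group marketing_group in
!
! Verify from privileged EXEC: per-entry match counters show which
! statements traffic is hitting (the explicit deny ... log entries
! also produce syslog messages for anything that was dropped).
! Router# show ip access-lists
```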
11.2 Access Control Lists (ACLs)

11.2.4 Placing ACLs

ACLs are used to control traffic by filtering packets and eliminating unwanted traffic on a network. Another important consideration when implementing ACLs is where the access list is placed. If the ACLs are placed in the proper location, not only can traffic be filtered, but the whole network can be made more efficient. If traffic is going to be filtered, the ACL should be placed where it has the greatest impact on increasing efficiency.

Suppose the enterprise policy aim is to deny telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D. At the same time, other traffic must be permitted. Several approaches can accomplish this policy. The recommended approach uses an extended ACL specifying both source and destination addresses. Place this extended ACL in Router A. Then, the denied packets do not cross Router A's Ethernet, do not cross the serial interfaces of Routers B and C, and do not enter Router D. Traffic with different source and destination addresses will still be permitted. The general rule is to put the extended ACLs as close as possible to the source of the traffic denied.

Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible. For example, a standard ACL should be placed on Fa0/0 of Router D to prevent traffic from Router A.

An administrator can only place an access list on a device that they control. Therefore access list placement must be determined in the context of where the network administrator's control extends.

Web Links: ACLs Usage Guidelines
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1018684
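An added example (not from the course material) of the two placements just described, with assumed addressing: the Router A LAN is 192.168.1.0/24 behind Fa0/0, and the switched LAN on Router D Fa0/1 is 192.168.4.0/24. The direction of the standard ACL on Router D is also an assumption.

```cisco
! Router A: extended ACL placed close to the source.
! Addresses are assumed for illustration.
access-list 110 remark Deny Telnet/FTP from Router A LAN to Router D Fa0/1 LAN
access-list 110 deny   tcp 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq telnet
access-list 110 deny   tcp 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq ftp
! ftp-data (port 20) only covers active-mode data connections; blocking the
! control port (21) is what stops FTP sessions, including passive mode.
access-list 110 deny   tcp 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq ftp-data
! Everything else, including traffic to other destinations, is still permitted.
access-list 110 permit ip any any
!
interface FastEthernet0/0
 ip access-group 110 in
!
! Router D: the standard ACL alternative, placed close to the destination.
! It matches on source only, so it blocks ALL traffic from the Router A LAN,
! not just Telnet and FTP, and those packets have already crossed B and C.
access-list 10 remark Block the Router A LAN (source-only match)
access-list 10 deny   192.168.1.0 0.0.0.255
access-list 10 permit any
!
interface FastEthernet0/0
 ip access-group 10 in
```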
11.2.5 Firewalls

A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders. In most circumstances, intruders come from the global Internet and the thousands of remote networks that it interconnects. Typically, a network firewall consists of several different machines that work together to prevent unwanted and illegal access.

In this architecture, the router that is connected to the Internet, referred to as the exterior router, forces all incoming traffic to go to the application gateway. The router that is connected to the internal network, the interior router, accepts packets only from the application gateway. In effect, the gateway controls the delivery of network-based services both into and from the internal network. For example, only certain users might be allowed to communicate with the Internet, or only certain applications might be permitted to establish connections between an interior and exterior host. If the only application that is permitted is mail, then only mail packets should be allowed through the router. This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.

ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet. The firewall router provides a point of isolation so that the rest of the internal network structure is not affected. ACLs can be used on a router positioned between the two parts of the network to control traffic entering or exiting a specific part of the internal network. A configuration of ACLs on border routers, which are routers situated on the boundaries of the network, is necessary to provide security benefits. This provides basic security from the outside network, or from a less controlled area of the network, into a more private area of the network. On these border routers, ACLs can be created for each network protocol configured on the router interfaces.

Web Links: Cisco IOS Firewall
http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
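An added example (not from the page or from Cisco) of the exterior and interior router roles described above, with assumed addresses: the application gateway is 172.16.0.10 on a screened subnet, the internal network is 10.0.0.0/8, and mail (SMTP) is the only application permitted through.

```cisco
! Exterior router: the Internet-facing interface (Serial0/0 assumed).
! Only mail may reach the application gateway; nothing else enters.
access-list 101 remark Inbound from Internet: SMTP to the gateway only
! New connections: only SMTP, only to the gateway host.
access-list 101 permit tcp any host 172.16.0.10 eq smtp
! Replies to mail the gateway itself sent out (ACK or RST bit set).
access-list 101 permit tcp any host 172.16.0.10 established
! Everything else is dropped before it can load the gateway; log it.
access-list 101 deny   ip any any log
!
interface Serial0/0
 ip access-group 101 in
!
! Interior router: the interface facing the screened subnet (Fa0/0 assumed).
! Accept packets into the internal network only from the gateway.
access-list 102 remark Inbound to internal net: gateway only
access-list 102 permit ip host 172.16.0.10 10.0.0.0 0.255.255.255
access-list 102 deny   ip any any log
!
interface FastEthernet0/0
 ip access-group 102 in
```

Because the interior list matches on the gateway's source address, a host on the screened subnet that spoofs 172.16.0.10 would pass it; the exterior list's deny of everything not addressed to the gateway is what keeps outside traffic from reaching that subnet in the first place.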
11.2.6 Restricting virtual terminal access

Standard and extended access lists apply to packets traveling through a router. They are not designed to block packets that originate within the router. An outbound Telnet extended access list does not prevent router-initiated Telnet sessions, by default.

Just as there are physical ports or interfaces, such as Fa0/0 and S0/0 on the router, there are also virtual ports. These virtual ports are called vty lines. There are five such vty lines, numbered 0 through 4, as shown in the figure. For security purposes, users can be permitted or denied virtual terminal access to the router, or allowed onto the router but denied access to destinations from that router. The purpose of restricted vty access is increased network security. Access to vty is also accomplished using the Telnet protocol to make a nonphysical connection to the router. As a result, there is only one type of vty access list. Identical restrictions should be placed on all vty lines as it is not possible to control which line a user will connect on. The process to create the vty access list