Access list rules: these are the rules every access list follows.
- An access list is read from top to bottom.
- Processing stops at the first match.
- There is an invisible implicit DENY at the bottom.
- An ACL is applied to an interface INBOUND or OUTBOUND.
Types of access lists:
1. Standard access list: filters by source IP address only.
2. Extended access list: filters by source, destination, protocol, port, ToS, etc.
3. Dynamic access list, AKA lock-and-key: the user first has to authenticate, then the ACL entry is opened. Ex. telnet in and log in first.
4. Established or reflexive access list: example, the router has access to the internet.
- `permit tcp any any established`: allow only traffic belonging to a session the inside started to return from the internet (the entry matches TCP segments with the ACK or RST bit set). This approach was replaced by Context-Based Access Control (CBAC) and then by the Zone-Based Policy Firewall, where you define inspect rules; on the ASA the equivalent is MPF (Modular Policy Framework).
5. Time-based access list: a normal extended access list that has a time range attached to it.
Example: from 8am to 5pm this access list applies.
- Example, to throttle only web traffic to 5 Mbps: create an extended access list with a time range from 8 to 5 matching certain subnets to any destination, then reference it in the QoS policy and apply policing on the interface so the traffic does not go above that value.
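To make the four rules and the `established` keyword concrete, here is an added example (not from the original notes) that simulates how an IOS-style access list is evaluated: entries are checked top to bottom, the first match wins, and anything that matches no entry hits the implicit deny. The `Packet`/`Entry` classes, addresses and the inbound ACL are all constructed sample values, and `established` is modelled the IOS way, matching only TCP segments carrying ACK or RST.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: Optional[Set[str]] = None   # TCP flags present, e.g. {"SYN"}

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" matches any protocol
    src: str = "0.0.0.0/0"          # "any"
    dst: str = "0.0.0.0/0"          # "any"
    dport: Optional[int] = None     # None = any destination port
    established: bool = False       # only TCP with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established:
            # A bare SYN (a new connection from outside) does not match;
            # only replies to a session the inside host opened do.
            if p.proto != "tcp" or not ((p.flags or set()) & {"ACK", "RST"}):
                return False
        return True

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); None = implicit deny."""
    for i, e in enumerate(acl):
        if e.matches(p):            # first match wins, stop reading here
            return e.action, i
    return "deny", None             # nothing matched: invisible implicit deny

# Constructed inbound ACL for the internet-facing interface, in order:
INBOUND = [
    Entry("deny", "ip", src="10.0.0.0/8"),                   # spoofed inside source
    Entry("permit", "tcp", dst="192.0.2.10/32", dport=443),  # public web server
    Entry("permit", "tcp", established=True),                # replies to inside
]
```

Swapping the order of the first two entries changes the verdict for a spoofed packet aimed at the web server, which is the top-to-bottom, first-match rule in action.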