Here's a (hopefully) brief explanation of ACLs:
An ACL consists of three parts: an identifier, a type and a list of rules. The identifier is a number or a name. When the id is a number, it implies the type of the ACL. When the id is a name (in which case the ACL is called a "named ACL"), the type must be provided explicitly. The type is either standard, or extended. Example:
1. access-list 22 permit any
2. access-list 111 deny any any
3. ip access-list standard STDACL
list of rules here
4. ip access-list extended EXTACL
list of rules here
1 is a standard IP ACL; you know it's standard and IP because the id, 22, falls between 1 and 99. 2 is an extended IP ACL; you know it because the id, 111, falls between 100 and 199. IDs from 200 up denote ACLs for other protocols, but let's stick with IP for now; the idea is the same.
3 and 4 are "named ACLs". You may use named ACLs only with IP. As you can see, the type is provided explicitly.
When you use numbered lists, you repeat the "access-list xx ..." command for all the rules you want. Here's your original ACL:
access-list 101 permit ip any any
access-list 101 deny tcp any any eq 21
You can rewrite this as a named ACL:
ip access-list extended ONEOHONE
permit ip any any
deny tcp any any eq 21
In both cases you have an extended ACL with id 101/ONEOHONE, that has a list of THREE rules. The third rule is a "deny any any", that is automatically appended at the end of the list of rules for ALL ACLs.
Now for the rules. A rule consists of two parts: an action (permit or deny), and a "matching criterion", so to speak. Here's the idea: you have a rule, and an IP packet. You want to see if your IP packet "matches" the rule. Say your rule is "deny tcp any any eq 21", and the IP packet carries telnet data (telnet is tcp port 23; 21 is the tcp port for ftp). You read the rule: is this a tcp packet? It is; go ahead. Does it come from "any host"? Yes; go ahead. Is it destined to "any host"? Yes. Is the port number 21 (you have to look in the tcp header to see this)? NOPE! This means that the rule did NOT match, so you do nothing. Now suppose you get an IP packet that carries ftp data. When you get to the question "is the port number 21?", the answer is YES. In this case you execute the action, which is to deny this packet. Makes sense?
Let's go back to the list of rules in the ACL. Note that the ORDER of rules is important. It works this way: you have your IP packet. You try the first rule; does it match? If YES, you carry on the action in that rule, and you stop processing the ACL -- that is, you ignore the following rules. If NO, you try the next rule. And so on. If nothing matches you'll eventually hit the implicit rule at the end of the list (the "deny any any"), so you will drop that packet. Do you see, now, why the order of rules is important?
Let's analyze again your example; I'll rewrite it to highlight the ACL's components:
ACL's ID is 101;
ACL's type is extended IP;
ACL's list of rules is:
1. permit ip any any (permit IP packets that come from any host and are destined to any host -- you don't care about what kind of data your IP packet carries);
2. deny tcp any any eq 21 (deny IP packets from any host, to any host, IF the packet carries TCP segments and IF those TCP segments carry ftp data);
3. deny any any (the implicit rule).
- Consider non-IP traffic. Rule 1 doesn't match, rule 2 doesn't match, rule 3 matches. Therefore, non-IP traffic is denied.
- Consider IP traffic, non-FTP. Rule 1 matches, so the action in rule 1 is executed (permit), so IP non-FTP traffic is permitted.
- Consider IP traffic, FTP. Rule 1 matches, because it's IP, so IP FTP traffic is also permitted.
Therefore, ALL IP traffic is permitted and ALL NON-IP traffic is denied; correct answer is B 
PS
If what you want is to deny FTP traffic and allow all other IP traffic, switch rules 1 and 2 (I hope you can see why). If you also want to permit all non-IP traffic, EXPLICITLY insert a third rule "permit any any". In this case the implicit "deny any any" rule becomes the FOURTH rule in your ACL.
Hope this helps 
PPS
So much for a "brief" explanation 
------------------
Regards.
[This message has been edited by dmaftei (edited 01-27-2001).]
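As an added example (not part of dmaftei's post or of any vendor's code), here is a small Python simulator of first-match ACL evaluation run over the post's own rules, including the swapped order and the explicit "permit any any" from the PS; the rule syntax is a simplified subset of IOS extended ACL syntax and the packets are constructed dicts, not real captures.

```python
# Simplified first-match ACL evaluator (added example, not IOS code).
# Rule grammar handled: "<action> [<proto>] <src> <dst> [eq <port>]",
# where src/dst are either "any" or a literal host address.

IMPLICIT_DENY = "deny any any"  # appended to the end of every ACL

def parse_rule(text):
    """Parse e.g. 'deny tcp any any eq 21' into its match fields."""
    parts = text.split()
    action = parts[0]
    if len(parts) == 3:  # "deny any any": no protocol keyword at all
        proto, src, dst, rest = "any", parts[1], parts[2], []
    else:
        proto, src, dst, rest = parts[1], parts[2], parts[3], parts[4:]
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def matches(rule, pkt):
    """Walk the rule's questions in order; any 'no' means the rule does not match."""
    if rule["proto"] == "ip":            # "ip" matches any IP packet, whatever it carries
        if not pkt["is_ip"]:
            return False
    elif rule["proto"] != "any":         # tcp/udp must equal the packet's transport protocol
        if not pkt["is_ip"] or pkt.get("l4") != rule["proto"]:
            return False
    for field in ("src", "dst"):         # "any" matches every host
        if rule[field] != "any" and rule[field] != pkt.get(field):
            return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False                     # port is read from the TCP header
    return True

def evaluate(acl_lines, pkt):
    """Return (action, rule_text) of the FIRST matching rule; later rules are ignored."""
    for line in list(acl_lines) + [IMPLICIT_DENY]:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["action"], line
    raise AssertionError("unreachable: the implicit deny matches everything")

# Constructed sample packets (not captured traffic).
TELNET = {"is_ip": True, "l4": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 23}
FTP    = {"is_ip": True, "l4": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 21}
NON_IP = {"is_ip": False}

ORIGINAL = ["permit ip any any", "deny tcp any any eq 21"]   # the ACL from the post
SWAPPED  = ["deny tcp any any eq 21", "permit ip any any"]   # rules 1 and 2 exchanged

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("swapped", SWAPPED)):
        for pname, pkt in (("telnet", TELNET), ("ftp", FTP), ("non-IP", NON_IP)):
            print(f"{name:8} {pname:6} -> {evaluate(acl, pkt)}")
```

With the original order every IP packet, FTP included, hits "permit ip any any" first; with the swapped order the FTP packet is stopped by the deny rule and only the non-IP packet falls through to the implicit deny.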