
Understanding Access Control Lists (ACL)

Defining access control lists may seem a challenging and complex task, especially to those who have just delved into the world of computer networking and network security. The aim of this article is to explain the role of access control lists and the basic concepts needed to understand them. The article also shows you how to configure them on a Cisco router.

An access control list (ACL) is a set of rules that controls network traffic and mitigates network attacks. More precisely, ACLs filter traffic on a router or switch interface according to a given set of filtering criteria.

Why use ACLs

Initially, ACLs were the only means of providing firewall protection. Even though many other types of firewalls and alternatives to ACLs now exist, ACLs are still used today, often in combination with other technologies (for example, in virtual private networks to define which traffic should be encrypted and sent through the VPN tunnel), and you should master them in order to succeed at the CCNA level and beyond.

Reasons why you should use ACLs:

  • Limit network traffic to increase network performance
  • Provide traffic flow control
  • Provide a basic level of security for network access by defining which part of the network/server/service can be accessed by a host and which cannot
  • Granular control over traffic entering or exiting the network

Types of Access Control Lists

ACLs are primarily divided into two types: standard and extended. We also differentiate between numbered and named ACLs.

Standard ACLs filter traffic solely on the Layer 3 source address written in the header of the IP (Internet Protocol) packet.
The command syntax for configuring a standard numbered ACL:

[Image in the original: standard numbered ACL command syntax]

The first value {1-99 or 1300-1999} specifies the standard ACL number range.

The second value specifies whether to permit or deny the configured source IP address traffic.

The third value is the source IP address that must be matched.

The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.

Extended ACLs filter traffic based on Layer 3 and Layer 4 source and destination information, thus giving greater flexibility and control over network access than standard ACLs.
The command syntax for configuring an extended numbered ACL:

[Image in the original: extended numbered ACL command syntax]

The first value {100-199 or 2000-2699} specifies the extended ACL number range.

The second value specifies whether to permit or deny traffic according to the criteria that follows.

The third value indicates the protocol type: IP, TCP, UDP, ICMP or another IP sub-protocol.

The source and destination IP address and their associated wildcard masks determine where traffic originates and its final destination, respectively.

As already mentioned, it is also possible to create a named ACL, which must be specified as either standard or extended.
The command syntax for configuring a named standard or extended ACL:

Router(config)# ip access-list [standard | extended] ACL_name


Upon executing this command, a user is placed into subconfiguration mode where permit and deny commands are entered:

[Image in the original: named ACL permit/deny syntax in subconfiguration mode]

Extended named ACLs offer additional parameters:

[Image in the original: extended named ACL syntax]

After creating the standard or extended ACL, you must apply it to the appropriate interface (or to a VTY line). The command to apply the ACL to an interface:

[Image in the original: syntax for applying an ACL to an interface]


ACL Configuration Guidelines

When working with ACLs or preparing for the CCNA exam, it’s important to remember the following guidelines:

  • Only one ACL per interface, per protocol, per direction is allowed.
  • ACLs are processed top-down; the most specific statements must go at the top of the list. Once a packet meets the ACL criteria, the ACL processing stops and the packet is either permitted or denied.
  • ACLs are created globally and then applied to interfaces.
  • An ACL can filter traffic going through the router, or traffic to and from the router.
  • All ACLs have an implicit “deny all” statement at the end. Therefore, every ACL must have at least one permit statement to allow any traffic to pass.


ACL Example

[Image in the original: network diagram for the ACL example]

The idea of this example is to demonstrate the usage of standard and extended numbered ACLs.

On this network, you want to block all remote access to the routers except from PC C2 (192.168.3.10).
First, create a numbered ACL on all three routers, then enter line configuration mode for the VTY lines and apply it to incoming traffic as follows:

R1(config)# access-list 10 permit 192.168.3.10 0.0.0.0
R2(config)# access-list 10 permit 192.168.3.10 0.0.0.0
R3(config)# access-list 10 permit 192.168.3.10 0.0.0.0

R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R2(config)# line vty 0 4
R2(config-line)# access-class 10 in
R3(config)# line vty 0 4
R3(config-line)# access-class 10 in

Now suppose that on R1 you want to block all packets whose source IP address falls in any of the following ranges: the RFC 1918 private address blocks and 127.0.0.0/8. The solution is as follows:

R1(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 100 permit ip any any

R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in
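The guidelines above (top-down processing, implicit deny at the end) and the two ACLs in this example can be checked with a small model of how IOS evaluates a numbered ACL. This is an added example, not code from the article or from Cisco; it only matches the source address (the extended ACL's protocol and destination fields are left out), and the sample source addresses are constructed here.

```python
import ipaddress

# Constructed example (not from the article): a minimal model of how a Cisco IOS
# numbered ACL is evaluated, showing top-down matching, wildcard masks and the
# implicit "deny all" at the end of every list. Only the source address is matched.

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a CIDR prefix length: the bitwise inverse of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))

def matches(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 means 'must match', bit 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl, src: str):
    """Walk the entries top-down and return (action, matched_entry).
    Entries are (action, network, wildcard); 'any' stands for 0.0.0.0 255.255.255.255.
    A packet that matches no entry hits the implicit deny, reported as (deny, None)."""
    for entry in acl:
        action, network, wildcard = entry
        if network == "any" or matches(src, network, wildcard):
            return action, entry
    return "deny", None

# The article's ACL 100 on R1: drop RFC 1918 and loopback sources, permit the rest.
ACL_100 = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "127.0.0.0", "0.255.255.255"),
    ("permit", "any", None),
]

# The article's ACL 10 for the VTY lines: only PC C2 may connect; every other
# source falls through to the implicit deny.
ACL_10 = [("permit", "192.168.3.10", "0.0.0.0")]

if __name__ == "__main__":
    for src in ("10.1.2.3", "172.31.0.1", "172.32.0.1", "8.8.8.8"):
        print(f"ACL 100, source {src}: {evaluate(ACL_100, src)[0]}")
    # Ordering matters: with 'permit any' first, the deny lines are never reached.
    print("ACL 100 reversed, 10.1.2.3:", evaluate(list(reversed(ACL_100)), "10.1.2.3")[0])
    print("ACL 10, 192.168.3.11:", evaluate(ACL_10, "192.168.3.11"))
    print("/12 wildcard:", wildcard_from_prefix(12))
```

Note that 172.32.0.1 is permitted while 172.31.0.1 is denied: the 0.15.255.255 wildcard covers exactly 172.16.0.0 through 172.31.255.255.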


I hope this was enough to get you started with ACLs or to refresh some important notions when preparing for a Cisco exam.

Is there anything related to ACLs that you’d like us to dig into?


About Ingrid Beloša

Ingrid Belosa is a networking enthusiast from Croatia. She is here to help you with grasping networking concepts.


5 comments

  1. Can you discuss time-based access lists?

  2. I wish I had seen this years ago. The way the network masks are defined always confused me. Thanks for sharing this.
