An Access Control List (ACL) filters traffic on a router or switch interface according to a set of matching criteria. Each packet is compared against the conditions in the ACL and is either permitted to continue or dropped.
ACLs for TCP/IP traffic filtering are mainly divided into two types:
- Standard Access Lists
- Extended Access Lists
Standard Access Control Lists: Standard IP ACLs use the numbers 1 to 99 (plus the expanded range 1300 to 1999). A standard access list permits or denies traffic based only on the source IP address or source network; the destination address of the packet and the ports involved can be anything.
Extended Access Control Lists: Extended IP ACLs use the numbers 100 to 199 (plus the expanded range 2000 to 2699). An extended ACL is far more flexible than a standard ACL: it checks both the source and the destination address in the Layer 3 header of the IP packet, and it can also match on the protocol, port numbers and other fields, which gives the administrator much finer control over filtering.
An ACL can be configured in two different ways:
- Numbered ACL
- Named ACL
Named Access Control Lists: One disadvantage of numbered standard and extended ACLs is that you reference them by a number, which says nothing about what the list does. A named ACL lets you give the list a short, descriptive name instead. Named ACLs come in the same two forms as numbered ones, IP standard and IP extended. Another advantage of named ACLs is that they allow you to remove individual entries from the list. With classic numbered ACLs you cannot delete a single statement: the 'no' form of the command removes the whole list, so you have to delete the access list and re-create it in its entirety. (Newer IOS releases add sequence numbers that let you insert and remove individual entries in numbered lists as well, through the 'ip access-list' configuration mode, but the classic syntax behaves as described.)
An ACL does nothing until you apply it to an interface. The question is then: on which router should the ACL be configured, and on which interface should it be applied? The basic rule is:
A standard ACL is configured on the router nearest the destination, and an extended ACL on the router nearest the source. The same rule applies when choosing the interface: a standard ACL goes on the interface nearest the destination, an extended ACL on the interface nearest the source. The reasoning is that a standard ACL matches only on the source address, so placing it near the source would cut that source off from every destination, not just the intended one; an extended ACL can identify the exact traffic to block, so dropping it as close to the source as possible avoids carrying unwanted packets across the network.
Note: this is a rule of thumb for basic designs; more advanced configurations may place ACLs differently.
When applying an ACL to an interface you must specify the direction in which traffic is filtered. Every interface has two directions, listed below; which one you use depends on the traffic flow.
- Inbound (as the traffic comes into an interface)
- Outbound (before the traffic exits an interface)
Inbound ACL: incoming packets are checked against the ACL before they are routed to an outbound interface. An inbound ACL is efficient because a packet that the filter denies is discarded without the overhead of a routing lookup. If the packet passes the filter, it is processed for routing.
Outbound ACL: incoming packets are first routed to the outbound interface and then checked against the ACL applied to that interface.
- If no match is found, the implicit deny statement at the end of the ACL drops the packet.
- An ACL applied to an interface does not filter routes out of the routing table; it only permits or denies packets. Only one ACL can be applied per interface, per direction.
- One more important point: ACLs use a wildcard mask, not a subnet mask. The wildcard mask is the bitwise inverse of the subnet mask: a 0 bit means the corresponding address bit must match, a 1 bit means it is ignored. For example, 192.168.1.0 0.0.0.255 matches every address in 192.168.1.0/24, and a wildcard of 0.0.0.0 matches a single host.
Information about Access Control Lists:
- ACLs are always processed from top to bottom, in sequential order.
- A packet is compared against the ACL's conditions, in order, until a match is found.
- Once a match is found for a packet, no further comparison is done for that packet.
- The interface takes the action of the matching condition. There are two possible actions: permit and deny.
- If a permit condition matches, the packet is allowed through the interface.
- If a deny condition matches, the packet is dropped immediately (by default Cisco IOS also returns a rate-limited ICMP 'administratively prohibited' unreachable to the sender; 'no ip unreachables' on the interface suppresses it).
- Every ACL has an implicit deny statement at its end.
- If a packet matches none of the conditions, it is dropped by that final implicit deny.
- An empty ACL permits all traffic by default; the implicit deny does not apply to an empty ACL.
- The implicit deny takes effect only once the ACL contains at least one user-defined condition.
- An ACL filters only traffic passing through the interface. It cannot filter traffic originated by the router on which it is applied.
- Standard ACL can filter only the source IP address.
- Standard ACL should be placed near the destination devices.
- Extended ACL should be placed near the source devices.
- Each ACL needs a unique number or name.
- Only one ACL can be applied to an interface in each direction (one inbound and one outbound).
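The wildcard-mask note and the processing rules in the list above (top-down first match, the implicit deny, and the permit-all behaviour of an empty list) are easy to get wrong when reasoning by hand. The following Python program is an added example, not part of the original article and not Cisco's code: it parses numbered standard and extended ACL entries written in IOS syntax and evaluates sample packets against them so the interaction of those rules can be checked. The ACL numbers, addresses and packets are constructed for illustration, and the matcher supports only the 'any', 'host', address-plus-wildcard and 'eq <port>' forms.

```python
"""Added example: a small simulator of Cisco-style IP ACL evaluation.

Parses numbered standard and extended entries in IOS syntax and applies the
rules described above: wildcard masks (0 bit = must match, 1 bit = don't
care), top-to-bottom first match, implicit deny at the end of a non-empty
list, and permit-all for an empty list. Illustrative code, not Cisco's.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY, ANY_WC, HOST_WC = "0.0.0.0", "255.255.255.255", "0.0.0.0"

def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_from_prefix(prefixlen: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard marks as 'care' (0 bits)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip" (any), "tcp", "udp", "icmp"
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]       # from "eq <port>" (extended ACLs only)

def parse_address(tokens: List[str]):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (single host)."""
    if tokens[0] == "any":
        return ANY, ANY_WC, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], HOST_WC, tokens[2:]
    if len(tokens) > 1 and tokens[1][:1].isdigit():   # explicit wildcard follows
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], HOST_WC, tokens[1:]

def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <n> permit|deny ...' line (IOS numbered syntax)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        # Standard ACL: source only; destination and ports can be anything.
        src, src_wc, _ = parse_address(rest)
        return Entry(action, "ip", src, src_wc, ANY, ANY_WC, None)
    # Extended ACL (100-199, 2000-2699): protocol, source, destination, port.
    proto, rest = rest[0], rest[1:]
    src, src_wc, rest = parse_address(rest)
    dst, dst_wc, rest = parse_address(rest)
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport)

def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc)
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; the implicit deny applies only to a non-empty list."""
    if not acl:
        return "permit"        # empty or undefined ACL on an interface permits everything
    for e in acl:
        if matches(e, p):
            return e.action    # no further comparison once a match is found
    return "deny"              # the implicit 'deny any' at the end

# Constructed sample lists (not taken from a real device).
ACL_10 = [parse_entry(l) for l in [
    "access-list 10 deny 10.1.1.5",                  # bare address = single host
    "access-list 10 permit 10.1.1.0 0.0.0.255",      # the whole 10.1.1.0/24
]]
ACL_101 = [parse_entry(l) for l in [
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 443",
    "access-list 101 deny tcp any host 192.0.2.10 eq 23",
    "access-list 101 permit icmp any any",
]]

if __name__ == "__main__":
    print(wildcard_from_prefix(24))                                        # 0.0.0.255
    print(evaluate(ACL_10, Packet("10.1.1.5", "198.51.100.1")))            # deny: line 1 wins
    print(evaluate(ACL_101, Packet("10.1.1.7", "192.0.2.10", "tcp", 80)))  # deny: implicit
```

Note how the order matters in ACL_10: the host 10.1.1.5 is denied even though the next line would permit its whole /24, because the first matching entry decides. In ACL_101 a TCP packet to port 80 matches nothing and falls through to the implicit deny, while the same destination on port 443 from the 10.1.1.0/24 network is permitted.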