Access Control Lists (ACLs) are the first-line defense mechanism in a network. ACLs are configured on the router to filter the traffic traversing the router and to allow only the desired traffic. ACLs are used in two contexts:
1. Packet filtering: when ACLs are used to allow or deny packets according to a set of rules, they are equivalent to a firewall.
2. Traffic classification: ACLs can identify and mark the traffic of interest so that it can be used by other services such as NAT, VPN, routing protocols, etc. ACLs are often used in this context.
ACL has an associated direction
The ACL is applied to a router’s interface in either the inbound (incoming) or the outbound (outgoing) direction. For an inbound ACL, the packets are filtered as they hit the router’s interface, whereas for an outbound ACL the filtering is done after the route lookup that determines the next hop.
Both inbound and outbound ACLs have their significance depending on the nature of the traffic. What matters is to pick one style and stick to it. I always prefer inbound ACLs.
ACL is a list of rules
Just like a firewall, an ACL is a list of rules, and the rules are applied against the traffic from top to bottom. When a packet matches a rule, the corresponding action is performed (permit/deny). Once a matching rule is found, the rest of the statements within the ACL are ignored.
The important point to note is that there is an implicit deny statement at the end of every ACL. This means that if none of the rules in the ACL matches, the packet is dropped by default. Hence there must be at least one permit statement in the ACL; otherwise all traffic will be blocked (including the legitimate traffic!).
Types of ACL
There are two types of ACLs depending on the granularity they provide in filtering the traffic.
1. Standard ACL: Standard ACLs filter or classify the traffic based on the source IP address of the packet. Standard ACLs are numbered 1 through 99.
2. Extended ACL: Extended ACLs can filter or classify the traffic based on source/destination IP address, source/destination port number and/or protocol type. Extended ACLs are numbered 100 through 999.
Clearly, Extended ACLs provide more granularity and control over the traffic being filtered, and they are used far more often than Standard ACLs.
Both Standard and Extended ACLs can be configured in two ways:
1. Numbered ACL:
Standard ACL -> 1-99
Extended ACL -> 100-999
2. Named ACL:
Standard ACL: standard ACL_NAME
Extended ACL: extended ACL_NAME
There are two steps in any ACL configuration:
1. Define the ACL
2. Apply the ACL on to an interface or service
Configuring Standard ACL
i ) Numbered Standard ACL
ii) Named Standard ACL
Configuring Extended ACL
i) Numbered Extended ACL
ii) Named Extended ACL
In both Standard and Extended ACLs, there must be at least one permit statement to allow all the legitimate traffic. Otherwise the implicit deny statement will prevent any communication from happening.
i. Standard ACL
ii. Extended ACL
Note that 0.0.0.0 255.255.255.255 (address 0.0.0.0 with an all-ones wildcard mask, so no address bit has to match) represents any host. In other words, it matches all the traffic.
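As an added example (not from the original post, and not router code), the following Python model reproduces the ACL semantics described above: top-to-bottom first-match evaluation, the implicit deny at the end, and wildcard-mask matching. The two ACLs and the packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                    # "ip" matches any protocol (standard ACL only looks at src)
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"      # default: any destination
    dport: Optional[int] = None          # None: any destination port

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def evaluate(acl: list, pkt: dict) -> tuple:
    """Walk the rules top to bottom; first match wins. (-1) means the implicit deny fired."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", -1

# Constructed standard ACL: one permit line for a LAN, everything else falls to implicit deny.
STANDARD_10 = [Rule("permit", "192.168.1.0", "0.0.0.255")]

# Constructed extended ACL: deny telnet from anywhere first, then permit LAN web traffic
# to one server. Order matters: swapping the lines would let telnet through the permit.
EXTENDED_110 = [
    Rule("deny", "0.0.0.0", "255.255.255.255", "tcp", "0.0.0.0", "255.255.255.255", 23),
    Rule("permit", "192.168.1.0", "0.0.0.255", "tcp", "10.0.0.5", "0.0.0.0", 80),
]

if __name__ == "__main__":
    pkt = {"src": "192.168.1.77", "dst": "10.0.0.5", "proto": "tcp", "dport": 80}
    print(evaluate(STANDARD_10, pkt), evaluate(EXTENDED_110, pkt))
```

Packets that match no line return index -1, which makes the implicit deny visible when troubleshooting an ACL that blocks legitimate traffic.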
Vambar has made a great video explaining the concept of ACL and the configuration of standard and extended ACLs using practical examples.