Standard ACLs
Day 34
Last updated
Day 34
Last updated
ACLs (Access Control Lists) have multiple uses but the primary one is security. ACLs function as a packet filter instructing the router to permit or discard the specific traffic based on source/destination IP, source/destination Layer 4 ports, etc. ACLs are configured globally on the router but after that, they have to be applied to an interface. ACLs are applied either inbound or outbound. ACL consists of an ordered sequence of ACEs (Access Control Entries). The order of these entries is very important. When a router checks a packet against ACL, it processes the ACEs in order from top to bottom. If the packet matches one of the ACEs, the router takes an action and stops processing the ACL. All entries below the matching entry are ignored. A maximum of one ACL per direction can be applied to an interface.
If a packet doesn't match any entries, it is denied. There is an implicit deny (if source IP = any, then deny) at the end of all ACLs which tells the router to deny all traffic that doesn't match any of the ACEs.
There are two types of ACLs:
Standard ACLs - match based on source IP only. Can use the number ranges 1-99 and 1300-1999. Standard ACLs should be applied as close to the destination as possible.
Standard Numbered ACLs
Standard Named ACLs
Extended ACLs - match based on source/destination IP, source/destination port, etc.
Extended Numbered ACLs
Extended Named ACLs
The basic command to configure a standard numbered ACL entered from the global config mode is access-list followed by the number followed by deny/permit and IP address with a wildcard mask, e.g. access-list 1 deny 1.1.1.1 0.0.0.255. To add a description use the command access-list with the number followed by remark and description. To apply the ACL on an interface, use the command ip access-group followed by the number and in/out.
Named ACLs are configured by entering the standard named ACL config mode. To do so, the command is ip access-list standard followed by a name. Then each entry is entered one by one. There is an optional field you can use at the beginning of each entry to control the order of the entries. So the command begins with an optional entry number followed by deny/permit and IP address with a wildcard mask. Named ACLs are applied on an interface in the same way as numbered ACLs. A router may re-order the /32 entries to improve the efficiency of processing the ACL but it doesn't change the effect of the ACL.