ACL (Access Control List)

Q. What is the purpose of an access control list?
Ans. ACLs are used to match (classify) traffic so that a decision can be taken on it.
Q. What is traffic?
Ans. Traffic is a flow of packets from a source to a destination.
Q. Why do we match traffic?
Ans. We match traffic to take a permit or deny decision on it, that is, whether the traffic is allowed through or dropped.

  • Access control lists are a basic but effective security tool.
  • ACLs are used to exercise control over network traffic.
  • An ACL is a list, as the name says, and it can contain multiple statements (access control entries).
  • Each statement describes which traffic it matches and what is done with that traffic.
  • Traffic matched by a permit statement is allowed through.
  • Traffic matched by a deny statement is dropped.
  • Traffic matched by no statement at all is dropped as well (see the implicit deny under the rules below).
  • With ACLs a router works as a stateless packet-filtering firewall: every packet is judged on its own, with no memory of the connection it belongs to.
  • The router takes filtering decisions based on the L3 header and the L4 header.
    • The L3 (IP) header contains the source IP, destination IP and protocol number.
    • The L4 (TCP/UDP) header contains the source port and destination port numbers; for TCP the flags can also be checked (the established keyword matches only segments with ACK or RST set, i.e. replies to sessions opened from the other side).
  • To perform network traffic filtering we apply the ACL to an interface of the router.

Access Control List Rules:

  • The traffic is compared to the Access Control List statements in sequential order (top to bottom).
  • The moment a statement matches, the associated action is taken and no further comparisons are done, so the order of the statements decides the outcome: a specific statement placed below a more general one is never reached.
  • Every ACL contains an invisible statement at the bottom of the Access List.
  • This statement says deny everything else.
  • We do not have to configure this statement.
  • This invisible statement is also called the implicit deny statement.
  • Because of the implicit deny, an ACL must state everything it allows: a list that contains only deny statements drops all other traffic too, including routing protocol packets arriving on that interface when the ACL is applied inbound.
  • The implicit deny can be overridden by a “permit any” (standard) or “permit ip any any” (extended) statement placed as the last explicit statement.
  • The implicit deny only exists once the ACL has at least one statement: an empty or not yet created ACL applied to an interface permits all traffic.

Types of ACLs:

  1. Standard ACL : (1-99, expanded range 1300-1999)
    • With standard ACLs we can only match the source address of the traffic.
    • With standard ACLs we cannot match traffic specifically (no destination, protocol or port), so they are placed close to the destination to avoid blocking more than intended.
  2. Extended ACL : (100-199, expanded range 2000-2699)
    • With extended ACLs we can match source address, destination address, protocol and source/destination ports of the traffic.
    • We can match traffic specifically with an extended ACL, so it is placed close to the source to drop unwanted traffic before it crosses the network.

Differences between Standard – Extended ACL

  Standard ACL                                        | Extended ACL
  ----------------------------------------------------|----------------------------------------------------------
  Takes decisions based on the source IP only.        | Takes decisions based on source IP, destination IP,
                                                      | protocol, source port and destination port.
  Implemented close to the destination.               | Implemented close to the source.
  ACL number range: 1 – 99.                           | ACL number range: 100 – 199.
  Cannot tell the direction of a conversation apart:  | Can be restricted to a single direction of a conversation
  everything from the matched source is affected.     | (for example only the requests, not the replies).
  Applies to all services of the matched source.      | Can be restricted to a single service (protocol and port).

Note:

  • We know that ACLs are applied on the interfaces of a router to perform network traffic filtering.
  • An ACL is applied to an interface in one of two directions, and an interface carries at most one IPv4 ACL per direction (one inbound, one outbound).
    1. Inbound
      • Inbound means that packets arriving on the interface are compared with the statements, and allowed or denied, before the router routes them.
    2. Outbound
      • Outbound means that packets about to leave through the interface are compared with the statements, and allowed or denied, after the router has routed them; traffic generated by the router itself is not checked by an outbound ACL.
  • There are two different formats for configuring ACLs.
    1. Numbered Access List Format:
      • With the numbered access list format (the access-list command), we can only make numbered ACLs.
      • Ex:    access-list 100
      • In this format a numbered ACL can’t be edited in place once created: a single statement cannot be removed (no access-list 100 deletes the whole list) and new statements are always appended at the bottom.
      • Numbered ACLs have a limited number range.
      • To overcome these limitations, named ACLs were introduced.
    2. Named Access List Format:
      • With the named access list format (the ip access-list command), you can make both named and numbered ACLs; a numbered ACL opened this way can be edited like a named one.
      • Ex:    ip access-list extended
      • Named ACLs have no practical limit on their number (alphanumeric names are unlimited).
      • Named ACL names are case sensitive.
      • With the named ACL format we can delete a particular statement from the ACL.
      • We can insert a statement between two already configured statements (the ACL order can be changed).
      • The configured statements automatically get sequence numbers.
      • Sequence numbers start from 10 and increase by 10.
      • Example:
        • 10 statement 1
        • 20 statement 2
        • 30 statement 3
      • To delete a particular statement, enter no followed by the sequence number of that statement.
      • Ex:      no 20
      • To insert a new statement between two already configured statements, prefix it with a sequence number that falls between them, such as 15, 25 or 35.
      • Example:
        • 10 statement 1
        • 15 new statement
        • 20 statement 2
        • 30 statement 3
      • When no gap is left between two sequence numbers, the ip access-list resequence command renumbers the statements with a new start and step.

ACL Implementation:

  • First understand the requirement.
    • Understand why the ACL is needed.
    • Which traffic should be denied and which traffic should be allowed.
  • Identify source IP, destination IP, protocol, source port, destination port.
    • Identify the IP addresses from which, and to which, the traffic should be filtered.
    • Identify the IP protocols to filter on.
    • Ex: TCP, UDP, IP, EIGRP, ICMP, OSPF…
    • Identify the TCP/UDP ports that should be filtered.
    • Ex: HTTP, FTP, DNS, SMTP, TELNET…
  • Select the type of ACL (standard/extended) to implement.
    • Select the standard or extended ACL best suited for the task.
    • A standard ACL is a subset of an extended ACL: anything a standard ACL can match, an extended ACL can match too.
    • An extended ACL can therefore be implemented for all types of scenarios.
  • Identify the traffic flow (inbound/outbound).
    1. Inbound: the traffic entering the router through the interface.
      • It filters the traffic before the packet is routed, so a denied packet costs no routing lookup.
    2. Outbound: the traffic leaving the router through the interface.
      • It filters the traffic after the packet has been routed, so a denied packet has already consumed router resources.
  • Select the router (and the interface) that will be the filtering point.
  • Create the ACL on the router and apply it to the appropriate interface.
    • Create the ACL in global configuration mode.
    • Apply the ACL to one interface, in one direction, in interface configuration mode (ip access-group).
    • Verify with test traffic and the per-statement match counters of show access-lists, and confirm that traffic which must keep flowing (routing protocol updates, management access to the router) has not been caught by the implicit deny.
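The Python script below is an added worked example; it is not code from the original notes and not Cisco software. It models in software the rules stated above (top-to-bottom first match with the implicit deny, wildcard masks, the standard/extended distinction), the named ACL editing described in the Note (automatic 10/20/30 sequence numbers, deletion with no <seq>, insertion at a sequence number between two existing ones) and the implementation procedure carried through for a constructed requirement: block Telnet from LAN 192.168.1.0/24 to server 10.0.0.5, allow everything else, as an extended ACL applied inbound on the LAN-facing interface. The addresses, the list name BLOCK_TELNET and the test packets are hypothetical; the statement syntax follows the IOS access-list / ip access-list form, but the parser only understands the subset used here (any, host, wildcard pairs, eq port).

```python
"""Toy model of Cisco IOS ACL semantics: wildcard matching, top-down first match, the
implicit deny and sequence-number editing. Added example, not from the original notes."""
import ipaddress

PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}     # None = any protocol
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")                          # (base, wildcard)


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _take_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' -> (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens[:1] != ["eq"]:
        return None
    _, p = tokens.pop(0), tokens.pop(0)
    return PORT_NAMES.get(p) or int(p)


def parse_ace(line):
    """Parse one IOS statement: '[seq] permit|deny <src>' (standard) or
    '[seq] permit|deny <proto> <src> [eq p] <dst> [eq p]' (extended)."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action = tokens.pop(0)
    if tokens[0] in PROTO_NUM:                                 # extended statement
        proto = PROTO_NUM[tokens.pop(0)]
        src, sport = _take_addr(tokens), _take_port(tokens)
        dst, dport = _take_addr(tokens), _take_port(tokens)
    else:                                                      # standard: source only
        proto, sport, dport, src, dst = None, None, None, _take_addr(tokens), ANY
    return dict(seq=seq, action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)


def ace_matches(ace, pkt):
    """pkt: dict with src, dst, proto (IP protocol number) and optional sport/dport."""
    return ((ace["proto"] is None or ace["proto"] == pkt["proto"])
            and wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])
            and all(ace[k] is None or ace[k] == pkt.get(k) for k in ("sport", "dport")))


def evaluate(aces, pkt):
    """Top down, first match wins; no match -> implicit deny. Returns (action, seq)."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None                                        # seq None = implicit deny


class NamedACL:
    """Editing model of 'ip access-list extended <name>' (works for standard too)."""
    def __init__(self, lines=()):
        self.aces = []
        for line in lines:
            self.add(line)

    def add(self, line):
        """No seq given: append at highest seq + 10 (10, 20, 30, ...); explicit seq: insert in order."""
        ace = parse_ace(line)
        if ace["seq"] is None:
            ace["seq"] = max((a["seq"] for a in self.aces), default=0) + 10
        self.aces = sorted(self.aces + [ace], key=lambda a: a["seq"])

    def remove(self, seq):
        """'no <seq>' inside the named ACL deletes just that one statement."""
        self.aces = [a for a in self.aces if a["seq"] != seq]


# Constructed requirement: block Telnet from LAN 192.168.1.0/24 to server 10.0.0.5, allow all else.
BLOCK_TELNET = [
    "deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq telnet",
    "permit ip any any",                  # without this the implicit deny drops all else
]
TELNET = dict(src="192.168.1.20", dst="10.0.0.5", proto=6, sport=40000, dport=23)  # constructed
HTTP = dict(src="192.168.1.20", dst="10.0.0.5", proto=6, sport=40001, dport=80)    # 6 = TCP


def demo():
    """Run the policy over the test packets, then edit it by sequence number."""
    acl = NamedACL(BLOCK_TELNET)
    out = {"telnet": evaluate(acl.aces, TELNET), "http": evaluate(acl.aces, HTTP),
           "http_without_permit_any": evaluate(NamedACL(BLOCK_TELNET[:1]).aces, HTTP)}
    # The admin exception must sit ABOVE the deny at seq 10 (so seq 5); at 15 it is never reached.
    admin = dict(TELNET, src="192.168.1.10")
    acl.add("5 permit tcp host 192.168.1.10 host 10.0.0.5 eq telnet")
    out["admin_telnet_with_exception"] = evaluate(acl.aces, admin)
    acl.remove(5)                                              # 'no 5'
    out["admin_telnet_after_no_5"] = evaluate(acl.aces, admin)
    return out
```

demo() returns each verdict as (action, sequence number): the Telnet packet is denied at statement 10, HTTP is permitted at 20, the same HTTP packet is denied by the implicit deny (sequence None) when permit ip any any is left out, the admin exception inserted at 5 permits the admin host, and no 5 reverts to the deny. The same habit carries over to a real router: write down the packets that must pass and the ones that must be dropped before configuring, then read them against the per-statement counters of show access-lists.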

Differences between Numbered and Named ACL:

  Numbered ACL                                  | Named ACL
  ----------------------------------------------|------------------------------------------------------
  Numbers are used:                             | Alphanumeric names are used:
    Standard: 1-99                              |   Standard: ccna
    Extended: 100-199                           |   Extended: ccnp23
                                                | Names are unique and case sensitive.
  Can’t be modified in place (the whole list    | Can be modified (delete or insert single statements
  has to be removed and re-entered).            | by sequence number).
  Statement order can’t be changed.             | Statement order can be changed.
  Limited features.                             | Enhanced features.
  Types: Standard & Extended.                   | Types: Standard & Extended.
