Access Control Lists

Access Control List Overview

Access Control Lists (ACLs) are one of the security and control mechanism used in routers. It is an important lessons of Cisco CCNA 200-301 and CCNP Encore 350-401 Certifications. They mainly filters incoming and outgoing traffic coming to a router or going from it. In other words, with the help of access list control, we can filter traffic coming from any where and going to any where. We can create Access lists by using various parametters like source ip address, destination ip address, protocol, port number etc.

 

For example, with an access control list, we can deny some users to access a specific server or service. Or we can allow only the people in a specific network to use FTP towards another network. Or we can limit one network to ping another. There can be many combinations and different ACL lines according to your need.

 


 

Access List Types

There are different access control list types used in networking. Each of them is used for various purposes and needs. According to your need, you can use one of these access list.

 

These access control list types are given below:

 

Now, let’s briefly explain these ACL types. We will explain these ACL types in the following lessons detailly.

 

Standard Access-Lists are the ACLs which uses only source addresses of the traffic. In other words, they filter the traffic according to their source. ACL numbers 1-99 and 1300-1999 are used for standard access control lists. Standard ACLs are added close to the destination.

 

Extended Access-Lists are enhanced versions of standard ACLs. In Extended ACLs, source, destination addresses, port numbers and protocol types are used to filter the traffic. ACL numbers 100-199 and 2000-2699 are used for extended access control lists. Extended ACLs are added close to the source.

 

Named Access-Lists are the ACLs, which uses ACL names instead of ACL numbers. They can be used with both Standard and Extended ACLs. These type of ACLs are more memorable because of the explanatory names.

 

ACLs are created according to their type and each line after this creation is suitable to this type. This means that, if you are using standard ACLs, you can use only source addresses in the lines of ACLs. Or if you use extended ACL, you can use source, destination addresses and protocol or port information.

 


 

Access List Usage

To use Access Lists in a network, there are some steps. These steps are given below:

  • Create ACL With ACL Number or Name
  • Add Required Entries (Permit/Deny)
  • Determine interface
  • Determine Inbound or Outbound Direction
  • Apply to Interface

 

Firstly we need to create the ACL. To do this we will need an ACL number or a memorable name for our access control list.

 

Secondly, we should add required entries to the ACL according to our needs. These entries consist of one or more permit/deny lines.

 

Then, we will determine the interface that we will add this access list. According to used ACL type the location can be different.

 

After determining the interface, it is time to determine the direction of this apply. This can be also different according to used ACL type.

 

Laslty, we will add the linet hat will add our ACL to the interface.

 


 

How ACLs Work?

ACLs works not when they are created but when they are added to an interface. After adding them to an interface, they controls the traffic of that interface and according to its entries, it determines what to do to the traffic of this interface.

 

After creating and adding an ACL to an interface, whenever a traffic comes this interface, it firstly checks the lines of the access list control orderly. If it finds any entry that matches to the traffic, it stops and acts as the matched line. For example if it is a deny line, it denies  the traffic that matches it. Or if it is a permit line, it alllows this traffic.

 

After checking all the lines, if you do not use “permit any any” command, it will reject all the other traffic because of the invisible implicit deny at the end of the line. Implicit deny  denies all the other traffic that do not match your entries. So, if you use ACL to deny some specific traffic only, you should use “permit ip any any” line to accept any other traffic. If you do not add this entry, not only your deny lines are denies but also all the other traffic are denied. This is an important problem and can cause critical traffic drops. So, you should be careful during access list configuration.

 

Back to: CCNA 200-301 v1.1 > Security Fundamentals

Leave a Reply

Your email address will not be published. Required fields are marked *

CCNA 200-301 v1.1

Collapse
Expand
Latest Blog Posts