Reducing Network Attacks. ACLs Are Used To Filter Traffic Based On The Set of

IPv4 access control lists (ACLs) allow network engineers to filter network traffic based on values in the IP, TCP and UDP packet headers. ACLs can match packets based on source/destination IP addresses and destination ports to permit or deny specific traffic passing through a router. Common uses of IPv4 ACLs include packet filtering, with the ACL applied to the forwarding path on a router to filter each IP packet.

Uploaded by Anubhav Nayak

ACCESS CONTROL LIST

IPv4 access control lists (IP ACLs) give network engineers a way to identify
different types of packets. To do so, the ACL configuration lists values that the
router can see in the IP, TCP, UDP, and other headers.
For example, an ACL can match packets whose source IP address is 1.1.1.1, or
packets whose destination IP address is some address in subnet 10.1.1.0/24,
or packets with a destination port of TCP port 23 (Telnet).
IPv4 ACLs perform many functions in Cisco routers, with the most common use
being as a packet filter.
Engineers can enable ACLs on a router so that the ACL sits in the forwarding
path of packets as they pass through the router. Once enabled, the router
evaluates each IP packet against the ACL and either discards or forwards it.

An access list (ACL) is a set of rules defined for controlling network traffic and
reducing network attacks. ACLs filter traffic entering or leaving the network
based on the set of rules defined for it.

What Are The Components of An ACL?

The implementation of ACLs is quite similar across most routing platforms, all of which
follow general guidelines for configuring them.

Remember that an ACL is a set of rules or entries. An ACL can have a single entry
or multiple entries, each of which does something, such as permitting or denying
a class of traffic.
When you define an ACL entry, you need the following information.

1. Sequence Number:
Identify an ACL entry using a number.
2. ACL Name:
Define an ACL entry using a name. Instead of using a sequence of numbers,
some routers allow a combination of letters and numbers.
3. Remark:
Some routers allow you to add comments to an ACL, which helps you
add detailed descriptions.
4. Statement:
Deny or permit a specific source based on address and wildcard mask. Some
routing devices, such as Cisco, configure an implicit deny statement at the
end of each ACL by default.
5. Network Protocol:
Specify whether to deny/permit IP, IPX, ICMP, TCP, UDP, NetBIOS, and more.
6. Source or Destination:
Define the source or destination target as a single IP, an address range
(CIDR), or all addresses.
7. Log:
Some devices are capable of keeping logs when ACL matches are found.
8. Other Criteria:
Advanced ACLs allow you to control traffic through the Type of Service
(ToS), IP precedence, and Differentiated Services Code Point (DSCP) priority.

Types of ACL

Cisco has added many ACL features, including the following:
1. Standard numbered ACLs (1–99)
2. Extended numbered ACLs (100–199)
3. Additional ACL numbers (1300–1999 standard, 2000–2699 extended)

Standard Access-List

These are the access-lists that are built using the source IP address only.
These ACLs permit or deny the entire protocol suite; they don't distinguish
between types of IP traffic such as TCP, UDP, HTTPS, etc. When the numbers 1-99
or 1300-1999 are used, the router understands the list as a standard ACL and
treats the specified address as the source IP address.
Features –
1. A standard access-list is generally applied close to the destination (but
not always).
2. In a standard access-list, a whole network or sub-network is denied.
3. A standard access-list uses the range 1-99 and the extended range
1300-1999.
4. A standard access-list is implemented using the source IP address
only.
5. If a numbered standard access-list is used, remember that individual rules
can't be deleted: if one of the rules is deleted, the whole
access-list is deleted.
6. If a named standard access-list is used, you have the
flexibility to delete a single rule from the access-list.

Note – Standard access-lists are used less than extended access-lists, because
the entire IP protocol suite is allowed or denied for the traffic: a standard
access-list can't distinguish between the different IP protocol traffic.

Extended Access-List

This is the type of access-list that is most commonly used, because it can
distinguish IP traffic, so the whole traffic is not permitted or denied as it is
with a standard access-list. These are the ACLs that use both source and
destination IP addresses and also port numbers to distinguish IP traffic. In
this type of ACL, we can also specify which IP traffic should be allowed or
denied. These use the ranges 100-199 and 2000-2699.
Features –
1. An extended access-list is generally applied close to the source (but
not always).
2. In an extended access-list, packet filtering takes place on the basis
of source IP address, destination IP address, and port numbers.
3. In an extended access-list, particular services can be permitted or
denied.
4. An extended ACL is created from the range 100 – 199 and the extended range
2000 – 2699.
5. If a numbered extended access-list is used, remember that individual rules
can't be deleted: if one of the rules is deleted, the whole
access-list is deleted.
6. If a named extended access-list is used, we have the
flexibility to delete a single rule from the access-list.
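As an added example (not from these notes and not Cisco's own code), the Python simulator below implements the entry fields listed under "What Are The Components of An ACL?" together with the standard/extended behaviour and number ranges described in the two sections above: wildcard-mask matching, first-match evaluation in sequence order, the implicit deny at the end of every list, and the rule that a standard ACL looks only at the source address while an extended ACL also checks protocol, destination and port. The ACL numbers, addresses and packet values are constructed samples.

```python
# Added example (not from the notes or Cisco): a first-match simulator for the
# ACL entry fields listed above and the standard/extended number ranges.
import ipaddress
from dataclasses import dataclass

STANDARD = ((1, 99), (1300, 1999))      # number ranges given in the notes
EXTENDED = ((100, 199), (2000, 2699))

def acl_type(number):
    if any(lo <= number <= hi for lo, hi in STANDARD):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED):
        return "extended"
    raise ValueError(f"{number} is not a standard or extended ACL number")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Entry:
    seq: int
    action: str                   # the "statement": "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"             # extended only; "ip" matches any protocol
    dst: str = "0.0.0.0"          # extended only; default means any address
    dst_wc: str = "255.255.255.255"
    dport: "int | None" = None    # extended only; None means any port

def evaluate(number, entries, pkt):
    """Return (action, matched seq); no match falls to the implicit deny."""
    kind = acl_type(number)
    for e in sorted(entries, key=lambda e: e.seq):
        if not wildcard_match(pkt["src"], e.src, e.src_wc):
            continue
        if kind == "extended":       # standard ACLs look at the source only
            if e.proto != "ip" and e.proto != pkt["proto"]:
                continue
            if not wildcard_match(pkt["dst"], e.dst, e.dst_wc):
                continue
            if e.dport is not None and e.dport != pkt.get("dport"):
                continue
        return e.action, e.seq
    return "deny", None              # implicit deny at the end of every ACL

# Constructed sample: deny Telnet into 10.1.1.0/24, permit everything else.
ACL_101 = [Entry(10, "deny", "0.0.0.0", "255.255.255.255", "tcp", "10.1.1.0", "0.0.0.255", 23),
           Entry(20, "permit", "0.0.0.0", "255.255.255.255")]
```

Because a standard list never inspects the destination or port, the same "deny Telnet to 10.1.1.0/24" intent cannot be expressed with a standard ACL; it would have to deny the whole source, which is the limitation the note above describes.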
