What Is Access List and How It Works
ACLs are lists of conditions that are applied to traffic traveling across a router's interface. These lists tell the router what types of packets to accept or deny, based on specified conditions. ACLs enable management of traffic and secure access to and from a network. ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX), and can be configured at the router to control access to a network or subnet. ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces: the router examines each packet and decides whether to forward or drop it according to the conditions in the ACL. Typical ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.

ACLs must be defined on a per-protocol, per-direction, and per-port basis. To control traffic flow on an interface, an ACL must be defined for each protocol enabled on that interface. An ACL controls traffic in only one direction on an interface, so a separate ACL is needed for each direction, one for inbound and one for outbound traffic. Finally, every interface can have multiple protocols and directions defined. If a router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed: one ACL for each of the three protocols, times two directions (in and out), times two for the number of ports.
An ACL is a group of statements that define whether packets are accepted or rejected at inbound and outbound interfaces. These decisions are made by matching a condition statement in the access list and then performing the accept or reject action defined in that statement. The order in which ACL statements are placed is important. The Cisco IOS software tests the packet against each condition statement in order, from the top of the list to the bottom. Once a match is found, the accept or reject action is performed and no other ACL statements are checked. If a condition statement that permits all traffic is located at the top of the list, no statement added below it will ever be checked. If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements. To make revising an ACL simpler, it is a good idea to keep it in a text editor such as Notepad and paste the ACL into the router configuration.

The beginning of the router's process is the same whether ACLs are used or not. As a frame enters an interface, the router checks whether the layer 2 address matches its own or is a broadcast address. If the frame is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list; if the packet matches a statement, the action of accepting or rejecting the packet is performed. If the packet is accepted on the inbound interface, it is then checked against the routing table to determine the destination interface and switched to that interface. Next, the router checks whether the destination interface has an ACL. If one exists, the packet is tested against its statements, and if the packet matches a statement, the accept or reject action is performed. If there is no ACL, or the packet is accepted, the packet is encapsulated in the new layer 2 protocol and forwarded out the interface to the next device.

As a review, ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If none of the ACL statements match, an implicit "deny any" statement placed at the end of the list by default applies. Even though the "deny any" is not visible as the last line of an ACL, it is there and it will not allow any packet not matched in the ACL to be accepted. When first learning how to create ACLs, it is a good idea to add an explicit deny at the end of each ACL to make the implicit deny visible and reinforce that it is always present.
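The matching rules above (top-to-bottom evaluation, first match wins, implicit "deny any", and the shadowing problem when a permit-all entry sits too high) can be simulated in a few lines. The following is an added example, not part of the original text: it uses a simplified IOS-like grammar for extended ACL entries and Cisco wildcard masks, with a constructed sample ACL and packets; the shadowed_entries check is the author's own helper for spotting entries that can never be reached.

```python
import ipaddress

# Simplified IOS-like extended ACL grammar (constructed for this example):
#   "<permit|deny> <ip|tcp|udp> <src> <src-wildcard> <dst> <dst-wildcard> [eq <port>]"
# "any" is written as "0.0.0.0 255.255.255.255"; a single host as "<addr> 0.0.0.0".
SAMPLE_ACL_TEXT = [
    "permit tcp 192.168.1.0 0.0.0.255 10.0.0.5 0.0.0.0 eq 25",         # mail to one server
    "deny tcp 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 23",    # no telnet anywhere
    "permit ip 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255",         # everything else
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse one access control entry (ACE) into a dict."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "src": t[2], "src_wc": t[3],
           "dst": t[4], "dst_wc": t[5], "port": None}
    if len(t) == 8 and t[6] == "eq":
        ace["port"] = int(t[7])
    return ace

def ace_matches(ace, pkt):
    """'ip' matches any protocol; the port condition applies only when present."""
    proto_ok = ace["proto"] == "ip" or ace["proto"] == pkt["proto"]
    return (proto_ok and wildcard_match(pkt["src"], ace["src"], ace["src_wc"])
            and wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"])
            and (ace["port"] is None or ace["port"] == pkt.get("dport")))

def evaluate(acl, pkt):
    """Top-to-bottom, first match wins; returns (action, index of the matching ACE).
    Index None means the packet fell through to the implicit 'deny any'."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", None

def shadowed_entries(acl):
    """Indices of ACEs that can never be reached because an earlier ACE matches
    any source, any destination and any port for the same or a wider protocol."""
    def catches_all(e, proto):
        return (e["src_wc"] == e["dst_wc"] == "255.255.255.255"
                and e["port"] is None and e["proto"] in ("ip", proto))
    return [i for i, ace in enumerate(acl)
            if any(catches_all(acl[j], ace["proto"]) for j in range(i))]

SAMPLE_ACL = [parse_ace(line) for line in SAMPLE_ACL_TEXT]
```

Running shadowed_entries over an ACL before pasting it into the router catches the "permit all at the top" mistake the text warns about.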
Primary reasons to create ACLs:

- Limit network traffic and increase network performance. By restricting video traffic, for example, ACLs could greatly reduce the network load and consequently increase network performance.
- Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
- Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.
- Decide which types of traffic are forwarded or blocked at the router interfaces. For example, permit email traffic to be routed, but block all telnet traffic.
- Allow an administrator to control what areas a client can access on a network.
- Screen certain hosts to either allow or deny access to part of a network.
- Grant or deny user permission to access only certain types of files, such as FTP or HTTP.
If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.
ACLs are lists of instructions you apply to a router's interface to tell the router what kinds of packets to accept and what kinds to deny.