Access Control List
What is an Access Control List (ACL)?
• In computer networking, an Access Control List (ACL) is an ordered set of rules that a router or switch uses to filter network traffic and enforce security policy.
2. Use ACLs on a router positioned between two parts of your network to control
traffic entering or exiting a specific part of your internal network.
4. Configure ACLs for each network protocol (for example IPv4 and IPv6) that is configured on the border router interfaces.
• You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
Guidelines (continued)
5. A standard access list is generally applied close to the destination (but not always): it filters on source address only, so placing it near the source would block that source from reaching every destination beyond the interface.
6. An extended access list is generally applied close to the source (but not always): it can identify the exact traffic to drop, so dropping it early saves bandwidth and router resources along the path.
7. Only one ACL can be assigned per interface, per protocol, per direction, i.e., for a given protocol an interface carries at most one inbound and one outbound ACL.
8. With a classic numbered access list a single rule cannot be removed; entering "no access-list" followed by the number deletes the whole ACL. With a named access list a specific rule can be deleted. (On IOS 12.3 and later a numbered ACL can also be edited in named-ACL configuration mode, for example "ip access-list standard 10", where each entry carries a sequence number and can be removed or inserted individually.)
9. Every new rule added to an access list is appended at the bottom (unless a sequence number is given in named-ACL mode). Because the first matching rule wins, a broad permit placed above a more specific deny makes that deny unreachable, so analyze the whole scenario carefully before implementing the access list.
10. There is an implicit deny at the end of every access list, so an ACL must contain at least one permit statement; otherwise all traffic is denied.
11. Standard access lists and extended access lists cannot have the same name.
ACL Operation
• Inbound ACLs
• Incoming packets are processed before they are routed to
the outbound interface.
• An inbound ACL is efficient because it saves the overhead of
routing lookups if the packet is discarded.
• Outbound ACLs
• Incoming packets are routed to the outbound interface, and
then they are processed through the outbound ACL.
Types of ACL
• There are two main types of access list:
1. Standard Access-list –
• These access lists match on the source IP address only. A standard ACL permits or denies the entire IP protocol suite from that source; it does not distinguish between TCP, UDP, ICMP or application traffic such as HTTPS. Numbers 1-99 and 1300-1999 tell the router that the list is a standard ACL and that the specified address is the source.
2. Extended Access-list –
• These access lists match on source IP, destination IP, protocol, source port and destination port (numbers 100-199 and 2000-2699). With these ACLs we can also specify which IP traffic
CATEGORIES OF ACCESS CONTROL LIST
There are two categories of access-list:
1. Numbered access-list –
• These access lists are identified by a number. Once created, an individual rule cannot be removed: an attempt to delete one rule deletes the whole access list. Numbered access lists can be either standard or extended.
2. Named access-list –
• In this type of access list a name is assigned to identify it. Unlike a numbered access list, a named access list allows a specific rule to be deleted. Like numbered access lists, named lists can be either standard or extended.
Benefits of Access Control List
• Boost network efficiency.