ACLs Configuration on Interfaces Examples.

November 26, 2023

What Are ACLs?

Access Control Lists (ACLs) are a set of rules used in networking to control the flow of traffic into and out of network devices like routers and switches. These rules determine which packets (small units of data) are allowed or denied passage through a network interface. ACLs are crucial for network security and traffic management.

Types of ACLs.

Standard ACLs: These are the simplest form, filtering traffic based solely on the source IP address. They can permit or deny packets from certain IP addresses but lack the ability to filter based on other packet details.

Extended ACLs: More advanced than standard ACLs, extended ACLs can filter based on various criteria, including source and destination IP addresses, protocol type (e.g., TCP, UDP, ICMP), and port numbers. This allows for more granular control over network traffic.


How ACLs Work

Rule-Based: ACLs work on a set of predefined rules. Each rule specifies what action (permit or deny) to take for traffic that matches certain conditions.

Sequential Processing: The rules in an ACL are processed in a sequential order. The first rule that matches the traffic is applied, and the rest of the rules are ignored.

Default Deny: If traffic does not match any of the rules in the ACL, it is denied by default.

How To Configure ACLs.

Configuring Access Control Lists (ACLs) on an interface is an essential operation for safeguarding network security.

ACLs serve to filter traffic based on specified criteria such as IP addresses, port numbers, or protocols.

Below is an overview that delineates the key steps for configuring ACLs on a network interface, predominantly in a Cisco environment, as it is one of the most widely used platforms for this task.

Overview of Steps to Configure Access Control Lists on an Interface:

Step 1: Access the Network Device

Log into the router or switch using console access, SSH, or Telnet.

Step 2: Enter Global Configuration Mode

Use the enable command to enter privileged EXEC mode, then the configure terminal command to enter global configuration mode.

Step 3: Define the ACL

Create an ACL using the access-list command.

Standard ACL: access-list [1-99] {permit | deny} {source}

Extended ACL: access-list [100-199] {permit | deny} {protocol} {source} {destination}

Step 4: Apply the ACL to an Interface

Use the interface command to navigate to the interface configuration mode where you intend to apply the ACL.

Use the ip access-group command to apply the ACL.

Inbound: ip access-group [ACL number] in

Outbound: ip access-group [ACL number] out

Step 5: Verify the Configuration

Use the show access-lists command to view the configured ACLs.

Use the show running-config command to verify that the ACL is applied to the intended interface.

Step 6: Save Configuration

Use the write memory or copy running-config startup-config command to save the configuration to the startup configuration file.

Example Configuration

We are going to configure a standard access list according to a given set of conditions.

Instructions:

1. Hosts on router R3 are to be denied access to hosts on R2.

2. Only host A on R1 is permitted to access hosts on R2.

3. All other communication is allowed. Use a standard access list, ACL 1.

4. Apply access-list 1 on serial interfaces se0 and se1.

Standard ACL configuration on R2:

R2>enable
R2#configure terminal
R2(config)#access-list 1 deny 172.16.2.0 0.0.0.255
R2(config)#access-list 1 permit host 172.16.3.2
R2(config)#access-list 1 deny 172.16.3.0 0.0.0.255
R2(config)#access-list 1 permit any
R2(config)#interface se0
R2(config-if)#ip access-group 1 in
R2(config-if)#exit
R2(config)#interface se1
R2(config-if)#ip access-group 1 in
R2(config-if)#exit

With the above configuration, all hosts on R3 are denied access to hosts on R2, a single host (host A) on R1 is permitted access to R2 while the other hosts on R1 are denied, and, because the list ends with permit any, traffic from every other source is allowed. Note that the permit statement for host A must come before the deny for its network: the first matching statement decides, so reversing those two lines would block host A as well.

Note:

Always include a “permit any” statement at the end of an ACL to allow other unspecified traffic; without it, the implicit deny at the end of every ACL drops everything that did not match an earlier statement.

Be cautious when applying ACLs, as incorrect configurations can lead to network outages.

ACLs are processed top-down; the first match determines the action (permit/deny).
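As an added illustration that is not part of the original article, the following Python script simulates how a router walks a standard ACL: wildcard-mask matching, first match wins, and the implicit deny when no statement matches. It parses the ACL 1 statements from the example above; the parse_entry and evaluate functions are this example's own helpers, not IOS code.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    network: int   # source address as a 32-bit integer
    wildcard: int  # Cisco wildcard mask: 0 bits must match, 1 bits are "don't care"


def parse_entry(line: str) -> AclEntry:
    """Parse one 'access-list N {permit|deny} <source>' statement (helper of this example)."""
    tokens = line.split()          # e.g. ["access-list", "1", "deny", "172.16.2.0", "0.0.0.255"]
    action, source = tokens[2], tokens[3:]
    if source == ["any"]:          # "any" is shorthand for 0.0.0.0 255.255.255.255
        return AclEntry(action, 0, 0xFFFFFFFF)
    if source[0] == "host":        # "host X" is shorthand for X 0.0.0.0
        return AclEntry(action, int(ipaddress.IPv4Address(source[1])), 0)
    net = int(ipaddress.IPv4Address(source[0]))
    # A bare address without a wildcard also means an exact host match.
    wild = int(ipaddress.IPv4Address(source[1])) if len(source) > 1 else 0
    return AclEntry(action, net, wild)


def evaluate(acl: list[AclEntry], src: str) -> str:
    """Top-down, first-match evaluation; returns "permit" or "deny"."""
    addr = int(ipaddress.IPv4Address(src))
    for entry in acl:
        care = ~entry.wildcard & 0xFFFFFFFF   # bits the router actually compares
        if (addr & care) == (entry.network & care):
            return entry.action               # first match ends processing
    return "deny"                             # implicit deny at the end of every ACL


# ACL 1 from the example configuration above.
ACL_1 = [parse_entry(line) for line in """
access-list 1 deny 172.16.2.0 0.0.0.255
access-list 1 permit host 172.16.3.2
access-list 1 deny 172.16.3.0 0.0.0.255
access-list 1 permit any
""".strip().splitlines()]

if __name__ == "__main__":
    # Constructed sample sources: an R3 host, host A, another R1 host, an unrelated host.
    for src in ("172.16.2.5", "172.16.3.2", "172.16.3.7", "10.0.0.1"):
        print(f"{src:12} -> {evaluate(ACL_1, src)}")
    # Same list without its final "permit any": the implicit deny now catches 10.0.0.1.
    print("10.0.0.1 without permit any ->", evaluate(ACL_1[:-1], "10.0.0.1"))
```

Swapping the permit-host and deny-network statements in ACL_1 makes evaluate return "deny" for 172.16.3.2, which is the ordering mistake the notes above warn about.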

This brief overview aims to provide you with a foundational understanding of configuring ACLs on an interface. Always consult your device’s specific documentation for detailed instructions and guidelines.
