Access Control Lists (ACLs).

December 11, 2023

What Is an Access Control List?

Access Control Lists (ACLs) are filters that let you control which routing updates or packets are permitted or denied into or out of a network. Network administrators use them to filter traffic and add a layer of security to their networks. This article covers their use on Cisco routers.

ACLs provide a powerful way to control traffic into and out of your network; this control can be as simple as permitting or denying network hosts or addresses.

You can configure ACLs for all routed network protocols.

The most important reason to configure ACLs is to provide security for your network. However, ACLs can also be configured to control network traffic based on the TCP port being used.

How ACLs work

A router acts as a packet filter when it forwards or denies packets according to filtering rules. As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet.

These rules are defined using access control lists or ACLs.

To simplify how an ACL, or a router performing packet filtering, works, imagine a guard stationed at the entrance to a club or party. The guard's instruction is to allow only people whose names appear on a guest list to pass through the door. The guard is filtering people based on a single condition: whether their name is on the authorized list.

When a packet arrives at the router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be dropped. The packet filtering process works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.

ACL Placement: Location and Direction.

Cisco routers possess the capability to implement Access Control List (ACL) logic on IP packets either at the moment they enter an interface or when they exit one. Essentially, an ACL is linked with an interface and a specific direction of packet flow, which can be either incoming or outgoing. In the case of incoming packets, the ACL is applied before the router conducts its routing decision. Conversely, for outgoing packets, the ACL is enforced after the router has made its routing decision and identified the appropriate exit interface.

The figure above illustrates the points where packet filtering can occur in a network flow from Host to Server. Consider a scenario where it is desired to permit packets from host A to server S1, but block packets from host B to the same server. Each line with an arrow in the figure denotes a potential point and direction where a router might implement an ACL to filter packets originating from host B.

The red arrowed lines in the figure point out the location and direction of the router interfaces used to forward the packet from host B to server S1. In the example above, those interfaces and directions are inbound on R1's F0/0 interface, outbound on R1's S0/0/0 interface, inbound on R2's S0/0/1 interface, and outbound on R2's F0/0 interface. If, for example, you enabled an ACL on R2's F0/1 interface, in either direction, that ACL could not possibly filter the packet sent from host B to server S1, because R2's F0/1 interface is not part of the route from B to S1.

Types of ACLs.

Standard ACLs
These are the simplest form of access control list. They filter traffic based on the source IP address only. Standard ACLs permit or deny traffic from particular addresses, but they cannot distinguish between different types of traffic coming from those addresses.

Extended ACLs
Extended ACLs provide more control. They filter traffic based on multiple criteria: source and destination IP addresses, protocol type, port numbers, etc.
This extended configuration makes them more suitable for complex network environments.

Complex ACLs
Configuring complex Access Control Lists (ACLs) in a network is essential in environments that require detailed control over network traffic. They provide enhanced security and control over both inbound and outbound traffic. By specifying not only IP addresses but also ports, protocols, and even packet types, these ACLs can tightly regulate the data allowed to enter or leave a network.
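To make the evaluation rules concrete for the host A / host B / server S1 scenario above, here is an added Python model (not from the original post, and not Cisco's code) of how a router walks a standard or extended ACL: entries are tested top-down, the first match wins, and anything unmatched hits the implicit deny at the end of every list. The addresses for host A, host B and S1 are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: str                          # source address (standard and extended)
    src_wc: str                       # source wildcard mask
    dst: str = "0.0.0.0"              # extended-only fields; defaults match any
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"                 # "ip" matches every protocol
    dport: Optional[int] = None       # destination port, extended only

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry). Entries are tested top-down,
    the first match decides, and a packet matching none hits the implicit deny."""
    for i, e in enumerate(acl):
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, i
    return "deny", None  # implicit "deny any" at the end of every ACL

# Scenario from the text with constructed addresses: host A may reach S1, host B
# may not. The standard ACL (inbound on R1 F0/0) can only test the source address;
# the extended ACL also pins the destination, protocol and port.
HOST_A, HOST_B, S1 = "10.1.1.10", "10.1.1.20", "10.2.2.100"
STANDARD_ACL = [
    Entry("deny", HOST_B, "0.0.0.0"),              # host B first, before the permit
    Entry("permit", "10.1.1.0", "0.0.0.255"),      # rest of the 10.1.1.0/24 LAN
]
EXTENDED_ACL = [
    Entry("deny", HOST_B, "0.0.0.0", S1, "0.0.0.0"),
    Entry("permit", "10.1.1.0", "0.0.0.255", S1, "0.0.0.0", "tcp", 443),
]
```

Swapping the two entries of STANDARD_ACL lets host B through, because the broader permit line matches first; entry order is part of the policy.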

In conclusion, Access Control Lists (ACLs) serve as a fundamental tool in network security, enabling administrators to control traffic flow in a network by permitting or denying packets based on criteria such as source and destination IP addresses, protocols, and ports. Their simplicity and effectiveness make them a valuable asset in a network administrator's toolkit.