CCDTT

Standard Access List ACL Full Explanation and Configuration


An access control list (ACL) is a set of rules defined to control network traffic and reduce exposure to network attacks. ACLs filter traffic entering or leaving the network based on those rules.

ACL features –

  1. The rules are matched sequentially, i.e., matching starts with the first line, then the second, then the third and so on.
  2. A packet is compared against the rules only until one of them matches. Once a rule matches, no further comparison takes place and that rule's action is applied.
  3. There is an implicit deny at the end of every ACL, i.e., if no rule matches, the packet is discarded.

Once the access list is built, it must be applied to an interface in either the inbound or the outbound direction:

  • Inbound access lists – When an access list is applied to the inbound packets of an interface, the packets are first processed according to the access list and only then routed to the outbound interface.
  • Outbound access lists – When an access list is applied to the outbound packets of an interface, the packet is first routed and then processed by the access list at the outbound interface.

Types of ACL –
There are two main types of access list:

  1. Standard access list – These access lists match on the source IP address only. They permit or deny the entire IP protocol suite and do not distinguish between kinds of IP traffic such as TCP, UDP or HTTPS. By using the numbers 1-99 or 1300-1999, the router recognises the list as a standard ACL and treats the specified address as the source IP address.
  2. Extended access list – These ACLs use both the source and the destination IP address. In this type of ACL we can also specify which IP traffic should be allowed or denied. They use the ranges 100-199 and 2000-2699.

There are also two categories of access list:

  1. Numbered access list – Individual rules cannot be removed from a numbered access list once it has been created; if we try to delete a single rule, the whole access list is deleted. Numbered access lists can be used for both standard and extended access lists.
  2. Named access list – In this type of access list, a name is assigned to identify the list. Unlike a numbered access list, a named access list allows individual rules to be deleted. Like numbered access lists, named access lists can be used for both standard and extended access lists.

Rules for ACL –

  1. A standard access list is generally applied close to the destination (but not always).
  2. An extended access list is generally applied close to the source (but not always).
  3. We can assign only one ACL per interface, per protocol, per direction, i.e., only one inbound and one outbound ACL is permitted per interface for a given protocol.
  4. We can't remove a single rule from a numbered access list; if we try to remove a rule, the whole ACL is removed. With named access lists we can delete a specific rule.
  5. Every new rule added to an access list is placed at the bottom of the list, so analyse the whole scenario carefully before implementing the access lists.
  6. As there is an implicit deny at the end of every access list, we should have at least one permit statement in the access list, otherwise all traffic will be denied.
  7. A standard access list and an extended access list cannot have the same name.


Standard Access-list –

These access lists match on the source IP address only. They permit or deny the entire IP protocol suite and do not distinguish between kinds of IP traffic such as TCP, UDP or HTTPS. By using the numbers 1-99 or 1300-1999, the router recognises the list as a standard ACL and treats the specified address as the source IP address.

Features –

  1. A standard access list is generally applied close to the destination (but not always).
  2. In a standard access list, a whole network or sub-network is denied based on its source address; individual services cannot be singled out.
  3. A standard access list uses the range 1-99 and the extended range 1300-1999.
  4. A standard access list is implemented using the source IP address only.
  5. If a numbered standard access list is used, remember that rules can't be deleted individually: deleting one rule deletes the whole access list.
  6. If a named standard access list is used, you have the flexibility to delete a single rule from the access list.

Note – Standard access lists are used less often than extended access lists because they cannot distinguish between the different IP protocols, so the entire IP protocol suite is allowed or denied for the matching traffic.

Configuration –

Here is a small topology with three departments: sales, finance and marketing. The sales department uses the network 172.16.40.0/24, the finance department 172.16.50.0/24 and the marketing department 172.16.60.0/24. We want to deny connections from the sales department to the finance department while allowing the other departments to reach that network.

First, we configure a numbered standard access list that denies any IP connection from the sales department to the finance department.
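The following Python model is an added example, not the lab configuration from the original post. It implements the matching rules from the ACL features list above (top-down evaluation, first match wins, implicit deny at the end) and applies them to the three-department topology: it parses IOS-style `access-list` lines, evaluates source addresses against them using wildcard-mask semantics, and flags entries that can never match because an earlier entry covers them. The `access-list` lines in `SAMPLE_CONFIG` are constructed for this example (ACL 10 is the intended rule set; ACLs 20 and 30 show the missing-permit and wrong-order mistakes); `ip_to_int`, `Entry`, `StandardACL`, `parse_standard_acls` and `demo` are names chosen here, not router commands.

```python
"""Model of Cisco IOS standard ACL matching: top-down, first match wins, implicit deny.
Added example; not the lab configuration from the original page."""
import ipaddress
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    network: int    # source network as a 32-bit integer
    wildcard: int   # wildcard mask: 0 bit = must match, 1 bit = don't care

    def matches(self, src: str) -> bool:
        care = ~self.wildcard & MASK32
        return (ip_to_int(src) & care) == (self.network & care)

    def covers(self, other: "Entry") -> bool:
        # True when every address matched by `other` is also matched by self:
        # self fixes no bit that `other` leaves free, and agrees on all bits it fixes.
        care = ~self.wildcard & MASK32
        return (other.wildcard & care) == 0 and (self.network & care) == (other.network & care)


@dataclass
class StandardACL:
    number: int
    entries: list = field(default_factory=list)

    def evaluate(self, src: str) -> str:
        """Compare the source address against entries in order; the first match decides."""
        for entry in self.entries:
            if entry.matches(src):
                return entry.action
        return "deny"  # implicit deny at the end of every ACL

    def shadowed_entries(self) -> list:
        """Indexes of entries that can never match because an earlier entry covers them."""
        out = []
        for j, later in enumerate(self.entries):
            if any(earlier.covers(later) for earlier in self.entries[:j]):
                out.append(j)
        return out


def parse_standard_acls(config_lines) -> dict:
    """Parse `access-list <n> permit|deny <source>` lines into StandardACL objects."""
    acls = {}
    for raw in config_lines:
        parts = raw.split()
        if not parts or parts[0] != "access-list":
            continue  # skip blank lines, "!" comments and unrelated commands
        number = int(parts[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"ACL {number} is outside the standard ranges 1-99 and 1300-1999")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if parts[3] == "any":
            network, wildcard = 0, MASK32
        elif parts[3] == "host":
            network, wildcard = ip_to_int(parts[4]), 0
        else:
            network = ip_to_int(parts[3])
            wildcard = ip_to_int(parts[4]) if len(parts) > 4 else 0  # bare address means host
        acls.setdefault(number, StandardACL(number)).entries.append(Entry(action, network, wildcard))
    return acls


# Constructed sample configuration for the page's topology (Sales 172.16.40.0/24,
# Finance 172.16.50.0/24, Marketing 172.16.60.0/24). ACL 10 is the intended rule set;
# ACL 20 forgets the permit and ACL 30 puts "permit any" first.
SAMPLE_CONFIG = """
! ACL 10: block Sales from Finance, allow everyone else (would be applied outbound on the
! router interface facing Finance, close to the destination; interface name is assumed)
access-list 10 deny 172.16.40.0 0.0.0.255
access-list 10 permit any
! ACL 20: deny only -> the implicit deny blocks Marketing too
access-list 20 deny 172.16.40.0 0.0.0.255
! ACL 30: misordered -> the deny is shadowed and never takes effect
access-list 30 permit any
access-list 30 deny 172.16.40.0 0.0.0.255
""".splitlines()


def demo() -> dict:
    acls = parse_standard_acls(SAMPLE_CONFIG)
    return {
        "acl10_sales": acls[10].evaluate("172.16.40.7"),      # deny
        "acl10_marketing": acls[10].evaluate("172.16.60.7"),  # permit
        "acl20_marketing": acls[20].evaluate("172.16.60.7"),  # deny (implicit)
        "acl30_sales": acls[30].evaluate("172.16.40.7"),      # permit (deny shadowed)
        "acl30_shadowed": acls[30].shadowed_entries(),        # [1]
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows the three outcomes the rules above predict: ACL 10 denies a Sales host and permits a Marketing host; ACL 20, which has no permit statement, denies the Marketing host through the implicit deny; ACL 30 permits the Sales host because `permit any` sits above the deny, and `shadowed_entries()` reports that second entry as unreachable. The same shadow check is a useful review step before adding new lines, since every new rule lands at the bottom of the list.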
