CCNA Study Guide

This tutorial explains Cisco Access Control Lists in detail with examples including ACL types, ACL direction and ACL location.

Cisco Access Control Lists are sets of conditions grouped together under a name or a number. These conditions are used to filter the traffic passing through the router. With these conditions we can filter traffic either when it enters the router or when it exits the router.

What is access control list?

Basically, an ACL is an integrated feature of IOS software that is used to filter the network traffic passing through IOS devices. Network traffic flows in the form of packets. A packet contains a small piece of data along with all the information required to deliver it. By default, when a router receives a packet on an interface, it takes the following actions:-

  • Grab the destination address from the packet
  • Find an entry for the destination address in the routing table
  • If a match is found, forward the packet from the associated interface
  • If no match is found, discard the packet immediately.

This default behavior does not provide any security. Anyone who knows the correct destination address can send his packet through the router. For example, the following figure illustrates a simple network.

[Figure: routing example]

In this network, no security policy is applied on the router, so the router is not able to distinguish between the user's packet and the adversary's packet. From the router's point of view, both packets have a correct destination address, so both are forwarded from the exit interface.

This tutorial is the first part of our article "Cisco IP ACL Configuration Guide". You can read the other parts of this article here:-

  • Standard ACL Configuration Commands Explained - the second part of this article. In this part I will explain Standard Access Control List configuration commands and their parameters in detail with examples.
  • Configure Standard Access Control List Step by Step Guide - the third part of this article. In this part I will provide a step by step configuration guide for Standard Access Control Lists.
  • Extended ACL Configuration Commands Explained - the fourth part of this article. In this part I will explain Extended Access Control List configuration commands and their parameters in detail with examples.
  • Configure Extended Access Control List Step by Step Guide - the last part of this article. In this part I will provide a step by step configuration guide for Extended Access Control Lists.

Suppose we tell the router that only 10.0.0.10 has the right to access 30.0.0.1. To enforce this condition the router takes the following actions:-

  • Grab the source and destination address from the packet
  • Match both addresses against the given condition
  • If the packet did not arrive from 10.0.0.10, drop the packet immediately.
  • If the packet is not intended for 30.0.0.1, drop the packet immediately.
  • If both conditions match, find an entry for the destination address in the routing table
  • If a match is found, forward the packet from the associated interface
  • If no match is found, discard the packet immediately.

[Figure: ACL simple routing]

Now only the packets from 10.0.0.10 are allowed to pass through the router. With this condition the adversary is not able to access the server. We can create as many conditions as we want. Technically these conditions are known as ACLs. Besides filtering unwanted traffic, ACLs are used for several other purposes such as prioritizing traffic for QoS (Quality of Service), triggering alerts, restricting remote access, debugging, VPNs and much more. Due to their complexity, these uses of ACLs are not tested in CCNA level exams. CCNA level exams test only the basic uses of ACLs, such as filtering traffic and blocking specific hosts.

Okay, now we have a basic understanding of what ACLs are and what they do. In the next section we will look at the technical concepts behind ACLs.

Direction and location of ACLs

A packet interacts with three locations during its journey through the router:-

  1. Packet arrives on an interface (Entrance)
  2. Router makes the forwarding decision
  3. Packet leaves from an interface (Exit)

We cannot filter the packet in the middle of the router where it makes the forwarding decision. The decision making process has its own logic and should not be interfered with for filtering purposes. After excluding this location, we have two locations left: entrance and exit. We can apply our ACL conditions at these two locations.

ACL conditions applied at the entrance work as an inbound filter. ACL conditions applied at the exit work as an outbound filter.

Inbound ACLs filter the traffic before the router makes the forwarding decision. Outbound ACLs filter the traffic after the router makes the forwarding decision.

An ACL filter condition has two possible actions: permit and deny. We can permit certain types of traffic while blocking the rest, or we can block certain types of traffic while allowing the rest.

ACL Location

Key points

  • We must apply ACLs on the interface which processes the packet.
  • ACLs must be applied in the direction of the data flow. Inbound ACLs must be placed on the entrance interface. Outbound ACLs must be placed on the exit interface.
  • Once applied, an ACL will filter every packet passing through the interface in that direction.

Router without ACLs

  1. Packet enters the router.
  2. Grab the source and destination address from the packet.
  3. Find an entry for the destination address in the routing table.
  4. If a match is found, forward the packet from the associated interface. If no match is found, discard the packet.
  5. Packet leaves the router.

Router with inbound ACLs

  1. Packet enters the router.
  2. Grab the source and destination address from the packet.
  3. Run the ACL conditions to determine the action. If a deny condition matches, drop the packet immediately. If a permit condition matches, let the packet enter the router.
  4. Find an entry for the destination address in the routing table.
  5. If a match is found, forward the packet from the associated interface. If no match is found, discard the packet.
  6. Packet leaves the router.

Router with outbound ACLs

  1. Packet enters the router.
  2. Grab the source and destination address from the packet.
  3. Find an entry for the destination address in the routing table.
  4. If a match is found, forward the packet from the associated interface. If no match is found, discard the packet.
  5. Run the ACL conditions to determine the action. If a deny condition matches, drop the packet immediately. If a permit condition matches, let the packet out from the interface.
  6. Packet leaves the router.

Types of ACLs

There are two types of ACLs:

  1. Standard ACLs (1 - 99 and 1300 - 1999)
  2. Extended ACLs (100 - 199 and 2000 - 2699)

Standard ACLs (1 - 99 and 1300 - 1999)

ACLs have been part of Cisco IOS from its beginning. In the early days simple filtering was sufficient, and Standard ACLs are used for this normal filtering. Standard ACLs filter a packet based only on its source IP address.

Extended ACLs (100 - 199 and 2000 - 2699)

Over time, security has become more challenging. To mitigate current security threats, more advanced filtering is required, and Extended ACLs take on this responsibility. Extended ACLs can filter a packet based on its source address, destination address, port number, protocol and much more.

Named ACLs

Named ACLs are enhanced versions of the existing ACL types. A named standard ACL is the enhanced version of a standard ACL, and a named extended ACL is the enhanced version of an extended ACL. Existing (numbered) ACLs, standard and extended, are identified by a number that is unique among all the ACLs, while named ACLs are identified by a name that is unique among all the ACLs.

I will explain the above ACL types in detail with examples in the next parts of this article.

General guidelines for ACLs

  • ACLs are always processed from top to bottom in sequential order.
  • A packet is compared with the ACL conditions until a match is found.
  • Once a match is found for a packet, no further comparison is done for that packet.
  • The interface takes action based on the matched condition. There are two possible actions: permit and deny.
  • If a permit condition matches, the packet is allowed to pass through the interface.
  • If a deny condition matches, the packet is destroyed immediately.
  • Every ACL has an implicit deny statement at the end of it.
  • If a packet does not match any condition, it is destroyed (by that last implicit deny condition).
  • An empty ACL permits all traffic by default. The implicit deny condition does not apply to an empty ACL.
  • The implicit (default last deny) condition takes effect only if the ACL has at least one user-defined condition.
  • An ACL can filter only the traffic passing through the interface. It cannot filter traffic originated by the router on which it has been applied.
  • A Standard ACL can filter on the source IP address only.
  • A Standard ACL should be placed near the destination devices.
  • An Extended ACL should be placed near the source devices.
  • Each ACL needs a unique number or name.
  • We can have only one ACL applied to an interface in each direction: one inbound and one outbound.
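The following Python model is an added example written for this page; it is not Cisco IOS code and is not from the original tutorial. It ties together the three processing sequences from the "ACL Location" section (inbound ACL before the routing decision, outbound ACL after it) and the guidelines above: top-down first-match evaluation, the implicit deny at the end of a non-empty ACL, an empty ACL permitting everything, and standard versus extended matching. It uses the page's addresses 10.0.0.10 and 30.0.0.1; the adversary address 10.0.0.20, the interface names Gi0/0 and Gi0/1, the ACL numbers 10, 110, 20, 30 and 31, and the use of CIDR prefixes in place of Cisco wildcard masks are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of Cisco-style ACL processing for illustration only.
# All interface names, ACL numbers and the 10.0.0.20 address are made up.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" stands for "any protocol"
    dport: Optional[int] = None  # destination port (tcp/udp only)


@dataclass
class Entry:
    """One ACL line. A standard ACL only ever sets action and src;
    an extended ACL may also set dst, proto and dport."""
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # CIDR used here instead of a wildcard mask
    dst: str = "0.0.0.0/0"
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class ACL:
    name: str
    entries: list = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        # An empty ACL permits everything: the implicit deny exists only
        # once the ACL has at least one user-defined entry.
        if not self.entries:
            return "permit"
        # Top-down, first match wins; later entries are never consulted.
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.action
        return "deny"  # implicit deny at the end of every non-empty ACL


@dataclass
class Interface:
    name: str
    inbound: Optional[ACL] = None   # at most one ACL per direction
    outbound: Optional[ACL] = None


class Router:
    def __init__(self, interfaces, routes):
        self.interfaces = {i.name: i for i in interfaces}
        self.routes = [(ip_network(net), ifname) for net, ifname in routes]

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match in the routing table; None means no route."""
        best = None
        for net, ifname in self.routes:
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None

    def forward(self, pkt: Packet, ingress: str):
        """Returns (result, egress interface), following the page's order:
        inbound ACL -> routing decision -> outbound ACL."""
        in_if = self.interfaces[ingress]
        if in_if.inbound and in_if.inbound.evaluate(pkt) == "deny":
            return "dropped by inbound ACL", None
        egress = self.lookup(pkt.dst)
        if egress is None:
            return "no route", None
        out_if = self.interfaces[egress]
        if out_if.outbound and out_if.outbound.evaluate(pkt) == "deny":
            return "dropped by outbound ACL", egress
        return "forwarded", egress


def demo():
    acl10 = ACL("10", [Entry("permit", "10.0.0.10/32")])            # standard: source only
    acl110 = ACL("110", [Entry("permit", "10.0.0.10/32", "30.0.0.1/32", "tcp", 80)])
    empty = ACL("20")
    # Same two lines in opposite order: the first match decides.
    deny_first = ACL("30", [Entry("deny", "10.0.0.20/32"), Entry("permit", "10.0.0.0/8")])
    permit_first = ACL("31", [Entry("permit", "10.0.0.0/8"), Entry("deny", "10.0.0.20/32")])
    router = Router(
        [Interface("Gi0/0", inbound=acl110), Interface("Gi0/1", outbound=acl10)],
        [("10.0.0.0/8", "Gi0/0"), ("30.0.0.0/8", "Gi0/1")],
    )
    attacker = Packet("10.0.0.20", "30.0.0.1", "tcp", 80)
    return {
        "user_web": router.forward(Packet("10.0.0.10", "30.0.0.1", "tcp", 80), "Gi0/0"),
        "user_ssh": router.forward(Packet("10.0.0.10", "30.0.0.1", "tcp", 22), "Gi0/0"),
        "attacker": router.forward(attacker, "Gi0/0"),
        "empty_acl": empty.evaluate(attacker),
        "order_matters": (deny_first.evaluate(attacker), permit_first.evaluate(attacker)),
        "no_route": router.forward(Packet("30.0.0.1", "40.0.0.1", "tcp", 80), "Gi0/1"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running the block shows the user's web request forwarded out Gi0/1, the same user's SSH attempt and the adversary's packet both dropped by the inbound extended ACL through the implicit deny, the empty ACL permitting the adversary's packet, and the two orderings of the same pair of entries giving opposite results. Note that this is a simplified model: real IOS uses wildcard masks rather than CIDR prefixes, and the model ignores router-originated traffic, which, as the guidelines state, an outbound ACL on that router does not filter.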

That's all for this part. In the next part of this article I will explain Standard Access Control List configuration commands in detail with examples.