Definition, purposes, benefits, and functions of ACL

This tutorial explains the definition, purposes, benefits, features, and functions of access lists. Learn what access lists are and why they are used.

Access lists on routers

Routers connect different networks. When a router receives a packet on an interface, it reads the packet's destination address and forwards the packet out of the interface that leads toward that destination. This process is known as routing, and routers apply it to every packet.

By default, routers do not distinguish between legitimate and malicious packets. Any host that knows the correct destination address can send packets through the router, and an adversary who knows that address can do the same.

If you want to permit or deny only certain packets, you have to define matching criteria and the actions to take on matched packets. Once the criteria and actions are defined and applied, the router checks every packet against them. Routers support ACLs for exactly this purpose.

What is an access list?

An access list is an ordered list of statements. Each ACL statement consists of criteria and an action: the criteria define the pattern to match (such as source address, destination address, protocol, or port), and the action defines what the router does with a packet that matches the pattern.


To find a match, a router checks the access list from top to bottom in sequential order. Once a packet matches a statement, no further statements are checked, so the order of statements matters. There is an implicit 'deny any' statement at the end of every ACL: a packet that matches none of the statements is dropped.

Purposes and uses of ACLs

In addition to routing, many other router features use ACLs. Some features that use ACLs are dial-on-demand routing (DDR), quality of service (QoS), Network Address Translation (NAT), and Port Address Translation (PAT).

ACLs are not only used to block unauthorized packets; they also serve many other purposes, such as filtering routing information, restricting remote access, prioritizing traffic, changing the administrative distance of routes, and triggering dial-up calls.

Let's discuss some common uses of ACLs.

Controlling traffic

Administrators use ACLs to control network traffic. For example, an administrator can apply an ACL to a slow WAN link and define in it which traffic may cross the link. This keeps unnecessary traffic off the link and improves its performance.

Through ACLs, an administrator can also specify the allowed addresses for various services such as NAT, PAT, and DDR. Once an ACL is applied, the service will allow traffic only from the allowed addresses.

Mitigating security risks

ACLs are also used to mitigate several security risks. Through ACLs, you can block IP spoofing and denial-of-service attacks, and you can define which applications and ports may receive traffic from users. If allowed applications are specified, the router permits traffic only if it belongs to those applications. For example, to secure a web server, you can create an ACL that permits only web traffic; once it is applied, all traffic other than web traffic to that server is blocked.
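The two points above, first-match evaluation with an implicit 'deny any' and an ACL that admits only web traffic to a server, are shown together in the following added example. It is not from the original tutorial or from any Cisco software; it models IOS-style extended ACL statements with wildcard masks in Python, and the server address 192.0.2.10, the blocked host 198.51.100.7 and the client addresses are constructed test values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str
    src_wild: str              # IOS wildcard mask: 0 bit = must match, 1 bit = ignored
    dst: str
    dst_wild: str
    dport: Optional[int] = None   # None = any destination port

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)  # setting the wildcard bits in both sides ignores them

def evaluate(acl, pkt: Packet):
    """Top to bottom, first match wins; falling off the end is the implicit 'deny any'."""
    for seq, rule in enumerate(acl, start=1):
        matched = (rule.proto in ("ip", pkt.proto)
                   and wildcard_match(pkt.src, rule.src, rule.src_wild)
                   and wildcard_match(pkt.dst, rule.dst, rule.dst_wild)
                   and (rule.dport is None or rule.dport == pkt.dport))
        if matched:
            return rule.action, seq   # checking stops at the first matching statement
    return "deny", None            # implicit deny any: no statement matched

# Constructed example: protect web server 192.0.2.10 (RFC 5737 test address). Order
# matters: the deny for one abusive host must precede the broad permit, or it is never reached.
ANY, HOST = ("0.0.0.0", "255.255.255.255"), "0.0.0.0"
WEB_SERVER_ACL = [
    Rule("deny",   "tcp", "198.51.100.7", HOST, "192.0.2.10", HOST, 80),
    Rule("permit", "tcp", *ANY,           "192.0.2.10", HOST, 80),
    Rule("permit", "tcp", *ANY,           "192.0.2.10", HOST, 443),
]

if __name__ == "__main__":
    for p in (Packet("tcp", "203.0.113.5", "192.0.2.10", 80),   # permit, statement 2
              Packet("tcp", "198.51.100.7", "192.0.2.10", 80),  # deny, statement 1
              Packet("tcp", "203.0.113.5", "192.0.2.10", 22)):  # deny, implicit
        print(p, "->", evaluate(WEB_SERVER_ACL, p))
```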


Authentication

ACLs are also used to set up a database of the hosts and users allowed to access the router for management and administration. For example, the RSH (remote shell) and RCP (remote copy) services on a router use a database created by ACLs for authentication.


Benefits or advantages of ACLs

The main benefits or advantages of ACLs are the following.


Securing network

ACLs allow an administrator to filter and block unauthorized traffic. An administrator can filter traffic based on source IP address, destination IP address, protocol, flow direction, and many more criteria.

An administrator can also use ACLs to secure remote access to the router. For example, through an ACL, the administrator can permit only one specified remote host to open an inbound VTY session and deny all other Telnet traffic entering or leaving the network.

Reducing network traffic

Many services depend on broadcast messages. For example, routers running some routing protocols use broadcasts to send and receive periodic routing table updates. Broadcasts generate a lot of network traffic and reduce network performance.

An administrator can limit routing updates with ACLs by creating an ACL that specifies which networks are to be advertised and applying it to the dynamic routing protocol configured on the router. An ACL applied to a routing protocol instead of an interface is called a distribute-list.

Prioritizing traffic

ACLs allow an administrator to prioritize traffic. The administrator can prioritize traffic based on the address, type, protocol, and purpose of the data. For example, an administrator can prioritize live video streaming data over text data.


That's all for this tutorial. In this tutorial, we discussed what ACLs are and how they are used. In the next tutorial, we will discuss the basic concepts and fundamentals of ACLs.
