Rules and Configuration Guidelines for Cisco ACLs

ACLs are one of the most complex features of the router. They work only when applied correctly, and an incorrectly applied ACL can lead to unexpected results. For example, if you create an ACL to block a specific type of traffic but apply it to an interface that never carries that traffic, the ACL will have no effect.

To achieve the desired results from ACLs, you must build and implement them correctly. There are some basic principles and rules for creating and implementing ACLs. This tutorial explains them. Understanding these rules and principles helps you design and implement ACLs more effectively.

Implementing ACLs

ACL implementation is a two-step process: creation and activation. In the first step, you create the ACL. In the second step, you apply it to an interface. Until it is applied to an interface, an ACL remains inactive and has no effect on traffic. To activate an ACL, you have to apply it to an interface.

[Figure: Inactive ACL]

You can apply an ACL in two directions: inbound and outbound. If you use the ACL in the inbound direction, it will filter the incoming traffic. If you apply it in the outbound direction, it will filter the outgoing traffic. You can apply only one ACL per interface per protocol per direction. For example, you can apply only one ACL to filter incoming IP traffic on an interface. When using an ACL on an interface, you have to specify the direction in which you want to filter the traffic.

Processing ACLs

Once you apply an ACL to an interface, the interface uses it to process every packet that passes through it. For each packet, it checks the ACL entries from top to bottom until it finds a match. If an entry's criteria match the packet, the interface executes the action specified in that entry; if not, it moves on to the next entry and keeps checking until it finds a match.

[Figure: Processing ACLs]

Once the interface finds a match for a packet, it does not check the remaining entries for that packet. For example, if you have two entries, one denying a host and another permitting the same host, the router executes the action of whichever entry appears first in the ACL and never reads the second entry for that host. Since the order of entries is essential, you should always place the most significant entries at the top of the list and the least significant entries at the bottom. This arrangement also improves the router's performance: most of the time a match is found near the top of the list, and once a match is found, the remaining entries are not checked.

The implicit deny statement

If a router finds no matching entry for a packet in the applied ACL, it drops the packet. This behavior is known as implicit deny. In simple words, there is an invisible 'deny all' statement at the end of every ACL that drops all traffic that does not match any of the preceding statements in the ACL.

[Figure: Implicit deny statement]

Because of the implicit deny, every ACL should have at least one permit statement; otherwise, an ACL with only deny statements will drop all traffic. Let's take an example. A router has the segment 10.0.0.0/8 connected to its F0/0 interface. You want to block only the host 10.0.0.10 from this segment. Since you want to block only one host, you create an ACL with the single entry 'deny 10.0.0.10' and apply it to the F0/0 interface in the inbound direction.

[Figure: Wrong order in ACL]

Can you guess what will happen in this scenario?

This ACL will block all incoming traffic on the F0/0 interface. Let us understand why this happens.

If a packet arrives from the host 10.0.0.10, the 'deny 10.0.0.10' statement blocks it. If a packet arrives from any other host, the first statement does not match, and the interface checks the next statement. Since there is no next statement, the interface executes the implicit deny, which blocks the packet. In this way, this ACL blocks all incoming packets. To fix this problem, you have to add one more entry just after the first one: a permit statement for the network 10.0.0.0, as given below in Cisco IOS standard ACL syntax ('permit' is the IOS keyword for allowing traffic, and 0.255.255.255 is the wildcard mask that covers the /8 segment).

! entry 1: block the single host
access-list 10 deny   host 10.0.0.10
! entry 2: permit the rest of the 10.0.0.0/8 segment
access-list 10 permit 10.0.0.0 0.255.255.255

Now, this ACL blocks only the host 10.0.0.10 while permitting all remaining hosts from the segment 10.0.0.0/8.
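To make the top-down, first-match evaluation and the implicit deny concrete, here is a small Python model of how a router walks a standard ACL. It is an added example, not code from the original tutorial or from Cisco; the entry syntax it parses (permit/deny, host, wildcard mask, any) follows IOS standard ACL entries, and the three ACLs it evaluates are constructed from the scenario above, including the reversed order in which a broad permit shadows the host deny.

```python
import ipaddress

# Constructed model (not the original tutorial's code): a router evaluates a
# standard ACL top-down, the first matching entry wins, and a packet that
# matches no entry hits the implicit "deny any" at the end of the list.

def parse_entry(line):
    """Parse 'permit|deny host A', 'permit|deny A [wildcard]' or 'permit|deny any'."""
    parts = line.split()
    action, rest = parts[0], parts[1:]
    if rest == ["any"]:
        addr, wildcard = "0.0.0.0", "255.255.255.255"   # all bits are "don't care"
    elif rest[0] == "host":
        addr, wildcard = rest[1], "0.0.0.0"             # exact host match
    else:
        addr = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"  # IOS default wildcard
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))

def matches(src, addr, wildcard):
    """Wildcard bits set to 1 are ignored; only the 0 bits must be equal."""
    care = 0xFFFFFFFF ^ wildcard
    return (src & care) == (addr & care)

def evaluate(acl_lines, src_ip):
    """Return (action, entry) for a packet with source src_ip."""
    src = int(ipaddress.IPv4Address(src_ip))
    for line in acl_lines:
        action, addr, wildcard = parse_entry(line)
        if matches(src, addr, wildcard):
            return action, line                  # first match wins; stop here
    return "deny", "<implicit deny any>"         # nothing matched: implicit deny

# The tutorial's scenario: block only 10.0.0.10 on the 10.0.0.0/8 segment.
WRONG_ACL = ["deny host 10.0.0.10"]                                  # drops everything
FIXED_ACL = ["deny host 10.0.0.10", "permit 10.0.0.0 0.255.255.255"]  # intended behavior
# Same entries reversed: the /8 permit is hit first, so the host deny is never read.
SHADOWED_ACL = ["permit 10.0.0.0 0.255.255.255", "deny host 10.0.0.10"]

if __name__ == "__main__":
    for name, acl in (("wrong", WRONG_ACL), ("fixed", FIXED_ACL), ("shadowed", SHADOWED_ACL)):
        for ip in ("10.0.0.10", "10.1.2.3"):
            print(f"{name:8s} {ip:10s} -> {evaluate(acl, ip)}")
```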

[Figure: Correct ACL]

Editing ACLs

A new entry is always appended at the bottom of the list. Once you have added an entry, you cannot edit, modify, or delete it individually. To change an entry, you must delete the existing list and recreate it entirely. Since in-place modification is not allowed, you should compose ACL entries in a text editor and then copy and paste them into the desired ACL. To edit or remove an entry from an existing ACL, use the following process.

Copy all entries into a text editor, modify them as needed, and then paste the updated entries back into the ACL.

[Figure: Editing ACL]

This restriction does not apply to routers that support sequence editing (entries identified by sequence numbers). If a router supports sequence editing, you can edit or remove a single entry from the existing ACL.

Placing ACLs

ACLs filter the traffic passing through the router. They do not filter the traffic that originated from the router. There are two types of ACLs: standard and extended.

A standard access list only filters traffic based on the source address. Place it as close as possible to the destination of the traffic you want to deny so that the source can reach intermediary networks.

An extended access list filters traffic based on specific addresses and protocols. Place it as close as possible to the source of the traffic you wish to block. There is no point in allowing the traffic to cross the entire network to deny it. By placing an extended access list as close to the source address as possible, you can save precious network bandwidth.

Key points

  • You can apply the same ACL to multiple interfaces.
  • You can enable the same ACL twice on the same interface in separate directions: inbound and outbound.
  • You cannot configure the same ACL twice on the same interface in the same direction.
  • An empty ACL will permit all traffic.
  • An implicit deny condition will only take effect if the ACL contains at least one user-defined condition.

Best practices

  • When simple blocking based on IP address is sufficient, standard ACLs are the appropriate choice due to their simplicity and lower impact on network performance.
  • For scenarios requiring detailed packet inspection or selective filtering across multiple criteria (IP addresses, protocol types, ports), extended ACLs are the best choice due to their wide range of supported options and filtering parameters.
  • Avoid overlapping rules in extended ACLs, as this can lead to unintended traffic allowance.
  • Prioritize the order of access list entries and use comments for clarity when necessary.
  • Periodically review your network's security posture by examining ACL configurations.
  • Identify potential misconfigurations or outdated rules to ensure ongoing protection against unauthorized threats while maintaining optimal network performance and accessibility.

This tutorial is part of the series "Cisco Access List Commands, Concepts, and Configurations".

Conclusion

Configuring Cisco ACLs requires a solid understanding of their implementation, processing order, and the inherent rules governing their functionality. You need to carefully plan the direction and order of ACL entries to ensure the desired traffic is permitted or denied. The implicit deny statement highlights the importance of including at least one permit statement in your ACLs. By following the guidelines explained in this tutorial, you can effectively manage network traffic, enhancing both security and performance.
