Rules and Configuration Guidelines for Cisco ACLs

This tutorial explains the general guidelines and rules for Cisco ACLs configuration. Learn the basic principles of Cisco ACL implementation.

ACLs are not simple. They are one of the most complex features of the router, and they work only when they are applied properly. An incorrectly applied ACL can produce the opposite of the intended result, or no result at all. For example, if you create an ACL to block a certain type of traffic but apply it to an interface that never carries that traffic, the ACL will not block anything.

[Figure: ACL applied in the wrong direction]

To get the desired results from ACLs, you need to build and implement them properly.

There are some basic principles and rules for creating and implementing an ACL. In this tutorial, we will discuss them. Understanding these rules and principles will help you create and implement ACLs more effectively.

Access control lists (ACLs) are implemented in two steps: creating and activating. In the first step, you create the ACL. In the second step, you apply it to an interface. Until you apply it to an interface, it remains inactive, and an inactive access list does nothing. To activate an ACL, you have to apply it to an interface.

[Figure: inactive ACL]

You can apply an ACL in two directions: inbound and outbound. If you apply the ACL in the inbound direction, it will filter the incoming traffic. If you apply the ACL in the outbound direction, it will filter the outgoing traffic.

You can apply only one ACL per interface per protocol per direction. For example, you can apply only one ACL to filter incoming IP traffic on an interface. When applying an ACL to an interface, you have to specify the direction in which you want to filter the traffic.

Processing ACLs

Once an ACL is applied to an interface, the interface processes every packet through the ACL. For each packet, it checks the ACL entries from top to bottom until it finds a match. If an entry matches the packet, the interface executes the action defined in that entry. If the entry does not match, the interface checks the next entry, and it keeps going down the list until it finds a match.

[Figure: processing ACLs]

Once the interface finds a match for the packet, it does not check the remaining entries for that packet. For example, if you have two entries, one denying a host and one permitting the same host, the router executes the action of whichever entry appears first in the ACL. It never reads the second entry for that host.

Since the order of entries matters, place the entries that will match most of the traffic near the top of the list and the rarely matched ones at the bottom, while still keeping each specific entry above any general entry that would otherwise swallow it. This arrangement improves the router's performance: most packets will match near the top of the list, and once a match is found, the router does not check the remaining entries.

The implicit deny statement

If the router goes through the entire list and finds no matching entry for a packet, it drops the packet. This behaviour is known as the implicit deny. In simple words, there is an invisible 'deny all' statement at the end of every ACL that drops any traffic that does not match one of the preceding statements.

[Figure: implicit deny statement]

Because of the implicit deny, every ACL should have at least one permit statement; otherwise, an ACL with only deny statements will drop all traffic.

Let's take an example. The segment 10.0.0.0/8 is connected to the F0/0 interface. You want to block only the host 10.0.0.10 from this segment. Since you want to block only one host, you create an ACL with the single entry 'deny 10.0.0.10' and apply it to the F0/0 interface in the inbound direction.

[Figure: wrong order in ACL]

Can you guess what will happen in this scenario?

Yes, you guessed it right. This ACL will block all incoming traffic on the F0/0 interface. Let us understand why this happens.

If a packet arrives from the host 10.0.0.10, the 'deny 10.0.0.10' statement blocks it. If a packet arrives from any other host, the first statement does not match, and the interface moves on to the next statement. Since there is no next statement, the interface applies the implicit deny, which blocks the packet. This way, all incoming packets are blocked.

To fix this problem, you have to add one more entry just after the first one: a permit statement for the network 10.0.0.0, as given below (written in standard ACL syntax, where 0.255.255.255 is the wildcard mask for /8).

deny host 10.0.0.10
permit 10.0.0.0 0.255.255.255

Now, this ACL blocks only the host 10.0.0.10 while permitting all remaining hosts from the segment 10.0.0.0/8.

[Figure: correct ACL]
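The processing rules above (top to bottom, first match wins, implicit deny at the end) and the 10.0.0.0/8 example, modelled in Python as an added example that is not part of the tutorial. The block parses standard ACL entries in IOS syntax (deny/permit, host, wildcard mask, any), evaluates a packet's source address against them the way the interface does, and also flags entries that an earlier entry shadows, which is the ordering mistake the text warns about. The ACL contents and sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    network: int     # source address the entry was written with, as a 32-bit int
    wildcard: int    # IOS wildcard mask: 0 bits must match, 1 bits are ignored


def parse_entry(line: str) -> Entry:
    """Parse one standard ACL line in IOS syntax, e.g.
    'deny host 10.0.0.10', 'deny 10.0.0.10', 'permit 10.0.0.0 0.255.255.255',
    'permit any'. A leading sequence number (named ACL style) is accepted."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, rest = tokens[0], tokens[1:]
    if rest == ["any"]:
        return Entry(action, 0, ALL_ONES)
    if rest[0] == "host":
        rest = rest[1:]
    network = int(ipaddress.IPv4Address(rest[0]))
    wildcard = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    return Entry(action, network, wildcard)


def matches(entry: Entry, src: str) -> bool:
    """Wildcard comparison: only the bits that are 0 in the wildcard are compared."""
    fixed = ~entry.wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(src)) & fixed) == (entry.network & fixed)


def evaluate(acl: list[str], src: str) -> tuple[str, str]:
    """Process a packet with source address `src` through the ACL the way the
    interface does: top to bottom, first match wins, then the implicit deny.
    Returns (action, reason)."""
    if not acl:
        # An ACL with no entries permits all traffic; the implicit deny
        # exists only once there is at least one user-defined entry.
        return "permit", "empty ACL"
    for index, line in enumerate(acl):
        entry = parse_entry(line)
        if matches(entry, src):
            return entry.action, f"entry {index + 1}"
    return "deny", "implicit deny"


def shadowed_entries(acl: list[str]) -> list[tuple[int, int]]:
    """Return (later, earlier) 1-based pairs where every address the later entry
    could match is already caught by the earlier one, so the later entry is
    never reached."""
    entries = [parse_entry(line) for line in acl]
    result = []
    for j, later in enumerate(entries):
        for i in range(j):
            earlier = entries[i]
            fixed = ~earlier.wildcard & ALL_ONES
            # The earlier entry must fix no bit that the later one leaves free ...
            covers_range = (later.wildcard & fixed) == 0
            # ... and must agree with the later one on every bit it fixes.
            same_prefix = (earlier.network & fixed) == (later.network & fixed)
            if covers_range and same_prefix:
                result.append((j + 1, i + 1))
                break
    return result


# Constructed sample ACLs mirroring the tutorial's 10.0.0.0/8 scenario.
BROKEN_ACL = ["deny host 10.0.0.10"]                                      # only a deny: drops everything
FIXED_ACL = ["deny host 10.0.0.10", "permit 10.0.0.0 0.255.255.255"]
REVERSED_ACL = ["permit 10.0.0.0 0.255.255.255", "deny host 10.0.0.10"]  # the deny is never reached

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL), ("reversed", REVERSED_ACL)):
        print(f"{name}:")
        for src in ("10.0.0.10", "10.0.0.11", "192.168.1.1"):
            print(f"  {src:<12} -> {evaluate(acl, src)}")
        print(f"  shadowed entries: {shadowed_entries(acl)}")
```

Running the block prints, for each of the three lists, how the same three source addresses are handled: the one-entry list denies everything (the second and third hits are "implicit deny"), the fixed list denies only 10.0.0.10 and still drops 192.168.1.1 through the implicit deny, and the reversed list permits 10.0.0.10 with `shadowed_entries` reporting entry 2 as unreachable behind entry 1.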

Editing ACLs

A new entry is always appended at the bottom of the list. Once you have added an entry, you cannot edit or delete it individually. If you want to change an entry, you have to delete the existing list and recreate the entire list.

Since modification is not allowed, you should write ACL entries in a text editor first and then paste them into the router. To edit or remove an entry from an existing ACL, use the same process: copy all entries into a text editor, modify them, delete the old list on the router, and paste the updated entries back.

This restriction does not apply to routers that support sequence editing (sequence numbers on the entries of named ACLs). If a router supports sequence editing, you can edit or remove a single entry from an existing ACL.

Placing ACLs

Access lists filter the traffic passing through the router. They do not filter traffic that originates from the router itself.

A standard access list can filter traffic only on the source address. Place a standard ACL as close as possible to the destination of the traffic you want to deny; placed near the source, it would cut that source off from every intermediary network as well.

An extended access list can filter traffic on both source and destination addresses and on protocols. You should place an extended ACL as close as possible to the source of the traffic you wish to block.

There is no point in letting traffic cross the entire network just to deny it at the far end. By placing an extended access list as close to the source as possible, you save network bandwidth.

Key points
  • We can apply the same ACL to multiple interfaces.
  • We can enable the same ACL twice on the same interface in separate directions: inbound and outbound.
  • We cannot enable the same ACL twice on the same interface in the same direction.
  • An empty ACL (one with no entries) permits all traffic.
  • The implicit deny applies only if the ACL has at least one user-defined entry.

That’s all for this tutorial. In the next tutorial, we will discuss the commands and configurations that you need to create and implement access lists.

ComputerNetworkingNotes CCNA Study Guide Rules and Configuration Guidelines for Cisco ACLs