Access Control Lists - CSU359 - Shoolini University

Access Control Lists

1. Access Control Lists (ACLs) in Detail

An Access Control List (ACL) is a list of permit and deny statements that define how traffic flows in and out of a network. It acts as a filter at a network device’s interface (router, firewall, etc.) to control the flow of traffic and restrict access to and from various network segments. ACLs are widely used for improving security, managing traffic, and applying network policies.

1.1 Purpose of ACLs

The primary purpose of ACLs is to control network traffic and enhance network security. ACLs are used to:

1.2 How ACLs Work

An ACL is a series of sequential rules applied to network traffic. These rules define whether the network device should forward or block packets based on criteria such as IP address, protocol type, or port number. The process involves the following steps:

1.3 ACL Components

ACLs consist of the following components:

1.4 Types of ACLs

There are two primary types of ACLs: Standard and Extended.

1.4.1 Standard ACLs

Standard ACLs filter traffic based only on the source IP address. They are simple to write but offer only coarse control, because they cannot distinguish destinations, protocols, or ports.

1.4.2 Extended ACLs

Extended ACLs provide more control by allowing traffic filtering based on multiple criteria, such as source and destination IP addresses, protocols, and port numbers.

1.5 Wildcard Masks

Wildcard masks are used in ACLs to specify which bits in the IP address should be matched. The mask works as follows:

For example, a wildcard mask of 0.0.0.255 means that the first three octets of the IP address must match exactly, while the last octet can be any value. This allows you to filter a range of IP addresses.
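As an added illustration (not part of the course page), the following Python helpers convert between prefix lengths and wildcard masks and test an address against a base/wildcard pair. They also cover a non-contiguous wildcard such as 0.0.254.255, which IOS accepts but which has no CIDR equivalent; the sample addresses are constructed for the example.

```python
import ipaddress

def prefix_to_wildcard(prefix_len: int) -> str:
    """Return the wildcard mask equivalent to a /prefix_len subnet mask.
    A wildcard is the bitwise inverse of the subnet mask: 0 bits must match
    the base address, 1 bits are ignored."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))

def wildcard_to_prefix(wildcard: str):
    """Inverse of prefix_to_wildcard. Returns None for a non-contiguous
    wildcard (one whose inverse is not a run of 1s followed by 0s)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    ones = bin(mask).count("1")
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    return ones if mask == contiguous else None

def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr would match the ACL entry '<base> <wildcard>'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (a & care) == (b & care)

if __name__ == "__main__":
    # Constructed examples: /24 and a non-contiguous mask that selects only
    # subnets whose third octet is even (10.0.0.x, 10.0.2.x, 10.0.4.x, ...).
    print(prefix_to_wildcard(24), wildcard_to_prefix("0.0.0.255"))
    print(wildcard_matches("192.168.1.77", "192.168.1.0", "0.0.0.255"))
    print(wildcard_matches("10.0.4.9", "10.0.0.0", "0.0.254.255"),
          wildcard_matches("10.0.5.9", "10.0.0.0", "0.0.254.255"))
```

The non-contiguous case is worth knowing when reviewing a configuration: an entry like `permit 10.0.0.0 0.0.254.255` is valid and matches a set of addresses that cannot be expressed as a single prefix, so reading a wildcard as "the inverse of a /n" is only safe after checking that it is contiguous.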

1.6 ACL Placement

The placement of an ACL in a network topology is critical to its effectiveness. Here are the general guidelines:

1.7 ACL Best Practices

1.8 Monitoring and Verifying ACLs

After configuring ACLs, it is important to verify and monitor their behavior. Use the following commands to check ACLs:

1.9 Numbered vs. Named ACLs

ACLs can be configured using either numbers or names. Each method has its advantages and specific use cases.

1.9.1 Numbered ACLs

Numbered ACLs use a predefined number range to identify different types of ACLs:

While easy to configure, numbered ACLs can become hard to manage and track when many ACLs are in place.

1.9.2 Named ACLs

Named ACLs allow more flexibility, as administrators can assign descriptive names to the ACLs, making them easier to manage and identify. This is particularly useful in complex networks with multiple ACLs.


Router(config)# ip access-list standard <ACL_NAME>
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any

1.10 Time-Based ACLs

Time-based ACLs allow network administrators to control traffic based on time periods, adding more granularity to network security policies.

For example, you can restrict access to certain resources during non-business hours. Time-based ACLs are defined using a time range that specifies when the rules should be active.


Router(config)# time-range <TIME_RANGE_NAME>
Router(config-time-range)# periodic weekdays 8:00 to 18:00
Router(config-time-range)# exit
Router(config)# access-list 101 permit tcp any any eq 80 time-range <TIME_RANGE_NAME>

1.11 Reflexive ACLs

Reflexive ACLs provide additional security by dynamically creating temporary access list entries based on outbound traffic. These entries allow only response traffic to return, which enhances security against spoofing and unauthorized access.

Example configuration:


Router(config)# ip access-list extended OUTBOUND
Router(config-ext-nacl)# permit tcp any any reflect TCP-TRAFFIC
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended INBOUND
Router(config-ext-nacl)# evaluate TCP-TRAFFIC
Router(config-ext-nacl)# exit
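To make the behaviour of the OUTBOUND/INBOUND pair concrete, here is an added Python model (not code from the course page) of how a reflexive entry is created and consumed. It assumes OUTBOUND is applied outbound and INBOUND inbound on the same external interface, which the configuration above does not show, and it uses a 300-second idle timeout (assumed default; on IOS it is adjustable with `ip reflexive-list timeout`). The flows are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict

@dataclass(frozen=True)
class Flow:
    """A connection 5-tuple as the router sees it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self) -> "Flow":
        # The reflexive entry swaps source and destination, so only the
        # reply direction of this exact session is permitted back in.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class ReflexiveAcl:
    """Models 'permit tcp any any reflect TCP-TRAFFIC' (OUTBOUND) and
    'evaluate TCP-TRAFFIC' (INBOUND). A real router additionally removes a
    TCP entry when it sees the session close; only the timeout is modelled."""

    def __init__(self, timeout_seconds: int = 300) -> None:
        self.timeout = timeout_seconds
        self.temporary: Dict[Flow, float] = {}   # permitted reply flow -> expiry time

    def _expire(self, now: float) -> None:
        self.temporary = {f: t for f, t in self.temporary.items() if t > now}

    def outbound(self, flow: Flow, now: float) -> str:
        """OUTBOUND list: the only entry is the reflecting TCP permit."""
        self._expire(now)
        if flow.proto != "tcp":
            return "deny"            # nothing else is permitted: implicit deny
        self.temporary[flow.mirrored()] = now + self.timeout
        return "permit"

    def inbound(self, flow: Flow, now: float) -> str:
        """INBOUND list: 'evaluate' checks the temporary entries, then implicit deny."""
        self._expire(now)
        if flow in self.temporary:
            self.temporary[flow] = now + self.timeout   # activity refreshes the entry
            return "permit"
        return "deny"

if __name__ == "__main__":
    acl = ReflexiveAcl()
    session = Flow("tcp", "192.168.1.10", 51515, "203.0.113.5", 443)
    print("client -> server:", acl.outbound(session, now=0))
    print("server reply    :", acl.inbound(session.mirrored(), now=10))
    unsolicited = Flow("tcp", "203.0.113.5", 40000, "192.168.1.10", 22)
    print("unsolicited SYN :", acl.inbound(unsolicited, now=10))
    print("reply after idle:", acl.inbound(session.mirrored(), now=400))
```

The point the model makes is that the inbound list holds no static permits at all: a packet gets in only if it is the mirror image of a session the inside host opened, and only while that session is active.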

1.12 ACLs and IPv6

IPv6 uses a similar approach to ACLs as IPv4 but includes some differences due to the larger address space and specific IPv6 features. IPv6 ACLs are used to control traffic in IPv6 networks.

Example configuration:


Router(config)# ipv6 access-list <ACL_NAME>
Router(config-ipv6-acl)# permit ipv6 2001:db8::/64 any
Router(config-ipv6-acl)# deny ipv6 any any
Router(config-ipv6-acl)# exit
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ipv6 traffic-filter <ACL_NAME> in

1.13 ACL Logging

ACL logging is used to track ACL rule matches in real time. When a packet matches a rule with logging enabled, it generates a log entry. This is useful for monitoring network traffic and detecting potential security breaches.

Logging can be enabled on both permit and deny statements:


Router(config)# access-list 101 permit tcp any host 10.1.1.1 eq 80 log
Router(config)# access-list 101 deny ip any any log
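The log entries these statements produce are only useful if something reads them. As an added example (not from the course page), the Python below parses the `%SEC-6-IPACCESSLOGP` (TCP/UDP with ports) and `%SEC-6-IPACCESSLOGDP` (ICMP) message shapes that the `log` keyword generates on IOS and totals denied packets per source. The message layout follows typical IOS output as I know it; the log lines themselves are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample, in the shape of IOS syslog output with timestamps.
LOG_SAMPLE = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(4321) -> 10.1.1.1(22), 1 packet
*Mar  1 00:12:40.001: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.7(50001) -> 10.1.1.1(80), 1 packet
*Mar  1 00:17:34.890: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(4322) -> 10.1.1.1(23), 14 packets
*Mar  1 00:17:35.120: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.16.9.9 -> 10.1.1.1 (8/0), 3 packets
*Mar  1 00:18:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

def parse_line(line: str) -> Optional[Dict]:
    """Return a structured record for an ACL log line, or None for other messages."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    g = m.groupdict()
    as_int = lambda v: int(v) if v is not None else None
    return {
        "acl": g["acl"], "action": g["action"], "proto": g["proto"],
        "src": g["src"], "sport": as_int(g["sport"]),
        "dst": g["dst"], "dport": as_int(g["dport"]),
        "icmp_type": as_int(g["itype"]), "icmp_code": as_int(g["icode"]),
        "count": int(g["count"]),   # packets summarised into this message
    }

def parse_log(text: str) -> List[Dict]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def denied_packets_by_source(records: List[Dict]) -> Counter:
    """Total denied packets per source address, using the per-message counts."""
    totals: Counter = Counter()
    for r in records:
        if r["action"] == "denied":
            totals[r["src"]] += r["count"]
    return totals

def denied_ports_by_source(records: List[Dict]) -> Dict[str, Set[int]]:
    """Distinct destination ports each source was denied on; a source that
    collects many distinct ports is worth a closer look."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r["action"] == "denied" and r["dport"] is not None:
            ports[r["src"]].add(r["dport"])
    return dict(ports)

if __name__ == "__main__":
    recs = parse_log(LOG_SAMPLE)
    print(denied_packets_by_source(recs).most_common())
    print(denied_ports_by_source(recs))
```

Two caveats when relying on these counts: IOS logs the first matching packet and then, by default, a summary at intervals (hence the "14 packets" style messages), so the per-message count is an aggregate rather than one line per packet, and logged packets cost router CPU, so `log` belongs on the few entries you actually need visibility into rather than on every line.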

1.14 Access Control Lists and Network Address Translation (NAT)

ACLs can be used in conjunction with Network Address Translation (NAT) to filter traffic before or after it is translated.

Using ACLs with NAT helps to ensure that only specific traffic is allowed to be translated and passed through the network.

1.15 ACL and Quality of Service (QoS)

ACLs are often used with Quality of Service (QoS) policies to prioritize or limit network traffic based on specific criteria. By defining rules with ACLs, administrators can prioritize critical services like VoIP or video conferencing while controlling less critical traffic.

2. Configure and Verify Access Control Lists (ACLs)

An Access Control List (ACL) is a set of rules applied to network traffic to control whether packets are allowed or denied passage through a network interface. ACLs help improve security by restricting access to sensitive resources and controlling the flow of data. Configuring and verifying ACLs is a fundamental task in network management and security.

2.1 Types of ACLs

There are two main types of ACLs:

2.2 Configuring Standard ACLs

Standard ACLs filter on the source IP address only. Because they cannot tell destinations apart, they are usually applied close to the destination, so that they block only the traffic heading for the protected segment rather than everything from that source. The basic syntax for configuring a standard ACL on Cisco devices is:


Router(config)# access-list <ACL_NUMBER> {permit | deny} <source_IP> [<source_wildcard>]
Router(config)# interface <INTERFACE>
Router(config-if)# ip access-group <ACL_NUMBER> {in | out}

Example: To allow traffic from 192.168.1.0/24 and deny all others:


Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ip access-group 10 in

2.3 Configuring Extended ACLs

Extended ACLs offer more granularity by allowing filtering based on multiple criteria such as source and destination IP addresses, ports, and protocols. These ACLs are often applied close to the source to limit unwanted traffic early. The syntax for configuring an extended ACL is:


Router(config)# access-list <ACL_NUMBER> {permit | deny} <protocol> <source_IP> <source_wildcard> <destination_IP> <destination_wildcard> [eq <port_number>]
Router(config)# interface <INTERFACE>
Router(config-if)# ip access-group <ACL_NUMBER> {in | out}

Example: To allow HTTP traffic (port 80) from 192.168.1.0/24 to 10.1.1.0/24, but deny all other traffic:


Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 80
Router(config)# access-list 100 deny ip any any
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ip access-group 100 in
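To check what ACL 10 and ACL 100 above actually do before applying them to an interface, here is an added Python model (not code from the course page) of the sequential, first-match evaluation with the implicit deny at the end. It parses the text after `access-list <number>` for standard (1-99, 1300-1999) and extended (other) numbered lists, keeps a per-entry hit counter in the spirit of the `(N matches)` column of `show access-lists`, and flags entries that an earlier entry makes unreachable. The parser and the shadow check are my own simplifications; the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

STANDARD_RANGES = ((1, 99), (1300, 1999))   # numbered standard ACL ranges

@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str
    proto: str                  # "ip" matches every protocol
    src: int
    src_care: int               # inverse of the wildcard: 1 bits must match
    dst: int
    dst_care: int
    dport: Optional[int]
    matches: int = 0            # hit counter, like "(N matches)" in show access-lists

def _ip(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))

def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def _addr_spec(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, care, remaining)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0xFFFFFFFF, tokens[2:]
    base = _ip(tokens[0])
    if len(tokens) > 1 and _is_ipv4(tokens[1]):
        return base, _ip(tokens[1]) ^ 0xFFFFFFFF, tokens[2:]
    return base, 0xFFFFFFFF, tokens[1:]      # standard ACL: no wildcard = one host

def parse_acl(number: int, lines: List[str]) -> List[Entry]:
    """Parse entries in the order given; order is what the router evaluates."""
    standard = any(lo <= number <= hi for lo, hi in STANDARD_RANGES)
    entries = []
    for line in lines:
        toks = line.split()
        action, rest = toks[0], toks[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if standard:
            proto, (src, src_care, rest), (dst, dst_care) = "ip", _addr_spec(rest), (0, 0)
        else:
            proto, rest = rest[0], rest[1:]
            src, src_care, rest = _addr_spec(rest)
            dst, dst_care, rest = _addr_spec(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = int(rest[1])
        entries.append(Entry(action, proto, src, src_care, dst, dst_care, dport))
    return entries

def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match means the implicit deny (index None)."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if (s & e.src_care) != (e.src & e.src_care):
            continue
        if (d & e.dst_care) != (e.dst & e.dst_care):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        e.matches += 1
        return e.action, i
    return "deny", None

def _covers(a: Entry, b: Entry) -> bool:
    """True if every packet matching b also matches a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if a.dport is not None and a.dport != b.dport:
        return False
    for base_a, care_a, base_b, care_b in ((a.src, a.src_care, b.src, b.src_care),
                                           (a.dst, a.dst_care, b.dst, b.dst_care)):
        if care_a & ~care_b & 0xFFFFFFFF:          # a fixes a bit that b leaves free
            return False
        if (base_a & care_a) != (base_b & care_a):
            return False
    return True

def shadowed_entries(entries: List[Entry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers them."""
    return [j for j in range(len(entries))
            if any(_covers(entries[i], entries[j]) for i in range(j))]
```

Run against the page's ACL 100, a TCP packet from 192.168.1.10 to 10.1.1.5 port 80 hits entry 0 and is permitted, the same packet to port 443 or over UDP falls through to the `deny ip any any` entry, and ACL 10 without its explicit `deny any` still denies an outside source, just via the implicit deny. The shadow check catches the classic mistake of placing `permit ip any any` above a more specific deny.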

2.4 Verifying ACL Configuration

After configuring ACLs, it's crucial to verify their correct implementation to ensure the expected behavior. You can use the following commands to verify and monitor ACLs:


Router# show access-lists
Router# show ip interface <INTERFACE>

2.5 Best Practices for ACL Configuration