Access Control Lists are very important to ensure that network traffic is well managed and under control. Just like a toll booth checks every car before it proceeds onto the highway, Access Control Lists can be set up on a router to check each and every packet as it comes through and block unwanted traffic.
A proper Access Control List configuration will increase security and ensure proper network speeds for time-sensitive traffic like voice calls or video conferences.
A couple of examples of where you may want to use an ACL (we are going to use the abbreviated version from now on) involve blocking peer-to-peer traffic. I remember when programs like Kazaa and Napster were popular; if these programs were being used in a corporate network they could end up using valuable bandwidth that could be needed for a Voice over IP phone call. An extended ACL could then be used to block the ports that Napster uses so that none of Napster’s traffic is allowed to enter the network. Or, since you are the network administrator, you could block everybody else from using Napster and only allow Napster connections to your IP address. It’s completely up to you; they are your access control lists. Don’t have too much fun now!
Let’s say there is a toll booth to cross a bridge, but only at one end of the bridge. Those entering the bridge have to pay to go across, and those leaving the bridge after crossing it have to pay the toll to get off. ACLs work much the same way when applied to interfaces on Cisco routers: each interface can have an inbound ACL and an outbound ACL.
Once you have ACLs configured on a router, they are processed one statement at a time in a top-down fashion. Imagine you were in a car wanting to cross our toll bridge, and before you could pay, your car also had to meet certain criteria. The lady at the booth would get her clipboard out and, starting at the top, check each item on her list. Does it have four wheels? Is the car blue? Does it have a California license plate? Is it a sedan? Let’s say your car was yellow. Because it wasn’t blue, your car would immediately be discarded; somehow you would have to turn around even though there is a long line of cars honking at you. Once an ACL finds a statement that is not true in its top-down approach, it literally stops right there, discards the packet, and does not even look at the rest of the list.
Some of the toll booth workers are only allowed to check the source of your car and don’t care at all about your final destination; they only check your license plate to see whether you came from Arizona or Nevada. These are called Standard Access Control Lists. They can only check the source IP of the packet, and you will want to place a Standard ACL as close to the destination as possible to prevent accidentally discarding the packet too early.
All numbered ACLs must be given a number when they are configured. Standard ACLs use the range 1-99. Many years later an additional range was provided as well: 1300-1999.
The senior toll booth workers are able to check the source, the destination, and also the port you are traveling to. Because there are a lot more criteria they have to work with, these ACLs are highly customizable. These are known as Extended Access Control Lists. Because Extended ACLs can be customized much further than Standard ACLs, you can place them very close to the source to prevent packets from traversing the network and using up valuable bandwidth if they are just going to be discarded anyway. This is why it is much better to place them as close to the source as possible.
The range of Extended ACL numbers is 100-199 and 2000-2699.
ACLs for Controlling Telnet Access
ACLs can also be used to control access to the telnet VTY lines. This way you can make sure that telnet access to a router is only possible from certain IP addresses. When configuring an ACL for telnet, be sure to use the access-class command when applying the ACL.
All ACLs have what is called an implicit deny statement at the very bottom of the list. Even though it isn’t listed when you look at the ACL, it behaves like “deny any”, meaning that it will discard every packet that reaches it. This means that when you are configuring an ACL you need to make sure you have at least one permit statement; otherwise every single packet will be discarded.
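Added example, not from this page, Cisco, or the ICND2 cram sheet: a small Python simulator of the processing rules described above (top-down evaluation, standard ACLs matching only the source, extended ACLs matching source, destination, protocol and port, the numbered ranges, and the implicit deny). The ACL numbers, entries and packets below are constructed for the example; the first entry that matches a packet decides its fate, and a packet that matches nothing falls through to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    src: str                     # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address + wildcard mask)
    dst: str = "any"             # consulted only by extended ACLs
    proto: str = "ip"            # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    dport: Optional[int] = None  # destination port ("eq N"), extended ACLs only

def is_standard(number: int) -> bool:
    return 1 <= number <= 99 or 1300 <= number <= 1999      # standard ranges from the text

def is_extended(number: int) -> bool:
    return 100 <= number <= 199 or 2000 <= number <= 2699   # extended ranges from the text

def wildcard_match(spec: str, ip: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):                 # "host X" is shorthand for "X 0.0.0.0"
        spec = spec[5:] + " 0.0.0.0"
    addr, wild = spec.split()
    a, w, i = (int(ipaddress.IPv4Address(x)) for x in (addr, wild, ip))
    care = ~w & 0xFFFFFFFF                       # bits that must match exactly
    return (a & care) == (i & care)

def evaluate(number: int, entries: list, pkt: dict) -> str:
    """Walk the ACL top down; the first matching entry decides, else implicit deny."""
    standard = is_standard(number)
    if not standard and not is_extended(number):
        raise ValueError("ACL %d is outside the standard and extended ranges" % number)
    for e in entries:
        hit = wildcard_match(e.src, pkt["src"])  # a standard ACL checks only the source
        if not standard:
            hit = hit and wildcard_match(e.dst, pkt["dst"]) \
                and e.proto in ("ip", pkt["proto"]) \
                and (e.dport is None or e.dport == pkt.get("dport"))
        if hit:
            return e.action                      # nothing below this line is consulted
    return "deny"                                # the unlisted "deny any" at the bottom

# Constructed sample ACLs: 10 is a standard ACL, 101 is an extended ACL.
ACL10 = [Entry("permit", "192.168.1.0 0.0.0.255")]
ACL101 = [Entry("permit", "host 10.0.0.5", "any", "tcp", 23),  # admin host may telnet anywhere
          Entry("deny", "any", "any", "tcp", 23),              # nobody else may telnet
          Entry("permit", "192.168.1.0 0.0.0.255", "any")]     # the LAN gets everything else
```

The second packet in the test below is telnet from the LAN: the deny on line 2 matches first, so the permit on line 3 is never reached.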
You can only have one ACL per protocol, per interface, and per direction. This means that if you have an IP ACL on interface Ethernet 0/0 in the outbound direction, you can’t configure another one with the exact same criteria.
Named or Numbered
An ACL can either be entered as a named ACL or a numbered ACL. The difference between these two types is that with a named ACL you can add/remove individual lines in your ACL, but with a numbered ACL to make any changes you will have to delete the entire ACL and start over.
Configuring an ACL
For example configurations of all the different types of ACLs, please refer to the ACL section in my ICND2 Cram Sheet.
ICND1 Study Guide – The Fastest Way To Get Cisco Certified Guaranteed!