How to place Standard ACL and Extended ACL

/ /

How to place Standard ACL and Extended ACL

Are you often puzzled by the differences between standard and extended access lists? You’re not alone. Understanding these two types of access lists is crucial for network security management. In this article, we dive deep into the world of access lists to unravel the secrets behind their functionalities.

As the name suggests, standard access lists are basic filters that allow or deny traffic based on source IP addresses. On the other hand, extended access lists offer more advanced features, allowing you to filter traffic based on source and destination IP addresses and other parameters such as protocols and port numbers.

By delving into the intricacies of these access lists, you’ll understand how each works and how to implement them effectively in your network infrastructure. Whether you’re an IT professional or a networking enthusiast, this article will provide you with the knowledge you need to enhance your network security.

So, let’s get started and unlock the secrets of standard and extended access lists!

Standard ACLs Placement

As the name suggests, standard access lists are basic filters that allow or deny traffic based on source IP addresses. When configuring a standard access list, you can specify a range of source IP addresses you want to permit or deny access to certain network resources. The main advantage of using standard access lists is their simplicity and ease of implementation.

Unlike extended access lists, standard access lists do not consider the destination IP address, protocols, or port numbers, which limits their filtering capabilities. Standard access lists are generally used for simple filtering tasks, such as blocking specific IP addresses or allowing access from a specific range of IP addresses.

To create a standard access list, you must assign a number, typically 1 to 99 or 1300 to 1999. The lower the number, the higher the priority of the access list. Each access list entry consists of a permit or deny statement followed by the source IP address or a wildcard mask. The wildcard mask specifies the range of IP addresses you want to permit or deny.

We know that standard ACLs only filter traffic based on a source address. The basic rule of standard ACLs requires placement that is possibly close to the destination network. This allows the traffic to arrive at all other networks except those where the packets will be filtered. In the figure below, we want to prevent traffic from the 192.168.2.0/24 network from reaching the 192.168.4.0/24 network.

Standard ACL

If we place the standard ACL on the inbound interface of Router0, this will stop the 192.168.2.0/24 network traffic from reaching any other network. If we place ACL on the outbound interface towards Router1, this will stop 192.168.2.0/24 traffic from reaching any network of Router1.

If we place the ACL on the router’s inbound or outbound interface, this will also prevent traffic from the 192.168.2.0/24 network from reaching any of Router1 and Router2’s networks. If we place the ACL inbound on interface Fa1/0 of Router2, this will also stop all traffic from the 192.168.2.0 network from reaching any of Router2’s networks.

So, the best place to place the ACL is Router 1’s Eth 1/0 interface. This is the closest interface to the destination. Therefore, we would apply a standard Ethernet 1/0 outbound interface ACL. This will prevent traffic from 192.168.2.0/24 from entering the Ethernet 1/0 interface and reaching 192.168.4.0/24 and all other networks reachable to the 192.168.4.0/24 network.

Extended ACLs Placement

On the other hand, extended access lists offer more advanced features. They allow you to filter traffic based on source and destination IP addresses and other parameters such as protocols and port numbers. Extended access lists provide a higher level of granularity and flexibility compared to standard access lists.

With extended access lists, you can specify the source IP address and the destination IP address. This allows you to control access to specific network resources based on source and destination. In addition, extended access lists consider the protocols and port numbers associated with the traffic, giving you even more control over the types of traffic allowed or denied.

To create an extended access list, you must assign it a number between 100 and 199 or 2000 and 2699. Similar to standard access lists, the lower the number, the higher the priority. Each entry in an extended access list consists of a permit or deny statement followed by the source and destination IP addresses, protocols, and port numbers.

It can filter traffic based on the source address, destination address, protocol type, and port number. Extended ACL gives more flexibility in filtering the kind of traffic and where to place the ACL. The basic rule for identifying an extended ACL is to put it close to the traffic’s source. Extended ACL filters unnecessary traffic from being sent across multiple networks.

Extended ACL

The network administrator places extended ACLs on devices that they can easily control. In the figure, the administrator wants to control FTP and telnet traffic from the 192.168.1.0/24 and 192168.2.0/24 networks. At the same time, all other traffic from both networks must be permitted to leave Router3 without any restriction.

There are several ways to accomplish these goals. We can configure an extended ACL inbound to Router3 Fa0/0 and Fa0/1 networks. However, this is not a best practice because we should configure an extended ACL inbound for both ACLs.

A best practice is to place an extended ACL on Router3 interface  Fa0/1 outbound. The extended ACL specifies both source and destination addresses and enforces the rule, “Telnet and FTP traffic from the 192.168.1.0/24 and 192.168.2.0/24 network is not allowed to go to the 192.168.3.0/24 network.

The above type of ACL may also depend on the following:

  • Ease of configuration– If we want to deny traffic coming from several networks, The first option is to use a single standard ACL on the closest to the destination. However, the main disadvantage of this ACL is the unnecessary use of bandwidth. So, we can configure an extended ACL on each router source router. This will save bandwidth by filtering the traffic at the source, but this requires creating extended ACLs for several routers.
  • The extent of the network administrator’s control– Placement of the ACL also depend on the network administrator. He can control both the source and destination networks using an ACLs.
  • The bandwidth of the networks – Filtering unwanted traffic at the source prevents consumption of the bandwidth. This is important in low bandwidth networks.
  • Entering Criteria Statements. Then router receives traffic, the traffic is compared to all the access control entries in the order that the entries listed. The router continues comparing the access control entries until it finds the first match. The router will process the packet based on the first match found, and it will terminate by comparing more access control entries.
  • If no matches are found in the access control entries and the router reaches the end of the list, the traffic is denied. This is because, by default, there is an implied deny at the end of all access control lists for traffic that was not matched to a configured entry. A single-entry access control list with only one denied entry has the effect of banning all traffic. So, one permit entry must be configured in an access control list.

Key Differences Between SACLs and EACLs

Now that we have a basic understanding of standard and extended access lists let’s explore their key differences.

The first major difference is that standard access lists only consider the source IP address, while extended access lists consider both the source and destination IP addresses. This means standard access lists are limited in controlling access to specific network resources based on the destination.

The second difference is that extended access lists provide more granular control over the types of traffic allowed or denied. With extended access lists, you can filter traffic based on protocols and port numbers, allowing you to have fine-grained control over the types of traffic that are permitted or denied.

Another important difference is the range of access list numbers that can be used. Standard access lists typically use numbers ranging from 1 to 99 or 1300 to 1999, while extended access lists use numbers ranging from 100 to 199 or 2000 to 2699. Choosing the appropriate range when creating access lists is important to avoid conflicts and ensure proper functionality.

Understanding the Syntax and Structure of SACLs

To effectively configure and implement standard access lists, it is crucial to understand their syntax and structure. Standard access lists are created using the access-list command, followed by the access list number and the permit or deny statement. The source IP address or wildcard mask is then specified to define the range of IP addresses allowed or denied.

For example, to create a standard access list that denies access from a specific IP address, you would use the following syntax:

access-list <access-list-number> deny <source-ip-address>

To create a standard access list that permits access from a specific range of IP addresses, you would use the following syntax:

access-list <access-list-number> permit <source-ip-address> <wildcard-mask>

It’s important to note that standard access lists are processed top-down, meaning that the first match determines the outcome. Therefore, it’s crucial to carefully consider the order of the access list entries to ensure that they are applied correctly.

Common use cases for Standard Access Control Lists (SACLs)

Standard Access Control Lists (SACLs) are the simpler of the two types of access lists. They are used primarily for filtering traffic based on source IP addresses. Let’s explore some common use cases for SACLs:

1. Restricting access to internal resources

One main use case for SACLs is restricting access to internal resources within a network. For example, you may want to allow access to a specific server from only a certain range of IP addresses. By configuring a SACL with the appropriate source IP addresses, you can effectively control access to the server and prevent unauthorized access from other IP ranges.

2. Blocking specific IP addresses

Another common use case for SACLs is blocking specific IP addresses or ranges from accessing your network. This can be useful when dealing with known malicious IP addresses or when you want to block traffic from a specific country or region. By creating a SACL that denies traffic from the specified IP addresses, you can effectively block unwanted traffic and enhance the security of your network.

3. Prioritizing network traffic

SACLs can also prioritize network traffic based on source IP addresses. This can be particularly useful in scenarios where you have limited bandwidth and must ensure that critical traffic gets priority over non-critical traffic. By configuring a SACL that allows traffic from necessary IP addresses while denying or limiting traffic from other IP addresses, you can effectively manage your network resources and ensure optimal performance.

In summary, SACLs are primarily used to filter traffic based on source IP addresses. They can also restrict access to internal resources, block specific IP addresses, and prioritize network traffic. Now, let’s explore the common use cases for Extended Access Control Lists (EACLs).

Common use cases for Extended Access Control Lists (EACLs)

Extended Access Control Lists (EACLs) offer more advanced filtering capabilities than SACLs. In addition to source IP addresses, EACLs can filter traffic based on destination IP addresses, protocols, and port numbers. Let’s dive into some common use cases for EACLs:

1. Controlling traffic based on source and destination IP addresses

One of the key advantages of EACLs is the ability to filter traffic based on source and destination IP addresses. This allows for more granular control over network traffic. For example, you may want to allow traffic from a specific source IP address to a specific destination IP address while denying traffic from other combinations of source and destination IP addresses. EACLs can be configured to achieve this level of control and enhance network security.

2. Filtering traffic based on protocols and port numbers

EACLs also allow traffic to be filtered based on protocols and port numbers. This is particularly useful when dealing with specific applications or services that use well-known port numbers. For example, you may want to allow traffic on port 80 for web browsing but block traffic on port 23 for Telnet access. By configuring an EACL with the appropriate protocol and port number restrictions, you can effectively control the flow of network traffic and ensure the security of your network.

3. Implementing access control for different network segments

EACLs can be used to implement access control between different network segments. For example, if you have a network with multiple VLANs, you may want to allow communication between specific VLANs while blocking communication between others. By configuring EACLs on the router or switch connecting the VLANs, you can control traffic flow between the different segments and enforce network segmentation for improved security.

In summary, EACLs offer advanced filtering capabilities compared to SACLs. They can control traffic based on source and destination IP addresses, filter traffic based on protocols and port numbers, and implement access control between network segments. Now, let’s conclude our exploration of standard and extended access lists.

Conclusion

This article has unlocked the secrets behind standard and extended access lists (SACLs and EACLs). We have explored the everyday use cases for both and understand how each type of access list can enhance network security.

Standard access lists are primarily used for filtering traffic based on source IP addresses. In contrast, extended access lists offer more advanced features, such as filtering based on source and destination IP addresses, protocols, and port numbers. By understanding the differences between these two types of access lists, you can effectively implement access control measures in your network infrastructure.

Whether you’re restricting access to internal resources, blocking specific IP addresses, prioritizing network traffic, controlling traffic based on source and destination IP addresses, filtering traffic based on protocols and port numbers, or implementing access control for different network segments, access lists play a crucial role in network security management.

Asad Ijaz

NetworkUstad's lead networking architect with CCIE certification. Specializes in CCNA exam preparation and enterprise network design. Authored 2,800+ technical guides on Cisco systems, BGP routing, and network security protocols since 2018. Picture this: I'm not just someone who writes about tech; I'm a certified expert in the field. I proudly hold the titles of Cisco Certified Network Professional (CCNP) and Cisco Certified Network Associate (CCNA). So, when I talk about networking, I'm not just whistling in the dark; I know my stuff! My website is like a treasure trove of knowledge. You'll find a plethora of articles and tutorials covering a wide range of topics related to networking and cybersecurity. It's not just a website; it's a learning hub for anyone who's eager to dive into the world of bits, bytes, and secure connections. And here's a fun fact: I'm not a lone wolf in this journey. I'm a proud member and Editor of Team NetworkUstad. Together, we're on a mission to empower people with the knowledge they need to navigate the digital landscape safely and effectively. So, if you're ready to embark on a tech-savvy adventure, stick around with me, Asad Ijaz Khattak. We're going to unravel the mysteries of technology, one article at a time!"

→ Asad Ijaz

1 Comment

  1. IPv6 ACLs Types and Configuration » Networkustad
    September 22, 2019 @ 5:11 pm

    […] than IPv6 ACLs are not difficult for you to understand and configure. IPv4 are two types of ACLs, standard and extended, both can either numbered or named ACLs but IPv6 ACLs are only one type, similar to IPv4 extended […]