Menu
What is an Access Control List (ACL)? – Brief Explanation

What is an Access Control List (ACL)? – Brief Explanation

An Access Control List (ACL) refers to a set of rules usually used to filter network traffic. The rules specify which users are granted access to that object and the operations it is allowed to perform.  We can configure the Access Control List (ACL) on network devices with packet filtering compatibilities, such as routers and firewalls.

An Access Control List (ACL) contains a list of specific conditions and categories that help you determine when to allow or deny network traffic. We can also apply these conditions on the interface basis to packets leaving or entering an interface. There are two types of Access Control Lists (ACL) available on a Cisco device:

  • Standard Access Control List
  • Extended Access Control List

An Access Control List (ACL) is the most commonly used feature of Cisco IOS software, and the ACL can perform the following tasks in our network:

Increase Network Performance

The ACLs increase network performance due to reducing the network load. For example, if company policy does not allow video traffic on the network, it uses ACLs to block video traffic and increase its network performance.

Provide traffic flow control.

We can use ACLs to limit the delivery of routing updates when updates not required. This can preserved network bandwidth.

Network Security

An Access Control List (ACL) can also provide a basic level of network security. It can allow one host to access a part of the network and stop another host from accessing the same area.

Filtering Network Traffic

We can also use ACLs to filter network traffic based on the traffic type. For example, an ACL can permit email traffic but block all Telnet traffic.  We can also use ACL to permit or deny hosts access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.

By default, a router does not have ACLs configured, so a router does not filter traffic by default. Traffic enters the router and is routed exclusively using the information within the routing table.

But, when an ACL is configured and applied to an interface, the router filters and checks each packet to determine if the packet can be forwarded or not. We can also use ACLs to classify traffic to enable priority processing.  We can use ACL to permit or deny a specific type of network traffic.

Packet Filtering with Access Control List (ACL)

ACL is a technique that monitors outgoing and incoming packets and allows them to pass or halt based on the source and destination IP address protocols and ports. Packet filtering is also known as static filtering.

We can configure a filter rule on the network, and then the router acts as a packet filter during sending, receiving, forwarding, and denying packets according to filtering rules. The router is configured with packet filtering rules to open, read, and extract specific information from the packet header. The router makes routing decisions from this information based on configured rules on whether the packet can pass through or be required to be discarded.

Packet filtering can work at the transport layer, the network layer of the OSI model, and the internet layer of the TCP/IP model. Rules configured on the router determine whether to permit or deny traffic. A router also performs packet filtering at the transport layer. It can filter packets based on the source and destination port of the TCP or UDP segment.

An ACL contains a list of permit or deny statements, also known as access control entries. Access Control Entries (ACEs), commonly known as ACL statements. We configure the ACL statements to filter traffic based on specific criteria, such as the packet’s source address, destination address, protocol, and port numbers.

When a packet passes through an interface configured with an ACL, the router compares the information within the packet with every ACE in chronological order to decide on statement matching. In case of a founding match, the router processed the packet accordingly. So, the ACLs control access to a network or subnet using the rules. The ACLs extracts the following information from the packet:

Layer 3 Information:

  • Source IP address
  • Destination IP address
  • ICMP message type

Layer 4 Information:

  • TCP/UDP source port
  • TCP/UDP destination port

Asad Ijaz

Hey there, I'm Asad Ijaz Khattak, and I'm not your typical writer and blogger – I'm the voice behind the scenes at the renowned website, "networkustad.com." When it comes to the digital realm, I'm all about technology, networking, and cybersecurity. Picture this: I'm not just someone who writes about tech; I'm a certified expert in the field. I proudly hold the titles of Cisco Certified Network Professional (CCNP) and Cisco Certified Network Associate (CCNA). So, when I talk about networking, I'm not just whistling in the dark; I know my stuff! My website is like a treasure trove of knowledge. You'll find a plethora of articles and tutorials covering a wide range of topics related to networking and cybersecurity. It's not just a website; it's a learning hub for anyone who's eager to dive into the world of bits, bytes, and secure connections. And here's a fun fact: I'm not a lone wolf in this journey. I'm a proud member and Editor of Team NetworkUstad. Together, we're on a mission to empower people with the knowledge they need to navigate the digital landscape safely and effectively. So, if you're ready to embark on a tech-savvy adventure, stick around with me, Asad Ijaz Khattak. We're going to unravel the mysteries of technology, one article at a time!"

→ Asad Ijaz

Related Posts

9 Comments

  1. ACL Operation » Networkustad
    September 2, 2019 @ 10:50 am

    […] I discuss the Access Control List (ACL) in my previous articles that it is a technique used for monitoring outgoing traffic as well as […]

    Reply

  2. IPv4 ACLs Types – Cisco Routers » Networkustad
    September 2, 2019 @ 1:25 pm

    […] are many different IPv4 ACLs types, for example, access control lists for IP version 4, for IP version 6, for IPX, for DECnet, […]

    Reply

  3. Wildcard Masking – ACL » Networkustad
    September 2, 2019 @ 3:01 pm

    […] ACLsWildcard Mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match. We use wildcard masking in several places, for example: To indicate the size of a network or subnet for some routing protocols, such as OSPF. The IPv6 ACLs uses prefix-length to indicate how much of an IPv6 source or destination address should be matched. […]

    Reply

  4. General Guidelines for Creating ACLs » Networkustad
    September 2, 2019 @ 3:16 pm

    […] Access Control List (ACL) configuration is not an easy task. There may be multiple policies required to manage the type of traffic allowed to enter or exit to the interface. Suppose we have a router with two interfaces. Both interfaces configured with IPv4 and IPv6. If we required ACLs for both IPv4 and IPv6, on both interfaces and in both directions (inbound and outbound), each interface required four ACLs, one ACL for IPv4, one ACL for IPv6, one ACL for inbound traffic and one ACL for outbound traffic. […]

    Reply

  5. Standard and Extended ACL Placement » Networkustad
    September 2, 2019 @ 4:43 pm

    […] ACL should be placed where it has the greatest impact on efficiency. Improper implementation causes […]

    Reply

  6. ACL Statistics » Networkustad
    September 10, 2019 @ 2:38 pm

    […] ACL has configured and applied to an interface and block some traffic then we can check the statistics […]

    Reply

  7. Extended ACLs » Networkustad
    September 21, 2019 @ 4:13 am

    […] number of extended ACLs starts from 100 to 199 and 2000 to 2699, providing a total of 799 possible extended numbered ACLs. […]

    Reply

  8. Inbound and Outbound ACL Logic » Networkustad
    September 21, 2019 @ 4:26 pm

    […] a router receives a packet the router start comparing the information in packet header with the ACL, If packet header information and an ACL entry match, the rest of the entries in ACLs are skipped, […]

    Reply

  9. Troubleshooting Common ACL Errors » Networkustad
    September 22, 2019 @ 10:21 am

    […] can troubleshoot the ACL error using the show commands as we discussed earlier. The wrong order ACEs are the most common […]

    Reply

Leave a Reply

Back To Top
All Rights Reserved to NetworkUstad Team Powered by team NetworkUstad