Learning Objectives
- Understand what ACLs are and why they exist
- Distinguish standard from extended ACLs
- Apply ACL entry ordering rules
- Troubleshoot common ACL misconfigurations
The Guard at the Gate
Imagine a bouncer at a club with a clipboard. Every person approaching gets checked: name, ID, maybe what they're wearing. Some get waved through, others are turned away. The bouncer checks each rule in order and stops at the first match.
That's an ACL.
An Access Control List (ACL) is a sequential list of permit or deny rules applied to a router or firewall interface. The device inspects each packet against the rules in order. As soon as a rule matches, the packet is either permitted or denied and no further rules are checked. An implicit deny at the end means if no rule matches, the packet is dropped.
Standard vs Extended ACLs
Standard ACLs filter only by source IP address and use numbers 1–99 or 1300–1999. Extended ACLs filter by source, destination, protocol, and port using numbers 100–199 or 2000–2699.
Extended ACLs are more precise. A standard ACL might block all traffic from 10.0.1.0/24, while an extended ACL can block only SSH traffic from 10.0.1.0/24 to a specific server.
ACL Placement Matters
Standard ACLs should be placed as close to the destination as possible because they only inspect source addresses. Extended ACLs should be placed as close to the source as possible to filter early and conserve bandwidth.
Rule Order is Critical
Rules are evaluated top-down. The first match wins. A common mistake is placing a broad permit before a specific deny, accidentally allowing traffic that should be blocked. On Cisco IOS, rules are numbered by sequence number, and new rules can be inserted between existing ones.
Standard ACL Configuration
Build a numbered standard ACL and apply it to an interface.
access-list {number} {action} {source}
interface {iface}
ip access-group {number} {direction}What is the resulting IP access list entry number that gets matched first?
Named ACLs
Modern networks use named ACLs, which allow descriptive names instead of numbers. Named ACLs also allow individual rule insertion and deletion by sequence number, making management much cleaner than numbered ACLs.
What happens to a packet that does not match any ACL rule?
An extended ACL should be placed as close as possible to the...
Key Takeaways
- ACLs are sequential rule lists applied to interfaces
- Standard ACLs filter by source only; extended ACLs filter by source, destination, protocol, and port
- Rules are evaluated top-down with first match winning
- An implicit deny all exists at the end of every ACL
- Place extended ACLs close to the source, standard ACLs close to the destination
- Named ACLs offer better management than numbered ACLs