We know how to route packets, but what if we want to block a packet, or control who is permitted to reach a given destination? An ACL contains predefined rules that control which packets or routing updates are allowed or denied access to a network.
What is an ACL?
An ACL is typically defined as a list of rules that specify the conditions under which a packet should be allowed or denied. These rules can be based on various packet attributes, such as the source and destination IP addresses, the protocol being used (such as TCP or UDP), and the port number being used.
For example, a network administrator might use an ACL to allow only certain types of traffic to pass through a firewall, such as HTTP or HTTPS traffic. The ACL would specify the IP addresses and port numbers associated with these types of traffic and would allow packets that match these criteria to pass through the firewall. Packets that do not match the criteria specified in the ACL would be denied access.
ACLs can be used to secure a network by limiting the types of traffic that are allowed to pass through it. They can also be used to improve the performance of a network by allowing only the traffic that is necessary for the operation of the network to pass through while blocking unnecessary or unwanted traffic.
Types of ACL
There are several types of access control lists (ACLs) that can be used in different contexts:
- Standard ACLs: These ACLs use basic criteria, such as source IP address, to control access to a resource. Standard ACLs are typically used to filter traffic based on the source of the packet.
- Extended ACLs: These ACLs use more complex criteria, such as protocol and port number, to control access to a resource. Extended ACLs are typically used to filter traffic based on both the source and destination of the packet.
- Named ACLs: These ACLs are defined by a name, rather than a number, and can be used to organize and manage large numbers of ACLs more easily.
- Dynamic ACLs: These ACLs can be configured to allow or deny access to a resource based on conditions that are evaluated at runtime, rather than being statically defined in the ACL.
- Time-based ACLs: These ACLs allow or deny access to a resource based on the time of day or the day of the week. They can be used to implement different access policies at different times.
- Role-based ACLs: These ACLs allow or deny access to a resource based on the role or permissions of the user requesting access. They can be used to implement fine-grained access control based on the responsibilities of different users within an organization.
Masks
Masks are used with IP addresses in IP ACLs to specify what must be permitted and denied. The masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 10.165.202.129 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the result determines which address bits to consider when traffic is processed. A 0 indicates that the address bit must be considered (exact match); a 1 in the mask is a "do not care". The following example further explains the concept.
Mask Example
- network address (traffic that is to be processed): 10.1.1.0
- mask: 0.0.0.255
- network address (binary): 00001010.00000001.00000001.00000000
- mask (binary): 00000000.00000000.00000000.11111111
Based on the binary mask, you can see that the first three sets (octets) must match the given binary network address exactly (00001010.00000001.00000001). The last octet is a "do not care" (.11111111), so all traffic that begins with 10.1.1. matches. With this mask, network addresses 10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed.
Subtract the normal mask from 255.255.255.255 in order to determine the ACL inverse mask. In this example, the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0.
- 255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)
Notice the ACL equivalents.
- The source/wildcard of 0.0.0.0/255.255.255.255 means any.
- The source/wildcard of 10.1.1.2/0.0.0.0 is the same as host 10.1.1.2.
Implementation
Configuration
Standard ACL Commands
Router>en
Router#conf t
Router(config)#! standard ACL: matches on source address only
Router(config)#access-list 10 deny host 192.168.0.2
Router(config)#! everything not denied above is permitted; without this line the implicit deny would drop all remaining traffic
Router(config)#access-list 10 permit any
Router(config)#int g 0/0/1
Router(config-if)#! apply the ACL to traffic leaving this interface
Router(config-if)#ip access-group 10 out
Router(config-if)#exit
Router(config)#exit
Router#wr
Extended ACL Commands
Router>en
Router#conf t
Router(config)#! extended ACL: block TCP from any source to the host 192.168.1.100 on port 80
Router(config)#access-list 110 deny tcp any host 192.168.1.100 eq 80
Router(config)#! all other IP traffic is permitted
Router(config)#access-list 110 permit ip any any
Router(config)#int g 0/0/1
Router(config-if)#ip access-group 110 out
Router(config-if)#exit
Router(config)#exit
Router#wr
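As an added example (not part of the original page and not Cisco's software), the following Python models the wildcard-mask arithmetic from the Masks section and the top-down, first-match, implicit-deny evaluation of the two ACLs configured above. The packet dictionary fields and the entry tuple layout are constructed for illustration.

```python
# Added example (not the page's IOS config): wildcard matching and
# first-match ACL evaluation, modelled on the page's ACL 10 and ACL 110.
from ipaddress import IPv4Address

def inverse_mask(normal_mask: str) -> str:
    """ACL wildcard mask = 255.255.255.255 minus the normal subnet mask."""
    return str(IPv4Address(0xFFFFFFFF - int(IPv4Address(normal_mask))))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match exactly; 1 bits are 'do not care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)

ANY = ("0.0.0.0", "255.255.255.255")      # source/wildcard meaning "any"

def host(ip: str):
    return (ip, "0.0.0.0")                 # host x.x.x.x == x.x.x.x/0.0.0.0

# An entry is (action, protocol, src, src_wc, dst, dst_wc, dst_port);
# protocol "ip" and dst_port None match any protocol / any port.
def evaluate(acl, pkt: dict) -> str:
    """Entries are tested top-down; the first match wins. No match at all
    falls through to the implicit deny at the end of every ACL."""
    for action, proto, src, src_wc, dst, dst_wc, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], src, src_wc):
            continue
        if not wildcard_match(pkt["dst"], dst, dst_wc):
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        return action
    return "deny"

# access-list 10 deny host 192.168.0.2 / permit any  (standard: source only)
ACL_10 = [("deny", "ip", *host("192.168.0.2"), *ANY, None),
          ("permit", "ip", *ANY, *ANY, None)]
# access-list 110 deny tcp any host 192.168.1.100 eq 80 / permit ip any any
ACL_110 = [("deny", "tcp", *ANY, *host("192.168.1.100"), 80),
           ("permit", "ip", *ANY, *ANY, None)]

if __name__ == "__main__":
    # Constructed sample packet: TCP to the web server on port 80.
    web = {"src": "10.1.1.7", "dst": "192.168.1.100", "proto": "tcp", "dport": 80}
    print(inverse_mask("255.255.255.0"))             # 0.0.0.255
    print(evaluate(ACL_110, web))                    # deny
    print(evaluate(ACL_110, {**web, "dport": 443}))  # permit
```

Removing the final `permit` entry from either list and re-running shows the implicit deny dropping every packet that the explicit entries do not match.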