Access Control Lists (ACLs) are a set of rules defined on a router or switch interface to filter traffic. They are the first line of defense in network security.
Traffic Control
ACLs can permit or deny packets based on source IP, destination IP, port numbers, and protocols (TCP/UDP/ICMP).
Types of ACLs
| Feature | Standard ACL | Extended ACL |
|---|---|---|
| Range | 1-99, 1300-1999 | 100-199, 2000-2699 |
| Filters | Source IP Only | Source, Dest, Protocol, Port |
| Placement | Close to Destination | Close to Source |
How ACLs Work
- Sequential Processing: Rules are checked from top to bottom. Once a match is found, the action is taken immediately.
- Implicit Deny: At the very end of every ACL, there is an invisible "deny all" rule. If no match is found, the packet is dropped.
- Directional: Must be applied Inbound or Outbound on a specific interface.
The Implicit Deny Trap
Always remember that an ACL with only `deny` statements will block ALL traffic, because if it doesn't match a `deny`, it hits the implicit `deny any` at the end anyway!
Wildcard Masks
ACLs use wildcard masks (the inverse of a subnet mask) to define matching ranges: a 0 bit in the wildcard means that bit of the address must match, and a 1 bit means it is ignored.
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# interface g0/0
Router(config-if)# ip access-group 10 in
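To make the rules under "How ACLs Work" and "Wildcard Masks" concrete, here is an added example (not part of the original notes, and not Cisco code) that simulates standard-ACL evaluation in Python: wildcard matching, top-to-bottom processing where the first match wins, and the implicit deny. The sample ACL entries and addresses are constructed for illustration.

```python
# Added example: simulate how a standard ACL is evaluated.
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str]  # (action, network, wildcard)


def wildcard_from_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit must match; bit 1 = ignore it."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def evaluate_acl(acl: List[Rule], src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule).

    Rules are checked top to bottom and the first match wins. If nothing
    matches, the implicit 'deny any' at the end applies (index None).
    """
    for idx, (action, network, wildcard) in enumerate(acl):
        if wildcard_match(src_ip, network, wildcard):
            return action, idx
    return "deny", None  # implicit deny at the end of every ACL


# Constructed ACL: block one host, then permit the rest of 192.168.1.0/24.
# Order matters: if the two lines were swapped, the host would be permitted.
ACL_10: List[Rule] = [
    ("deny", "192.168.1.50", "0.0.0.0"),     # wildcard 0.0.0.0 = exact host
    ("permit", "192.168.1.0", wildcard_from_mask("255.255.255.0")),
]

# The "implicit deny trap": an ACL made only of deny statements blocks everything.
DENY_ONLY_ACL: List[Rule] = [("deny", "10.0.0.0", "0.255.255.255")]

if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.7", "10.1.2.3"):
        print(ip, evaluate_acl(ACL_10, ip))
    # 172.16.0.1 matches no deny line, yet is still dropped by the implicit deny.
    print("172.16.0.1", evaluate_acl(DENY_ONLY_ACL, "172.16.0.1"))
```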