Configure and Verify Access Control Lists (ACLs)
Why ACLs Are Important
Access Control Lists are fundamental security mechanisms in network infrastructure. They act as gatekeepers, controlling which traffic is permitted or denied through network devices. ACLs protect sensitive resources, segment network traffic, and enforce security policies. For CCNA candidates, understanding ACLs is essential as they form the backbone of network security implementation.
What Are Access Control Lists?
An ACL is an ordered list of rules that filter traffic based on fields in the packet headers. Each rule, called an Access Control Entry (ACE), is compared against the packet's Layer 3 header (and, for extended ACLs, the Layer 4 header as well) and yields a permit or deny decision. An ACL takes effect only when it is applied to a router or switch interface in a direction (inbound or outbound); a standard ACL can also be applied to the VTY lines with access-class to restrict which hosts may open a Telnet or SSH session to the device.
Types of ACLs:
Standard ACLs (1-99, 1300-1999):
- Filter on the source IP address only
- Should be placed close to the destination, because a source-only filter placed near the source would also cut that host off from destinations it is allowed to reach
- Less granular control
Extended ACLs (100-199, 2000-2699):
- Filter on source IP, destination IP, protocol, and port numbers
- Should be placed close to the source, so unwanted traffic is dropped before it crosses the network
- More granular and precise control
Named ACLs:
- Use descriptive names instead of numbers
- Easier to identify and manage
- Can be standard or extended
How ACLs Work
1. Sequential Processing: the router compares a packet against the entries from top to bottom. The first entry that matches decides the packet's fate and no later entry is consulted, so a later, more specific entry can never override an earlier, broader one.
2. Implicit Deny: every ACL ends with an invisible deny entry (deny any for a standard ACL, deny ip any any for an extended ACL). Traffic that matches no explicit entry is dropped, and because the implicit entry is invisible it is neither counted nor logged; add an explicit deny with the log keyword if you need to see what is being dropped. Note the opposite edge case: an ACL that exists but has no entries permits everything when applied.
3. Interface Application: an ACL has no effect until it is applied to an interface with a direction (in or out) using ip access-group. Outbound ACLs do not filter packets the router itself generates, only transit traffic.
Configuration Commands:
Standard ACL:
access-list 10 permit 192.168.1.0 0.0.0.255
interface GigabitEthernet0/1
ip access-group 10 in
Extended ACL:
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
interface GigabitEthernet0/0
ip access-group 100 out
Named ACL:
ip access-list extended WEB-TRAFFIC
permit tcp any host 10.0.0.5 eq 443
deny ip any any log
interface GigabitEthernet0/1
ip access-group WEB-TRAFFIC in
The explicit deny ip any any log at the end changes nothing about what is dropped (the implicit deny would drop it anyway), but it makes the drops visible in the match counters and in the log.
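The ACLs above, evaluated the way the router evaluates them, as an added example in Python (not code from the page or from Cisco): it parses the entries in IOS syntax, walks each list top-down, applies the first match and falls through to the implicit deny. The ORDER-MATTERS list, the sample packets, and the parser's limits (only the syntax used on this page: ip/tcp/udp/icmp, any, host, address plus wildcard, eq port, a trailing log) are assumptions made for the example.

```python
"""Added example: a small model of IOS ACL evaluation (first match wins,
implicit deny at the end). Supports only the syntax used on this page."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: the page's three ACLs plus ORDER-MATTERS, a hypothetical
# named ACL whose broad deny sits above a more specific permit.
SAMPLE_CONFIG = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
ip access-list extended WEB-TRAFFIC
 permit tcp any host 10.0.0.5 eq 443
 deny ip any any log
ip access-list extended ORDER-MATTERS
 deny ip 192.168.1.0 0.0.0.255 any
 permit tcp host 192.168.1.10 any eq 22
"""

ANY = (0, 0xFFFFFFFF)          # base address 0 with an all-ones wildcard
NAMED_PORTS = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23, "domain": 53}
IMPLICIT_DENY = "(implicit deny ip any any)"


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: tuple[int, int]     # (address, wildcard) as 32-bit integers
    dst: tuple[int, int]
    dport: int | None        # destination port from 'eq', else None
    text: str                # original entry, for show-style output


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """A 0 bit in the wildcard must equal the base; a 1 bit is don't-care."""
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == base & care


def parse_addr(tokens: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A W' at tokens[i]; return (spec, next index).
    A standard ACL may give a bare address, which IOS treats as wildcard 0.0.0.0."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (to_int(tokens[i + 1]), 0), i + 2
    if i + 1 < len(tokens):
        return (to_int(tokens[i]), to_int(tokens[i + 1])), i + 2
    return (to_int(tokens[i]), 0), i + 1


def parse_ace(action: str, tokens: list[str], text: str, standard: bool) -> Ace:
    tokens = [t for t in tokens if t not in ("log", "log-input")]  # logging never affects matching
    if standard:                                  # standard ACLs look at the source only
        src, _ = parse_addr(tokens, 0)
        return Ace(action, "ip", src, ANY, None, text)
    proto = tokens[0]
    src, i = parse_addr(tokens, 1)
    dst, i = parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = int(port) if port.isdigit() else NAMED_PORTS[port]
    return Ace(action, proto, src, dst, dport, text)


def parse_config(config: str) -> dict[str, list[Ace]]:
    """Collect numbered and named ACLs from IOS config text, keyed by number or name."""
    acls: dict[str, list[Ace]] = {}
    current: tuple[str, bool] | None = None       # (name, is_standard) of the open named ACL
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":                 # access-list N permit|deny ...
            num = int(t[1])
            standard = 1 <= num <= 99 or 1300 <= num <= 1999
            acls.setdefault(t[1], []).append(parse_ace(t[2], t[3:], raw.strip(), standard))
        elif t[:2] == ["ip", "access-list"]:      # ip access-list standard|extended NAME
            current = (t[3], t[2] == "standard")
            acls.setdefault(t[3], [])
        elif t[0] in ("permit", "deny") and current is not None:
            acls[current[0]].append(parse_ace(t[0], t[1:], raw.strip(), current[1]))
    return acls


def evaluate(acl: list[Ace], proto: str, src: str, dst: str, dport: int | None = None) -> tuple[str, str]:
    """Return (action, entry) for the first matching ACE, or the implicit deny if none matches."""
    s, d = to_int(src), to_int(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(s, *ace.src) and wildcard_match(d, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", IMPLICIT_DENY


if __name__ == "__main__":
    acls = parse_config(SAMPLE_CONFIG)
    print(evaluate(acls["100"], "tcp", "192.168.1.7", "10.0.0.5", 443))   # implicit deny, only 80 is permitted
    print(evaluate(acls["WEB-TRAFFIC"], "udp", "203.0.113.9", "10.0.0.5", 53))  # explicit, logged deny
    print(evaluate(acls["ORDER-MATTERS"], "tcp", "192.168.1.10", "10.0.0.5", 22))  # broad deny wins
```

The ORDER-MATTERS case is the exam trap from the tips below: the SSH permit for 192.168.1.10 is never reached because the /24 deny above it matches first. Swapping the two lines is the fix on a real router as well.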
Verification Commands:
- show access-lists (every ACL with a per-entry match counter; a counter that stays at zero while traffic flows means the entry is never reached or the ACL is not applied)
- show ip access-lists (IP ACLs only; accepts a number or a name to show a single list)
- show running-config | section access-list (shows named ACL entries too; "| include access-list" only returns lines containing that string, so the permit/deny entries under a named ACL are missed)
- show ip interface GigabitEthernet0/1 (the "Inbound access list is" and "Outgoing access list is" lines confirm what is applied where)
- clear access-list counters (reset the counters before a test so the hits you see are from your test traffic)
Wildcard Masks
ACLs use wildcard masks, which are the bitwise inverse of subnet masks. A 0 bit means the corresponding address bit must match; a 1 bit means it is ignored. The mask is applied bit by bit, so a wildcard does not have to be contiguous, although exam questions almost always use the inverse of a subnet mask.
- 0.0.0.0 = match exact host (the host keyword is shorthand: host 10.0.0.5 equals 10.0.0.5 0.0.0.0)
- 0.0.0.255 = match /24 network
- 0.0.255.255 = match /16 network
- 255.255.255.255 = match every address (the any keyword is shorthand for 0.0.0.0 255.255.255.255)
Exam Tips: Answering Questions on Configure and Verify ACLs
1. Remember the implicit deny: If a question shows an ACL with only permit statements, understand that all other traffic will be blocked.
2. Standard vs Extended placement: Standard ACLs go near the destination; Extended ACLs go near the source. This is frequently tested.
3. Wildcard mask calculations: Practice converting subnet masks to wildcard masks quickly. Subtract each octet from 255.
4. Order matters: When analyzing ACL behavior, evaluate rules sequentially. A broad deny statement early in the list will override more specific permits that follow.
5. Interface direction: Inbound ACLs filter traffic entering the interface; outbound ACLs filter traffic leaving. Visualize the traffic flow before answering.
6. Common port numbers: Memorize key ports - HTTP(80), HTTPS(443), FTP(20,21), SSH(22), Telnet(23), DNS(53), DHCP(67,68).
7. Named ACL benefits: entries carry sequence numbers, so in ip access-list configuration mode you can insert a line at a chosen position or remove a single line with no. A numbered ACL edited with the classic access-list command only appends to the end, and no access-list N deletes the whole list. On current IOS a numbered ACL can also be edited like a named one (ip access-list extended 100), but exam questions usually assume the classic behaviour.
8. One ACL per interface per direction: You can only apply one ACL per protocol, per interface, per direction.
9. Read questions carefully: Determine if the question asks about configuration syntax, traffic behavior, or troubleshooting existing ACLs.