An Access Control List (ACL) is a set of rules that is usually used to filter network traffic.
ACLs can be configured on network devices with packet filtering capabilities, such as routers and firewalls.
ACLs contain a list of conditions that categorize packets and help you determine when to allow or deny network traffic.
They are applied on a per-interface basis to packets leaving or entering an interface. Two types of ACLs are available on a Cisco device:
standard access lists – allow you to evaluate only the source IP address of a packet. Standard ACLs are not as powerful as extended access lists, but they are less CPU intensive for the device.
extended access lists – allow you to evaluate the source and destination IP addresses, the Layer 3 protocol type, the source and destination ports, and other parameters. Extended ACLs are more complex to configure and require more CPU time than standard ACLs, but they allow a more granular level of control.
To understand the benefits of using ACLs in your network, consider the following network topology:
Now let’s analyse and dissect a typical access list.
ip access-list Test_Labs_Inbound
1 permit tcp any any eq 443 (permit, in the inbound direction, TCP packets from any IP to any IP with destination port 443)
2 permit tcp any any eq 445 (permit, in the inbound direction, TCP packets from any IP to any IP with destination port 445)
3 permit udp any any eq 443 (permit, in the inbound direction, UDP packets from any IP to any IP with destination port 443)
4 permit udp any any eq 445 (permit, in the inbound direction, UDP packets from any IP to any IP with destination port 445)
7 deny tcp any any eq www (deny, in the inbound direction, TCP packets from any IP to any IP with destination port 80)
8 permit ip X.X.X.0/24 X.X.X.X/24 (permit, in the inbound direction, any protocol from the specified source subnet to the specified destination subnet)
41 deny ip any 192.168.0.0/16 (deny, in the inbound direction, any protocol from any IP to 192.168.0.0/16)
42 permit ip any any (permit everything else in the inbound direction)
deny ip any any (the implicit default rule at the end of every ACL; it is not visible in the configuration)
So what does the access list “Test_Labs_Inbound” mean?
In the inbound direction, we permit TCP and UDP ports 443 and 445 and deny TCP port 80.
In line 8 we permit communication from one specific subnet to another subnet on any port.
In line 41 we deny traffic from any IP to the private 192.168.0.0/16 range.
Because line 41 blocks all communication to those private addresses, and we do not want to block communication to the outside world, we need to permit IP from any to any in line 42.
Finally there is the default rule at the end of every access list you create: “Deny All”. It is not visible to you, so any packet that matches no entry is dropped.
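The walk-through above depends on two properties of Cisco ACLs: entries are evaluated in sequence order and the first match decides, and anything that matches no entry hits the invisible deny at the end. The following Python is an added example, not code from the page or from Cisco; it models those semantics for the Test_Labs_Inbound list and runs constructed sample packets through it. The subnets 10.1.1.0/24 and 10.2.2.0/24 stand in for the X.X.X.0/24 placeholders in line 8, and the test addresses are taken from the documentation ranges; all of those values are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed packet: the header fields an extended ACL can inspect.
@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for port-less protocols

# One access control entry (ACE) of the list.
@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "https": 443}   # named ports used on the page

def parse_rule(line: str) -> Rule:
    """Parse one ACE written as on the page, e.g. '7 deny tcp any any eq www'."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1].lower(), tok[2].lower()
    src = ANY if tok[3] == "any" else ipaddress.ip_network(tok[3], strict=False)
    dst = ANY if tok[4] == "any" else ipaddress.ip_network(tok[4], strict=False)
    dport = None
    if len(tok) > 6 and tok[5] == "eq":
        dport = PORT_NAMES[tok[6]] if tok[6] in PORT_NAMES else int(tok[6])
    return Rule(seq, action, proto, src, dst, dport)

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the ACE matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Entries are checked in sequence order and the first match decides.
    A packet that matches nothing hits the implicit 'deny ip any any',
    reported here with sequence number None."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None

# The page's Test_Labs_Inbound list. 10.1.1.0/24 and 10.2.2.0/24 are
# constructed stand-ins for the X.X.X.0/24 placeholders in line 8.
ACL_TEXT = """
1 permit tcp any any eq 443
2 permit tcp any any eq 445
3 permit udp any any eq 443
4 permit udp any any eq 445
7 deny tcp any any eq www
8 permit ip 10.1.1.0/24 10.2.2.0/24
41 deny ip any 192.168.0.0/16
42 permit ip any any
"""
ACL = [parse_rule(l) for l in ACL_TEXT.splitlines() if l.strip()]

# Constructed test traffic (documentation address ranges).
SAMPLE = {
    "https_inbound":       Packet("tcp", "203.0.113.5", "198.51.100.7", 443),
    "http_inbound":        Packet("tcp", "203.0.113.5", "198.51.100.7", 80),
    "ssh_between_subnets": Packet("tcp", "10.1.1.5", "10.2.2.9", 22),
    "ssh_to_private":      Packet("tcp", "203.0.113.5", "192.168.1.10", 22),
    "https_to_private":    Packet("tcp", "203.0.113.5", "192.168.1.10", 443),
    "icmp_inbound":        Packet("icmp", "203.0.113.5", "198.51.100.7"),
}

def evaluate_all(acl: List[Rule] = ACL):
    """Verdict and matching sequence number for every sample packet."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}

if __name__ == "__main__":
    for name, (verdict, seq) in evaluate_all().items():
        print(f"{name:22s} -> {verdict:6s} (entry {seq})")
    # Without line 42, anything not explicitly permitted falls to the implicit deny.
    without_42 = [r for r in ACL if r.seq != 42]
    print("icmp without line 42 ->", evaluate(without_42, SAMPLE["icmp_inbound"]))
```

Two of the results are worth checking against the prose: the HTTPS packet to 192.168.1.10 is permitted by line 1 before line 41 is ever reached, so line 41 only blocks traffic to the private range that the earlier port entries did not already permit, and removing line 42 turns the ICMP packet from "permit" into the invisible deny.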
Now that we have created our access list, we can apply it to the interface we want.
At the end of the command we choose the direction in which to apply it, in or out. The name must match the defined access list exactly, because names are case-sensitive.
For this access list we apply it in the inbound direction.
interface <INTERFACE_NAME>
 ip access-group Test_Labs_Inbound in
 ip access-group Test_Outbound out
 no ip redirects
 ip address 192.168.X.X <SUBNET_MASK>
Example of an access list that only permits connections to the switch from specific IPs. This is a standard ACL, so only the source address is checked, and the mask after each address is a wildcard mask (0.0.0.255 covers a /24), not a subnet mask.
ip access-list standard Line_Vty
permit 192.168.X.0 0.0.0.255
permit 192.168.X.0 0.0.0.255
line vty 0 15
access-class Line_Vty in
transport input ssh
transport output ssh
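The vty example is a standard ACL, so the only thing checked is the source address against a wildcard mask, and a management host that matches no entry is refused by the implicit deny. The following Python is an added example, not code from the page or from Cisco; it implements wildcard matching the way the device does (a 0 bit in the wildcard must match, a 1 bit is ignored) and contrasts the page's Line_Vty list with the common mistake of typing a subnet mask where a wildcard belongs. The subnets 192.168.10.0 and 192.168.20.0 stand in for the page's 192.168.X.0 placeholders and are assumptions.

```python
import ipaddress
from typing import List, Tuple

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must equal the
    base address, a 1 bit is 'don't care'. 0.0.0.255 therefore means the
    first three octets must match, i.e. the same hosts as a /24."""
    differing = _to_int(ip) ^ _to_int(base)
    return differing & ~_to_int(wildcard) & 0xFFFFFFFF == 0

def is_contiguous_wildcard(wildcard: str) -> bool:
    """True if the wildcard is a run of 0 bits followed by a run of 1 bits,
    which is the only shape that corresponds to a CIDR prefix."""
    mask = ~_to_int(wildcard) & 0xFFFFFFFF
    return mask == 0 or (mask | (mask - 1)) == 0xFFFFFFFF

def wildcard_to_prefix(base: str, wildcard: str) -> str:
    """Convert base + wildcard to CIDR notation; non-contiguous wildcards
    are legal on the device but have no prefix equivalent, so raise."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    plen = bin(~_to_int(wildcard) & 0xFFFFFFFF).count("1")
    return str(ipaddress.ip_network(f"{base}/{plen}", strict=False))

# Standard ACL Line_Vty from the page; 192.168.10.0 and 192.168.20.0 are
# constructed stand-ins for the two 192.168.X.0 placeholders.
LINE_VTY: List[Tuple[str, str, str]] = [
    ("permit", "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.20.0", "0.0.0.255"),
]

# Constructed misconfiguration: a subnet mask typed where a wildcard belongs.
LINE_VTY_WRONG_MASK = [("permit", "192.168.10.0", "255.255.255.0")]

def vty_allowed(src: str, acl: List[Tuple[str, str, str]] = LINE_VTY) -> bool:
    """access-class check: the first matching entry decides, and a source
    that matches nothing is refused by the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

if __name__ == "__main__":
    for src in ("192.168.10.77", "192.168.20.3", "10.0.0.5"):
        print(f"{src:15s} allowed: {vty_allowed(src)}")
    print(wildcard_to_prefix("192.168.10.0", "0.0.0.255"))
    # With 255.255.255.0 as the "wildcard" only the last octet is compared,
    # so a real management host in 192.168.10.0/24 is refused while any
    # address ending in .0 from anywhere matches.
    print(vty_allowed("192.168.10.5", LINE_VTY_WRONG_MASK),
          vty_allowed("10.99.99.0", LINE_VTY_WRONG_MASK))
```

The wrong-mask case is the one to remember when reviewing a vty access-class: the configuration is accepted without error, but it locks out the intended administrators and admits addresses that were never meant to match.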