Quick definition: An access control list (ACL) is an ordered list of rules used to filter traffic. Each rule states what is permitted and what is denied. When a packet attempts to enter or exit a router, it is tested against the rules in order, and the first matching rule decides its fate. If it matches a permit statement it is permitted. If it matches a deny statement it is denied.
SPOTO trainer Jeremy Cioara discusses this topic in the MicroNugget below:
What is an ACL?
An ACL is a list of permit and deny rules that specify what can and cannot enter or leave a router’s interface. Each packet that attempts to enter or exit the interface is checked against the ACL rules, one by one, until it matches one. If there is no match, the packet is denied.
A packet’s IP header contains both the source and destination IP addresses. This information is compared against the router’s ACL to determine whether a rule matches.
A router implicitly denies a packet if none of the rules in the ACL match the packet that is trying to enter it.
How does Implicit Deny work?
An implicit deny statement is the last rule in every ACL. It is implicit, so it does not appear in the configuration and you cannot see it. This rule is extremely powerful: any traffic that does not match an explicit ACL rule is denied.
What are Standard ACLs and how do they work?
There are two types of ACL: standard and extended. The oldest ACLs can be traced back to Cisco’s IOS Software (Release 8.3). Standard ACLs can only filter traffic based on the source IP address, whereas extended ACLs can match on both source and destination IP addresses.
As you have seen, when a packet attempts to enter or exit a router, its IP information is checked against each rule in the ACL. If a rule matches, the packet is permitted or denied according to that rule.
You might wonder which packets the ACL actually sees. That depends on the direction in which the ACL is applied: inbound or outbound.
What is the difference between Inbound and Outbound?
If the ACL is applied inbound, it applies to packets arriving at the interface and trying to enter the router. This covers, for example, traffic that comes from the Internet and goes into your internal network. If the ACL is applied outbound, it applies only to packets that have already passed through the router and are trying to leave the interface.
This applies, for example, to traffic that leaves your internal network and goes off to the Internet.
How do you configure standard ACLs?
Global configuration mode allows you to configure ACLs:
# configure terminal
Once you are in global configuration mode you need to select which standard ACL you want to configure. Standard ACLs are numbered 1 to 99. In this instance we will choose 1 (but you can choose any number in that range).
Each rule begins with the access-list number you have chosen, is followed by a permit or deny keyword, and ends with a source IP address.
(config)# access-list 1 permit 10.1.5.1
(config)# access-list 1 deny 192.168.1.53
You can add as many rules as you need to an access list, regardless of the number you chose for it. There are some things you should keep in mind when configuring ACLs.
What is a Wildcard Mask and how does it work?
You may already be familiar with subnet masks; if not, wildcard masks can be confusing at first. In a subnet mask the largest numbers are on the left. A /16 subnet mask looks like this:
255.255.0.0
Wildcard masks, which are the masks used in IP ACLs, are the opposite. Take y to get your wildcard mask.
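To make the standard ACL behaviour described above concrete (first-match evaluation, the invisible implicit deny at the end, and wildcard masks as the inverse of a subnet mask), here is an added simulator written for this page; it is not Cisco IOS code and the sample ACL and packet addresses in it are constructed, not taken from the page. It also handles the case the page does not show, a subnet-wide rule, to illustrate why rule order matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    source: str                 # dotted-quad source address to compare against
    wildcard: str = "0.0.0.0"   # IOS default when omitted: match exactly this one host


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask (255.255.0.0 -> 0.0.255.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ to_int(subnet_mask)))


def matches(rule: Rule, src: str) -> bool:
    """Wildcard bit 0 means 'this bit must match', wildcard bit 1 means 'don't care'."""
    care = 0xFFFFFFFF ^ to_int(rule.wildcard)
    return (to_int(src) & care) == (to_int(rule.source) & care)


def evaluate(acl: List[Rule], src: str) -> Tuple[str, Optional[int]]:
    """First match wins: return (action, index of the matching rule).

    If no rule matches, the implicit deny at the end of every ACL applies
    and the index is None because that rule is never visible in the config.
    """
    for idx, rule in enumerate(acl):
        if matches(rule, src):
            return rule.action, idx
    return "deny", None


# Constructed sample for ACL 1 (hypothetical): two host rules, then a whole /24.
# The deny for 192.168.1.53 must come BEFORE the subnet permit or it never fires.
ACL_1 = [
    Rule("permit", "10.1.5.1"),
    Rule("deny", "192.168.1.53"),
    Rule("permit", "192.168.1.0", wildcard_from_mask("255.255.255.0")),
]

if __name__ == "__main__":
    for src in ["10.1.5.1", "192.168.1.53", "192.168.1.77", "172.16.0.9"]:
        print(src, evaluate(ACL_1, src))
```

The last address matches no explicit rule and is dropped by the implicit deny, which is what an operator sees as "mysterious" blocked traffic when a permit line is missing.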