An Access Control List (ACL) is a network filter used by routers and some switches to permit or restrict traffic flowing into and out of network interfaces. When an ACL is configured on an interface, the network device examines the packets passing through that interface, compares them with the conditions described in the ACL, and either permits the traffic to flow or blocks it.
Purpose of the Access List
An Access Control List (ACL), or simply an access list, is an ordered list of rules stating which IP addresses or types of traffic are permitted and which are not. These lists add another layer to network security.
An ACL should be used on the border router so that any packet entering from, or leaving for, the external network is filtered against the access list. ACLs should also be used on a firewall router that sits between two networks.
The purpose and benefits of using ACL are as follows:
- IP packet filtering: Inbound and outbound IP packets can be filtered by rules that examine the source IP address, destination IP address, protocol, interface, and so on. These filtering rules are defined with an ACL.
- Minimize routing table updates: Routers exchange routing updates with each other. An ACL can restrict which updates are sent or accepted, so that unnecessary routing traffic does not add load to the internal network.
- Prioritizing traffic: An ACL can identify traffic that should be given priority:
  - Routing updates may be preferred over other traffic.
  - Traffic can also be prioritized for sending based on its protocol.
- Traffic control: An ACL can control network traffic according to protocol, interface, or any other criterion. For example, dial-on-demand routing can be triggered only when a connection to a particular host, or a connection using a particular protocol, is wanted.
- Reduce security risk: Denial of Service and IP spoofing attacks can be blocked by an ACL. Packets are accepted or discarded according to the IP traffic pattern, which reduces a range of network security risks.
- Authentication: Access to the remote shell (RSH) and remote copy (RCP) protocols can be restricted with an ACL, and an ACL can specify which IP addresses are allowed to connect to the device using Telnet.
When an ACL is defined, it is given a name or number that identifies it. The statements in the ACL are then processed sequentially, one after another from the top. For an ACL to take effect, it must be applied to an interface in either the inbound or outbound direction.
Once applied to an interface, an ACL is processed in the following way:
- Cisco IOS receives an IP packet and examines the packet header information on the inbound or outbound interface.
- The packet is compared with each ACL condition, one condition at a time, from top to bottom. If the packet does not match the first condition in the access list, it is compared with the second condition, then the third, and so on until a condition matches.
- If the packet information matches an ACL statement, the packet is either permitted or denied according to that statement, and processing ends there. The remaining conditions are not checked; only the statements up to the first match are evaluated. If the packet matches a permit statement before the end of the ACL, it is allowed to cross the router interface.
- If the matching statement denies the packet, the router drops the packet and sends a Host Unreachable message via the Internet Control Message Protocol (ICMP). Processing stops there. If the packet matches no condition before the end of the ACL, it is discarded by the implicit deny at the end: Cisco IOS automatically appends a deny-all statement to every access control list, which discards any packet that matched none of the conditions. Therefore an ACL must contain at least one permit statement before its end, or it will permit nothing.
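The first-match and implicit-deny behaviour described above, as an added example that is not part of the original article: a small Python evaluator for extended ACL statements written in Cisco IOS syntax, using Cisco wildcard masks. The ACL text, addresses and test packets are constructed for illustration and are not from the article.

```python
import ipaddress

# Constructed example ACL in Cisco IOS extended-ACL syntax (not from the article). Line 2 sits
# before line 3 on purpose: SSH from 10.1.2.0/24 is denied by line 2 although line 3 would permit it.
ACL_TEXT = """
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 22
access-list 101 deny   tcp any host 192.0.2.10 eq 22
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
"""

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_addr(tokens):
    """Consume one address spec ('any', 'host X' or 'X WILDCARD'); return net, wild, rest."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(text):
    # Turn 'access-list N action proto src dst [eq port]' lines into rule tuples.
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, swild, rest = parse_addr(t[4:])
        dst, dwild, rest = parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, swild, dst, dwild, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, matching line number); line None means the implicit deny."""
    for seq, (action, rproto, rsrc, rswild, rdst, rdwild, rport) in enumerate(rules, 1):
        if rproto not in ("ip", proto):           # 'ip' matches any protocol
            continue
        if not (wildcard_match(src, rsrc, rswild) and wildcard_match(dst, rdst, rdwild)):
            continue
        if rport is not None and rport != dport:  # 'eq' applies to the destination port
            continue
        return action, seq                        # first match wins, stop here
    return "deny", None                           # implicit 'deny ip any any' at the end

RULES = parse_acl(ACL_TEXT)
if __name__ == "__main__":
    for pkt in [("tcp", "10.1.1.5", "192.0.2.10", 22), ("tcp", "10.1.2.5", "192.0.2.10", 22),
                ("udp", "10.1.2.5", "198.51.100.7", 53), ("tcp", "172.16.0.1", "198.51.100.7", 80)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

The second packet shows why statement order matters: it is dropped by line 2 before line 3 is ever consulted, and the last packet matches nothing and falls through to the implicit deny.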