What is an access control list? Secure Your Network.
Introduction to Access Control List
What is an Access Control List? An access control list (ACL) is a group of commands that work together to classify IP packets entering or leaving a router interface. We can define an ACL as a sequential list of rules that either permit or deny traffic based on a condition. The rules inside an access control list are called access control entries (ACEs), so an ACL is made up of multiple ACEs. The job of an ACL is to identify a packet; after identification, the router decides whether the packet is allowed or not. ACLs are not only used for packet filtering but also in some other areas of networking:
- QoS
- Dial on demand
- NAT
- Policy-based routing
Working of ACL
An ACL consists of lines of commands in sequential form, i.e., one line after another, and the router reads them from top to bottom. It works like an if-else chain in programming: if a packet matches the condition in the first line, evaluation stops at that line and the action of that line is applied. An invisible deny statement sits at the end of every ACL.
If we deny a single IP or network and don’t add a permit statement at the end, will it block all other networks and IPs as well? Writing an ACL isn’t enough; it only takes effect after being applied to an interface. An ACL is applied to an interface in one of two directions:
- Inbound
- Outbound
An ACL applied to traffic entering the router through an interface is an inbound ACL, while an ACL applied to traffic leaving the router through an interface is an outbound ACL.
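The evaluation order and the invisible deny described above, as an added example that is not part of the original article: a small Python simulator of a Cisco-style standard ACL. It parses constructed `access-list` lines, applies wildcard-mask matching to the source address, walks the entries top to bottom, and falls through to the implicit deny when nothing matches. The ACL numbers, addresses and entries are constructed for illustration, not taken from the article.

```python
# Added example (not from the original article): simulator of a Cisco-style
# *standard* ACL showing top-down first-match evaluation and the implicit
# "deny any" at the end of every list. All addresses and ACL numbers below
# are constructed for illustration.
import ipaddress
from typing import List, Tuple


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & keep) == (net_i & keep)


def parse_standard_ace(line: str) -> Tuple[str, str, str]:
    """Parse 'access-list <n> permit|deny any|host A.B.C.D|A.B.C.D [wildcard]'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"  # IOS default: single host
    return action, rest[0], wildcard


def evaluate(acl: List[Tuple[str, str, str]], src_ip: str) -> Tuple[str, int]:
    """Walk the ACEs top to bottom; the first match wins.

    Returns (action, index); index -1 marks the implicit deny at the end.
    """
    for idx, (action, network, wildcard) in enumerate(acl):
        if wildcard_match(src_ip, network, wildcard):
            return action, idx
    return "deny", -1  # nothing matched: the invisible deny applies


# Constructed ACL 10: deny one host, permit the rest of its /24, nothing else.
ACL_10 = [parse_standard_ace(line) for line in [
    "access-list 10 deny host 192.168.1.50",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
]]

# Constructed ACL 20: a deny with no permit at all, the situation the text asks about.
ACL_20 = [parse_standard_ace("access-list 20 deny 10.0.0.0 0.255.255.255")]

if __name__ == "__main__":
    for ip in ["192.168.1.50", "192.168.1.7", "172.16.0.1"]:
        print("ACL 10", ip, evaluate(ACL_10, ip))
    for ip in ["10.1.2.3", "192.168.1.7"]:
        print("ACL 20", ip, evaluate(ACL_20, ip))
```

Running it shows that ACL 20, which only contains a deny, drops every source address: the one it names explicitly at entry 0 and every other one at the implicit deny (index -1). The same simulator is useful for checking an ACL offline before applying it to an interface.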
Function of ACL
- ACL filters network traffic
- ACL reduces network traffic by eliminating unnecessary traffic
- It provides security to our network devices and servers.
Types of ACL
There are two main types of ACL:
- Numbered ACL
- Named ACL
A numbered ACL is identified by a unique number and a named ACL by a unique name.
Numbered ACL
There are two types of numbered ACL:
- Standard ACL
- Extended ACL
Named ACL
Unlike numbered ACLs, which use numbers for identification, a named ACL permits or denies traffic under a descriptive name. Named ACLs are useful in complex networks where keeping the configuration readable is crucial.
Top 5 mistakes when configuring ACLs:
Configuring ACLs is not straightforward, just as configuring RIP, OSPF, or EIGRP is not; it requires great attention. Here are five common mistakes made when configuring ACLs.
1) Incorrect Order of ACL Statements
One of the most common errors in configuring ACLs is incorrect statement order. ACLs are evaluated from top to bottom, so if you write a general statement before a specific one, the specific rule may never be evaluated. Place the specific rule above the general rule so that it is evaluated first.
2) Forgetting the Implicit Deny All Rule
An ACL has an implicit “deny all” rule at the end, which blocks any traffic not explicitly permitted by the previous rules. Sometimes this also blocks legitimate traffic, so you should explicitly permit all necessary traffic before the implicit deny.
3) Using Incorrect IP Addresses and Wildcard Masks
Sometimes we use an incorrect IP address or wildcard mask, and as a result the ACL doesn’t meet our requirements: it either blocks legitimate traffic or allows unwanted traffic.
4) Ignoring the Direction of Traffic
As already noted, an ACL is applied to an interface either inbound or outbound. Applying an ACL in the wrong direction leads to ineffective filtering and unexpected network behavior.
5) Overlooking Protocol-Specific ACLs
Network engineers or administrators sometimes create ACLs that don’t address a specific protocol’s needs, with the result that too much traffic is either blocked or allowed. Instead, write ACL rules that specify the protocol (TCP, UDP, or ICMP) along with the port numbers and IP addresses.
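Mistakes 1 (statement order), 3 (wildcard masks) and 5 (protocol and port) above, reproduced in an added example that is not part of the original article: a Python simulator of a Cisco-style extended ACL. It parses constructed `access-list` lines with protocol, source, destination and an optional `eq <port>`, evaluates them top to bottom with the implicit deny, and compares a mis-ordered list and a mis-masked list against their corrected versions. ACL numbers, addresses and ports are constructed for illustration.

```python
# Added example (not from the original article): simulator of a Cisco-style
# *extended* ACL used to reproduce the ordering and wildcard-mask mistakes
# described in the text. All addresses, ports and ACL numbers are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class ExtendedAce:
    action: str
    proto: str                    # "ip" matches any protocol
    src: Tuple[str, str]          # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]          # None = any destination port


def _wildcard_match(ip: str, net_wc: Tuple[str, str]) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    net, wc = net_wc
    keep = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & keep == int(ipaddress.IPv4Address(net)) & keep


def _take_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' at tokens[i]; return (addr, next_i)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_extended_ace(line: str) -> ExtendedAce:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = t[2], t[3]
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return ExtendedAce(action, proto, src, dst, dport)


def evaluate(acl: List[ExtendedAce], pkt: Packet) -> Tuple[str, int]:
    """Top-down, first match wins; index -1 is the implicit deny at the end."""
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_wildcard_match(pkt.src, ace.src) and _wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, idx
    return "deny", -1


def build(lines: List[str]) -> List[ExtendedAce]:
    return [parse_extended_ace(line) for line in lines]


# Mistake 1: the general permit is listed first, so the specific deny is never reached.
WRONG_ORDER = build([
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 100 deny tcp host 192.168.1.50 any eq 80",   # shadowed
])
RIGHT_ORDER = build([
    "access-list 100 deny tcp host 192.168.1.50 any eq 80",
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
])

# Mistake 3: wildcard 0.0.0.0 means a single host, although a whole /24 was intended.
WRONG_MASK = build(["access-list 101 permit tcp 192.168.1.0 0.0.0.0 any eq 80"])
RIGHT_MASK = build(["access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80"])

# Constructed test packets: HTTP from the host meant to be blocked, and from another host.
WEB_FROM_BLOCKED_HOST = Packet("tcp", "192.168.1.50", "203.0.113.10", 80)
WEB_FROM_OTHER_HOST = Packet("tcp", "192.168.1.7", "203.0.113.10", 80)

if __name__ == "__main__":
    print("wrong order :", evaluate(WRONG_ORDER, WEB_FROM_BLOCKED_HOST))
    print("right order :", evaluate(RIGHT_ORDER, WEB_FROM_BLOCKED_HOST))
    print("wrong mask  :", evaluate(WRONG_MASK, WEB_FROM_OTHER_HOST))
    print("right mask  :", evaluate(RIGHT_MASK, WEB_FROM_OTHER_HOST))
```

With the wrong order, traffic from the host that the second line is meant to block is permitted by the first line and the deny is dead configuration; with the deny moved above the permit, the same packet is dropped at entry 0. With the wrong mask, every host in the /24 except 192.168.1.0 itself falls through to the implicit deny, which is exactly the "blocks legitimate traffic" symptom described above.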