The quick definition: An access control list (ACL) is an ordered list of rules used to filter traffic. Each rule states what’s permitted or what’s denied. When a packet attempts to enter or leave a router, it’s tested against each rule in the list — from first to last. If the packet matches a rule, its outcome is determined by the conditions of the statement: If the first rule the packet matches is a permit statement, it’s permitted; if it’s a deny statement, it’s denied.
What is an ACL?
An ACL is a list of permit or deny rules detailing what can or can’t enter or leave the interface of a router. Every packet that attempts to enter or leave a router must be tested against each rule in the ACL until a match is found. If no match is found, then it will be denied.
To get a bit more technical, when a packet is sent out, it must know where it’s going (destination) and where it came from (source). So it contains a source and destination IP address. The router looks at this information to determine if it matches any of the rules in its ACL.
If a router can’t find a match between the information in an ACL and the information in the packet that’s attempting to enter it, the packet is denied implicitly.
How Does Implicit Deny Work?
The last rule in every ACL is an implicit deny statement. Because it’s implicit, you won’t see it. Be aware that just because you don’t see it doesn’t mean it doesn’t do anything. This rule is very powerful. Every bit of traffic that doesn’t match a rule in an ACL will be denied.
What are Standard ACLs?
There are two types of ACLs: standard and extended. Standard ACLs are the oldest, dating back to the early days of Cisco’s IOS Software (Release 8.3). Unlike extended ACLs, standard ACLs are limited to controlling traffic based on the source IP address information — as opposed to the source and destination IP address information.
As you learned above, when a packet tries to enter or leave a router, its IP information is tested against each rule in an ACL. If the packet matches a rule, it’s permitted or denied.
Right about now, you might be wondering what the packet is permitted or denied to do. That depends on where you apply the ACL — inbound or outbound direction.
What is the Difference Between Inbound and Outbound?
If the ACL is inbound, it applies to packets that have arrived at the interface and are attempting to enter the router. This applies to traffic coming from the internet and going into your internal network. If the ACL is outbound, it applies to packets that have gone through the router and are attempting to leave the interface.
For example, this applies to traffic leaving your internal network and going off to the internet.
How Do You Configure Standard ACLs?
You can configure ACLs from global configuration mode, which you enter from privileged EXEC mode:
# configure terminal
Once in global configuration mode, you’ll need to specify which standard ACL you’d like to configure by choosing a number between 1 and 99. In this case, we’ll choose 1 (but you can choose any number in that range).
Each rule will start with the access list you chose, be followed by a permit or deny command and end with a source IP address:
(config)# access-list 1 permit 10.1.5.1
(config)# access-list 1 deny 192.168.1.53
Regardless of which number you choose for your access list, you can keep adding rules to it; each new rule is appended to the end of the list. But there are some things to remember when configuring ACLs, such as wildcard masks.
What is a Wildcard Mask?
Some of you may already know what subnet masks look like, but for those who don’t: a subnet mask has its 1 bits (the network portion) on the left and its 0 bits (the host portion) on the right. A /16 subnet mask looks like this:
255.255.0.0
However, the masks used in IP ACLs, called wildcard masks, are the inverse. To get your wildcard mask, subtract your subnet mask from the all-ones mask:
255.255.255.255
If you subtract the /16 subnet mask from the address above, you’re left with the wildcard mask:
0.0.255.255
When and How Should You Use a Wildcard Mask?
If you’re adding a network in slash notation (an IP address followed by a slash and a prefix length between 1 and 32), you need a wildcard mask. To permit 172.30.0.0/16, for example, work out the wildcard mask like this:
A /16 is equal to 255.255.0.0
Subtract that from 255.255.255.255
The leftover is 0.0.255.255, which is the wildcard mask. A 0 bit in the wildcard mask means that bit of the source address must match; a 1 bit means it is ignored. You specify the wildcard mask by adding it after the IP address:
(config)# access-list 1 permit 172.30.0.0 0.0.255.255
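The following is an added example, not part of the original post or of Cisco IOS: a small Python simulator of how a standard ACL evaluates a packet’s source address. It puts together the three behaviours described above, first-match ordering, wildcard-mask matching and the implicit deny at the end of every list, and includes the subnet-mask-to-wildcard conversion. The function names and the sample rule list are assumptions made for the example.

```python
# Added example (not from the original post or from IOS): simulate how a
# Cisco-style standard ACL evaluates a packet's source address.
import ipaddress

def to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4 string."""
    return str(ipaddress.IPv4Address(value))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /N prefix: 255.255.255.255 minus the subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_dotted(0xFFFFFFFF - subnet_mask)

def matches(source: str, rule_addr: str, wildcard: str = "0.0.0.0") -> bool:
    """A wildcard bit of 0 means 'must match'; a bit of 1 means 'don't care'."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(source) & care) == (to_int(rule_addr) & care)

def evaluate(acl: list, source: str) -> str:
    """Walk the ACL top to bottom and return the action of the first rule
    that matches; if nothing matches, the implicit deny applies."""
    for action, rule_addr, wildcard in acl:
        if matches(source, rule_addr, wildcard):
            return action
    return "deny"  # the invisible last rule of every ACL

# Constructed sample list mirroring the post's access-list 1 commands.
ACL_1 = [
    ("permit", "10.1.5.1", "0.0.0.0"),
    ("deny", "192.168.1.53", "0.0.0.0"),
    ("permit", "172.30.0.0", "0.0.255.255"),
]

# Constructed list showing why order matters: the same two rules swapped
# give the opposite answer for 172.30.1.5.
DENY_FIRST = [("deny", "172.30.1.5", "0.0.0.0"), ("permit", "172.30.0.0", "0.0.255.255")]
PERMIT_FIRST = list(reversed(DENY_FIRST))

if __name__ == "__main__":
    print("/16 wildcard:", wildcard_from_prefix(16))
    for src in ("10.1.5.1", "192.168.1.53", "172.30.99.7", "8.8.8.8"):
        print(f"{src:>14} -> {evaluate(ACL_1, src)}")
    print("172.30.1.5 deny-first:", evaluate(DENY_FIRST, "172.30.1.5"))
    print("172.30.1.5 permit-first:", evaluate(PERMIT_FIRST, "172.30.1.5"))
```

The last address in the loop, 8.8.8.8, matches no rule and is dropped by the implicit deny, which is the case that most often surprises people when a new ACL silently blocks traffic.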
After you’ve configured an ACL, you’ll need to apply it to an interface. From global configuration mode, first select the interface you want to apply the ACL to, which puts you in interface configuration mode:
(config)# int fa 0/0
Next, specify which ACL to apply. With this command, you also state whether the ACL applies in the inbound (in) or outbound (out) direction:
(config-if)# ip access-group 1 out
The above applies access list 1 (the ACL we configured above) to interface fa (Fast Ethernet) 0/0 in the outbound direction.
What is a Standard Named ACL?
When we configured the above ACL, we identified the ACL with a number. But a number isn’t always easy to remember. That’s why we use things like domain names: Memorizing Google is much easier than memorizing the string of ones and zeros that represent Google’s IP address.
How Do You Configure Standard Named ACLs?
Instead of using access-list, we use ip access-list. Furthermore, instead of configuring and assigning standard ACLs with a number, we can use a name. The rest is similar to a numbered ACL configuration:
# configure terminal
(config)# ip access-list standard NAME
(config-std-nacl)# permit 10.1.5.1
(config-std-nacl)# deny 192.168.1.53
(config-std-nacl)# permit 172.30.0.0 0.0.255.255
How Do You Assign a Standard Named ACL?
To assign the above ACL to a specific interface, you do the same as for a numbered access list, but instead of a number, you use the name:
(config)# int fa 0/0
(config-if)# ip access-group NAME out
CBT Nuggets Training on ACLs
The CBT Nuggets training library features a wide variety of networking training for Cisco devices. You can find training that will help you configure standard ACLs in the following courses: