Today I am going to talk about ACLs, which means Access Control Lists. ACLs are used to filter traffic based on criteria that are usually found in IP headers. ACLs can be used on their own but can also be used with protocols such as NAT and NTP: NAT uses ACLs to control whose addresses get translated, and NTP servers use ACLs to control who is able to synchronize timing with them. There are two types of ACLs, standard and extended. Traffic can be filtered by an entire network, a subnet, or just a single host.
Access Control Entries- Every ACL is made up of a group of ACEs (Access Control Entries) that are assigned sequence numbers. In an analogy, the ACL is the rulebook and the ACEs are the rules inside that book. Every ACE defines an action, permit or deny, and matching criteria such as a source IP address or destination IP address. The sequence numbers give the entries a definite order, which matters because every ACL, whether standard or extended, is processed sequentially from the top down.
Standard ACLs- Standard ACLs are the simpler type of ACL: they filter traffic based on source IP address only and cannot filter on any other criteria. You can configure a standard ACL with a name or a number. It is best practice to place standard ACLs as close to the destination network as possible. The reason is that the source IP is examined with no other context (such as protocol or destination), so a standard ACL placed too close to the source may filter traffic that was never intended to be filtered.
Extended ACLs- Extended ACLs offer a more granular set of ACEs. An extended ACL can also be identified with a number or a name. Instead of filtering on source IP only, extended ACLs can match multiple criteria such as destination IP address, source and destination port numbers, and protocol. This lets network administrators be far more specific about what to permit or deny. An extended ACL can block a certain host from reaching another host on a different subnet via SSH only, or block a whole subnet from sending any type of ICMP message to another subnet. The variety and range of rules that can be written is much greater with extended ACLs. It is best practice to place extended ACLs as close to the source host as possible in order to avoid unnecessary packet traversal. With extended ACLs, more specific rules must come before more general rules because of the “first match rule.”
First Match Rule- The first match rule is the matching logic used by both standard and extended ACLs. Each packet is compared against the ACEs in the ACL in sequence order. The first ACE that matches determines the action (permit or deny) and every ACE after it is ignored. So if I have “permit ip any any” (which means allow all traffic) as the first entry and a deny for 203.0.113.1 as the second entry, the host 203.0.113.1 will be permitted to reach its destination, because the “permit ip any any” matches first and takes precedence over the deny statement. This is exactly why specific rules must come before general rules: a general entry can match and act on the packet before the specific entry is ever evaluated.
Implicit Deny- In addition to the first match rule, there is an “invisible” rule that applies to every ACL, whether standard or extended. This rule is called the “implicit deny” and it means that if all the ACEs have been processed and no match was found, the packet is denied. It is invisible because you will not see it when you look at the ACL in the running or startup configuration, and it has no match counter. This rule can only be overridden by adding a “permit ip any any” at the end of the list. Because the implicit deny is not counted, a network admin who wants to keep track of the packets denied at the end of the list can manually add an explicit “deny ip any any log” as the last entry, so that those packets are accounted for by its match counter.
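To make the first match rule and the implicit deny concrete, here is a small ACL evaluator I added as an example; it is not configuration from a real router, and the ACE fields, the sample packets (documentation address ranges) and the helper names are my own constructions. It shows the mis-ordered “permit ip any any” before the deny letting 203.0.113.1 through, the corrected order, and how an explicit “deny ip any any log” at the end gets a counter where the implicit deny does not.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    """One Access Control Entry: an action plus extended-ACL style match criteria."""
    seq: int
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches any protocol
    src: str = "0.0.0.0/0"           # "any"
    dst: str = "0.0.0.0/0"           # "any"
    dst_port: Optional[int] = None   # None matches any destination port
    log: bool = False
    hits: int = 0                    # per-entry match counter

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["protocol"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dst_port")

def evaluate(acl: list, pkt: dict) -> str:
    """First match rule: walk the ACEs in sequence order; the first hit decides."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(pkt):
            ace.hits += 1
            return ace.action
    return "deny"  # implicit deny: nothing is counted here

# Constructed sample packets (hypothetical hosts in documentation ranges)
HTTP_FROM_BAD_HOST = {"protocol": "tcp", "src": "203.0.113.1",
                      "dst": "198.51.100.10", "dst_port": 80}
SSH_FROM_OTHER_HOST = {"protocol": "tcp", "src": "203.0.113.2",
                       "dst": "198.51.100.10", "dst_port": 22}

def misordered_acl() -> list:
    # General permit first: the deny for 203.0.113.1 below it can never match.
    return [ACE(10, "permit"), ACE(20, "deny", src="203.0.113.1/32")]

def corrected_acl() -> list:
    # Specific deny first, then the SSH permit, then an explicit logged
    # "deny ip any any" so the final denies are counted instead of silent.
    return [ACE(10, "deny", src="203.0.113.1/32"),
            ACE(20, "permit", protocol="tcp", dst="198.51.100.0/24", dst_port=22),
            ACE(30, "deny", log=True)]
```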
Inbound/Outbound- An ACL by itself is just a list of rules; for it to actually filter traffic, the ACL has to be applied to a specific interface in a specific direction. Traffic can be filtered either inbound or outbound. Inbound means the packet is inspected against the ACL as it enters the interface. Outbound means the packet is inspected against the ACL as it leaves the interface. Without this step the ACL is never applied to any traffic.