What is access control list (ACL) & how it works

In a computer network, an access control list (ACL) is a set of rules used to control or filter network traffic, and it plays a crucial role in network security. Access lists are configured on network devices such as routers and firewalls for incoming and outgoing traffic. An access list holds a list of conditions that classify packets and permit or deny the traffic. ACLs also reduce the chance of spoofing and denial-of-service attacks in the network.

How Access control list works

An ACL is a set of rules applied to an interface. Once the access control list is created, it is applied to an interface of the device. When a packet arrives at the device on that interface, it is checked against each rule one by one until it matches a rule. Once the packet matches a rule, the rule's action, either permit or deny, is applied. If none of the rules matches the packet, it is dropped automatically. An access list is applied at the interface level for inbound or outbound traffic.

Types of Access control list

There are two types of access lists (ACLs) that we can configure and apply on network devices.

Standard Access control list

A standard ACL is the simplest type of ACL. It filters traffic based only on the source address of the packet. It consists of permit or deny statements and applies to the entire protocol suite; it cannot be configured based on services. A standard access control list is generally configured to control access to network devices for remote access and network management, i.e. we can configure a standard access control list on a router, switch, etc. to define which systems are allowed to connect through Telnet. A standard access control list is configured with a number between 1 and 99. Instead of a number, we can also use a name while configuring the standard access list.

Extended Access Control List

In an extended ACL, filtering happens based on the source and destination IP address, the Layer 4 protocol, and the source and destination ports. Extended access lists are more complex to configure but give us granular control. For example, we can configure an extended access list on a router, firewall, etc. to block access from a particular system (Computer-1) to the FTP server while allowing access from the same system (Computer-1) to the web server. An extended access list is configured with a number between 100 and 199. Like a standard access list, an extended access list can also be configured using a name instead of a number.
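To make the evaluation order described above concrete (top-down, first match wins, implicit deny at the end) and to show the difference between a standard and an extended list, here is a small Python model. It is an added example, not code from the original article and not Cisco software; the `Rule` class, `evaluate` function, the two sample lists `STANDARD_ACL_10` and `EXTENDED_ACL_100`, and all addresses in them are constructed for illustration, using the FTP-server/web-server scenario from the text.

```python
# Added example, not code from the original article: a minimal model of how
# an IPv4 access list is evaluated, in the style of a Cisco IOS ACL.
# Rules are tested top-down, the first match decides, and a packet that
# matches nothing falls through to the implicit "deny any" at the end.
# A standard rule checks only the source address; an extended rule also
# checks protocol, destination address and destination port.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a wildcard bit of 1 means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: str                          # source address or network
    src_wild: str = "0.0.0.0"         # 0.0.0.0 = single host, 255.255.255.255 = any
    proto: str = "ip"                 # "ip" = whole protocol suite (standard ACL)
    dst: Optional[str] = None         # extended ACL only; None = any destination
    dst_wild: str = "0.0.0.0"
    dst_port: Optional[int] = None    # extended ACL only; None = any port

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wild):
            return False
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dst is not None and not wildcard_match(pkt["dst"], self.dst, self.dst_wild):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def evaluate(acl: List[Rule], pkt: dict) -> str:
    """Walk the list top-down; the first matching rule decides."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit "deny any": nothing matched


# Constructed sample lists (private and documentation address ranges).
# Standard list 10: only the management subnet may reach the device.
STANDARD_ACL_10 = [
    Rule("permit", "10.1.1.0", "0.0.0.255"),
]

# Extended list 100: Computer-1 (10.1.1.10) is blocked from the FTP server
# but allowed to the web server; the rest of its subnet is unrestricted.
EXTENDED_ACL_100 = [
    Rule("deny", "10.1.1.10", proto="tcp", dst="192.0.2.20", dst_port=21),
    Rule("permit", "10.1.1.10", proto="tcp", dst="192.0.2.30", dst_port=80),
    Rule("permit", "10.1.1.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for pkt in [
        {"src": "10.1.1.5", "proto": "tcp"},
        {"src": "10.2.2.5", "proto": "tcp"},
    ]:
        print("ACL 10 ", pkt["src"], "->", evaluate(STANDARD_ACL_10, pkt))
    for pkt in [
        {"src": "10.1.1.10", "proto": "tcp", "dst": "192.0.2.20", "dst_port": 21},
        {"src": "10.1.1.10", "proto": "tcp", "dst": "192.0.2.30", "dst_port": 80},
        {"src": "10.9.9.9", "proto": "tcp", "dst": "192.0.2.30", "dst_port": 80},
    ]:
        print("ACL 100", pkt["src"], "->", pkt["dst"], evaluate(EXTENDED_ACL_100, pkt))
```

The model keeps the two behaviours worth remembering when reading a real configuration: a host that appears in no line at all (10.2.2.5 against list 10, 10.9.9.9 against list 100) is dropped by the implicit deny, not by anything written in the list, and the same Computer-1 gets different answers only because the extended list looks beyond the source address.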

Advantages of access control list (ACL)

  1. Adds a layer of security in the network for the respective servers and applications.
  2. Enhances network performance, as unwanted traffic is dropped.
  3. Controls network management by restricting or limiting access to network devices.
  4. Provides control over the traffic, to permit or deny it as required in the network.
  5. Access lists are also used in Network Address Translation (NAT).
  6. Access lists are also used in Quality of Service (QoS) decisions.

Access control list rules

1. A standard access list is usually applied closer to the destination.
2. An extended access list is usually applied closer to the source.
3. Only one access list can be applied on an interface in each direction, i.e. we can configure two access lists on one interface, one for inbound traffic and one for outbound traffic.
4. We can configure standard and extended access lists using names as well, but we cannot use the same name for a standard and an extended access list.
5. In a numbered access list, if we remove a rule the whole access list is removed, but in a named access control list we can delete a specific rule from that access list.
6. Every new rule we add to the access list is placed at the bottom of the access control list; therefore, analyse the whole scenario carefully before implementing the access list.
7. Access lists also have an implicit "deny all" rule by default as the last item in the list, which means that if a packet does not match a permit rule it is denied.
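Rule 6 is where many ACL mistakes come from: because a new entry always lands at the bottom, an earlier, broader entry can silently cover it so that the new entry is never reached, and with rule 7 everything left over is dropped anyway. The following checker is an added example, not from the original article and not Cisco code: it flags entries that an earlier entry already covers, either as a conflict (different action, so the later entry is dead) or as redundant (same action). It models only the fields discussed on this page (protocol, source and destination with wildcard masks, destination port), compares one earlier entry at a time, and so will miss an entry shadowed only by the union of several earlier ones. The `Entry` class, `to_ios` rendering helper, the list `ACL_110` and its addresses are constructed for illustration.

```python
# Added example, not code from the original article: find access-list
# entries that can never match because an earlier entry already covers
# every packet they would match. Fields modelled: protocol, source and
# destination (address + wildcard mask), destination port.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def net_covers(base_a: str, wild_a: str, base_b: str, wild_b: str) -> bool:
    """True if every address matched by (base_b, wild_b) is also matched by (base_a, wild_a)."""
    wa, wb = _ip(wild_a), _ip(wild_b)
    if (wa | wb) != wa:                 # b leaves a bit free that a fixes
        return False
    return (_ip(base_a) & ~wa) == (_ip(base_b) & ~wa)   # agree on a's fixed bits


@dataclass
class Entry:
    action: str                         # "permit" or "deny"
    proto: str = "ip"                   # "ip" covers every protocol
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"   # default = any source
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"   # default = any destination
    dst_port: Optional[int] = None      # None = any port


def covers(a: Entry, b: Entry) -> bool:
    """True if every packet matching b is already matched by the earlier entry a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if a.dst_port is not None and a.dst_port != b.dst_port:
        return False
    return (net_covers(a.src, a.src_wild, b.src, b.src_wild)
            and net_covers(a.dst, a.dst_wild, b.dst, b.dst_wild))


def shadowed_entries(acl: List[Entry]) -> List[Tuple[int, int, str]]:
    """Return (shadowing_index, shadowed_index, kind) for each unreachable entry."""
    findings = []
    for i, later in enumerate(acl):
        for j in range(i):                          # only earlier entries can shadow
            if covers(acl[j], later):
                kind = "conflict" if acl[j].action != later.action else "redundant"
                findings.append((j, i, kind))
                break
    return findings


def to_ios(e: Entry) -> str:
    """Render an entry roughly as it would appear in a Cisco IOS configuration."""
    def net(base: str, wild: str) -> str:
        if wild == "255.255.255.255":
            return "any"
        if wild == "0.0.0.0":
            return f"host {base}"
        return f"{base} {wild}"
    line = f"{e.action} {e.proto} {net(e.src, e.src_wild)} {net(e.dst, e.dst_wild)}"
    return line + (f" eq {e.dst_port}" if e.dst_port is not None else "")


# Constructed sample list: entry 1 was appended after a subnet-wide deny
# and is therefore dead; entry 3 repeats what entry 2 already permits.
ACL_110 = [
    Entry("deny", "ip", "10.1.1.0", "0.0.0.255"),
    Entry("permit", "tcp", "10.1.1.10", "0.0.0.0", "192.0.2.30", "0.0.0.0", 80),
    Entry("permit", "ip", "10.1.2.0", "0.0.0.255"),
    Entry("permit", "tcp", "10.1.2.5", "0.0.0.0", dst_port=443),
]

if __name__ == "__main__":
    for idx, e in enumerate(ACL_110):
        print(f"[{idx}] {to_ios(e)}")
    for j, i, kind in shadowed_entries(ACL_110):
        print(f"entry {i} is {kind}: already covered by entry {j}")
```

Running the check before applying a list is the cheap way to honour rule 6: a dead permit such as entry 1 would otherwise look correct in the configuration while the earlier deny (and, for anything else, the implicit deny) keeps dropping the traffic.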

Ref. Cisco

Frequently Asked Questions

Q. Can we have a separate ACL for inbound traffic and a separate one for outbound traffic?

A. Yes, we can configure a separate access list for inbound traffic and a separate one for outbound traffic.

Q. Can we configure one named and one numbered access list?

A. Yes, we can configure both name-based and number-based access lists, but we can have only one ACL on an interface per direction.

Q. What is an IP access list in a network?

A. An IP access list, or access list, is a set of rules used to control or filter network traffic.

Q. What is the difference between a standard access list and an extended access list?

A. A standard access list is created based on the source address only, but an extended access list is created based on source and destination IP addresses, protocols and ports.

Q. What is the range of a standard access list?

A. The range for a standard access list is 1 to 99.

Q. What is the range of an extended access list?

A. The range for an extended access list is 100 to 199.

Q. Which type of access list should be placed closest to the source of traffic?

A. Standard Access list is usually configured closest to the source.

Q. What is a blocked access list?

A. An access list whose entries are created with deny only, for any source or destination, is referred to as a blocked access list. This type of ACL is usually configured in a firewall to create blacklisting/blocking of external sources.

Q. Does an ACL improve network availability?

A. Yes, it improves network availability and performance as it restricts unwanted traffic.

Q. Which type of ACL is better, standard or extended?

A. An extended access control list is better as it gives granular control. For network device management, a standard access control list is always better as port filtering is not required at that level.
