In computer network access control list (ACL) is set of rules that is usually used for controlling or filtering the network traffic and plays one of the crucial role in network security. Access control list is configured in network devices such as routers, firewall for incoming and outgoing traffic. Access control list have list of conditions that categories the packets and allow or deny the traffic. Access control lists also reduce the chance of spoofing and denial-of-service attacks in the network
How Access control list works
ACLs is typically a set of rules which is applied on the interface. Once the access control list is created, it will be applied to the interface of the device. Once the packet will come in device on respective interface, it will be checked through each rule one by one till it match the rule. Once the packet is matched with the respective rule, the action will be applied either permit or deny based on the rule. If none of the rule matches with the packet, then it will automatically dropped. Access control list is applied at the interface level for inbound or outbound traffic.
Types of Access control list
There are below two types of access control lists (ACL) which we can configure & apply on the network devices.
Standard Access control list
Standard Access control list is the simplest type of ACL. Standard Access control list is created based on the source address of the packet to filter the traffic. This will have permit or deny statement & applies for entire protocol suit. It can’t be configured based on the services. Standard Access control list is generally configured to control the access of network devices for remote access & network management. i.e. we can configure standard access control list in Router, Switch, etc. to define which systems are allowed to connect through telnet. Standard access control list is configured with number between 1 to 99. Instead of number we can use name also while configuring the standard access control list.
Extended Access control list
In extended access control list filtering happens based on the source and destination IP Address, Layer 4 Protocols and source and destination ports. Extended access control list are more complex to configure but gives us granular level of control. For example. We can configure extended access control list in Router, Firewall, etc. to block the access from particular system (Computer-1) to FTP Server but can allow the access from system (Computer-1) to Web Server. Extended access control list is configured with number between 100 to 199. Instead of number like standard access control list , extended access control list can also be configured using name.
Advantages of access control list (ACL)
- Adds a layer of security in network for respective Servers & applications.
- Enhance the network performance as unwanted traffic is being dropped.
- Controls the network management by restricting /limiting the access of network devices.
- Provides control over the traffic to permit or to deny as per requirement in the network.
- Access control list is also used in Network Address Translation as well.
- Access-list is also used in Quality-of-Service decisions.
Access control list rules
1. Standard Access control list is usually applied closer to the destination.
2. Extended Access-list is usually applied closer to source.
3. Only one access control list can be applied in one interface in each direction. i.e. we can configure 2 access control lists in one interface , 1 for inbound traffic and 1 outbound traffic.
4. We can configure Standard access control lists & extended access control lists using name also but we cannot have the same name in standard and extended access control list.
5. In numbered Access-list, If we remove a rule then the whole Access control list will be will be removed but in named access control list we can delete a specific rule in that access control list.
6. Every new rule which we added to the access control list will be placed at the bottom of the access control list therefore before implementing the access control lists, analyses the whole scenario carefully.
7. Access control list also have an implicit “Deny all ” rule be default which is the last item in the list which means if the packet doesn’t match with permit rule it will be denied.
Frequently Asked Questions
Q. Can we have separate ACL for inbound traffic and separate for outbound traffic ?
A. Yes we can configure separate access control list for inbound traffic and separate for outbound traffic.
Q. Can we configure 1 name and 1 numbered access control list ?
A. Yes we can configure both, name based and number based as well but we can have only one ACL on one interface per direction.
Q. What is IP Access control list in network ?
A. IP Access control list or access control list is set of rules that is usually used for controlling or filtering the network traffic.
Q. What is the difference between standard access control list and extended access control list?
A. Standard access control list is created based on source address only but extended access control list is created based on source & destination IP address, protocols and ports.
Q. What is the range of standard access control list ?
A. Range for Standard Access control list is 1 to 99
Q. What is the range of extended access control list ?
A. Range for extended access control list is 100 to 199
Q. Which type of ACL should be placed closest to the source of traffic?
A. Standard Access control list is usually configured closest to the source.
Q. Does ACL improve network availability?
A. Yes it improves the network availability & performance as it restricts the unwanted traffic.
Q. Which type of ACL is better standard or extended?
A. Extended access control list is better as it gives granular level of control. However for network device management access standard access control list is better as ports filtering is not required at that level.