Blog

Access Lists

An access lists is essentially a list of conditions that categorize packets, and they really come in handy when you need to exercise control over network traffic.

Access-lists are one of the most common and an easiest-to-understand use of access list is to filter unwanted packets when implementing security policies. You can set them up to make very specific decisions about regulating traffic patterns so that they’ll allow only certain host to access web resources on the internet while restricting others. With the right combination of access list, network managers arm themselves with the power to enforce nearly any security policy they can invent.

Access lists statements

If a given condition is met, then a given action is taken. If the specific condition is not met, nothing happens and the next statement is evaluated. Access lists statement are basically packets filters that packets are compared against, categorized by, and acted upon accordingly. Once the lists are built, they can be applied to either inbound or out bound traffic on any interface. Applying an ACL cause the router to analyze every packet crossing that interface in the specified direction and take the appropriate action.

There are three important rules that a packet follow when it’s being compared with an access list:

• The packet is always compared with each line of the ACL in sequential order it will always started with the first statement of the ACL, moves on to 2 statement, then 3^rd statement, and so on.
• The packet is compared with statement of the access list until a match is made. Once it matches the condition on a statement of the access list, the packet is acted upon and no further comparisons take place.
• There is an implicit “deny” at the end of each access list, this means that if a packet doesn’t match any condition on any of the statements in the access list, the packet will be discarded.

Type of access list (ACL)

1. Standard access lists    these access list use only source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard ACLs basically permit or deny an entire suite of protocols. They do not distinguished between any of the many type of IP traffic such as web, telnet, UDP and so on.
2. Extended access lists extended ACLs can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the network layer header, and the port number at the transport layer header. This gives extended ACLs the ability to make much more granular decisions when controlling traffic.
3. Named access lists name access list are either standard or extended and not actually a district type. To use ACLs as a packet filter, you need to apply it to an interface on the router which you wanted the traffic filtered. And you’ve got to specify which direction of traffic you want the ACLs applied to. You must you different ACLs for inbound and outbound traffic on a single interface :

• Inbound ACLs: when an access lists is applied to inbound packet on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won’t be routed.

• Outbound ACLs when an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.