How ACLs Work

1. Visualizing an ACL

Let’s begin with an example of a Standard Access Control List (ACL) to understand how it works. Imagine you need to allow the Legal network (192.168.1.0/24) to access the Legal server while blocking the HR network (192.168.2.0/24) from accessing the Legal server.

Create your first ACL

🔹 Here’s what a basic Standard ACL might look like in a router configuration:

R1(config)# ip access-list standard 10
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# deny 192.168.2.0 0.0.0.255

✅ Breakdown:

  • The first line creates Standard ACL 10 and enters its configuration mode.
  • The second line permits traffic sourced from the 192.168.1.0/24 network (the wildcard mask 0.0.0.255 matches every host in that /24).
  • The third line denies traffic sourced from the 192.168.2.0/24 network.

These rules form the building blocks of an ACL, which we’ll explore further in the next sections.

2. Access Control Entries (ACEs)

🔍 Each rule in an ACL is called an Access Control Entry (ACE). Think of an ACL as a list, and each ACE as an item in that list.

[Figure: Access Control Entries (ACEs) and their reading order]

✅ In the example above:

  • ACE 10: Permits traffic from the 192.168.1.0/24 network.
  • ACE 20: Denies traffic from the 192.168.2.0/24 network.

🔍 Reading Order

Routers process an ACL from top to bottom. As soon as a packet matches an ACE, the router applies that ACE's action (permit or deny) and stops checking further rules; no later ACE is consulted.

💡 Why it’s important: If the rules are in the wrong order, you might unintentionally block or allow traffic. Always plan the order carefully.

3. ⚠️ Implicit Deny

At the end of every ACL, there’s an implicit deny rule. This means that if a packet doesn’t match any ACE, it’s automatically denied. You won’t see this rule listed, but it’s always there.

[Figure: Implicit deny at the end of an ACL on a Cisco router]

💡 Why Implicit Deny Matters

The implicit deny ensures that any traffic not specifically allowed is blocked. This is a critical safety measure to prevent unintended access. It also means an ACL made up only of deny statements blocks all traffic, so every ACL needs at least one permit statement for the traffic you intend to allow.

4. Inbound vs Outbound ACLs

When applying an ACL to a router interface, you need to decide whether it filters traffic inbound or outbound. Let’s explore the difference.

🛠️ Inbound ACLs

  • Applied to packets as they enter the router interface.
  • Filters traffic before any routing decisions are made.
  • Ideal for blocking unwanted or harmful traffic early, saving resources.

✅ Example: Blocking malicious traffic from external sources before it enters your network.

[Figure: Inbound ACL applied as traffic enters the interface]

🛠️ Outbound ACLs

  • Applied to packets as they leave the router interface.
  • Filters traffic after routing decisions are made.
  • Useful for applying consistent security policies to outgoing traffic.

✅ Example: Logging all outgoing connections from a specific department.

[Figure: Outbound ACL applied as traffic leaves the interface]
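To make the mechanics from sections 1 to 4 concrete in one place (wildcard-mask matching, top-to-bottom first-match processing, the implicit deny, and where an inbound versus an outbound ACL sits relative to the routing decision), here is a small Python model added as an example. It is not code from the original page and not Cisco IOS; it only imitates the behaviour the text describes. ACL 10 is the one from section 1. The interface names (Gi0/0 to Gi0/3), the Legal server subnet 10.10.10.0/24, the host addresses, the host-exception ACE in `ordering_matters`, and the static routing table are assumptions made for the demo.

```python
"""Toy model of standard-ACL evaluation on a router (constructed example, not IOS)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ACE:
    action: str     # "permit" or "deny"
    network: str    # dotted-quad network, e.g. "192.168.1.0"
    wildcard: str   # Cisco wildcard mask, e.g. "0.0.0.255"


def matches(ace: ACE, src_ip: str) -> bool:
    """Wildcard-mask semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    net = int(ipaddress.IPv4Address(ace.network))
    wc = int(ipaddress.IPv4Address(ace.wildcard))
    ip = int(ipaddress.IPv4Address(src_ip))
    care = ~wc & 0xFFFFFFFF            # the bits the router actually compares
    return (ip & care) == (net & care)


def evaluate(acl: list[ACE], src_ip: str) -> tuple[str, int | None]:
    """Top to bottom, first match wins; no match means implicit deny (sequence None)."""
    for index, ace in enumerate(acl):
        if matches(ace, src_ip):
            return ace.action, (index + 1) * 10   # IOS numbers ACEs 10, 20, ...
    return "deny", None


# ACL 10 from the page: permit Legal (192.168.1.0/24), deny HR (192.168.2.0/24).
ACL_10 = [
    ACE("permit", "192.168.1.0", "0.0.0.255"),
    ACE("deny", "192.168.2.0", "0.0.0.255"),
]


def ordering_matters() -> tuple[tuple[str, int | None], tuple[str, int | None]]:
    """A host exception placed below the network deny never fires (hypothetical host)."""
    wrong = [ACE("deny", "192.168.2.0", "0.0.0.255"), ACE("permit", "192.168.2.10", "0.0.0.0")]
    right = list(reversed(wrong))
    return evaluate(wrong, "192.168.2.10"), evaluate(right, "192.168.2.10")


@dataclass
class Router:
    """Static routes plus an optional ACL per interface in each direction."""
    routes: dict[str, str]                                # prefix -> egress interface
    inbound: dict[str, list[ACE]] = field(default_factory=dict)
    outbound: dict[str, list[ACE]] = field(default_factory=dict)

    def lookup(self, dst_ip: str) -> str | None:
        """Longest-prefix match over the static routes."""
        ip = ipaddress.IPv4Address(dst_ip)
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.IPv4Network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return best[1] if best else None

    def forward(self, ingress: str, src_ip: str, dst_ip: str) -> tuple[str, str]:
        # 1. Inbound ACL is checked as the packet enters, BEFORE the routing lookup.
        if ingress in self.inbound and evaluate(self.inbound[ingress], src_ip)[0] == "deny":
            return "dropped", f"inbound ACL on {ingress}"
        # 2. Routing decision picks the egress interface.
        egress = self.lookup(dst_ip)
        if egress is None:
            return "dropped", "no route"
        # 3. Outbound ACL on that egress interface is checked AFTER routing.
        if egress in self.outbound and evaluate(self.outbound[egress], src_ip)[0] == "deny":
            return "dropped", f"outbound ACL on {egress}"
        return "forwarded", egress


# Assumed topology (not from the page): Legal on Gi0/0, HR on Gi0/1,
# the Legal server on 10.10.10.0/24 behind Gi0/2, default route out Gi0/3.
ROUTES = {"192.168.1.0/24": "Gi0/0", "192.168.2.0/24": "Gi0/1",
          "10.10.10.0/24": "Gi0/2", "0.0.0.0/0": "Gi0/3"}
LEGAL_SERVER = "10.10.10.5"
INTERNET_HOST = "203.0.113.9"


def outbound_placement() -> dict[str, tuple[str, str]]:
    """ACL 10 outbound on the server's interface: only server-bound HR traffic is filtered."""
    r = Router(ROUTES, outbound={"Gi0/2": ACL_10})
    return {
        "legal->server": r.forward("Gi0/0", "192.168.1.20", LEGAL_SERVER),
        "hr->server": r.forward("Gi0/1", "192.168.2.20", LEGAL_SERVER),
        "hr->internet": r.forward("Gi0/1", "192.168.2.20", INTERNET_HOST),
    }


def inbound_placement() -> dict[str, tuple[str, str]]:
    """The same ACL inbound on HR's interface drops HR before routing, so HR loses everything."""
    r = Router(ROUTES, inbound={"Gi0/1": ACL_10})
    return {
        "hr->server": r.forward("Gi0/1", "192.168.2.20", LEGAL_SERVER),
        "hr->internet": r.forward("Gi0/1", "192.168.2.20", INTERNET_HOST),
    }


if __name__ == "__main__":
    for src in ("192.168.1.7", "192.168.2.7", "172.16.0.7"):
        print(src, "->", evaluate(ACL_10, src))      # the last one hits the implicit deny
    print(ordering_matters(), outbound_placement(), inbound_placement(), sep="\n")
```

Running it shows 172.16.0.7 (a source no ACE mentions) reported as `('deny', None)`: that is the implicit deny, with no sequence number because it is never displayed. The two placement functions show the practical consequence of direction: applied outbound on the server's interface, the ACL stops only HR traffic headed for the Legal server, whereas the same standard ACL applied inbound on HR's interface drops HR's packets before the routing lookup, so HR also loses its Internet access. This is why a standard ACL, which matches on source address only, is normally placed as close to the destination as possible.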

📢 Next Steps: Now that we’ve learned the fundamentals of how ACLs work, the next course will focus on configuring a Standard ACL.