What is an Access Control List (ACL) and How to Configure Them! — SuperTechman

What Are The Components of An Access Control List?

The implementation for ACLs is pretty similar in most routing platforms, all of which have general guidelines for configuring them. Remember that an ACL is simply a set of rules or entries that with allow or deny traffic. You can have an Access Control List with single or multiple entries, where each one is supposed to do something, it can be to permit everything or block nothing.

  1. Sequence Number:
    Identify an ACL entry using a number.
  2. ACL Name:
    Define an ACL entry using a name. Instead of using a sequence of numbers, some routers allow a combination of letters and numbers.
  3. Remark:
    Some Routers allow you to add comments into an ACL, which can help you to add detailed descriptions.
  4. Statement:
    Deny or permit a specific source based on address and wildcard mask. Some routing devices, such as Cisco, configure an implicit deny statement at the end of each ACL by default.
  5. Network Protocol:
    Specify whether deny/permit IP, IPX, ICMP, TCP, UDP, NetBIOS, and more.
  6. Source or Destination:
    Define the Source or Destination target as a Single IP, a Address Range (CIDR), or all Addresses.
  7. Log:
    Some devices are capable of keeping logs when ACL matches are found.
  8. Other Criteria:
    Advanced ACLs allow you to use control traffic through the Type of Service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.

What Are The Types of ACLs?

There are four types of ACLs that you can use for different purposes, these are standard, extended, dynamic, reflexive, and time-based ACLs.

1. Standard ACL

The standard ACL aims to protect a network using only the source address.

2. Extended ACL

With the extended ACL, you can also block source and destination for single hosts or entire networks.

3. Dynamic ACL

Dynamic ACLs, rely upon extended ACLs, Telnet, and authentication. This type of ACLs are often referred to as “Lock and Key” and can be used for specific timeframes.

4. Reflexive ACL

Reflexive ACLs are also referred to as IP session ACLs. These type of ACLs, filter traffic based on upper layer session information.

Where to configure an ACL

As an IT network or security professional, placement of your defences is critical to protecting the network, its assets and data. ACLs should be placed on external routers to filter traffic against less desirable networks and known vulnerable protocols. The devices that are facing unknown external networks, such as the Internet, need to have a way to filter traffic. So, one of the best places to configure an ACL is on the edge routers.

How to Implement An ACL On your Router?

Understanding ingress and egress traffic (or inbound and outbound) in a router, is critical for proper ACL implementation.

The general guideline when creating an ACL

  • ACLs are always processed from top to down in sequential order.
  • A packet is compared with ACL conditions until it finds a match.
  • Once a match is found for the packet, no further comparison will be done for that packet.
  • The interface will take action based on match condition. There are two possible actions; permit and deny.
  • If permit condition match, packet will be allowed to pass from interface.
  • If deny condition match, packet will be destroyed immediately.
  • Every ACL has a default deny statement at end of it.
  • If a packet does not meet with any condition, it will be destroyed (by the last deny condition).
  • Empty ACL will permit all traffic by default. Implicit deny condition will not work with empty ACL.
  • Implicit (default last deny) condition would work only if ACL has at least one user defined condition.
  • ACL can filter only the traffic passing from interface. It cannot filter the traffic originated from router on which it has been applied.
  • Standard ACL can filter only the source IP address.
  • Standard ACL should be placed near the destination devices.
  • Extended ACL should be placed near the source devices.
  • Each ACL needs a unique number or name.
  • We can have only one ACL applied to an interface in each direction; inbound and outbound.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Unique blog that is aimed to provide I.T professionals Systems/Network administrators technical solutions, insights & knowledge on a wide variety of topics.