120 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11 Copyright © 2004, Cisco Systems, Inc.
11.1.1 Introduction to ACLs
ACLs are lists of conditions that are applied to traffic that travels across a router interface. These lists tell the router what types of packets to accept or deny. ACLs can be created for all routed network protocols. ACLs filter network traffic and determine if routed packets are forwarded or blocked at the router interfaces. The ACL parameters that can be defined include source and destination addresses, protocols, and upper-layer port numbers. ACLs are created on a per-protocol, per-direction, and per-port basis. ACLs control traffic in one direction on an interface. Therefore, for every protocol, it is possible that two ACLs could be created, an inbound and an outbound. The following are some of the primary reasons to create ACLs:
• Limit network traffic and increase network performance
• Provide traffic flow control
• Provide a basic level of security for network access
• Decide which types of traffic are forwarded or blocked at the router interfaces
• Allow an administrator to control what areas a client can access on a network
• Screen certain hosts to either allow or deny access to part of a network
• Grant or deny user permission to access only certain types of files such as FTP or HTTP
The labs in CCNA 2 have allowed all traffic with no filtering. The students must understand the path, or know the source and destination address of the packets, to apply the concept of an ACL. Review the OSI model and the protocols at each layer with the students. The reasons for ACLs and the methods that ACLs use to accomplish these functions may not be apparent to the students. ACLs may require some time to grasp. Do not rush through these sections. Give the students enough time to absorb this information. Encourage the students to use the labs to reinforce this knowledge. Encourage the students to experiment with various ACL scenarios.
11.1.2 How ACLs work
An ACL is a group of statements to permit or deny traffic on an inbound or outbound router interface. The order in which ACL statements are placed is important. The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. When a match is found in the list, an accept or reject action is performed and no other ACL statements are checked.
If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements. To simplify the process of revising an ACL, it is a good idea to use a text editor such as Notepad and paste the ACL into the router configuration.
As a frame enters an interface, the router checks to see if the Layer 2 address matches or if it is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface.
As a review, ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
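The following is an added worked example, not code from the Cisco curriculum: a small Python model of the top-down, first-match evaluation described above. It shows that the same two statements in the opposite order silently change the verdict for one host, and it includes a check that flags a statement no packet can ever reach because an earlier statement already covers it. The "deny any" that ends every Cisco ACL is assumed as standard IOS behaviour; all addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    source: str    # address to compare against, e.g. "192.168.1.0"
    wildcard: str  # Cisco wildcard mask: 0 bits must match, 1 bits are ignored

    def care_bits(self) -> int:
        # Bits that are 0 in the wildcard mask are the ones actually compared.
        return ~_int(self.wildcard) & MASK32

    def matches(self, src_ip: str) -> bool:
        return ((_int(src_ip) ^ _int(self.source)) & self.care_bits()) == 0


def evaluate(acl: List[AclEntry], src_ip: str) -> Tuple[str, Optional[int]]:
    """Top-down, first-match evaluation. Returns (action, index of the matching
    statement). Index None means nothing matched and the implicit "deny any"
    at the end of every Cisco ACL (assumed standard behaviour) applied."""
    for idx, entry in enumerate(acl):
        if entry.matches(src_ip):
            return entry.action, idx
    return "deny", None


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indexes of statements that can never be reached because an earlier
    statement matches every address they match (a symptom of wrong ordering)."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            # 'earlier' covers 'later' if it compares a subset of later's bits
            # and agrees with 'later' on every bit it does compare.
            subset = (earlier.care_bits() & ~later.care_bits() & MASK32) == 0
            agree = ((_int(earlier.source) ^ _int(later.source)) & earlier.care_bits()) == 0
            if subset and agree:
                out.append(j)
                break
    return out


# Constructed sample: block one host, then permit the rest of its /24.
GOOD = [AclEntry("deny", "192.168.1.5", "0.0.0.0"),
        AclEntry("permit", "192.168.1.0", "0.0.0.255")]
BAD = GOOD[::-1]  # same statements, reversed: the host deny is never reached
```

With `GOOD`, 192.168.1.5 is denied at statement 0; with `BAD`, the same host is permitted at statement 0 and `shadowed_entries(BAD)` reports statement 1 as unreachable.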