11.1.1 Introduction to ACLs

ACLs are lists of conditions that are applied to traffic that travels across a router interface. These lists tell the router what types of packets to accept or deny. ACLs can be created for all routed network protocols. ACLs filter network traffic and determine if routed packets are forwarded or blocked at the router interfaces. The ACL parameters that can be defined include source and destination addresses, protocols, and upper-layer port numbers. ACLs are created on a per-protocol, per-direction, and per-port basis. ACLs control traffic in one direction on an interface. Therefore, for every protocol, it is possible that two ACLs could be created, an inbound and an outbound. The following are some of the primary reasons to create ACLs:

Limit network traffic and increase network performance

Provide traffic flow control

Provide a basic level of security for network access

Decide which types of traffic are forwarded or blocked at the router interfaces

Allow an administrator to control what areas a client can access on a network

Screen certain hosts to either allow or deny access to part of a network

Grant or deny user permission to access only certain types of files such as FTP or HTTP

The labs in CCNA 2 have allowed all traffic with no filtering. To apply the concept of an ACL, students must understand the path a packet takes, that is, know its source and destination addresses. Review the OSI model and the protocols at each layer with the students. The reasons for ACLs, and the methods ACLs use to accomplish these functions, may not be apparent to students, and ACLs may take some time to grasp. Do not rush through these sections; give the students enough time to absorb this information. Encourage them to use the labs to reinforce this knowledge and to experiment with various ACL scenarios.

11.1.2 How ACLs work

An ACL is a group of statements that permit or deny traffic on an inbound or outbound router interface. The order in which ACL statements are placed is important. The Cisco IOS software tests the packet against each condition statement in order, from the top of the list to the bottom. When a match is found, the accept or reject action of that statement is performed and no other ACL statements are checked.

If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements. To simplify the process of revising an ACL it is a good idea to use a text editor such as Notepad and paste the ACL into the router configuration.

As a frame enters an interface, the router checks to see if the Layer 2 address matches or if it is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface.

As a review, ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
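The following model, added here as an illustration and not taken from the Cisco guide, shows the matching behaviour just described: statements are tested top to bottom, the first match decides, and one ACL is bound per direction on an interface. It also shows the parameters listed in 11.1.1 (source and destination address, protocol, upper-layer port). The data model is simplified: statements carry CIDR prefixes instead of IOS wildcard masks, and the packets, addresses, ACL number and interface name are constructed sample values.

```python
"""First-match ACL evaluation model (added example, not Cisco IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"  # stands in for the IOS keyword "any"


@dataclass(frozen=True)
class Statement:
    """One permit/deny line. CIDR prefixes replace wildcard masks (simplification)."""
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                       # source network, CIDR
    dst: str                       # destination network, CIDR
    dst_port: Optional[int] = None  # upper-layer destination port; None matches any

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["protocol"] != self.protocol:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def evaluate(acl: list[Statement], pkt: dict) -> tuple[str, Optional[int]]:
    """Test statements from the top down; the first match decides and the scan stops.

    Returns (action, index of the matching statement). If no statement matches,
    IOS applies an implicit deny at the end of every ACL (well-known IOS behaviour,
    not stated in this section); that is modelled as ("deny", None).
    """
    for index, stmt in enumerate(acl):
        if stmt.matches(pkt):
            return stmt.action, index
    return "deny", None


@dataclass
class Interface:
    """One ACL per direction; None means no ACL is applied in that direction."""
    name: str
    inbound: Optional[list[Statement]] = None
    outbound: Optional[list[Statement]] = None


def filter_packet(iface: Interface, direction: str, pkt: dict) -> str:
    """Apply the ACL bound in the given direction ("in" or "out") to a packet.
    With no ACL applied, traffic is not filtered, as in the earlier CCNA 2 labs."""
    acl = iface.inbound if direction == "in" else iface.outbound
    if acl is None:
        return "permit"
    action, _ = evaluate(acl, pkt)
    return action


# Constructed sample ACL: allow web traffic from the LAN to one server, block all
# other LAN traffic to that server, and let any remaining IP traffic through.
ACL_101 = [
    Statement("permit", "tcp", "192.168.1.0/24", "10.0.0.5/32", 80),
    Statement("deny", "ip", "192.168.1.0/24", "10.0.0.5/32"),
    Statement("permit", "ip", ANY, ANY),
]

# Same statements with the first two swapped: the broad deny now shadows the
# web permit, which is why the section stresses statement order.
ACL_101_REORDERED = [ACL_101[1], ACL_101[0], ACL_101[2]]

# Constructed sample packets.
WEB = {"protocol": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "dst_port": 80}
SSH = {"protocol": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "dst_port": 22}
DNS = {"protocol": "udp", "src": "192.168.1.10", "dst": "10.0.0.9", "dst_port": 53}

# Constructed interface: ACL 101 applied inbound only.
FA0_0 = Interface("Fa0/0", inbound=ACL_101)

if __name__ == "__main__":
    for name, acl in (("ACL_101", ACL_101), ("reordered", ACL_101_REORDERED)):
        for label, pkt in (("web", WEB), ("ssh", SSH), ("dns", DNS)):
            print(f"{name:10} {label:4} -> {evaluate(acl, pkt)}")
    print("Fa0/0 in :", filter_packet(FA0_0, "in", WEB))
    print("Fa0/0 out:", filter_packet(FA0_0, "out", SSH))
```

Running the script shows the web packet permitted by statement 0 under ACL_101 but denied by statement 0 under the reordered list, while the DNS packet falls through to the final permit in both; the outbound direction, having no ACL applied, passes everything.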

120 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11

Copyright 2004, Cisco Systems, Inc.
