Delana Hallstedt

If my husband overheard a conversation about a “broken ACL”, he would panic and start searching the Internet for evidence that Megatron was uninjured and that his anterior cruciate ligament (ACL) was intact. This is especially true at this time of the year! Although I like the guy, the fantasy football kind of ACL is not the type I am referring to.
A dysfunctional access control list (ACL) can be as crippling for a network as the above-mentioned torn knee ligament is to a large receiver. An ACL is a list of rules that a network device (e.g. a router or Layer 3 switch) uses to permit or deny traffic. Network traffic control with ACLs can get considerably more complicated than this, but this blog focuses on the basics and does not go into detail about the more advanced uses of ACLs.
ACLs contain one or more access list statements, which are used to identify traffic. Each access list statement is written with either the permit keyword or the deny keyword. The keyword indicates whether packets matching that statement should be forwarded or dropped. A packet that does not match any access list statement with the permit keyword is dropped. This is known as the implicit deny rule.
Access list statements must be entered in the correct order, because ACL statements are evaluated in the order they appear. A packet is compared to each access list statement, top to bottom, until a match is found. Once a match is found, the packet is explicitly permitted or denied and is not compared with any later statements in the ACL. Ordering access list statements correctly matters so that you don’t accidentally allow traffic that should be blocked, or vice versa. Let’s say, for example, that you manage the network shown here.
You create a standard ACL with the syntax access-list ACL-number followed by the permit or deny keyword and the source to match. To configure ACL 1 on RouterA, issue the following commands.
RouterA(config)#access-list 1 permit 192.168.0.0 0.0.0.255
RouterA(config)#access-list 1 deny host 192.168.0.1
You then apply ACL 1 on RouterA as an outbound ACL on the FastEthernet0/2 interface.
RouterA(config)#interface fastethernet0/2
RouterA(config-if)#ip access-group 1 out
An outbound ACL inspects traffic about to be sent out an interface, and an inbound ACL inspects traffic that has been received on an interface. ACL 1 contains one statement that permits traffic from the 192.168.0.0/24 network and one statement that denies traffic from the host 192.168.0.1. Because of the implicit deny rule, ACL 1 blocks traffic from every other network.
RouterA will examine packets destined for the servers connected to the FastEthernet0/2 interface and determine whether the source IP address belongs to the 192.168.0.0/24 network. RouterA forwards packets that match the permit statement out the FastEthernet0/2 interface, and drops packets whose source IP address does not match the permit statement.
What do you think will happen if traffic comes from the source IP address 192.168.0.1? Because 192.168.0.1 is part of the 192.168.0.0/24 network, those packets match the first statement in ACL 1 and are sent on their way. The second access list statement in ACL 1 is about as effective as CJ sitting on the bench with a ruptured ligament. To fix it, simply swap the order of the two statements so the deny is evaluated first.
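To make the first-match and implicit-deny behaviour concrete, here is an added example (not code from the original post or from Cisco) that simulates how a standard numbered ACL is evaluated. It parses the two access-list commands above, evaluates sample source addresses against ACL 1 in the order the post enters it and in the corrected order, and also flags any statement that can never match because an earlier statement already covers it. The wildcard-mask semantics are the standard IOS ones; the sample source addresses and the function names are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A statement is (action, address, wildcard) with address/wildcard as 32-bit ints.
Statement = Tuple[str, int, int]
MASK32 = 0xFFFFFFFF

# Constructed sample config: ACL 1 exactly as the post enters it, and the corrected order.
ACL1_AS_WRITTEN = [
    "access-list 1 permit 192.168.0.0 0.0.0.255",
    "access-list 1 deny host 192.168.0.1",
]
ACL1_FIXED = list(reversed(ACL1_AS_WRITTEN))


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_statement(line: str) -> Tuple[int, Statement]:
    """Parse one IOS standard ACL line:
         access-list N permit|deny A W      (address + wildcard mask)
         access-list N permit|deny host A   (single host, wildcard 0.0.0.0)
         access-list N permit|deny any      (wildcard 255.255.255.255)
    Returns (acl_number, (action, address, wildcard))."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    acl_number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if rest[0] == "any":
        address, wildcard = 0, MASK32
    elif rest[0] == "host":
        address, wildcard = _to_int(rest[1]), 0
    else:
        address = _to_int(rest[0])
        # IOS treats a missing wildcard on a standard ACL as 0.0.0.0 (an exact host)
        wildcard = _to_int(rest[1]) if len(rest) > 1 else 0
    return acl_number, (action, address, wildcard)


def build_acl(config_lines: List[str]) -> Dict[int, List[Statement]]:
    """Group statements by ACL number, preserving the order they were entered."""
    acls: Dict[int, List[Statement]] = {}
    for line in config_lines:
        number, stmt = parse_statement(line)
        acls.setdefault(number, []).append(stmt)
    return acls


def matches(src: int, address: int, wildcard: int) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    return ((src ^ address) & (~wildcard & MASK32)) == 0


def evaluate(acl: List[Statement], src_ip: str) -> Tuple[str, Optional[int]]:
    """Top-down, first-match evaluation. Returns (action, index of the matching
    statement), or ('deny', None) when only the implicit deny at the end applies."""
    src = _to_int(src_ip)
    for index, (action, address, wildcard) in enumerate(acl):
        if matches(src, address, wildcard):
            return action, index
    return "deny", None


def shadowed_statements(acl: List[Statement]) -> List[int]:
    """Indexes of statements that can never match because an earlier statement
    already covers every address they describe (the post's 'on the bench' case)."""
    shadowed = []
    for j, (_, addr_j, wc_j) in enumerate(acl):
        for i in range(j):
            _, addr_i, wc_i = acl[i]
            care_i = ~wc_i & MASK32
            covers_range = (wc_j & care_i) == 0            # j never varies a bit i cares about
            same_prefix = ((addr_i ^ addr_j) & care_i) == 0  # and agrees on those bits
            if covers_range and same_prefix:
                shadowed.append(j)
                break
    return shadowed


def decide(config_lines: List[str], src_ip: str) -> str:
    """Convenience wrapper: the action ACL 1 from config_lines takes for src_ip."""
    return evaluate(build_acl(config_lines)[1], src_ip)[0]


if __name__ == "__main__":
    for label, cfg in (("as written", ACL1_AS_WRITTEN), ("fixed", ACL1_FIXED)):
        acl = build_acl(cfg)[1]
        print(f"ACL 1 {label}: shadowed statement indexes = {shadowed_statements(acl)}")
        for src in ("192.168.0.1", "192.168.0.50", "10.0.0.7"):
            action, idx = evaluate(acl, src)
            where = "implicit deny" if idx is None else f"statement {idx + 1}"
            print(f"  {src:<14} -> {action} ({where})")
```

Running it shows the point of the post: with the statements in the original order, 192.168.0.1 is permitted by statement 1 and statement 2 is reported as shadowed; with the deny moved first, 192.168.0.1 is denied, the rest of 192.168.0.0/24 is still permitted, and a source such as 10.0.0.7 falls through to the implicit deny. The shadow check is a cheap sanity test to run over any ACL before applying it to an interface.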