Access Control Lists (ACLs)

Introduction

Access Control Lists (ACLs) are filters that routers use to control which routing updates or packets are permitted or denied in or out of a network. An ACL contains a sequential list of permit or deny statements that apply to IP packets originating from or destined to specific hosts, IP addresses, and upper-layer IP protocols.

An ACL tells the router which packets to permit and which to deny. When a packet arrives at or leaves an interface that has an ACL applied, the router compares it against the list and does the following:

  • If the packet matches a permit statement, the router forwards it toward the next hop.

  • If the packet matches a deny statement, the router drops it at the interface. The packet never reaches the intended destination host or IP address.

  • An ACL applies to traffic in one direction only on an interface. To filter both inbound and outbound traffic for a host, IP address, or protocol, two ACLs are required: one applied inbound and one applied outbound.

  • Statements are evaluated in order from top to bottom, and the first statement that matches a packet decides its fate; later statements are not consulted. On most platforms the list ends with an implicit deny, so a packet that matches no statement is dropped.

For example, if an ACL is configured in a router as follows:

PERMIT OUTBOUND TCP ANY ANY 0 0 3
PERMIT INBOUND TCP ANY ANY 0 0 3
DENY BOTH ANY ANY ANY 0 0 3

Because statements are evaluated in order, the two permit statements take effect before the deny statement is reached: outbound TCP packets through interface 3 match the first statement and are permitted, inbound TCP packets through interface 3 match the second and are permitted, and every other packet through interface 3 falls through to the third statement and is denied in both directions. It is the position of a statement, not the keyword, that gives it precedence: if the DENY BOTH line were moved to the top, it would match every packet on interface 3 and the two permit statements would never be reached.
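The following is an added example, not code from the original page or from any vendor's ACL implementation. It evaluates rules written in the page's syntax with first-match semantics, runs the page's three-line ACL and a reordered copy of it against constructed sample packets, and flags statements that an earlier statement has made unreachable. It assumes that the three trailing fields are source port, destination port and interface number, that 0 means "any port", and that a packet matching no statement is dropped; none of those details are stated on the page.

```python
# Added example, not code from the original page or any vendor's ACL
# implementation: a first-match evaluator for rules written in the page's
# syntax. Assumptions: the trailing fields are SPORT DPORT IFACE, 0 means
# "any port", and a packet matching no rule is dropped (implicit deny).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str     # PERMIT or DENY
    direction: str  # INBOUND, OUTBOUND or BOTH
    protocol: str   # TCP, UDP, ICMP or ANY
    src: str        # CIDR or ANY
    dst: str        # CIDR or ANY
    sport: int      # 0 = any (assumption)
    dport: int      # 0 = any (assumption)
    interface: int

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    sport: int
    dport: int
    interface: int

def parse_acl(text):
    """Parse lines of the form: ACTION DIRECTION PROTO SRC DST SPORT DPORT IFACE."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            a, d, p, s, t, sp, dp, i = line.upper().split()
            rules.append(Rule(a, d, p, s, t, int(sp), int(dp), int(i)))
    return rules

def _addr_matches(spec, addr):
    return spec == "ANY" or ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    return (rule.interface == pkt.interface
            and rule.direction in ("BOTH", pkt.direction)
            and rule.protocol in ("ANY", pkt.protocol)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.sport in (0, pkt.sport)
            and rule.dport in (0, pkt.dport))

def evaluate(acl, pkt):
    """First match wins: walk top to bottom and stop at the first matching rule.
    Returns (action, index); index is None when the implicit deny applied."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "DENY", None

def _addr_covers(outer, inner):
    if outer == "ANY":
        return True
    if inner == "ANY":
        return False
    return ip_network(outer, strict=False).supernet_of(ip_network(inner, strict=False))

def _covers(outer, inner):
    """True when every packet that matches `inner` also matches `outer`."""
    return (outer.interface == inner.interface
            and outer.direction in ("BOTH", inner.direction)
            and outer.protocol in ("ANY", inner.protocol)
            and _addr_covers(outer.src, inner.src)
            and _addr_covers(outer.dst, inner.dst)
            and outer.sport in (0, inner.sport)
            and outer.dport in (0, inner.dport))

def shadowed_rules(acl):
    """Indexes of rules that can never fire because an earlier rule already covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]

# The page's ACL verbatim, and the same lines with the DENY moved to the top.
PAGE_ACL = parse_acl("""
PERMIT OUTBOUND TCP ANY ANY 0 0 3
PERMIT INBOUND TCP ANY ANY 0 0 3
DENY BOTH ANY ANY ANY 0 0 3
""")
DENY_FIRST_ACL = [PAGE_ACL[2], PAGE_ACL[0], PAGE_ACL[1]]

# Constructed sample packets, not captured traffic.
TCP_IN_IF3 = Packet("INBOUND", "TCP", "198.51.100.7", "192.0.2.10", 40000, 443, 3)
UDP_IN_IF3 = Packet("INBOUND", "UDP", "198.51.100.7", "192.0.2.10", 40000, 53, 3)
TCP_IN_IF2 = Packet("INBOUND", "TCP", "198.51.100.7", "192.0.2.10", 40000, 443, 2)

if __name__ == "__main__":
    for name, acl in (("page order", PAGE_ACL), ("deny first", DENY_FIRST_ACL)):
        print(name, [evaluate(acl, p) for p in (TCP_IN_IF3, UDP_IN_IF3, TCP_IN_IF2)],
              "shadowed:", shadowed_rules(acl))
```

With the page's ordering, inbound TCP on interface 3 is permitted by the second statement and inbound UDP on interface 3 falls through to the DENY BOTH statement; a TCP packet on interface 2 matches nothing and is dropped by the assumed implicit deny. With the DENY BOTH statement moved to the top, every packet on interface 3 is denied by statement 0, and shadowed_rules reports statements 1 and 2 as unreachable, which is the check worth running before an ACL goes into production.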