In this article I describe Access Control Lists (ACLs) in a router for the CCNA exam. An access control list in a router works as a filter that allows or denies routing updates and packets on a particular interface of the router. Access control lists provide an extra layer of security for the network by controlling its incoming and outgoing traffic. Access control lists do only two things: permit packets and deny packets, at layer 3 of the OSI reference model.
When a packet arrives at a router interface, the router examines the packet header and compares that information with the access control lists configured on the router. The result of the comparison decides whether the packet is dropped or allowed. This process works at the network layer of the OSI or TCP/IP model. Access control lists in a router can be applied on the entrance (inbound) or exit (outbound) side of an interface.
Access control lists are a set of instructions used to filter the traffic passing through a router interface, whether incoming or outgoing. The access control list is an integrated facility of the router's IOS. When a packet arrives on an interface, the router first checks the destination address of the packet. Then the router looks up that destination address in its routing table. If the destination address is found in the routing table, the router checks for an access control list on that interface. According to the access control list, the packet is permitted or dropped on that interface.
Requirement of Access Control Lists in router
Access control lists are required for certain reasons. The main requirement of an access control list in a router is to limit the traffic in the network: access control lists limit unwanted traffic, such as routing updates, in the network. An additional layer of security is provided to the network by using access control lists. Access control lists are applied in two ways, as an inbound access control list or as an outbound access control list. When an access control list inspects the incoming packets on an interface, it is known as an inbound access control list. Similarly, when an access list is applied to the outbound packets on an interface, it is known as an outbound access list.
Types of Access Control Lists in router
Access control lists in a router are divided into two types: standard access control lists and extended access control lists. Both kinds of access control lists have different features for filtering the traffic on a particular interface of the router. Standard access control lists are identified by the numbers 1 to 99 and 1300 to 1999. Extended access control lists have their own identification numbers, 100 to 199 and 2000 to 2699. Let's see these two kinds of access lists in detail. You can see in the command window below the types of access lists available in the router.
Router(config)#access-list ?
  <1-99>      IP standard access list
  <100-199>   IP extended access list
Router(config)#
Standard Access Control Lists in router (1-99 and 1300-1999)
Standard access control lists are created using the IP address of the source device. A standard ACL works on the entire protocol suite: the rule completely permits or denies all traffic from a particular IP address. Every decision of a standard access control list depends on the source IP address of the data packet. Standard access lists don't check the service type or protocol of the data packet, such as web, telnet or mail services. The router identifies a standard access control list by the numbers 1 to 99 and 1300 to 1999. Standard access control lists are used for normal filtering of data traffic. In the early days such filtering was sufficient for network security. In today's scenario many more types of filtering are required, which are done by firewalls and IPS devices.
Extended Access control lists in router (100-199 and 2000-2699)
Extended access control lists are created using both the source and destination IP addresses. In addition to the IP addresses, extended access control lists also filter on other fields in the layer 3 and layer 4 headers of an IP packet. The protocol field is also checked by extended access control lists in the router; examples are telnet, UDP and mail services. This facility provides an additional layer of security compared with standard access control lists. We can say that extended access control lists can filter packets by their source and destination IP addresses, port numbers and protocols. The router identifies extended access control lists by the numbers 100 to 199 and 2000 to 2699.
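As an added example, not part of the original article, here is a small Python simulator of how a router evaluates a standard list (source address only) against an extended list (source, destination, protocol and port). It assumes the well-known IOS behaviour that entries are checked top-down, the first match decides, and a packet matching no entry is dropped (implicit deny); the addresses and list contents are constructed for illustration.

```python
# Added example (not from the original article): simulator of standard vs
# extended IP access list evaluation. Assumed, well-known behaviour: entries
# are checked top-down, first match wins, no match means deny.
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'ignore this bit', 0 means 'must match'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str                        # source address (the only field a standard ACL checks)
    src_wc: str = "0.0.0.0"         # source wildcard mask
    dst: Optional[str] = None       # fields below are used by extended ACLs only
    dst_wc: str = "0.0.0.0"
    proto: str = "ip"               # "ip" matches any protocol
    dport: Optional[int] = None     # destination port (e.g. 23 for telnet)

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.dst is not None and not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.proto != "ip" and pkt.get("proto") != self.proto:
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def evaluate(acl: list, pkt: dict) -> str:
    """Top-down, first match wins; falling off the end means deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"

# Constructed sample lists; the addresses are illustrative only.
STANDARD_10 = [                     # standard ACL: source address only
    Entry("deny", "192.168.1.5"),                       # block one host
    Entry("permit", "192.168.1.0", "0.0.0.255"),        # allow the rest of the /24
]
EXTENDED_110 = [                    # extended ACL: source, destination, protocol, port
    Entry("permit", "192.168.1.0", "0.0.0.255", "10.0.0.8", proto="tcp", dport=80),
    Entry("deny", "192.168.1.0", "0.0.0.255", "10.0.0.8", proto="tcp", dport=23),
    Entry("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
```

A telnet packet from 192.168.1.7 to 10.0.0.8 is permitted by STANDARD_10 (only the source is examined) but denied by EXTENDED_110 (the port 23 entry matches first).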
There are two other types of access control lists defined in networking: named access control lists and numbered access control lists. Don't be confused by the names of these additional types of ACLs; keep reading about them for your knowledge base only. The main types of ACLs are standard and extended.
Named Access Control Lists in router
A named access control list is created by assigning a name to an access control list in the router. The network administrator can delete a named access control list in the router. A named access control list can be used with both standard and extended access control lists. Don't be confused by the last line; I mean to say that a named access control list can be used as either a standard access control list or an extended access control list in the router. We can say that named access control lists are extended versions of the standard and extended access control lists. We can assign a name as well as a number to identify an access control list.
Numbered Access Control Lists in router
Numbered access control lists are not editable. Once created, the entries of a numbered access control list cannot be removed individually. If you want to edit any rule in a numbered access control list, the router will not allow it; you have to delete the whole access list and create a new one with the new rules. Numbered access control lists can also be used with both standard and extended ACLs.
Things to remember with Access Control Lists in router
Remember some basic rules for access control lists. Standard ACLs are applied close to the destination. Extended ACLs are applied close to the source. Only one access control list can be assigned to an interface in a given direction: we can assign one inbound or one outbound ACL on an interface. Every new rule added to an ACL is appended at its bottom. The names of standard and extended access control lists should be distinct; two ACLs cannot have the same name.
I hope you enjoyed and understood this article about access control lists. For any query or suggestion on this article you may contact us or drop a comment below. Your suggestions are always welcome.