User privileges for gaining access to system locations and resources are managed by an access control list (ACL). Although ACLs have their uses on personal computers, they are far more common in professional settings.
In networking, ACLs are a recognized standard security practice, used to monitor network traffic and prevent unwanted access to database servers, content management systems and similar resources.
This article covers the role of ACLs in networking: the parts of an access control list, the common ACL types, and suggestions for how to implement an access control list on a network.
What is ACL (Access Control List)?
An ACL (Access Control List) is a collection of rules that controls access to a computer network. Network devices, i.e. routers and switches, apply ACL statements to ingress (incoming) and egress (outgoing) traffic, which lets them regulate which traffic is allowed to travel across the network.
How Does an ACL Work?
ACLs function as stateless firewalls. A stateless firewall only checks that each packet conforms to the configured security rules, whereas a stateful firewall also tracks the state of connections and inspects packets in the context of their session.
ACLs are tables of access rules held on network devices such as switches and routers. Once a user creates an ACL on a router or switch, the device acts as a traffic filter.
As shown in the diagram above, ACLs tell the router whether traffic from a given user (IP address) may pass through the device.
Numbered and Named ACLs
When creating an access control list, the user can format it as either a numbered or a named list.
In numbered access control lists, each list is identified by a unique number:
Standard access lists accept the numbers 1-99 and 1300-1999.
Extended access lists use the ranges 100-199 and 2000-2699.
Named access control lists are preferred over numbered ones because a name lets network administrators describe the ACL's purpose.
For instance, when configuring an extended ACL that sets rules for the InfoSec office in a business building, the following commands can be entered at the router configuration mode command line to create a numbered extended list (the number 120 falls in the extended range):
access-list 120 [rule1]
access-list 120 [rule2]
Although a numbered list created this way has the same capabilities as its named counterpart, creating the named list makes its purpose clear:
ip access-list extended INFOSEC
 [rule1]
 [rule2]
ACL Types
There are five varieties of ACL: standard, extended, dynamic, reflexive and time-based.
Each ACL type is described in the sections that follow.
1: Standard ACL
The basic type of ACL filters traffic according to the source IP address. Whenever a packet tries to enter or exit the switch, the device compares the packet's IP information against the ACL's rules. Checking stops at the first rule that matches the packet's source IP address.
For instance, access list number 5 below permits the hosts on the 192.168.15.0/24 network:
access-list 5 permit 192.168.15.0 0.0.0.255
The full syntax for creating a standard ACL is:
access-list access-list-number-or-name {permit | deny} {any | host address | source [source-wildcard]}
The source-wildcard parameter takes an inverse mask. To calculate the inverse mask, subtract each octet of the subnet mask from 255. In the example above, 0.0.0.255 is the inverse mask of the subnet mask 255.255.255.0.
2: Extended ACL
Unlike standard ACLs, extended access control lists accept rules based on both source and destination IP addresses. Extended ACL rules can additionally filter by protocol type, TCP or UDP port, and so on.
For example, extended access list number 150 below permits all TCP traffic from the 192.168.15.0/24 network to any IPv4 destination, as long as the destination port is HTTP (port 80):
access-list 150 permit tcp 192.168.15.0 0.0.0.255 any eq www
The full syntax for an extended ACL is as follows:
access-list access-list-number-or-name {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [log]
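To make the inverse-mask arithmetic and the first-match, implicit-deny behaviour of the standard and extended examples above concrete, here is an added Python evaluator (not code from the article or from any vendor). It parses a subset of the Cisco-style syntax shown on this page (numbered lists, any/host/wildcard targets, and eq port filters only); the port keyword table and the sample packets are constructed for the example.

```python
# Added example (not the article's code): evaluator for Cisco-style ACL lines.
import ipaddress
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22}  # constructed table of port keywords

def wildcard_from_mask(subnet_mask):
    """Inverse (wildcard) mask: each octet subtracted from 255, so 255.255.255.0 -> 0.0.0.255."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def matches(addr, network, wildcard):
    """True if addr matches network/wildcard; bits set in the wildcard are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _target(tok):
    """Consume 'any' | 'host A' | 'A [W]' from the token list; return (network, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return t, (tok.pop(0) if tok and tok[0][0].isdigit() else "0.0.0.0")

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ...' lines; the number decides standard vs extended."""
    rules = []
    for line in lines:
        tok = line.split()
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        standard = number <= 99 or 1300 <= number <= 1999
        proto = "ip" if standard else rest.pop(0)          # standard ACLs look at source IP only
        src = _target(rest)
        dst = ("0.0.0.0", "255.255.255.255") if standard else _target(rest)
        dport = None
        if rest and rest[0] == "eq":                        # only 'eq <port>' is supported here
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return rules

def evaluate(rules, pkt):
    """'permit' or 'deny': the first matching entry wins; no match falls to the implicit deny."""
    for r in rules:
        if (r["proto"] in ("ip", pkt["proto"])
                and matches(pkt["src"], *r["src"]) and matches(pkt["dst"], *r["dst"])
                and (r["dport"] is None or r["dport"] == pkt.get("dport"))):
            return r["action"]
    return "deny"

# Constructed sample: the article's entry 150, preceded by a more specific deny for one host.
ACL_150 = parse_acl(["access-list 150 deny tcp host 192.168.15.7 any eq www", "access-list 150 permit tcp 192.168.15.0 0.0.0.255 any eq www"])
```

A packet from 192.168.15.7 to port 80 hits the host deny first, one from any other address in the /24 reaches the permit, and a port 443 packet matches nothing and falls to the implicit deny.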
3: Dynamic ACL
Dynamic ACLs are extended lists whose rules are created dynamically. This ACL type is also known as lock-and-key security.
Dynamic ACLs address the problems caused by a change in a permitted host's IP address, for example when a trusted system is physically moved. The user must provide a username and password to verify their identity. If validation succeeds, the network device updates its access rules to permit connections from the new IP address.
4: Reflexive ACL
Unlike a regular ACL, which does not keep track of sessions, a reflexive ACL can restrict traffic to sessions that originate from the host network. A reflexive ACL cannot be applied directly to an interface, so it usually has to be nested in an extended named access list. This type of access control does not support applications such as FTP clients that change port numbers in the middle of a session.
5: Time-Based ACL
This extended ACL type makes time-based access control possible. For instance, a company might restrict employee access to particular websites to lunchtime only.
Time-based rules are built with the time-range command. It can create absolute rules, with a single start and end time, as well as periodic rules, which set up recurring periods.
Components of ACL
An access control list is made up of the following elements:
- The Sequence number identifies the ACL entry.
- The Name identifies the ACL in a descriptive way.
- The Statement is the main body of the ACL. With statements the user permits or denies access to an IP address or IP range.
- The Network protocol component permits or blocks specific network protocols, such as IP, TCP, UDP and others.
- The Source or destination component specifies the IP addresses or ranges for the source or destination.
Some routers support additional ACL components, including:
- Logs, which record ACL events.
- Remarks, which leave room for comments about the ACL's purpose.
- Components for finer-grained traffic control in advanced ACLs, based on ToS (type of service) or DSCP priority.
Advantages of ACL
ACLs matter most for network security, but they also help with other areas of network traffic control:
- They allow granular access control based on addresses, protocols, traffic types, etc. by blocking particular users or traffic. This is especially helpful for servers that face the internet.
- They simplify the identification of local and remote users and hosts.
- They help manage and avoid congestion.
- By controlling bandwidth they reduce network traffic and help networks run more efficiently.
- They help stop spoofing and DoS (Denial of Service) attacks.
The Best Way to Use ACL
Understanding the router's traffic flow is crucial for good ACL implementation, since the router is the best place to apply ACL rules. Understanding network traffic requires knowing the terms ingress (inbound) and egress (outbound) traffic.
The flow of traffic into and out of the network is depicted in the following diagram:
- Traffic entering the router is referred to as ingress traffic.
- Traffic that exits the router is known as egress traffic.
For instance, to block all traffic originating from the internet, create an ingress rule. The source for this rule is the catch-all value 0.0.0.0 (the any keyword), which stands for all external IP addresses. The destination is the local network's IP address.
Conversely, to block internet access for a single machine inside the network, create an egress rule with 0.0.0.0 as the destination and the machine's IP address as the source.
The following are suggestions for using ACLs:
- Create the ACL before applying it to the router or switch. If you start by applying an empty list on the device, the implicit deny statement that network devices include by default may block your network traffic.
- Make sure the ACL contains at least one permit statement, otherwise it denies all traffic.
- Place more specific rules before general ones.
- Add an explicit deny statement. Every ACL ends with an implicit deny, but when you use the show access-list command to report the number of denied packets, only explicit statements are displayed.
- Where possible, use the remark command to document the ACL.
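The three rule-related guidelines above (at least one permit, specific before general, explicit deny at the end) can be checked mechanically before an ACL is applied. The following added Python linter (not the article's or any vendor's tooling) does that for a standard ACL given as (action, network, wildcard) entries in configured order; the sample entries are constructed for the example.

```python
# Added example (not the article's code): static checks for the ACL guidelines above.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to

def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))

def covers(outer, inner):
    """True if every address matched by inner=(network, wildcard) is also matched by outer."""
    onet, owild = (_as_int(x) for x in outer)
    inet, iwild = (_as_int(x) for x in inner)
    return (owild | iwild) == owild and (onet & ~owild) == (inet & ~owild)

def lint_standard_acl(entries):
    """entries: (action, network, wildcard) tuples in configured order.
    Returns human-readable findings; an empty list means the ACL follows the guidelines."""
    findings = []
    if not any(action == "permit" for action, _, _ in entries):
        findings.append("no permit statement: together with the implicit deny this ACL blocks all traffic")
    for i, (action, net, wild) in enumerate(entries):
        for j in range(i):
            earlier, enet, ewild = entries[j]
            if covers((enet, ewild), (net, wild)):      # first match wins, so entry i never fires
                findings.append(f"entry {i + 1} ({action} {net} {wild}) is shadowed by entry {j + 1} "
                                f"({earlier} {enet} {ewild}): put the more specific rule first")
                break
    if not entries or entries[-1][0] != "deny" or not covers(tuple(entries[-1][1:]), ANY):
        findings.append("no explicit 'deny any' at the end: denied packets will not be counted by show access-list")
    return findings
```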
Conclusion
After reading this article you should know more about ACLs in networking, including their types, elements and advantages, and how to set up an ACL on your network.