Understanding Access Control Lists (ACLs) on Cisco Devices - Intro

Home > Blogs > Cisco > ACLs on Cisco devices-introduction

ACLs on Cisco devices-introduction

Added by Mark Jacob May 12, 2014

If you are starting out on your journey to become CCNA R&S certified, one hurdle to clear is understanding Access Control Lists (ACLs). As I encounter students who are new to Cisco, I find that many have been lead to believe that ACLs are complicated, difficult to decipher, and difficult to deploy. Second after subnetting, this topic seems to inspire the most trepidation. If merely seeing the term ACL on this blog did not dissuade you from reading further, come with me on part one of a journey to understand this vital networking concept.

The first aspect of ACLs to consider is the answer to the question, “What exactly IS an ACL? Many who have familiarity with this topic might be quick to answer that ACLs provide for security within a company’s network. While this is assuredly a great description of a common use of ACLs, it is not a definition in and of itself. In my mind, this is similar to someone asking for the definition of a hammer and being told that a hammer drives nails. Sounds good, right? Yet driving a nail is merely one use of the tool which is the hammer. So if providing security is but a use of the tool which is an ACL, how do we define the tool itself?

An ACL is a means to IDENTIFY network traffic. This is part one. Once the desired traffic is identified, the next step is to decide what to do with it. A common comparison I use is that of a grade school campus on the first day of school. As all the children come out of their classrooms at the end of the day, they head to where the buses are parked and waiting. If you think back to how you were on the first day of first grade, you probably recall nervousness and anxiety. Not a great frame of mind when trying to figure out which bus is the correct one to get you home. After all, in first grade, they all look the same. (In fact they still look rather similar to me.) So let’s say that there is one employee of the school who is watching the children as they leave their classrooms and as they pass her, she places colored stickers on their shirts, based on which bus they need to board. Thus she is IDENTIFYING the traffic.

Now for the second part – what to do with the identified traffic. Let’s say there is a second school employee near the exit that leads to the buses, and as the students pass through the gate, she directs them to the correct bus based on the color of their sticker. Without the second part, identifying the traffic would be meaningless. You would just have lost children with stickers on their shirts.

This is a fitting scenario to gain an understanding of the complete story of ACLs. First, identify the traffic. Second, decide what to do with it. The ‘L’ in ACL stands for List. That’s all an ACL is – a list of permit or deny statements which is used to assess (identify) traffic of interest to the network administrator. This list could be likened to a list held by a bouncer at a club. As potential revelers attempt to gain admittance, the bouncer check the list, one line at a time, starting at the top and working to the bottom, to see if a particular person is allowed to enter the club. Once a match is found, the bouncer stops looking at the list and does whatever the matching line says. Remember, it could be a permit or a deny statement. For example, if the bouncer has a list that says deny Mark Jacob, and I show up and try to enter the club, I will not be allowed to go inside the club. If the bouncer checks every line and finds no match, the person is denied by what is called the ‘implicit deny.’ In the same manner, if your Cisco device checks every line of an ACL and finds no match, the packet is denied.

A little more information on the structure of the ACL is in order. Going back to the example above where I was denied entry, what if the next line under deny Mark Jacob said permit Cisco Instructors? I could attempt to challenge the bouncer by pointing out that I am a Cisco instructor and therefore should be allowed entry, but why does that not work? Recall that the list is processed top-down, and upon finding a match, processing stops and whatever the matching instructs is what is performed. Since I am denied before I am permitted, I don’t get to join the festivities. This means that sequence of ACL statements is very important. You now can see the importance of placing the more specific statements near the top of the list.

There are two flavors of ACLs – standard lists and extended lists. They can be numbered or they can be named. Most long-time Cisco admins prefer to name their ACLs for memory retention reasons. If you create a list number 125, what are the chances that 6 months later you will remember straight away what that list was doing? On the other hand, let’s say you name a list RandD-No_Internet, In 6 months, a year, or even longer, just seeing the name of the list will remind you that R & D is not permitted Internet access.

This blog is just an introduction to the topic of ACLs. In part 2 – ACLs on Cisco devices | Understanding Wildcard Masks, I will be following it up with blogs which show the syntax of configuring them, as well as even more in-depth blogs which will show an ACL from creation to deployment, as well as how traffic flows both pre-ACL and post-ACL. Please tune in again for the continuation of this mission-critical skill.