ACLs (access control lists) are used to filter network traffic by permitting or denying packets based on source/destination addresses, protocols, ports, and other packet attributes. There are two main types - standard ACLs filter based on source IP address, while extended ACLs filter on source/destination IP addresses, protocols, ports and other fields. ACL rules are ordered and the first matching rule determines if a packet is permitted or denied. If no rules match, the implicit deny at the end of the ACL is applied.

1. ACL Principle
V1.1

2. Objectives
Understand the basic function of ACL
Know when and how to use ACL

3. Contents
ACL conception and function
ACL types
ACL working principle
ACL rule

4. FDDI
172.16.0.0
172.17.0.0
Token
Ring
Internet
Why Use Access Lists?
Manage IP traffic as network access grows
Filter packets as they pass through the router

5. Access List Applications
Permit or deny packets moving through the
router
Permit or deny telnet access to or from the
router
Without access lists all packets could be
transmitted onto all parts of your network
telnet access (IP)
Transmission of packets on an interface

6. ACL Configuration Procedure
Define trigger condition
Define packet matching rules
Bind to interface or service
Packet outgoing
interfacePacket incoming
interface
ACL process
permit?
Source IP、
Destination IP
protocol

7. Contents
ACL conception and function
ACL types
ACL working principle
ACL rule

8. Dest Address
Source Address
Protocol
Port number
Segment Header
(TCP Header) Data
Packet Header
(IP Header )
Frame Header
(e.g. HDLC)
Use ACL to check
data
Deny Permit
ACL Types and Matching Conditions
Standard ACL
Use source address as filtering standard
Can generally restrict a kind of protocol
Extend ACL
Use five elements to filter packets
Can restrict a concrete protocol accurately

9. ACL Types and Matching Conditions

10. IPv6 ACL Command Structure
Command structure for standard ACL
Command structure for extend ACL

11. Contents
ACL conception and function
ACL types
ACL working principle
ACL rule

12. Inbound
Interface
Packets
N
Y
Packet Discard Bucket
Choose
Interface
NAccess
List
?
Routing
Table
Entry
?
Y
Outbound
Interface
Packets
S0
Outbound Access Lists

13. Outbound
Interface
Packets
N
Y
Packet Discard Bucket
Choose
Interface
Routing
Table
Entry
?
N
Packets
Test
Access List
Statements
Permit
?
Y
Outbound Access Lists
Access
List
?
Y
S0
E0
Inbound
Interface
Packets

14. Notify Sender
Outbound Access Lists
If no access list statement matches then discard the packet
N
Y
Packet Discard Bucket
Choose
Interface
Routing
Table
Entry
?
N
Y
Test
Access List
Statements
Permit
?
Y
Access
List
?
Discard Packet
N
Outbound
Interface
Packets
Packets
S0
E0
Inbound
Interface
Packets

15. Contents
ACL conception and function
ACL types
ACL working principle
ACL rule

16. A List of Tests: Deny or Permit
Packets to Interface(s)
in the access group
Packet
Discard
Bucket
Y
Interface(s)
Destination
Deny
Deny
Y
Match
First
Rule
?
Permit

17. A List of Tests: Deny or Permit
Packets to Interface(s)
in the Access Group
Packet
Discard
Bucket
Y
Interface(s)
Destination
Deny
Deny
Y
Match
First
Rule
?
Permit
N
Deny Permit
Match
Next
Rule(s)
?
YY

18. A List of Tests: Deny or Permit
Packets to Interface(s)
in the Access Group
Packet
Discard
Bucket
Y
Interface(s)
Destination
Deny
Deny
Y
Match
First
Rule
?
Permit
N
Deny Permit
Match
Next
Rule(s)
?
Deny
Match
Last
Rule
?
YY
N
YY
Permit

19. A List of Tests: Deny or Permit
Packets to Interface(s)
in the Access Group
Packet
Discard
Bucket
Y
Interface(s)
Destination
Deny
Y
Match
First
Rule
?
Permit
N
Deny Permit
Match
Next
Rule(s)
?
Deny
Match
Last
Rule
?
YY
N
YY
Permit
Implicit
Deny
If no match
deny all
Deny
N

20. ACL Rule Conclusion
Q：How to arrange
the sequence of rules
when configuring
ACL
ACL matching execute from top to bottom, if one statement
match the packets, it will execute the corresponding rule (permit
or deny) and then jump out of ACL.
There is an implicit rule “Deny all” at the end of each ACL.
ACL can be applied to inbound or outbound direction of a
concrete IP interface
ACL can be applied to a specific system service (e.g. Telnet
service on device)
Before applying ACL, we should create it
We can set only one ACL for a specific protocol on one direction
of an interface at one time

21. Where to apply ACL？
Standard ACL： near the destination
Extend ACL： near the source
E0
E0
E1
S0
To0
S1
S0
S1
E0
E0Token
Ring
BB
AA
DD
PC_A
PC_B

22. Content Review
ACL conception and usage
ACL working principle
ACL types
ACL rule

23. Questions
Where to place standard ACL in the network?
Where to place extend ACL?
What will be done to the packet if there are no
matches in the ACL?
How to arrange the sequence of rules when
configuring ACL?
What will happen if a data packet pass an
interface that no ACL is defined?