
What are Access Control Lists?

ACLs are a network filter utilized by routers and some switches to permit and restrict data flows
into and out of network interfaces. When an ACL is configured on an interface, the network
device analyzes data passing through the interface, compares it to the criteria described in the
ACL, and either permits the data to flow or prohibits it.
Why Do We Use Access Control Lists?

There are a variety of reasons to use ACLs. The primary one is to provide a basic level of
security for the network. ACLs do not offer the depth of protection of a stateful firewall, but
they can be applied on high-speed interfaces where line-rate forwarding matters and a firewall
would be a bottleneck. ACLs are also used to restrict routing updates from network peers and
can be instrumental in defining flow control for network traffic.
When do we use Access Control Lists?

As mentioned above, router ACLs are not as complex or robust as stateful firewalls, but they
do offer a significant amount of firewall capability. For an IT network or security
professional, placement of your defenses is critical to protecting the network, its assets and data.
ACLs should be placed on external routers to filter traffic from less trusted networks and to
block known vulnerable protocols.
One of the most common methods in this case is to set up a DMZ, or demilitarized zone, in
your network. This architecture is normally implemented with two separate network devices.
An example of this configuration is given in Figure 1.

Standard access-list example on Cisco Router


Let's configure some access-lists so I can demonstrate how this is done on Cisco IOS
routers. In this article we'll cover the standard access-list, which filters on the source IP
address only. Here's the topology:

Two routers, each with a loopback interface. I will use two static routes so that the
routers can reach each other's loopback interface:
ED209(config)#ip route 2.2.2.0 255.255.255.0 192.168.12.2
Robocop(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1

If you choose to use a routing protocol to advertise networks, be careful that your access-list
doesn't block your RIP, EIGRP or OSPF traffic.
Now let's start with a standard access-list! I'll create something on router Robocop that only
permits traffic from network 192.168.12.0/24:
Robocop(config)#access-list 1 permit 192.168.12.0 0.0.0.255

This single permit entry is enough. Keep in mind that every access-list ends with an implicit
deny any: we don't see it, but it's there, so anything not explicitly permitted is dropped. Let's
apply this access-list inbound on router Robocop:
Robocop(config)#interface fastEthernet 0/0
Robocop(config-if)#ip access-group 1 in

Use the ip access-group command to apply it to an interface. I applied it inbound with the in
keyword.
Robocop#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.12.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1

You can verify that the access-list has been applied with the show ip interface command. Above
you see that access-list 1 has been applied inbound.
Now let's generate some traffic:
ED209#ping 192.168.12.2
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:


!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Our ping is successful; let's check the access-list:


Robocop#show access-lists
Standard IP access list 1
10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)

As you can see, the access-list shows the number of matches per statement. We can use this to
verify our access-list. Let me show you something useful when you are playing with access-lists:
ED209#ping 192.168.12.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)

When you send a ping you can use the source keyword to select the source interface. The source
IP address of this IP packet is now 1.1.1.1, and you can see these pings are failing because the
access-list drops them. The U in the output is the ICMP unreachable that Robocop returns for each
denied packet.
Robocop#show access-lists
Standard IP access list 1
10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)

You won't see them with the show access-lists command because the implicit deny any is dropping
them, and IOS keeps no counter for the implicit entry. If you want those drops to show up in the
counters, add an explicit deny any as the last entry of the list.
What if I wanted something different? Let's say I want to deny traffic from network
192.168.12.0/24 but permit all other networks? I can do something like this:
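To make the evaluation rules above concrete, here is a small Python model of how a standard access-list processes packets. This is an added example, not code from the original article or from Cisco: it reproduces wildcard-mask matching on the source address only, first-match-wins ordering, the implicit deny any at the end, and the per-entry counters that show access-lists prints. Access-list 1 and the addresses are the ones used on this page; access-list 2, with an explicit deny any appended, is a constructed addition that goes beyond the page to show that only explicit entries are counted.

```python
# Added example, not code from the original page: a small Python model of how a
# Cisco IOS standard access-list evaluates packets. It reproduces what the page
# demonstrates (wildcard-mask matching on the source address only, first match
# wins, the implicit "deny any" at the end, and the per-entry counters of
# `show access-lists`). Addresses are the ones from the page; access-list 2 with
# its explicit "deny any" is a constructed addition to show that only explicit
# entries are counted.
import ipaddress
from dataclasses import dataclass, field


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Entry:
    seq: int
    action: str       # "permit" or "deny"
    network: str
    wildcard: str
    matches: int = 0


@dataclass
class StandardACL:
    number: int
    entries: list = field(default_factory=list)
    implicit_denied: int = 0   # hits on the unseen deny any; IOS never displays these

    def add(self, action: str, network: str, wildcard: str = "0.0.0.0") -> "StandardACL":
        """Append an entry; IOS numbers entries 10, 20, 30 ... by default."""
        seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries.append(Entry(seq, action, network, wildcard))
        return self

    def evaluate(self, src: str) -> str:
        """A standard ACL looks only at the source address. First match wins;
        a packet matching no entry falls through to the implicit deny."""
        for e in self.entries:
            if wildcard_match(src, e.network, e.wildcard):
                e.matches += 1
                return e.action
        self.implicit_denied += 1
        return "deny"

    def show(self) -> str:
        """Render the list the way `show access-lists` does (counters only when non-zero)."""
        lines = [f"Standard IP access list {self.number}"]
        for e in self.entries:
            if e.wildcard == "255.255.255.255":
                target = "any"
            else:
                target = f"{e.network}, wildcard bits {e.wildcard}"
            count = f" ({e.matches} matches)" if e.matches else ""
            lines.append(f"    {e.seq} {e.action} {target}{count}")
        return "\n".join(lines)


def demo_from_page() -> tuple:
    """Replays the page: five pings from 192.168.12.1 are permitted and counted,
    five pings sourced from loopback 1.1.1.1 are dropped by the implicit deny and
    leave no trace in the counters."""
    acl = StandardACL(1).add("permit", "192.168.12.0", "0.0.0.255")
    direct = [acl.evaluate("192.168.12.1") for _ in range(5)]
    loopback = [acl.evaluate("1.1.1.1") for _ in range(5)]
    return acl, direct, loopback


def demo_explicit_deny() -> StandardACL:
    """Constructed variant: the same permit entry followed by an explicit deny any.
    The dropped packets now show up as matches on entry 20, which is the usual
    way to make them visible."""
    acl = (StandardACL(2)
           .add("permit", "192.168.12.0", "0.0.0.255")
           .add("deny", "0.0.0.0", "255.255.255.255"))
    for _ in range(5):
        acl.evaluate("1.1.1.1")
    return acl


if __name__ == "__main__":
    acl1, _, _ = demo_from_page()
    print(acl1.show())
    print(demo_explicit_deny().show())
```

Running the script prints access-list 1 with five matches on entry 10 and nothing for the loopback-sourced packets, then access-list 2 where the same five packets appear as matches on the explicit deny any.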
