By Delana Hallstedt
If I were to start a conversation with my husband about a “broken ACL,” he would immediately panic and begin searching the Web for evidence that his beloved Megatron was free from injury and that his anterior cruciate ligament (ACL) was in perfect working order. Especially this time of year! Although I’m rather fond of the guy myself, for fantasy football purposes, that’s not the sort of ACL I’d most likely be referring to.
A dysfunctional access control list (ACL) can be just as debilitating to a network as the aforementioned torn knee ligament can be to a wide receiver. In the technology world, an ACL contains a list of rules that a networking device, such as a router or Layer 3 switch, can use to permit or deny traffic. Although network traffic flow control and using ACLs can be a lot more complex, for the purpose of this blog, I want to explore the basics and therefore will stick to standard ACLs.
ACLs can consist of one or more rules called access list statements. These statements are used to identify traffic. Each access list statement is configured with the permit keyword or the deny keyword; these keywords are used to indicate whether packets that match the access list statement should be forwarded or dropped, respectively. If the packet does not match any of the access list statements configured with the permit keyword, the packet is dropped. This is called the implicit deny rule.
The order in which access list statements are issued is important because the statements in an ACL are evaluated in the order they are issued. Packets are compared to each access list statement in sequence until a match is found. As soon as a match is found, the packet will be explicitly permitted or denied and the packet will not be compared to any statements later in the ACL. Therefore, it is critical to issue the access list statements in the proper order so that you do not accidentally permit traffic that should be denied, or vice versa. For example, let’s say you administer the network shown here:
To create a standard ACL you should use the syntax access-list acl-number {deny | permit} {host ip-address | source source-wildcard | any}. So to configure ACL 1 on RouterA, you should issue the following commands:
RouterA(config)#access-list 1 permit 192.168.0.0 0.0.0.255
RouterA(config)#access-list 1 deny host 192.168.0.1
To apply ACL 1 as an outbound ACL to the FastEthernet 0/2 interface on RouterA, you should issue the following commands:
RouterA(config)#interface fastethernet0/2
RouterA(config-if)#ip access-group 1 out
An outbound ACL inspects traffic that is to be sent out an interface, and an inbound ACL inspects traffic that is received by an interface. ACL 1 has a list statement that permits traffic from the 192.168.0.0/24 network and a list statement that denies traffic from 192.168.0.1. Because of the implicit deny rule, ACL 1 denies traffic from any other network.
When a packet that is destined for the server that is connected to the FastEthernet 0/2 interface arrives on RouterA, the router will examine the packet to determine whether the source IP address is part of the 192.168.0.0/24 network. Packets from the 192.168.0.0/24 network will match the permit rule that is configured in ACL 1, and RouterA will forward those packets out of the FastEthernet 0/2 interface. If the source IP address does not match the permit rule, RouterA will drop the packet because of the implicit deny rule.
Now, in the case of traffic coming from the source IP address of 192.168.0.1, what do you suppose will happen there? Since 192.168.0.1 is part of the 192.168.0.0/24 network, packets coming from that source address will be matched with the first access list statement in ACL 1 and will be sent on their merry way. In this case, the second access list statement of ACL 1 is about as effective as my friend CJ would be sitting on a bench with a torn ligament! In order to correct this, you could simply change the order of the list statements to make the deny 192.168.0.1 statement appear before the permit 192.168.0.0/24 statement.
If only the knee recovered so quickly and easily, right?
Studying for a CCNA exam or a CCNP exam? We can help!
Download NetSim Network Simulator and the Boson Exam Environment and demo our IT learning software today.
