As we already discussed ACLs in our previous post, let's look at the different types of ACLs used in networking:

An access control list (ACL) contains rules that grant or deny access to certain digital environments. There are two types of ACLs:

  • Filesystem ACLs: filter access to files and/or directories. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed.
  • Networking ACLs: filter access to the network. Networking ACLs tell routers and switches which type of traffic can access the network, and which activity is allowed.

There are mainly four types of ACL available in networking:

  1. Standard ACL
  2. Extended ACL
  3. Dynamic ACL
  4. Reflexive ACL

1. Standard ACL:

An access list that filters solely on the source IP address. These access control lists permit or block the entire protocol suite for a given source; they do not differentiate between kinds of IP traffic such as TCP, UDP, or HTTPS. They use the numbers 1-99 or 1300-1999, and that number range is how the router recognizes the list as one that matches on the source IP address only.

Standard ACLs check the source address of IP packets that are routed. The comparison results in either a permit or a deny for the entire protocol suite, based on the network, subnet, and host addresses.

The standard version of the access-list global configuration command is used to define a standard ACL with a number in the range of 1 to 99 (also from 1300 to 1999 in recent IOS).

If no wildcard mask is given, the default mask 0.0.0.0 is used (this only works with standard ACLs and is the same as using the host keyword).

The full syntax of the standard ACL command is:

Router(config)#access-list access-list-number {deny | permit} source [source-wildcard ] [log]

The no form of this command is used to remove a standard ACL. This is the syntax:

Router(config)#no access-list access-list-number

2. Extended ACL:

An access list that is widely used because it can differentiate IP traffic. It uses both source and destination IP addresses, together with port numbers, to classify IP traffic, so you can specify precisely which IP traffic should be allowed or denied. Extended ACLs use the numbers 100-199 and 2000-2699.

Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers.

The syntax for an extended ACL statement can get very long and will often wrap in the terminal window. In place of an address and wildcard mask pair, the host or any keywords can be used in the command.

At the end of the extended ACL statement, additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number.

Logical operators such as equal (eq), not equal (neq), greater than (gt), and less than (lt) may be specified, and the extended ACL applies them to the port number of specific protocols.

Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS).

The full syntax of the Extended ACL command is:

Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator port] [established] [log]

access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq 80
#or
access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq www
#or
access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq http

NOTE: Just as all standard ACLs end with an implicit "deny any", all extended ACLs end with an implicit "deny ip any any", which denies all IP traffic from any source to any destination.

Explanation of the parameters:

| Parameter | Description |
|---|---|
| access-list-number | Identifies the list using a number in the range 100 to 199 |
| permit \| deny | Indicates whether this entry allows or blocks the specified address |
| protocol | The protocol, such as IP, TCP, UDP, ICMP, GRE, or IGRP |
| source and destination | Identifies the source and destination addresses |
| source-mask and destination-mask | Wildcard mask: zeros indicate positions that must match, ones indicate "don't care" positions |
| operator operand | <, >, =, != (lt, gt, eq, neq) and port numbers |
| established | Allows TCP traffic to pass if the packet belongs to an established connection (for example, has the ACK bit set) |
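To make the behaviour described in both the standard ACL and the extended ACL sections concrete, here is an added example (not code from the original post or from any vendor): a small Python evaluator that parses the numbered access-list syntax shown above and applies it the way a router does, top-down, first match wins, with the implicit deny at the end. It decides standard versus extended from the list number, applies the default 0.0.0.0 mask for a bare standard-ACL address, handles any/host, the eq/neq/gt/lt operators on the destination port, and established. The port-name table, the sample lists 10 and 101, and the sample packets are constructed for the example; source-port operators, named ACLs, and the log action itself are not modelled.

```python
# Constructed example: evaluator for Cisco-style numbered standard and extended ACLs.
# Rules are applied as a router does: top-down, first match wins, implicit deny at the end.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")           # 'any' matches every address
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}   # constructed subset
OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
       "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # ip, tcp, udp, icmp ...
    dport: int = 0             # destination port (the examples above filter on it)
    ack: bool = False          # TCP ACK/RST flag set: a reply in an established connection


@dataclass
class Entry:
    action: str                # permit / deny
    proto: str                 # 'ip' for standard ACLs: the whole protocol suite
    src: tuple
    dst: tuple
    op: Optional[str] = None   # eq / neq / gt / lt applied to the destination port
    port: int = 0
    established: bool = False
    log: bool = False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def _is_ip(tok: str) -> bool:
    return tok.count(".") == 3 and tok.replace(".", "").isdigit()


def _parse_addr(t, i, wildcard_optional):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]' starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _is_ip(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    if wildcard_optional:                      # standard ACL: default mask 0.0.0.0 (= host)
        return (t[i], "0.0.0.0"), i + 1
    raise ValueError(f"extended ACL entry needs a wildcard mask after {t[i]}")


def parse_entry(line: str) -> Entry:
    """Parse one access-list line; the list number tells us which syntax to expect."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source address only
        src, i = _parse_addr(t, 3, wildcard_optional=True)
        return Entry(action, "ip", src, ANY, log="log" in t[i:])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not a standard or extended ACL number")
    src, i = _parse_addr(t, 4, wildcard_optional=False)    # extended: proto src dst [op port] ...
    dst, i = _parse_addr(t, i, wildcard_optional=False)
    e, rest = Entry(action, t[3], src, dst), t[i:]
    while rest:
        tok = rest.pop(0)
        if tok in OPS:                                     # port given by number or by name
            e.op, e.port = tok, int(PORT_NAMES.get(rest[0], rest[0]))
            rest.pop(0)
        elif tok in ("established", "log"):
            setattr(e, tok, True)
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    return e


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.op and not OPS[e.op](p.dport, e.port):
        return False
    return not e.established or (p.proto == "tcp" and p.ack)


def evaluate(acl, p: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for e in map(parse_entry, acl):
        if matches(e, p):
            return e.action
    return "deny"


# Constructed sample lists: one standard (10) and one extended (101)
STANDARD_10 = ["access-list 10 deny 192.168.1.100",             # no mask -> host
               "access-list 10 permit 192.168.1.0 0.0.0.255"]
EXTENDED_101 = ["access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq www",
                "access-list 101 permit tcp any 200.100.50.0 0.0.0.255 established",
                "access-list 101 permit udp any host 200.100.50.53 eq domain"]

if __name__ == "__main__":
    print(evaluate(STANDARD_10, Packet("192.168.1.100", "10.0.0.1")))                         # deny
    print(evaluate(STANDARD_10, Packet("172.16.0.1", "10.0.0.1")))                            # deny (implicit)
    print(evaluate(EXTENDED_101, Packet("8.8.8.8", "200.100.50.9", "tcp", 40000)))            # deny: inbound SYN
    print(evaluate(EXTENDED_101, Packet("8.8.8.8", "200.100.50.9", "tcp", 40000, ack=True)))  # permit: reply
```

The two extended cases at the end show why established matters: the same inbound packet is dropped when it is a fresh connection attempt and permitted when it carries the ACK of a connection the inside host opened, which is the closest a stateless ACL gets to "allow replies only". The 172.16.0.1 case shows the implicit deny: no entry matches, so the list falls through to deny without any rule saying so.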
