Cisco:ACL(Access Control List)
- Wednesday, May 6, 2009, 1:27
- 640-802(ccna)
- 5 comments
In Cisco IOS, an access control list (ACL) is an ordered list of permit and deny statements that the router compares against the header fields of each packet: the source address for a standard ACL, and source, destination, protocol and ports for an extended ACL. (In operating systems the same term means a table of which users hold which rights to a file or directory; that is a different object and not the subject of this post.)
The purposes of using an ACL
1. Limit network traffic and improve network performance. For example, an ACL can classify traffic so that queuing is applied to it, which both limits the traffic and reduces congestion.
2. Provide a means of controlling traffic flow. For example, control which traffic may pass through a particular router.
3. Provide a basic form of network access security. For example, in a company, only the computers of the finance department may reach the finance server.
4. Decide which traffic is allowed to pass a router interface. For example, FTP traffic is permitted while Telnet traffic is denied.
Working principle:
An ACL offers two actions, and everything built on ACLs comes down to them: permit or deny.
Note: an ACL is processed by Cisco IOS top-down, in the order in which the administrator entered the statements. The router searches for a matching statement line by line; at the first match it stops searching and applies that statement's action. If no statement matches, an invisible final statement, the implicit deny any, discards the packet. You must therefore pay attention to the order of the statements when writing an ACL.
For example, to deny traffic from 172.16.1.0/24, suppose the ACL is written as follows:
Permit 172.16.0.0/18
Deny 172.16.1.0/24
Permit 192.168.1.0/24
Deny 172.16.3.0/24
The result goes against the intention: 172.16.0.0/18 contains 172.16.1.0/24, so traffic from 172.16.1.0/24 matches line 1 and is permitted before line 2 is ever reached. Let's see what happens after swapping lines 1 and 2:
Deny 172.16.1.0/24
Permit 172.16.0.0/18
Permit 192.168.1.0/24
Deny 172.16.3.0/24
Now 172.16.1.0/24 is denied as intended, but 172.16.3.0/24 is in the same situation as before. Line 4 never takes effect, because the router already finds a match at line 2 and permits the traffic, which is the opposite of what we want. Line 4 has to be moved to the front as well to achieve the goal:
Deny 172.16.1.0/24
Deny 172.16.3.0/24
Permit 172.16.0.0/18
Permit 192.168.1.0/24
A rule for writing ACLs follows from this: put the specific entries first and the general entries last.
An ACL is a collection of test statements. On a router it is applied to an interface and mainly controls:
inbound traffic on that interface;
outbound traffic on that interface;
in other words, traffic that transits the router.
Working process:
1. Whether or not an ACL is configured, the router handles a received packet the same way at first. When the packet arrives on the inbound interface, the router checks whether it can be routed. If there is no route, the packet is discarded; otherwise the router takes the forwarding details from the routing table (administrative distance, metric, and so on) and determines the outbound interface.
2. Assuming the packet can be routed, step 1 has found the interface to send it out of. The router now checks whether an ACL is applied to that outbound interface. If none is, the packet is sent out through the interface. If one is, there is more work: the router compares the packet with the ACL statements from top to bottom, one at a time; at the first match it applies that statement's action (permit or deny) and stops searching. If it reaches the end of the ACL without finding a match, the packet is discarded by the hidden statement at the end of every ACL, the implicit deny any.
By where the matching is performed, ACLs come in two types:
1. inbound ACLs
2. outbound ACLs
The working process above describes an outbound ACL: the packet enters the router, is routed to find the outbound interface, and only then is matched against the ACL. An inbound ACL is matched as soon as the packet enters the interface, before the routing lookup, so a packet that is denied never consumes a routing-table lookup.
That does not make an inbound ACL better than an outbound ACL simply because it skips the routing step; choose according to the actual situation. One practical difference to keep in mind: an outbound ACL does not filter packets that the router itself generates, while an inbound ACL on an interface also filters packets addressed to the router.
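As an added example, not code from the original post, here is a small Python model of both the ordering discussion above and the inbound/outbound working process. It parses IOS-style access-list lines (wildcard masks, first match wins, implicit deny any), reports which lines are shadowed by an earlier line and can never match, applies the post's "specific before general" rule automatically, and runs a packet through the inbound ACL, a routing lookup and the outbound ACL in that order. The ACL lines, the routing table and the interface names are constructed for the example; the parser assumes only the simple `access-list <n> permit|deny ip <src> <wildcard> any` form, and the post's `192.168.1.1/24` is written as the network 192.168.1.0.

```python
import ipaddress

# Constructed IOS-style extended ACL lines (not from the original post), in the
# three orderings the post walks through.  Only the form
#   access-list <n> permit|deny ip <src> <wildcard> any   (or "... ip any any")
# is parsed; that is an assumption of this example, not an IOS limitation.
WRONG_ORDER = [
    "access-list 101 permit ip 172.16.0.0 0.0.63.255 any",   # /18 first: shadows the denies
    "access-list 101 deny   ip 172.16.1.0 0.0.0.255 any",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 deny   ip 172.16.3.0 0.0.0.255 any",
]
SECOND_ORDER = [WRONG_ORDER[1], WRONG_ORDER[0], WRONG_ORDER[2], WRONG_ORDER[3]]
RIGHT_ORDER = [WRONG_ORDER[1], WRONG_ORDER[3], WRONG_ORDER[0], WRONG_ORDER[2]]


def parse_acl(lines):
    """Turn access-list lines into (action, source_network) rules, keeping list order."""
    rules = []
    for line in lines:
        parts = line.split()
        action, src = parts[2], parts[4]
        if src == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # ipaddress accepts a Cisco wildcard as a host mask: 0.0.0.255 -> /24.
            # A non-contiguous wildcard (e.g. 0.255.0.255) is not one network and
            # would raise ValueError here.
            net = ipaddress.ip_network(f"{src}/{parts[5]}", strict=False)
        rules.append((action, net))
    return rules


def evaluate(rules, src_ip):
    """First match wins.  Returns (action, 1-based line number); a packet that matches
    no line hits the implicit 'deny any' and is reported with line number None."""
    ip = ipaddress.ip_address(src_ip)
    for number, (action, net) in enumerate(rules, start=1):
        if ip in net:
            return action, number
    return "deny", None


def shadowed(rules):
    """Lint check: a line whose network is fully covered by an earlier line can never
    match.  Returns (shadowed_line, shadowing_line) pairs, 1-based."""
    found = []
    for i, (_, net) in enumerate(rules):
        for j in range(i):
            if net.subnet_of(rules[j][1]):
                found.append((i + 1, j + 1))
                break
    return found


def most_specific_first(rules):
    """The post's rule of thumb, automated: longest prefix first, original order kept
    among equal prefixes.  Correct only when each more-specific line is meant as an
    exception to the broader one, which is the case in the post's example."""
    return sorted(rules, key=lambda r: -r[1].prefixlen)


# Constructed static routing table: (destination network, outbound interface).
ROUTES = [
    (ipaddress.ip_network("172.16.0.0/16"), "Gi0/1"),
    (ipaddress.ip_network("172.16.3.0/24"), "Gi0/3"),
    (ipaddress.ip_network("192.168.1.0/24"), "Gi0/2"),
]


def forward(src_ip, dst_ip, inbound_acl=None, outbound_acls=None, routes=ROUTES):
    """Order of operations from the post: inbound ACL of the receiving interface,
    then the routing lookup, then the outbound ACL of the chosen interface."""
    if inbound_acl is not None and evaluate(inbound_acl, src_ip)[0] == "deny":
        return "dropped by inbound ACL"          # no routing lookup is spent on it
    dst = ipaddress.ip_address(dst_ip)
    candidates = [(net, iface) for net, iface in routes if dst in net]
    if not candidates:
        return "dropped: no route"               # an outbound ACL never sees it
    _, iface = max(candidates, key=lambda c: c[0].prefixlen)  # longest prefix wins
    out_acl = (outbound_acls or {}).get(iface)
    if out_acl is not None and evaluate(out_acl, src_ip)[0] == "deny":
        return f"dropped by outbound ACL on {iface}"
    return f"forwarded via {iface}"


if __name__ == "__main__":
    for name, lines in (("wrong", WRONG_ORDER), ("second", SECOND_ORDER), ("right", RIGHT_ORDER)):
        rules = parse_acl(lines)
        print(name, "172.16.1.10 ->", evaluate(rules, "172.16.1.10"),
              "172.16.3.10 ->", evaluate(rules, "172.16.3.10"),
              "shadowed:", shadowed(rules))
    print(forward("172.16.3.10", "192.168.1.20", outbound_acls={"Gi0/2": parse_acl(RIGHT_ORDER)}))
```

Running it shows the first ordering permitting both 172.16.1.10 and 172.16.3.10 at line 1, with lines 2 and 4 reported as shadowed; the second ordering still permits 172.16.3.10 at line 2; the third ordering denies both and has no shadowed lines. The `shadowed` check is the one worth keeping around: a line that can never match is either dead weight or, as here, a sign that a deny is not doing what its author thinks.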
5 Comments on “Cisco:ACL(Access Control List)”
Hi, I have a problem. When a router is configured with an ACL to block traffic from network 1 to network 2, we find that traffic from network 2 also does not get through to network 1. Do you consider that normal, and in the opposite case, can you sort this problem out for us? Thanks in advance.
Candy replies (May 24th, 2009 at 10:41 PM):
Ok, thanks.