Ciphers Security

Difference between Standard and Extended ACLs (Access Control List)

Difference between Standard and Extended ACLs

ACL or access control lists are the set of rules that are used in networking devices such as routers for regulating the network traffic between the devices or interfaces. ACLs are used to allow or deny the network between the devices connected in the network segments.

They operate as gatekeepers, figuring out, based on established rules, which packets are permitted to travel through the gate and which are blocked.

how it works in routers

  1. ACL Creation:- The process of creating an ACL involves defining a series of rules based on predetermined requirements, such as source and destination IP addresses, protocols, ports, etc.
  2. ACL Application:- You apply the ACL to a router interface (or interfaces), choosing which traffic is filtered outbound or incoming.
  3. Traffic inspection:- The router checks each packet that reaches the interface, one after the other, against every rule in the ACL.
  4. Rule Matching:- If a rule matches the packet’s characteristics, the router takes the action specified in that rule (permit or deny).
  5. Packet Handling:- The router either forwards the packet (if permitted) or discards it (if denied).

Basic application of ACL in network

Security

  1. Ensure that no undesired traffic enters or exits critical network segments.
  2. Restrict unauthorized access to particular resources or services.
  3. Protect against denial-of-service (DoS) attacks.

Traffic Management

  1. Set some traffic categories as priorities to manage the amount of bandwidth used.
  2. Redirect traffic for load balancing or network optimization.
  3. Implement Quality of Service (QoS) policies to ensure reliable performance for critical applications.

Routing Optimization

  1. Filter routing updates to control network topology information.
  2. Limit the scope of routing protocols to specific network segments.

Types of ACLs in networking devices

  • Standard ACL: Filter traffic based solely on the source IP address.
  • Extended ACL: Offer more granular control, filtering based on source/destination IP addresses, protocol types, and port numbers.
  • Named ACL: This allows for easier management and identification of ACLs, using names instead of numbers.
  • Time-based ACL: Enable filtering to be active only during specified periods.

Standard ACLs

Basic traffic flow management techniques known as standard ACLs (Access Control Lists) are based entirely on the packet source IP address. They are the most basic kind of ACL, providing a constrained but effective means of allowing or blocking traffic from particular networks or devices.

Main characteristics

  1. Filtering Criteria: look only for the source IP of the packet
  2. Numbering Range: Assigned numbers between 1-99 or 1300-1999.
  3. Placement: Usually applied as close to the destination as possible (e.g., near the destination network or subnet).
  4. Implicit Deny: Every standard ACL implicitly ends with a “deny all” rule, even if not explicitly configured.
  5. Application: Can be applied to both inbound and outbound traffic on interfaces.

Common use cases for standard ACLs:

  • Restricting access to specific networks or subnets.
  • Blocking unwanted traffic from known sources (e.g., spam or denial-of-service attacks).
  • Permitting only certain hosts to access a particular resource.
  • Controlling routing updates in specific scenarios.

How to configure Standard ACL in router

Make the ACL

access-list <acl-number> permit/deny <Source-IP-Address>

Apply this to the router interface

interface <interface name>
ip access-group <number> {in/out}

Example:-

access-list 40 deny 10.10.2.30   // Deny traffic from 10.10.2.30
access-list 40 permit any          // Allow traffic from all other sources
interface GigabitEthernet0/0/1
ip access-group 40 in              // Apply ACL 40 to inbound traffic on interface G0/0/1

Some Drawbacks

  • Limited detail: Incapable of filtering by port, protocol, or destination IP.
  • Location: Inadequate positioning may inadvertently obstruct valid traffic.
  • Top Methods:
    • Use standard ACLs for basic requirements in filtering.
    • For even more detailed control, think about extended ACLs.
    • Plan and test ACLs thoroughly before deploying.
    • ACL configurations should be documented for future reference and clarity.

Extended ACLs

The Swiss Army Swords of packet filtering in routers are extended ACLs. When it comes to managing traffic flow, they provide a far more detailed and advanced method than their more straightforward cousins, conventional ACLs.

Main characteristics

  • Filtering Standards: They can match a range of parameters in addition to the source IP address, such as:
    • Destination IP address: Control which networks can interact with one another using the destination IP address.
    • Protocol: Allow or deny specific protocols like TCP, UDP, or ICMP.
    • Port numbers: Allow or prohibit communication on particular ports that are used by services such as SSH, FTP, and HTTP.
    • Time range: schedule for filtering rules to only be in effect at specific times.
    • Additional options: You can further filter by flags, precedence, and other factors.
  • Numbering Range: Allotted numbers from 2000 to 2699 or from 100 to 199.
  • Placement: For maximum effectiveness, it is usually applied as close to the traffic source as feasible.
  • Explicit Deny: In contrast to regular ACLs, “deny” rules must be specifically defined, permitting everything else by default.
  • Application: Applicable to interface traffic on both incoming and outgoing channels.

Common uses of extended ACLs

  • constructing strong network security frameworks that stop malicious traffic, unauthorized access, and targeted attacks.
  • Putting in place strong application control depending on business requirements, approving or rejecting particular services and procedures.
  • Enhancing bandwidth and performance of networks: Setting aside essential traffic flow and controlling congestion.
  • Optimizing the routing behaviour: managing network topology data and filtering routing changes.

How to configure Extended ACL in router

Make the ACL

access-list <number> [permit/deny] [protocol] [source IP address/mask] [destination IP address/mask] [options]

Apply it to the Interface

interface <interface name>
ip access-group <number> {in/out}

Example:-

access-list 150 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80   // Allow HTTP traffic from 192.168.1.0 subnet to 10.0.0.0 subnet on port 80

access-list 150 deny udp any any 0.0.0.0 0.0.0.0 eq 137             // Deny NetBIOS broadcasts from any source

interface GigabitEthernet0/1/1
ip access-group 100 out                                              // Apply ACL 150 to outbound traffic on interface G0/1/1

Some Drawbacks

  • Enhanced Complexity: Needs a more thorough comprehension of network settings and protocols.
  • Resource-intensive: Requires more processing power than standard ACLs.
  • Misconfiguration Risks: To prevent inadvertent disruptions, thorough planning, and testing are essential.
  • Top Techniques:
    • For complicated control requirements, use extended ACLs.
    • Start with basic guidelines and add more complexity over time.
    • ACL configurations should be documented for future reference and clarity.

Difference between Standard and Extended ACLs

FeatureStandard ACLExtended ACL
DetailsSource IP address onlySource and destination IP addresses, protocol, ports, time range, etc.
ComplexitysimpleMore Complex and large
Resource UsageLowHigh
Suited ForBasic Filtration requirementComplex security requirements and traffic contol

If you have any queries regarding the above content, or you want to update anything in the content, then contact us with your queries. You can directly post your question in the group.

Connect with us on these platforms