🌐 Access Control List (ACL)

 

📖 What is ACL

An Access Control List (ACL) is an ordered set of rules configured on a router or other Layer 3 device that permits or denies network traffic based on conditions such as IP address, protocol, or port number, giving the administrator control over which communication is allowed through the device.

 

🧠 Basic Idea

👉 ACL = Permit or Deny traffic based on rules

 

📌 Why ACL is Used

In a network, not all devices should be allowed to communicate with each other freely, so ACL is used to control which traffic is allowed and which is blocked, thereby improving network security and management.

 

⚙️ Working of ACL

ACL works by checking each packet against a list of rules, where the rules are processed from top to bottom, and as soon as a match is found, the corresponding action (permit or deny) is applied, and the remaining rules are not checked.

 

📌 Simple Flow

  • Packet arrives at router 
  • Router checks ACL rules 
  • Rule matches → Permit / Deny 
  • If no match → Deny (implicit deny) 

 

⚠️ Important Concept: Implicit Deny

At the end of every ACL, there is a hidden rule called implicit deny, which means if a packet does not match any rule, it will be automatically denied.
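The top-to-bottom, first-match evaluation and the implicit deny described above, as an added worked example that is not part of the original notes: a small Python model of a standard ACL. The rule lists, the addresses and the `unreachable_rules` check are constructed here for illustration; networks are written in CIDR form rather than with wildcard masks, which the notes introduce later.

```python
# Added example (not from the original notes): a minimal model of how a router
# evaluates a standard ACL. Rules are checked top to bottom, the first match
# decides, and a packet matching no rule hits the implicit deny at the end.
import ipaddress

# (action, source network) pairs in evaluation order; "any" matches every source.
# Constructed sample ACL: block one host, then allow the rest of its LAN.
ACL_10 = [
    ("deny", "192.168.1.50/32"),
    ("permit", "192.168.1.0/24"),
]

# Same two statements in the wrong order: the permit now shadows the deny.
ACL_10_MISORDERED = [
    ("permit", "192.168.1.0/24"),
    ("deny", "192.168.1.50/32"),
]


def evaluate(acl, src_ip):
    """Return (action, index) where index is the matching rule position,
    or ("deny", None) when the implicit deny at the end is reached."""
    src = ipaddress.ip_address(src_ip)
    for index, (action, source) in enumerate(acl):
        if source == "any" or src in ipaddress.ip_network(source):
            return action, index   # first match wins; later rules are skipped
    return "deny", None            # implicit deny: no rule matched


def unreachable_rules(acl):
    """Positions of rules that can never match because an earlier rule already
    covers every address they cover (a common misconfiguration symptom)."""
    shadowed = []
    for i, (_, source) in enumerate(acl):
        if source == "any":
            continue
        net = ipaddress.ip_network(source)
        for j in range(i):
            earlier = acl[j][1]
            if earlier == "any" or net.subnet_of(ipaddress.ip_network(earlier)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.7", "10.0.0.1"):
        print(ip, evaluate(ACL_10, ip), evaluate(ACL_10_MISORDERED, ip))
    print("shadowed rules in misordered ACL:", unreachable_rules(ACL_10_MISORDERED))
```

The misordered list shows why rule order matters: the host that should be denied is permitted by the first statement, and the deny below it is dead. On a real router the match counters shown by `show ip access-lists` would stay at zero for such a shadowed entry, which is a quick way to spot the problem.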

 

📊 Where is ACL Applied?

ACLs are applied on router interfaces to control traffic flow.

1️⃣ Inbound ACL

  • Applied on incoming traffic 
  • Filters packets before routing decision 

2️⃣ Outbound ACL

  • Applied on outgoing traffic 
  • Filters packets after routing decision 

 

📡 Uses of ACL :-

  • To block unauthorized access 
  • To allow only specific users or networks 
  • To restrict services (like HTTP, FTP) 
  • To improve network security 
  • To control traffic flow 

 

⚡ Advantages of ACL :-

  • Provides security 
  • Controls traffic 
  • Prevents unauthorized access 
  • Flexible filtering 

 

❌ Disadvantages of ACL :-

  • Complex in large networks 
  • Requires proper planning 
  • Misconfiguration can block valid traffic 

 

⚠️ Important Points :-

  • ACL works on Layer 3 and Layer 4 
  • Rules are checked top to bottom 
  • First match is applied 
  • Implicit deny at the end 
  • Must be applied to interface to work 


 

 

📊 Main Types of ACL

ACLs are mainly classified based on the level of filtering they provide, where different types of ACLs allow filtering based on source address, destination address, protocol, and port numbers.

 

1️⃣ Standard ACL

A Standard ACL is used to filter traffic based only on the source IP address, meaning it can only decide whether to permit or deny traffic depending on where the packet is coming from.

📌 Key Points

  • Filters based on source IP only 
  • Cannot check destination or port 
  • Simpler and easier to configure 
  • Less control compared to extended ACL 

 

🔢 Numbered Standard ACL

In numbered ACL, a number is used to identify the ACL instead of a name.

📌 Syntax : access-list <1-99> permit | deny <source-ip> <wildcard-mask>

📖 Example : access-list 10 permit 192.168.1.0 0.0.0.255

 

🔢 Named Standard ACL

In named ACL, a custom name is given instead of a number, which makes it easier to understand and manage.

📌 Syntax :-

ip access-list standard <acl-name>
permit | deny <source-ip> <wildcard-mask>
exit

📖 Example :-

ip access-list standard BLOCK_USERS
deny 192.168.1.0 0.0.0.255
permit any

 

 

2️⃣ Extended ACL

An Extended ACL is used to filter traffic based on multiple parameters such as source IP, destination IP, protocol, and port number, providing more detailed and advanced control over network traffic.

📌 Key Points

  • Filters based on source + destination IP 
  • Can filter protocols (TCP, UDP, ICMP) 
  • Can filter port numbers 
  • More powerful and flexible 

 

🔢 Numbered Extended ACL

In numbered extended ACL, a number is used to identify the ACL.

📌 Syntax :-

access-list <100-199> permit | deny <protocol> <source-ip> <wildcard-mask> <destination-ip> <wildcard-mask> [eq <port>]

📖 Example :-

access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80

👉 (Allows TCP traffic from 192.168.1.0/24 to any destination on port 80, i.e. HTTP)

 

🔢 Named Extended ACL

In named extended ACL, a custom name is used instead of a number, which improves readability and flexibility.

📌 Syntax :-

ip access-list extended <acl-name>
permit | deny <protocol> <source-ip> <wildcard-mask> <destination-ip> <wildcard-mask> [eq <port>]
exit

📖 Example :-

ip access-list extended WEB_TRAFFIC
permit tcp any any eq 80
deny ip any any

 

📊 Number Ranges

  • Standard ACL → 1 – 99 
  • Extended ACL → 100 – 199 

 

📌 Wildcard Mask in ACL

📖 Formula :

👉 Wildcard Mask = 255.255.255.255 – Subnet Mask

📌 Example :

  • Subnet Mask → 255.255.255.0 
  • Wildcard Mask → 0.0.0.255 
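The formula above, as an added example that is not part of the original notes: Python functions that compute the wildcard mask from a subnet mask or a prefix length and check whether an address falls under a `<network> <wildcard>` pair the way a router compares it. The notes' own 255.255.255.0 / 0.0.0.255 case is used; the other addresses are constructed for illustration.

```python
# Added example (not from the original notes): computing a wildcard mask with
# the formula 255.255.255.255 - subnet mask, and checking which addresses a
# "<network> <wildcard>" pair in an ACL statement covers.
import ipaddress


def wildcard_from_mask(subnet_mask):
    """Apply the formula octet by octet: 255 - mask octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_from_prefix(prefix_len):
    """Same computation starting from a CIDR prefix length, e.g. 24 -> 0.0.0.255."""
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(mask))


def matches(address, network, wildcard):
    """True if `address` is covered by `network wildcard` as a router sees it:
    every bit where the wildcard bit is 0 must be equal; wildcard 1 bits are ignored."""
    a = int(ipaddress.ip_address(address))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    care = ~w & 0xFFFFFFFF        # bits the router actually compares
    return (a & care) == (n & care)


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))   # the notes' example -> 0.0.0.255
    print(wildcard_from_prefix(30))
    # "access-list 10 permit 192.168.1.0 0.0.0.255" covers the whole /24 ...
    print(matches("192.168.1.77", "192.168.1.0", "0.0.0.255"))
    print(matches("192.168.2.1", "192.168.1.0", "0.0.0.255"))
    # ... while wildcard 0.0.0.0 (the form used for single hosts) matches exactly one address
    print(matches("192.168.100.2", "192.168.100.2", "0.0.0.0"))
    print(matches("192.168.100.3", "192.168.100.2", "0.0.0.0"))
```

The `matches` check is the part worth keeping in mind: a wildcard is not a subnet mask, so an accidental `0.0.255.255` on a statement intended for one /24 silently widens it to a /16.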

 

⚠️ Important Differences

Feature     | Standard ACL     | Extended ACL
Filter      | Source IP only   | Source + Destination + Protocol
Control     | Less             | More
Complexity  | Simple           | Complex
Placement   | Near destination | Near source

 

⚠️ Important Points :-

  • ACL can be Numbered or Named 
  • Named ACL is easier to manage 
  • Rules are checked top to bottom 
  • First match is applied 
  • Implicit deny at end 
  • Must be applied to interface 

 

🎯 Key Idea

👉 Standard ACL = Basic Filtering
👉 Extended ACL = Advanced Filtering
👉 Named ACL = Better readability


 

 

🌐 ACL Configuration in a 4-LAN Topology 🔐

 

📖 Introduction

In this practical, we are configuring different types of Access Control Lists (ACLs) in a multi-LAN topology to control network traffic between devices. The objective is to restrict specific communication by applying Standard and Extended ACLs on appropriate routers and interfaces. Standard ACL will be used to block a specific device completely from accessing a destination network, while Extended ACL will be used to block only specific types of traffic (such as ICMP ping) between selected devices. This practical helps in understanding how ACL placement (inbound/outbound) and type of ACL affect traffic filtering in a network.

 

📌 REQUIREMENTS :-

🔹 Standard ACL

👉 Block Laptop1 (192.168.100.2) from LAN4

🔹 Extended ACL

👉 Block:

  • Laptop1 → Server1 (Ping) 
  • PC2 → Server2 (Ping) 

 

1️⃣ 🔢 STANDARD NUMBERED ACL (GATEWAY2)

In this configuration, we are using a Standard Numbered ACL, which filters traffic based only on the source IP address. Since a Standard ACL cannot check the destination, it is placed as close to the destination as possible, so that the source is blocked only towards that destination and not from every network it passes through.

👉 Therefore, the ACL is applied on GATEWAY2 (LAN4 side) in OUT direction, so that only traffic going towards LAN4 is filtered.

 

📖 Configuration

GATEWAY2(config)# access-list 11 deny 192.168.100.2 0.0.0.0
GATEWAY2(config)# access-list 11 permit any

GATEWAY2(config)# interface fa0/1
GATEWAY2(config-if)# ip access-group 11 out
GATEWAY2(config-if)# exit

 

📌 Ping Verification :

  • When ping is performed from Laptop1 (192.168.100.2) to any device in LAN4 (Server1 / Server2) → ❌ Request Timed Out (Blocked)  
  • This is because Standard ACL blocks the entire traffic from Laptop1 towards LAN4 
  • When ping is performed from other devices (PC1 / PC2) to LAN4 → ✅ Replies received (Allowed) 

👉 Conclusion:
Standard ACL successfully blocks Laptop1 completely from LAN4 network

 

📌 ACL Verification

GATEWAY2# show ip access-list

 

 

📖 Explanation

  • access-list 11 → Standard ACL 
  • Blocks Laptop1 completely 
  • Applied OUT on FA0/1 (towards LAN4) 
  • Only Laptop1's traffic towards LAN4 is blocked; its traffic to other networks is unaffected 

 

 

2️⃣ 🏷️ STANDARD NAMED ACL (GATEWAY2)

In this configuration, we are using a Standard Named ACL, which works the same as numbered ACL but uses a name instead of a number for better readability and management.

👉 Like the numbered standard ACL, it is applied near the destination (GATEWAY2) in OUT direction, so that Laptop1 is blocked only when it tries to access LAN4.

 

📖 Configuration

GATEWAY2(config)# ip access-list standard BLOCK-LAPTOP1
GATEWAY2(config-std-nacl)# deny 192.168.100.2 0.0.0.0
GATEWAY2(config-std-nacl)# permit any
GATEWAY2(config-std-nacl)# exit

GATEWAY2(config)# interface fa0/1
GATEWAY2(config-if)# ip access-group BLOCK-LAPTOP1 out
GATEWAY2(config-if)# exit

 

📌 Ping Verification :

  • When ping is performed from Laptop1 → LAN4 devices → ❌ Ping fails 
  • Because named ACL also blocks source IP completely 
  • When ping is performed from other devices → LAN4 → ✅ Ping successful 

👉 Conclusion:
A named ACL behaves the same as a numbered ACL; the only difference is that it is identified by a name.

 

📌 Deletion Command

no ip access-list standard BLOCK-LAPTOP1

 

📖 Explanation

  • Named ACL → BLOCK-LAPTOP1 
  • Same working as numbered ACL 
  • Easier to understand and manage 
  • Applied towards LAN4 

 

3️⃣ 🔢 EXTENDED NUMBERED ACL (GATEWAY1)

In this configuration, we are using an Extended Numbered ACL, which can filter traffic based on source IP, destination IP, and protocol.

👉 Since Extended ACL provides detailed filtering, it is always applied near the source to stop unwanted traffic as early as possible.

👉 Therefore, it is applied on GATEWAY1 (LAN1 side) in IN direction, so that unwanted ICMP (ping) traffic is blocked before entering the network.

 

📖 Configuration

GATEWAY1(config)# access-list 101 deny icmp 192.168.100.2 0.0.0.0 192.168.103.2 0.0.0.0 echo
GATEWAY1(config)# access-list 101 deny icmp 192.168.100.3 0.0.0.0 192.168.103.3 0.0.0.0 echo
GATEWAY1(config)# access-list 101 permit ip any any

GATEWAY1(config)# interface fa0/0
GATEWAY1(config-if)# ip access-group 101 in
GATEWAY1(config-if)# exit

 

📌 Ping Verification :

  • When ping is performed from Laptop1 → Server1 (192.168.103.2) → ❌ Ping blocked 
  • When ping is performed from PC2 → Server2 (192.168.103.3) → ❌ Ping blocked 
  • But when: 
    • Laptop1 → Server2 → ✅ Allowed 
    • PC2 → Server1 → ✅ Allowed 
    • Any other traffic (HTTP/normal communication) → ✅ Allowed 

👉 Conclusion:
Extended ACL blocks only specific ICMP traffic, not full communication
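The ping verification above, as an added example that is not part of the original lab: a Python parser for the `access-list 101` statements shown in the configuration and an evaluator that applies them top to bottom with first-match semantics and the implicit deny to constructed packets. Host names and addresses are the ones the lab gives (Laptop1 192.168.100.2, PC2 192.168.100.3, Server1 192.168.103.2, Server2 192.168.103.3); the HTTP packet and the helper names are constructed here. The parser additionally accepts the `host` keyword and the `eq <port>` form, which this lab's ACL does not use.

```python
# Added example (not from the original lab): parse the extended ACL statements
# from the configuration and evaluate the packets the ping verification describes.
# Evaluation is top to bottom, first match wins, and the implicit deny applies
# only when no statement matches.
import ipaddress

# Statements copied from the ACL 101 configuration above.
ACL_101 = """
access-list 101 deny icmp 192.168.100.2 0.0.0.0 192.168.103.2 0.0.0.0 echo
access-list 101 deny icmp 192.168.100.3 0.0.0.0 192.168.103.3 0.0.0.0 echo
access-list 101 permit ip any any
"""


def _addr_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network_int, care_bits), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    net = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))
    return (net, ~wild & 0xFFFFFFFF), tokens[2:]


def parse_acl(text):
    """Turn 'access-list N action proto src dst [qualifier]' lines into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr_spec(rest)
        dst, rest = _addr_spec(rest)
        rule = {"action": action, "proto": proto, "src": src, "dst": dst}
        if proto == "icmp" and rest:
            rule["icmp_type"] = rest[0]          # e.g. "echo"
        elif proto in ("tcp", "udp") and rest[:1] == ["eq"]:
            rule["dport"] = int(rest[1])         # e.g. "eq 80"
        rules.append(rule)
    return rules


def _covers(spec, address):
    net, care = spec
    return (int(ipaddress.ip_address(address)) & care) == (net & care)


def evaluate_extended(rules, packet):
    """packet: dict with proto, src, dst and optionally icmp_type / dport."""
    for rule in rules:
        if rule["proto"] not in ("ip", packet["proto"]):   # "ip" matches any protocol
            continue
        if not (_covers(rule["src"], packet["src"]) and _covers(rule["dst"], packet["dst"])):
            continue
        if "icmp_type" in rule and packet.get("icmp_type") != rule["icmp_type"]:
            continue
        if "dport" in rule and packet.get("dport") != rule["dport"]:
            continue
        return rule["action"]      # first match wins
    return "deny"                  # implicit deny


def ping_matrix(rules):
    """Evaluate the source/destination pairs from the ping verification,
    plus one constructed HTTP packet between a blocked pair."""
    hosts = {"Laptop1": "192.168.100.2", "PC2": "192.168.100.3",
             "Server1": "192.168.103.2", "Server2": "192.168.103.3"}
    results = {}
    for s in ("Laptop1", "PC2"):
        for d in ("Server1", "Server2"):
            pkt = {"proto": "icmp", "src": hosts[s], "dst": hosts[d], "icmp_type": "echo"}
            results[(s, d)] = evaluate_extended(rules, pkt)
    results[("Laptop1->Server1", "http")] = evaluate_extended(
        rules, {"proto": "tcp", "src": hosts["Laptop1"], "dst": hosts["Server1"], "dport": 80})
    return results


if __name__ == "__main__":
    for pair, verdict in ping_matrix(parse_acl(ACL_101)).items():
        print(pair, "->", verdict)
```

Running it reproduces the verification table: only the two listed source/destination pairs are denied for ICMP echo, the crossed pairs and the HTTP packet reach the final `permit ip any any`. Removing that last statement is the failure mode the notes warn about: every packet that is not an explicitly denied ping would then fall through to the implicit deny.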

                  

 

 

📌 ACL Verification :

GATEWAY1# show ip access-list

 

📌 Deletion Command

no access-list 101

 

📖 Explanation

  • 101 → Extended ACL 
  • deny icmp ... echo → blocks only ICMP echo requests (ping) between the listed hosts 
  • Laptop1 → Server1 ❌ 
  • PC2 → Server2 ❌ 
  • Applied IN on FA0/0 (near source) 

 

4️⃣ 🏷️ EXTENDED NAMED ACL (GATEWAY1)

In this configuration, we are using a Named Extended ACL, which provides the same functionality as extended ACL but uses a meaningful name instead of a number.

👉 This ACL is applied near the source, but in this case it is applied in OUT direction on GATEWAY1, so that traffic leaving the router towards other networks is filtered.

👉 It blocks only specific ICMP traffic while allowing all other communication.

 

📖 Configuration

GATEWAY1(config)# ip access-list extended BLOCK-CLIENTS-LAN1
GATEWAY1(config-ext-nacl)# deny icmp 192.168.100.2 0.0.0.0 192.168.103.2 0.0.0.0 echo
GATEWAY1(config-ext-nacl)# deny icmp 192.168.100.3 0.0.0.0 192.168.103.3 0.0.0.0 echo
GATEWAY1(config-ext-nacl)# permit ip any any
GATEWAY1(config-ext-nacl)# exit

GATEWAY1(config)# interface fa0/1
GATEWAY1(config-if)# ip access-group BLOCK-CLIENTS-LAN1 out
GATEWAY1(config-if)# exit

 

📌 Ping Verification :

  • When ping is performed from: 
    • Laptop1 → Server1 → ❌ Blocked 
    • PC2 → Server2 → ❌ Blocked 
  • When ping is performed between other combinations → ✅ Allowed 
  • All other protocols (non-ICMP traffic) → ✅ Working properly 

👉 Conclusion:
Named Extended ACL provides precise control over traffic using protocol + IP filtering

                  

 

 

📌 Verification

GATEWAY1# show ip access-list

 

📌 Deletion Command

no ip access-list extended BLOCK-CLIENTS-LAN1

 

📖 Explanation

  • Named Extended ACL → BLOCK-CLIENTS-LAN1 
  • Blocks only specific ping traffic 
  • Applied OUT on FA0/1 
  • Other traffic allowed 

 

 

⚠️ Important Points

 

  • Standard ACL → place near destination (GATEWAY2) 
  • Extended ACL → place near source (GATEWAY1) 
  • Always end the ACL with an explicit permit (permit any for a standard ACL, permit ip any any for an extended ACL) 
  • Without that permit, the implicit deny blocks all remaining traffic 

 

🎯 Key Idea

👉 Standard ACL → Block full access
👉 Extended ACL → Block specific traffic (ping)

 

🎯 Summary

In this topology, Standard ACL is used to block Laptop1 completely from LAN4, while Extended ACL is used to block only specific ICMP traffic between selected devices, demonstrating both basic and advanced traffic filtering.

 

👉 Explore ACL practical setup:

https://www.evisiontechnoserve.com/internships/it/45-days-job-internship-program-live