Information About Access Control List
An Access Control List (ACL) is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. You can use ACLs to protect your network and specific hosts from unwanted traffic.
When an ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether the packet is permitted or denied. If there is no match, the device applies the applicable default rule. The device continues processing packets that are permitted and drops packets that are denied.
Types of ACL
ACL is divided into the following types, based on the purpose of application:
- Standard ACL: Defines the rules based on source IP addresses only. Standard ACLs control traffic by comparing the source address of the IP packet to the addresses defined in the ACL.
- Extended ACL: Defines the rules based on the source IP address, destination IP address, protocol type, and the protocol attributes of packets.
- Layer 2 ACL: Defines the rules based on the source MAC address, destination MAC address, VLAN priority, and Layer 2 protocol type.
Matching Order
An ACL consists of multiple permit or deny rules. The rules may overlap or conflict. In such cases, the matching order decides which rule is executed. ACL supports two matching orders:
- config: Matches the ACL rules in the order in which they were configured.
- auto: Matches the ACL rules according to the depth-first principle: the rule with the most specific (longest) match conditions takes priority, so a rule that covers a narrower subset of traffic is matched before a broader rule that contains it.
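The following is an added example (not vendor code) that models the first-match evaluation described above for standard and extended ACLs under both matching orders. The `Packet`, `Rule` and `ACL` names are hypothetical, the "auto" specificity score is a simplification of depth-first ordering based on prefix length plus the number of constrained fields, and the rule lists and packets are constructed for the demonstration.

```python
"""Added example: first-match ACL evaluation with "config" and "auto" ordering.

Not vendor code. Packet/Rule/ACL are hypothetical names; the rules and packets
below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"              # "ip", "tcp", "udp", ...
    dport: Optional[int] = None    # destination port, if any


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: IPv4Network                   # a standard ACL uses only this field
    dst: Optional[IPv4Network] = None  # None matches any destination
    proto: Optional[str] = None        # None matches any protocol
    dport: Optional[int] = None        # None matches any port

    @property
    def specificity(self) -> int:
        # Assumed depth-first weight for "auto" order: longer prefixes and
        # more constrained protocol/port fields rank higher.
        score = self.src.prefixlen + (self.dst.prefixlen if self.dst else 0)
        score += 1 if self.proto is not None else 0
        score += 1 if self.dport is not None else 0
        return score

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def rule(action, src, dst=None, proto=None, dport=None) -> Rule:
    """Small constructor so rule lists read like CLI lines."""
    return Rule(action, ip_network(src), ip_network(dst) if dst else None, proto, dport)


class ACL:
    def __init__(self, rules: List[Rule], order: str = "config", default: str = "deny"):
        if order not in ("config", "auto"):
            raise ValueError("order must be 'config' or 'auto'")
        self.rules = list(rules)
        self.order = order
        self.default = default

    def ordered_rules(self) -> List[Rule]:
        if self.order == "config":
            return self.rules
        # sorted() is stable, so rules of equal specificity keep config order.
        return sorted(self.rules, key=lambda r: r.specificity, reverse=True)

    def evaluate(self, pkt: Packet) -> str:
        for r in self.ordered_rules():
            if r.matches(pkt):
                return r.action        # first match wins
        return self.default            # no match: the default rule applies


# Constructed standard ACL: a broad permit is configured before a narrower deny.
STANDARD_RULES = [
    rule("permit", "10.0.0.0/8"),
    rule("deny", "10.0.5.0/24"),
]


def standard_decisions(src: str):
    """Decision for one source address under config order and auto order."""
    pkt = Packet(src, "192.0.2.10")
    return (ACL(STANDARD_RULES, "config").evaluate(pkt),
            ACL(STANDARD_RULES, "auto").evaluate(pkt))


# Constructed extended ACL: deny TCP/23 from anywhere, permit TCP/443 to 10/8,
# everything else falls through to the default deny.
EXTENDED_RULES = [
    rule("deny", "0.0.0.0/0", "0.0.0.0/0", "tcp", 23),
    rule("permit", "0.0.0.0/0", "10.0.0.0/8", "tcp", 443),
]
EXTENDED_ACL = ACL(EXTENDED_RULES)


if __name__ == "__main__":
    print(standard_decisions("10.0.5.7"))   # ('permit', 'deny')
    print(EXTENDED_ACL.evaluate(Packet("198.51.100.4", "10.0.0.9", "tcp", 80)))  # deny
```

The standard ACL shows why the matching order matters when reviewing a policy: in config order the broad `permit 10.0.0.0/8` is reached first and shadows the later `deny 10.0.5.0/24`, so a host in 10.0.5.0/24 is permitted; in auto order the more specific deny is evaluated first and the same host is denied. When auditing an ACL, check each narrower rule against the broader rules configured before it.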
Naming Methods
An ACL is classified into the following types, based on the naming methods:
- Numbered ACL: The ACL is identified by the number assigned to it. You can create an ACL and assign a number to it. If you don't specify a number, the system assigns a number to the created ACL.
  For a Standard ACL, the numbers range from 1 through 99. You can create up to 99 Standard ACLs.
  For an Extended ACL, the numbers range from 100 through 199. You can create up to 100 Extended ACLs.
  For a Layer 2 ACL, the numbers range from 200 through 299. You can create a maximum of 100 Layer 2 ACLs.
- Named ACL: The ACL is identified by the name assigned to it. A named ACL consists of a name and a number.
  You can create a maximum of 1000 named ACLs and define up to 128 subrules for each ACL.
Time Range
A time-based ACL allows for access control based on time. You can create a time range to define specific times of the day and week in order to implement time-based ACLs. A time range is identified by a name and then referenced by a function. The time ranges you define can reflect the network access behavior of the users and the network congestion conditions.
Time range configurations include the absolute time range and the periodic time range. A periodic time range is configured as days of the week together with a time of day. An absolute time range is configured as a start time and an end time.
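The following is an added example (not vendor code) that models a named time range with an absolute window and periodic entries, and a rule list that references it, so that a rule only takes effect while its time range is active. The `TimeRange`, `Absolute`, `Periodic` and `decide` names are hypothetical; the assumption that a periodic window does not cross midnight is a simplification, and the sample range and timestamps are constructed.

```python
"""Added example: absolute and periodic time ranges gating ACL rules.

Not vendor code. Class and function names are hypothetical; the time range
and timestamps are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Periodic:
    days: FrozenSet[int]   # datetime.weekday() values: 0 = Monday ... 6 = Sunday
    start: time
    end: time              # inclusive; assumes start <= end (no midnight crossing)

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() <= self.end


@dataclass(frozen=True)
class Absolute:
    start: Optional[datetime] = None   # None means no lower bound
    end: Optional[datetime] = None     # None means no upper bound

    def active(self, at: datetime) -> bool:
        return (self.start is None or at >= self.start) and \
               (self.end is None or at <= self.end)


@dataclass
class TimeRange:
    name: str
    absolute: Optional[Absolute] = None
    periodic: List[Periodic] = field(default_factory=list)

    def active(self, at: datetime) -> bool:
        # The absolute window bounds the whole range; within it, any periodic
        # entry may match. A range with no periodic entries is always active
        # inside its absolute window.
        if self.absolute is not None and not self.absolute.active(at):
            return False
        if not self.periodic:
            return True
        return any(p.active(at) for p in self.periodic)


WEEKDAYS = frozenset({0, 1, 2, 3, 4})

# Constructed range: weekday office hours, valid only during calendar year 2024.
WORK_HOURS = TimeRange(
    name="work-hours",
    absolute=Absolute(datetime(2024, 1, 1, 0, 0), datetime(2024, 12, 31, 23, 59)),
    periodic=[Periodic(WEEKDAYS, time(9, 0), time(18, 0))],
)

# Rules as (action, time range or None). A rule bound to a time range only
# participates in matching while that range is active; first active match wins.
RULES: List[Tuple[str, Optional[TimeRange]]] = [
    ("permit", WORK_HOURS),
    ("deny", None),
]


def decide(rules: List[Tuple[str, Optional[TimeRange]]], at: datetime,
           default: str = "deny") -> str:
    for action, tr in rules:
        if tr is None or tr.active(at):
            return action
    return default


if __name__ == "__main__":
    print(decide(RULES, datetime(2024, 3, 6, 10, 0)))   # Wednesday in 2024: permit
    print(decide(RULES, datetime(2024, 3, 9, 10, 0)))   # Saturday: deny
```

Because the absolute window is checked before the periodic entries, a range that is meant to expire (for example, a temporary maintenance access) stops matching on its end date even if its periodic days continue to recur; when reviewing time-based rules, verify both the weekly schedule and the absolute bounds.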