Access Control Lists, ACLs, are traditionally used for a basic filtering of network packets going through as routers interface. Access Control Lists can also be used for providing classification for a number of other router features such as identifying particular networks in a routing protocol like BGP.
An ACL consists of Access Control Entries, ACEs. They are entries that identify the network, ports, and the action to be taken against that network. The evaluation of these access control entries begin at the top of the access control list and work their way down until a matching entry is found. At the bottom of every access control list is a hidden ‘deny all’ access control entry.
Access control lists are separated into two categories, standard access control lists and extended control lists.
Standard Access Control Lists
Standard access control lists match rules based only on the source network.
Standard access control lists are defined with a numbered entry between 1 to 99, or 1300 to 1999, or a named ACL.
A standard access control list can be defined using the command
ip access-list standard followed by the relevant ACL number or name.
Extended Access Control Lists
Extended access control lists match rules based on the source network, destination network, packet protocol, network port or a combination of these attributes
Extended access control lists use a numbered entry between 100 to 199, 2000 to 2699 or a named ACL.
An extended standard access control list can be defined using the command
ip access-list extended followed by the relevant ACL number or a chosen name.
ACL Use With Interior Routing Protocols
Access control lists can be used with routing protocols and their network selection. The source fields of the access control list are used to identify the network, and the destination fields identify the smallest prefix length in the network range.
it ip any any – Permits all networks
permit ip host 192.168.0.0 host 255.255.0.0 – Permits all networks in the 192.168.0.0/16 range
permit ip host 192.168.0.0 host 255.255.255.0 – Permits all networks in the 192.168.0.0/24 range
permit ip host 192.168.0.1 – Permits only the host address 192.168.0.1
ACL Use With Border Gateway Protocol
Access control list behaviour acts differently with BGP over the IGP routing protocols. The source field will match the network portion of the route, and the destination field will match the network mask.
permit ip 192.168.0.0 0.0.0.0 255.255.0.0 0.0.0.0 – Matches only the 192.168.0.0/16 network
permit ip 192.168.0.0 0.0.255.0 255.255.255.0 0.0.0.0 - Matches any 192.168.X.0 network with a prefix length of /24 (or subnet mask of 255.255.255.0)
permit ip 192.168.0.0 0.0.255.255 25.5255.255.0 0.0.0.255 – Matches any 192.168.X.X network with a /24 to /32 prefix length
permit ip 192.168.0.0 0.0.255.255 255.255.255.128 0.0.0.127 – Matches any 192.168.X.X network with a /25 to /32 prefix length