Access Control Lists Primer

When I ask my CCNA classes the question “what is an ACL?”, not surprisingly I get the answer “to filter traffic!” I also used to believe this was the purpose of an ACL when I first encountered one.

So if an ACL does not filter traffic, then what is it? Simply put, an ACL is a statement we can use to tell a router or switch which traffic we would like it to match. That’s it, nothing more, nothing less: ACLs are used to match packets.

The next question is what the router or switch does once it has matched the packets. The answer is that it is down to us. We may choose to tell the device to drop the traffic, i.e. filter it, but that is only one of many uses for an ACL. We could also use the match to prioritise traffic leaving an interface, or use it to determine which traffic from which source will be NATed. The list of uses for our good ole Access Control Lists is amazing; they will be with us for a long time.

It does not matter for what purpose we want to employ the Access Control List, since the structure of the command is the same regardless of its ultimate use. First of all we have to learn that there are two major types of Access Control List.

Note: in the CCNA course you will employ these for traffic filtering.

The two major types are standard and extended lists.

Standard lists are very, very simple to write and understand: a standard access list allows you to match traffic based on the source Layer 3 address within a packet, and that’s all.

Extended lists are more powerful and require a little more practice, but they are logical in construction and operation. Extended lists allow you to match source and destination Layer 3 IP addresses and some other Layer 3 fields, for instance the Differentiated Services Code Point (DSCP, a field in the Layer 3 header which we can use to mark traffic); we can also match traffic based on source and destination Layer 4 ports and various control fields.

Being able to match on more elements with extended lists permits network engineers to be more granular about which traffic they identify and subsequently filter, unlike a standard list, which only allows matching on the source Layer 3 address.
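The points above (an ACL only produces a match, the device decides what to do with it, and a standard list sees only the source address while an extended list sees addresses, protocol, ports and DSCP) can be made concrete with a small evaluator. The code below is an added example and is not part of the original primer or any Cisco software; it assumes Cisco-style wildcard masks (a 1 bit means “don’t care”), top-down first-match evaluation and the implicit deny at the end of every list, none of which the primer itself spells out. The ACLs and packets are constructed sample data; the IOS-style lines in the comments show how each entry would be written.

```python
"""Toy evaluator for Cisco-style standard and extended ACL matching.

Added example, not from the original article. Assumes Cisco wildcard-mask
semantics, first-match evaluation and an implicit deny at the end of the list.
All ACL entries and packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: a 1 bit means 'ignore this bit', a 0 bit means 'must match'.
    'any' in IOS is shorthand for 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    dscp: int = 0           # 6-bit DS field value, e.g. 46 = EF


@dataclass
class StandardEntry:
    """Standard ACE: looks at the source IPv4 address and nothing else."""
    action: str             # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"  # default wildcard = exact host match

    def matches(self, p: Packet) -> bool:
        return wildcard_match(p.src, self.src, self.src_wc)


@dataclass
class ExtendedEntry:
    """Extended ACE: protocol, source/destination address, optional L4 ports and DSCP."""
    action: str
    proto: str              # "ip" matches any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None   # None = any source port
    dport: Optional[int] = None   # None = any destination port
    dscp: Optional[int] = None    # None = any DSCP value

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dscp is not None and p.dscp != self.dscp:
            return False
        return True


Entry = Union[StandardEntry, ExtendedEntry]


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Walk the list top-down; the first matching entry wins.
    A packet that matches nothing hits the implicit 'deny' at the end."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# The ACL only yields a verdict; these two callers show two different uses of it.
def filter_traffic(acl: List[Entry], packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Use the match as a packet filter: returns (forwarded, dropped)."""
    forwarded = [p for p in packets if evaluate(acl, p) == "permit"]
    dropped = [p for p in packets if evaluate(acl, p) != "permit"]
    return forwarded, dropped


def classify_for_queue(acl: List[Entry], packets: List[Packet]) -> List[str]:
    """Use the same match to choose an output queue; nothing is dropped."""
    return ["priority" if evaluate(acl, p) == "permit" else "default" for p in packets]


# Constructed sample lists, with the IOS line each entry corresponds to:
#   access-list 10 permit 192.168.1.0 0.0.0.255
STANDARD_10: List[Entry] = [StandardEntry("permit", "192.168.1.0", "0.0.0.255")]
#   access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
#   access-list 100 permit ip any any dscp ef
EXTENDED_100: List[Entry] = [
    ExtendedEntry("permit", "tcp", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", dport=443),
    ExtendedEntry("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", dscp=46),
]

# Constructed sample packets.
SAMPLE_PACKETS = [
    Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 443),        # inside host to HTTPS
    Packet("192.168.1.10", "203.0.113.5", "tcp", 51001, 80),         # inside host to HTTP
    Packet("10.0.0.7", "203.0.113.5", "udp", 40000, 5060, dscp=46),  # EF-marked, other source
    Packet("172.16.0.3", "203.0.113.5", "icmp"),                     # unmarked ping
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.src, p.proto, p.dport, "std10:", evaluate(STANDARD_10, p), "ext100:", evaluate(EXTENDED_100, p))
```

Running it shows the difference in what each list can see: the standard list permits both packets from 192.168.1.10 because it never looks at the destination port, whereas the extended list permits the HTTPS packet but denies the HTTP one, and permits the EF-marked packet from 10.0.0.7 purely on its DSCP value. `filter_traffic` and `classify_for_queue` take exactly the same verdict and do different things with it, which is the primer’s point that the ACL matches and the device’s configuration decides the action.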

Joe Spoto is a senior lecturer at Commsupport Networks in the United Kingdom. Joe teaches CCNA, CCNP and CCVP courses when he is not out on the road fixing and building networks. If you want to find out more about what we do at Commsupport, please visit us at CCNA courses. Commsupport run free one-day training sessions and free online webinars (CCNA training); we also run live online CCNA courses as virtual classes.