ACL Implementation Guide

If you find yourself in a situation where you need to filter traffic somewhere on your network, then knowing how to configure access control lists (ACLs) is an essential skill to have. An IP ACL can be configured on a specific interface in order to permit/deny traffic based on IP address and/or TCP/UDP port(s).

In this guide, you will learn how access control lists work, the two most commonly used ACL types and how to configure an ACL. We will also show you how to edit ACLs and discuss how they can be used for functions other than filtering IP traffic. This guide uses Cisco hardware and software in the configuration examples, although ACLs largely function the same across all enterprise network equipment.

ACL Rules

No matter what ACL type you are configuring, there are a few rules you must first understand before trying to configure your own. The two key rules to understand are that entries are evaluated in top-down order and that every ACL ends with an implicit deny rule.

Top-down

When configuring an ACL that has multiple entries, each entry is read in a top-down fashion. As soon as an ACL entry is matched, the device stops the matching process. Because of this, you want to make sure that your most specific access control entries are toward the top of the list so they can be matched first.

Implicit deny-all at the end of an ACL

At the end of every ACL, there is an implicit "deny-all" statement applied. So if you want to configure an ACL to block traffic from 10.0.0.0/8 and permit all other traffic, you must specify the permit entry. If you don't, the implicit deny-all at the end of the ACL will prevent any IP traffic from traversing the interface where the ACL is applied.
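To make the two rules concrete, here is an added example (not Cisco code, and not from the original guide) that simulates how an IOS-style extended ACL is evaluated: top-down with first match winning, and an implicit deny-all when nothing matches. It also flags entries that can never be reached because a broader entry sits above them, which is the ordering mistake the top-down rule warns about. All prefixes, hosts and ports in it are constructed for illustration.

```python
# Added example: simulates IOS-style extended ACL evaluation (not Cisco code).
# All prefixes, hosts and ports below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: str                     # source prefix, e.g. "10.0.0.0/8", or "any"
    dst: str = "any"             # destination prefix
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # TCP/UDP destination port; None = any port

def _net(prefix):
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "any" else prefix)

def _matches(ace, src, dst, proto, dport):
    in_nets = (ipaddress.ip_address(src) in _net(ace.src)
               and ipaddress.ip_address(dst) in _net(ace.dst))
    return in_nets and ace.proto in ("ip", proto) and ace.dport in (None, dport)

def evaluate(acl, src, dst, proto="ip", dport=None):
    """Top-down, first match wins; index -1 marks the implicit deny-all."""
    for i, ace in enumerate(acl):
        if _matches(ace, src, dst, proto, dport):
            return ace.action, i
    return "deny", -1

def shadowed(acl):
    """Indexes of entries that can never match: an earlier, broader entry covers them."""
    out = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            nets = (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst)))
            if nets and earlier.proto in ("ip", later.proto) \
                    and earlier.dport in (None, later.dport):
                out.append(i)
                break
    return out

# The ACL from the text: block 10.0.0.0/8 and explicitly permit everything else.
BLOCK_TEN = [Ace("deny", "10.0.0.0/8"), Ace("permit", "any")]
# Same intent with the trailing permit forgotten: the implicit deny drops all.
FORGOT_PERMIT = [Ace("deny", "10.0.0.0/8")]
# A host exception: correct when placed above the /8 deny, shadowed when below.
EXCEPTION_OK = [Ace("permit", "10.1.1.5/32", "any", "tcp", 443),
                Ace("deny", "10.0.0.0/8"), Ace("permit", "any")]
EXCEPTION_BAD = [Ace("deny", "10.0.0.0/8"),
                 Ace("permit", "10.1.1.5/32", "any", "tcp", 443), Ace("permit", "any")]
```

Running `shadowed(EXCEPTION_BAD)` reports the host permit at index 1 as unreachable, while `evaluate(FORGOT_PERMIT, ...)` returns the implicit deny for every non-10.0.0.0/8 source.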
