ACLs on Cisco routers solve two groups of tasks:
1. traffic filtering;
2. traffic classification.
ACLs fall into the class of packet-filtering firewalls: they filter packets by five parameters:
1. Source IP address
2. Destination IP address
3. Protocol encapsulated in an IP packet
4. Source port
5. Destination port
ACLs are divided into two types:
1. Standard
2. Extended
Standard ACLs filter traffic by a single criterion, the source IP address. Extended ACLs filter on all five of the parameters listed above.
An ACL consists of a set of rules. Each rule defines the filtering parameters (addresses, ports, etc.) and the action to take on a packet that meets all of the rule's criteria. There are two actions: permit and deny. A permitted packet is processed further; a denied packet is dropped. The rules are checked sequentially until one matches the packet; its action (permit or deny) is applied and evaluation of the remaining rules stops, so the order of the rules matters. At the end of every ACL there is an implicit rule that denies all traffic. In other words, a restrictive access-control policy applies: everything that is not explicitly permitted is denied.
Syntax
Two ways to create an ACL:
1. The “legacy” syntax, in which ACLs are identified by number. Standard ACLs are assigned the numbers 1-99 and 1300-1999, extended ACLs 100-199 and 2000-2699.
2. The named syntax, in which the ACL is identified by a name chosen by the administrator.
The second method is more convenient. First, the ACL is identified by a name rather than a number, so the name itself tells you what the ACL is for. Second, named lists have their own configuration mode, which makes editing the ACL more convenient.
Finally, after you create an ACL, you need to apply it according to your goals. For filtering, the ACL is applied to an interface. Keep in mind the following rules for access control lists: one list per protocol, one list per direction, one list per interface.
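As an added example (not from the original article), here is an IOS configuration that uses both syntaxes described above and applies them per interface and direction; the interface names, addresses, ports and the ACL name are assumed for illustration.

```cisco
! Legacy (numbered) standard ACL: matches on source address only.
! 10 is in the standard range 1-99; wildcard 0.0.0.255 covers 192.168.10.0/24.
access-list 10 remark Only the LAN subnet may leave through the WAN interface
access-list 10 permit 192.168.10.0 0.0.0.255
! Making the implicit deny explicit with "log" gives visibility into dropped traffic.
access-list 10 deny any log

! Named extended ACL: matches on all five parameters and has its own config mode.
ip access-list extended LAN-TO-WAN-IN
 remark First matching rule wins and evaluation stops; order the rules accordingly
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 permit udp 192.168.10.0 0.0.0.255 host 192.168.20.53 eq 53
 deny   ip  any any log
! Anything not matched above would be dropped by the implicit deny anyway;
! the explicit "deny ... log" only adds logging of what hits it.

! Apply: one list per protocol, one per direction, one per interface.
interface GigabitEthernet0/1
 description LAN
 ip access-group LAN-TO-WAN-IN in
interface GigabitEthernet0/0
 description WAN
 ip access-group 10 out

! Verify: per-rule match counters reveal rules that never fire (often an ordering mistake),
! and the interface view confirms which list is bound in which direction.
show ip access-lists LAN-TO-WAN-IN
show ip interface GigabitEthernet0/1 | include access list
```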