Sep 30

ACLs and Their Importance

Access Control Lists

Access Control Lists are most commonly used to filter packets on a network. As the name suggests, an ACL grants network access only to those packets that match the parameters set in the list. We can enable an ACL on a router so that it sits in the router's forwarding path; the router then decides, according to the ACL's configuration, whether to discard each packet or let it pass. ACLs can also be used to apply quality of service (QoS) features, since they can match packets based on their contents and queue them, or give them preference, according to the configured QoS parameters.

ACLs can be applied either at the point where a packet enters an interface or at the point where it exits. To filter a packet, we must apply the ACL in the direction the packet flows through the interface, either inbound or outbound. Each ACL has one or more entries specifying the values to look for in a packet, together with the logic that tells the router to look for those values and, if they are found, to discard or permit the packet as required.

ACLs use first-match logic: an ACL is always processed sequentially, and once a packet matches one line of the ACL, the router acts on that line as configured and looks no further in the ACL for that packet. If the packet matches no line at all, it is discarded, because every ACL has an implied deny at the end, unless the ACL explicitly permits the traffic.

ACLs can be classified as standard numbered ACLs (1-99, 1300-1999), extended numbered ACLs (100-199, 2000-2699), and named ACLs. A standard ACL matches only the source IP address, so it should be placed as close as possible to the destination of the packet to avoid discarding packets unintentionally. An extended numbered ACL matches on the IP protocol type, the source IP address, the destination IP address and, optionally, the port number; it should be placed as close as possible to the source of the packet. The commands for both standard and extended numbered ACLs are global configuration commands. A named ACL differs from the numbered ACLs only in that it uses a name instead of a number, its entries are configured as ACL sub-commands, and it can be edited. The most important thing to keep in mind when applying an ACL is that it is applied in the right, intended direction on the interface, whether inbound or outbound.
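To make the first-match rule, the implied deny, and the standard-versus-extended matching fields concrete, here is a small Python evaluator for Cisco-style ACL syntax. It is an added example written for this post, not Cisco code and not a full IOS parser: it supports `any`, `host A.B.C.D` and `A.B.C.D WILDCARD` address forms, only `eq <port>` on the destination, and it reads the numbered ranges quoted above to decide whether a numbered list is standard or extended. The configuration text and the packets are constructed sample data, and `shadowed_lines` is a helper added here to show what happens when entries are in the wrong order.

```python
"""Toy first-match evaluator for Cisco-style IPv4 ACLs (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EXTENDED_RANGES = ((100, 199), (2000, 2699))   # extended numbered ranges quoted in the post
ANY = 0xFFFFFFFF                                # wildcard with every bit "don't care"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"             # ip, tcp, udp or icmp
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str                   # permit or deny
    proto: str                    # "ip" matches every protocol
    src: int                      # address as a 32-bit int
    src_wild: int                 # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]          # only "eq <port>" on the destination is modelled

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; returns (addr, wild, next index)."""
    if tok[i] == "any":
        return 0, ANY, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2

def _parse_entry(tok: List[str], extended: bool) -> Entry:
    if not extended:                                   # standard ACL: source address only
        src, wild, _ = _parse_addr(tok, 1)
        return Entry(tok[0], "ip", src, wild, 0, ANY, None)
    src, sw, i = _parse_addr(tok, 2)                   # extended: proto, source, destination
    dst, dw, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
    return Entry(tok[0], tok[1], src, sw, dst, dw, dport)

def parse_config(text: str) -> Dict[str, List[Entry]]:
    """Collect numbered 'access-list N ...' lines and named 'ip access-list' blocks."""
    acls: Dict[str, List[Entry]] = {}
    current, extended = None, False
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!" or "remark" in tok[:3]:
            continue
        if tok[:2] == ["ip", "access-list"]:           # named ACL: sub-commands follow
            current, extended = tok[3], tok[2] == "extended"
            acls.setdefault(current, [])
        elif tok[0] == "access-list":                  # numbered ACL: one global command per line
            ext = any(lo <= int(tok[1]) <= hi for lo, hi in EXTENDED_RANGES)
            acls.setdefault(tok[1], []).append(_parse_entry(tok[2:], ext))
        elif current is not None:
            acls[current].append(_parse_entry(tok, extended))
    return acls

def _covers(base: int, wild: int, addr: int) -> bool:
    return (addr & ~wild) == (base & ~wild)            # compare only the "care" bits

def _matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and _covers(e.src, e.src_wild, _ip(p.src))
            and _covers(e.dst, e.dst_wild, _ip(p.dst))
            and (e.dport is None or e.dport == p.dport))

def lookup(acl: List[Entry], p: Packet) -> Tuple[str, int]:
    """Return (action, index of the matching line); index -1 is the implied deny."""
    for i, e in enumerate(acl):
        if _matches(e, p):
            return e.action, i          # first match wins; later lines are never consulted
    return "deny", -1

def shadowed_lines(acl: List[Entry]) -> List[int]:
    """Indexes of lines that can never match because an earlier line already covers them."""
    def covers(a: Entry, b: Entry) -> bool:            # every packet matching b also matches a
        return (a.proto in ("ip", b.proto)
                and (a.src_wild | b.src_wild) == a.src_wild and _covers(a.src, a.src_wild, b.src)
                and (a.dst_wild | b.dst_wild) == a.dst_wild and _covers(a.dst, a.dst_wild, b.dst)
                and (a.dport is None or a.dport == b.dport))
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]

CONFIG = """\
! constructed sample: standard ACL 10 filters on source only; BLOCK-TELNET on proto/src/dst/port
access-list 10 deny   host 192.168.1.50
access-list 10 permit 192.168.1.0 0.0.0.255
ip access-list extended BLOCK-TELNET
 deny   tcp any host 10.0.0.5 eq 23
 permit ip any any
"""
ACLS = parse_config(CONFIG)

if __name__ == "__main__":
    print(lookup(ACLS["10"], Packet("10.9.9.9", "10.0.0.5")))                          # implied deny
    print(lookup(ACLS["BLOCK-TELNET"], Packet("172.16.0.9", "10.0.0.5", "tcp", 23)))  # first line
    print("dead lines if BLOCK-TELNET is reversed:", shadowed_lines(ACLS["BLOCK-TELNET"][::-1]))
```

Running it shows the three behaviours the text describes: a source outside 192.168.1.0/24 hits no line of ACL 10 and falls through to the implied deny; the Telnet packet stops at the first line of BLOCK-TELNET and the later `permit ip any any` is never consulted; and if those two lines were swapped, `shadowed_lines` reports the `deny` as unreachable, which is the ordering mistake first-match logic punishes.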

ACLs are very helpful for the security of a network: they filter out unauthorised packets, which protects the network from unwanted traffic, and can therefore improve network performance and save bandwidth, since the unwanted traffic is dropped. In terms of QoS, they allow us to prioritise one type of traffic over another.

