Without network security, many businesses and home users alike would be exposed for all the world to see and access. Network security does not prevent 100% of unauthorized users from entering your network, but it does help limit a network's exposure to the outside world. Cisco devices provide many tools to help monitor and prevent security threats. One of the most common technologies used in Cisco network security is the Access Control List, or simply Access List (ACL). When businesses depend on their network to generate income, potential security breaches become a huge concern.
ACLs are implemented in Cisco IOS Software. An ACL defines rules that can be used to prevent some packets from flowing through the network. The rules in an access-list are usually used to stop a specific network or host from reaching another network or host. ACLs can be made more granular by implementing what is called an extended access-list. This type of ACL allows you to deny or permit traffic based not only on the source or destination IP address, but also on the type of data that is being sent.
Extended ACLs can examine multiple parts of the packet headers and require that all the parameters match before the traffic is denied or permitted. Standard ACLs are easier to configure but do not allow you to deny or permit traffic based on more specific requirements: a standard access-list only permits or denies traffic based on the source address or network. When creating ACLs, remember that there is always an implicit deny statement. This means that if a packet does not match any of your access-list statements, it is blocked by default. To overcome this, configure a permit any statement as the final line of a standard ACL, or a permit any any statement as the final line of an extended ACL.
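The following IOS configuration is an added example, not part of the original article, showing a standard list and an extended list side by side. The addresses (192.0.2.0/24 for the LAN, 198.51.100.10 for a web server), the list number 10 and the name WEB-ONLY are constructed placeholders. Note that the "permit any any" wording above is entered as permit ip any any in IOS syntax; the example instead keeps the default-deny behaviour and only makes it visible for logging.

```cisco
! --- Standard ACL: matches on the SOURCE address only ---
! Wildcard mask 0.0.0.255 matches every host in 192.0.2.0/24 (constructed range)
access-list 10 remark Block one misbehaving host, allow the rest of the LAN
access-list 10 deny   host 192.0.2.50
access-list 10 permit 192.0.2.0 0.0.0.255
! Every ACL ends with an implicit "deny any". Writing it out with "log"
! changes nothing about what is dropped, but gives you a hit counter and
! a syslog record of what the implicit deny would otherwise drop silently.
access-list 10 deny   any log

! --- Extended ACL: matches on protocol, source, destination and port ---
ip access-list extended WEB-ONLY
 remark LAN may reach the web server on HTTP and HTTPS only
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 80
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
 ! To allow everything else instead, the final line would be
 ! "permit ip any any"; here we keep default-deny and log it.
 deny   ip any any log
```

Both lists are only definitions until they are bound to an interface with ip access-group; show access-lists then displays a match counter per entry, which is the quickest way to confirm that traffic is hitting the line you expect rather than falling through to the deny.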
Packets can be filtered at several points. You can filter packets as they enter a router's interface, before any routing decision is made, or before they exit an interface, after the routing decision is made. ACL statements are always evaluated from top to bottom. As soon as a packet matches a statement, evaluation stops and the forwarding decision is made from that statement, even if later statements would also have matched. Therefore the most critical and most specific statements belong at the beginning of your list, and you should order statements from the most critical to the least critical.
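As an added example (not from the original article), the configuration below shows the ordering mistake the paragraph warns about next to the corrected list, and then binds the corrected list inbound and outbound. The topology, interface names, addresses and list names are constructed placeholders.

```cisco
! Constructed topology: LAN 192.0.2.0/24 behind Gi0/0, WAN side on Gi0/1

! WRONG ORDER: the broad permit on the first line matches every LAN host,
! so the host-specific deny on the second line is never evaluated.
ip access-list extended LAN-OUT-BAD
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip host 192.0.2.50 any

! CORRECT ORDER: the most specific and most critical entry comes first.
! Explicit sequence numbers leave room to insert an entry later
! (for example "15 deny ...") without rebuilding the whole list.
ip access-list extended LAN-OUT
 10 deny   ip host 192.0.2.50 any log
 20 permit ip 192.0.2.0 0.0.0.255 any
 ! implicit "deny ip any any" follows here

! Option A: inbound on the LAN interface, evaluated before the routing decision,
! so a blocked packet never consumes a lookup.
interface GigabitEthernet0/0
 ip access-group LAN-OUT in

! Option B: outbound on the WAN interface, evaluated after the routing decision,
! so it only affects traffic that is actually leaving towards the WAN.
interface GigabitEthernet0/1
 ip access-group LAN-OUT out
```

After applying the list, show access-lists LAN-OUT prints a matches counter beside each entry. An entry whose counter stays at zero while the traffic it describes is clearly flowing is the tell-tale sign that an earlier, broader line is shadowing it, which is exactly the LAN-OUT-BAD situation.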