skip to content
Hankyu Kim's blog

ACL (Access Control List)

/ 2 min read

network, acl, router, udp, packet

Understanding Access Control List (ACL)

What is ACL?

Access Control List (ACL) is used to manage network traffic and mitigate attacks by defining rules on routers. Similar to firewalls, ACL filter packets to permit or deny access based on specific criteria. In the context of autonomous driving security, as the CAN network transitions to Gigabit Ethernet, it may become more vulnerable to external threats. Here is some features of ACL:

  • Traffic Filtering: ACLs help filter traffic by defining specific rules based on source/destination addresses, protocol types, and service port numbers.
  • Firewall Integration: ACLs often work alongside firewalls to enhance security. They play a critical role in controlling inbound and outbound network traffic.
  • Network Resource Access: ACLs control access to network resources by defining what can enter or leave the network.
  • QoS and Routing Policies: ACLs can also be used for Quality of Service (QoS) and routing policies by identifying subnets and hosts, further organizing traffic.

When to use ACL

Here are typical scenarios where ACL come into play:

  1. Network Access Control: ACLs limit traffic to and from network resources connected to routers.
  2. Router Protection: ACLs restrict access through protocols like SNMP, Telnet, and SSH to protect the router itself.
  3. Subnet and Host Definitions: Used to define policies in subnet and host configurations, including QoS implementation.
  4. NAT/PAT Functions: ACLs aid in implementing Network Address Translation (NAT) and Port Address Translation (PAT).
  5. VPN Security: ACLs can define user traffic for IPsec VPNs to ensure secure connections.

How to use ACL

To create effective ACL rules, follow these steps:

  1. Define the source and destination subnets/hosts.
  2. Specify the service type for server access or client provision.
  3. Decide whether to permit or deny the traffic.
  4. Determine whether the filtering should be applied inbound or outbound.

Example

  1. Small subnets should be configured first.

    • ACL entries are assigned in order as they are configured.

    • Routers inspect entries starting from the smallest order number.

    • Example: To block 172.16.1.0/24, configure:

      Terminal window
      access-list 55 permit 172.16.0.0 0.0.255.255
      access-list 55 deny 172.16.1.0 0.0.0.255

  2. The last ACL entry is always deny any.

    • Example:

      Terminal window
      access-list 77 deny 172.16.1.0 0.0.0.255
      access-list 77 permit any

  3. No partial deletion or addition in ACL entries:

    • Use Named ACL to allow partial deletion/addition of entries.

    • Example:

      Terminal window
      ip access-list standard TEST