
Types of ACLs

Cisco devices support two types of ACLs, standard and extended, which filter network traffic based on criteria such as IP addresses, protocols and port numbers.

Both types work the same way: an ordered list of permit/deny statements (entries) is evaluated from the top down, the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny at the end of every ACL. What differs is the set of conditions an entry can test, so the filtering requirement decides which type you configure and where you apply it.

Standard ACLs 

A standard ACL is the simpler type (numbered 1-99 and 1300-1999): it permits or denies traffic based solely on the source IP address. It cannot filter on destination IP address, protocol or port number.

Because the decision ignores the destination, placement is crucial: a standard ACL applied near the source blocks that source's traffic to every destination beyond it, not only to the one you wanted to protect. The best practice is therefore to place a standard ACL as close to the destination of the traffic as possible.

Example showing the difference when placing a standard ACL close to and far from the destination

Look at the figure above. Users in Sales should have access to the internet but not to the IT department. If the ACL is applied on R1 (inbound on the Sales-facing interface), Sales loses access to both IT and the internet: the only criterion is the source address, and every packet from Sales matches it regardless of where it is headed.

The right place is therefore R2, the router closest to the destination, with the ACL applied outbound on the interface facing IT. Sales can no longer reach IT, while internet traffic, which leaves R2 through a different interface, is unaffected.

Extended ACLs 

In contrast, extended ACLs (numbered 100-199 and 2000-2699) can filter on several criteria: source and destination IP addresses, protocol (TCP, UDP, ICMP, OSPF and others) and, for TCP and UDP, source and destination port numbers. This makes them far more flexible than standard ACLs and allows much more granular control over traffic flow.

Because an entry can name the exact flow it applies to, it can be enforced without side effects on other traffic. The best practice is therefore to place an extended ACL as close as possible to the source of the traffic: packets that are going to be denied are dropped before they consume bandwidth and forwarding resources along the path.

Example showing the difference when placing an extended ACL close to and far from the destination

Look at the figure above. Applying the ACL on R2 satisfies the requirement, but the Sales-to-IT packets are then dropped on R2 rather than earlier on R1, after R1 has already forwarded them across the link. That wastes forwarding resources on R1 and bandwidth on the R1-R2 link.

It is therefore better to configure and apply the ACL on R1. Packets from Sales to IT are then denied at the first hop, and no resources are spent carrying packets that will only be dropped later on another device.
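To make the placement rules for both the standard and the extended case concrete, here is an added example (not code from the original article): a small Python simulator that parses ACL statements written in IOS `access-list` syntax, evaluates them the way IOS does (top-down, first match wins, implicit deny at the end) and walks packets across the two-router topology described above. The addresses, interface names and ACL numbers are assumptions chosen to match the figures: Sales 192.168.10.0/24 behind R1 Gi0/0, R1 Gi0/1 connected to R2 Gi0/0, IT 192.168.20.0/24 behind R2 Gi0/1 and the internet reached through R2 Gi0/2. The four placements it runs are exactly the four discussed in the text.

```python
"""Cisco IOS ACL evaluation and placement, simulated (added example, not from the article)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed topology: each path is an ordered list of (router, ingress interface, egress interface).
PATHS = {
    "Sales->IT":       [("R1", "Gi0/0", "Gi0/1"), ("R2", "Gi0/0", "Gi0/1")],
    "Sales->Internet": [("R1", "Gi0/0", "Gi0/1"), ("R2", "Gi0/0", "Gi0/2")],
}
# Constructed sample flows: (src, dst, protocol, destination port).
FLOWS = {
    "Sales->IT":       ("192.168.10.25", "192.168.20.10", "tcp", 445),
    "Sales->Internet": ("192.168.10.25", "203.0.113.7", "tcp", 443),
}
# Constructed ACLs in IOS syntax; the number selects the type (1-99 standard, 100-199 extended).
STANDARD_ACL = """
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
"""
EXTENDED_ACL = """
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip any any
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # tcp, udp, icmp, ...
    dport: int | None = None


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr(tok: list[str], i: int, bare_host_ok: bool):
    """Parse `any`, `host A.B.C.D` or `A.B.C.D W.X.Y.Z` starting at tok[i].
    Standard ACLs also accept a bare address, which IOS treats as a single host."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if bare_host_ok and (i + 1 >= len(tok) or not tok[i + 1].replace(".", "").isdigit()):
        return (tok[i], "0.0.0.0"), i + 1
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(config: str) -> list[dict]:
    """Turn `access-list` lines into an ordered list of access control entries."""
    aces = []
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        num, action, i = int(tok[1]), tok[2], 3
        if 1 <= num <= 99 or 1300 <= num <= 1999:   # standard: source only, destination implicit
            proto = "ip"
            src, i = _addr(tok, i, bare_host_ok=True)
            dst = ("0.0.0.0", "255.255.255.255")
        else:                                        # extended: protocol, source, destination[, eq port]
            proto, i = tok[i], i + 1
            src, i = _addr(tok, i, bare_host_ok=False)
            dst, i = _addr(tok, i, bare_host_ok=False)
        dport = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
        aces.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return aces


def evaluate(aces: list[dict], pkt: Packet) -> str:
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for ace in aces:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_wildcard_match(pkt.src, *ace["src"]) and _wildcard_match(pkt.dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"


def forward(path, applied: dict, acls: dict, pkt: Packet) -> str:
    """Walk the hops; each one checks the inbound ACL on its ingress interface, then the
    outbound ACL on its egress interface. `applied` maps (router, interface, direction)
    to an ACL number, i.e. the effect of `ip access-group <number> in|out`."""
    for router, ingress, egress in path:
        for iface, direction in ((ingress, "in"), (egress, "out")):
            num = applied.get((router, iface, direction))
            if num is not None and evaluate(acls[num], pkt) == "deny":
                return f"dropped at {router}"
    return "delivered"


def run_scenarios() -> dict[str, dict[str, str]]:
    """The four placements discussed in the article, as placement -> flow -> outcome."""
    acls = {10: parse_acl(STANDARD_ACL), 110: parse_acl(EXTENDED_ACL)}
    placements = {
        "standard on R1 Gi0/0 in":  {("R1", "Gi0/0", "in"): 10},    # wrong: blocks internet too
        "standard on R2 Gi0/1 out": {("R2", "Gi0/1", "out"): 10},   # right: close to destination
        "extended on R2 Gi0/0 in":  {("R2", "Gi0/0", "in"): 110},   # works, but drops one hop late
        "extended on R1 Gi0/0 in":  {("R1", "Gi0/0", "in"): 110},   # right: close to source
    }
    return {name: {flow: forward(PATHS[flow], applied, acls, Packet(*FLOWS[flow])) for flow in FLOWS}
            for name, applied in placements.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26} {outcome}")
```

Running it prints one line per placement. The standard ACL on R1 drops both flows, on R2 it drops only Sales-to-IT; the extended ACL gives the right answer in either position, but only on R1 does the drop happen at the first hop. The parser accepts only the subset of IOS syntax used here (numeric ports, no `range`, `established` or port names), which is stated as an assumption, not a full IOS implementation.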