Packet Filtering with ACL

An ACL (access control list) is a technique for monitoring incoming and outgoing packets and permitting or blocking them based on source and destination IP addresses, protocols, and ports. Packet filtering of this kind is also known as static filtering.

We can configure filter rules on a network device, and the router then acts as a packet filter when sending, receiving, forwarding or denying packets according to those rules. A router configured with packet filtering rules opens and reads each packet and extracts certain information from the packet header. From this information, and on the basis of the configured rules, the router decides whether the packet may pass through or must be discarded. Packet filtering works at the network and transport layers of the OSI model, and at the internet layer of the TCP/IP model. The rules configured on the router determine whether traffic is permitted or denied. At the transport layer, the router can also filter packets based on the source and destination port of the TCP or UDP segment.

An ACL contains a list of permit or deny statements, known as access control entries (ACEs) or, more commonly, ACL statements. We configure ACL statements to filter traffic based on certain criteria, for example the source address of the packet, the destination address of the packet, the protocol, and the port numbers. When a packet passes through an interface configured with an ACL, the router compares the information within the packet against each ACE in sequence, from the first statement to the last, looking for a match. When a match is found, the router processes the packet according to that statement's action. In this way, ACLs control access to a network or subnet using rules. An ACL extracts the following information from the packet:

Layer 3 Information:

  • Source IP address
  • Destination IP address
  • ICMP message type

Layer 4 Information:

  • TCP/UDP source port
  • TCP/UDP destination port
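The first-match evaluation described above, modelled in Python as an added example (this is illustrative code, not a router's implementation or anything from the original page). It evaluates ACEs in order over the Layer 3 and Layer 4 fields listed, stops at the first match, and applies the implicit deny that Cisco IOS ACLs end with when nothing matches; the ACL and packets are constructed sample data.

```python
"""Model of ordered ACL evaluation: first matching ACE decides the packet's fate."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    sport: Optional[int] = None    # Layer 4 fields; absent for ICMP
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # Layer 3 field for ICMP only

@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None      # None means any destination port
    icmp_type: Optional[int] = None  # None means any ICMP message type

    def matches(self, pkt: Packet) -> bool:
        """True only if every criterion set on this ACE matches the packet."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in self.src or ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True

def evaluate(acl: list[ACE], pkt: Packet) -> tuple[str, Optional[int]]:
    """Walk the ACEs top to bottom; return (action, index of the matching ACE).
    No match falls through to the implicit deny, reported with index None."""
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", None

# Constructed sample ACL (hypothetical addresses): allow HTTPS to one server,
# block ICMP echo requests (type 8) from the guest subnet, permit the rest of the LAN.
ACL = [
    ACE("permit", "tcp", IPv4Network("0.0.0.0/0"), IPv4Network("10.0.0.10/32"), dport=443),
    ACE("deny", "icmp", IPv4Network("192.168.50.0/24"), IPv4Network("10.0.0.0/24"), icmp_type=8),
    ACE("permit", "ip", IPv4Network("192.168.0.0/16"), IPv4Network("10.0.0.0/24")),
]
```

Note that ordering matters: if the broad third entry were placed first, the ICMP deny would never be reached.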