Wednesday, August 3, 2016

How ACLs are Interpreted

A quick and dirty post as I'm taking a much needed vacation.

Often, an explanation of an ACL's layout uses very simple ACLs with only one or two ACEs.  In practice, however, ACLs can grow to hundreds of ACEs, which makes planning their layout an important and complex affair. An ACL is processed from top to bottom.  Every packet that flows through an interface in a direction with an ACL applied is inspected.  The packet is first compared against the first line of the ACL.  If it matches, the action specified by that ACE is taken.  If it does not match, the packet is compared against the second line, and so on.  Processing continues down the ACL until a match is made; the router then takes the action specified by that line and stops.  The packet is not compared against any other ACE after the first match.

One important note that is often overlooked is that every ACL has an implicit deny all at the end.  What this means is that the final statement of every ACL, which is not shown in the router's configuration, is "deny all."  All traffic that is not matched by an explicit ACE is therefore dropped.  If an ACL is only meant to deny certain traffic, a "permit any" must be added as its last line; that permit any is then processed before the implicit deny all.

The following image shows the logic that a router uses when processing an ACL.

From Network Security Technologies and Solutions, Cisco Press © 2008

In order to find a match, a process of binary math is performed.  For brevity, I will describe the process for a standard ACL, but the concepts are the same for other types of ACLs. First, the source address of the actual packet and the wildcard mask specified in the ACE are combined with a bitwise OR operation.  This is result one.  Next, the address specified in the ACE and the wildcard mask specified in the ACE are combined with another bitwise OR operation.  This is result two.  Result one and result two are then combined with a bitwise XOR operation.  If every bit of the XOR result is zero, the ACE matches, and the packet is either permitted or denied based on the action specified.  If any bit of the result is non-zero, the packet fails this comparison, the router moves on to the next ACE in the ACL, and the process begins all over again.  All of these operations are performed each time a packet moves in the correct direction through an interface with an ACL applied, and a single packet can potentially trigger the processing of 2 or more ACLs. This should make it apparent why an ACL should be constructed with great care.
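The following is an added example, not code from the original post, that models the two ideas above in Python: the top-down, first-match walk with the implicit deny at the end, and the OR/OR/XOR wildcard-mask comparison used to test each ACE. The ACL and the packet sources are constructed sample values; the `evaluate` and `ace_matches` names are mine, not a router API.

```python
# Added example (not from the original post): a model of how a router walks a
# standard ACL top-down and tests each ACE with wildcard-mask bitwise math.
import ipaddress
from typing import List, Tuple

# An ACE is (action, address, wildcard). "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACE = Tuple[str, str, str]


def to_int(dotted: str) -> int:
    """Turn a dotted-quad string into a 32-bit integer for bitwise work."""
    return int(ipaddress.IPv4Address(dotted))


def ace_matches(packet_src: str, ace_addr: str, wildcard: str) -> bool:
    """The three bitwise steps described above: OR, OR, then XOR."""
    src, addr, wc = to_int(packet_src), to_int(ace_addr), to_int(wildcard)
    result_one = src | wc    # packet source address OR wildcard mask
    result_two = addr | wc   # ACE address OR wildcard mask
    # A match only when every bit of the XOR is zero (set bits in the wildcard
    # are "don't care" bits, since OR forces them to 1 on both sides).
    return (result_one ^ result_two) == 0


def evaluate(acl: List[ACE], packet_src: str) -> Tuple[str, int]:
    """Walk the ACL top-down; return (action, index of the matching ACE).

    Index -1 means no ACE matched and the implicit "deny all" applied.
    Processing stops at the first match, so later ACEs are never consulted.
    """
    for index, (action, addr, wildcard) in enumerate(acl):
        if ace_matches(packet_src, addr, wildcard):
            return action, index
    return "deny", -1  # the implicit deny at the end of every ACL


# Constructed sample ACL: block one host, block a /24, then permit everything else.
SAMPLE_ACL: List[ACE] = [
    ("deny",   "192.168.10.5", "0.0.0.0"),          # a single host
    ("deny",   "10.1.1.0",     "0.0.0.255"),        # the 10.1.1.0/24 network
    ("permit", "0.0.0.0",      "255.255.255.255"),  # "permit any"
]

# The same ACEs with "permit any" moved to the top: it shadows both denies.
SHADOWED_ACL: List[ACE] = [SAMPLE_ACL[2], SAMPLE_ACL[0], SAMPLE_ACL[1]]


if __name__ == "__main__":
    sources = ("192.168.10.5", "10.1.1.77", "10.1.2.1", "172.16.0.9")
    for name, acl in (("sample", SAMPLE_ACL),
                      ("without permit any", SAMPLE_ACL[:2]),
                      ("permit any first", SHADOWED_ACL)):
        print(f"--- {name} ---")
        for src in sources:
            action, idx = evaluate(acl, src)
            where = f"ACE {idx + 1}" if idx >= 0 else "implicit deny"
            print(f"{src:15} -> {action:6} ({where})")
```

Running it shows three things a practitioner cares about: the ACL that ends with "permit any" drops only the two constructed deny matches, the same ACL with that last line removed drops everything because of the implicit deny, and placing "permit any" first makes every packet match ACE 1 so the two deny lines are never reached.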

