Access List Basics

Two-Step Process

With all access lists, you have two separate and distinct steps in using them: the creation and the implementation. First, the ACL is always created using the access-list statement in Global Configuration mode. Second, the ACL is referenced by a process command or applied to an interface with commands unique to the application. If either part isn’t done, the ACL typically has no impact, as if it didn’t exist at all. The following output is an example of a simple standard access list and applying it to a Fast Ethernet interface.

 interface Fastethernet 0/0
 ip address 192.168.5.1 255.255.255.0
 ip access-group 50 out
!
access-list 50 deny 192.168.1.10
access-list 50 deny 192.168.2.0 0.0.0.255
access-list 50 permit any
!

Access lists, when applied to an interface, called traffic filtering, only filter traffic traveling in the direction specified in the access-group statement. In the previous code output, only the outbound IP traffic is being filtered. While applying two ACLs for the same protocol for traffic going in one direction is impossible, you can have one for each direction for each protocol configured on the interface. The following code shows an example of an interface with multiple ACLs applied:

 !
interface Fastethernet 0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 171 in
 ip access-group 15 out
 appletalk cable-range 10-19 15.11
 appletalk access-group 615 out
 appletalk access-group 601 in
 ipx access-group 805 in
 ipx access-group 809 out
 ipx network 127
!

In determining whether to apply the ACL in- or outbound, visualize yourself at the center of the router. Is the data coming at you in the interface or is it traveling out through the interface? The perspective for determining in or out is always the center of the router, never the center of the network segment. A common mistake is to use an inbound filter to block traffic from entering a LAN. While the bad traffic is coming into the LAN, it’s passing out of the router. Figure A-1 shows graphically inbound and outbound traffic flows on a basic router.

Figure A-1: Inbound and outbound traffic flows on router interfaces

Numbered ACL Common Characteristics

Before looking at the details of standard and extended ACLs, consider the following characteristics of all numbered access lists:

• An ACL is made up of one or more permit or deny statements

• If an ACL doesn’t have at least one permit statement, it will deny everything

• All ACL statements with the same number are part of the same ACL

• ACL statements must be entered sequentially in order to be processed

• An ACL can be added to (appended), but not edited. Any attempt to edit an item will delete the entire ACL

  Tip?

  By default, router interfaces configured for a protocol “allow” all traffic in both directions without restriction. Once an ACL is applied to an interface, the default flips to “blocking” all traffic for that protocol in the specified direction, except what is explicitly allowed by the ACL.

The Numbers Matter

With numbered ACLs, the number is a list identifier that indicates the protocol used and whether the list is part of a standard or an extended ACL. Each statement in the ACL will have the same number. The following table is a recent listing of the ACL number ranges.

While this text and the exam focus only on IP ACLs, it’s important to remember that similar features exist for IPX, Appletalk, and other even older protocols.