Standard Access Lists

Standard IP access lists filter packets based exclusively on the network layer source address of a data packet. They either block (deny) or allow (permit) traffic, based solely on the origin of the packet. The IP standard access list number ranges are 1 to 99 and, since IOS release 12.1, numbers 1300 to 1399. These lists can be applied to a router interface to manage data traffic, applied to a virtual terminal connection to limit telnet sessions into the router, or used with a process like NAT to identify a pool of acceptable addresses.

A simple analogy for standard ACLs in many American communities would be election polling places. Voters are permitted in the voting area if they live within the election precinct, but denied access if they don’t.

Building a Standard ACL

Standard ACLs are created in Global Configuration mode using the access-list command. The syntax of a standard ACL statement is simply

access-list acl# {permit | deny} {source [source-wildcard] | any} [log]

acl#              A number (1–99 or 1300–1399) that identifies all statements in the list
permit | deny     Choice of whether the packet passes through or not, and whether it lives or dies
source | any      Choice between selected host(s) or the keyword any, which includes all hosts
source-wildcard   Used if source isn't a single host. The wildcard mask identifies the subnet, network, or supernet (see Wildcard Masks later in this section)
log               Turns on the optional logging feature

Unless a packet matches a permit statement before it matches a deny statement or the last statement is processed, the packet will be discarded without recourse or appeal. A simple example would be the following code lines:

Rtr1#conf t
Rtr1(config)#access-list 15 deny 192.168.1.14
Rtr1(config)#access-list 15 deny 192.168.1.195
Rtr1(config)#access-list 15 permit 192.168.4.45
Rtr1(config)#access-list 15 permit 192.168.4.211
Rtr1(config)#access-list 15 permit 192.168.1.195
Rtr1(config)#

The preceding example shows two host addresses being blocked (denied) and two being permitted. The fifth statement, while valid, serves no purpose because a packet from 192.168.1.195 was already discarded by ACL line two and can't be recalled for ACL line five. This often happens when a person decides later to allow an address and adds the line to an existing ACL, where it can only go to the bottom of the stack. Changing the order requires deleting the list and re-creating it, although techniques for using Notepad exist that make this much less work than one might assume.

This clearly becomes tedious if each address must be handled individually. The next section looks at how to handle groups of addresses.

Source Identifier

The source identifier {source [source-wildcard] | any} is a choice between identified host(s) or any host, which equates to all addresses or all packets. The following example shows a common use of the Any option:

Rtr1#conf t
Rtr1(config)#access-list 15 deny 192.168.1.14
Rtr1(config)#access-list 15 deny 192.168.1.195
Rtr1(config)#access-list 15 permit 192.168.4.45
Rtr1(config)#access-list 15 permit 192.168.4.211
Rtr1(config)#access-list 15 permit any
Rtr1(config)#

The final statement allows all packets from any source address to be permitted. Looking over the preceding results, what's the impact of ACL line five on lines one and two? None; just like last time, it's too late for packets already identified by an earlier deny statement.

What is the impact of ACL Line five on Lines three and four? They are now redundant; the result would be the same if they weren’t present at all. A small amount of CPU usage could possibly be saved by rewriting the ACL to eliminate them.

What would happen if the line access-list 15 deny 192.168.3.11 was added now? Nothing, because the line would go to the bottom and, even if a packet from that host appeared, it would be permitted by ACL line five before it reached the new line.
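The first-match, implicit-deny behaviour described above, and the shadowed and redundant lines in the two example lists, can be checked mechanically before a list is applied to an interface. The following Python script is an added example, not code from the book or from Cisco IOS; it models only the source-address matching of a numbered standard ACL (the IOS host and log keywords are accepted, and any is treated as 0.0.0.0 255.255.255.255), and its redundancy check is deliberately conservative: it reports a line only when a single other line provably makes it unnecessary.

```python
"""Simulate IOS standard access-list evaluation: first match wins, then implicit deny."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    source: int      # 32-bit source address
    wildcard: int    # 32-bit wildcard mask: 1 bits are "don't care", 0 bits must match


def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_entry(line):
    """Parse one 'access-list N {permit|deny} source [wildcard] [log]' into (N, AclEntry)."""
    parts = line.split()
    if parts and parts[-1] == "log":          # logging keyword does not affect matching
        parts.pop()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard access-list statement: {line!r}")
    acl_num, action = int(parts[1]), parts[2]
    if parts[3] == "any":                     # any == 0.0.0.0 255.255.255.255
        return acl_num, AclEntry(action, 0, 0xFFFFFFFF)
    if parts[3] == "host":                    # host A.B.C.D == A.B.C.D 0.0.0.0
        return acl_num, AclEntry(action, _addr(parts[4]), 0)
    wildcard = _addr(parts[4]) if len(parts) > 4 else 0   # omitted wildcard is 0.0.0.0
    return acl_num, AclEntry(action, _addr(parts[3]), wildcard)


def parse_acl(lines):
    """Parse statements that must all carry the same ACL number; keep their order."""
    parsed = [parse_entry(line) for line in lines]
    numbers = {num for num, _ in parsed}
    if len(numbers) != 1:
        raise ValueError(f"statements belong to more than one ACL: {sorted(numbers)}")
    return [entry for _, entry in parsed]


def matches(entry, src):
    """A source matches when every bit that is 0 in the wildcard agrees with the entry."""
    return (src & ~entry.wildcard) == (entry.source & ~entry.wildcard)


def evaluate(entries, src_dotted):
    """Return (verdict, 1-based line that decided it); line None means the implicit deny."""
    src = _addr(src_dotted)
    for idx, entry in enumerate(entries, start=1):
        if matches(entry, src):
            return entry.action, idx
    return "deny", None


def covers(a, b):
    """True if every address matched by b is also matched by a."""
    return (b.wildcard & ~a.wildcard) == 0 and \
        (a.source & ~a.wildcard) == (b.source & ~a.wildcard)


def intersects(a, b):
    """True if at least one address matches both entries."""
    fixed = ~(a.wildcard | b.wildcard)        # bits that both entries insist on
    return (a.source & fixed) == (b.source & fixed)


def redundant_entries(entries):
    """Lines whose removal would change no verdict (conservative single-line check).
    'shadowed': an earlier line already matches everything this line matches.
    'same verdict below': every packet this line matches would get the same verdict
    from one later line, or from the implicit deny, anyway."""
    findings = []
    for i, entry in enumerate(entries):
        if any(covers(entries[j], entry) for j in range(i)):
            findings.append((i + 1, "shadowed"))
            continue
        for later in entries[i + 1:]:
            if not intersects(later, entry):
                continue
            if later.action != entry.action:
                break                         # a conflicting line could see these packets
            if covers(later, entry):
                findings.append((i + 1, "same verdict below"))
                break
        else:
            if entry.action == "deny":        # nothing below overrides it: implicit deny agrees
                findings.append((i + 1, "same verdict below"))
    return findings


if __name__ == "__main__":
    # The second list from the text, with the deny line the text asks about appended.
    acl = parse_acl([
        "access-list 15 deny 192.168.1.14",
        "access-list 15 deny 192.168.1.195",
        "access-list 15 permit 192.168.4.45",
        "access-list 15 permit 192.168.4.211",
        "access-list 15 permit any",
        "access-list 15 deny 192.168.3.11",
    ])
    for host in ("192.168.1.195", "192.168.4.45", "192.168.3.11"):
        print(host, evaluate(acl, host))
    print("redundant:", redundant_entries(acl))   # lines 3, 4 and 6, as the text explains
```

Run against the first example list, the checker also reports line one (deny 192.168.1.14) as unnecessary: with no permit any below it, the implicit deny would drop that host regardless, which is exactly why a standard ACL consisting only of deny statements blocks everything.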

Wildcard Masks

In identifying ranges of IP addresses, ACLs use a wildcard mask instead of a subnet mask. Initially, they might look quite similar, but closer observation reveals they’re basically opposites.

  • Subnet mask—a 32-bit binary value made up of consecutive 1's indicating the network identifier, which then switches to 0's, indicating the host. The functions and processes using the subnet mask, such as routing or packet forwarding, have no interest in the host bits.

  • Wildcard mask—a 32-bit binary value made up of consecutive 0’s indicating those bits that must match, and then changing to 1’s, indicating either bit value (1 or 0) is okay. In most cases, the 0’s represent the network identifier and the 1’s indicate the hosts to include.

The following example compares the classful subnet mask (netmask) for 192.168.1.0/24 with the wildcard mask. With both types of masks, the actual comparisons in network devices are all being done in binary, not in decimal.

Address:  192.168.1.0             11000000.10101000.00000001.00000000
Netmask:  255.255.255.0 == /24    11111111.11111111.11111111.00000000
Wildcard: 0.0.0.255               00000000.00000000.00000000.11111111

In this example, the netmask and wildcard mask are literally opposites. This is true in all cases using classful addresses. The following table shows the default host mask and the three classful netmask/wildcard mask options.

IP Address       Subnet Mask        Wildcard Mask
192.168.1.15     255.255.255.255    0.0.0.0 (default)
192.168.1.0      255.255.255.0      0.0.0.255
112.16.0.0       255.255.0.0        0.0.255.255
15.0.0.0         255.0.0.0          0.255.255.255
45.12.16.0       255.255.255.0      0.0.0.255

The last entry is an example of a class A address subnetted to a series of class C networks. Examples of each are demonstrated in the following code output:

Rtr1#conf t
Rtr1(config)#access-list 15 deny 192.168.1.14 0.0.0.0
Rtr1(config)#access-list 15 deny 192.168.1.0 0.0.0.255
Rtr1(config)#access-list 15 permit 112.16.0.0 0.0.255.255
Rtr1(config)#access-list 15 permit 15.0.0.0 0.255.255.255
Rtr1(config)#access-list 15 permit 45.12.16.0 0.0.0.255
Rtr1(config)#access-list 15 permit any
Rtr1(config)#

Classful networks are quite easy because the change occurs on an octet boundary. But what about identifying only a subnet or a supernet? A couple of additional examples in decimal format might help.

IP Address       Subnet Mask        Wildcard Mask
192.168.1.16     255.255.255.240    0.0.0.15
192.168.96.0     255.255.254.0      0.0.1.255

Remember, each octet (8 bits) is interpreted separately when converted to decimal. The following example shows the binary equivalents for the subnet with addresses 192.168.1.16 to 192.168.1.31.

Address:  192.168.1.16            11000000.10101000.00000001.00010000
Netmask:  255.255.255.240 == /28  11111111.11111111.11111111.11110000
Wildcard: 0.0.0.15                00000000.00000000.00000000.00001111

The remaining rows are for the supernet with address range of 192.168.96.0 to 192.168.97.255.

Address:  192.168.96.0            11000000.10101000.01100000.00000000
Netmask:  255.255.254.0 == /23    11111111.11111111.11111110.00000000
Wildcard: 0.0.1.255               00000000.00000000.00000001.11111111

Creating a wildcard mask for a subnet or supernet requires understanding the previous concepts, but interpreting an existing, properly defined one is quite simple. The value 192.168.96.0 /19 (subnet mask: 255.255.224.0) has a wildcard mask of 0.0.31.255. The original value 192.168.96.0 is the starting value. Then add the wildcard mask octet by octet to get the maximum value 192.168.(96+31).(0+255), or 192.168.127.255.

Creating a Wildcard Mask for a Subnet or Supernet

Creating a wildcard mask for a subnet or supernet can seem a little overwhelming. After all, there must be an infinite number of possibilities, right? No; as with subnets, only a few combinations occur. Figure A-2 shows a simple tool for demonstrating this.

The top table in Figure A-2 shows the eight bit positions in an octet and their corresponding decimal values. The middle table carries the same logic out to 12 bits, which is handy when working with supernets, networks with more than 8 bits for host addresses. The bottom example shows how the Binary Digits row can be used to calculate the decimal equivalent of a binary number. This process works for subnets as well: a 3-bit subnet mask would have ones in the three leftmost positions, equaling 224.

Figure A-2: Binary to decimal conversion tool

The table is built by counting bit positions, right to left, by ones. The Value row also starts with one, and then doubles with each bit position to the left.

Other information the table reveals is the limited number of subnet increments that can be defined without ambiguity. These are the numbers in the Value row. For example, a subnet mask of 5 bits (248) would have an increment of 8 or values like the following:

Class C          Class B          Class A
192.168.0.0      172.16.0.0       15.0.0.0
192.168.0.8      172.16.8.0       15.8.0.0
192.168.0.16     172.16.16.0      15.16.0.0
192.168.0.24     172.16.24.0      15.24.0.0
to               to               to
192.168.0.240    172.16.240.0     15.240.0.0
192.168.0.248    172.16.248.0     15.248.0.0

Just as each of the previous values is a subnet address, each value would also be the first value used with a wildcard mask. In this case, the wildcard mask would be 0.0.0.7, as in 192.168.0.24 0.0.0.7, which identifies the range 192.168.0.24–31. In the second octet, this would look like 192.168.24.0 0.0.7.255, which identifies the range 192.168.24.0-192.168.31.255.

Rule of thumb: the starting octet value must be a multiple of a number on the Value line of the table (increment). The wildcard mask for that same octet is the sum of the bits to the right of the Value line entry (always one less than the increment). If the starting value is in the second or third octet, the mask value is unique for that octet, but then all remaining octets must be 255. So, if the increment is 32 and the starting value is 10.96.0.0, then the mask is 0.31.255.255.
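The three mechanical rules in this section (the wildcard is the bitwise inverse of the subnet mask, the last address is the start plus the wildcard octet by octet, and the start of a block must be a multiple of the increment) are small enough to put into code and use as a check on hand-calculated masks. The Python below is an added example, not code from the book or from Cisco IOS; the function names are the example's own, and nth_subnet assumes the book's convention that "the third subnet of 192.168.145.0/26" means the third /26 block counted from the network address given.

```python
"""Wildcard-mask helpers: mask <-> wildcard, matched range, alignment, and subnet blocks."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_from_prefix(prefix_len):
    """/24 -> 0.0.0.255: the wildcard mask is the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _dotted(netmask ^ ALL_ONES)


def wildcard_from_netmask(netmask):
    """255.255.224.0 -> 0.0.31.255 (same inversion, starting from a dotted mask)."""
    return _dotted(_addr(netmask) ^ ALL_ONES)


def is_contiguous_wildcard(wildcard):
    """True if the wildcard is 0s followed by 1s, the only shape that describes one
    subnet or supernet. IOS accepts other patterns, but they do not map to a block."""
    wc = _addr(wildcard)
    return (wc & (wc + 1)) == 0


def is_aligned(address, wildcard):
    """The rule of thumb: no wildcard ('don't care') bit may be set in the start
    address, i.e. the start must be a multiple of the increment in the masked octet."""
    return (_addr(address) & _addr(wildcard)) == 0


def address_range(address, wildcard):
    """(first, last) address an address/wildcard pair matches. first is the address
    with the wildcard bits cleared; last = first + wildcard, octet by octet."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"{wildcard} does not describe a single block")
    a, wc = _addr(address), _addr(wildcard)
    first = a & ~wc & ALL_ONES
    return _dotted(first), _dotted(first | wc)


def octet_increment(netmask_octet):
    """For one octet of a subnet mask, the subnet increment and the matching wildcard
    octet: 248 -> (8, 7), 224 -> (32, 31). The wildcard octet is always increment - 1."""
    low_bits = 255 - netmask_octet
    if not 0 <= netmask_octet <= 255 or (low_bits & (low_bits + 1)) != 0:
        raise ValueError(f"{netmask_octet} is not a valid subnet-mask octet")
    increment = 256 - netmask_octet
    return increment, increment - 1


def nth_subnet(network, prefix_len, n):
    """Start address and wildcard mask of the n-th (1-based) /prefix_len block,
    counting from the given network address (the convention used in Exercise A-1)."""
    if n < 1:
        raise ValueError("subnets are counted from 1")
    block = 1 << (32 - prefix_len)
    start = _addr(network) + (n - 1) * block
    if start > ALL_ONES:
        raise ValueError("block lies beyond the end of the address space")
    return _dotted(start), wildcard_from_prefix(prefix_len)


if __name__ == "__main__":
    print(wildcard_from_netmask("255.255.224.0"), address_range("192.168.96.0", "0.0.31.255"))
    print(address_range("192.168.24.0", "0.0.7.255"), is_aligned("192.168.0.20", "0.0.0.7"))
    print(octet_increment(248), nth_subnet("192.168.145.0", 26, 3))
```

The is_aligned check is the one worth keeping at hand: a statement such as 192.168.0.20 0.0.0.7 is accepted syntactically but, because bit 2 of the last octet is a "don't care" bit, it matches 192.168.0.16 through .23 rather than the block the author probably had in mind.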

Exercise A-1

Objective: Practice the skills required to interpret and create wildcard masks.

Required: Use the conversion table covered in the text or any method you choose (except using a subnet calculator). To confirm your results, the correct answers are at the end of the exercise.

1. What would be the starting address (first acceptable) and ending address (last acceptable) for the address/mask combination 192.15.75.0 0.0.0.255?

2. What would be the starting address and ending address for the address/mask combination 172.16.0.0 0.0.255.255?

3. What would be the starting address and ending address for the address/mask combination 210.10.0.0 0.0.1.255?

4. What would be the starting address and ending address for the address/mask combination 209.10.25.128 0.0.0.31?

5. What would be the starting address and wildcard mask for the IP network 210.119.60.0/24?

6. What would be the starting address and wildcard mask for the IP host address 210.119.60.10/24?

7. What would be the starting address and wildcard mask for the third subnet of 192.168.145.0/26?

8. What would be the starting address and wildcard mask for the fifth subnet of 201.110.150.0/30?

9. What would be the starting address and wildcard mask for the second subnet of 145.110.0.0/18?

Answers

1. 192.15.75.0 to 192.15.75.255

2. 172.16.0.0 to 172.16.255.255

3. 210.1.10.0 to 210.1.11.255

4. 209.10.25.128 to 209.10.25.159

5. 210.119.60.0 0.0.0.255

6. 210.119.60.10 0.0.0.0

7. 192.168.145.128 0.0.0.63

8. 201.110.150.16 0.0.0.3

9. 145.110.64.0 0.0.63.255

Removing an Access List

To remove the entire list, type no access-list acl-num in Global Configuration mode. Alternatively, you can leave the list defined but unapply it from an interface by typing no ip access-group acl-num in Interface Configuration mode. The following code demonstrates both techniques:

Rtr1#config t
Rtr1(config)#no access-list 50
Rtr1(config)#int e0
Rtr1(config-if)#no ip access-group 50

If you remove the list, but leave the access-group command on versions of the IOS since v12.0, the result is the same as if there were a single permit any list item. Older versions defaulted to a deny any and would, therefore, block all traffic.



