Access List Basics

Access lists are a stack of one-line filters that are processed sequentially to determine whether data packets are allowed to continue on through the router or as a part of a router process. Each statement in the stack tests for one set of criteria and, if the criterion matches, the packet is either permitted or denied, as defined in the same statement.

A simple analogy would be this: while grocery shopping, if the grapes are ripe, I will add them to my basket. The single criterion is whether the grapes are ripe and, based on their being ripe, they’re either permitted in my basket or denied. A more complex criterion could be if the grapes need to be ripe and from a domestic vineyard.

Two-Step Process

With all access lists, you have two separate and distinct steps in using them: the creation and the implementation. First, the ACL is always created using the access-list statement in Global Configuration mode. Second, the ACL is referenced by a process command or applied to an interface with commands unique to the application. If either part isn’t done, the ACL typically has no impact, as if it didn’t exist at all. The following output is an example of a simple standard access list and applying it to a Fast Ethernet interface.

interface Fastethernet 0/0
 ip address 192.168.5.1 255.255.255.0
 ip access-group 50 out
!
access-list 50 deny 192.168.1.10
access-list 50 deny 192.168.2.0 0.0.0.255
access-list 50 permit any
!

Access lists applied to an interface (called traffic filtering) only filter traffic traveling in the direction specified in the access-group statement. In the previous code output, only the outbound IP traffic is being filtered. You cannot apply two ACLs for the same protocol in the same direction, but you can have one ACL for each direction for each protocol configured on the interface. The following code shows an example of an interface with multiple ACLs applied:

!
interface Fastethernet 0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 171 in
 ip access-group 15 out
 appletalk cable-range 10-19 15.11
 appletalk access-group 615 out
 appletalk access-group 601 in
 ipx access-group 805 in
 ipx access-group 809 out
 ipx network 127
!

In determining whether to apply the ACL inbound or outbound, visualize yourself at the center of the router. Is the data coming at you in through the interface, or is it traveling out through the interface? The perspective for determining in or out is always the center of the router, never the center of the network segment. A common mistake is to use an inbound filter to block traffic from entering a LAN. While the bad traffic is coming into the LAN, it is passing out of the router, so the filter belongs outbound on that interface. Figure A-1 shows graphically the inbound and outbound traffic flows on a basic router.


Figure A-1: Inbound and outbound traffic flows on router interfaces

Numbered ACL Common Characteristics

Before looking at the details of standard and extended ACLs, consider the following characteristics of all numbered access lists:

  • An ACL is made up of one or more permit or deny statements

  • If an ACL doesn’t have at least one permit statement, it will deny everything

  • All ACL statements with the same number are part of the same ACL

  • ACL statements must be entered sequentially in order to be processed

  • An ACL can be added to (appended), but not edited. Any attempt to edit an item will delete the entire ACL

    Tip

    By default, router interfaces configured for a protocol “allow” all traffic in both directions without restriction. Once an ACL is applied to an interface, the default flips to “blocking” all traffic for that protocol in the specified direction, except what is explicitly allowed by the ACL.
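The following Python simulator is an added example, not code from the original text or from Cisco IOS; it shows how the rules above (sequential first-match processing, wildcard masks, and the implicit deny when nothing matches) decide the fate of a packet. It parses ACL 50 from the Two-Step Process section exactly as shown, plus two constructed lists: ACL 51 reverses the order of two statements to show why sequence matters, and ACL 60 contains only deny statements to show that such a list blocks everything. The parser handles only standard IP ACL syntax (host, wildcard, and any); function and class names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    address: int     # IPv4 address as a 32-bit integer
    wildcard: int    # wildcard mask: 0 bits must match, 1 bits are ignored


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_entry(line: str) -> Tuple[int, AclEntry]:
    """Parse one standard-ACL statement such as
    'access-list 50 deny 192.168.2.0 0.0.0.255'.
    Accepts 'any', 'host A.B.C.D', a bare 'A.B.C.D' (implied 0.0.0.0
    wildcard, as the page's 192.168.1.10 line uses) and 'A.B.C.D W.W.W.W'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard access-list statement: {line!r}")
    number, action, rest = int(parts[1]), parts[2], parts[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest[0] == "any":
        address, wildcard = 0, 0xFFFFFFFF      # every bit ignored
    elif rest[0] == "host":
        address, wildcard = _to_int(rest[1]), 0  # every bit must match
    else:
        address = _to_int(rest[0])
        wildcard = _to_int(rest[1]) if len(rest) > 1 else 0
    return number, AclEntry(action, address, wildcard)


def build_acls(config: str) -> Dict[int, List[AclEntry]]:
    """Group statements by list number, preserving the order they were entered."""
    acls: Dict[int, List[AclEntry]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        number, entry = parse_entry(line)
        acls.setdefault(number, []).append(entry)
    return acls


def entry_matches(entry: AclEntry, ip: int) -> bool:
    # Compare only the bits the wildcard mask says we care about.
    care = ~entry.wildcard & 0xFFFFFFFF
    return (ip & care) == (entry.address & care)


def evaluate(acl: List[AclEntry], source: str) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom and stop at the first matching statement.
    Returns (action, 1-based statement number); if nothing matches the
    implicit deny at the end of every ACL fires and the number is None."""
    ip = _to_int(source)
    for position, entry in enumerate(acl, start=1):
        if entry_matches(entry, ip):
            return entry.action, position
    return "deny", None


# ACL 50 is the list shown on the page; ACLs 51 and 60 are constructed
# here to show why order matters and what a list with no permit does.
SAMPLE_CONFIG = """
!
access-list 50 deny 192.168.1.10
access-list 50 deny 192.168.2.0 0.0.0.255
access-list 50 permit any
!
access-list 51 permit any
access-list 51 deny 192.168.1.10
!
access-list 60 deny 192.168.1.0 0.0.0.255
!
"""

ACLS = build_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    for number in sorted(ACLS):
        for src in ("192.168.1.10", "192.168.1.11", "192.168.2.77", "10.1.1.1"):
            action, line = evaluate(ACLS[number], src)
            where = f"statement {line}" if line else "implicit deny"
            print(f"access-list {number}: {src:<14} -> {action:<6} ({where})")
```

Running it shows 192.168.1.10 denied by statement 1 of ACL 50 but permitted by ACL 51, where the permit any placed first shadows the later deny, and every address denied by ACL 60 because no statement permits anything. That last case is the "default flips to blocking" behaviour from the tip.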

The Numbers Matter

With numbered ACLs, the number is a list identifier that indicates the protocol used and whether the list is part of a standard or an extended ACL. Each statement in the ACL will have the same number. The following table is a recent listing of the ACL number ranges.

Range          Description
1–99           IP standard access list
1,300–1,999    IP standard access list (expanded range IOS v12.1)
100–199        IP extended access list
2,000–2,699    IP extended access list (expanded range IOS v12.1)
200–299        Protocol type-code access list
300–399        DECnet access list
400–499        XNS standard access list
500–599        XNS extended access list
600–699        Appletalk access list
700–799        48-bit MAC address access list
800–899        IPX standard access list
900–999        IPX extended access list
1,000–1,099    IPX SAP access list
1,200–1,299    IPX summary address access list
1,100–1,199    Extended 48-bit MAC address access list

While this text and the exam focus only on IP ACLs, it's important to remember that similar features exist for IPX, Appletalk, and other, even older, protocols.




Part III: Virtual Private Networks (VPNs)