Access lists are a stack of one-line filters that are processed sequentially, from the top down, to determine whether packets are allowed to continue through the router or to reach a router process. Each statement in the stack tests one set of criteria. The first statement whose criteria match decides the packet: it is permitted or denied as that statement specifies, and no later statement is consulted.
A simple analogy would be this: while grocery shopping, if the grapes are ripe, I will add them to my basket. The single criterion is whether the grapes are ripe and, based on their being ripe, they are either permitted in my basket or denied. A more complex criterion could be that the grapes must be ripe and from a domestic vineyard.
With all access lists, there are two separate and distinct steps in using them: creation and implementation. First, a numbered ACL is always created with the access-list statement in Global Configuration mode. Second, the ACL is referenced by a process command (for example, access-class on the vty lines) or applied to an interface with a command specific to that use. If either step is skipped, the ACL has no effect, as if it didn't exist at all; in particular, an access-group that names a list that was never created filters nothing. The following output is an example of a simple standard access list applied to a Fast Ethernet interface.
    interface FastEthernet 0/0
     ip address 192.168.5.1 255.255.255.0
     ip access-group 50 out
    !
    ! No wildcard mask on a standard list means "this one host" (mask 0.0.0.0)
    access-list 50 deny 192.168.1.10
    ! Wildcard 0.0.0.255 ignores the last octet, so this covers all of 192.168.2.0/24
    access-list 50 deny 192.168.2.0 0.0.0.255
    ! Without this line the unseen implicit "deny any" would drop everything else
    access-list 50 permit any
    !
When an access list is applied to an interface (called traffic filtering), it filters only traffic traveling in the direction named in the access-group statement. In the previous output, only outbound IP traffic is filtered. You cannot apply two ACLs for the same protocol in the same direction on one interface, but you can have one per direction for each protocol configured on the interface. The following code shows an example of an interface with multiple ACLs applied:
    !
    interface FastEthernet 0/0
     ip address 192.168.1.1 255.255.255.0
     ip access-group 171 in
     ip access-group 15 out
     appletalk cable-range 10-19 15.11
     appletalk access-group 615 out
     appletalk access-group 601 in
     ipx access-group 805 in
     ipx access-group 809 out
     ipx network 127
    !
In determining whether to apply the ACL inbound or outbound, visualize yourself at the center of the router. Is the data coming at you in through the interface, or is it traveling away from you out through the interface? The perspective for determining in or out is always the center of the router, never the center of the network segment. A common mistake is to apply an inbound filter on the LAN interface to block traffic from entering that LAN. While the bad traffic is coming into the LAN, it is passing out of the router, so the filter must be applied outbound on that interface; an inbound list there only sees traffic leaving the LAN. Figure A-1 shows graphically inbound and outbound traffic flows on a basic router.
Before looking at the details of standard and extended ACLs, consider the following characteristics of all numbered access lists:
- An ACL is made up of one or more permit or deny statements, and every ACL ends with an implicit "deny any" that never appears in the configuration.
- If an ACL doesn't have at least one permit statement, it denies everything, because any packet that fails every explicit statement falls through to that implicit deny.
- All ACL statements with the same number are part of the same ACL.
- ACL statements are processed in the order they were entered, so they must be entered in the order you want them evaluated; a broad statement placed early shadows every more specific statement after it.
- A numbered ACL can be added to (new statements are appended at the end), but not edited in place. Removing any single statement with the no form of the command deletes the entire ACL; to change one line, remove the whole list and re-enter it.
Tip: By default, router interfaces configured for a protocol allow all traffic in both directions without restriction. Once an ACL is applied to an interface, the default flips to blocking all traffic for that protocol in the specified direction, except what the ACL explicitly permits.
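The evaluation rules above (top-down first match, wildcard masks, the implicit deny, and the in/out placement from Figure A-1) as an added example in Python. This is not Cisco code and not part of the original text: it is a small simulator whose configuration text is constructed here, with list 50 copied from the earlier output and an extra list 51 that has no permit statement. The interface names and the `forward()` model (inbound list on the entry interface, then outbound list on the exit interface) are assumptions of the example.

```python
"""Simulator for numbered standard IP access lists (added example, not Cisco code).

It models the rules in the text: top-down, first-match evaluation with wildcard
masks, the unseen implicit 'deny any' at the end of every list, and the fact that
an interface's inbound list only sees traffic entering the router on that
interface while its outbound list only sees traffic leaving on it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    source: int        # source address as a 32-bit integer
    wildcard: int      # wildcard mask: a 1 bit means "ignore this bit"


@dataclass
class Interface:
    name: str
    acl_in: Optional[int] = None    # list number from 'ip access-group N in'
    acl_out: Optional[int] = None   # list number from 'ip access-group N out'


def addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acls(config: str) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list N {permit|deny} SOURCE [WILDCARD]' lines.

    Statements are kept in the order entered; that is also the evaluation order."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                      # '!' comment lines and other commands
        number, action, src = int(parts[1]), parts[2], parts[3]
        if src == "any":
            source, wildcard = 0, 0xFFFFFFFF
        elif src == "host":
            source, wildcard = addr(parts[4]), 0
        else:
            source = addr(src)
            # No mask given means the statement matches only that one host
            wildcard = addr(parts[4]) if len(parts) > 4 else 0
        acls.setdefault(number, []).append(AclEntry(action, source, wildcard))
    return acls


def entry_matches(entry: AclEntry, src: int) -> bool:
    """Bits set in the wildcard are ignored; all other bits must match exactly."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (src & care) == (entry.source & care)


def evaluate(acl: List[AclEntry], src: int) -> Tuple[str, Optional[int]]:
    """First matching statement decides; returns (action, statement index).

    A packet that matches nothing hits the implicit 'deny any' (index None)."""
    for index, entry in enumerate(acl):
        if entry_matches(entry, src):
            return entry.action, index
    return "deny", None


def forward(acls: Dict[int, List[AclEntry]], ingress: Interface,
            egress: Interface, src: int) -> Tuple[str, Optional[str]]:
    """Pass a packet entering on 'ingress' and leaving on 'egress' through the router.

    Only the ingress interface's inbound list and the egress interface's outbound
    list are consulted. A list number that was applied but never created is
    skipped, mirroring IOS, where an undefined list filters nothing."""
    for iface, number, direction in ((ingress, ingress.acl_in, "in"),
                                     (egress, egress.acl_out, "out")):
        if number is None or number not in acls:
            continue
        action, _ = evaluate(acls[number], src)
        if action == "deny":
            return "deny", f"{iface.name} {direction}"
    return "permit", None


# Constructed configuration: list 50 is the one from the text; list 51 has no
# permit statement at all, so it can only ever deny.
CONFIG = """
access-list 50 deny 192.168.1.10
access-list 50 deny 192.168.2.0 0.0.0.255
access-list 50 permit any
access-list 51 deny 192.168.1.10
"""
ACLS = parse_standard_acls(CONFIG)

# Fa0/0 faces the LAN being protected, Fa0/1 faces the rest of the network (assumed topology).
LAN_OUT = Interface("FastEthernet0/0", acl_out=50)   # correct: filters traffic leaving the router into the LAN
LAN_IN = Interface("FastEthernet0/0", acl_in=50)     # the common mistake: filters traffic leaving the LAN instead
WAN = Interface("FastEthernet0/1")

if __name__ == "__main__":
    for source in ("192.168.1.10", "192.168.2.77", "192.168.3.5"):
        print(source, "->", evaluate(ACLS[50], addr(source)))
    print("no permit statement:", evaluate(ACLS[51], addr("10.0.0.1")))
    print("correct placement:", forward(ACLS, WAN, LAN_OUT, addr("192.168.1.10")))
    print("wrong placement:  ", forward(ACLS, WAN, LAN_IN, addr("192.168.1.10")))
```

The last two `forward()` calls are the point of Figure A-1: with list 50 applied inbound on FastEthernet0/0, a packet arriving on the far interface and heading into the LAN is never checked against it, so the denied host gets through. On a real router, confirm both halves of the setup with show ip access-lists (statement order and per-statement match counts) and show ip interface (which list is applied in each direction on the interface).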
With numbered ACLs, the number identifies the list and indicates both the protocol it filters and whether it is a standard or an extended list. Every statement in the ACL carries the same number. The following table lists the ACL number ranges.
| Range | Description |
|---|---|
| 1–99 | IP standard access list |
| 100–199 | IP extended access list |
| 200–299 | Protocol type-code access list |
| 300–399 | DECnet access list |
| 400–499 | XNS standard access list |
| 500–599 | XNS extended access list |
| 600–699 | AppleTalk access list |
| 700–799 | 48-bit MAC address access list |
| 800–899 | IPX standard access list |
| 900–999 | IPX extended access list |
| 1000–1099 | IPX SAP access list |
| 1100–1199 | Extended 48-bit MAC address access list |
| 1200–1299 | IPX summary address access list |
| 1300–1999 | IP standard access list (expanded range, IOS 12.1) |
| 2000–2699 | IP extended access list (expanded range, IOS 12.1) |
While this text and the exam focus only on IP ACLs, remember that similar features exist for IPX, AppleTalk, and other, even older, protocols.