Standard Access Control Lists (ACL) are Cisco IOS-based commands used to filter packets on Cisco routers based on the source IP Address of the packet. Extended Access Control Lists have the ability to filter packets based on source and destination IP addresses.
Numbers between 1 and 99, 1300 and 1999, or a name given explicitly with 'ip access-list standard name' can be used for a Standard ACL. The number used in this range doesn't affect how the ACL is processed or which ACL is more important to the router. A standard ACL is concerned with only one factor, the source IP address of the packet. The destination is not considered. The number takes the place of a name you might give to a specific rule. The number in no way corresponds to a list of pre-defined ACLs.
The difference between Named and Numbered ACLs is that a name, not a number, is associated with a named ACL. Names are easier to remember than numbers. Either way, the name of an ACL is given as either a number or a name.
Regardless of the type of access list you create, standard or extended, you must follow certain rules. For instance, you must create and apply access lists sequentially and must remember that they end with an implicit deny.
Router_A(config)#access-list 1 deny 172.16.5.2 0.0.0.0
Router_A(config)#access-list 1 deny 172.16.5.3 0.0.0.0
Router_A(config)#access-list 1 permit any
The previous example is a standard IP access list that denies the hosts 172.16.5.2 and 172.16.5.3, while allowing all other traffic. The list is applied sequentially from the top down as the router checks the packets arriving at the interface where this access list is applied, in order to check if the packets match the permit and deny statements. In the process of applying the access list, the router first checks an arriving packet to determine if it matches the deny 172.16.5.2 0.0.0.0 statement. If it does, the router discards the packet. If it does not, the router applies the second statement, deny 172.16.5.3 0.0.0.0. If the packet matches the second statement, the router discards the packet. Once again, if the packet does not meet the rules of the first two lines, the router applies the final permit any statement, and the packet is forwarded through the interface.
If you wish to remove an access-list, you use the no access-list (list #) command. For example, to remove the above list, you enter global configuration mode and type the no access-list command. The information below shows the correct procedure for typing this command.
From Global Configuration mode, type in:
access-list [access-list-number] [deny/permit] [source-ip-address] [ wildcard mask]
interface [interface-number]
ip access-group [number of list] in/out
Example:
access-list 5 permit 11.0.3.0 0.0.0.255
access-list 5 permit 10.0.5.0 0.0.0.255
int fa0/0
ip access-group 5 in
The above example permits traffic from two specific networks. Note that the access-list must be defined, and assigned an interface. An access-list by itself (not assigned to an interface) doesn't do anything at all.
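To make the top-down, first-match processing and the wildcard-mask comparison concrete, here is an added example (not part of the original page and not Cisco IOS code) that parses numbered standard ACL statements in the syntax shown above, evaluates a packet's source address against a list exactly as the router does, and falls through to the implicit deny when nothing matches. The sequence numbers 10, 20, 30 are assigned the way IOS numbers entries, and an omitted wildcard is treated as 0.0.0.0 (a single host); the sample configuration is constructed from the two lists on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    seq: int        # IOS-style sequence number (10, 20, 30, ...)
    action: str     # "permit" or "deny"
    network: int    # source address as a 32-bit integer
    wildcard: int   # wildcard mask: 1 bits are "don't care", 0 bits must match


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acls(config_text: str) -> Dict[int, List[Entry]]:
    """Parse 'access-list N permit|deny SOURCE [WILDCARD]' lines, grouped by ACL number.

    Accepts the keyword 'any' as the source and treats an omitted wildcard as
    0.0.0.0 (a single host), which is how IOS interprets it.
    """
    acls: Dict[int, List[Entry]] = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACL statement
        if len(tokens) < 4:
            raise ValueError(f"incomplete ACL statement: {raw!r}")
        number, action = int(tokens[1]), tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw!r}")
        if tokens[3] == "any":
            network, wildcard = 0, 0xFFFFFFFF   # every bit is "don't care"
        else:
            network = _ip(tokens[3])
            wildcard = _ip(tokens[4]) if len(tokens) > 4 else 0
        entries = acls.setdefault(number, [])
        entries.append(Entry(seq=10 * (len(entries) + 1), action=action,
                             network=network, wildcard=wildcard))
    return acls


def entry_matches(entry: Entry, src: int) -> bool:
    """A source matches when every bit NOT covered by the wildcard equals the entry's address."""
    care_bits = ~entry.wildcard & 0xFFFFFFFF
    return ((src ^ entry.network) & care_bits) == 0


def evaluate(entries: List[Entry], src_ip: str) -> Tuple[str, Optional[int]]:
    """Top-down first match; returns (action, seq). No match -> implicit deny, seq None."""
    src = _ip(src_ip)
    for entry in entries:
        if entry_matches(entry, src):
            return entry.action, entry.seq
    return "deny", None


def remove_by_sequence(entries: List[Entry], seq: int) -> List[Entry]:
    """Drop a single entry by sequence number, leaving the others in place."""
    return [e for e in entries if e.seq != seq]


# Constructed sample config: the two numbered lists shown on this page.
SAMPLE_CONFIG = """
access-list 1 deny 172.16.5.2 0.0.0.0
access-list 1 deny 172.16.5.3 0.0.0.0
access-list 1 permit any
access-list 5 permit 11.0.3.0 0.0.0.255
access-list 5 permit 10.0.5.0 0.0.0.255
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    checks = ((1, "172.16.5.2"), (1, "172.16.9.9"), (5, "11.0.3.77"), (5, "192.168.1.1"))
    for number, src in checks:
        action, seq = evaluate(acls[number], src)
        where = f"line {seq}" if seq is not None else "implicit deny at end of list"
        print(f"ACL {number}: {src} -> {action} ({where})")
```

Because list 5 has no final permit any, a source such as 192.168.1.1 matches neither network line and is dropped by the implicit deny; this is the behaviour that catches administrators who forget that an empty match means deny, not permit.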
"in" or "out" refer to the traffic into, or out of, the router that is being configured.
From Global configuration mode type:
ip access-list standard [name]
deny [source ip or keyword any] [wildcard mask or keyword any]
OR
permit [source ip or keyword any] [wildcard mask or keyword any]
I. One of the most common problems associated with access lists is a lack of planning. Before you even begin the process of creating access lists on your router, you must plan exactly what needs to be filtered and where it needs to be filtered.
II. Another troublesome area is the sequential nature in which you must enter the lists into the router. You cannot remove individual statements once they are entered. When making changes, you must remove the list, using the no access-list command, and then retype the commands.
You can remove an individual entry from a numbered access-list by entering the list's "ip access-list standard" configuration mode and negating the entry by its sequence number:
gw(config)#access-list 77 permit 1.1.1.1
gw(config)#access-list 77 permit 1.1.1.2
gw(config)#do show access-list 77
Standard IP access list 77
    10 permit 1.1.1.1
    20 permit 1.1.1.2
gw(config)#ip access-list standard 77
gw(config-std-nacl)#no 10 permit 1.1.1.1
gw(config-std-nacl)#do show access-list 77
Standard IP access list 77
    20 permit 1.1.1.2
III. Finally, many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list. An access list begins to work the second it's applied to an interface. It's very possible that many new administrators will find themselves inadvertently blocked from the same router on which they're applying the access list.