Understanding Access Lists

Posted On 2007-05-10 by FortyPoundHead
Keywords: 640-607:Cisco Certified Network Associate (CCNA) Exam
Tags: Cisco Networking 

Router Access Lists manage IP traffic as network access grows and filter packets as they pass through the router.

Access list applications include permitting or denying packets moving through a router, vty access to or from a router, custom queuing, and triggering of "dial-on-demand" routing.

There are two general types of access lists: standard, which permits or denies output for an entire protocol suite based only on the source address, and extended, which allows greater flexibility by checking source and destination addresses as well as specific protocols and port numbers.

Access lists may be applied as either inbound or outbound access lists. With an inbound access list, incoming packets are processed by the list before being routed to an outbound interface. With an outbound access list, incoming packets are first routed to the outbound interface and then processed through that interface's outbound access list.

In terms of access lists, permit means the packet continues on to the next access list test, deny means the packet is discarded, and the implicit deny at the end of every list ensures that any packet matching none of the statements is dropped.

General guidelines for access list configuration include: put the most restrictive statements at the top of the list, allow only one access list per interface, per protocol, per direction, create access lists before applying them to interfaces, and give every access list at least one permit statement.

For IP, standard access lists use the number range 1 - 99 as an identifier and extended access lists use 100 - 199. For IPX, standard access lists use the number range 800 - 899 and extended access lists use 900 - 999.

The parameters that the Cisco IOS IP access list checks include: port number, protocol, source address, and destination address.

Address filtering occurs using access list address wildcard masking to identify how to check or ignore corresponding IP address bits.

Access List Configuration

General guidelines for configuring access lists include remembering that every access list ends with an implicit deny, and ordering the statements so that the more specific tests, and the tests that will match most frequently, come at the beginning of the list.

Standard access lists filter based on source address and mask while extended access lists filter based on source and destination address allowing more filtering control. In addition, extended access lists allow for filtering by protocol and port.

To configure standard access lists, use the access-list and ip access-group commands. These commands identify the list number, identify the source IP address, and link the access list to an interface.

The two steps for setting access lists are setting the parameters for the access test statement and enabling the interface to use the specified list.

The IOS commands to enable an extended access list are the same as those for enabling a standard access list, but they take additional configuration parameters such as the identification of specific protocols and ports. These commands are access-list and ip access-group.

The two steps for setting extended access lists are setting the parameters for the access test statement and enabling the interface to use the specified list. The test statement may include source and destination addresses as well as protocols and port numbers.
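To make the semantics described above concrete (wildcard masking, top-down first-match evaluation, the implicit deny, and the difference between a standard and an extended statement), here is an added Python evaluator that parses a few constructed Cisco-style access-list statements and tests packets against them. It is illustrative code written for this page, not code from the post or from Cisco IOS, and the list numbers and addresses in it are made up.

```python
import ipaddress

ACL_TEXT = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
access-list 101 deny ip any host 10.0.0.5
access-list 101 permit ip any any
"""  # constructed sample lists in IOS syntax (illustration only, not from the post)
ANY = ("0.0.0.0", "255.255.255.255")  # 'any' = a wildcard that ignores every address bit

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base address, a 1 bit is ignored."""
    ignore = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) | ignore) == (int(ipaddress.IPv4Address(base)) | ignore)

def parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    wildcard = tokens[i + 1] if i + 1 < len(tokens) else "0.0.0.0"  # bare address = exact host
    return (tokens[i], wildcard), i + 2

def parse_acl(text):
    """Group statements by list number, keeping order: entries are tested top-down."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        num, action = int(t[1]), t[2]
        if 1 <= num <= 99:  # standard list: source address only
            src, _ = parse_addr(t, 3)
            entry = {"action": action, "proto": "ip", "src": src, "dst": ANY, "port": None}
        else:  # extended list: protocol, source, destination, optional 'eq <port>'
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entry = {"action": action, "proto": t[3], "src": src, "dst": dst, "port": port}
        acls.setdefault(num, []).append(entry)
    return acls

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for a packet: first matching entry wins, implicit deny at the end."""
    for e in acl:
        if e["proto"] not in ("ip", proto) or not wildcard_match(src, *e["src"]):
            continue
        if not wildcard_match(dst, *e["dst"]) or (e["port"] is not None and e["port"] != dport):
            continue
        return e["action"]
    return "deny"  # implicit deny: nothing matched
```

Note how the order of the statements in list 101 matters: a TCP packet to 10.0.0.5 on a port other than 80 falls through the first entry and is caught by the deny on the second, while the final permit ip any any only reaches traffic to other destinations.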

Named access lists allow for IP standard and extended access lists to be identified with an alphanumeric string, not a number. Named access lists allow you to delete, but not insert, individual entries from a specific access list.

Place extended access lists close to the source of the traffic to be denied while standard access lists should be placed as near the destination as possible.

Access lists can be used to control virtual terminal access (vty) to or from a router. Users can be denied access to a router or denied access to destinations from that router.

The two commands used to configure a router for vty access are line vty, which places the router in line configuration mode, and access-class, which links an existing access list to a terminal line or range of lines.
