Basic Access List Configuration for Cisco Devices

Article Description

One of the simplest ways of controlling the traffic in and out of a Cisco device is by using access lists (ACL). These lists are generally composed of a permit or deny action that is configured to affect those packets that are allowed to pass or be dropped. This article discusses the basic concepts of how ACLs work and shows how a basic ACL is configured.

One of the simplest ways of controlling the traffic in and out of a Cisco device is by using an access list (ACL). These lists are generally composed of a permit or deny action that is configured to affect those packets that are allowed to pass or be dropped. This article discusses the basic concepts of how ACLs work and shows how a basic ACL is configured.

Overview

The ACL is one of the most basic building blocks learned first when venturing into Cisco device configuration. Once the basic structure and logic of these ACLs is understood, they are not particularly hard to configure.

There are several different types of ACL that are defined by either the ACL number or by the syntax used to define the ACL when using named ACLs. Table 1 displays a list of the most commonly used ACL numbers and their associated ACL type.

Table 1 - ACL Number Ranges

  Protocol                                            Range
  --------------------------------------------------  ----------------------
  Standard IP                                         1–99 and 1300–1999
  Extended IP                                         100–199 and 2000–2699
  Ethernet type code                                  200–299
  Ethernet address                                    700–799
  Transparent bridging (protocol type)                200–299
  Transparent bridging (vendor code)                  700–799
  Extended transparent bridging                       1100–1199
  DECnet and extended DECnet                          300–399
  Xerox Network Systems (XNS)                         400–499
  Extended XNS                                        500–599
  AppleTalk                                           600–699
  Source-route bridging (protocol type)               200–299
  Source-route bridging (vendor code)                 700–799
  Internetwork Packet Exchange (IPX)                  800–899
  Extended IPX                                        900–999
  IPX Service Advertising Protocol (SAP)              1000–1099
  Standard Virtual Integrated Network Service (VINES) 1–100
  Extended VINES                                      101–200
  Simple VINES                                        201–300

Next, we’ll look at the configuration of standard IP ACLs and basic configuration of IP extended ACLs.

Access List Configuration

A standard ACL provides the ability to match traffic based on the source address of the traffic only. This is, of course, rather limiting, but in many situations is all that is required. The command syntax of a standard ACL is as follows:

  • router(config)#access-list access-list-number {permit | deny} {source [source-wildcard] | host hostname | any}

or

  • router(config)#ip access-list standard {access-list-name}
  • router(config-std-nacl)# [sequence-number] {permit | deny} {source [source-wildcard] | host hostname | any}

From Table 1, it can be inferred that the access-list-number parameter will be a number from 1–99 or 1300–1999. The choice of the permit or deny action is rather obvious. The source parameter is the source IP network that is being matched by the ACL. The source-wildcard parameter controls which source addresses are matched by masking off the target addresses with an inverse mask. This parameter has long been a stumbling block for many people new to Cisco, as the concept of an inverse mask adds another level of complexity on top of the subnet mask. The easiest way to calculate an inverse mask from a subnet mask is to subtract each octet of the subnet mask from 255. For example, to match the addresses of a /26 or 255.255.255.192 network, each octet is subtracted from 255 to give 255-255 = 0 for the first three octets and 255-192 = 63 for the last; the result is an inverse mask of 0.0.0.63. The host hostname parameter is used to match a specific host instead of a network. The any parameter is used to match all traffic.

The second method of configuration shown uses the named ACL syntax; this method allows some additional functionality that does not exist with the original method, including the ability to edit individual lines in an ACL. When using a numbered ACL, the whole list must be deleted and reentered in order to make a change.

Unlike a standard ACL, the extended ACL provides much more flexibility in matching traffic, as it can match based on protocol, source address and destination address, as well as several other features such as matching on an established connection. In this article, we’re only reviewing the basic extended ACL syntax; the Advanced Access List Configuration article will cover extended ACLs in more detail. The command syntax of an extended ACL is as follows:

  • router(config)#access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [log]

or

  • router(config)#ip access-list extended {access-list-name}
  • router(config-ext-nacl)#[sequence-number] {permit | deny} protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [log]

Both standard and extended IP access lists do nothing until they are applied to a specific interface. When applied, the access list is configured in a specific direction from the perspective of the interface: either coming into the interface (in) or going out of the interface (out). The general rule when applying access lists is to apply standard IP access lists as close to the destination as possible and extended access lists as close to the source as possible. The reasoning for this rule is that standard access lists lack granularity (they match on source address only), so placing them near the source would affect that source's traffic to every destination; extended access lists have more potential granularity, so they can drop exactly the unwanted traffic close to the source before it crosses the network. The command syntax to apply an ACL is as follows:

  • router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

Access List Example

Figure 1 shows a basic network topology that has a single router that connects to three different IP subnets.

Figure 1 Basic Network Topology

In this example, the router needs to be configured with an access list that will block the traffic that comes in the f0/0 interface from the 192.168.1.0/24 network. The access list itself is the first thing that is configured; in this example the access list number 10 will be used.

  • router(config)#access-list 10 deny 192.168.1.0 0.0.0.255

The second step is to apply the access list on the correct interface; as the access list being configured is a standard access list, it is best applied as close to the destination as possible.

  • router(config)#interface f0/1
  • router(config-if)#ip access-group 10 out
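The inverse-mask arithmetic from the standard ACL section and the ACL 10 example above, worked through as an added Python simulation (not the article's own material and not Cisco IOS code; the function names are my own): it derives wildcard masks from prefix lengths, matches addresses the way IOS does, and evaluates a standard ACL top-down, first match wins, with the implicit deny any that ends every Cisco ACL.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverse (wildcard) mask for a /prefix_len network: each octet is 255 minus the subnet-mask octet."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ ALL_ONES))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, bit 0 = must equal the corresponding network bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    return (a & care) == (n & care)

def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} {source [wildcard] | host A | any}' lines into (action, net, wc)."""
    entries = []
    for line in lines:
        p = line.split()
        action, src = p[2], p[3]
        if src == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            net, wc = p[4], "0.0.0.0"
        else:
            # IOS treats a missing wildcard as 0.0.0.0, i.e. an exact host match.
            net, wc = src, (p[4] if len(p) > 4 else "0.0.0.0")
        entries.append((action, net, wc))
    return entries

def evaluate(entries, src):
    """Top-down, first match wins; the unwritten last entry of every ACL is 'deny any'."""
    for action, net, wc in entries:
        if wildcard_match(src, net, wc):
            return action
    return "deny"

# Constructed sample: the article's ACL 10 as written, and the same list with a trailing permit.
ACL_AS_WRITTEN = parse_standard_acl(["access-list 10 deny 192.168.1.0 0.0.0.255"])
ACL_WITH_PERMIT = parse_standard_acl(["access-list 10 deny 192.168.1.0 0.0.0.255",
                                      "access-list 10 permit any"])

if __name__ == "__main__":
    for src in ("192.168.1.25", "192.168.2.25"):
        print(src, "as written ->", evaluate(ACL_AS_WRITTEN, src),
              "| with permit any ->", evaluate(ACL_WITH_PERMIT, src))
```

Run as written, it shows that ACL 10 containing only the deny line also drops traffic from 192.168.2.25 because of the implicit deny, which is why a permit entry normally follows the deny in a real deployment.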

Summary

The capabilities of the access list feature are quite expansive, and this article only scratches the surface of the configuration possibilities. Hopefully, this article can serve as a basic primer to help people become familiar with the feature and use it in their implementations. For those looking to become even more familiar with the possibilities of extended ACLs, a second article will be available soon that reviews these capabilities and their configuration.