Access List Basics
Access lists are a stack of one-line filters that the router processes sequentially, from the top down, to decide whether a packet is allowed to continue through the router or to be handled by a router process. Each statement in the stack tests for one set of criteria; the first statement whose criteria match the packet decides its fate, permitting or denying it as that statement specifies, and no later statement is consulted. A packet that matches no statement at all is dropped by the implicit deny that ends every access list.
A simple analogy would be this: while grocery shopping, if the
grapes are ripe, I will add them to my basket. The single criterion is whether
the grapes are ripe and, based on their being ripe, they’re either permitted in
my basket or denied. A more complex criterion could be if the grapes need to be
ripe and from a domestic vineyard.
Two-Step Process
With all access lists, using them is two separate and distinct steps: creation and implementation. First, a numbered ACL is created with access-list statements in Global Configuration mode. Second, the ACL is referenced by a process command or applied to an interface with commands specific to that application (for IP traffic filtering, ip access-group). If either step is skipped, the ACL has no effect, as if it didn't exist: an ip access-group that names a list which was never created does no filtering and simply permits all traffic. The following output is an example of a simple standard access list (a standard list matches on the source address only) applied to a Fast Ethernet interface:

    interface Fastethernet 0/0
     ip address 192.168.5.1 255.255.255.0
     ip access-group 50 out
    !
    access-list 50 deny 192.168.1.10
    access-list 50 deny 192.168.2.0 0.0.0.255
    access-list 50 permit any
    !

Read as a whole, list 50 stops packets sourced from host 192.168.1.10 (a bare address in a standard list is a single host, wildcard 0.0.0.0) and from any host on 192.168.2.0/24 from leaving the router toward the 192.168.5.0/24 LAN, and lets everything else through.
When an access list is applied to an interface (called traffic filtering), it filters only traffic travelling in the direction named in the access-group statement. In the previous output, only outbound IP traffic is filtered; IP packets entering Fastethernet 0/0 are never examined by list 50. Only one ACL can be applied per protocol per direction on an interface, but you can have one for each direction for each protocol configured on the interface. The following code shows an interface with multiple ACLs applied:

    !
    interface Fastethernet 0/0
     ip address 192.168.1.1 255.255.255.0
     ip access-group 171 in
     ip access-group 15 out
     appletalk cable-range 10-19 15.11
     appletalk access-group 615 out
     appletalk access-group 601 in
     ipx access-group 805 in
     ipx access-group 809 out
     ipx network 127
    !
To decide whether to apply an ACL inbound or outbound, picture yourself at the center of the router. Is the packet coming at you through the interface, or is it travelling away from you out through the interface? The perspective for in or out is always the center of the router, never the center of the network segment. A common mistake is to use an inbound filter on a LAN interface to block traffic from entering that LAN: although the unwanted traffic is coming into the LAN, from the router's point of view it is passing out through that interface, so it must be filtered by an outbound list there (or by an inbound list on the interface where it arrives at the router). Figure A-1 shows graphically the inbound and outbound traffic flows on a basic router.
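The following Python model is an added example, not code from the original page: it implements the matching rules described above (wildcard masks, top-down first-match evaluation, the implicit deny) and applies list 50 from the earlier configuration to packets crossing a router, judging in and out from the router's perspective. The second interface Fa0/1, the packet sources and the "undefined list 99" case are constructed for the demonstration.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'ignore this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


class StandardACL:
    """A numbered standard ACL: an ordered list of permit/deny tests on the source address."""

    def __init__(self, number):
        self.number = number
        self.entries = []  # (action, network, wildcard), kept in the order entered

    def add(self, action, network, wildcard="0.0.0.0"):
        # 'any' is shorthand for 0.0.0.0 255.255.255.255; a bare address means one host.
        if network == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        self.entries.append((action, network, wildcard))  # append-only, as in IOS
        return self

    def evaluate(self, src):
        # Statements are tested top-down; the first match decides and processing stops.
        for action, network, wildcard in self.entries:
            if wildcard_match(src, network, wildcard):
                return action
        return "deny"  # the implicit 'deny any' that ends every ACL


def forward(src, ingress, egress, acls):
    """Carry a packet with source 'src' in through 'ingress' and out through 'egress'.

    Direction is judged from the center of the router: first the inbound list of the
    interface the packet arrives on, then the outbound list of the interface it leaves by.
    """
    for iface, direction in ((ingress, "in"), (egress, "out")):
        number = iface.get(direction)
        if number is None:
            continue  # no ACL applied in this direction: everything passes
        acl = acls.get(number)
        if acl is None:
            continue  # applied but never created: IOS permits all traffic
        if acl.evaluate(src) == "deny":
            return f"dropped by access-list {number} {direction} on {iface['name']}"
    return "forwarded"


# Access-list 50 from the page's configuration, built statement by statement.
ACL50 = (StandardACL(50)
         .add("deny", "192.168.1.10")
         .add("deny", "192.168.2.0", "0.0.0.255")
         .add("permit", "any"))
ACLS = {50: ACL50}

# Constructed topology (assumption): Fa0/0 faces the 192.168.5.0/24 LAN, Fa0/1 the rest.
FA0_0 = {"name": "Fa0/0", "in": None, "out": 50}  # ip access-group 50 out, as on the page
FA0_1 = {"name": "Fa0/1", "in": None, "out": None}


def demo():
    results = {}
    # Correct placement: traffic headed into the LAN leaves the router through Fa0/0.
    results["blocked_host"] = forward("192.168.1.10", FA0_1, FA0_0, ACLS)
    results["blocked_subnet"] = forward("192.168.2.200", FA0_1, FA0_0, ACLS)
    results["allowed"] = forward("192.168.1.11", FA0_1, FA0_0, ACLS)
    # The common mistake: the same list applied 'in' on the LAN interface never sees that traffic.
    wrong = {"name": "Fa0/0", "in": 50, "out": None}
    results["mistake"] = forward("192.168.1.10", FA0_1, wrong, ACLS)
    # Applying a number that was never created filters nothing (constructed list 99).
    unmade = {"name": "Fa0/0", "in": None, "out": 99}
    results["undefined"] = forward("192.168.1.10", FA0_1, unmade, ACLS)
    # A list with no permit statement denies even addresses it never mentions (constructed list 60).
    deny_only = StandardACL(60).add("deny", "10.0.0.0", "0.255.255.255")
    results["deny_only"] = deny_only.evaluate("192.0.2.1")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "mistake" case is the one to study: with list 50 applied inbound on Fa0/0, the packet from 192.168.1.10 arrives on Fa0/1 and leaves on Fa0/0, so no list on its path ever tests it and it reaches the LAN.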
Numbered ACL Common Characteristics
Before looking at the details of standard and extended ACLs, consider the following characteristics of all numbered access lists:
- An ACL is made up of one or more permit or deny statements
- Every ACL ends with an implicit deny of everything, so if an ACL doesn't have at least one permit statement, it will deny all traffic
- All ACL statements with the same number are part of the same ACL
- ACL statements are processed in the order they were entered and the first match wins, so the order in which you enter them determines the result
- An ACL can be added to (appended), but not edited. Removing a single statement with the no form of the command deletes the entire ACL, so to change a list you remove it and re-enter every statement. Do that with the list unapplied: an interface whose access-group names a list that no longer exists permits all traffic until the list is recreated
Tip: By default, router interfaces configured for a protocol "allow" all traffic in both directions without restriction. Once an ACL is applied to an interface, the default flips to "blocking" all traffic for that protocol in the specified direction, except what is explicitly allowed by the ACL.
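The characteristics above (statements grouped by number, order and first match, the implicit deny, and the two-step create-then-apply requirement) can be checked statically before a configuration is loaded. The following linter is an added example, not code from the original page; the sample configuration it reads is constructed for the demonstration and deliberately contains a deny-only list, a list with an unreachable statement, an unapplied list and an access-group that names a list which was never created. It handles only the address forms shown on this page (bare address, address plus wildcard, and any).

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the page), with deliberate problems to catch.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
 ip access-group 50 out
 ip access-group 70 in
!
access-list 50 deny 192.168.1.10
access-list 50 deny 192.168.2.0 0.0.0.255
access-list 50 permit any
access-list 60 deny 10.0.0.0 0.255.255.255
access-list 80 permit any
access-list 80 deny 192.168.9.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$")
GROUP_RE = re.compile(r"^ip access-group\s+(\d+)\s+(in|out)\s*$")


def parse_config(text):
    """Group access-list statements by number (in entry order) and collect ip access-group uses."""
    acls = defaultdict(list)  # number -> [(action, address, wildcard), ...]
    applied = []              # [(interface, number, direction), ...]
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        m = ACL_RE.match(line)
        if m:
            number, action, addr, wild = m.groups()
            if wild is None:  # 'any' covers everything; a bare address is one host
                wild = "255.255.255.255" if addr == "any" else "0.0.0.0"
            acls[int(number)].append((action, addr, wild))
            continue
        m = GROUP_RE.match(line)
        if m and iface is not None:
            applied.append((iface, int(m.group(1)), m.group(2)))
    return dict(acls), applied


def lint(acls, applied):
    """Report lists that behave differently from what their author probably intended."""
    findings = []
    applied_numbers = {number for _, number, _ in applied}
    for number, stmts in sorted(acls.items()):
        # No permit at all: the implicit deny at the end catches everything.
        if not any(action == "permit" for action, _, _ in stmts):
            findings.append(f"access-list {number} has no permit statement: it denies everything")
        # First match wins, so nothing entered after a '... any' statement can ever be reached.
        for i, (action, addr, _) in enumerate(stmts):
            if addr == "any" and i < len(stmts) - 1:
                after = len(stmts) - i - 1
                findings.append(f"access-list {number}: '{action} any' at statement {i + 1} "
                                f"makes the {after} statement(s) after it unreachable")
                break
        # Step one done, step two missing: the list filters nothing.
        if number not in applied_numbers:
            findings.append(f"access-list {number} is created but not applied to any interface "
                            f"with ip access-group: it has no effect")
    # Step two done, step one missing: IOS permits all traffic through that access-group.
    for iface, number, direction in applied:
        if number not in acls:
            findings.append(f"{iface} {direction}: ip access-group {number} names an access list "
                            f"that does not exist: all traffic is permitted")
    return findings


def lint_config(text):
    return lint(*parse_config(text))


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it is silent about list 50 (which is the page's own list, complete and applied) and reports the four constructed problems, including the ip access-group 70 in line that would quietly pass everything on FastEthernet0/0.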
The Numbers Matter
With numbered ACLs, the number is a list identifier that
indicates the protocol used and whether the list is part of a standard or an
extended ACL. Each statement in the ACL will have the same number. The following
table is a recent listing of the ACL number ranges.
While this text and the exam focus only on IP ACLs, it's important to remember that similar features exist for IPX, AppleTalk, and other, even older, protocols.