Configuring Access Lists on Cisco Routers

An access list is simply a list of conditions or statements that can match or categorize packets in a number of different ways. Access lists are also known as access control lists (ACLs), while the individual entries or statements in an access list are called access control entries (ACEs).

Access lists are primarily used for traffic filtering, but they also have several other uses such as management access control, route advertisement filtering, debug output filtering, and traffic identification for encryption. Access lists are basically a tool to match interesting packets, which can then be subjected to different kinds of special operations.

There are two main categories of access lists: standard access lists and extended access lists.

Standard Access Lists

Standard access lists are the basic form of access list on Cisco routers. They match packets by the source IP address field in the packet header only. These access lists are simpler to create and understand, but the packet matching options are limited to the source address.

Extended Access Lists

If you want to match packets on anything more than the source IP address, you need an extended access list, numbered or named. Extended access lists can filter on source and destination IP addresses, or on a combination of addresses and several other fields such as protocol and port.

Both standard and extended access lists can be written in numbered or named format, which are just two different ways to write the same access list. In terms of functionality, numbered and named access lists are equivalent: what you can achieve with a numbered access list can also be achieved with an equivalent named access list, and this applies to both standard and extended ACLs. Some people favor the named format because it is more readable, but both formats are widely used in practice and both are important for your Cisco certification exam.

Please refer to Table 1 to learn the range of numbers that can be used to create standard and extended numbered access lists.

Table 1 Access List Number Ranges

Access List Type                             Number Range
IP Standard Access Lists                     1-99
IP Standard Access Lists (expanded range)    1300-1999
IP Extended Access Lists                     100-199
IP Extended Access Lists (expanded range)    2000-2699

Please have a look at Figure 1, which we will use for all our configuration examples. The scenario consists of a single router R1 with two interfaces, Fa0/0 and Fa0/1, connected to the internal network and the Internet, respectively. The access lists are aimed at controlling access to the Internet by users in the internal network, and they are applied to interface Fa0/0 in the inbound direction.

Figure 1 Access List Application


Creating Standard Access Lists

We will start by configuring a standard access list, first in numbered and then in named format. The access list should allow Bob to access the Internet while blocking all access for Smith, and it should also log Smith's unsuccessful attempts. Let's see how we can do this using a standard access list in numbered format.

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 1 permit host 192.168.1.3
R1(config)#access-list 1 deny host 192.168.1.7 log
R1(config)#

In the above configuration example we used the host keyword to identify individual hosts, but the same result can also be achieved by using the inverse mask 0.0.0.0. Let's now apply this access list to interface Fa0/0 in the inbound direction.

R1(config)#interface Fa0/0
R1(config-if)#ip access-group 1 ?
in   inbound packets
out  outbound packets

R1(config-if)#ip access-group 1 in
R1(config-if)#end
R1#

Let's now create an access list in the named format and apply it to interface Fa0/0 in order to achieve the same effect. Here, we use the inverse mask instead of the host keyword to match individual hosts.

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list standard Filter
R1(config-std-nacl)#permit 192.168.1.3 0.0.0.0
R1(config-std-nacl)#deny 192.168.1.7 0.0.0.0 log
R1(config-std-nacl)#interface Fa0/0
R1(config-if)#ip access-group Filter in
R1(config-if)#end
R1#

Creating Extended Access Lists

We will now configure an extended access list, first in numbered and then in named format. The access list should allow Bob to access Web servers on the Internet while blocking all Web access for Smith, and it should also log Smith's unsuccessful attempts to open a website. Let's see how we can do this using an extended access list in numbered format.

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 100 permit tcp host 192.168.1.3 any eq www
R1(config)#access-list 100 deny tcp host 192.168.1.7 any eq www log
R1(config)#interface Fa0/0
R1(config-if)#ip access-group 100 in
R1(config-if)#end
R1#

Now, let's configure the same extended access list in the named format.

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list extended Filter
R1(config-ext-nacl)#permit tcp 192.168.1.3 0.0.0.0 any eq www
R1(config-ext-nacl)#deny tcp 192.168.1.7 0.0.0.0 any eq www log
R1(config-ext-nacl)#interface Fa0/0
R1(config-if)#ip access-group Filter in
R1(config-if)#end
R1#
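The router applies both the standard access list (access list 1 / Filter) and the extended access list (access list 100 / Filter) the same way: it walks the entries top to bottom, the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny at the end of every Cisco ACL. The following evaluator is an added example written for this article; it is not Cisco code and does not come from the router. It encodes the four ACLs configured above and runs constructed sample packets through them. The Internet address 203.0.113.10 and the third internal host 192.168.1.50 are constructed for the demonstration.

```python
"""Added example: a small evaluator that mimics how a Cisco IOS router walks an
access list, so the standard and extended ACLs from the article can be tested
against sample packets without a router. Not Cisco code; the packet values and
the Internet address used below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco inverse (wildcard) mask: a 0 bit must match exactly, a 1 bit is
    ignored. So 'host X' and 'X 0.0.0.0' mean the same thing, and
    '0.0.0.0 255.255.255.255' is what the 'any' keyword expands to."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Ace:
    """One access control entry. A standard ACL only uses action/src/src_wc."""
    action: str                       # "permit" or "deny"
    src: str                          # source address, or "any"
    src_wc: str = "0.0.0.0"           # wildcard; 0.0.0.0 is the 'host' keyword
    proto: str = "ip"                 # "ip" matches every protocol (standard ACL)
    dst: str = "any"
    dst_wc: str = "0.0.0.0"
    dst_port: Optional[int] = None    # 'eq www' is TCP port 80
    log: bool = False                 # the 'log' keyword


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: Optional[int] = None


def addr_match(addr: str, base: str, wc: str) -> bool:
    return base == "any" or wildcard_match(addr, base, wc)


def ace_match(ace: Ace, pkt: Packet) -> bool:
    """True only if every field of the ACE agrees with the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not addr_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not addr_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet, log: List[str]) -> Tuple[str, Optional[int]]:
    """First matching ACE wins. A packet that matches nothing hits the implicit
    'deny any' at the end of every Cisco ACL, reported here as index None."""
    for index, ace in enumerate(acl, start=1):
        if ace_match(ace, pkt):
            if ace.log:
                log.append(f"{ace.action} {pkt.proto} {pkt.src} -> {pkt.dst}")
            return ace.action, index
    return "deny", None


# The article's ACLs. src_wc="0.0.0.0" (the default) is the 'host' form, so
# the numbered and named versions are the same list.
STANDARD_ACL_1 = [
    Ace("permit", "192.168.1.3"),               # Bob
    Ace("deny", "192.168.1.7", log=True),       # Smith, logged
]
EXTENDED_ACL_100 = [
    Ace("permit", "192.168.1.3", proto="tcp", dst_port=80),            # Bob, www
    Ace("deny", "192.168.1.7", proto="tcp", dst_port=80, log=True),    # Smith, www, logged
]


def run_scenarios():
    """Push constructed traffic through each ACL and return (results, log)."""
    web = "203.0.113.10"   # constructed Internet address
    log: List[str] = []
    results = {
        "std bob web":   evaluate(STANDARD_ACL_1, Packet("192.168.1.3", web, "tcp", 80), log),
        "std smith web": evaluate(STANDARD_ACL_1, Packet("192.168.1.7", web, "tcp", 80), log),
        "std other":     evaluate(STANDARD_ACL_1, Packet("192.168.1.50", web, "tcp", 80), log),
        "ext bob web":   evaluate(EXTENDED_ACL_100, Packet("192.168.1.3", web, "tcp", 80), log),
        "ext smith web": evaluate(EXTENDED_ACL_100, Packet("192.168.1.7", web, "tcp", 80), log),
        "ext bob https": evaluate(EXTENDED_ACL_100, Packet("192.168.1.3", web, "tcp", 443), log),
        "ext smith dns": evaluate(EXTENDED_ACL_100, Packet("192.168.1.7", web, "udp", 53), log),
    }
    return results, log


if __name__ == "__main__":
    res, logged = run_scenarios()
    for name, (action, idx) in res.items():
        print(f"{name:14s} {action:6s} matched ACE {idx if idx else '(implicit deny)'}")
    print("logged:", logged)
```

Running it shows the behaviour the article asks for (Bob permitted by entry 1, Smith denied and logged by entry 2) and also the part the two-line ACLs do not state: every other internal host, Bob's HTTPS traffic on port 443 and Smith's DNS query all fall through to the implicit deny, and nothing is logged for them because only an entry with the log keyword writes a log message. When an ACL is applied inbound on Fa0/0, that implicit deny applies to all traffic entering the interface, not just Internet-bound traffic, so a production list normally ends with an explicit permit for whatever else should pass.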

We briefly covered access lists in this article. You can verify which access lists exist on your Cisco device using the show access-lists command. The final test of an access list is to generate traffic that the access list is supposed to permit or deny and observe the results.
