Standard IP Access Lists

As mentioned earlier, a standard IP access list provides basic packet filtering abilities, based on the source IP address of a packet only. As a general rule, apply standard IP access lists close to the destination network to which you wish to permit or deny access.

Consider the figure below – in this simple network, we wish to deny hosts on network 10.1.10.0/24 from accessing network 10.1.30.0/24. If an outbound access list were placed on RouterA interface E1, this would stop hosts on network 10.1.10.0/24 from accessing both networks 10.1.20.0 and 10.1.30.0. By placing the outbound standard access list on RouterB interface E1 instead, hosts on network 10.1.10.0/24 are only denied access to network 10.1.30.0.

Figure: The outbound access list applied to RouterB interface E1 denies access to hosts from network 10.1.10.0/24.

Recall that standard IP access lists fall into the numerical range 1-99. Implementing a standard access list involves two major steps. The first step involves adding rules to an access list. The second involves applying the access list to an interface.
IP standard access lists are created from global configuration mode, using the access-list command. The syntax of an access list can be a little confusing, so we’ll walk through our examples using the help feature of the Cisco IOS. The complete syntax for an IP standard access list is:

access-list access-list-number {deny | permit} source [source-wildcard] log

The access-list command is used to specify the creation of a new access list entry. The access-list-number is the number of the access list to which this rule will be added. It’s worth noting that if an access list of this number doesn’t exist, it will be created. If it does exist, the command will add another rule to the bottom of that access list. Then the deny or permit entry does what their names suggest – outlines the action to be carried out when the criteria specified in the rule is met. A permitted packet is allowed to pass, while a denied packet is dropped. The source section allows you to specify the source address of the host to which the rule applies. This might be a single host, or a group of hosts if a customized source-wildcard mask is specified (wildcard masking will be looked at in the next section). The log command is optional – if specified, the router will literally display a message on the console each time an access list entry is matched. While it may be interesting to see, I generally suggest leaving it turned off, especially on a production router.

The best way to begin is by creating an access list based on a scenario. In the figure below, our network consists of two subnets. Our goal is to deny traffic from host 192.168.1.100 from reaching network 192.168.2.0. All other traffic should be allowed to pass.

Figure: An outbound access list will be applied outbound on interface E1.

We’ll give the access list a number of 50, which I chose randomly. Remember that access lists are defined from global configuration mode.

RouterA(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list

By using help, we know that the access-list command expects an access list number next. We’re using the number 50. Requesting help again yields the following:

RouterA(config)#access-list 50 ?
deny Specify packets to reject
permit Specify packets to forward

The next step is specifying whether this rule permits or denies traffic. The goal of our first rule is to deny access to host 192.168.1.100, so we’ll choose deny.

RouterA(config)#access-list 50 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address

After specifying our deny statement, we are prompted to identify the host (or hosts) for which we wish to deny access. Notice that possible entries include a hostname (this would require a configured hosts table or DNS lookup), the IP address of the host, or use of the any keyword. Choosing any would deny access to all hosts in this case. Denying access to a single host can be accomplished in two different ways. The first method is by using the host keyword, as shown below.

RouterA(config)#access-list 50 deny host 192.168.1.100

Another way to accomplish the same thing is to specify what is known as a wildcard mask. For a single host, the wildcard mask is all 0s, as shown below. We’ll look at how to specify wildcard masks for groups of hosts shortly.

RouterA(config)#access-list 50 deny 192.168.1.100 0.0.0.0
RouterA(config)#

Pressing Enter completes the command (though the log keyword could have also been added). This adds a single rule to standard IP access list 50. We still need to add a second rule, specifying that all other traffic is permitted. This command is very straightforward:

RouterA(config)#access-list 50 permit any

The second rule simply specifies that all traffic is allowed to pass. It’s important to remember that this is the second rule on the list – rules are sequentially added to an access list, in the order they are specified. If we were to add another rule, it would be the third on the list, and so forth. There is no way to change the order of rules in the Cisco IOS. However, one popular way to edit the order of access lists is to save your configuration to a TFTP server, and then edit the saved configuration file in a text editor.

It’s also important that you think very carefully about the order in which you add access list entries. You want to make sure that the entries permit or deny traffic as per your intentions. For that reason, it is extremely important that more specific entries always be added towards the beginning of an access list. If not, a packet that you intended to deny may in fact be permitted by a more “generous” preceding entry. Remember – access lists are only evaluated until a match is found. If we had created our access list in the reverse order (with the access-list 50 permit any rule added first), the second rule would never be evaluated – all traffic would match the first rule.

To view the access lists that have been defined on a router, use the show run command. Though I’ve truncated the output below, access list entries appear towards the bottom of the configuration file.

RouterA#sh run
Building configuration...
Current configuration:
!
access-list 50 deny 192.168.1.100
access-list 50 permit any

With our simple standard IP access list defined, the next step is applying it to an interface. The command to apply a standard IP access list to an interface is ip access-group, followed by the number of the access list and a direction (inbound or outbound). Access lists are applied to an interface from interface configuration mode, as shown below.

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int e1
RouterA(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name

RouterA(config-if)#ip access-group 50 ?
in inbound packets
out outbound packets
RouterA(config-if)#ip access-group 50 out

Recall our original scenario. Our goal was to deny host 192.168.1.100 access to network 192.168.2.0/24. By configuring the access-list as outbound on the router’s E1 interface, only traffic from host 192.168.1.100 is denied the ability to exit interface E1. You might wonder why we didn’t just apply the access list as inbound on interface E0. If we had, it would have denied host 192.168.1.100 access to all networks, and not just network 192.168.2.0/24.

To view the IP access lists applied to an interface, use the show ip interface or show running-config commands. The show ip int e1 command is shown below, truncated to only include relevant output.

RouterA#sh ip int e1
Ethernet0 is up, line protocol is up
Internet address is 192.168.2.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 50
Inbound access list is not set

To view all access lists applied to a router, use the show access-lists command. To view a particular IP access list, use the show ip access-list command, followed by the access list number. Examples of both are outlined below.

RouterA#show access-list
Standard IP access list 50
deny 192.168.1.100
permit any
RouterA#show ip access-list 50
Standard IP access list 50
deny 192.168.1.100
permit any

Because we only have one access list defined at this point, the output of both commands looks similar. However, the first command will ultimately list all access lists (including IPX or otherwise), while the second shows only the contents of a specific IP access list.
To remove an access list from an interface, you use the “no” version of the ip access-group command from interface configuration mode.

RouterA(config-if)#no ip access-group 50 out

To entirely remove an access-list from the router, use the no access-list command, followed by the number of the access list that you wish to delete from global configuration mode.

RouterA(config)#no access-list 50

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.