Introduction to Access Lists

At the most basic level, an access list is no more than an ordered list of packet filters that can be applied to a router interface. Access lists inspect network packets based on criteria such as source address, destination address, protocol, and port numbers, and the rules in the list are used to either permit or deny the traffic. For example, an access list entry might specify that traffic from network 192.168.25.0/24 should be denied. When a packet arrives on an interface with that access list applied, the router compares the packet against the list. If the source address falls within 192.168.25.0/24, the packet is denied and dropped.

Tip: Cisco generally recommends that access lists be implemented at the distribution layer. Although they are sometimes used at the access layer as well, it is strongly recommended that you avoid implementing access lists at the core layer, because the per-packet inspection reduces forwarding rates where throughput matters most.

In order to appreciate access lists, you must keep a few key things in mind. The first is that an access list is nothing more than a series of packet filtering rules. However, this list of rules does nothing until it is applied to a router interface. That’s important to remember: first you define an access list, and then you apply it to an interface. Access lists can be applied to an interface to control inbound traffic, outbound traffic, or both (one list per direction). After being applied to an interface, an access list can still have packet-filtering rules added to it; new entries are appended to the end of the list. It’s also important to keep in mind that access lists only filter traffic that moves through a router. Traffic between hosts on the same network segment never crosses the router, so it is never seen by an access list. Likewise, an outbound access list does not filter traffic that the router itself generates, only traffic it is forwarding.

While an access list that specifies a single rule may be simple, things get a little more complex as additional rules are added. An access list can be made up of many rules, each of which specifies whether certain types of traffic should be permitted or denied. The router evaluates the rules from the top down, and the first rule that matches a packet decides its fate; no later rules are consulted. If no rule matches, the packet is dropped by the implicit “deny all” at the end of every access list, which is why a list that contains only deny statements blocks everything. In order to completely understand how access lists filter traffic, you’ll need to understand how rules are evaluated, the different types of access lists that exist, and how access lists are applied to interfaces.
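The three points above (define the list, apply it to an interface and direction, then evaluate top-down with an implicit deny at the end) are easier to see in a working model. The following is an added example, not code from the original chapter or from Cisco: a small Python parser and evaluator for standard IP access lists written in real IOS syntax. The access list number 10, the interface name Ethernet0, the 10.0.0.0/8 network and the sample source addresses are assumptions constructed for the illustration; the 192.168.25.0/24 network is the one used in the text.

```python
"""Model of how a Cisco IOS standard IP access list is defined, applied and
evaluated.  Added example; the configuration below is constructed for
illustration (ACL 10, interface Ethernet0 and the 10.0.0.0/8 entry are assumed),
but the command syntax is genuine IOS standard-ACL syntax."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed sample configuration in IOS standard-ACL syntax.
# Note the order: the deny for 192.168.25.0/24 sits above the permit, and
# there is deliberately no "permit any", so every other source hits the
# implicit deny at the end of the list.
SAMPLE_CONFIG = """
access-list 10 deny   192.168.25.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.255.255
interface Ethernet0
 ip access-group 10 in
"""


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Entry:
    action: str    # "permit" or "deny"
    network: int   # source network as a 32-bit integer
    wildcard: int  # IOS wildcard mask: a 1 bit means "don't care"

    def matches(self, src: int) -> bool:
        # A wildcard mask is the inverse of a subnet mask, so compare only
        # the bits that are 0 in the wildcard.
        care = ~self.wildcard & 0xFFFFFFFF
        return (src & care) == (self.network & care)


def parse_acl_line(line: str) -> tuple[int, Entry]:
    """Parse one 'access-list N permit|deny <source>' standard-ACL line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard access-list line: {line!r}")
    number, action, src = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    if src == ["any"]:
        network, wildcard = 0, 0xFFFFFFFF
    elif src[0] == "host":
        network, wildcard = _to_int(src[1]), 0
    elif len(src) == 1:
        network, wildcard = _to_int(src[0]), 0  # bare address means one host
    else:
        network, wildcard = _to_int(src[0]), _to_int(src[1])
    return number, Entry(action, network, wildcard)


@dataclass
class Router:
    acls: dict[int, list[Entry]] = field(default_factory=dict)
    bindings: dict[tuple[str, str], int] = field(default_factory=dict)

    def load(self, config: str) -> None:
        """Define access lists and bind them to interfaces from IOS-style text."""
        interface = None
        for raw in config.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.startswith("access-list "):
                number, entry = parse_acl_line(line)
                # Entries are appended in the order entered, even after the
                # list is already applied to an interface.
                self.acls.setdefault(number, []).append(entry)
            elif line.startswith("interface "):
                interface = line.split()[1]
            elif line.startswith("ip access-group "):
                _, _, number, direction = line.split()
                self.bindings[(interface, direction)] = int(number)

    def evaluate(self, number: int, src: str) -> str:
        """Top-down, first match wins, implicit deny when nothing matches."""
        packet = _to_int(src)
        for entry in self.acls.get(number, []):
            if entry.matches(packet):
                return entry.action
        return "deny"

    def filter(self, interface: str, direction: str, src: str) -> str:
        """What the router does with a packet on a given interface/direction."""
        number = self.bindings.get((interface, direction))
        if number is None:
            return "permit"  # no list applied here: nothing is filtered
        return self.evaluate(number, src)


if __name__ == "__main__":
    router = Router()
    router.load(SAMPLE_CONFIG)
    for src in ("192.168.25.7", "10.1.2.3", "172.16.1.1"):
        print(f"Ethernet0 in  {src:<14} -> {router.filter('Ethernet0', 'in', src)}")
        print(f"Ethernet0 out {src:<14} -> {router.filter('Ethernet0', 'out', src)}")
```

Run it and the three behaviours in the text fall out directly: 192.168.25.7 is denied by the first entry, 10.1.2.3 is permitted by the second, and 172.16.1.1 is denied even though no entry names it, because of the implicit deny. The same packets leaving Ethernet0 are all forwarded, since list 10 is bound only inbound; the list exists, but it does nothing in a direction where it has not been applied.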

Cisco IOS Access Lists

In Chapter 8 we walked through the essentials of configuring a Cisco router for both static and dynamic routing. While routing protocols such as IP and IPX might be the central purpose of a router, a Cisco router is capable of much more. Cisco’s IOS includes the ability to “filter” network traffic based on source or destination address, protocol, port numbers, and more. In Cisco’s world, traffic filtering is accomplished through the use of access lists. Access lists can be defined for a variety of protocols, and ultimately allow you to control the types of traffic that will be allowed into or out of a router interface. For example, you might block a group of hosts from accessing a certain internal server, or limit systems to passing only HTTP traffic to another network.

While the concept of an access list may be simple, the actual implementation of access lists involves some careful planning. Anecdotally, misconfigured access lists are said to generate more calls to Cisco support than any other topic. For the purpose of both the CCNA and CCDA exams, you will need to understand the essentials of access lists, including the different types that exist, their capabilities, and how rules are applied and evaluated. The topics that we’ll cover in this chapter include:

  • An introduction to access lists
  • Configuring standard and extended IP access lists
  • Configuring standard and extended IPX access lists
  • Configuring SAP access lists

The successful use of access lists involves both understanding how they are evaluated, and properly planning the implementation.