Standard access lists permit or deny packets based only on the packet's source IP address, as shown in Figure B-9. The access list number range for standard IP access lists is 1 to 99 or from 1300 to 1999. Standard access lists are easier to configure than their more robust counterparts, extended access lists.
Figure B-9 Standard IP Access Lists Filter Based Only on the Source Address
Source Address
Source Address
A standard access list is a sequential collection of permit and deny conditions that apply to source IP addresses. The router tests addresses against the conditions in an access list one by one. The first match determines whether the router accepts or rejects the packet. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet.
Figure B-10 shows the processing of inbound standard access lists. After receiving a packet, the router checks the packet's source address against the access list. If the access list permits the address, the router exits the access list and continues to process the packet. If the access list denies the address, the router discards the packet and returns an Internet Control Message Protocol [ICMP] administratively prohibited message.
Figure B-10 Inbound Standard IP Access List Processing
Note that the action taken if no more entries are found in the access list is to deny the packet; this illustrates an important rule to remember when creating access lists. For example, consider what will happen if you create a list that simply denies traffic that you do not want to let into your network, and you configure this on an interface. If you forget about this rule, all of your traffic is denied—the traffic explicitly denied by your list, and the rest of the traffic that is implicitly denied because the access list is applied to the interface.
Implicit deny any at the End of the Access List
The last entry in an access list is known as an implicit deny any. All traffic not explicitly permitted is implicitly denied.
Order Is Important When Configuring Access Lists
When configuring access lists, order is important. Make sure that you list the entries in order from specific to general. For example, if you want to deny a specific host address and permit all other addresses, make sure that your entry about the specific host appears first.
KEY POINT
KEY POINT
Figure B-11 illustrates the processing of outbound standard IP access lists. After receiving and routing a packet to a controlled interface, the router checks the packet's source address against the access list. If the access list permits the address, the router transmits the packet. If the access list denies the address, the router discards the packet and returns an ICMP administratively prohibited message.
Figure B-11 Outbound Standard IP Access List Processing
Wildcard Masks
Both standard and extended IP access lists use a wildcard mask. Like an IP address, a wildcard mask is a 32-bit quantity written in dotted-decimal format. The wildcard mask tells the router which bits of the address to use in comparisons.
KEY POINT
Wildcard Mask Used to Interpret the IP Address
Address bits corresponding to wildcard mask bits set to 1 are ignored in comparisons; address bits corresponding to wildcard mask bits set to 0 are used in comparisons.
An alternative way to think of the wildcard mask is as follows. If a 0 bit appears in the wildcard mask, the corresponding bit location in the access list address and the same bit location in the packet address must match [both must be 0 or both must be 1]. If a 1 bit appears in the wildcard mask, the corresponding bit location in the packet matches [whether it is 0 or 1], and that bit location in the access list address is ignored. For this reason, bits set to 1 in the wildcard mask are sometimes called don't care bits.
Remember that the order of the access list statements is important because the access list is not processed further after a match is found.
Wildcard Masks
The concept of a wildcard mask is similar to the wildcard character used in DOS-based computers. For example, to delete all files on your computer that begin with the letter f, you would enter this:
The * character is the wildcard; any files that start with f, followed by any other characters, and then a dot, and then any other characters, are deleted.
Instead of using wildcard characters, routers use wildcard masks to implement this concept.
Examples of addresses and wildcard masks, and what they match, are shown in Table B-6.
Table B-6 Access List Wildcard Mask Examples
|
Address |
Wildcard Mask |
What It Matches |
|
0.0.0.0 |
255.255.255.255 |
Any address |
|
172.16.0.0/16 |
0.0.255.255 |
Any host on network 172.16.0.0 |
|
172.16.7.11/16 |
0.0.0.0 |
Host address 172.16.7.11 |
|
255.255.255.255 |
0.0.0.0 |
Local broadcast address 255.255.255.255 |
|
172.16.8.0/21 |
0.0.7.255 |
Any host on subnet 172.16.8.0/21 |
Access List Configuration Tasks
Whether you are creating a standard or extended access list, you need to complete the following two tasks:
Step 1
Step 2
Create an access list in global configuration mode by specifying an access list number and access conditions.
Define a standard IP access list using a source address and wildcard, as shown later in this section.
Define an extended access list using source and destination addresses, as well as optional protocol-type information for finer granularity of control, as discussed in the "IP Extended Access Lists" section later in this appendix.
Apply the access list in interface configuration mode to interfaces [or in line configuration mode to terminal lines].
After creating an access list, you can apply it to one or more interfaces. Access lists can be applied either outbound or inbound on interfaces.
IP Standard Access List Configuration
Use the access-list access-list-number {permit I deny} {source [source-wildcard] I any} [log] global configuration command to create an entry in a standard access list, as detailed in Table B-7.
Table B-7 Standard IP access-list Command Description
|
Parameter |
Description |
|
access-list-number |
Identifies the list to which the entry belongs. A number from 1 to 99 or from 1300 to 1999. |
|
permit I deny |
Indicates whether this entry allows or blocks traffic from the specified address. |
|
source |
Identifies the source IP address. |
|
source-wildcard |
[Optional] Identifies which bits in the address field must match. A 1 in any bit position indicates don't care bits, and a 0 in any bit position indicates that the bit must strictly match. If this field is omitted, the wildcard mask 0.0.0.0 is assumed. |
|
any |
Use this keyword as an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255. |
|
log |
[Optional] Causes an informational logging message about the packet that matches the entry to be sent to the console. Exercise caution when using this keyword, because it consumes CPU cycles. |
When a packet does not match any of the configured lines in an access list, the packet is denied by default because there is an invisible line at the end of the access list that is equivalent to deny any. [deny any is the same as denying an address of 0.0.0.0 with a wildcard mask of 255.255.255.255.]
The keyword host can also be used in an access list. It causes the address that immediately follows it to be treated as if it were specified with a mask of 0.0.0.0. For example, configuring host 10.1.1.1 in an access list is equivalent to configuring 10.1.1.1 0.0.0.0.
Use the ip access-group access-list-number { in I out} interface configuration command to link an existing access list to an interface, as shown in Table B-8. Each interface can have both an inbound and an outbound IP access list.
Table B-8 ip access-group Command Description
|
Parameter |
Description |
|
access-list-number |
Indicates the number of the access list to be linked to this interface. |
|
in I out |
Processes packets arriving on or leaving from this interface. The default is out. |
Eliminate the entire list by entering the no access-list access-list-number global configuration command. Remove an access list from an interface with the no ip access-group access-list-number {in I out} interface configuration command.
Implicit Wildcard Masks
Implicit, or default, wildcard masks reduce typing and simplify configuration, but you must take care when relying on the default mask.
The access list line shown in Example B-2 is an example of a specific host configuration. For standard access lists, if no wildcard mask is specified, the wildcard mask is assumed to be 0.0.0.0. The implicit mask makes it easier to enter a large number of individual addresses.
Example B-2 Standard Access List Using the Default Wildcard Mask
I access-list 1 permit 172.16.5.17
Example B-3 shows common errors found in access list lines.
Example B-3 Common Errors Found in Access Lists
|
access |
list |
1 |
permit 0.0.0.0 |
|
access |
list |
2 |
permit 172.16.0.0 |
|
access |
list |
3 |
deny any |
|
access |
list |
3 |
deny 0.0.0.0 255.255.255.255 |
The first list in Example B-3—permit 0.0.0.0—would exactly match the address 0.0.0.0 and then permit it. Because you would never receive a packet from 0.0.0.0, this list would prevent all traffic from getting through [because of the implicit deny any at the end of the list].
The second list in Example B-3—permit 172.16.0.0—is probably a configuration error. The intention was probably 172.16.0.0 0.0.255.255. The exact address 172.16.0.0 refers to the network and would never be assigned to a host. As a result, nothing would get through with this list, again because of the implicit deny any at the end of the list. To filter networks or subnets, use an explicit wildcard mask.
The next two lines in Example B-3—deny any and deny 0.0.0.0 255.255.255.255—are unnecessary to configure because they duplicate the function of the implicit deny that occurs when a packet fails to match all the configured lines in an access list. Although they are not necessary, you might want to add one of these entries for record-keeping purposes.
Configuration Principles
The following general principles help ensure that the access lists you create have the intended results:
■ Top-down processing
— Organize your access list so that more specific references in a network or subnet appear before more general ones.
— Place more frequently occurring conditions before less-frequent conditions.
■ Implicit deny any
— Unless you end your access list with an explicit permit any, it denies all traffic that fails to match any of the access list lines by default.
■ New lines added to the end
— Subsequent additions are always added to the end of the access list.
— You cannot selectively add or remove lines when using numbered access lists, but you can when using named access lists for IP [a feature that is available in Cisco IOS Release 11.2 and later].
NOTE Cisco IOS Release 12.2[14]S introduced a feature called IP Access List Entry Sequence Numbering that allows network administrators to apply sequence numbers to permit or deny statements in a named IP access list and also reorder, add, or remove such statements. Prior to this feature, network administrators could only add access list entries to the end of an access list [which is the case for numbered access lists], meaning that if statements need to be added anywhere except the end of the access list, the entire access list must be reconfigured.
■ An undefined access list equals permit any
— If you apply an access list with the ip access-group command to an interface before any access list lines have been created, the result is permit any. However, the list is live, so if you enter only one line, it goes from a permit any to a deny most [because of the implicit deny any] as soon as you press Enter. For this reason, you should create your access list before applying it to an interface.
Standard Access List Example
Figure B-12 shows a sample network, and Example B-4 shows the configuration on Router X in that figure.
Figure B-12 Network Used for the Standard IP Access List Example
Example B-4 Standard Access List Configuration of Router X in Figure B-12
Router[config]#access-list 2 permit 10.48.0.3 Router[config]#access-list 2 deny 10.48.0.0 0.0.255.255 Router[config]#access-list 2 permit 10.0.0.0 0.255.255.255 Router[config]#![Note: all other access implicitly denied] Router[config]#interface ethernet 0 Router[config-if]#ip access-group 2 in
Consider which devices can communicate with Host A in this example:
■ Host B can communicate with Host A. It is permitted by the first line of the access list, which uses an implicit host mask.
■ Host C cannot communicate with Host A. Host C is in the subnet that is denied by the second line in the access list.
■ Host D can communicate with Host A. Host D is on a subnet that is explicitly permitted by the third line of the access list.
■ Users on the Internet cannot communicate with Host A. Users outside this network are not explicitly permitted, so they are denied by default with the implicit deny any at the end of the access list.
Location of Standard Access Lists
Access list location can be more of an art than a science. Consider the network in Figure B-13 and the access list configuration in Example B-5 to illustrate some general guidelines. If the policy goal is to deny Host Z access to Host V on another network, and not to change any other access policy, determine on which interface of which router this access list should be configured.
Figure B-13 Location of the Standard IP Access List Example
Example B-5 Standard Access List to Be Configured on a Router in Figure B-13
access-list 3 deny 10.3.0.1
access-list 3 permit any
The access list should be placed on Router A because a standard access list can specify only a source address. No hosts beyond the point in the path where the traffic is denied can connect.
The access list could be configured as an outbound list on E0 of Router A. However, it would most likely be configured as an inbound list on E1 so that packets to be denied would not have to be routed through Router A first.
Consider the effect of placing the access list on other routers:
■ Router B—Host Z could not connect with Host W [and Host V].
■ Router C—Host Z could not connect with Hosts W and X [and Host V].
■ Router D—Host Z could not connect with Hosts W, X, and Y [and Host V].
KEY POINT
Place Standard Access Lists Close to the Destination
For standard access lists, the rule is to place them as close to the destination as possible to exercise the most control. Note, however, that this means that traffic is routed through the network, only to be denied close to its destination.
Continue reading here: IP Extended Access Lists
Was this article helpful?