Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified router interfaces, we provide access lists.
You can use access lists in several ways:
This section summarizes how to create access lists and how to apply them.
An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The router tests addresses against the conditions in an access list one by one. The first match determines whether the router accepts or rejects the address. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the address.
The two steps involved in using access lists are as follows:
Step 1 Create an access list by specifying an access list number and access conditions.
Step 2 Apply the access list to interfaces or terminal lines.
These steps are described in the next sections.
The software supports two styles of access lists for IP:
To create a standard access list, perform one of the following tasks in global configuration mode:
| Task | Command |
|---|---|
| Define a standard IP access list using a source address and wildcard. | access-list access-list-number {deny \| permit} source [source-wildcard] |
| Define a standard IP access list using an abbreviation for the source and source mask of 0.0.0.0 255.255.255.255. | access-list access-list-number {deny \| permit} any |
To create an extended access list, perform one of the following tasks in global configuration mode:
| Task | Command |
|---|---|
| Define an extended IP access list number and the access conditions. | access-list access-list-number {deny \| permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log] |
| Define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255. | access-list access-list-number {deny \| permit} protocol any any |
| Define an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0. | access-list access-list-number {deny \| permit} protocol host source host destination |
Once an access list has been created, any subsequent entries (for example, entered later from the terminal) are appended to the end of the list. In other words, you cannot insert or remove individual access list command lines in the middle of a specific access list.
After an access list is created, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. The following two tables show how this task is accomplished for both terminal lines and network interfaces.
Perform the following task in line configuration mode:
| Task | Command |
|---|---|
| Restrict incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list. | access-class access-list-number {in \| out} |
Perform the following task in interface configuration mode:
| Task | Command |
|---|---|
| Control access to an interface. | ip access-group access-list-number {in \| out} |
For outbound access lists, after receiving and routing a packet to a controlled interface, the router checks the source address of the packet against the access list. If the access list permits the address, the router transmits the packet. If the access list rejects the address, the router discards the packet and returns an ICMP Host Unreachable message.
When you apply an access list (standard or extended) that has not yet been defined to an interface, the router will act as if the access list has not been applied to the interface and will accept all packets. Remember this behavior if you use undefined access lists as a means of security in your network.
In the following example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the router would accept one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the router would accept addresses on all other network 36.0.0.0 subnets.
```
access-list 2 permit 36.48.0.3
access-list 2 deny 36.48.0.0 0.0.255.255
access-list 2 permit 36.0.0.0 0.255.255.255
interface ethernet 0
ip access-group 2 in
```
Examples of Implicit Masks in Access Lists
IP access lists contain implicit masks. For instance, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. Consider the following example configuration:
```
access-list 1 permit 0.0.0.0
access-list 1 permit 131.108.0.0
access-list 1 deny 0.0.0.0 255.255.255.255
```
For this example, the following masks are implied in the first two lines:
```
access-list 1 permit 0.0.0.0 0.0.0.0
access-list 1 permit 131.108.0.0 0.0.0.0
```
The last line in the configuration (using the deny keyword) can be left off, because IP access lists implicitly deny all other access. This is equivalent to finishing the access list with the following command statement:
```
access-list 1 deny 0.0.0.0 255.255.255.255
```
The following access list only allows access for those hosts on the three specified networks. It assumes that subnetting is not used; the masks apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
```
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
```
(Note: all other access is implicitly denied.)
To specify a large number of individual addresses more easily, you can omit the all-zeros address mask from the access-list global configuration command. Thus, the following two configuration commands are identical in effect:
```
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0
```
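The first-match rule, wildcard masks, implicit 0.0.0.0 masks and the implicit deny described above, as an added simulator that is not part of the original documentation or of the router software. It parses standard access-list lines in the syntax shown on this page and evaluates source addresses against them; the configuration lines and test addresses are constructed from the access list 2 example.

```python
import ipaddress

# Constructed from the access list 2 example on this page; deny line
# is first in the wrong order on purpose in the reordering test below.
ACL2_CONFIG = [
    "access-list 2 permit 36.48.0.3",
    "access-list 2 deny 36.48.0.0 0.0.255.255",
    "access-list 2 permit 36.0.0.0 0.255.255.255",
]

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl_line(line):
    """Parse 'access-list N {permit|deny} source [wildcard]' into
    (number, action, base, wildcard) as integers. An omitted wildcard is
    the implicit 0.0.0.0 (exact host); 'any' is 0.0.0.0 255.255.255.255."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard access-list entry: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if tokens[3] == "any":
        return number, action, 0, 0xFFFFFFFF
    base = _to_int(tokens[3])
    wild = _to_int(tokens[4]) if len(tokens) > 4 else 0  # implicit mask
    return number, action, base, wild

def build_acl(config_lines, number):
    """Collect the entries of one list in the order entered: later lines
    are appended, exactly as the router appends them."""
    entries = []
    for line in config_lines:
        n, action, base, wild = parse_acl_line(line)
        if n == number:
            entries.append((action, base, wild))
    return entries

def evaluate(acl, address, counters=None):
    """Test an address against each entry in turn; the first match decides.
    A wildcard bit of 1 means 'do not care'. Falling off the end hits the
    implicit deny. `counters` mirrors the per-line counts of show access-lists."""
    addr = _to_int(address)
    for idx, (action, base, wild) in enumerate(acl):
        care = ~wild & 0xFFFFFFFF
        if (addr & care) == (base & care):
            if counters is not None:
                counters[idx] = counters.get(idx, 0) + 1
            return action
    return "deny"
```

Swapping the first two entries of the list makes 36.48.0.3 fall into the subnet deny before its own permit is reached, which is the ordering trap the text warns about.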
The system counts how many packets pass each line of an access list; the counters are displayed by the show access-lists command. You can clear the counters of an access list by performing the following task in EXEC mode.
| Task | Command |
|---|---|
| Clear the access list counters. | clear access-list counters access-list-number |