Understanding Access Lists

By dwirch | 2007-05-10

Router Access Lists manage IP traffic as network access grows and filter packets as they pass through the router.

Access list applications include permitting or denying packets moving through a router, vty access to or from a router, custom queuing, and triggering of “dial-on-demand” routing.

There are two general types of access lists: standard, which permits or denies traffic for an entire protocol suite based only on the source address, and extended, which allows greater flexibility by checking source and destination addresses as well as specific protocols and port numbers.

Access lists may be applied as either inbound or outbound access lists. With an inbound access list, incoming packets are tested as they arrive, before the router routes them to an outbound interface. With an outbound access list, incoming packets are first routed to the outbound interface and then tested by that interface's outbound list.

In access list terms, permit means the packet passes this test and continues on to the next stage of processing, deny means the packet is discarded, and the implicit deny at the end of every list ensures that any packet matching no statement is dropped.

General guidelines for access list configuration: put the most restrictive statements at the top of the list; use one access list per interface, per protocol, per direction; create an access list before applying it to an interface; and give every access list at least one permit statement (otherwise the implicit deny drops all traffic).

For IP, standard access lists use the number range 1 – 99 as an identifier and extended access lists use 100 – 199. For IPX, standard access lists use the number range 800 – 899 and extended access lists use 900 – 999.

The parameters that the Cisco IOS IP access list checks include: port number, protocol, source address, and destination address.

Address filtering uses wildcard masks: each bit of the mask tells the router whether to check (0) or ignore (1) the corresponding bit of the IP address.

Access List Configuration

General guidelines for configuring access lists include remembering that every access list ends with an implicit deny, and placing the more specific tests, and the tests that will match most often, at the beginning of the list.

Standard access lists filter based on source address and mask while extended access lists filter based on source and destination address allowing more filtering control. In addition, extended access lists allow for filtering by protocol and port.

To configure standard access lists, use the access-list and access-group commands. The access-list command identifies the list number and the source IP address to test; the access-group command links the access list to an interface.

The two steps for setting access lists are setting the parameters for the access test statement and enabling the interface to use the specified list.

The IOS commands to enable an extended access list are the same as for enabling a standard access list (access-list and access-group), but they take additional parameters such as the specific protocol and port numbers to test.

The two steps for setting extended access lists are setting the parameters for the access test statement and enabling the interface to use the specified list. The test statement may include source and destination addresses as well as protocols and port numbers.
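The following Python model is an added example and is not code from the original article. It illustrates the two points above: how wildcard masks decide which address bits are checked or ignored, and how a numbered standard (1-99) or extended (100-199) list is evaluated top to bottom with first match winning and the implicit deny catching everything else. The class and function names (Entry, Packet, AccessList, wildcard_from_prefix, wildcard_match, render_addr) are this example's own, and the addresses and list contents are constructed sample data; the to_ios method renders the equivalent access-list statements so the ordering problem can be seen in command form.

```python
"""Model of how Cisco IOS numbered IP access lists test packets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_WC = "255.255.255.255"   # wildcard that ignores every bit, written "any" in IOS
HOST_WC = "0.0.0.0"          # wildcard that checks every bit, written "host" in IOS


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len: int) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'check this bit'; a 1 bit means 'ignore it'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str = HOST_WC
    proto: str = "ip"                # extended lists only; "ip" matches every IP protocol
    dst: str = "0.0.0.0"
    dst_wc: str = ANY_WC
    dst_port: Optional[int] = None   # extended lists only, rendered as "eq <port>"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None


def render_addr(addr: str, wc: str) -> str:
    if wc == ANY_WC:
        return "any"
    if wc == HOST_WC:
        return f"host {addr}"
    return f"{addr} {wc}"


class AccessList:
    def __init__(self, number: int, entries: List[Entry]):
        if not (1 <= number <= 199):
            raise ValueError("IP standard lists are numbered 1-99, extended lists 100-199")
        self.number = number
        self.entries = entries

    @property
    def extended(self) -> bool:
        return self.number >= 100

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of matching entry); None means the implicit deny fired."""
        for i, e in enumerate(self.entries):
            if not wildcard_match(pkt.src, e.src, e.src_wc):
                continue
            if self.extended:   # a standard list only ever looks at the source address
                if e.proto != "ip" and e.proto != pkt.proto:
                    continue
                if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
                    continue
                if e.dst_port is not None and e.dst_port != pkt.dst_port:
                    continue
            return e.action, i      # first match wins; later entries are never tested
        return "deny", None         # implicit deny at the end of every list

    def to_ios(self) -> List[str]:
        """Render the equivalent IOS access-list statements, in order."""
        lines = []
        for e in self.entries:
            if self.extended:
                line = (f"access-list {self.number} {e.action} {e.proto} "
                        f"{render_addr(e.src, e.src_wc)} {render_addr(e.dst, e.dst_wc)}")
                if e.dst_port is not None:
                    line += f" eq {e.dst_port}"
            else:
                line = f"access-list {self.number} {e.action} {render_addr(e.src, e.src_wc)}"
            lines.append(line)
        return lines


# Constructed sample lists. Standard list 10 puts the specific deny for one host
# above the broad permit for its subnet; STD_REVERSED shows what the wrong order does.
STD_ORDERED = AccessList(10, [
    Entry("deny", "192.168.1.5"),
    Entry("permit", "192.168.1.0", wildcard_from_prefix(24)),
])
STD_REVERSED = AccessList(10, list(reversed(STD_ORDERED.entries)))

# Extended list 101: only web traffic from 10.1.1.0/24 to one server, plus ICMP to 172.16/16.
EXT = AccessList(101, [
    Entry("permit", "10.1.1.0", "0.0.0.255", proto="tcp",
          dst="172.16.0.10", dst_wc=HOST_WC, dst_port=80),
    Entry("permit", "10.1.1.0", "0.0.0.255", proto="icmp", dst="172.16.0.0", dst_wc="0.0.255.255"),
])

if __name__ == "__main__":
    for acl in (STD_ORDERED, STD_REVERSED, EXT):
        print("\n".join(acl.to_ios()), "\n")
    print(STD_ORDERED.evaluate(Packet("192.168.1.5", "10.0.0.1")))    # ('deny', 0)
    print(STD_REVERSED.evaluate(Packet("192.168.1.5", "10.0.0.1")))   # ('permit', 0)
    print(EXT.evaluate(Packet("10.1.1.20", "172.16.0.10", "tcp", 23)))  # ('deny', None)
```

Run the file to see the rendered statements and the results. With the deny for host 192.168.1.5 listed first, that host is blocked and the rest of 192.168.1.0/24 is permitted; with the same two statements reversed, the subnet permit matches the host first and the deny is never reached, which is exactly why the guideline puts specific tests at the top. Telnet from 10.1.1.20 matches no entry in list 101 and falls through to the implicit deny. Applying a list to an interface with access-group (or to the vty lines with access-class) is a separate step not modelled here.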

Named access lists allow for IP standard and extended access lists to be identified with an alphanumeric string, not a number. Named access lists allow you to delete, but not insert, individual entries from a specific access list.

Place extended access lists as close as possible to the source of the traffic to be denied, and standard access lists as close as possible to the destination.

Access lists can also control virtual terminal (vty) access to or from a router. Users can be denied access to the router itself, or denied access to destinations reached from that router.

The two commands used to configure a router for vty access are line vty, which places the router in line configuration mode, and access-class, which links an existing access list to a terminal line or range of lines.

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.
