3.7 IP Access Lists

IP access lists are used on Cisco routers and switches to perform numerous functions. They can be used to control access to networks and virtual local-area networks (VLANs), to redistribute or filter routes in route maps, and so on. An access list is a sequential list of permit or deny conditions, i.e., a set of criteria that can be applied to every packet processed by the router or switch. When applied to an interface, an access list can block or permit traffic. The access list can be applied in either the ingress (inbound) or the egress (outbound) direction on that interface.

  • If applied at the ingress, the system checks the access list for a match when the router receives a packet. If the packet is denied, it is discarded immediately without any further processing. If the packet is permitted, the system processes and forwards the packet.

  • If applied at the egress, the system checks the access list for a match after processing the packet. If the packet is permitted, the system transmits the packet. If the packet is denied, it is discarded.

3.7.1 IP Access List Configuration

Cisco IOS contains two types of IP access lists: the standard access list and the extended access list. Each access list is configured using an access list number. Standard access lists are configured with numbers from 1 to 99, while extended access lists are configured with numbers from 100 to 199. The router tests a packet's IP addresses and port numbers sequentially against each condition in the access list. The first match determines whether the packet is forwarded or discarded; subsequent conditions in the list are ignored, so the order of conditions in the access list is important. If no condition matches, the router rejects the packet because of the implicit deny all at the end of every list.

3.7.1.1 IP Standard Access List Configuration

The standard IP access list can filter traffic based only on the source IP address of the packet. You can configure standard access lists by using the access-list n {permit | deny} {address wildcard-mask | any} global command. In this command:

  • n specifies the access list number.

  • address specifies the source IP address of the packet. The address can be replaced with the any keyword, which matches every packet that did not match an earlier condition in the list.

  • wildcard-mask is an inverse mask that specifies a network or network range.

An inverse mask of 0.0.0.0 matches only the specific host given in the address field, while an inverse mask of 255.255.255.255 matches any host.

Once the access list is configured, it can be applied to an interface by using the ip access-group n {in | out} interface command. If you do not specify the in or out keyword, the default inbound is applied.

3.7.1.2 IP Extended Access List Configuration

The extended access list allows filtering based on both the source and the destination address, as well as some protocol and port number specifications. You can configure an extended access list by using the access-list n {permit | deny} protocol source source-wildcard-mask destination destination-wildcard-mask global command. In this command:

  • n specifies the access list number from 100 to 199.

  • protocol can be ip, tcp, udp, or icmp.

  • source specifies the source IP address of the packet. This can be replaced with the any keyword if the source can be from any IP address.

  • source-wildcard-mask is an inverse mask that specifies a network or network range as the source.

  • destination specifies the destination IP address of the packet.

  • destination-wildcard-mask is an inverse mask that specifies a network or network range as the destination.

The configured access lists are verified by using the show access-list command.
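The matching rules described in 3.7.1, 3.7.1.1 and 3.7.1.2 (sequential test, first match wins, implicit deny all, inverse wildcard masks) are easy to get wrong when reading a list by eye. The following Python evaluator, which is an added example and not Cisco code, parses standard (1-99) and extended (100-199) access-list lines in the syntax shown above and evaluates a packet against them. The configuration text, the Packet class, the parse_acl and evaluate function names and the addresses are all constructed for this example; the only extended-list options modelled are the host and any keywords and a single eq port, and interface direction is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample configuration (not from a real device). Note that the
# order of the 101 entries decides what happens to TCP/80 from 10.0.0.0/24.
SAMPLE_CONFIG = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 172.16.5.10 eq 443
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any any
"""

ANY = ("0.0.0.0", "255.255.255.255")   # address/inverse-mask pair meaning "any host"


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, where the protocol has one


@dataclass
class Entry:
    number: int
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches every protocol (always used for standard lists)
    src: Tuple[str, str]          # (address, inverse mask)
    dst: Tuple[str, str]          # ANY for standard lists, which only test the source
    dport: Optional[int]          # port from an "eq" clause, or None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco inverse-mask test: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF        # bits that must be equal
    return (a & keep) == (b & keep)


def _take_addr(tokens: List[str], allow_bare: bool) -> Tuple[str, str]:
    """Consume 'any', 'host A', or 'A WILDCARD' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if allow_bare and (not tokens or not tokens[0][0].isdigit()):
        return (tok, "0.0.0.0")   # standard lists accept a bare host address
    return (tok, tokens.pop(0))


def parse_acl(config: str) -> dict:
    """Return {list number: [Entry, ...]} preserving the configured order."""
    acls: dict = {}
    for line in config.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:
            entry = Entry(number, action, "ip", _take_addr(rest, True), ANY, None)
        elif 100 <= number <= 199:
            proto = rest.pop(0)
            src = _take_addr(rest, False)
            dst = _take_addr(rest, False)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entry = Entry(number, action, proto, src, dst, dport)
        else:
            raise ValueError(f"access list number {number} is not standard or extended")
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Sequential first-match evaluation; falls through to the implicit deny."""
    for e in entries:
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, *e.src):
            continue
        if not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action               # first match decides; later entries are ignored
    return "deny"                     # implicit deny all at the end of every list


if __name__ == "__main__":
    acls = parse_acl(SAMPLE_CONFIG)
    web = Packet("10.0.0.5", "172.16.5.10", "tcp", 80)
    print("configured order:", evaluate(acls[101], web))
    print("reversed order:  ", evaluate(list(reversed(acls[101])), web))
```

Running the script shows the ordering problem from 3.7.1 directly: with the entries as configured, TCP/80 from 10.0.0.5 is denied by the second entry, while the same list entered in reverse order permits it, because permit ip any any is then the first match and nothing after it is ever consulted.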

3.7.2 IP Named Access Lists

A standard or extended access list can be identified with a name rather than a number. These are called named access lists and can reduce the confusion of identifying access lists and permit the editing of the access list instead of having to re-create the list when changes are necessary. The functions of standard and extended access lists remain exactly the same when using named access lists.

3.7.3 Reflexive ACLs

Reflexive ACLs were introduced in Cisco IOS Software Release 11.3. Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They are usually used to permit outbound traffic and to restrict inbound traffic to the replies belonging to sessions that originated inside the router. Reflexive ACLs can be defined solely with extended, named IP ACLs. They cannot be defined with numbered or standard named IP ACLs or with other protocol ACLs. Reflexive ACLs can be used in combination with other standard and static extended IP ACLs.
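The session-based behaviour described above, an outbound packet creating a temporary entry that permits only the matching reply, can be modelled in a few lines. This is an added illustration, not Cisco's implementation: the ReflexiveAcl class, the Flow record, the inside network 10.1.1.0/24, the outside address 203.0.113.10 and the 300-second idle timeout are all constructed for the example, and the model keeps only a mirrored 5-tuple per session rather than the full IOS session state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self) -> "Flow":
        """The reply direction: source and destination (and ports) swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveAcl:
    """Toy model of a reflexive ACL protecting an inside network (constructed example)."""

    def __init__(self, inside_net: str, timeout: int = 300):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.timeout = timeout
        # Temporary reverse entries: mirrored flow -> time at which it expires
        self.reflected: Dict[Flow, int] = {}

    def _purge(self, now: int) -> None:
        self.reflected = {f: exp for f, exp in self.reflected.items() if exp > now}

    def outbound(self, flow: Flow, now: int) -> str:
        """Outbound traffic from inside is permitted and reflected."""
        self._purge(now)
        if ipaddress.ip_address(flow.src) not in self.inside_net:
            return "deny"                          # only inside hosts may open sessions
        self.reflected[flow.mirror()] = now + self.timeout
        return "permit"

    def inbound(self, flow: Flow, now: int) -> str:
        """Inbound traffic is permitted only if it matches a live reflected entry."""
        self._purge(now)
        if flow in self.reflected:
            self.reflected[flow] = now + self.timeout   # activity refreshes the entry
            return "permit"
        return "deny"                              # unsolicited traffic hits the implicit deny

    def active_sessions(self) -> int:
        return len(self.reflected)


if __name__ == "__main__":
    acl = ReflexiveAcl("10.1.1.0/24")
    request = Flow("tcp", "10.1.1.5", 40000, "203.0.113.10", 443)
    print("outbound request:", acl.outbound(request, now=0))
    print("matching reply:  ", acl.inbound(request.mirror(), now=1))
    print("unsolicited SSH: ", acl.inbound(Flow("tcp", "203.0.113.10", 4444, "10.1.1.5", 22), now=1))
```

The model makes the defensive property explicit: the same outside host that is allowed to answer the session it was asked to serve gets an implicit deny on any other port, and once the session goes idle past the timeout the reverse entry disappears, so a late packet that would have matched earlier is also denied.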

3.7.4 Time-Based ACLs

Time-based ACLs were introduced in Cisco IOS Software Release 12.0.1.T. Although similar to extended IP ACLs in purpose, they enable access control based on time. To put time-based ACLs into practice, a time range is defined that names particular times of the day and week. The time range is identified by a name and then referenced by a function, so the time restrictions are imposed on the function itself. The time range works from the router's system clock. The router clock alone can be used, but the feature works best with Network Time Protocol (NTP) synchronization.
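To show how a named time range gates a function, here is an added Python example (not Cisco code) that parses a time-range definition in the periodic form, decides whether a given clock reading falls inside it, and applies that decision to an access-list entry that references the range by name. The configuration text, the range name business-hours, the parse_time_ranges and entry_active function names and the sample dates are constructed for this example; only periodic entries are modelled, not absolute ones, and the clock is passed in explicitly, which is also where an unsynchronized router clock would silently shift the enforced window.

```python
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """
time-range business-hours
 periodic weekdays 8:00 to 17:00
 periodic saturday 9:00 to 12:00
access-list 120 permit tcp any any eq 80 time-range business-hours
access-list 120 deny ip any any
"""

# Day-name keywords mapped onto datetime.weekday() values (Monday == 0)
DAYS: Dict[str, set] = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "daily": set(range(7)), "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6},
}

Window = Tuple[set, time, time]          # (days, start, end) of one periodic statement


def _hhmm(text: str) -> time:
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def parse_time_ranges(config: str) -> Dict[str, List[Window]]:
    """Return {range name: [(days, start, end), ...]} from time-range blocks."""
    ranges: Dict[str, List[Window]] = {}
    current = None
    for line in config.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "time-range":
            current = tokens[1]
            ranges[current] = []
        elif tokens[0] == "periodic" and current is not None:
            days: set = set()
            i = 1
            while tokens[i] in DAYS:          # one or more day keywords
                days |= DAYS[tokens[i]]
                i += 1
            start, end = _hhmm(tokens[i]), _hhmm(tokens[i + 2])   # "<start> to <end>"
            ranges[current].append((days, start, end))
        else:
            current = None                    # any other line ends the block
    return ranges


def in_time_range(ranges: Dict[str, List[Window]], name: str, when: datetime) -> bool:
    """True if the clock reading falls inside any window of the named range."""
    return any(when.weekday() in days and start <= when.time() <= end
               for days, start, end in ranges.get(name, []))


def entry_active(entry: str, ranges: Dict[str, List[Window]], when: datetime) -> bool:
    """An entry with no time-range keyword is always active; otherwise the range decides."""
    tokens = entry.split()
    if "time-range" not in tokens:
        return True
    return in_time_range(ranges, tokens[tokens.index("time-range") + 1], when)


if __name__ == "__main__":
    ranges = parse_time_ranges(SAMPLE_CONFIG)
    entry = "access-list 120 permit tcp any any eq 80 time-range business-hours"
    for when in (datetime(2024, 3, 12, 10, 30), datetime(2024, 3, 16, 10, 30),
                 datetime(2024, 3, 12, 18, 0)):
        print(when, "active" if entry_active(entry, ranges, when) else "inactive")
```

When the permit entry is inactive the packet is not matched by it and continues down the list, where in the sample it meets the deny entry; that is the sense in which the restriction is imposed on the referencing function rather than on the packet. Because the decision depends entirely on the supplied clock, the NTP advice above is what keeps the enforced window aligned with the intended one.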