Access List Basics


An access list is a sequential series of filters. Each filter comprises some sort of matching criteria and an action. The action is always either permit or deny. The matching criteria might be as simple as a source address; alternatively, they might be a more complex combination of source and destination addresses, protocol types, ports or sockets, and specifications of the state of certain flags, such as the TCP ACK bit.

A packet is "dropped into" the top of the stack of filters. (See Figure B-2.) At each filter, the matching criteria are applied. If a match occurs, the specified permit or deny action is executed. If a match does not occur, the packet "drops down" to the next filter in the stack, and the matching process is applied again.

Figure B-2. An access list is a sequential list of filters, each of which defines a matching criterion and an action.


In Figure B-2, a permit means that the packet will be allowed to exit on interface E0; a deny means that the packet will be dropped. For instance, a packet with a source address of Host A will be dropped at the first filter. Suppose instead that the packet's source address is Host D on Subnet 2 of Network 5. The first filter specifies a match criterion of Host A, so the packet does not match and drops to the second filter. The second filter specifies Subnet 3; again, no match. The packet drops to the third filter, which specifies Network 5. This matches; the action at the third filter is permit, so the packet is allowed to exit interface E0.

Implicit Deny Any

What happens if a packet drops through all the filters and a match never occurs? The router must know what to do with a packet in this situation; that is, there must be a default action. The default action can be either to permit all packets that don't match or to deny them. Cisco chose to deny them: Any packet that is referred to an access list and does not find a match is automatically dropped.

This approach is the correct engineering choice, particularly if the access list is being used for security. It is better to drop some packets that shouldn't have been dropped than to permit packets you inadvertently neglected to filter.

This last filter is called an implicit deny any (Figure B-3). As the name implies, the line does not show up in any access list you build. It's simply a default action, and it exists at the end of any and all access lists.

Figure B-3. All access lists end with an implicit deny any, which discards all packets that do not match a line in the list.


This default can be overridden by making the last line of the list an explicit permit any. Packets dropping through all the other filters will match the permit any before they reach the default deny any; therefore, all packets not matching anything else will be permitted, and nothing will ever reach the implicit deny. Be sure that this is what you intend: a trailing permit any turns the list from a default-deny filter into a default-permit filter, so anything you forgot to deny explicitly gets through.

Sequentiality

Access lists are executed sequentially, from the top down. This concept is important: perhaps the most common cause of malfunctioning access lists is putting the individual filtering lines in the wrong sequence. The first match encountered in the sequenced access list is always taken. After the first match is made, the rest of the access list is ignored.

In Figure B-4, subnet 10.23.147.0/24 should be denied and the rest of network 10.0.0.0 should be permitted. The list on the left is out of sequence: all of network 10.0.0.0, including its subnet 10.23.147.0, matches the first line and is permitted. Packets from the subnet that should be denied never reach the second line.

Figure B-4. If the individual filter layers of an access list are not configured in the correct sequence, the access list will not function correctly.


The list on the right is correct. Subnet 10.23.147.0 matches the first line and is denied, whereas all other subnets of 10.0.0.0 drop to the next line and are permitted.
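The first-match walk, the implicit deny any, the effect of a trailing permit any, and the ordering mistake of Figure B-4 can all be exercised with a small model of a standard IP access list. The following Python is an added example, not code from the book or from Cisco IOS; it models only the standard-list semantics described above (source address plus wildcard mask, first match wins, implicit deny at the end). The configuration strings it parses are Example B-1 plus two constructed variants: the inverted list from the left side of Figure B-4 and a list ending in permit any. The shadowed_entries check, which flags a line that can never match because an earlier line already covers every address it would match, is a check of my own and not an IOS feature.

```python
"""Model of Cisco IOS standard IP access list evaluation (added example).
Semantics modelled: top-down first match, wildcard masks, implicit deny any."""
import ipaddress


def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_acl(config):
    """Parse classic 'access-list <n> permit|deny <addr> [wildcard]' lines.

    Returns {acl_number: [(action, addr, wildcard), ...]} in configuration order.
    'any' and 'host <addr>' are accepted; a missing wildcard means 0.0.0.0 (one host).
    """
    acls = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an access-list line; ignore (IOS would parse other commands)
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in line: {raw!r}")
        if parts[3] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            if len(parts) < 5:
                raise ValueError(f"'host' needs an address: {raw!r}")
            addr, wild = _ip(parts[4]), 0
        else:
            addr = _ip(parts[3])
            wild = _ip(parts[4]) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, addr, wild))
    return acls


def matches(src, addr, wild):
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 must equal the entry's address."""
    care = ~wild & 0xFFFFFFFF
    return (src & care) == (addr & care)


def evaluate(entries, src):
    """Walk the list top down. Return (action, 1-based line number) of the first
    match, or ('deny', None) when the packet falls off the end: the implicit deny any."""
    s = _ip(src)
    for line_no, (action, addr, wild) in enumerate(entries, start=1):
        if matches(s, addr, wild):
            return action, line_no
    return "deny", None


def shadowed_entries(entries):
    """Return 1-based line numbers of entries that can never be reached because an
    earlier entry already matches every address they would match.  Entry j is
    covered by an earlier entry i when i cares about a subset of j's bits and the
    two agree on all of i's cared-about bits.  (My check, not something IOS does.)"""
    shadowed = []
    for j, (_, addr_j, wild_j) in enumerate(entries):
        for i in range(j):
            _, addr_i, wild_i = entries[i]
            care_i = ~wild_i & 0xFFFFFFFF
            if (wild_j & care_i) == 0 and (addr_i & care_i) == (addr_j & care_i):
                shadowed.append(j + 1)
                break
    return shadowed


# Constructed configurations: Example B-1 (right side of Figure B-4), the same two
# lines in the wrong order (left side of Figure B-4), and a list ending in permit any.
CORRECT = """access-list 9 deny 10.23.147.0 0.0.0.255
access-list 9 permit 10.0.0.0 0.255.255.255"""

WRONG = """access-list 8 permit 10.0.0.0 0.255.255.255
access-list 8 deny 10.23.147.0 0.0.0.255"""

PERMIT_ANY_LAST = """access-list 7 deny 10.23.147.0 0.0.0.255
access-list 7 permit any"""

if __name__ == "__main__":
    good, bad, open_list = parse_acl(CORRECT)[9], parse_acl(WRONG)[8], parse_acl(PERMIT_ANY_LAST)[7]
    for src in ("10.23.147.77", "10.1.2.3", "192.168.1.1"):
        print(src, "correct:", evaluate(good, src), "wrong:", evaluate(bad, src),
              "permit-any-last:", evaluate(open_list, src))
    print("unreachable lines in the wrong list:", shadowed_entries(bad))
```

Running the block shows 10.23.147.77 denied at line 1 of the correct list but permitted at line 1 of the inverted list, 192.168.1.1 denied by the implicit deny in both of the first two lists, and permitted only by the list that ends in permit any; shadowed_entries reports line 2 of the inverted list as unreachable.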

Access List Types

The actual configuration lines for the access list shown graphically at the right of Figure B-4 are displayed in Example B-1.

Example B-1. The access list configuration for sequence 2 of Figure B-4 shows one line for each filter layer.
access-list 9 deny 10.23.147.0 0.0.0.255
access-list 9 permit 10.0.0.0 0.255.255.255

Every filter layer of an access list is represented by one configuration line. The various components of an access list line are discussed shortly, but for now, notice the number 9 in both lines. This number is the access list number, and it serves two purposes:

  • It links all the lines of this list together and makes the list distinct from any others that might exist in the router's configuration file. (It is common to have several access lists on a single router.)

  • The router must have a way to distinguish the access list type. Cisco IOS Software has access lists for IP, IPX, AppleTalk, DEC, NetBIOS, bridging, and many other protocols. Further, many of these protocols have multiple access list types. The access list number tells the router what type of list it is.

Access list types can be identified by either a number or a name. Table B-1 shows some of the numbered access list types and the range of access list numbers available for each. For example, as shown in the table, access-list 1010 identifies an IPX SAP filter because the number is between 1000 and 1099.

Table B-1. Cisco access list numbers

Access List Type                         Range
Standard IP                              1-99, 1300-1999
Extended IP                              100-199, 2000-2699
Ethernet type code                       200-299
Ethernet address                         700-799
Transparent bridging (protocol type)     200-299
Transparent bridging (vendor code)       700-799
Extended transparent bridging            1100-1199
DECnet and extended DECnet               300-399
XNS                                      400-499
Extended XNS                             500-599
AppleTalk                                600-699
Source-route bridging (protocol type)    200-299
Source-route bridging (vendor code)      700-799
Standard IPX                             800-899
Extended IPX                             900-999
IPX SAP                                  1000-1099
NLSP route summary                       1200-1299
Standard VINES                           1-99
Extended VINES                           100-199
Simple VINES                             200-299


Within a range, access list numbers do not need to follow any particular sequence. That is, the first standard IP list on a router does not need to be 1, the second 2, and so on. They can be any number between 1 and 99, or 1300 and 1999, just so each list is uniquely numbered on a single router.

Also, notice that some number ranges are the same for different protocols: Ethernet Type Code, Source Route Bridging, and Simple VINES, for instance. In these cases, the router differentiates between access list types by the format of the access list lines themselves.

The following access list types can be identified by names instead of numbers:

  • Apollo domain

  • Standard IP

  • Extended IP

  • ISO CLNS

  • Source-route bridging NetBIOS

  • Standard IPX

  • Extended IPX

  • IPX SAP

  • IPX NetBIOS

  • NLSP route summary

An example of an access list named Boo, identifying IPX NetBIOS, is displayed in Example B-2.

Example B-2. The access list named Boo denies various NetBIOS devices.
netbios access-list host Boo deny Atticus
netbios access-list host Boo deny Scout
netbios access-list host Boo deny Jem
netbios access-list host Boo permit *

Note that although standard and extended IP access lists normally are numbered, they can also be named access lists. This convention is supported in IOS 11.2 and later. In some environments, a router might be configured with a large number of IP lists. By using names instead of numbers, individual lists might be more easily identified.

Named IP access lists currently can be used only with packet and route filters. Refer to the Cisco configuration guides for more information.

Editing Access Lists

Anyone who has edited an access list longer than a few lines from the console will tell you that this process can be an exercise in frustration. Before 12.2(14), there was no way, from the console, to add a line to the middle of the list. All new lines were added to the bottom. And if you had typed a mistake and tried to eliminate a particular line by typing, for instance,

no access-list 101 permit tcp 10.2.5.4 0.0.0.255 192.168.3.0 0.0.0.255 eq 25

this line, and all of access list 101, would have been deleted!

A far more convenient technique is to copy the list into a text editor on your PC, or upload the configuration to a TFTP server, and do the editing there. When finished, the new access list can be loaded back into the router. A word of caution, however: all new lines are added to the bottom of an access list. Always add no access-list #, where # is the number of the list you're editing, to the beginning of the edited list. Example B-3 shows a sample.

Example B-3. no access-list is added to the beginning of an access list that is created and edited on a PC or server, so the access list is created anew each time it is loaded into the router.
no access-list 5
access-list 5 permit 172.16.5.4 0.0.0.0
access-list 5 permit 172.16.12.0 0.0.0.255
access-list 5 deny 172.16.0.0 0.0.255.255
access-list 5 permit any

The line no access-list 5 deletes the old list 5 from the configuration file before adding the new one. If you omit this step, the new lines are simply appended to the end of the old list. Be aware, too, that between the no access-list 5 line and the first new permit or deny line the list does not exist; IOS treats an interface that references a nonexistent access list as having no filter at all, so any interface still pointing at list 5 passes all traffic for that brief interval. Paste the whole edited list in one operation so that the window stays as short as possible.

The command show access-list displays currently configured lists, as Example B-4 demonstrates.

Example B-4. show access-list displays configured access lists on the router.
Router#show access-list 5
Standard IP access list 5
    10 permit 172.16.5.4
    20 permit 172.16.12.0, wildcard bits 0.0.0.255
    30 deny 172.16.0.0, wildcard bits 0.0.255.255
    40 permit any
Router#

Notice the numbers before each access list entry. These are sequence numbers. Sequence numbers are automatically added to access list entries as of IOS 12.2(14)S. They allow you to insert an entry into the middle or at the top of the list. If you don't specify a sequence number, the first entry is assigned number 10, and the sequence number of every subsequent entry is incremented by 10. When a router is reloaded, the sequence numbers are reset to 10, 20, 30, and so on. Sequence numbers also allow you to delete specific entries from an access list.

The entry in access list 5 that permits all hosts on subnet 172.16.12.0 can be replaced with an entry that permits all hosts on subnet 172.16.20.0 with the configuration in Example B-5.

Example B-5. Access lists can be modified by replacing entries or adding entries using sequence numbers.
ip access-list standard 5
 no 20
 20 permit 172.16.20.0 0.0.0.255

The existing entry with sequence number 20 must first be deleted before a new entry with sequence number 20 can be added, or you will get a duplicate sequence number error.
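As an added illustration, not code from the book or from IOS, the following Python models the sequence-number behaviour just described: automatic numbering in steps of 10, no <seq> removing exactly one entry, insertion at a chosen sequence number, rejection of a duplicate sequence number, and renumbering on reload. It replays the list from Example B-4, applies the replacement from Example B-5, and then inserts a line ahead of the first entry, which is precisely what the classic access-list command could not do. The class name, method names and the extra host entry 172.16.99.1 are my own; the rendering in show() only approximates the layout of show access-list.

```python
"""Model of sequence-numbered (IOS 12.2(14)S and later) access list editing.
Added example; it models only the behaviour described in the text."""


class SequencedAcl:
    STEP = 10  # IOS assigns 10, 20, 30 ... when no sequence number is given

    def __init__(self, name):
        self.name = name
        self.entries = {}  # sequence number -> entry text, e.g. "permit 172.16.5.4"

    def add(self, entry, seq=None):
        """Add one entry. Without seq the entry goes at highest existing seq + 10
        (10 for an empty list). With seq it is inserted at that position; reusing
        a sequence number that is already present is an error, as in IOS."""
        if seq is None:
            seq = max(self.entries, default=0) + self.STEP
        if seq in self.entries:
            raise ValueError(f"% Duplicate sequence number {seq}")
        self.entries[seq] = entry
        return seq

    def remove(self, seq):
        """'no <seq>' deletes exactly one entry; unlike 'no access-list N', the
        rest of the list survives."""
        if seq not in self.entries:
            raise KeyError(f"no entry with sequence number {seq}")
        del self.entries[seq]

    def reload(self):
        """On reload IOS discards the stored sequence numbers and renumbers the
        entries 10, 20, 30 ... in list order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {(i + 1) * self.STEP: e for i, e in enumerate(ordered)}

    def apply(self, config):
        """Apply lines as typed in 'ip access-list standard <name>' mode:
        'no <seq>', '<seq> <entry>', or a bare '<entry>' (appended)."""
        for raw in config.splitlines():
            parts = raw.split()
            if not parts:
                continue
            if parts[0] == "no" and len(parts) > 1 and parts[1].isdigit():
                self.remove(int(parts[1]))
            elif parts[0].isdigit():
                self.add(" ".join(parts[1:]), int(parts[0]))
            else:
                self.add(raw.strip())

    def show(self):
        """Approximate 'show access-list' output for the list."""
        lines = [f"Standard IP access list {self.name}"]
        lines += [f"    {s} {self.entries[s]}" for s in sorted(self.entries)]
        return "\n".join(lines)


def demo():
    """Build list 5 from Example B-4, apply Example B-5, then insert ahead of line 10."""
    acl = SequencedAcl(5)
    acl.apply("""permit 172.16.5.4
permit 172.16.12.0 0.0.0.255
deny 172.16.0.0 0.0.255.255
permit any""")
    # Example B-5: replace entry 20 (delete first, or IOS reports a duplicate).
    acl.apply("""no 20
20 permit 172.16.20.0 0.0.0.255""")
    # Constructed addition: a host entry placed above everything else.
    acl.apply("5 permit 172.16.99.1")
    return acl


if __name__ == "__main__":
    acl = demo()
    print(acl.show())
    acl.reload()
    print("after reload:")
    print(acl.show())
```

Before the reload the list carries sequence numbers 5, 10, 20, 30, 40; after the reload the same five entries, in the same order, are renumbered 10 through 50, so any notes you kept about "entry 20" are stale once the router comes back up.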




Source: Routing TCP/IP, Volume 1, 2nd Edition (CCIE Professional Development), 2005. ISBN 1587052024.
