Access List Basics

 

An access list is a sequential series of filters. Each filter comprises some sort of matching criteria and an action. The action is always either permit or deny. The matching criteria may be as simple as a source address; alternatively, they may be a more complex combination of source and destination addresses, protocol type, ports or sockets, and specifications of the state of certain flags, such as the TCP ACK bit.

A packet is "dropped into" the top of the stack of filters (Figure B.2). At each filter, the matching criteria are applied. If a match occurs, the specified permit or deny action is executed. If a match does not occur, the packet "drops down" to the next filter in the stack, and the matching process is applied again.

Figure B.2. An access list is a sequential list of filters, each of which defines a matching criterion and an action.

[Figure B.2 image: graphics/bfig02.jpg]

In Figure B.2, a permit means that the packet will be allowed to exit on interface E0; a deny means that the packet will be dropped. For instance, a packet with a source address of HOST A will be dropped at the first filter. Suppose the packet's source address is HOST D of SUBNET 2 of NETWORK 5. The first filter specifies a matching criterion of HOST A, so the packet will not match and will drop to the second layer. The second filter specifies SUBNET 3; again, no match. The packet drops to the third filter, which specifies NETWORK 5. This matches; the action at layer three is permit, so the packet is allowed to exit interface E0.

Implicit Deny Any

What happens if a packet drops through all the filters and a match never occurs? The router has to know what to do with a packet in this situation; that is, there must be a default action. The default action could be either to permit all packets that don't match or to deny them. Cisco chose to deny them: Any packet that is referred to an access list and does not find a match is automatically dropped.

This approach is the correct engineering choice, particularly if the access list is being used for security. It is better to drop some packets that shouldn't have been dropped than to permit packets you've inadvertently neglected to filter.

This last filter is called an implicit deny any (Figure B.3). As the name implies, the line does not show up in any access list you build. It's simply a default action, and it exists at the end of any and all access lists.

Figure B.3. All access lists end with an implicit deny any, which discards all packets that do not match a line in the list.

[Figure B.3 image: graphics/bfig03.jpg]

This default can be overridden by making the last line of the list an explicit permit any. The implication here is that packets dropping through all the other filters will match the permit any before they get to the default deny any; therefore, all packets not matching anything else will be permitted, and nothing will ever reach the implicit deny.

Sequentiality

Access lists are executed sequentially, from the top down. This concept is important: Perhaps the most common cause of malfunctioning access lists is putting the individual filtering lines in the wrong sequence.

In Figure B.4, subnet 10.23.147.0/24 should be denied and the rest of network 10.0.0.0 should be permitted. The list on the left is out of sequence: network 10.0.0.0, including its subnet 10.23.147.0, will match the first line and be permitted. Packets from the subnet that should be denied will never reach the second line.

Figure B.4. If the individual filter layers of an access list are not configured in the correct sequence, the access list will not function correctly.

[Figure B.4 image: graphics/bfig04.jpg]

The list on the right is correct. Subnet 10.23.147.0 matches the first line and is denied, whereas all other subnets of 10.0.0.0 drop to the next line and are permitted.

Access List Types

The actual configuration lines for the access list shown graphically on the right of Figure B.4 are:

    access-list 9 deny 10.23.147.0 0.0.0.255
    access-list 9 permit 10.0.0.0 0.255.255.255

Every filter layer of an access list is represented by one configuration line. The various components of an access list line are discussed shortly, but for now notice the number 9 in both lines. This number is the access list number, and it serves two purposes:

  • It links all the lines of this list together and makes the list distinct from any others that might exist in the router's configuration file (it is common to have several access lists on a single router).

  • The router has to have a way to distinguish the access list type. Cisco IOS has access lists for IP, IPX, AppleTalk, DEC, NetBIOS, bridging, and many other protocols. Further, many of these protocols have multiple access list types. The access list number tells the router what type of list it is.

Access list types may be identified by either a number or a name. Table B.1 shows the numbered access list types and the range of access list numbers available for each. For example, as shown in the table, access-list 1010 identifies an IPX SAP list because the number is between 1000 and 1099.

Table B.1. Cisco access list numbers

Access List Type                           Range
Standard IP                                1–99
Extended IP                                100–199
Ethernet type code                         200–299
Ethernet address                           700–799
Transparent bridging (protocol type)       200–299
Transparent bridging (vendor code)         700–799
Extended transparent bridging              1100–1199
DECnet and extended DECnet                 300–399
XNS                                        400–499
Extended XNS                               500–599
AppleTalk                                  600–699
Source-route bridging (protocol type)      200–299
Source-route bridging (vendor code)        700–799
Standard IPX                               800–899
Extended IPX                               900–999
IPX SAP                                    1000–1099
NLSP route summary                         1200–1299
Standard VINES                             1–99
Extended VINES                             100–199
Simple VINES                               200–299

Within a range, access list numbers do not have to follow any particular sequence. That is, the first AppleTalk list on a router does not have to be 600, the second 601, and so on. They can be any number between 600 and 699, as long as each list is uniquely numbered on a single router.

Also, notice that some number ranges are the same for different protocols (Ethernet type code, source-route bridging, and simple VINES, for instance). In these cases, the router differentiates between access list types by the format of the access list lines themselves.

The following access list types are identified by names instead of numbers:

  • Apollo domain

  • Standard IP

  • Extended IP

  • ISO CLNS

  • Source-route bridging NetBIOS

  • Standard IPX

  • Extended IPX

  • IPX SAP

  • IPX NetBIOS

  • NLSP route summary

An example of an access list named Boo, identifying IPX NetBIOS, is:

    netbios access-list host Boo deny Atticus
    netbios access-list host Boo deny Scout
    netbios access-list host Boo deny Jem
    netbios access-list host Boo permit *

Note that although standard and extended IP access lists normally are numbered, they may also be named access lists. This convention is supported in IOS 11.2 and later. In some environments, a router may be configured with a large number of IP lists. By using names instead of numbers, individual lists may be more easily identified; additionally, named lists remove the limit of 99 standard and 100 extended IP access lists.

Named IP access lists currently can be used only with packet and route filters. Refer to the Cisco configuration guides for more information.

Editing Access Lists

Anyone who has edited an access list longer than a few lines from the console will tell you that this process can be an exercise in frustration. There is no way, from the console, to add a line to the middle of the list. All new lines are added to the bottom. And if you happen to make a typing mistake and try to eliminate a particular line by typing, for instance,

    no access-list 101 permit tcp 10.2.5.4 0.0.0.255 192.168.3.0 0.0.0.255 eq 25

this line, as well as all of access list 101, will be deleted!

A far more convenient technique is to cut and paste the list into a text editor on your PC, or upload the configuration to a TFTP server, and do the editing from there. When finished, the new access list may be loaded back into the router. A word of caution, however: all new lines are added to the bottom of an access list. Always add no access-list #, where # is the number of the list you're editing, to the beginning of the edited list. For example:

    no access-list 5
    access-list 5 permit 172.16.5.4 0.0.0.0
    access-list 5 permit 172.16.12.0 0.0.0.255
    access-list 5 deny 172.16.0.0 0.0.255.255
    access-list 5 permit any

The line no access-list 5 will delete the old list 5 from the configuration file before adding the new one. If you omit this step, the new list will simply be added onto the end of the old one.
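The following is an added example, not code from the book, that models two of the behaviours described above: the top-down, first-match evaluation with an implicit deny any (using the Figure B.4 list in both its correct and its reversed order), and the way the console appends every new line to the bottom of a list unless the list is first removed with no access-list #. The wildcard-mask matching and the sample addresses are constructed for the illustration.

```python
# Added example (not from the book): a small model of IOS standard IP ACL handling.
import ipaddress

def parse_acl_line(line):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' or '... any' into (N, filter)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard IP access-list line: {line!r}")
    number, action = int(parts[1]), parts[2]
    if parts[3] == "any":                       # any == 0.0.0.0 255.255.255.255
        addr, wildcard = 0, 0xFFFFFFFF
    else:
        addr = int(ipaddress.IPv4Address(parts[3]))
        # wildcard mask: 1-bits are "don't care"; no mask means 0.0.0.0 (one host)
        wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return number, (action, addr, wildcard)

def apply_config(running, lines):
    """Mimic the console: 'no access-list N' deletes the whole list N; any other
    line is appended to the BOTTOM of list N (lines cannot be inserted mid-list)."""
    for line in lines:
        parts = line.split()
        if parts[:2] == ["no", "access-list"]:
            running.pop(int(parts[2]), None)
        else:
            number, filt = parse_acl_line(line)
            running.setdefault(number, []).append(filt)
    return running

def evaluate(filters, source_ip):
    """Drop the packet through the filters top-down; the first match wins and
    falling off the end hits the implicit deny any."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wildcard in filters:
        if (src | wildcard) == (addr | wildcard):   # compare only the "care" bits
            return action
    return "deny"                                   # implicit deny any

# Constructed sample: the Figure B.4 right-hand list, and the same lines reversed
CORRECT_ORDER = ["access-list 9 deny 10.23.147.0 0.0.0.255",
                 "access-list 9 permit 10.0.0.0 0.255.255.255"]
WRONG_ORDER = CORRECT_ORDER[::-1]

def check(lines, source_ip):
    """Build list 9 from config lines and return the action for a source address."""
    return evaluate(apply_config({}, lines)[9], source_ip)

if __name__ == "__main__":
    for ip in ("10.23.147.7", "10.1.1.1", "192.168.3.1"):
        print(ip, "correct:", check(CORRECT_ORDER, ip), "wrong:", check(WRONG_ORDER, ip))
```

Feeding CORRECT_ORDER to apply_config a second time without a preceding "no access-list 9" leaves list 9 with four lines, which is the failure mode the caution above warns about.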



Routing TCP/IP (Vol. 1, 1998)