Lab 29: Configuring Access Lists, Named Access Lists, and EIGRP Route Filters-Part II

Understanding How Access Lists Operate

Essentially, an access list is a set of conditions that are executed sequentially from top to bottom. When a condition is matched, no further comparisons are made, and a true or false result is returned to the process that called the list. The types of access lists have grown over the years. Cisco IOS Software Release 12.0 adds some extended ranges for IP, as Example 14-1 lists.

Example 14-1 Access List Range in Cisco IOS Software Release 12.0

    router(config)#access-list ?
      <1-99>       IP standard access list
      <100-199>    IP extended access list
      <1000-1099>  IPX SAP access list
      <1100-1199>  Extended 48-bit MAC address access list
      <1200-1299>  IPX summary address access list
      <1300-1999>  IP standard access list (expanded range)
      <200-299>    Protocol type-code access list
      <2000-2699>  IP extended access list (expanded range)
      <300-399>    DECnet access list
      <400-499>    XNS standard access list
      <500-599>    XNS extended access list
      <600-699>    Appletalk access list
      <700-799>    48-bit MAC address access list
      <800-899>    IPX standard access list
      <900-999>    IPX extended access list

Standard access lists filter based on one condition, the match of an address. When you think of access lists, think of them as conditions that are either true or false; they return this result to the process that called them. It is important to think of them in this way because you will use access lists not only to filter packets on interfaces, but also for route maps, redistribution, and other features, such as Network Address Translation (NAT). Therefore, don't limit your thinking of access lists in terms of "networks" or "packets," but consider what process is calling the access list and what is returned to that process. The access list merely returns the result of the condition in the list, either true or false. The process that called the list is then carried out or denied based on the result of the condition.

You should follow a few rules and suggestions when configuring any access list:

  • There is an implicit deny at the end of all access lists. This will not appear in your configuration listing.

  • The access list is executed from top to bottom in sequential order. When a condition is true, processing in the list comes to a halt, and no further comparisons are made.

  • Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.

  • New lines are always added to the end of the access list. A no access-list x command will remove the whole list; you cannot selectively add and remove lines.

  • An undefined access list will permit any or all traffic.

  • When configuring an access list, always configure the list first and then apply it to the process, whether it's a standard packet filter, a route map, or a redistribute statement. This way, it is easy to test your list and remove it quickly.

  • An IP access list will send an ICMP host unreachable message to the sender of the packet and then will discard the packet into the bit bucket.

  • Apply the filter as close as possible to the source of traffic that you want to filter. Security filters usually block inbound access, whereas traffic filters usually prohibit traffic from crossing a link and use outbound filters.

  • Care should be used whenever removing an access list. If the access list is applied to a production interface and the access list is removed, there will be a default deny any applied to the interface, and all traffic will be halted.

  • Outbound filters do not affect traffic originating on the router.
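The following is an added example, not code from the book: a small Python simulator of how a standard IP access list is evaluated, covering the points made above that the list is walked top to bottom, that the first matching line decides the true/false result handed back to the calling process, that an unlisted address falls through to the implicit deny, and that entries must be ordered from specific to general. It parses IOS-style statements of the form access-list N permit|deny address [wildcard] (plus the host and any shorthands) and accepts only the standard ranges 1-99 and 1300-1999 from Example 14-1. The two access lists and the source addresses are constructed sample data.

```python
"""Simulate first-match evaluation of a Cisco IOS standard IP access list.

Added illustration; the list contents and packet addresses are constructed.
"""
import ipaddress


def _to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def parse_entry(line: str):
    """Parse 'access-list N permit|deny A [W]' into (action, address, wildcard).

    Only the standard IP ranges (1-99 and the expanded 1300-1999) are accepted.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard access-list statement: {line!r}")
    number = int(tokens[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is outside the standard IP access list ranges")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    rest = tokens[3:]
    if rest[0] == "any":
        addr, wildcard = 0, 0xFFFFFFFF            # every bit is "don't care"
    elif rest[0] == "host":
        addr, wildcard = _to_int(rest[1]), 0      # every bit must match
    else:
        addr = _to_int(rest[0])
        # An omitted wildcard mask means 0.0.0.0, i.e. match that exact host.
        wildcard = _to_int(rest[1]) if len(rest) > 1 else 0
    return action, addr, wildcard


def matches(addr: int, wildcard: int, packet_src: int) -> bool:
    """Wildcard-mask compare: a 0 bit must match, a 1 bit is ignored."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (packet_src & care)


def evaluate(access_list, src_ip: str):
    """Walk the list top to bottom; return (result, matching line).

    Processing stops at the first true condition. If no line matches, the
    implicit deny that never appears in the configuration is returned.
    """
    src = _to_int(src_ip)
    for line in access_list:
        action, addr, wildcard = parse_entry(line)
        if matches(addr, wildcard, src):
            return action, line
    return "deny", "<implicit deny>"


# Constructed sample: block one host, admit the rest of its /24 (specific first).
SPECIFIC_FIRST = [
    "access-list 10 deny   host 192.168.1.5",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
]
# Same two statements in the wrong order: the general line shadows the host deny.
GENERAL_FIRST = [
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 deny   host 192.168.1.5",
]
SAMPLE_SOURCES = ("192.168.1.5", "192.168.1.77", "10.0.0.1")


def demo():
    """Evaluate the sample sources against both orderings of the list."""
    return {
        name: {ip: evaluate(acl, ip)[0] for ip in SAMPLE_SOURCES}
        for name, acl in (("specific-first", SPECIFIC_FIRST),
                          ("general-first", GENERAL_FIRST))
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running it shows that with the specific-first ordering 192.168.1.5 is denied, 192.168.1.77 is permitted and 10.0.0.1 (not mentioned anywhere in the list) is denied by the implicit deny; with the general-first ordering the deny for 192.168.1.5 is never reached, because the /24 permit above it matches first and halts processing.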

CCIE Practical Studies, Volume I
ISBN: 1587200023
Year: 2001
Pages: 283
Authors: Karl Solie