• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Cisco Articles
• Cisco Router Configuration
• Cisco Switch Configuration
• Understanding Subnet Mask
• Understanding Cisco IOS
• Understanding Frame Relay
• Understanding IPX SPX Protocol
• Understanding ISDN
• Understanding Cisco Subnetting
• Understanding Cisco TCP/IP
• Used Cisco Routers and Switches
• Understanding Ethernet
• Understanding Switching
• Spanning Tree Protocol
• Routing Protocols
• Routing Elements
• Enabling IP Routing
• Distance Vector Routing Protocols
• Cisco Switch Commands
• Cisco Router Commands
• Cisco Discovery Protocol
• Cisco Three Layer Model vs OSI Model
• Ethernet Cabling
• Point to Point Protocol
• Cisco Network Management
• Ethernet at the Data Link Layer
• IP Access Lists
• Understanding Data Encapsulation
• Understanding Ethernet Networking
• Ethernet at Physical Layer
• Understanding the Cisco Three Layer Hierarchial Model
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

IP Access Lists

IP Access Lists

What is an Access List?

Access lists are used to control and manage access of interesting and non interesting traffic. Access lists are powerful tools for controlling access both to and from network segments. They can filter uninteresting packets and be used to implement security policies. Using the right combination of access lists, network managers will be armed with the power to enforce nearly any access policy they can invent. After the lists are built, they can be applied to either inbound or outbound traffic on any interface. By applying access lists can effect router to analyze each packet by crossing the interface at specific direction and also take action.

Basic Rules for IP Access Lists

There are a few important rules that a packet should follows when it's being compared with an access list:

• It's always compared with each line of the access list in sequential order, it mean that it will always start with line 1, then go to line 2, then line 3, and so on.
• It is compared with lines of the access list only until a match is made. Once the packet matches a line of the access list, no further comparisons take place.
• "deny all" is used to end of each access list. This means that if a packet doesn't match up to any statement of the access list, it'll be discarded.

Types of IP Access Lists

There are two types of IP access lists used:

• Standard access lists: The standard IP access lists use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire protocol suite.
• Extended access lists: The extended access lists check for source and destination IP address, protocol field in the layer 3 header, and port number at the layer 4 header.

After creating an IP access list, you apply it to an interface with either an inbound or outbound list:

• Inbound access lists: The packets are processed through the inbound access list before being routed to the outbound interface.
• Outbound access lists: The packets are routed to the outbound interface and then processed through the outbound access list.

Guidelines for Creating and Implementing IP Access Lists

There are also some guidelines that should be followed when creating and implementing IP access lists on a router:

• You can only assign only one access list per interface, per protocol, or per direction. It means if you are making IP access lists you can use only one inbound and one outbound access list on each interface.
• You should have organized the access lists so that the more specific tests are at the top of the access list.
• Whenever a new statement is added to the access list, it will be placed at the bottom of the list.
• You cannot remove one specific line from an access list. You have to remove the entire list. You can copy access configuration to notepad before editing it. The only exception is named access lists.
• The access list should end with a permit command, all packets will be discarded if they do not meet any of the lists' tests. Each access list must have one permit statement and also you can shut down interface.
• You have to create the access lists and then apply them to an interface. Access list which is implemented to an interface will not ever filter traffic.
• The access lists are designed to filter traffic going through the router. They will not filter the traffic which is originated from the router.
• You have to place the IP standard access lists as close to the destination as possible.
• You have to place the IP extended access lists as close to the source as possible.

Standard IP Access Lists Example

The standard IP access lists filter the network by using the source IP address in an IP packet. You could create a standard IP access list by using the access list numbers 1-99.

Extended IP Access Lists Example

The extended IP access lists allow you to choose your source and destination IP address as well as the protocol and the logical port number, which identify the upper-layer protocol or application. By using extended IP access lists, you can effectively allow access to a physical LAN and stop them from using certain services. You'll use the extended IP access list range from 100 to 199.

Monitoring IP Access Lists

It is important to be able to verify the access list configuration on a router. The following commands can be used to verify the access list configuration

Show access-list: This command displays all access lists and their parameters configured on the router. This command does not show you that on which interface the list is set.

Show ip access-list: This command shows only the IP access lists configured on the router.

Show ip access-list access list no: This command displays the detail of the specific IP access list configured on the router.

Show ip interface interface no: This command shows that which interfaces have access lists set and in which direction.

Show running-config: This command shows the access lists configuration and the interfaces status.

Bookmark IP Access Lists

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum