Access list types are defined by the numbers you use. You can remind yourself of the ranges like this:
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
Most of the time you’ll probably only ever need to configure IP standard and IP extended access lists. Access lists can be used to provide security on the console port, auxiliary port, and on the virtual (vty) lines that allow access to the router. We sometimes use the abbreviation ACL to denote access lists.
ACLs are applied using the ‘access-class’ command on console, aux, and vty lines and using the ‘access-group’ command on interfaces, and by using the ACL name at the end of a community string command for SNMP access:
interface GigabitEthernet0/0
ip access-group 101 in
line vty 0 2
access-class 19 in
access-class 20 out
snmp-server community mypassword RO 90
When the access-class or access-group command is used it has to end in ‘in’ or ‘out’:
‘in’ denotes INBOUND traffic, i.e. traffic coming towards the device from outside
‘out’ denotes OUTBOUND traffic, i.e. traffic leaving the device
You can have one access list applied inbound and outbound on the same interface.
Standard access lists match on the source address of the packet only. The packet is checked against each line in order, and if it matches a permit statement the packet is allowed through. If there’s no match, the packet is denied access.
Access lists have what’s called an implicit deny statement at the end, even if it hasn’t been configured. This means that no matter what the access list permits or denies according to the statements configured, the very last thing it does is deny all other packets.
The only way to override the implicit deny is to add ‘permit any’ at the end:
access-list 15 deny 10.16.0.0 0.0.63.255
access-list 15 deny 10.16.128.0 0.0.0.127
access-list 15 deny 10.16.0.0 0.0.255.255
access-list 15 permit any
If you were to configure the above, then any packets that matched and were blocked by the first three lines would be recorded in the access list’s hit counters, and all other packets that passed through because of the final ‘permit any’ line would also increment the hit counter for that line.
If you want to log the hits then you have to add the optional keyword ‘log’ to the end of the line(s) you want to record in the log. The ‘log’ suffix then records the hits in the router log (not just the hit counter) with details of the matching packets:
access-list 15 deny 10.16.0.0 0.0.63.255
access-list 15 deny 10.16.128.0 0.0.0.127
access-list 15 deny 10.16.0.0 0.0.255.255
access-list 15 permit any log
Use the command ‘show access-list 15’ to view the hit counters
Use the command ‘show log’ to view any log entries
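To make the first-match, wildcard-mask and implicit-deny behaviour of access list 15 concrete, here is an added Python model (not IOS code or part of the original notes) that evaluates the page’s four lines against some constructed source addresses and tallies per-line hit counters the way ‘show access-list’ would; the addresses and the ACL_15 table are assumptions built from the example above.

```python
import ipaddress

# Access list 15 from the page, as (action, network, wildcard) tuples.
# "any" has no wildcard and matches every source address.
ACL_15 = [
    ("deny",   "10.16.0.0",   "0.0.63.255"),
    ("deny",   "10.16.128.0", "0.0.0.127"),
    ("deny",   "10.16.0.0",   "0.0.255.255"),
    ("permit", "any",         None),
]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the network,
    a 1 bit is ignored (the inverse of a subnet mask)."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl, src):
    """First-match evaluation of a standard ACL on the source address.
    Returns (action, line_index); line_index -1 means the implicit deny fired."""
    for i, (action, network, wildcard) in enumerate(acl):
        if wildcard_match(src, network, wildcard):
            return action, i
    return "deny", -1

def run(acl, sources):
    """Evaluate each source and keep per-line hit counters like 'show access-list'."""
    counters = [0] * len(acl)
    results = {}
    for src in sources:
        action, i = evaluate(acl, src)
        if i >= 0:
            counters[i] += 1
        results[src] = action
    return results, counters

if __name__ == "__main__":
    # Constructed sample sources: one per deny line, plus one that reaches 'permit any'.
    sample = ["10.16.5.1", "10.16.128.100", "10.16.200.1", "192.168.1.1"]
    print(run(ACL_15, sample))
    # Without the final 'permit any', the implicit deny catches everything else.
    print(evaluate(ACL_15[:3], "192.168.1.1"))
```

Note that the third deny line is a superset of the first two, so its counter only records sources the earlier lines did not already catch; this is the ordering point worth checking whenever you read hit counters.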
Extended ACLs have a ‘from’ (source) and a ‘to’ (destination) part. They also allow you to match on the protocol and port number, amongst other things.
With extended ACLs we specify the protocol immediately after the permit or deny keyword, then the source address, then the destination address, each optionally followed by a port condition.
For example, these two lines from an extended access list allow TCP traffic to flow to and from port number 3389:
permit tcp any any eq 3389 – any TCP traffic to port 3389
permit tcp any eq 3389 any – any TCP traffic from port 3389
ACLs can also be used as distribution lists. If EIGRP learnt about ten different subnets but we only wanted to advertise four of them, we could use a distribution list:
router eigrp 1234
network 10.0.0.0
distribute-list 35 out
no auto-summary
