Playing with Cisco access lists

Although typically considered Cisco's low-end security tool, access lists are far more versatile than that. If you're new to Cisco, you will want to get to know this tool, and Alexander Prohorenko is here to help.

In this Daily Drill Down, I'm going to help you understand what Cisco’s access lists are, how to use them on different Cisco series, and how to make your work with them more efficient. Why did I choose this topic? That’s simple—Cisco’s access list is a basic tool, applicable to numerous tasks. Every Cisco specialist has to know how to work with access lists. If you can handle access lists, you can handle the router; that's the rule.

Access list defined
Let's clarify the meaning of "access list". Some technicians argue that the access list is a firewall tool and nothing more. These people are wrong. The term access list (in Cisco notation) has a very broad meaning. The best way to describe an access list is as a "filter" that is used to identify "interesting traffic" and decide how to act upon it. Yes, of course, one can use access lists to build a simple firewall, but that's not their primary purpose.

Also, you should understand that access lists are not a panacea. You can do a lot of things with them, but you should always look for alternative solutions.

Let's start
Access lists can be used to control the transmission of packets across an interface, to restrict traffic across virtual terminal lines, or to restrict routing updates. You enter rules to permit or deny packets within each access list. The access lists are identified by a number. All statements within a single list must have the same number. The number used is up to you, but it has to fall within specific ranges, depending on what service you are applying the access list to. Here are the available ranges for a Cisco 3640 router with Enterprise IOS 12.0(7)T:
core#configure terminal
core(config)#access-list ?
 <1-99>  IP standard access list
 <100-199> IP extended access list
 <1000-1099> IPX SAP access list
 <1100-1199> Extended 48-bit MAC address access list
 <1200-1299> IPX summary address access list
 <1300-1999> IP standard access list (expanded range)
 <200-299> Protocol type-code access list
 <2000-2699> IP extended access list (expanded range)
 <300-399> DECnet access list
 <400-499> XNS standard access list
 <500-599> XNS extended access list
 <600-699> Appletalk access list
 <700-799> 48-bit MAC address access list
 <800-899> IPX standard access list
 <900-999> IPX extended access list
 rate-limit Simple rate-limit specific access list

These ranges may vary among different IOS versions. For example, for a Cisco 2620 with the basic IP IOS 12.0(7)T image, the list shrinks to:
2620#configure terminal
2620(config)#access-list ?
 <1-99>  IP standard access list
 <100-199> IP extended access list
 <1100-1199> Extended 48-bit MAC address access list
 <1300-1999> IP standard access list (expanded range)
 <200-299> Protocol type-code access list
 <2000-2699> IP extended access list (expanded range)
 <700-799> 48-bit MAC address access list
 rate-limit Simple rate-limit specific access list

There is no point in trying to build a definitive table of these ranges; just learn them from your router. The IOS context-sensitive help is good enough for that, which is why I've covered only the basic ones.

How IP access lists work
An IP access list is a collection of permit and deny rules that are applied to IP addresses. The router processes each access list statement, in sequence, against each packet. If the router reaches the end of the list and has found no match for the packet, the packet will be discarded. Therefore, it is important that each access list contain at least one permit statement. And because the first match is the one followed, it is critical to pay attention to the order.

Access list types
There are three basic types of IP access lists: standard, extended, and dynamic extended. Standard access lists use source addressing for applying rules and provide very basic forms of filtering. Extended access lists use both source and destination addresses for filtering and even allow filtering by protocol type. This allows a more granular method of controlling data flow. Finally, dynamic extended access lists grant access to destinations on a per-user basis, through an authentication process.

The router uses a wildcard mask (sometimes known as an inverse mask), along with the source or destination IP address, to identify a range of addresses to match. Just as a subnet mask tells the router which bits of the IP address belong to the network number and which belong to the host address, the wildcard mask tells the router which bits of the IP address it needs to examine in order to make a matching determination (a 0 bit in the wildcard must match, a 1 bit is ignored). This address/mask pair allows us to specify a range of IP addresses with just two 32-bit numbers.

Standard type
So how do you use standard access lists? Easy! For example, suppose we want to create an access list number 1, which will deny and log all requests from all addresses, except We’ll start out using the help feature by running the following at the configuration prompt:
core(config)#access-list 1 ?
 deny Specify packets to reject
 permit Specify packets to forward
 remark Access list entry comment

core(config)#access-list 1 permit ?
 Hostname or A.B.C.D Address to match
 any     Any source host
 host     A single host address

core(config)#access-list 1 permit ?
 A.B.C.D Wildcard bits
 log  Log matches against this entry

And here we actually enter the commands to set up the access list:
core(config)#access-list 1 deny
core(config)#access-list 1 deny any log
core#show access-lists 1
Standard IP access list 1
 deny any log

After an access list is created, any additions to that list number are placed at the end. Unfortunately, this means that you can't selectively add or remove items. The only removal that can be done is to remove the entire access list, which can obviously be a nuisance if you have extensive lists.

Extended and dynamic extended type
Extended IP access lists allow you to control traffic at a more granular level. An extended IP list uses both the source and destination addresses when it tries to match packets against your list, and you can optionally use protocol type and port information for even finer control.

A lot of the rules you learned from standard IP access lists are the same for extended IP access lists, such as the rule that we cannot selectively add or remove entries from a list, and that at the end of the list there is an implicit deny all statement (by default). That implicit deny never appears in the running configuration or in show access-lists output, so a list that lacks a permit entry silently drops all traffic. The syntax for adding extended IP access lists is a bit more complex, though it is similar to the standard one. From the configuration prompt, run:
core(config)#access-list 101 ?
 deny  Specify packets to reject
 dynamic Specify a DYNAMIC list of PERMITs or DENYs
 permit Specify packets to forward
 remark Access list entry comment

core(config)#access-list 101 permit ?
 <0-255> An IP protocol number
 ahp  Authentication Header Protocol
 eigrp Cisco's EIGRP routing protocol
 esp  Encapsulation Security Payload
 gre  Cisco's GRE tunneling
 icmp  Internet Control Message Protocol
 igmp  Internet Gateway Message Protocol
 igrp  Cisco's IGRP routing protocol
 ip  Any Internet Protocol
 ipinip IP in IP tunneling
 nos  KA9Q NOS compatible IP over IP tunneling
 ospf  OSPF routing protocol
 pcp  Payload Compression Protocol
 pim  Protocol Independent Multicast
 tcp  Transmission Control Protocol
 udp  User Datagram Protocol

core(config)#access-list 101 permit ip ?
 A.B.C.D Source address
 any  Any source host
 host  A single source host

Let's say, for example, that we would like to block and log all TCP and UDP connections to port 12345, and everything else should be passed through. Here is how this would be accomplished (the configuration command is access-list; access-lists is only used with show):
core#configure terminal
core(config)#access-list 101 deny tcp any any eq 12345 log
core(config)#access-list 101 deny udp any any eq 12345 log
core(config)#access-list 101 permit ip any any
core(config)#end
core#show access-lists 101
Extended IP access list 101
 deny tcp any any eq 12345 log
 deny udp any any eq 12345 log
 permit ip any any

Pretty simple, isn't it?
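As an added example (not from the article and not a Cisco tool), here is a small Python model of the matching rules described above: wildcard-mask comparison, first-match-wins ordering and the implicit deny at the end of the list, applied to the page's own access list 101. The 10.1.1.0 0.0.0.255 network and the 192.0.2.x / 198.51.100.x packet addresses are constructed sample values, and only a destination "eq PORT" is parsed, which is all the page's entries use.

```python
import ipaddress

# The page's own access list 101 (extended: protocol, source, destination, port).
ACL_101 = [
    "deny tcp any any eq 12345 log",
    "deny udp any any eq 12345 log",
    "permit ip any any",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_rule(line):
    """Parse one extended-list entry; only a destination 'eq PORT' and 'log' are handled."""
    t = line.split()
    rule = {"action": t[0], "proto": t[1]}
    rule["src"], i = _parse_addr(t, 2)
    rule["dst"], i = _parse_addr(t, i)
    rest = t[i:]
    rule["dport"] = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
    rule["log"] = "log" in rest
    return rule

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Walk the list in order; the first matching entry decides, else the implicit deny applies."""
    for line in acl_lines:
        r = parse_rule(line)
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not wildcard_match(src, *r["src"]) or not wildcard_match(dst, *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], line
    return "deny", None  # implicit deny: no entry matched, packet is discarded

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "192.0.2.10", "198.51.100.5", 12345))  # constructed packet
```

Swap the order of the entries in ACL_101 so that "permit ip any any" comes first and the port-12345 denies never match, which is the ordering mistake the article warns about.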

Named type
To finish, let's turn to named access lists. They were introduced in IOS 11.2 and are not backward-compatible with older releases. With named lists, you identify an IP access list, whether standard or extended, by an alphanumeric name instead of a number, which lets you exceed the previous limit of 99 standard lists and 100 extended lists. You should not, however, assume that every access list that can use a number can also use a name. If you choose this method, be aware that the mode and command syntax are a little different. Also, as of now, only packet and route filters can use a named list.

As you can see, using access lists is not hard. When you understand how they work, you can handle this tool. I wouldn't be mistaken if I said that access lists are one of the most important parts of Cisco IOS. And this makes the access list a must-know for every Cisco specialist.