Introduction to Cisco IOS Access-Lists

In a perfect world where we could trust everyone and nobody made mistakes we wouldn’t need security. In real life, however, bad things happen to our network, so we need to protect it.

This lesson is an introduction to access-lists and you’ll learn the difference between standard and extended access-lists.

Access-lists match on network layer (layer 3) and transport layer (layer 4) fields: a standard access-list looks only at the source IP address, while an extended access-list can also match the destination IP address, the protocol and the port numbers. Access-lists can be used for two different things:

  • Filtering
  • Classification

Access List Network Topology

Filtering is used to permit or deny traffic reaching certain parts of our network. Without filtering, traffic can go anywhere; if you look at the picture above, you probably don’t want IP packets from the Internet to enter your network freely. You can also use an access-list to block IP packets from /24 going to /24, or something else.

Classification does not drop IP packets like filtering does; instead we use the access-list to “select” traffic. Let’s take a look at an example:

access-list classification

In the picture above we have a VPN that encrypts traffic between the two routers. Whenever we create a VPN we can use an access-list to “select” what traffic should be encrypted. Perhaps I want traffic from network /24 to be encrypted but not traffic from /24. Using an access-list to “select” traffic like this is called classification. Note that a deny statement in such an access-list does not drop anything: the packet is simply not selected, so it is forwarded unencrypted. Get the classification wrong and traffic you expected to be protected leaves in clear text.

Let’s take a closer look at filtering. After creating an access-list there are three places where you can apply it:

Access-List Inbound

You can apply the access-list inbound on an interface, which means that every packet arriving on that interface is checked against the access-list before the router does anything else with it, including the routing lookup. A packet that is denied is discarded without ever being routed.

acl outbound

Another option is to apply the access-list outbound. In this case IP packets go through the router and are checked against the access-list as they leave the interface. When you place an access-list outbound, this is what your router does:

Access-List Outbound Order

  1. IP Packets will enter your router.
  2. Your router will check if it knows about the destination by looking in its routing table.
  3. If there is no entry in the routing table the IP packet will be discarded.
  4. If there is an entry in the routing table it will select the correct outgoing interface.
  5. If there is no access-list the IP packet will be sent out of the interface.
  6. If there is an access-list we’ll have to check our IP packet and compare it with the access-list.
  7. If the IP packet is permitted it will be forwarded, otherwise it will be discarded and go to IP heaven.

Two things to keep in mind when you filter this way. Every access-list ends with an invisible “deny any”, so a packet that matches none of your entries is discarded; an access-list that contains only deny statements blocks everything. And an outbound access-list only sees transit traffic: packets the router generates itself, such as routing updates or SSH sessions it opens, are not checked against it.

The third option is applying it to the VTY lines with the access-class command. This does not filter transit traffic; it restricts which source addresses are allowed to open a Telnet and/or SSH session to the router itself, which is how you keep management access limited to your administration hosts.

Access-List VTY Line

Let me give you an example of what an access-list looks like:
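The lesson’s own example sits behind the paywall. What follows is an added example, not code from the lesson or from Cisco: a small Python model of how IOS evaluates numbered access-lists and where they sit in the forwarding path described above. It parses standard and extended access-list statements in IOS syntax, matches addresses with wildcard masks, applies top-down first-match order with the implicit deny at the end, walks the inbound ACL, route lookup, outbound ACL sequence from the list above, and models the vty access-class check. The function names (parse_acl, evaluate, forward, access_class), the interface names Gi0/0 and Gi0/1, and the addresses in the sample ACLs are assumptions constructed for the example; named ACLs, port ranges and established/log keywords are not handled.

```python
# Added example (not from the lesson): model of IOS numbered ACL evaluation; all names constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}   # IOS shows these names instead of numbers
ANY = (0, 0xFFFFFFFF)                                # 0.0.0.0 255.255.255.255

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"                # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: Tuple[int, int]             # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int] = None

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _addr(tokens: List[str], wildcard_required: bool) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.W.W.W]' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    addr = _ip(tok)
    # A bare address in a standard ACL means one host; extended ACLs spell out the mask.
    if wildcard_required or (tokens and tokens[0][0].isdigit()):
        return addr, _ip(tokens.pop(0))
    return addr, 0

def parse_acl(text: str) -> List[Entry]:
    """Parse numbered 'access-list N permit|deny ...' lines in the order written."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99 or 1300 <= number <= 1999:       # standard: source address only
            entries.append(Entry(action, "ip", _addr(rest, False), ANY))
            continue
        proto = rest.pop(0)                               # extended: proto src dst [eq port]
        src, dst = _addr(rest, True), _addr(rest, True)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries

def _wild_match(value: int, spec: Tuple[int, int]) -> bool:
    addr, wildcard = spec            # wildcard bit 1 = don't care, bit 0 = must match
    return ((value ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; falling off the end hits the implicit 'deny any'."""
    src, dst = _ip(pkt.src), _ip(pkt.dst)
    for e in acl:
        if (e.proto in ("ip", pkt.proto) and _wild_match(src, e.src)
                and _wild_match(dst, e.dst) and e.dport in (None, pkt.dport)):
            return e.action
    return "deny"

def access_class(acl: List[Entry], src: str) -> bool:
    """'access-class ACL in' on line vty: only the management session's source is tested."""
    return evaluate(acl, Packet(src, "0.0.0.0")) == "permit"

def forward(routes: Dict[str, str], acl_in: Dict[str, List[Entry]],
            acl_out: Dict[str, List[Entry]], pkt: Packet, ingress: str) -> str:
    """Inbound ACL, then route lookup, then outbound ACL; returns egress interface or drop reason."""
    if ingress in acl_in and evaluate(acl_in[ingress], pkt) == "deny":
        return "dropped: inbound acl"                     # checked before any routing
    dst, best = ipaddress.IPv4Address(pkt.dst), None
    for prefix, iface in routes.items():                  # longest prefix match
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return "dropped: no route"
    egress = best[1]
    if egress in acl_out and evaluate(acl_out[egress], pkt) == "deny":
        return "dropped: outbound acl"                    # checked only after the lookup
    return egress

# Constructed sample: extended ACL 100 applied outbound on the WAN interface blocks
# Telnet from the LAN and permits its other traffic; any other source hits the implicit deny.
ACL_100 = parse_acl("""
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
""")
ACL_10 = parse_acl("access-list 10 permit 192.168.1.100")   # standard ACL for the vty lines
ROUTES = {"192.168.1.0/24": "Gi0/1", "0.0.0.0/0": "Gi0/0"}
if __name__ == "__main__":
    print(forward(ROUTES, {}, {"Gi0/0": ACL_100}, Packet("192.168.1.10", "203.0.113.5", "tcp", 23), "Gi0/1"))
    print(forward(ROUTES, {}, {"Gi0/0": ACL_100}, Packet("192.168.1.10", "203.0.113.5", "tcp", 443), "Gi0/1"))
    print(forward(ROUTES, {}, {"Gi0/0": ACL_100}, Packet("10.9.9.9", "203.0.113.5", "udp", 53), "Gi0/1"))
    print(access_class(ACL_10, "192.168.1.100"), access_class(ACL_10, "192.168.1.10"))
```

Run it directly to see the forwarding decisions and the two vty checks. The second line of ACL 100 is what makes the example usable: without it the LAN’s non-Telnet traffic would also fall through to the implicit deny, which is the classic mistake in a first deny-only access-list. The same ACL applied inbound on each LAN interface would give the same result for transit traffic; outbound on the single WAN interface it only has to be applied once.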



Forum Replies

  1. Asi
    The first thing you have to decide is whether you are creating a standard or extended access-list. The next decision to make is whether you want to use an access-list number or an access-list name. In the examples you gave, you chose to use named access-lists for both (out_acsz_in). Also, in your example, we must be using extended access-lists (because you specified the destination of the traffic you are permitting).

    Let’s look at your two examples, and reconfigure them so they are using the proper syntax.
    Your first example is this:


  2. Hi Zaman,

    Functionally there is no difference between named and numbered ACLs, so both work the same way as what you have learned in our lessons.
    The only difference is that with named ACLs you can use a more descriptive name rather than a number. For example, if you want to deny HTTP traffic, you can name the ACL something like:
    ip access-list extended Deny_HTTP
    This gives you as an administrator a better idea of what this ACL is doing.

    Another point is that in the old IOS it wasn’t possible to edit numbered ACLs, so i


  3. Hello Siu Kai L,

    Both inbound and outbound get the job done; they filter packets. It depends on the scenario which one you might want to use. For example, let’s say you have a router with 4 interfaces:

    * 1x WAN interface that connects to the Internet
    * 3x LAN interfaces

    Let’s say you want to restrict internet traffic from your LAN to the Internet. You could attach the same access-list INBOUND on all three LAN interfaces, or you can attach the access-list OUTBOUND on your WAN interface. Both get the job done, the only difference is you have to apply it once inste


  4. Hello Shivam

    Yes, it is possible to apply the access lists as you mention in your post. Keep in mind that you can apply one access list per direction per interface. This means that you can have both an inbound and an outbound access list applied to the same interfac


  5. Hello Lazaro Agapides,
    OK, I understand, it is very clear to me now.
    Thank you very much.
