Cisco CCNA Certification Test Prep Tutorial:
Standard Access Lists And Packet Filtering
By Chris Bryant, CCIE #12933
During your CCNA exam studies, you quickly learn it's not enough to configure Cisco routers with the commands necessary to send packets to their intended destination - you've also got to configure them to prevent certain traffic from reaching certain destinations.
This is packet filtering, and a basic part of configuring packet filtering is the access list.
Before we go too far into this ACL discussion, I do want to tell you that you're going to use ACLs for the length of your entire networking career - ACLs literally have dozens of uses.
I'm mentioning this here to really drive home this point - ACLs are NOT just for your CCNA exam. You're going to use them on just about any Cisco exam you ever take, not to mention working with today's production networks - so get comfortable with ACLs, because you won't be leaving them behind once you earn your CCNA.
With properly configured access lists, you can prevent certain traffic types from being processed by the router while allowing other packet types.
Standard ACLs are the basic form of access list, and it's that access list type we'll focus on in this CCNA certification tutorial.
The first thing to note about actually writing and applying access lists is that they're configured in global configuration mode, but they're applied at the interface level. An access list does not take effect until it's actually applied - just writing it has no effect.
Standard access lists are written with the access-list command and are applied to router interfaces with the ip access-group command. Packet filtering can be applied to incoming or outgoing packets.
More right after this quick, important announcement!
____________________________________________________
I'm Paying It Forward Bigger Than Before...
The CCNA Study Package Is Now $25!

"You are the reason I'm a CCNA today!" - Paul Laudenslager
____________________________________________________
When writing an access list, the order of the lines is vital. The access list is compared to the packet on a line-by-line basis from top to bottom; once a match is found, the packet is either permitted or denied by the router.
If an access list contains more than one line that matches the packet, the one closest to the top will be the one that takes effect.
If there is no match, the implicit deny is applied to the packet. An easy way to remember this:
"If a packet is not expressly permitted, it is implicitly denied."
This implicit deny is a default behavior of Cisco access lists and cannot be changed, although it can be avoided by making the final written line of the access list a "permit any" statement.
The rules we've discussed so far are true of any access list, but the following are true only of standard ACLs:
Only one factor can be matched against with standard access lists - the source IP address of the packet. To match against the packet's destination IP address or a source and/or destination port number, an extended ACL must be used.
There are two numeric ranges for standard ACLs: 1 - 99 and 1300 - 1999.
Let's take a look at a typical standard ACL and how to apply it to an Ethernet interface on a Cisco router. First, we'll write an access list that only allows packets with a source IP address from the 172.12.12.0 255.255.255.0 network.
R3#conf t
R3(config)#access-list 5 permit 172.12.12.0 0.0.0.255
You don't see the implicit deny - but I promise you, it's there! Traffic that isn't sourced from the 172.12.12.0 /24 network will be denied. Now that we've configured the router, we need to apply the ACL to the Ethernet interface.
R3#conf t
R3(config)#interface e0
R3(config-if)#ip access-group 5 in
Note the "in" at the end of that command. Cisco routers will not allow you to use the ip access-group command without defining the direction of the packets that will be matched against this list.
In this case, packets that come into interface Ethernet0 will be permitted only if they have a source address from the 172.12.12.0 /24 network. If they come from any other network, they'll be dropped.
One final rule regarding access lists - on any given interface, you can only have one access list applied to outbound packets and only one for inbound packets. While it would certainly be rare, you could apply the same ACL to inbound and outbound packets, as shown below.
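The behaviour described in this tutorial - top-down, first-match evaluation against the source address only, the implicit deny at the end of the list, wildcard-mask matching, and one list per direction on an interface - can be checked against a small simulation. The following Python is an added example, not IOS code and not from the tutorial; it models ACL 5 as written above, applied inbound on Ethernet0, plus a constructed ACL 7 (not on the page) that shows why line order matters. The `InterfaceFilter` class and its method names are assumptions made for the simulation.

```python
"""Simulation of Cisco standard ACL evaluation (added example, not IOS code).

Models what the tutorial describes: top-down, first-match evaluation of a
standard ACL against a packet's source IP only, an implicit deny when no line
matches, wildcard-mask matching, and one ACL per direction on an interface."""
import ipaddress

STANDARD_RANGES = ((1, 99), (1300, 1999))


def _ip(text):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_entry(line):
    """Parse 'access-list N permit|deny (any | host A.B.C.D | A.B.C.D [WILDCARD])'.

    Returns (number, action, network, wildcard) with the addresses as ints.
    A missing wildcard means 0.0.0.0, i.e. an exact host match."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number = int(parts[1])
    if not any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        raise ValueError(f"{number} is outside the standard ACL ranges 1-99 / 1300-1999")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {line!r}")
    if parts[3] == "any":
        network, wildcard = 0, 0xFFFFFFFF
    elif parts[3] == "host":
        network, wildcard = _ip(parts[4]), 0
    else:
        network = _ip(parts[3])
        wildcard = _ip(parts[4]) if len(parts) > 4 else 0
    return number, action, network, wildcard


def source_matches(src_ip, network, wildcard):
    """Wildcard bit 0 = 'must match', bit 1 = 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(src_ip) & care) == (network & care)


def evaluate(acl_lines, src_ip):
    """Return (action, matched_line). The first matching line from the top
    wins; a packet that matches nothing falls through to the implicit deny."""
    entries = [parse_entry(line) for line in acl_lines]
    if len({e[0] for e in entries}) > 1:
        raise ValueError("all entries must belong to the same list number")
    for line, (_, action, network, wildcard) in zip(acl_lines, entries):
        if source_matches(src_ip, network, wildcard):
            return action, line
    return "deny", "implicit deny"


class InterfaceFilter:
    """Hypothetical model of an interface: one ACL per direction ('in'/'out')."""

    def __init__(self, name):
        self.name = name
        self.applied = {"in": None, "out": None}

    def ip_access_group(self, acl_lines, direction):
        # Like IOS, the direction is mandatory; applying again replaces the list.
        if direction not in self.applied:
            raise ValueError("direction must be 'in' or 'out'")
        self.applied[direction] = list(acl_lines)

    def decide(self, src_ip, direction):
        acl = self.applied[direction]
        if acl is None:
            return "permit", "no ACL applied"  # unfiltered direction
        return evaluate(acl, src_ip)


# ACL 5 exactly as written in the tutorial, applied inbound on Ethernet0.
ACL_5 = ["access-list 5 permit 172.12.12.0 0.0.0.255"]

# Constructed ACL 7 (not from the tutorial): the host deny must sit above the
# network permit, or the broader permit would match first and the deny would
# never be reached. The closing 'permit any' removes the implicit deny.
ACL_7 = [
    "access-list 7 deny host 172.12.12.9",
    "access-list 7 permit 172.12.12.0 0.0.0.255",
    "access-list 7 permit any",
]

if __name__ == "__main__":
    e0 = InterfaceFilter("Ethernet0")
    e0.ip_access_group(ACL_5, "in")
    for src in ("172.12.12.77", "10.1.1.1"):
        print(src, "inbound on", e0.name, "->", e0.decide(src, "in"))
    for src in ("172.12.12.9", "172.12.12.10", "10.1.1.1"):
        print(src, "against ACL 7 ->", evaluate(ACL_7, src))
```

Running the module prints the decision for each sample source address; swapping the first two lines of ACL_7 and re-running shows the host deny being shadowed by the earlier network permit, which is the ordering mistake the tutorial warns about.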
R3#conf t
R3(config)#interface e0
R3(config-if)#ip access-group 5 in
R3(config-if)#ip access-group 5 out
Of course, just because you can do something doesn't mean you should!
Be sure to visit my CCNA / CCNP certification tutorial page for more information on access lists - and over 400 additional tutorials to help you earn your CCNA and CCNP!
To your success,
Chris Bryant
CCIE #12933
"The Computer Certification Bulldog" chris@thebryantadvantage.com