Cisco CCNA Certification Test Prep Tutorial:

Standard Access Lists And Packet Filtering

By Chris Bryant, CCIE #12933

During your CCNA exam studies, you quickly learn it's not enough to configure Cisco routers with the commands necessary to send packets to their intended destination - you've also got to configure them to prevent certain traffic from reaching certain destinations! This is packet filtering, and the basic building block of packet filtering on a Cisco router is the access list.

With properly configured access lists, you can prevent certain traffic types from being processed by the router while allowing other packet types through. Standard ACLs are the simplest form of access list, and it's that access list type we'll focus on in this CCNA certification tutorial.

The first thing to note about actually writing and applying access lists is that they're configured in global configuration mode, but they're applied at the interface level. An access list does not take effect until it's actually applied - just writing it has no effect. Standard access lists are written with the access-list command and are applied to router interfaces with the ip access-group command. Packet filtering can be applied to incoming or outgoing packets.

When writing an access list, the order of the lines is vital. The access list is compared to the packet on a line-by-line basis from top to bottom; as soon as a match is found, the packet is either permitted or denied by the router and no further lines are examined. If an access list contains more than one line that matches the packet, the one closest to the top will be the one that takes effect. The practical consequence is that a specific entry (a single host, for example) placed below a broader entry that already covers it will never match anything; put your most specific lines first.

If there is no match on any line, the implicit deny is applied to the packet. An easy way to remember this: "If a packet is not expressly permitted, it is implicitly denied." This implicit deny is a default behavior of Cisco access lists and cannot be removed or changed. It can only be made irrelevant by making the final written line of the access list a "permit any" statement, so that every packet matches something before the implicit deny is reached. Note the flip side as well: an access list containing nothing but deny statements blocks all traffic, because anything the deny lines miss is still caught by the implicit deny.

The rules we've discussed so far are true of any access list, but the following are true only of standard ACLs:

Only one factor can be matched against with standard access lists - the source IP address of the packet. To match against the packet's destination IP address or a source and/or destination port number, an extended ACL must be used.

There are two numeric ranges for standard ACLs: 1 - 99 and 1300 - 1999.

Let's take a look at a typical standard ACL and how to apply it to an Ethernet interface on a Cisco router. First, we'll write an access list that only allows packets with a source IP address from the 172.12.12.0 255.255.255.0 network. Note that the access-list command takes a wildcard mask, not a subnet mask: a wildcard mask is the bitwise inverse of the subnet mask, with a 0 bit meaning "this bit must match" and a 1 bit meaning "don't care". The /24 subnet mask 255.255.255.0 therefore becomes the wildcard mask 0.0.0.255.

R3#conf t

R3(config)#access-list 5 permit 172.12.12.0 0.0.0.255


You don't see the implicit deny - but I promise you, it's there! Traffic that isn't sourced from the 172.12.12.0 /24 network will be denied. Now that we've configured the router, we need to apply the ACL to the Ethernet interface with the ip access-group command.

R3#conf t

R3(config)#interface e0

R3(config-if)#ip access-group 5 in

Note the "in" at the end of that command. Cisco routers will not allow you to use the ip access-group command without defining the direction of the packets that will be matched against this list. In this case, packets that come into interface Ethernet0 will be permitted only if they have a source address from the 172.12.12.0 /24 network. If they come from any other network, they'll be dropped. To verify your work, show ip access-lists displays the list with a match counter on each line that has matched traffic, and show ip interface e0 shows which access list is applied to the interface and in which direction. One security caveat to keep in mind: because a standard ACL looks at nothing but the source address, a host that forges a permitted source address will get through it. A standard ACL is a traffic-steering tool, not a substitute for authentication.
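To make the evaluation rules above concrete, here is a small Python model of how a numbered standard ACL is processed: entries checked top-down, first match wins, the implicit deny at the end, wildcard-mask matching against the source address only. This is an added example, not IOS code and not part of the original tutorial. It parses the same access-list 5 line used above, and the second list (ACL 10, with a host deny placed above a network permit) is constructed for illustration to show why line order matters; the shadowed_entries check, which flags lines that can never match, is a hypothetical helper, not an IOS command.

```python
"""Toy model of Cisco IOS standard ACL evaluation (added example, not IOS code).

Rules modelled, as described in the tutorial:
  - entries are checked top-down and the first match decides,
  - a packet matching no entry hits the implicit deny,
  - only the packet's source address is examined,
  - addresses are matched through a wildcard mask (1 bit = don't care).
"""
import ipaddress

# Numbered standard ACLs live in 1-99 and 1300-1999.
STANDARD_RANGES = ((1, 99), (1300, 1999))


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_from_mask(subnet_mask):
    """255.255.255.0 -> 0.0.0.255: the ACL wildcard is the inverted subnet mask."""
    return str(ipaddress.IPv4Address(_ip(subnet_mask) ^ 0xFFFFFFFF))


def parse_entry(line):
    """Parse one 'access-list N permit|deny <source>' line.

    Accepted source forms: 'any', 'host A.B.C.D', 'A.B.C.D' (IOS treats a bare
    address as a host entry), or 'A.B.C.D W.W.W.W' (address plus wildcard).
    Returns (number, action, address_int, wildcard_int)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    number, action, rest = int(parts[1]), parts[2], parts[3:]
    if not any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        raise ValueError("%d is not a standard ACL number" % number)
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny, got %r" % action)
    if rest[0] == "any":
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        addr, wildcard = rest[1], "0.0.0.0"
    elif len(rest) == 1:
        addr, wildcard = rest[0], "0.0.0.0"
    else:
        addr, wildcard = rest[0], rest[1]
    return number, action, _ip(addr), _ip(wildcard)


def build_acl(lines):
    """Parse a list of lines that all belong to the same numbered ACL."""
    entries = [parse_entry(line) for line in lines]
    numbers = {entry[0] for entry in entries}
    if len(numbers) != 1:
        raise ValueError("lines belong to different ACLs: %s" % sorted(numbers))
    return entries


def _matches(src, addr, wildcard):
    # Compare only the bits where the wildcard is 0 ("must match").
    care = ~wildcard & 0xFFFFFFFF
    return (src & care) == (addr & care)


def evaluate(entries, src_ip):
    """Return (action, line_no) for a packet with this source address.

    line_no is None when no entry matched and the implicit deny applied."""
    src = _ip(src_ip)
    for line_no, (_, action, addr, wildcard) in enumerate(entries, 1):
        if _matches(src, addr, wildcard):
            return action, line_no
    return "deny", None


def shadowed_entries(entries):
    """Line numbers of entries that can never match because an earlier entry
    already covers every address they would match (a classic ACL audit finding).

    Entry j is covered by earlier entry i when every bit i cares about is also
    fixed by j, and the two agree on those bits."""
    shadowed = []
    for j, (_, _, addr_j, wc_j) in enumerate(entries):
        for i in range(j):
            _, _, addr_i, wc_i = entries[i]
            care_i = ~wc_i & 0xFFFFFFFF
            if (wc_j & care_i) == 0 and (addr_i & care_i) == (addr_j & care_i):
                shadowed.append(j + 1)
                break
    return shadowed


if __name__ == "__main__":
    acl5 = build_acl(["access-list 5 permit 172.12.12.0 0.0.0.255"])
    print(evaluate(acl5, "172.12.12.7"))   # permitted by line 1
    print(evaluate(acl5, "172.12.13.7"))   # implicit deny
    # Constructed ACL 10: specific host deny above the broader network permit.
    acl10 = build_acl(["access-list 10 deny host 172.12.12.1",
                       "access-list 10 permit 172.12.12.0 0.0.0.255",
                       "access-list 10 permit any"])
    print(evaluate(acl10, "172.12.12.1"), shadowed_entries(acl10))
```

Swap the first two lines of ACL 10 and shadowed_entries reports line 2: the host deny sits below a network permit that already covers it, so 172.12.12.1 is permitted on line 1 and the deny never fires. That is exactly the ordering mistake the paragraphs above warn about, and it is worth running such a check before applying any list to a production interface.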

One final rule regarding access lists - on any given interface, you can only have one IP access list applied to outbound packets and only one applied to inbound packets. If you apply a second list in the same direction, it replaces the first rather than being added to it. While it would certainly be rare, you could apply the same ACL to inbound and outbound packets, as shown below.

R3#conf t

R3(config)#interface e0

R3(config-if)#ip access-group 5 in

R3(config-if)#ip access-group 5 out

Of course, just because you can do something doesn't mean you should!

To your success,

Chris Bryant

CCIE #12933

chris@thebryantadvantage.com
