Access List Configuration


Access List Configuration Facts

Configuring access lists involves two general steps:

  1. Create the list and list entries with the access-list command.
  2. Apply the list to a specific interface or line.
    • Use the ip access-group command to apply the list to an interface.
    • Use the access-class command to apply the list to a line.

When constructing access list statements, keep in mind the following:

  • The access list statement includes the access list number. The type of list (standard or extended) is indicated by the access list number. Use the following number ranges to define the access list:
    • 1-99 = Standard IP access lists
    • 100-199 = Extended IP access lists
  • A single access list can include multiple access list statements. The access list number groups all statements into the same access list.
  • List statements include an action, either permit or deny.
  • To identify a host address in the access list statement, use one of the following formats, where n.n.n.n is the IP address of the host:
    n.n.n.n
    n.n.n.n 0.0.0.0
    host n.n.n.n
  • To identify a network address, use the format:
    n.n.n.n w.w.w.w
    Where n.n.n.n is the subnet address and w.w.w.w is the wildcard mask.
  • Enter access list statements in order, with the most restrictive statements at the top. Traffic is matched to access list statements in the order they appear in the list. If the traffic matches a statement high in the list, subsequent statements will not be applied to the traffic.
  • Each access list has an implicit deny any statement at the end of the access list. Your access list must contain at least one permit statement, or no traffic will be allowed.
  • When you remove an access list statement, the entire access list is deleted. Use Notepad or another text editor to construct and modify access lists, then paste the list into the router console.
  • A single access list can be applied to multiple interfaces.
  • Extended access lists include a protocol designation (such as IP, TCP, or UDP). Use IP to match any Internet Protocol (including TCP and UDP). Use other keywords to match specific protocols.
  • Newer routers include an access list command prompt mode.
    • Before you can enter access list statements, you must first enter the configuration mode for access lists. For example, typing ip access-list standard 3 creates the standard IP access list number 3 and changes the router prompt to: Router(config-std-nacl)#
    • In access list mode, you can use a sequence number to identify the order of access list statements.
    • Removing an access list statement removes only that statement, not the entire access list.

Examples
The following commands create a standard IP access list that permits all outgoing traffic except the traffic from network 10.0.0.0, and applies the list to the Ethernet0 interface.

Router(config)#access-list 1 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 1 permit any
Router(config)#int e0
Router(config-if)#ip access-group 1 out

The following commands create a standard IP access list that rejects all traffic except traffic from host 10.12.12.16, and applies the list to the Serial0 interface.

Router(config)#access-list 2 permit 10.12.12.16
Router(config)#int s0
Router(config-if)#ip access-group 2 in

The following commands create an extended IP access list that rejects packets from host 10.1.1.1 sent to host 15.1.1.1, and applies the list to the second serial interface.

Router(config)#access-list 101 deny ip 10.1.1.1 0.0.0.0 15.1.1.1 0.0.0.0
Router(config)#access-list 101 permit ip any any 
Router(config)#int s1
Router(config-if)#ip access-group 101 in

The following commands create an extended IP access list that does not forward TCP packets from any host on network 10.0.0.0 to network 11.12.0.0, and applies the list to the first serial interface.

Router(config)#access-list 111 deny tcp 10.0.0.0 0.255.255.255 11.12.0.0 0.0.255.255
Router(config)#access-list 111 permit ip any any 
Router(config)#int s0
Router(config-if)#ip access-group 111 in

The following commands create a standard access list that allows VTY lines 0-4 access only from the internal network of 192.168.1.0/24:

Router(config)#access-list 12 permit 192.168.1.0 0.0.0.255
Router(config)#line vty 0 4
Router(config-line)#access-class 12 in
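As an added example (not part of the original notes), the following Python models the matching rules described above: wildcard-mask comparison, top-down first-match evaluation, and the implicit deny any at the end of every list. It is fed the page's own access-list statements; the parser, the entry tuple layout and the packet fields (source, destination, protocol) are assumptions made for illustration, not IOS internals.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: 0 bits must match, 1 bits are 'don't care' (inverse of a subnet mask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _take_addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host n', 'n w', or bare 'n' (standard-list host)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return tok[i], tok[i + 1], i + 2
    return tok[i], "0.0.0.0", i + 1

def parse_acl(config_lines):
    """Group numbered 'access-list' statements by list number, preserving entry order."""
    acls = {}
    for line in config_lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue                                     # skip remarks and non-ACL lines
        num, action = int(tok[1]), tok[2]
        if 1 <= num <= 99:                               # standard: source address only
            src, swc, _ = _take_addr(tok, 3)
            dst, dwc, proto = "0.0.0.0", "255.255.255.255", "ip"
        elif 100 <= num <= 199:                          # extended: protocol, source, destination
            proto = tok[3].lower()
            src, swc, i = _take_addr(tok, 4)
            dst, dwc, _ = _take_addr(tok, i)
        else:
            raise ValueError(f"unsupported access-list number {num}")
        acls.setdefault(num, []).append((action, proto, src, swc, dst, dwc))
    return acls

def evaluate(entries, src, dst="0.0.0.0", proto="ip"):
    """First matching statement wins; anything unmatched falls to the implicit 'deny any'."""
    for action, p, sbase, swc, dbase, dwc in entries:   # 'ip' entries match every IP protocol
        if (p == "ip" or p == proto) and wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action
    return "deny"

# Constructed input: the page's own statements with the Router(config)# prompts stripped.
PAGE_CONFIG = [
    "access-list 1 deny 10.0.0.0 0.255.255.255", "access-list 1 permit any",
    "access-list 2 permit 10.12.12.16", "access-list 12 permit 192.168.1.0 0.0.0.255",
    "access-list 101 deny ip 10.1.1.1 0.0.0.0 15.1.1.1 0.0.0.0", "access-list 101 permit ip any any",
    "access-list 111 deny tcp 10.0.0.0 0.255.255.255 11.12.0.0 0.0.255.255", "access-list 111 permit ip any any",
]
ACLS = parse_acl(PAGE_CONFIG)
```

Note that list 2 permits exactly one host and nothing else: every other source falls through to the implicit deny, which is why the facts above insist on at least one permit statement.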



Credit: Testout 640-802 CCNA Notes
Tags: #access list configuration #ccna #network
Record number: 319945. Written on 13 December 2009, 08:51. Last edited 1 June 2012, 12:59. License: Creative Commons Attribution-NonCommercial-NoDerivatives.


Comments (1)

I really want to be good at this and understand it....
