Cisco® CCNA Exam Cram Notes : IPv4 access-list

VIII. Security Fundamentals

5. IPv4 access-list

An IP access list is a sequential list of permit and deny conditions that are matched against IP addresses or upper-layer protocols. Access Control Lists (ACLs) are used on routers to identify and control traffic.

There are three types of IP access lists:

1. Standard IP Access Lists: Standard ACLs control traffic by the comparison of the source address of the IP packets to the addresses configured in the ACL. In all software releases, the access-list-number can be anything from 1 to 99. In Cisco IOS Software Release 12.0.1, standard ACLs begin to use additional numbers (1300 to 1999). These additional numbers are referred to as expanded IP ACLs. After the ACL is defined, it must be applied to the interface (inbound or outbound).

This is the command syntax format of a standard ACL.

access-list <access-list-number> {permit|deny} {host <host-address>|<source> <source-wildcard>|any}

Keep in mind that:


1. Place standard access lists as near the destination as possible and extended access lists as close to the source as possible.
2. Access lists have an implicit deny at the end of them automatically. Because of this, an access list should have at least one permit statement in it; otherwise the access list will block all remaining traffic.
3. Access lists applied to interfaces default to outbound if no direction is specified.

2. Extended IP Access Lists: Extended ACLs control traffic by comparing both the source and the destination addresses of the IP packets (and optionally the protocol and port) to the values configured in the ACL. In all software releases, the access-list-number can be 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs begin to use additional numbers (2000 to 2699). These additional numbers are referred to as expanded IP ACLs. IP extended access lists have the format:

access-list <access-list-number> {permit|deny} <protocol> <source> <source-wildcard> <destination> <destination-wildcard> [<operator> <port>]

With extended IP access lists, we can act on any of the following:

  • Source address

  • Destination address

  • IP protocol (TCP, ICMP, UDP, etc.)

  • Port information (WWW, DNS, FTP, etc.)

As seen from the syntax, the source IP address precedes the destination. Extended access lists are applied close to the source, whereas standard access lists are applied close to the destination. The permitted numbers for some important access lists are:

  • 1-99: IP standard access list

  • 100-199: IP extended access list

  • 800-899: IPX standard access list

  • 900-999: IPX extended access list

  • 1000-1099: IPX SAP access list

  • 1100-1199: Extended 48-bit MAC address access list

Wildcard masking: Wildcard masking is used to permit or deny a group of addresses. In a wildcard mask a 0 bit means "must match" and a 1 bit means "don't care". For example, if we have a source address 185.54.13.2 and want all the hosts in the last octet to be considered, we use the wildcard mask 0.0.0.255, so that every address from 185.54.13.0 through 185.54.13.255 matches.

Special cases: host 185.54.13.2 is the same as 185.54.13.2 with a wildcard mask of 0.0.0.0; only the specified IP address is considered.

any is equivalent to saying 0.0.0.0 with a wildcard mask of 255.255.255.255. This means none of the bits matter: every IP address meets the criteria.
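The wildcard matching and top-down, first-match-wins evaluation described above (with the implicit deny from the "Keep in mind" list), worked through in Python. This is an added example, not part of the original notes; the two access lists and the test addresses are constructed for illustration.

```python
import ipaddress

def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the netmask."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; every 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = w ^ 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)

def evaluate_standard_acl(acl, src_ip):
    """Walk the entries top-down; the first match wins.

    Returns (action, line_number). A packet that matches no entry falls
    through to the implicit deny, reported as ("deny", None).
    """
    for line, (action, base, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src_ip, base, wildcard):
            return action, line
    return "deny", None            # implicit deny at the end of every ACL

# Constructed list, equivalent to:
#   access-list 10 deny   host 185.54.13.2
#   access-list 10 permit 185.54.13.0 0.0.0.255
ACL_10 = [
    ("deny",   "185.54.13.2", "0.0.0.0"),                # 'host' == wildcard 0.0.0.0
    ("permit", "185.54.13.0", wildcard_for_prefix(24)),  # 0.0.0.255: last octet is free
]

# Constructed list with the entries in the wrong order: 'permit any' first
# matches everything, so the deny on line 2 can never be reached.
ACL_20 = [
    ("permit", "0.0.0.0", "255.255.255.255"),            # 'any'
    ("deny",   "185.54.13.2", "0.0.0.0"),                # shadowed, never matches
]

if __name__ == "__main__":
    for ip in ("185.54.13.2", "185.54.13.77", "10.0.0.5"):
        print(ip, evaluate_standard_acl(ACL_10, ip))
    print("ACL 20 on 185.54.13.2:", evaluate_standard_acl(ACL_20, "185.54.13.2"))
```

Address 10.0.0.5 matches neither entry of ACL 10 and is dropped by the implicit deny, which is why a list needs at least one permit statement.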

3. Named ACLs: Named ACLs allow standard and extended ACLs to be given names instead of numbers. Numbered access lists have a major disadvantage: the inability to edit specific lines in the access list. The only way to change one is to edit the lines in a text editor, then completely remove and re-add the ACL. Named ACLs also have the big advantage of a descriptive name; for an ACL named "Deny_Telnet" it is quite obvious that the ACL is for denying Telnet access.

This is the command syntax format for IP named ACLs.

ip access-list {extended|standard} <name>

The following commands can be used to view access lists:

sh ip access-list
