An access list is essentially a list of conditions that categorize packets. They can be really helpful when you need to exercise control over network traffic. An access list would be your tool of choice for decision making in these situations.
One of the most common and easiest to understand uses of access lists is filtering unwanted packets when implementing security policies.
A packet is compared with the lines of the access list in order, and only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
There is an implicit “deny” at the end of each access list—this means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded.
Each of these rules has some powerful implications when filtering IP packets with access lists, so keep in mind that creating effective access lists truly takes some practice.
Introduction to Access Lists
Once you create an access list, it’s not really going to do anything until you apply it. Yes, they’re there on the router, but they’re inactive until you tell that router what to do with them.
To use an access list as a packet filter, you need to apply it to an interface on the router where you want the traffic filtered. And you’ve got to specify which direction of traffic you want the access list applied to. There’s a good reason for this—you may want different controls in place for traffic leaving your enterprise destined for the Internet than you’d want for traffic coming into your enterprise from the Internet. So, by specifying the direction of traffic, you can—and frequently you’ll need to—use different access lists for inbound and outbound traffic on a single interface:
Inbound access lists
When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface.
Any packets that are denied won’t be routed because they’re discarded before the routing process is invoked.
Outbound access lists
When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued.
There are some general access-list guidelines that should be followed when you’re creating and implementing access lists on a router:
Standard access lists
These use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any of the many types of IP traffic such as web, Telnet, UDP, and so on.
By using numbers 1–99 or 1300–1999, you’re telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines.
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is; it’s used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4. When you need to specify a range of addresses, you choose the next-largest block size for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you only specify 2 networks, then a block size of 4 would work.
Wildcards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this:
22.214.171.124 0.0.0.0
We create the access list on Router 2 (the command is access-list with a hyphen, and the host keyword is shorthand for a 0.0.0.0 wildcard), then apply it outbound on the interface:
(config)# access-list 10 deny host 10.1.12.1
(config)# access-list 10 permit any
(config)# interface fastethernet 1/0
(config-if)# ip access-group 10 out
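To make the first-match and implicit-deny rules above, the wildcard/block-size arithmetic, and the behaviour of access list 10 concrete, here is an added example (not from the original text and not a Cisco tool): a small Python model of how a standard access list is evaluated. The function names (wildcard_for_block_size, block_size_for, matches, evaluate) and the sample packet sources other than 10.1.12.1 are constructed for this illustration.

```python
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def block_size_for(count: int) -> int:
    """Next-largest power-of-two block that covers `count` addresses
    (34 networks -> 64, 18 hosts -> 32, as in the text)."""
    size = 1
    while size < count:
        size *= 2
    return size


def wildcard_for_block_size(block_size: int, networks: bool = False) -> str:
    """Wildcard mask for a block of `block_size` hosts (last octet) or,
    with networks=True, `block_size` /24 networks (third octet).
    A block of 32 hosts is 0.0.0.31; a block of 64 networks is 0.0.63.255."""
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    bits = block_size - 1
    if networks:
        bits = (bits << 8) | 0xFF  # don't care about the whole host octet
    return str(ipaddress.IPv4Address(bits))


def matches(packet_src: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(packet_src) & care) == (ip_to_int(rule_addr) & care)


# Standard access list as (action, address, wildcard) entries.
# `host X` is shorthand for `X 0.0.0.0`; `any` is `0.0.0.0 255.255.255.255`.
# This is the access list 10 from the text (constructed as data here).
ACL_10 = [
    ("deny", "10.1.12.1", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Constructed list with no `permit any`: shows the implicit deny at the end.
ACL_BLOCK_OF_32 = [
    ("permit", "10.1.12.0", wildcard_for_block_size(32)),  # 10.1.12.0-10.1.12.31
]


def evaluate(acl, packet_src: str) -> str:
    """Walk the list top to bottom; the first matching line decides.
    Anything that matches no line is discarded (implicit deny)."""
    for action, addr, wildcard in acl:
        if matches(packet_src, addr, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    for src in ("10.1.12.1", "10.1.12.2"):
        print(f"ACL 10: source {src} -> {evaluate(ACL_10, src)}")
    for src in ("10.1.12.31", "10.1.12.32"):
        print(f"block of 32: source {src} -> {evaluate(ACL_BLOCK_OF_32, src)}")
    print("34 networks need block size", block_size_for(34),
          "-> wildcard", wildcard_for_block_size(block_size_for(34), networks=True))
```

Running it shows 10.1.12.1 denied by the first line and every other source permitted by `permit any`, while the block-of-32 list permits 10.1.12.31 but drops 10.1.12.32 even though no line says so, which is exactly the implicit deny the text warns about.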