Access lists are essentially lists of conditions that control access. They’re powerful tools that control access both to and from network segments. They can filter unwanted packets and be used to implement security policies. With the right combination of access lists, network managers will be armed with the power to enforce nearly any access policy they can invent. The IP and IPX access lists work similarly—they’re both packet filters that packets are compared with, categorized by, and acted upon. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an access list will then cause the router to analyze every packet crossing that interface in the specified direction and take action accordingly.
There are a few important rules a packet follows when it’s being compared with an access list:
It’s always compared with each line of the access list in sequential order, i.e., it’ll always start with line 1, then go to line 2, then line 3, and so on.
It’s compared with lines of the access list only until a match is made. Once the packet matches a line of the access list, it’s acted upon, and no further comparisons take place.
There is an implicit “deny any” at the end of each access list. This means that if a packet doesn’t match any line in the access list, it’ll be discarded.
Each of these rules has some powerful implications when filtering IP and IPX packets with access lists.
There are two types of access lists used with IP and IPX:
Standard access lists
These use only the source IP address in an IP packet to filter the network. Because nothing else is examined, a standard list permits or denies all traffic from that source, regardless of protocol or port. IPX standard access lists can filter on both source and destination IPX address.
Extended access lists
These check for both source and destination IP address, protocol field in the Network layer header, and port number at the Transport layer header. IPX extended access lists use source and destination IPX addresses, Network layer protocol fields, and socket numbers in the Transport layer header.
Once you create an access list, you apply it to an interface with either an inbound or outbound list:
Inbound access lists: Packets are processed through the access list before being routed to the outbound interface.
Outbound access lists: Packets are routed to the outbound interface and then processed through the access list.
There are also some access list guidelines that should be followed when creating and implementing access lists on a router:
You can assign only one access list per interface, per protocol, per direction. This means that if you are creating IP access lists, you can have at most one inbound and one outbound IP access list on a given interface.
Organize your access lists so that the more specific tests are at the top of the list; a broad permit placed above a narrow deny means the deny is never reached.
Any new line added to an existing access list is placed at the bottom of the list.
You cannot remove one line from a numbered access list. If you try to do this, you will remove the entire list. It is best to copy the access list to a text editor before editing it. Named access lists are the exception (as are numbered lists edited with sequence numbers in ip access-list configuration mode on later IOS releases).
Unless your access list ends with a permit any statement, all packets that do not match any of the list’s tests will be discarded. Every list should have at least one permit statement, or you might as well shut the interface down.
Create access lists first, then apply them to an interface. If an interface references an access list number that has no entries, no traffic is filtered and everything is permitted.
Access lists filter traffic going through the router. They will not filter traffic originated by the router itself.
Place IP standard access lists as close to the destination as possible, because they match only on source address and would otherwise block that source from reaching everything beyond the filtering point.
Place IP extended access lists as close to the source as possible, so unwanted traffic is dropped before it consumes bandwidth across the network.
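The following is an added illustration, not IOS source code or anything from the original text. It models how a router walks a numbered IP access list (top to bottom, first match wins, implicit deny at the end) and uses that model to show why the guideline about placing specific tests first matters: the same three entries, reordered, let a denied host through. The access-list lines, addresses and packets are constructed for the example; the parser handles only the subset of IOS syntax used here (standard lists 1-99, extended lists 100-199 with an optional eq port).

```python
"""Walk a numbered IP access list the way a Cisco router does: entries are
tested in order, the first match decides, anything left over hits the
implicit deny. Added example; the ACL lines below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Entry:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' (matches everything) or tcp/udp/icmp
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]   # None means any destination port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Read one address spec at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return ANY[0], ANY[1], i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    addr = _ip(tok[i])
    # 'a.b.c.d w.x.y.z' is an address/wildcard pair; a bare address (legal in
    # standard lists) means one host, i.e. wildcard 0.0.0.0
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return addr, _ip(tok[i + 1]), i + 2
    return addr, 0, i + 1


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <n> ...' lines. 1-99 are standard (source only),
    100-199 are extended (protocol, source, destination, optional eq port)."""
    entries: List[Entry] = []
    for line in lines:
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue                      # remarks never filter anything
        number, action = int(tok[1]), tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        if 1 <= number <= 99:
            src, wild, _ = _parse_addr(tok, 3)
            entries.append(Entry(action, "ip", src, wild, *ANY, None))
        elif 100 <= number <= 199:
            proto = tok[3]
            src, swild, i = _parse_addr(tok, 4)
            dst, dwild, i = _parse_addr(tok, i)
            dport = None
            if i < len(tok) and tok[i] == "eq":
                dport = int(tok[i + 1])
            elif i < len(tok):
                raise ValueError(f"unsupported qualifier in: {line}")
            entries.append(Entry(action, proto, src, swild, dst, dwild, dport))
        else:
            raise ValueError(f"unsupported list number in: {line}")
    return entries


def _addr_match(addr: int, entry_addr: int, wild: int) -> bool:
    # wildcard bit 1 = don't care, bit 0 = must match
    return ((addr ^ entry_addr) & ~wild & 0xFFFFFFFF) == 0


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching entry), or ('deny', None) when the
    packet falls through to the implicit deny at the end of the list."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _addr_match(_ip(pkt.src), e.src, e.src_wild):
            continue
        if not _addr_match(_ip(pkt.dst), e.dst, e.dst_wild):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx              # first match wins; stop comparing
    return "deny", None                   # implicit deny


# Constructed list: the specific host deny sits above the broader permits.
GOOD_ORDER = [
    "access-list 110 remark constructed example, not a real site policy",
    "access-list 110 deny tcp host 172.16.30.2 any eq 23",
    "access-list 110 permit tcp 172.16.30.0 0.0.0.255 any eq 23",
    "access-list 110 permit tcp 172.16.30.0 0.0.0.255 any eq 80",
]
# Same entries with the broad permit first: the host deny is never reached.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[1], GOOD_ORDER[3]]

if __name__ == "__main__":
    telnet = Packet("172.16.30.2", "10.1.1.9", "tcp", 23)
    web = Packet("172.16.30.7", "10.1.1.9", "tcp", 80)
    smtp = Packet("172.16.30.7", "10.1.1.9", "tcp", 25)   # matches nothing
    for name, acl in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        ents = parse_acl(acl)
        print(name, evaluate(ents, telnet), evaluate(ents, web), evaluate(ents, smtp))
```

With the entries in the good order, the telnet packet from 172.16.30.2 is stopped by entry 0; with the broad permit moved to the top, the same packet is permitted by entry 0 and the deny is dead. The SMTP packet matches no entry in either list and is dropped by the implicit deny, which is why a list with no permit statement blocks the whole interface.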