Chapter 7. Access Lists

In the most intuitive sense, an access list is a series of rules that instruct the router on how to select or match a route or packet. IOS uses access lists as an extremely general mechanism for controlling many kinds of router behavior, but the best way to understand how they work is to start with the simplest application: controlling the traffic that flows into or out of an interface.

Each rule in a standard access list contains three important parts:

  • a number that identifies the list when you refer to it in other parts of the router’s configuration

  • a deny or permit instruction

  • a packet identifier (such as an address)

As incoming or outgoing packets reach an interface that has an access list, the router compares the packets to each rule in the access list and decides whether the traffic should be blocked (denied) or permitted.

For IP traffic, there are two fundamental types of lists: standard and extended. Standard access lists filter based on source network addresses. A typical standard access list looks like this:

access-list 1 deny
access-list 1 deny
access-list 1 permit any

This list blocks any traffic from the and subnets, regardless of the packet’s destination, and permits anything that makes it past the first two lines. In other words, all traffic is permitted except for the and subnets. Once you have the list, you can apply it to the packets going into or out of a particular ...

Get Cisco IOS in a Nutshell, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.