Chapter 7. Access Lists

In the most intuitive sense, an access list is a series of rules that instruct the router on how to select or match a route or packet. IOS uses access lists as an extremely general mechanism for controlling many kinds of router behavior, but the best way to understand how they work is to start with the simplest application: controlling the traffic that flows into or out of an interface.

Each rule in a standard access list contains three important parts:

  • a number that identifies the list when you refer to it in other parts of the router’s configuration

  • a deny or permit instruction

  • a packet identifier (such as an address)

As incoming or outgoing packets reach an interface that has an access list, the router compares the packets to each rule in the access list and decides whether the traffic should be blocked (denied) or permitted.

For IP traffic, there are two fundamental types of lists: standard and extended. Standard access lists filter based on source network addresses. A typical standard access list looks like this:

access-list 1 deny 10.10.1.0 0.0.0.255
access-list 1 deny 10.10.2.0 0.0.0.255
access-list 1 permit any

This list blocks any traffic from the 10.10.1.0 and 10.10.2.0 subnets, regardless of the packet’s destination, and permits anything that makes it past the first two lines. In other words, all traffic is permitted except for the 10.10.1.0 and 10.10.2.0 subnets. Once you have the list, you can apply it to the packets going into or out of a particular ...

Get Cisco IOS in a Nutshell, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.