Introduction to Access-Lists on Cisco IOS Router

ReneMolenaar · December 22, 2016, 12:31am

This topic is to discuss the following lesson:

system · December 10, 2013, 10:07pm

On your Introduction to Access-Lists on Cisco IOS Router lesson, you have, in the picture for where to place the ACL, the word inbound twice. I believe that the top router should be “inbound” and the bottom router should be the “outbound.”

ReneMolenaar · January 14, 2014, 7:36pm

Hi Eric,

Thanks for pointing that out, I just fixed it.

Rene

system · February 22, 2014, 3:35am

Everything very clear but little confusing in number range.
standard access list number range(1300-199) confusing & 199 overlap with extended acl

ReneMolenaar · March 10, 2014, 1:27pm

You caught a typo It has to be 1300 - 1999, just fixed it.

system · September 12, 2014, 7:52am

You explain complex in English. Thanks Rene Molenaar. I am going to advertise you to college students here In Uganda. You make it all simple.
God bless you!!

ReneMolenaar · September 12, 2014, 11:20am

Thanks Frank!

hussien.samer · October 10, 2015, 9:25pm

Hi Rene,

I did not understand what do you mean in this statement “You can only have a single ACL per direction, so it’s impossible to have 2 inbound access-lists”

Is it possible to explain to me the meaning in other words please ?

thanks,

Hussein Sameer

ReneMolenaar · October 11, 2015, 9:28am

Hi Hussein,

Here’s what I mean:

access-list 1 permit 1.1.1.0 0.0.0.255 access-list 2 permit 2.2.2.0 0.0.0.255

interface fa0/0 access-group 1 in access-group 2 in

Once you apply access-list 2 on the interface, 1 will be removed. You can’t have two inbound or two outbound access-lists.

Rene

lewisdzuda · December 24, 2015, 10:27pm

Is there any example on how to configure classification on a router.

ReneMolenaar · December 25, 2015, 10:20am

Hi Lewis,

Take a look here:

https://networklessons.com/quality-of-service/qos-classification-cisco-ios-router/

Rene

abdullimran · February 16, 2016, 6:45pm

Hi Rene,

if i do access list like:

access-list out_acz_in permit any 10.0.32.10

access list out_acsz_in udp permit any 10.0.32.10 eq h323

What isthe difference between both, what will be the default if i don`t mention tcp/udp and destination port in first case -what is the default type?

andrew · February 16, 2016, 8:17pm

Asi
The first thing you have to decide is whether you are creating an standard or extended access-list. The next decision to make is whether you wanted to use an access-list number or an access-list name. In the examples you gave, you chose to use named access-lists for both (out_acsz_in). Also, in your example, we must be using extended access-lists (because you specified the destination of the traffic you are permitting).

Let’s look at your two examples, and reconfigure them so they are using the proper syntax.
Your first example is this:
(config)#access-list out_acz_in permit any 10.0.32.10

The correct syntax for this would be:

(config)#ip access-list extended out_acz_in
(config-nacl)#permit ip any host 10.0.32.10

Here’s the difference between what you wrote, and what I wrote:

The keyword “ip” must be used before “access-list” if you are using a named access-list. If you plan to use access-list numbers instead, this is not needed
Named access-lists have to told whether they are standard or extended, hence the keyword “extended”
Named access-lists require you press ENTER after you give the name. The IOS then takes you to a new submenu, (config-nacl)# where you can type all of your permit or deny lines one by one
After the word “permit” or “deny” a protocol has to specified for an extended access-list. In this case, I chose “ip” which means any type of traffic, since you didn’t specify a port at the end
The keyword “host” tells the access list that the next address you type in is supposed to be that specific ip. Think of “host” as a shortcut. Instead of typing 10.0.32.10 0.0.0.0, you can just type host 10.0.32.10. Both lines are acceptable and both do the same thing.

Now, let’s compare the correct syntax for both of your examples and go over the difference:

Example 1

ip access-list extended out_acz_in
 permit ip any host 10.0.32.10

Example 2

ip access-list extended out_acsz_in
 permit udp any 10.0.32.10 eq h323

Example 2 allows only the UDP ports associated with the H.323 protocol from anywhere to reach 10.0.32.10.
Example 1 allows ALL traffic from anywhere to 10.0.32.10.

As you can see, Example 2 is much more restrictive than Example 1. As to what is the default type, there really isn’t a “default.” How you write the access-list determines its behavior.

--Andrew

abdullimran · February 17, 2016, 12:44pm

Hi Andrew,

Thanks a million was a very excellent explanation really appreciate, i did not knew this inside edge with IOS ACL .

However its my mistake posted at wrong place -My question was with reference to ASA.Found this on the below link and was keen to get information about the qustion i asked previously

check this bit starting at

ACL sYNTAX

drashti30.desai · April 18, 2016, 3:12pm

Hi Rene,

Can you explain why standard ACL need to be placed near the destination and extended ACL need to be placed near source?

Regards,
Nanu

ReneMolenaar · April 18, 2016, 8:48pm

Hi Nanu,

The standard access-list only allows you to filter source addresses. If you place it close to the source, it’s possible that you filter too much (unwanted) traffic.

The extended access-list is very specific…you can filter source + destination address and source + destination ports. Since it’s so specific, it’s best to place it as close to the source as possible so you can drop unwanted traffic right away.

Rene

drashti30.desai · April 19, 2016, 9:41am

Thanks Rene…I understood it now.

Regards,
Nanu

Zaman.rubd · October 13, 2016, 1:24pm

Dear Rene,

Need your assistant to be clear the questions …

What are the high level difference between Named and Numbered access list?

br/
zaman

maher1 · October 15, 2016, 9:41am

Hi Zaman,

As a function there is are no difference between the Named and the Numbered AC, so both function the same way as to what you have learned in our lessons.
The only difference is that on the named ACL’s you can put a better descriptive rather than putting numbers. For example, if you want to deny http traffic than you can name the named ACL something like:
ip access-list extended Deny_HTTP
This can give to your as an administrator a better idea of what this ACL is doing.

Another point is that in the old IOS it wasn’t possible to edit numbered ACLs, so if you wanted to change an entry then you had to remove the whole ACL and make it again, while on the named ACLs editing was & still possible. Nowadays both numbered and named ACLs can be edited without the need to change the whole configuration from the router.

The last point is that number ACLs are limited with range of numbers for both standard & extended while named ACL’s are not.

Hope I could answer to your question.

siukaileung · December 25, 2017, 7:06am

I have a question. What is the difference between inbound ACL and outbound ACL? When will we use inbound ACL and when we need to use outbound ACL? Thank you very much.