Introduction to Access-Lists on Cisco IOS Router

Everything is very clear, but the number range is a little confusing.
The standard access list number range (1300-199) is confusing, and 199 overlaps with the extended ACL range.

You caught a typo :slight_smile: It has to be 1300 - 1999, just fixed it.

You explain complex things in plain English. Thanks Rene Molenaar. I am going to advertise you to college students here in Uganda. You make it all simple.
God bless you!!

Thanks Frank!

Hi Rene,

I did not understand what you mean by this statement: “You can only have a single ACL per direction, so it’s impossible to have 2 inbound access-lists”

Is it possible to explain the meaning to me in other words, please?

Thanks,

Hussein Sameer

Hi Hussein,

Here’s what I mean:

access-list 1 permit 1.1.1.0 0.0.0.255
access-list 2 permit 2.2.2.0 0.0.0.255

interface fa0/0
 ip access-group 1 in
 ip access-group 2 in

Once you apply access-list 2 on the interface, 1 will be removed. You can’t have two inbound or two outbound access-lists.

Rene

Is there any example of how to configure classification on a router?

Hi Lewis,

Take a look here:

https://networklessons.com/quality-of-service/qos-classification-cisco-ios-router/

Rene

Hi Rene,

If I do an access list like:

access-list out_acz_in permit any 10.0.32.10

access list out_acsz_in udp permit any 10.0.32.10 eq h323

What is the difference between the two? What will be the default if I don't mention TCP/UDP and the destination port, as in the first case? What is the default type?


Asi
The first thing you have to decide is whether you are creating a standard or an extended access-list. The next decision to make is whether you want to use an access-list number or an access-list name. In the examples you gave, you chose to use named access-lists for both (out_acsz_in). Also, in your example, we must be using extended access-lists (because you specified the destination of the traffic you are permitting).

Let’s look at your two examples, and reconfigure them so they are using the proper syntax.
Your first example is this:
(config)#access-list out_acz_in permit any 10.0.32.10

The correct syntax for this would be:

(config)#ip access-list extended out_acz_in
(config-nacl)#permit ip any host 10.0.32.10

Here’s the difference between what you wrote, and what I wrote:

  1. The keyword “ip” must be used before “access-list” if you are using a named access-list. If you plan to use access-list numbers instead, this is not needed.
  2. Named access-lists have to be told whether they are standard or extended, hence the keyword “extended”.
  3. Named access-lists require you to press ENTER after you give the name. The IOS then takes you to a new submenu, (config-nacl)#, where you can type all of your permit or deny lines one by one.
  4. After the word “permit” or “deny” a protocol has to be specified for an extended access-list. In this case, I chose “ip”, which means any type of traffic, since you didn’t specify a port at the end.
  5. The keyword “host” tells the access list that the next address you type in is supposed to be that specific IP. Think of “host” as a shortcut. Instead of typing 10.0.32.10 0.0.0.0, you can just type host 10.0.32.10. Both lines are acceptable and both do the same thing.

Now, let’s compare the correct syntax for both of your examples and go over the difference:

Example 1

ip access-list extended out_acz_in
 permit ip any host 10.0.32.10

Example 2

ip access-list extended out_acsz_in
 permit udp any host 10.0.32.10 eq h323

Example 2 allows only the UDP ports associated with the H.323 protocol from anywhere to reach 10.0.32.10.
Example 1 allows ALL traffic from anywhere to 10.0.32.10.

As you can see, Example 2 is much more restrictive than Example 1. As to what is the default type, there really isn’t a “default.” How you write the access-list determines its behavior.

--Andrew


Hi Andrew,

Thanks a million, that was an excellent explanation, I really appreciate it. I did not know this inside edge with IOS ACLs.

However, it's my mistake, I posted in the wrong place. My question was with reference to the ASA. I found this on the below link and was keen to get information about the question I asked previously.

Check this bit starting at:

ACL Syntax

Hi Rene,

Can you explain why standard ACL need to be placed near the destination and extended ACL need to be placed near source?

Regards,
Nanu

Hi Nanu,

The standard access-list only allows you to filter source addresses. If you place it close to the source, it’s possible that you filter too much (unwanted) traffic.

The extended access-list is very specific…you can filter source + destination address and source + destination ports. Since it’s so specific, it’s best to place it as close to the source as possible so you can drop unwanted traffic right away.

Rene

Thanks Rene…I understood it now.

Regards,
Nanu

Dear Rene,

Need your assistance to clarify the questions …

What are the high level difference between Named and Numbered access list?

br/
zaman

Hi Zaman,

Functionally, there is no difference between named and numbered ACLs, so both work the same way as what you have learned in our lessons.
The only difference is that with named ACLs you can give a more descriptive name rather than using numbers. For example, if you want to deny HTTP traffic, then you can name the named ACL something like:
ip access-list extended Deny_HTTP
This gives you, as an administrator, a better idea of what this ACL is doing.

Another point is that in the old IOS it wasn't possible to edit numbered ACLs, so if you wanted to change an entry you had to remove the whole ACL and create it again, while on named ACLs editing was and still is possible. Nowadays both numbered and named ACLs can be edited without the need to change the whole configuration on the router.

The last point is that numbered ACLs are limited to a range of numbers for both standard and extended, while named ACLs are not.

I hope this answers your question.


I have a question. What is the difference between inbound ACL and outbound ACL? When will we use inbound ACL and when we need to use outbound ACL? Thank you very much.

Hello Siu Kai L,

Both inbound and outbound get the job done, they filter packets. It depends on the scenario which one you might want to use. For example, let’s say you have a router with 4 interfaces:

* 1x WAN interface that connects to the Internet
* 3x LAN interface

Let’s say you want to restrict internet traffic from your LAN to the Internet. You could attach the same access-list INBOUND on all three LAN interfaces, or you can attach the access-list OUTBOUND on your WAN interface. Both get the job done, the only difference is you have to apply it once instead of on three interfaces.

You can also look at this from the other way around. Let’s say you want to restrict traffic from the Internet to your LAN. You could create an access-list and attach it INBOUND on your WAN interface, or you attach it OUTBOUND on all three LAN interfaces.

Both will get the job done, but adding it to the WAN interface INBOUND is probably easier since you only have to attach it once. Also, it prevents the traffic from going anywhere else since you filter it right away on where it enters the router.

Hope this helps!


Hi Rene / Team ,

I have a query. Suppose a router has two interfaces: one is Fa0/0, which is treated as inbound, and the other is Fa1/1, which is outbound.

Like you said in the above post, on a single interface two inbound or two outbound access lists are not possible.

Kindly confirm whether it is possible to permit the above access list 1 and access list 2 separately, one inbound on Fa0/0 and the other outbound on Fa1/1, because I am using a single router.

If we apply this configuration, will it work? Please confirm.

access-list 1 permit 1.1.1.0 0.0.0.255
access-list 2 permit 2.2.2.0 0.0.0.255

interface fa0/0
 ip access-group 1 in

interface fa0/1
 ip access-group 2 out

Important edit:

But as far as I know, I cannot apply an inbound ACL and an outbound ACL at the same time; you need to choose first which ACL you want inbound or outbound. Then what syntax or command is required to permit or deny the specific networks given below, and how can we know whether the network is the source address or the destination address?

access-list 1 permit 1.1.1.0 0.0.0.255
access-list 2 permit 2.2.2.0 0.0.0.255

One more doubt :smiley:

How did you decide that in the below example from the above post the ACL is specified for destination traffic?

(config)#access-list out_acz_in permit any 10.0.32.10

The correct syntax for this would be:

(config)#ip access-list extended out_acz_in
(config-nacl)#permit ip any host 10.0.32.10

What is meant by this term used in the ACL:
out_acsz_in

Please explain this term

Let’s say you want to restrict internet traffic from your LAN to the Internet. You could attach the same access-list INBOUND on all three LAN interfaces, or you can attach the access-list OUTBOUND on your WAN interface. Both get the job done, the only difference is you have to apply it once instead of on three interfaces.

Sir, regarding the above highlighted statement, does it mean we have to create a different access list on all three inbound interfaces, or is something else needed to restrict the traffic?

Please explain, in syntax form, how we create the same access list on all three inbound interfaces of the router.

Regards
Shivam Chaudhary

Hello Shivam

Yes, it is possible to apply the access lists as you mention in your post. Keep in mind that you can apply one access list per direction per interface. This means that you can have both an inbound and an outbound access list applied to the same interface. You can even have the same access list applied in both directions on a single interface. For example, you can have this:

interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 1 in
 ip access-group 1 out
!
interface GigabitEthernet0/1
 ip address 10.10.20.1 255.255.255.0
 ip access-group 1 in
 ip access-group 2 out
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 permit 0.0.0.0 255.255.255.0

Notice that for GE0/0, the same access list is applied in both directions, while on GE0/1, different access lists are applied in each direction. But you can have the same access list applied to multiple interfaces as well.

You know that it is meant for destination traffic because the extended access list has the following syntax:

access-list access-list-number {deny|permit} protocol source source-wildcard destination destination-wildcard

So you see that after the protocol is specified, you begin with the source address and wildcard mask, and then the destination address and wildcard mask. So for the following command:

(config)#ip access-list extended out_acz_in
(config-nacl)#permit ip any host 10.0.32.10

…the any keyword specifies the source, and the 10.0.32.10 specifies the destination. When there is no subnet mask applied, then the assumed wildcard mask is 0.0.0.0, which means that the destination specifies only a single host with that address.

This is just a name used to name the access list. You can call it anything you like.

Imagine you have the following topology:


Now if you want to block traffic to the 147.52.0.0/16 network on the Internet, for example, then you would create an ACL such as this:

(config)#ip access-list extended block_147.52
(config-nacl)#deny ip any 147.52.0.0 0.0.255.255
(config-nacl)#permit ip any any

Now you can apply this to the GE0/1, GE0/2, GE0/3 interfaces in an inbound direction or you can apply this to the GE0/0 interface in an outbound direction. Obviously it would be better to apply it only once to the GE0/0 interface. It is faster, more efficient, and clearer.

I hope this has been helpful!

Laz

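Both Andrew's walk-through of extended-ACL syntax earlier in the thread and Laz's explanation of one ACL per interface per direction can be exercised with a small evaluator. The following is an added example written for this thread, not code from networklessons.com or from Cisco IOS; it assumes first-match semantics with the implicit deny at the end, treats "host X" as "X 0.0.0.0", and compares port keywords such as h323 literally instead of resolving them to numbers.

```python
import ipaddress
_ip = lambda s: int(ipaddress.IPv4Address(s))
_match = lambda addr, wild, ip: (addr & ~wild) == (ip & ~wild)   # wildcard bit 1 = don't care, 0 = must match

def _addr(tok):
    # consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (address, wildcard) as ints
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF                     # every bit is "don't care"
    if t == "host":
        return _ip(tok.pop(0)), 0                # 'host X' is shorthand for 'X 0.0.0.0'
    return _ip(t), _ip(tok.pop(0))

def _port(tok):
    # consume an optional 'eq <port>'; keywords such as h323 are kept literally, not resolved (assumption)
    return (tok.pop(0), tok.pop(0))[1] if tok[:1] == ["eq"] else None

def parse_entry(line):
    """Extended: 'permit|deny proto src [eq p] dst [eq p]'. Standard: 'permit|deny src [wildcard]'."""
    tok = line.split()
    action = tok.pop(0)
    if tok[0] in ("ip", "tcp", "udp", "icmp"):
        proto = tok.pop(0)
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
    else:                                        # standard ACL: source only; a bare address means host
        proto, sport, dport, dst = "ip", None, None, (0, 0xFFFFFFFF)
        src = _addr(tok) if tok[0] in ("any", "host") or len(tok) == 2 else (_ip(tok[0]), 0)
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; falling off the end hits the implicit 'deny any' at the bottom."""
    for line in acl:
        act, p, (sa, sw), sp, (da, dw), dp = parse_entry(line)
        if (p in ("ip", proto) and _match(sa, sw, _ip(src)) and _match(da, dw, _ip(dst))
                and sp in (None, sport) and dp in (None, dport)):
            return act
    return "deny"

def access_group(bindings, intf, acl, direction):
    """Models 'ip access-group <acl> in|out': one ACL per interface per direction, so a second apply replaces the first."""
    bindings[(intf, direction)] = acl

def forward(acls, bindings, in_intf, out_intf, **pkt):
    """Check the inbound ACL of the ingress interface, then the outbound ACL of the egress interface."""
    for key in ((in_intf, "in"), (out_intf, "out")):
        acl = bindings.get(key)
        if acl and evaluate(acls[acl], **pkt) == "deny":
            return f"dropped by {acl} ({key[1]} on {key[0]})"
    return "forwarded"
```

Feeding it the thread's own entries shows that Andrew's two examples differ only in the protocol and port check, and that binding block_147.52 outbound on the single WAN interface catches traffic arriving from any LAN interface.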