Access Lists

Access lists are built to deny or permit IP traffic into or out of a network interface on a router. These access lists will filter IP source and destination addresses as well as protocol and service specific traffic. There are two basic types of access lists for routers:

1. Standard Access Lists - lists that filter traffic based on source IP or IP address range.

2. Extended Access Lists - lists that filter traffic based on source IP, IP address range as well as TCP(Transmission Control Protocol), UDP (User Datagram Protocol) adn TCP/UDP port numbers.

Access List - Numeric Types

1-99 IP standard access list 100-199 IP extended acess list 200-299 Protocol type-code access list 300-399 DECnet 600-699 Appletalk 700-799 48-bit media access control (MAC) addreess 800-899 IPX standard 900-999 IPX extended 802.12SAP

Standard Access Lists The standard access list can have a list of statements. Each list of statements will have an acess list number to identify the access group and will list entries that you have made. Order of entries is important because once a packet is matched to an entry, the access is activated or denied. Once a packet is permitted entry, the router will cache this entry and further packets are allowed entry without comparing to the access list. It is important to place a deny all statement at the end of all access lists to make sure that if not match is made for the traffic it is always denied.

Standard Access List Commands

Access-list number [deny|permit

This command identifies the access-list as number 4 and will deny access to 12.32.34.any nodes.

Now apply the access-list to a network interface.

ip access-group access-list-number [in|out]

Example: ip access-group 4 in