Basic IP Access Control List Notes

IP Access Control Lists filter packets by either permitting or denying them from being forwarded toward their destinations. ACLs can be applied in two ways, inbound and outbound, on any given router interface.

ACLs must be applied to an interface in the same direction that the packets flow through that interface. If a packet is traveling outbound on an interface, the ACL needs to be applied to outbound traffic on that interface to be effective.

Matching packets - the method of configuring ACL commands to examine each packet, specifying how to identify which packets should be discarded and which should be allowed.

ACLs have only two actions: deny and permit.

Types of ACLs

Standard Numbered ACLs - ( 1 - 99 )
Extended Numbered ACLs - ( 100 - 199 )
Additional ACL Numbers - ( 1300 - 1999 Standard ) and ( 2000 - 2999 Extended )
Named ACLs

Improved editing with sequence numbers

Standard ACLs only match the source IP address.

Extended ACLs match source and destination IP addresses, as well as source and destination port numbers.

ACLs use first-match logic: the router checks the statements in order from the top of the list (lowest sequence number) to the bottom, and as soon as a packet matches a statement it stops searching and applies that statement's action. This is true for all IOS ACLs, standard, extended, named, or numbered.

Wild Cards

Decimal 0 in a wildcard mask octet: the router must compare that octet as normal (it has to match).
Decimal 255 in a wildcard mask octet: the router treats that octet as a wild card and all values match.


Matching a subnet with an ACL
To find the wildcard mask for a subnet, subtract the subnet mask from 255.255.255.255 and use the subnet address as the source in the ACL.

  255.255.255.255
- subnet mask
= Wild card value

Matching any/all addresses

access-list 1 permit any ( can be placed at the end of an ACL to override the implicit deny all behavior )

access-list 1 deny any ( does the same thing as the implicit deny default, but keeps match counters so policy violations can be seen. )
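As an added worked example (not part of the original notes), the following Python models how a standard numbered ACL is evaluated: deriving a wildcard mask from a subnet mask, comparing only the bits where the wildcard is 0, walking the statements with first-match logic, and falling through to the implicit deny. The access-list entries and source addresses are constructed for illustration.

```python
import ipaddress

# Constructed model of Cisco IOS standard ACL matching (source IP only).
ALL_ONES = 0xFFFFFFFF  # 255.255.255.255


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask):
    """Wildcard mask = 255.255.255.255 - subnet mask (the bitwise inverse)."""
    return to_dotted(ALL_ONES - to_int(subnet_mask))


def wildcard_match(packet_src, acl_addr, wildcard):
    """Wildcard bit 0: the bit must match. Wildcard bit 1: the bit is ignored."""
    care = ALL_ONES ^ to_int(wildcard)  # bits the router must compare as normal
    return (to_int(packet_src) & care) == (to_int(acl_addr) & care)


def evaluate(acl, packet_src):
    """First-match logic: check statements top to bottom, stop at the first hit.
    A packet that matches nothing is dropped by the implicit deny at the end."""
    for action, addr, wildcard in acl:
        if wildcard_match(packet_src, addr, wildcard):
            return action
    return "deny"  # implicit deny any


# Constructed equivalent of:
#   access-list 1 deny   10.1.1.0 0.0.0.255
#   access-list 1 permit 10.1.0.0 0.0.255.255
# with no explicit "permit any", so everything else hits the implicit deny.
ACL_1 = [
    ("deny", "10.1.1.0", wildcard_from_mask("255.255.255.0")),
    ("permit", "10.1.0.0", wildcard_from_mask("255.255.0.0")),
]

if __name__ == "__main__":
    for src in ("10.1.1.7", "10.1.9.9", "192.168.1.1"):
        print(src, "->", evaluate(ACL_1, src))
```

Reversing the two statements shows why order matters: the broader permit would then match 10.1.1.7 first and the deny line would never be reached.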