How Access Lists work on Cisco routers

This tutorial explains the basic concepts and fundamentals of Cisco access lists. Learn what Cisco access lists are and how they work through examples.

An access list is a security feature. It allows a device to process data more intelligently. Cisco routers support access lists. Before we discuss how access lists work on Cisco routers or how Cisco routers use access lists to filter IP packets, let's briefly discuss how routers forward IP packets.

When routers receive IP packets on their interfaces, they check the destination address of each packet and forward that packet from the interface that is directly connected to the destination address or the path leading to the destination address. If none of the router's interfaces are connected to the destination address, the router discards the packet.

An access list is a set of additional commands or instructions that you can instruct a router to perform before forwarding IP packets. In the access list, each command or instruction is written on a separate line. Each line of the access list is treated as a separate entry.

An access list can contain many entries. Each entry must include a criterion and an action. A criterion defines the condition that triggers the action. An entry may include multiple criteria or actions.

Let's take an example to understand how access lists work. The following image shows a sample school network.

[Image: ACL example network]

In this network, four LAN segments are connected through a router. These segments are Students, Teachers, Staff, and Administrators. These segments respectively belong to students, teachers, office staff, and management team.

The following table lists the IP configurations of all segments.

LAN             Network address   Default gateway   Gateway interface
Students        10.0.0.0/8        10.0.0.1          Router F0/0
Teachers        20.0.0.0/8        20.0.0.1          Router F0/1
Staff           30.0.0.0/8        30.0.0.1          Router F1/0
Administrators  40.0.0.0/8        40.0.0.1          Router F1/1

As far as connectivity is concerned, this network is fine. All LAN segments can access each other without any issues. The main issue of this network is security. This network has no security policy. Anyone can access any resource of the network. A student can access the teacher's computer. A teacher can access the principal's computer. This free flow of access makes this network useless. This network will be useful only if it allows only authorized users to access permitted resources.

To block unauthorized access, Cisco routers have a built-in feature. This feature is known as access-lists. An access list allows the administrator to define what is allowed and what is blocked.

Access lists are used to define the criteria for allowed packets. Once those criteria are defined, the router allows only the packets that meet them. Access lists use lines to separate entries; each line in the access list represents one entry. Each entry contains two things: a condition and an action. When processing an entry, the router tests the condition; if the condition matches, the router executes the action. A condition may include a single criterion or multiple criteria.

When creating an access list entry, you should keep three important factors in mind. These factors are location, direction, and order. Let us discuss these factors.

Location

Access lists are applied to interfaces. For example, if a router has two interfaces, you can apply a different access list to each interface. An interface can only use its own ACL to filter the traffic that passes through it; it can't use the ACL of the other interface. If you apply an ACL to an interface that does not carry the targeted traffic, that ACL will not do anything. Because of this, an access list must be placed on an interface that lies in the path of the packets it is meant to filter.

Direction

An access list can be applied on either the entry point or the exit point of the router. If the access list is applied to the entry point, it will be used to process incoming packets. If the access list is applied to the exit point, it will be used to process outgoing packets. To filter incoming traffic, the access list uses source addresses. To filter outgoing traffic, the access list uses destination addresses.

Order

Once the access list is implemented, the router processes each packet through the access list. For each packet, the router checks each entry in the access list from top to bottom until a match is found. Once a match is found, the router executes the corresponding action. It does not check the remaining entries for that packet. If an access list has multiple entries for the same packet, the router will only execute the action of the first entry from the top.

Let's understand the above factors through our example.

Location

In our example network, all LAN segments can access all LAN segments. To block students from accessing resources available outside the Students segment, the administrator created an access list and applied it on the F0/0 interface of the router. The ACL has the following entry.

If a packet has the source address from the network address 10.0.0.0/8, then discard the packet.

The following image shows how this ACL is applied.

[Image: ACL working]

Since all packets generated from the Students segment have source addresses from the 10.0.0.0/8 network, they will be blocked as soon as they enter the F0/0 interface. Once this ACL is in place, users from the Students segment will not be able to access outside resources.

To understand how the location affects the ACL, let's suppose the administrator applied the above ACL on the F0/1 interface instead.

The following image shows this change.

[Image: ACL wrong location]

Now, this ACL is useless. This ACL instructs the router to block a packet if it arrives from the 10.0.0.0/8 network. A packet from the 10.0.0.0/8 network will never enter through the F0/1 interface. The F0/1 interface is the default gateway of the Teachers segment. Since the network address of the Teachers segment is 20.0.0.0/8, all packets entering F0/1 will have a source address from the network 20.0.0.0/8.

This example shows how the correct location of the ACL is important. An ACL must be implemented on the interface that interacts with targeted traffic.

Direction

Now suppose, instead of using the source address in the ACL entry, the administrator mistakenly used the destination address. The modified ACL is given below.

If the destination address of a packet is from network 10.0.0.0/8, discard the packet.

The administrator applied this ACL on the F0/0 interface of the router. Will this ACL work?

The following image shows the new ACL.

[Image: ACL incorrect direction]

This ACL will not work. This ACL instructs the router to block the packets that are going to the network 10.0.0.0/8, not the packets that are coming from the network 10.0.0.0/8. If you apply this ACL on the F0/0 interface, the Students segment will be able to access all three other segments, but those segments will not be able to access the Students segment.

Order

As mentioned earlier, for each packet, the router checks ACL entries from top to bottom until a match is found. Once a match is found, it does not check the remaining entries for that packet. Let's understand this factor through the example.

The administrator wants to allow a user from the Teachers segment to access the server available in the Administrators segment. The IP address of the allowed user is 20.0.0.3/8. Apart from the allowed user, all remaining users must not be able to access the Administrators segment. For this, the administrator created the following ACL and applied it to the F0/1 interface of the router.

Drop the packet if its source address belongs to the network 20.0.0.0/8
Allow the packet if its source address is 20.0.0.3/8

The following image shows this ACL.

[Image: ACL wrong order]

Will this ACL work? No, this ACL will block all outgoing traffic from the Teachers segment. When a packet originating from the host 20.0.0.3/8 reaches the router, the router checks the entries of the applied ACL until a match is found.

The first line of the ACL says "drop the packet if its source address belongs to the network 20.0.0.0/8". Since the IP address 20.0.0.3/8 belongs to the network 20.0.0.0/8, the condition is true, and the router executes the action associated with this entry. Since the action of this entry is drop, the router drops the packet.

Although the second line of the ACL allows the host 20.0.0.3/8, the router will never read or execute it, because a match has already been found on the first line. The correct order to allow the host 20.0.0.3/8 is the following.

Allow the packet if its source address is 20.0.0.3/8
Drop the packet if its source address belongs to the network 20.0.0.0/8

The following image shows the above ACL.

[Image: ACL correct order]

Now, this ACL will allow all packets originating from the host 20.0.0.3/8 but will block all packets originating from the other hosts of the network 20.0.0.0/8.
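To make the three factors concrete in running code, here is an added example (not code from the tutorial, and not Cisco IOS syntax): a small Python model of the router and its four LANs from the table above, with ACL entries evaluated top to bottom and the first match deciding the packet. It replays the location, direction and order scenarios described in this tutorial. The network addresses are the tutorial's; the host addresses (10.0.0.5, 20.0.0.7, 20.0.0.9, 40.0.0.10), the interface model and the function names are assumptions made for the example. Unlike a real IOS list, which ends with an implicit deny, the model forwards unmatched packets, because that is what the tutorial's plain-sentence entries assume.

```python
"""Toy model of how a router applies access lists. Added example, not code from
the tutorial: networks come from the tutorial's table, host addresses such as
10.0.0.5 are constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Entry:
    """One ACL line: a condition (source and/or destination network) and an action."""
    action: str                          # "permit" or "deny"
    src: Optional[IPv4Network] = None    # None means "any source"
    dst: Optional[IPv4Network] = None    # None means "any destination"

    def matches(self, src_ip, dst_ip) -> bool:
        return ((self.src is None or src_ip in self.src) and
                (self.dst is None or dst_ip in self.dst))

@dataclass
class AccessList:
    """Entries are checked top to bottom; the first match decides the packet."""
    entries: list

    def evaluate(self, src_ip, dst_ip):
        """Return (action, 1-based index of the matching entry). Unmatched packets
        are forwarded, as the tutorial's plain-sentence entries imply; real IOS
        appends an implicit "deny any" to every list, so a production list needs
        an explicit permit for the traffic it must pass."""
        for i, entry in enumerate(self.entries, start=1):
            if entry.matches(src_ip, dst_ip):
                return entry.action, i
        return "permit", None

@dataclass
class Interface:
    name: str
    network: IPv4Network                   # the directly connected LAN
    inbound: Optional[AccessList] = None   # applied at the entry point
    outbound: Optional[AccessList] = None  # applied at the exit point

class Router:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}

    def forward(self, ingress: str, src: str, dst: str) -> str:
        """Process one packet arriving on `ingress` and report its fate."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        in_if = self.interfaces[ingress]
        if in_if.inbound:                                   # direction "in"
            action, idx = in_if.inbound.evaluate(src_ip, dst_ip)
            if action == "deny":
                return f"dropped by inbound ACL on {ingress}, entry {idx}"
        # Routing: the interface directly connected to the destination.
        out_if = next((i for i in self.interfaces.values() if dst_ip in i.network), None)
        if out_if is None:
            return "dropped: no route to destination"
        if out_if.outbound:                                 # direction "out"
            action, idx = out_if.outbound.evaluate(src_ip, dst_ip)
            if action == "deny":
                return f"dropped by outbound ACL on {out_if.name}, entry {idx}"
        return f"forwarded out {out_if.name}"

def build_router(inbound: dict = None) -> Router:
    """The tutorial's router, one LAN per interface; `inbound` maps an interface
    name to the ACL applied at its entry point."""
    inbound = inbound or {}
    return Router([Interface(name, ip_network(net), inbound.get(name))
                   for name, net in [("F0/0", "10.0.0.0/8"),    # Students
                                     ("F0/1", "20.0.0.0/8"),    # Teachers
                                     ("F1/0", "30.0.0.0/8"),    # Staff
                                     ("F1/1", "40.0.0.0/8")]])  # Administrators

def run_scenarios() -> dict:
    """Replay the tutorial's ACL placements against constructed packets."""
    students, teachers = ip_network("10.0.0.0/8"), ip_network("20.0.0.0/8")
    teacher_host = ip_network("20.0.0.3/32")   # the tutorial writes this host as 20.0.0.3/8
    deny_students = AccessList([Entry("deny", src=students)])
    wrong_order = AccessList([Entry("deny", src=teachers), Entry("permit", src=teacher_host)])
    right_order = AccessList([Entry("permit", src=teacher_host), Entry("deny", src=teachers)])
    return {
        # Location: inbound on F0/0 the ACL sees student packets as they enter ...
        "correct location": build_router({"F0/0": deny_students}).forward("F0/0", "10.0.0.5", "20.0.0.7"),
        # ... but on F0/1 it never sees a packet sourced from 10.0.0.0/8.
        "wrong location": build_router({"F0/1": deny_students}).forward("F0/0", "10.0.0.5", "20.0.0.7"),
        # Direction: matching the destination instead of the source misses the traffic.
        "wrong direction": build_router({"F0/0": AccessList([Entry("deny", dst=students)])})
                           .forward("F0/0", "10.0.0.5", "20.0.0.7"),
        # Order: the broad deny above the specific permit shadows it ...
        "wrong order": build_router({"F0/1": wrong_order}).forward("F0/1", "20.0.0.3", "40.0.0.10"),
        # ... so the specific permit has to come first.
        "correct order, allowed host": build_router({"F0/1": right_order}).forward("F0/1", "20.0.0.3", "40.0.0.10"),
        "correct order, other host": build_router({"F0/1": right_order}).forward("F0/1", "20.0.0.9", "40.0.0.10"),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28} -> {outcome}")
```

Running the file prints one line per scenario: the "wrong order" packet from 20.0.0.3 is dropped at entry 1 exactly as described above, while with the correct order the same packet is forwarded out F1/1 and a packet from 20.0.0.9 is dropped at entry 2. The misplaced and misdirected ACLs both let the student packet through, which is the tutorial's point about location and direction.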

That's all for this tutorial. In this tutorial, we discussed what ACLs are and how they work. To understand how ACLs work, we used simple sentences for ACL entries. Actual ACL entries use specific keywords to define criteria and actions. In the next tutorial, we will discuss how actual ACL entries are built and how they work.
