How Access Lists work on Cisco routers

This tutorial explains how Cisco access lists work through examples. Learn how Cisco routers process access control lists.

When a router receives an IP packet on one of its interfaces, it checks the packet's destination address and forwards the packet out of the interface that is directly connected to that destination, or that lies on the path toward it. If none of the router's interfaces leads to the destination address, the router discards the packet.

An access list is a set of additional instructions that you can tell a router to carry out before forwarding IP packets. In the access list, each instruction is written on a separate line, and each line is treated as a separate entry.

An access list can contain many entries. Each entry must include a criterion and an action. A criterion defines the condition that triggers the action. An entry may include multiple criteria or actions.

Let's take an example to understand how access lists work.

The following image shows a sample school network.

ACL example network

In this network, four LAN segments are connected through a router. These segments are Students, Teachers, Staff, and Administrators, and they belong respectively to the students, the teachers, the office staff, and the management team.

The following table lists the IP configurations of all segments.

LAN             Network address   Default gateway   Gateway interface
Students        10.0.0.0/8        10.0.0.1          Router's F0/0
Teachers        20.0.0.0/8        20.0.0.1          Router's F0/1
Staff           30.0.0.0/8        30.0.0.1          Router's F1/0
Administrators  40.0.0.0/8        40.0.0.1          Router's F1/1

As far as connectivity is concerned, this network is fine. All LAN segments can access each other without any issues. The main issue of this network is security. This network has no security policy. Anyone can access any resource of the network. A student can access the teacher's computer. A teacher can access the principal's computer. This free flow of access makes this network useless. This network will be useful only if it allows only authorized users to access permitted resources.

To block unauthorized access, Cisco routers have a built-in feature known as access lists. An access list allows the administrator to define what is allowed and what is blocked.

Once the criteria for allowed packets are defined, the router forwards only the packets that meet those criteria. Access lists are used to define these criteria. Each line of the access list is a separate entry, and each entry contains two things: a condition and an action. When processing an entry, the router evaluates the condition; if the packet matches it, the router executes the action. A condition may include a single criterion or multiple criteria.

When creating an access list entry, you should keep three important factors in mind. These factors are location, direction, and order. We have already discussed these factors in the previous part of this tutorial. In this part, we will take an example to understand how an access list works and how these factors can affect an access list.

Location

In our example network, every LAN segment can reach every other LAN segment. To block students from accessing resources outside the Students segment, the administrator created an access list and applied it to the F0/0 interface of the router. The ACL has the following entry.

If a packet has the source address from the network address 10.0.0.0/8, then discard the packet.

The following image shows how this ACL is applied.

ACL correct location

Since all packets generated in the Students segment carry a source address from the 10.0.0.0/8 network, they are blocked as soon as they enter the F0/0 interface. With this ACL in place, users in the Students segment can no longer access resources outside their own segment.

To understand how the location affects the ACL, let's suppose the administrator applied the above ACL on the F0/1 interface.

The following image shows this change.

ACL incorrect location

Now, this ACL is useless. It instructs the router to block a packet if it arrives from the 10.0.0.0/8 network, but a packet from the 10.0.0.0/8 network never enters through the F0/1 interface. The F0/1 interface is the default gateway of the Teachers segment. Since the network address of the Teachers segment is 20.0.0.0/8, all packets entering F0/1 carry a source address from the network 20.0.0.0/8.

This example shows why the location of the ACL matters. An ACL must be applied to the interface that actually carries the targeted traffic.

Direction

Now suppose, instead of using the source address in the ACL entry, the administrator mistakenly used the destination address. The modified ACL is given below.

If the destination address of a packet is from the network 10.0.0.0/8, discard the packet.

The administrator applied this ACL to the F0/0 interface of the router.

Will this ACL work?

The following image shows the new ACL.

ACL wrong direction

This ACL will not work. It instructs the router to block packets that are going to the network 10.0.0.0/8, not packets that are coming from the network 10.0.0.0/8. If you apply this ACL on F0/0, hosts in the Students segment will still be able to access all three other segments, but the other three segments will not be able to access the Students segment.

Order

As mentioned earlier, for each packet, the router checks ACL entries from top to bottom until a match is found. Once a match is found, it does not check the remaining entries for that packet. Let's understand this factor through the example.

The administrator wants to allow a user from the Teachers segment to access the server available in the Administrators segment. The IP address of the allowed user is 20.0.0.3/8. Apart from the allowed user, all remaining users must not be able to access the Administrators segment. For this, the administrator created the following ACL and applied it to the F0/1 interface of the router.

Drop the packet if its source address belongs to the network 20.0.0.0/8.
Allow the packet if its source address is 20.0.0.3/8.

The following image shows this ACL.

ACL wrong order

Will this ACL work?

No, this ACL will block all outgoing traffic from the Teachers segment. When a packet originating from the host 20.0.0.3/8 reaches the router, the router checks the entries of the applied ACL from top to bottom until a match is found.

The first line of the ACL says "drop the packet if its source address belongs to the network 20.0.0.0/8". Since the IP address 20.0.0.3/8 belongs to the network 20.0.0.0/8, this condition is true, and the router executes the action associated with it. Since that action is drop, the router drops the packet.

Although the second line of the ACL allows the host 20.0.0.3/8, the router never reads or executes it, because processing stopped at the first match.

The correct order to allow the host 20.0.0.3/8 is the following.

Allow the packet if its source address is 20.0.0.3/8.
Drop the packet if its source address belongs to the network 20.0.0.0/8.

The following image shows the above ACL.

ACL correct direction and order

Now, this ACL allows all packets originating from the host 20.0.0.3/8 but blocks all packets originating from other hosts in the network 20.0.0.0/8.
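As an added example that is not part of the original tutorial, the following Python model of first-match ACL processing replays the Location, Direction and Order scenarios above on the sample school network. The host addresses other than 20.0.0.3 are constructed, and the single-host entry is modelled as a /32 prefix because it matches exactly one address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    field: str    # header field the criterion inspects: "src" or "dst"
    network: str  # prefix the field must fall in, e.g. "20.0.0.0/8"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def first_match(acl, pkt, default="permit"):
    """Walk the entries top to bottom and return the action of the first match.
    Real IOS ACLs end with an implicit deny; the tutorial's pseudo-ACLs are
    modelled with a permissive default so they behave as the text reasons."""
    for e in acl:
        if ipaddress.ip_address(getattr(pkt, e.field)) in ipaddress.ip_network(e.network):
            return e.action
    return default


def router_decision(acl, applied_on, arrived_on, pkt):
    """An inbound ACL is consulted only for packets entering the interface it is
    bound to (Location); traffic entering any other interface is forwarded unfiltered."""
    if arrived_on != applied_on:
        return "permit"
    return first_match(acl, pkt)


# Sample packets on the school network (constructed hosts; 40.0.0.0/8 is Administrators).
STUDENT_TO_ADMIN = Packet("10.0.0.5", "40.0.0.10")
TEACHER_TO_ADMIN = Packet("20.0.0.7", "40.0.0.10")
ALLOWED_TEACHER = Packet("20.0.0.3", "40.0.0.10")

# Location: "deny source 10.0.0.0/8" works on F0/0 but never matches on F0/1.
BLOCK_STUDENTS = [Entry("deny", "src", "10.0.0.0/8")]
# Direction: the same rule mistakenly written against the destination address.
BLOCK_STUDENTS_DST = [Entry("deny", "dst", "10.0.0.0/8")]
# Order: deny-then-permit shadows the host entry; permit-then-deny is correct.
WRONG_ORDER = [Entry("deny", "src", "20.0.0.0/8"), Entry("permit", "src", "20.0.0.3/32")]
RIGHT_ORDER = [Entry("permit", "src", "20.0.0.3/32"), Entry("deny", "src", "20.0.0.0/8")]

if __name__ == "__main__":
    print(router_decision(BLOCK_STUDENTS, "F0/0", "F0/0", STUDENT_TO_ADMIN))      # deny
    print(router_decision(BLOCK_STUDENTS, "F0/1", "F0/0", STUDENT_TO_ADMIN))      # permit
    print(router_decision(BLOCK_STUDENTS_DST, "F0/0", "F0/0", STUDENT_TO_ADMIN))  # permit
    print(router_decision(WRONG_ORDER, "F0/1", "F0/1", ALLOWED_TEACHER))          # deny
    print(router_decision(RIGHT_ORDER, "F0/1", "F0/1", ALLOWED_TEACHER))          # permit
```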

That's all for this tutorial. In this tutorial, we discussed how ACLs work. In the next tutorial, we will discuss the types of ACLs.
