This tutorial explains how Cisco access lists work through examples. Learn how Cisco routers process access control lists.
When a router receives an IP packet on one of its interfaces, it checks the packet's destination address and forwards the packet out of the interface that is directly connected to the destination network or that leads toward it. If none of the router's interfaces connect to the destination, the router discards the packet.
An access list is a set of additional commands or instructions that you can instruct a router to perform before forwarding IP packets. In the access list, each command or instruction is written on a separate line. Each line of the access list is treated as a separate entry.
An access list can contain many entries. Each entry must include a criterion and an action. A criterion defines the condition that triggers the action. An entry may include multiple criteria or actions.
Let's take an example to understand how access lists work.
The following image shows a sample school network.
In this network, four LAN segments are connected through a router. These segments are Students, Teachers, Staff, and Administrators. These segments respectively belong to students, teachers, office staff, and management team.
The following table lists the IP configurations of all segments.
| LAN | Network Address | Default gateway | Gateway interface |
| --- | --- | --- | --- |
| Students | 10.0.0.0/8 | 10.0.0.1 | Router F0/0 |
| Teachers | 20.0.0.0/8 | 20.0.0.1 | Router F0/1 |
| Staff | 30.0.0.0/8 | 30.0.0.1 | Router F1/0 |
| Administrators | 40.0.0.0/8 | 40.0.0.1 | Router F1/1 |
As far as connectivity is concerned, this network is fine. All LAN segments can access each other without any issues. The main issue of this network is security. This network has no security policy. Anyone can access any resource of the network. A student can access the teacher's computer. A teacher can access the principal's computer. This free flow of access makes this network useless. This network will be useful only if it allows only authorized users to access permitted resources.
To block unauthorized access, Cisco routers have a built-in feature. This feature is known as access-lists. An access list allows the administrator to define what is allowed and what is blocked.
Access lists are used to define the criteria for allowed packets. Once those criteria are defined, the router only allows packets that meet them. Access lists use lines to separate entries; each line in the access list represents one entry. Each entry contains two things: a condition and an action. When processing an entry, the router tests the condition, and if the condition matches, the router executes the action. A condition may include a single criterion or multiple criteria.
When creating an access list entry, you should keep three important factors in mind. These factors are location, direction, and order. We have already discussed these factors in the previous part of this tutorial. In this part, we will take an example to understand how an access list works and how these factors can affect an access list.
This tutorial is the third part of the article 'Cisco Access Lists Explained with Examples.'. Other parts of this article are the following.
Definition, purposes, benefits, and functions of ACL
Basic concepts and fundamentals of ACLs
Types of access control lists explained
Wildcard masks in ACLs Explained
Rules and configuration guidelines for Cisco ACLs
Access Control List Explained with Examples
The ip access-list command options and arguments
Standard ACL Configuration Commands Explained
Configure Standard Access Control List Step by Step Guide
How to secure VTY access to the Router
Extended ACL Configuration Commands Explained
Configure Extended Access Control List Step by Step Guide
How to block ICMP Ping on Cisco Routers
Location
In our example network, all LAN segments can access all LAN segments. To block students from accessing resources available outside the Students segment, the administrator created an access list and applied it to the F0/0 interface of the router. The ACL has the following entry.
If a packet has the source address from the network address 10.0.0.0/8, then discard the packet.
The following image shows how this ACL is applied.
Since all packets generated from the Students segment have source addresses from the 10.0.0.0/8 network, they will be blocked as soon as they enter the F0/0 interface. After this ACL, users from the Students segment will not be able to access outside resources.
To understand how the location affects the ACL, let's suppose the administrator applied the above ACL to the F0/1 interface.
The following image shows this change.
Now, this ACL is useless. This ACL instructs the router to block a packet if it arrives from the 10.0.0.0/8 network. A packet from the 10.0.0.0/8 will never enter from the F0/1 interface. The F0/1 interface is the default gateway of the Teachers segment. Since the network address of the Teachers segment is 20.0.0.0/8, all packets entering F0/1 will have a source address from the network 20.0.0.0/8.
This example shows why the correct location of the ACL matters. An ACL must be applied on the interface that the targeted traffic actually passes through.
Direction
Now suppose, instead of using the source address in the ACL entry, the administrator mistakenly used the destination address. The modified ACL is given below.
If the destination address of a packet is from the network 10.0.0.0/8, discard the packet.
The administrator applied this ACL to the F0/0 interface of the router.
Will this ACL work?
The following image shows the new ACL.
This ACL will not work. It instructs the router to block packets that are going to the network 10.0.0.0/8, not packets that are coming from the network 10.0.0.0/8. If you apply this ACL to the F0/0 interface, the Students segment will still be able to access the other three segments; the only packets it blocks are those entering F0/0 that are addressed to the Students segment itself.
Order
As mentioned earlier, for each packet, the router checks ACL entries from top to bottom until a match is found. Once a match is found, it does not check the remaining entries for that packet. Let's understand this factor through the example.
The administrator wants to allow a user from the Teachers segment to access the server available in the Administrators segment. The IP address of the allowed user is 20.0.0.3/8. Apart from the allowed user, all remaining users must not be able to access the Administrators segment. For this, the administrator created the following ACL and applied it to the F0/1 interface of the router.
Drop the packet if its source address belongs to the network 20.0.0.0/8.
Allow the packet if its source address is 20.0.0.3/8.
The following image shows this ACL.
Will this ACL work?
No, this ACL will block all outgoing traffic from the Teachers segment. When a packet originating from the host 20.0.0.3/8 reaches the router, the router checks the entries of the applied ACL from the top until a match is found.
The first line of the ACL says "drop the packet if its source address belongs to the network 20.0.0.0/8". Since the IP address 20.0.0.3/8 belongs to the network 20.0.0.0/8, the condition is true, and the router executes the action associated with this entry. Since that action is drop, the router drops the packet.
Even though the second line of the ACL allows the host 20.0.0.3/8, the router never reads or executes it, because processing stops at the first match.
The correct order to allow the host 20.0.0.3/8 will be the following.
Allow the packet if its source address is 20.0.0.3/8.
Drop the packet if its source address belongs to the network 20.0.0.0/8.
The following image shows the above ACL.
Now, this ACL will allow all packets originating from the host 20.0.0.3/8 but will block all packets originating from the other hosts of the network 20.0.0.0/8.
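The three factors above (location, direction, and order) can be checked against a small model of the router's first-match processing. The following Python simulator is an added example, not code from this tutorial or from Cisco; it assumes the interface-to-network mapping from the table above, expresses each entry's criterion as a CIDR prefix (wildcard masks are covered in a later part), and writes the single allowed host as 20.0.0.3/32 so the entry matches exactly that address. Real IOS access lists end with an implicit deny of every unmatched packet; the tutorial's examples leave that out, so the simulator models it with an `implicit_deny` flag that defaults to off.

```python
"""Model of inbound ACL evaluation: location, direction (src vs dst), and first-match order."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    field: str    # "src" or "dst": which packet address the criterion inspects
    network: str  # criterion as a CIDR prefix, e.g. "10.0.0.0/8" or a host "20.0.0.3/32"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed topology taken from the tutorial's table: network behind each router interface.
INTERFACES = {
    "F0/0": "10.0.0.0/8",  # Students
    "F0/1": "20.0.0.0/8",  # Teachers
    "F1/0": "30.0.0.0/8",  # Staff
    "F1/1": "40.0.0.0/8",  # Administrators
}


def ingress_interface(pkt: Packet) -> Optional[str]:
    """Interface on which a packet with this source address enters the router."""
    for name, net in INTERFACES.items():
        if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net):
            return name
    return None


def matches(entry: Entry, pkt: Packet) -> bool:
    """Test one entry's criterion against the chosen packet address."""
    addr = pkt.src if entry.field == "src" else pkt.dst
    return ipaddress.ip_address(addr) in ipaddress.ip_network(entry.network, strict=False)


def evaluate(acl: List[Entry], pkt: Packet, implicit_deny: bool = False) -> str:
    """Walk entries top to bottom; the first match decides, later entries are never read."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    # No entry matched. Cisco IOS denies here; the tutorial's examples assume forwarding.
    return "deny" if implicit_deny else "permit"


def forward(acl: List[Entry], applied_to: str, pkt: Packet, implicit_deny: bool = False) -> str:
    """Inbound ACL on `applied_to`: only packets entering that interface are inspected."""
    if ingress_interface(pkt) != applied_to:
        return "permit"  # location factor: an ACL on another interface never sees this packet
    return evaluate(acl, pkt, implicit_deny)


# The tutorial's three ACLs, as entries.
STUDENTS_BLOCK = [Entry("deny", "src", "10.0.0.0/8")]            # location example
WRONG_FIELD = [Entry("deny", "dst", "10.0.0.0/8")]               # direction example
WRONG_ORDER = [Entry("deny", "src", "20.0.0.0/8"),               # order example, broken
               Entry("permit", "src", "20.0.0.3/32")]
CORRECT_ORDER = [Entry("permit", "src", "20.0.0.3/32"),          # order example, fixed
                 Entry("deny", "src", "20.0.0.0/8")]


if __name__ == "__main__":
    student = Packet("10.0.0.5", "40.0.0.10")   # constructed: student host to admin server
    teacher = Packet("20.0.0.3", "40.0.0.10")   # constructed: the one allowed teacher
    other = Packet("20.0.0.9", "40.0.0.10")     # constructed: any other teacher host
    print("location  F0/0:", forward(STUDENTS_BLOCK, "F0/0", student))   # deny
    print("location  F0/1:", forward(STUDENTS_BLOCK, "F0/1", student))   # permit (useless)
    print("direction F0/0:", forward(WRONG_FIELD, "F0/0", student))      # permit (not blocked)
    print("order wrong   :", forward(WRONG_ORDER, "F0/1", teacher))      # deny
    print("order correct :", forward(CORRECT_ORDER, "F0/1", teacher),    # permit
          forward(CORRECT_ORDER, "F0/1", other))                         # deny
```

Swapping the two entries of `WRONG_ORDER` is the only change between the broken and the fixed list, which is the point of the order factor: the entries are identical, but the first one that matches a packet decides its fate.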
That's all for this tutorial. In this tutorial, we discussed how ACLs work. In the next tutorial, we will discuss the types of ACLs.