Access-Lists are fundamental to today's networks as they provide basic packet filtering at the interface level. The router inspects each incoming or outgoing packet and decides whether to forward it or drop it according to the configuration of the ACL (Access-List). While one of the many reasons to use ACLs in today's networks is security, it is also important to know that there are two basic types of ACLs:
- Standard ACLs: Filter traffic based on source addresses – Typically applied closest to the destination
- Extended ACLs: Filter traffic based on source and destination addresses – Typically applied closest to the source
Note that extended ACLs drill down to the service level as well, which is nice because you can allow/block based on port number.
The steps needed to successfully apply a standard ACL to an interface are as follows:
1) Create an ACL
2) Apply the ACL to the interface either inbound or outbound
For the sake of this topic, we will use the following topology…
Here we have a single broadcast domain and a couple of loopback addresses on both routers. Our endgame is to allow traffic sourced from R2 – Loopback 2 (2.2.2.2/24) and block traffic sourced from R2 – Loopback 9 (9.9.9.9/24) when pinging the R1 Loopback 1 address.
Let’s hop onto the consoles and first make sure we have reachability across…
Here we have static routes to ensure basic connectivity. We can now ping across but let’s make sure we can ping Loopback 1 from both Loopback 2 and Loopback 9 before we make any changes…
Fantastic! We can clearly see here that we can. Let's now create our ACL…
Notice here how we have ranges for different routed network protocols, AppleTalk for instance, but what we are interested in is the 1st range, which is specifically for IP Standard ACLs.
So here, we are only allowing 2.2.2.0/24 (a match on the entire subnet). The reason this is enough is that at the end of every ACL there is an implicit DENY, which means that if Loopback 9 is not explicitly allowed, it will be implicitly denied. Let's apply our ACL to the Eth1/0 interface on R1…
Here, we have configured the command "ip access-group 1 in" on interface Eth1/0, which calls on the ACL number and sets the direction to be inbound to the router. We can validate by running the following command…
So, this should work like a charm but let’s test it. Let’s run a debug on R1 first…
Let’s now ping Loopback 1 from Loopback 2…
Very good! Let's see what the debug says on R1…
Fantastic! This is a good sign! Let's now ping Loopback 1 from Loopback 9…
Well! This is not a good sign. Let's check our debug output on R1 for more clarification…
All right! This is what we were looking for. We can clearly see here that the debug output indicates that we have successfully denied incoming packets sourced from Loopback 9.
That’s all there is to it. You can play with the ACLs and configure deny statements and add a “permit all” statement at the end. Depending on ease of management and how you want to scope it out, you can configure it different ways but this is in general what you need to know.
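To make the matching logic behind the ACL we created above (and the deny/"permit any" variant just mentioned) concrete, here is an added Python model of how a Cisco standard ACL is evaluated: it parses IOS-style `access-list` statements, matches a packet's source against each entry using the wildcard mask, stops at the first match, and falls through to the implicit deny. This is example code written for this post, not output from the routers; the ACL lines are constructed to mirror the 2.2.2.0/24 scenario.

```python
import ipaddress

# Constructed ACL in IOS syntax, mirroring the post: standard ACL 1 permits
# the 2.2.2.0/24 subnet; anything else (e.g. 9.9.9.9) hits the implicit deny.
ACL_LINES = ["access-list 1 permit 2.2.2.0 0.0.0.255"]


def parse_standard_acl(lines):
    """Parse IOS standard ACL statements into (action, address, wildcard).

    IP standard ACLs use numbers 1-99 (or the expanded range 1300-1999);
    other ranges belong to other protocols or to extended ACLs.
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not an access-list statement: {line!r}")
        number = int(parts[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"ACL {number} is not in the IP standard range")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if parts[3] == "any":                       # match every source
            addr, wildcard = 0, 0xFFFFFFFF
        elif parts[3] == "host":                    # single host, mask 0.0.0.0
            addr, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
        else:                                       # address + wildcard mask
            addr = int(ipaddress.IPv4Address(parts[3]))
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, addr, wildcard))
    return entries


def evaluate(entries, source_ip):
    """Return 'permit' or 'deny' for a packet with the given source address.

    A wildcard bit of 1 means "don't care"; the first matching entry wins,
    and a packet that matches nothing is dropped by the implicit deny.
    """
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF
        if (src & care) == (addr & care):
            return action
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_LINES)
    for src in ("2.2.2.2", "9.9.9.9"):
        print(f"ping from {src} to Loopback 1: {evaluate(acl, src)}")
```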
Please let me know if you have any questions.