Packet Filtering Example
To understand the concept of how a router uses packet filtering, imagine that a guard has been posted at a locked door. The guard’s instructions are to allow only people whose names appear on a list to pass through the door. The guard is filtering people based on the criterion of having their names on the authorized list.
By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. If you do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment.
Regarding numbered ACLs, in case you are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols. This course focuses only on IP ACLs. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX.
There are two types of Cisco ACLs: standard and extended.
Standard ACLs
filter IP packets based on the source address only
numbered 1 to 99 and 1300 to 1999
===================================================
access-list 10 permit 192.168.30.0 0.0.0.255
===================================================
Extended ACLs
filter IP packets based on several attributes, including the following:
- source and destination addresses
- source and destination TCP and UDP ports
- protocol type (IP, ICMP, UDP, TCP, or protocol number)
numbered 100 to 199 and 2000 to 2699
===========================================================
access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80
===========================================================
Recall that every ACL ends with an unseen implicit deny-all statement, equivalent to adding the line access-list 1 deny 0.0.0.0 255.255.255.255 as the last entry.
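As an added example (my own code, not part of the course material), the following Python model shows how the two entries above are matched: the ACL number decides whether the entry is standard or extended, the wildcard mask selects which address bits are compared, entries are tried in order, and a packet that matches nothing falls through to the implicit deny. The parser covers only the syntax shown on this page ('any', network plus wildcard, optional 'eq <port>') and is a simplification of IOS.

```python
import ipaddress

STANDARD_RANGES = ((1, 99), (1300, 1999))   # number ranges given in the text
EXTENDED_RANGES = ((100, 199), (2000, 2699))
ANY = ("0.0.0.0", "255.255.255.255")        # 'any' == network 0.0.0.0, wildcard all-ones

def acl_kind(number):  # 'standard', 'extended', or None for numbers used by other protocols
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    return None

def wildcard_match(addr, network, wildcard):  # 1 bits in the wildcard mean 'ignore this bit'
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _addr(t, i):
    """Consume one address spec ('any' or 'A.B.C.D wildcard'); return it and the next index."""
    if t[i] == "any":
        return ANY, i + 1
    return (t[i], t[i + 1]), i + 2

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line into a matchable rule."""
    t = line.split()
    number, action, kind = int(t[1]), t[2], acl_kind(int(t[1]))
    if kind == "standard":   # source address only; protocol, destination and port are not checked
        return {"action": action, "proto": "ip", "src": _addr(t, 3)[0], "dst": ANY, "port": None}
    if kind == "extended":   # protocol, source, destination, optional 'eq <port>'
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return {"action": action, "proto": t[3], "src": src, "dst": dst, "port": port}
    raise ValueError(f"access-list {number} is not an IP ACL number")

def evaluate(entries, src, dst, proto="ip", dport=None):
    """Entries are tried in order and the first match decides; no match hits the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"]
    return "deny"   # the unseen 'deny 0.0.0.0 255.255.255.255' at the end of every ACL

STANDARD_ACL = [parse_entry("access-list 10 permit 192.168.30.0 0.0.0.255")]   # entries from the text
EXTENDED_ACL = [parse_entry("access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80")]
```

Note that the standard ACL permits 192.168.30.7 regardless of destination or port, while the extended ACL permits that host only for TCP to port 80; everything else, including UDP to port 80, is dropped by the implicit deny.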