By default a router does not filter traffic. Traffic that enters the router is routed solely based on information within the routing table.
Packet filtering controls access to a network by analyzing the incoming and outgoing packets and passing or dropping them based on criteria such as the source IP address, the destination IP address, and the protocol carried within the packet. A packet-filtering router uses rules to determine whether to permit or deny traffic. A router can also perform packet filtering at Layer 4, the transport layer.
An ACL is a sequential list of permit or deny statements. The last statement of an ACL is always an implicit deny, which blocks all traffic that did not match an earlier statement. To prevent the implied deny any statement at the end of the ACL from blocking all remaining traffic, an explicit permit ip any any statement can be added.
When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each entry, in sequential order, to determine if the packet matches one of the statements. If a match is found, the packet is processed accordingly.
ACLs are configured to apply to inbound traffic or to apply to outbound traffic.
Standard ACLs can be used to permit or deny traffic only from a source IPv4 address. The destination of the packet and the ports involved are not evaluated. The basic rule for placing a standard ACL is to place it close to the destination.
Extended ACLs filter packets based on several attributes: protocol type, source or destination IPv4 address, and source or destination ports. The basic rule for placing an extended ACL is to place it as close to the source as possible.
The access-list global configuration command defines a standard ACL with a number in the range of 1 through 99 or an extended ACL with a number in the range of 100 to 199 and 2000 to 2699. Both standard and extended ACLs can also be named. The ip access-list standard name command is used to create a standard named ACL, whereas the ip access-list extended name command is used for an extended access list. IPv4 ACEs use wildcard masks to specify which address bits must match.
After an ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode. Remember the three Ps, one ACL per protocol, per direction, per interface.
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
The show running-config and show access-lists commands are used to verify ACL configuration. The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied.
The access-class command configured in line configuration mode restricts incoming and outgoing connections between a particular VTY and the addresses in an access list.
Like IPv4 named ACLs, IPv6 ACL names are alphanumeric, case sensitive, and must be unique. Unlike IPv4, there is no need for a standard or extended option.
From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL. Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.
After an IPv6 ACL is configured, it is linked to an interface using the ipv6 traffic-filter command.
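The matching rules described above (sequential evaluation, first match wins, implicit deny at the end, IPv4 wildcard masks and IPv6 prefix lengths) are shown below as an added Python model of the evaluation logic; it is not Cisco IOS code and the ACL entries and addresses in it are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    network: int  # address bits the packet is compared against
    mask: int     # bits that must match (for IPv4 this is the inverse of the wildcard mask)
    bits: int     # 32 for IPv4 ACEs, 128 for IPv6 ACEs


def ace_from_wildcard(action, network, wildcard):
    """IPv4 ACE: a wildcard bit of 0 means 'must match', 1 means 'do not care'.
    Example: 192.168.1.0 0.0.0.255 matches the whole /24; 0.0.0.0 matches one host."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    return Ace(action, net, (~wc) & 0xFFFFFFFF, 32)


def ace_from_prefix(action, prefix):
    """IPv6 ACE: the prefix length says how many leading bits must match."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return Ace(action, int(net.network_address), int(net.netmask), 128)


def evaluate(acl, src):
    """Compare the packet's source address against each ACE in order.
    The first matching ACE decides; a packet that matches no ACE is dropped
    by the implicit deny that ends every ACL."""
    addr = ipaddress.ip_address(src)
    for ace in acl:
        if ace.bits != addr.max_prefixlen:  # skip ACEs of the other address family
            continue
        if (int(addr) & ace.mask) == (ace.network & ace.mask):
            return ace.action
    return "deny"  # implicit deny any


# Constructed standard ACL: block one host, then permit the rest of its subnet.
# Order matters: with the two entries swapped, the host deny would never be reached.
ACL_10 = [
    ace_from_wildcard("deny", "192.168.1.10", "0.0.0.0"),
    ace_from_wildcard("permit", "192.168.1.0", "0.0.0.255"),
]

# A wildcard of 255.255.255.255 is "permit any": appending it overrides the implicit deny.
PERMIT_ANY = ace_from_wildcard("permit", "0.0.0.0", "255.255.255.255")

# Constructed IPv6 ACL: permit one /64, everything else hits the implicit deny.
ACL_V6 = [ace_from_prefix("permit", "2001:db8:1::/64")]
```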