10.2 Configuring IP Standard Access Lists
10.2.7 Configuration principles for access lists
The following four general principles help ensure that the access lists you create have the intended results:
  • Top-down processing

Organize your access list so that more specific references in a network or subnet appear before more general ones.

Place more frequently occurring conditions before less frequently occurring conditions to optimize performance.

  • Implicit deny any

Unless you end your access list with an explicit permit any, it will deny by default all traffic that fails to match any of the access-list lines.

  • New lines added to the end

Subsequent additions are always added to the end of the access list.

You cannot selectively add or remove lines when using numbered access lists, but you can when using IP-named access lists (a Cisco IOS Release 11.2 feature; see www.cisco.com).

  • Undefined access list means permit any

If you apply an access list with the access-group command to an interface before any access-list lines have been created, the result will be permit any. The list is "live," so if you enter only one line, it goes from a permit any to a "deny most" (because of the implicit deny any) as soon as you press Return. For this reason, create your access list before you apply it to an interface.

Note that this behavior changed with Release 10.3. In previous releases, an undefined access list caused everything to be denied, because those releases interpreted an undefined access list as an actual access list with no entries, and, therefore, one that had only the implicit "deny any" at the end.

Note: One way to change an access list is to create a new access list with a different access-list number. Then use the ip access-group command to apply the new access list number to the router interface. The new access list replaces the old one. For a few seconds (or microseconds), you will not have protection on the interface while the router replaces the old access list with the new. If you are working in a secure environment where this kind of security breach is unacceptable, use the ip shutdown command to disable the interface for IP packets during the changeover, as in the following example:

interface serial 0
ip shutdown
ip access-group 2
no ip shutdown

The main figure shows an example of a standard access list. The first statement permits a specific host, while the second statement denies all other hosts on that subnet. The third statement permits all other hosts on the same network, and finally the implicit deny statement denies the outside world (Internet).

Lab Activity
  In this lab, you will learn the usage of standard access control lists.

So, who can connect to A? Answer the following questions:

  • Can host B communicate with host A? Yes. It is permitted by the first line, which uses an implicit host mask.
  • Can host C communicate with host A? No. Host C is in the subnet denied by the second line.
  • Can host D communicate with host A? Yes. Host D is on a subnet that is explicitly permitted by the third line.
  • Can users on the Internet communicate with host A? No. Users outside this network are not explicitly permitted, so they are denied by default (implicit deny any).
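The four principles above and the figure's three-line list can be checked against a small model of how a standard access list is evaluated. The following Python simulator is an added example, not Cisco IOS code or anything from the curriculum: it implements top-down first-match evaluation, the implicit deny any at the end, the append-only behavior of new lines, and the "undefined list means permit any" rule. The figure's addresses are not given on the page, so the addresses for hosts A through D and the Internet host are constructed (172.16.0.0/16 as A's network, 172.16.3.0/24 as C's subnet, 203.0.113.5 as an outside host). It also includes a shadowed-line check, a useful sanity test when you build a list, which shows what goes wrong if the host permit is placed after the subnet deny.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def _fixed_bits(wildcard: int) -> int:
    # In a Cisco wildcard mask a 0 bit means "must match" and a 1 bit means "don't care".
    return ~wildcard & ALL_ONES


def _matches(addr: int, reference: int, wildcard: int) -> bool:
    fixed = _fixed_bits(wildcard)
    return (addr & fixed) == (reference & fixed)


@dataclass
class StandardAcl:
    """Toy model of a numbered IP standard access list (first match wins)."""
    number: int
    lines: list = field(default_factory=list)

    def add_line(self, action: str, source: str, wildcard: str = "0.0.0.0") -> None:
        # New lines are always appended; omitting the wildcard gives the host mask 0.0.0.0.
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.lines.append((action, _to_int(source), _to_int(wildcard)))

    def evaluate(self, src: str) -> str:
        # An applied but undefined list (no entries) permits everything (Release 10.3+ rule).
        if not self.lines:
            return "permit"
        addr = _to_int(src)
        for action, reference, wildcard in self.lines:  # top-down, first match wins
            if _matches(addr, reference, wildcard):
                return action
        return "deny"  # implicit deny any at the end of every defined list

    def shadowed_lines(self) -> list:
        """Indices of lines that can never match because an earlier line covers them."""
        shadowed = []
        for j, (_, ref_j, wc_j) in enumerate(self.lines):
            for _, ref_i, wc_i in self.lines[:j]:
                fixed_i = _fixed_bits(wc_i)
                # Line i covers line j when every bit i fixes is also fixed by j with the same value.
                if (wc_j & fixed_i) == 0 and (ref_i & fixed_i) == (ref_j & fixed_i):
                    shadowed.append(j)
                    break
        return shadowed


# Constructed addresses standing in for the figure's hosts (assumption, not from the page).
HOST_B = "172.16.3.10"
HOSTS = {"B": HOST_B, "C": "172.16.3.77", "D": "172.16.4.20", "Internet": "203.0.113.5"}


def build_example_acl() -> StandardAcl:
    """The figure's list: permit one host, deny the rest of its subnet, permit the rest of the network."""
    acl = StandardAcl(1)
    acl.add_line("permit", HOST_B)                        # line 1: specific host, implicit host mask
    acl.add_line("deny", "172.16.3.0", "0.0.0.255")       # line 2: everyone else on that subnet
    acl.add_line("permit", "172.16.0.0", "0.0.255.255")   # line 3: everyone else on the network
    return acl


def build_misordered_acl() -> StandardAcl:
    """Same three lines with the subnet deny first: the host permit is never reached."""
    acl = StandardAcl(2)
    acl.add_line("deny", "172.16.3.0", "0.0.0.255")
    acl.add_line("permit", HOST_B)
    acl.add_line("permit", "172.16.0.0", "0.0.255.255")
    return acl


def answers(acl: StandardAcl) -> dict:
    """Who can reach host A through this list?"""
    return {name: acl.evaluate(ip) for name, ip in HOSTS.items()}


if __name__ == "__main__":
    print("figure list:", answers(build_example_acl()))
    print("misordered :", answers(build_misordered_acl()),
          "shadowed lines:", build_misordered_acl().shadowed_lines())
    print("undefined  :", StandardAcl(3).evaluate("203.0.113.5"))
```

The figure's ordering yields exactly the lab answers (B permit, C deny, D permit, Internet deny). Reversing the first two lines makes host B's permit a dead line, which `shadowed_lines()` reports, and B is then denied by the subnet line; the same check is worth running whenever you append a line, since new lines can only go to the end of a numbered list.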