Configure Standard Access Lists to Filter IP Traffic Lab

Essentially, access lists are lists of conditions; they’re powerful tools that control access both to and from network segments. They can filter unwanted packets and can be used to implement security policies. With the right combination of access lists, network managers are armed with the power to enforce nearly any access policy they can invent.
Critical Information

An IP access list is a packet filter that packets are compared with, categorized by, and acted upon. A packet is always compared with each line of the access list in sequential order (in other words, it’ll always start with line 1, then go to line 2, then line 3, and so on).

There are two types of access lists used with IP:

Standard Access Lists

These use only the source IP address in an IP packet to filter the network, which basically permits or denies all messages from that address.

Extended Access Lists

These check both the source and destination IP address, the Protocol field in the Network-layer header, and the Port Number in the Transport-layer header. Once you create an access list, you apply it to an interface as either an inbound or an outbound list.

IP Access Lists

IP access lists are configured in global configuration mode and are identified by the number assigned to the access list. The numbers 0 through 99 represent a standard IP access list, and 100 to 199 represent an extended IP access list.

Standard IP Access Lists

IP standard access lists can analyze the source IP addresses of TCP/IP packets and then take action based upon that analysis. Each line of a standard IP access list is created with a command in the following format:

access-list [number] [permit or deny] [source address]
To define access lists, use the access-list command in configuration mode.

Each access list is assigned a unique number to distinguish it from the other lists. IP standard access lists are given numbers between 1 and 99, but other access-list types require different number ranges. Here is a sample command:

access-list 10 permit 172.16.30.2

This command adds a line to access list 10. The permit or deny keyword indicates whether to allow or discard matching packets, and the [source address] is used to define which source IP addresses should be acted upon.

Applying an IP Access List to an Interface

Configuring an access list by itself filters nothing; it takes effect only once you apply it to an interface. First, enter configuration mode and select the Ethernet 0 interface. Then use the ip access-group command with 10 out to apply list 10 to traffic leaving that interface. Here is an example:
(config-if)#ip access-group 10 out
Wildcard Masking

Wildcard masking allows you to specify either an entire network or a specific host. You can use wildcard masking in both standard and extended access lists.
In this example, we’ve used a wildcard mask to specify the source address:
Address 172.16.30.0
Mask 0.0.0.255
The mask consists of a 32-bit binary string of 0s followed by 1s, broken into octets and written in decimal. Ones are throwaway bits: the corresponding bit positions in the address are ignored when matching.

By specifying the source address and mask as shown above, we’re saying that the 172, 16, and 30 are required to match up, but the last octet of the IP address can be any value (remember that 255 is decimal format for binary 11111111). Likewise, when you specify a mask as follows, you’re requiring 172, 16, 30, and 2 all to match up exactly, because you’ve set all mask values to 0:
Address 172.16.30.2
Mask 0.0.0.0
Necessary Procedures

Here is an example of configuring with standard access lists:
RouterA#config t
RouterA(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
To apply this configuration to an Ethernet interface, you could use this example:
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int e0
RouterA(config-if)#ip access-group 10 out
RouterA(config-if)#^Z
RouterA#
Wildcards can be used in a standard access list as follows:
RouterA#config t
RouterA(config)#access-list 10 permit 172.16.50.2 0.0.0.0
RouterA(config)#access-list 10 permit 172.16.30.0 0.0.0.255
RouterA(config)#int e0
RouterA(config-if)#ip access-group 10 out
RouterA(config-if)#^Z
RouterA#
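An added example (not from the study guide) that models the matching logic described in the wildcard masking section and the procedure above: the two access-list 10 lines from the wildcard walkthrough are parsed, then candidate source addresses are compared top-down the way the router evaluates them. It assumes, as Cisco behaviour not stated on this page, that a packet matching no line is dropped by the implicit deny at the end of the list.

```python
import ipaddress
import re

# Matches one "access-list <n> permit|deny <source> [wildcard]" configuration line.
ACL_LINE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)

def to_int(dotted):
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(config_text, number):
    """Return [(action, address, wildcard)] for one list, in the order typed."""
    rules = []
    for line in config_text.splitlines():
        m = ACL_LINE.search(line)
        if not m or int(m["num"]) != number:
            continue  # blank line, prompt noise, or a different access list
        # No wildcard given means a single host, i.e. wildcard 0.0.0.0.
        rules.append((m["action"], to_int(m["addr"]), to_int(m["mask"] or "0.0.0.0")))
    return rules

def wildcard_match(src, address, wildcard):
    """1 bits in the wildcard are throwaway bits; only the 0-bit positions must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(src) & care) == (address & care)

def evaluate(rules, src):
    """Compare the source against each line in sequence; the first match decides."""
    for action, address, wildcard in rules:
        if wildcard_match(src, address, wildcard):
            return action
    return "deny"  # implicit deny at the end of every list (assumed Cisco behaviour)

# Constructed sample: the two lines typed in the guide's wildcard walkthrough.
SAMPLE_CONFIG = """
RouterA(config)#access-list 10 permit 172.16.50.2 0.0.0.0
RouterA(config)#access-list 10 permit 172.16.30.0 0.0.0.255
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_CONFIG, 10)
    for src in ("172.16.50.2", "172.16.30.77", "172.16.50.3", "10.0.0.1"):
        print(f"{src:>13} -> {evaluate(rules, src)}")
```

With list 10 applied outbound on e0, only 172.16.50.2 and the 172.16.30.0/24 sources leave the interface; everything else, including 172.16.50.3, is dropped by the implicit deny.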
