Professional Documents
Culture Documents
EUMED - GRNET
ACL Types
ACLs come in many types. The access-listnumber specifies what types. The table below shows common access list types. ACL Type IP Standard IP Extended AppleTalk IPX Standard IPX Extended ACL Number 1 to 99 100 to 199 600 to 699 800 to 899 900 to 999
IPX SAP
1000 to 1099
Should be put close to the destination address because you can not specify the destination address.
Wildcard Mask
32 bit long Mask bits of 0 imply that the same bit positions must be compared Mask bits of 1imply that the same bit positions are considered to match
Example
Configure an access list that blocks network 210.93.105.0 from exiting serial port s0 on some router. Allow all other to pass. access-list 4 deny 210.93.105.0 0.0.0.255 access-list 4 permit any interface s0 ip access-group 4
Example (continued)
Same example but would like to block only the first half IP of the network. access-list 4 deny 210.93.105.0 0.0.0.127 access-list 4 permit any interface s0 ip access-group 4
Example (continued)
Same example but would like to block only the second half IP of the network. access-list 4 deny 210.93.105.128 0.0.0.127 access-list 4 permit any interface s0 ip access-group 4
Example (continued)
Same example but would like to block only the even numbered IP of the network. access-list 4 deny 210.93.105.0 0.0.0.254 access-list 4 permit any interface s0 ip access-group 4
Example (continued)
Same example but would like to block only the odd numbered IP of the network. access-list 4 deny 210.93.105.1 0.0.0.254 access-list 4 permit any interface s0 ip access-group 4
Second, look for the leading bits that are shared by both (in blue below)
00000000 01111111 These bits in common are to be checked just like the common bits in the 192.5.5 portion of the addresses.
What about the teachers? What would be their ip mask and wildcard mask?
192.5.5.128 (10000000) to 192.5.5.255 (11111111) Answer: 192.5.5.128 0.0.0.127 Notice anything? What stayed the same? changed?
Since the last statement is commonly used to override the deny any, Cisco gives you an option--the any command:
Lab-A(config)#access-list 1 permit any
or...
Lab-A(config)#access-list 1 permit host 192.5.5.10
Naming ACLs
One nice feature in the Cisco IOS is the ability to name ACLs. This is especially helpful if you need more than 99 standard ACLs on the same router. Once you name an ACL, the prompt changes and you no longer have to enter the access-list and access-list-number parameters. In the example below, the ACL is named over_and as a hint to how it should be placed on the interface--out Lab-A(config)# ip access-list standard over_and Lab-A(config-std-nacl)#deny host 192.5.5.10
.........
Lab-A(config-if)#ip access-group over_and out
Verifying ACLs
Show commands:
show access-lists shows all access-lists configured on the router show access-lists {name | number} shows the identified access list show ip interface shows the access-lists applied to the interface--both inbound and outbound. show running-config shows all access lists and what interfaces they are applied on
Extended ACL
Logging
(config-ext-nacl)# permit tcp any any log-input (config-ext-nacl)# permit ip any any log
Time based
(conf)# time-range bar (conf-time-range)# periodic daily 10:00 to 13:00 (conf-time-range)# ip access-list tin (config-ext-nacl)# deny tcp any any eq www time-range bar (config-ext-nacl)# permit ipv6 any any
Evaluate
Apply the packet against a reflexive ACL. Multiple evaluate statements are allowed per ACL. The implicit deny any any rule does not apply at the end of a reflexive ACL; matching continues after the evaluate in this case.