Page 1

Access Lists
Lecture 7
Hassan Shuja
04/25/2006

Page 2

Access Lists
• Access Lists (ACL)
  – Access lists are used to filter traffic that passes through a router
  – Some key features of Cisco ACLs
    – Packets can be filtered as they enter an interface
    – Packets can be filtered before they exit an interface
    – Deny is the term used in Cisco IOS to block a packet at the interface that is doing the filtering
    – Permit is the term used in Cisco IOS to allow a packet through the interface that is doing the filtering
    – At the end of every ACL is an implied “deny all traffic” statement. Therefore, if a packet does not match any of your access list statements, it is blocked
  – ACLs filter packets by looking at the IP, TCP, and UDP headers in the packet
  – There are two types of ACLs
    – The standard ACL only examines the source IP address
    – The extended ACL can examine the source and destination IP address, as well as the source and destination port numbers
  – ACLs use a wildcard mask instead of a subnet mask
    – Wildcard masks are the inverse of the subnet mask: the 1s become 0s and the 0s become 1s
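The wildcard-mask rule above can be checked bit by bit. The following Python script is an added example, not part of the lecture: it inverts a subnet mask into a wildcard mask and back, and applies a wildcard mask the way a router does when it decides whether an address matches an ACL entry (a 0 bit in the wildcard means "this bit must match", a 1 bit means "ignore this bit"). The function names are my own. It also goes one step beyond the slide: a wildcard mask does not have to be the inverse of a valid subnet mask, and `wildcard_is_contiguous` tells the two cases apart.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask bit for bit: 255.255.0.0 -> 0.0.255.255."""
    return _to_dotted(_to_int(subnet_mask) ^ ALL_ONES)


def wildcard_to_subnet(wildcard: str) -> str:
    """The same inversion in the other direction: 0.0.0.255 -> 255.255.255.0."""
    return _to_dotted(_to_int(wildcard) ^ ALL_ONES)


def wildcard_matches(address: str, acl_address: str, wildcard: str) -> bool:
    """True if `address` is matched by the ACL entry `acl_address wildcard`.

    Every wildcard bit that is 0 must be equal in the packet address and the
    ACL address; every wildcard bit that is 1 is ignored.
    """
    care = _to_int(wildcard) ^ ALL_ONES  # the bits the router actually compares
    return (_to_int(address) & care) == (_to_int(acl_address) & care)


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True if the wildcard is the inverse of a valid subnet mask, i.e. its
    1 bits form a single run at the low end (0.0.255.255 yes, 0.0.254.255 no)."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


if __name__ == "__main__":
    # Constructed demo values; 172.16.0.0 0.0.255.255 is the lecture's own example entry.
    print(subnet_to_wildcard("255.255.0.0"))                        # 0.0.255.255
    print(wildcard_matches("172.16.20.5", "172.16.0.0", "0.0.255.255"))  # True
    print(wildcard_matches("172.17.0.1", "172.16.0.0", "0.0.255.255"))   # False
    # A wildcard of 0.0.0.0 matches exactly one host (what the "host" keyword expands to).
    print(wildcard_matches("130.85.5.6", "130.85.5.5", "0.0.0.0"))       # False
    # Non-contiguous wildcard: 0.0.254.255 keeps bit 0 of the third octet, so it matches only even third octets.
    print(wildcard_matches("172.16.4.1", "172.16.0.0", "0.0.254.255"))   # True
    print(wildcard_matches("172.16.5.1", "172.16.0.0", "0.0.254.255"))   # False
```

The contiguity check matters for review work: a wildcard such as 0.0.254.255 is legal on the router and matches a pattern of subnets rather than one block, so it cannot be read as a plain CIDR prefix when auditing a configuration.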

Page 3

Access Lists
• Standard Access Lists
  – Standard ACLs are numbered in the range of 1 to 99 or 1300 to 1999
  – The following is the syntax for a standard ACL
    – “access-list number permit/deny ip address wildcard mask”
    – “access-list 1 permit 172.16.0.0 0.0.255.255”
    – “access-list 1 deny 165.31.0.0 0.0.255.255”
  – Configuration is done in configuration mode
  – A standard ACL needs to be enabled under the interface before it will work
  – The command used to apply an ACL to an interface is “ip access-group”
    – This command is run under the interface mode
    – To enable an ACL, the interfaces on the router need to be designated as the “inside” and “outside” interfaces
    – “ip access-group 1 out” or “ip access-group 1 in”

Page 4

Access Lists
• Extended Access Lists
  – Extended ACLs are numbered in the range of 100 to 199 or 2000 to 2699
  – The following is the syntax for an extended ACL
    – “access-list number permit/deny protocol source IP address source wildcard mask destination IP address destination wildcard mask eq port number”
    – “access-list 101 permit tcp 172.16.0.0 0.0.255.255 165.33.15.0 0.0.0.255 eq 23”
    – “access-list 101 deny udp host 130.85.5.5 209.80.1.0 0.0.255.255 eq 80”
  – “host” can be used to specify one IP address
  – “eq” stands for equal and specifies the exact port to filter traffic on
  – Ports can also be compared by using less than (lt) or greater than (gt)
  – Configuration is done in configuration mode
  – An extended ACL needs to be enabled under the interface before it will work
  – The command used to apply an ACL to an interface is “ip access-group”
    – This command is run under the interface mode
    – To enable an ACL, the interfaces on the router need to be designated as the “inside” and “outside” interfaces
    – “ip access-group 101 out” or “ip access-group 101 in”
  – Remarks can be written to identify the ACL
    – “access-list 101 remark this access list is used to deny web traffic”
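To see how the standard ACL of Page 3 and the extended ACL of Page 4 are actually evaluated, the Python script below is an added example (not the lecture's material and not Cisco code): it parses the exact `access-list` statements shown on these two slides, classifies each list as standard or extended from its number, skips `remark` lines, and evaluates a packet top to bottom, where the first matching entry decides and a packet that matches nothing falls through to the implied deny. The model is a simplification and follows only the syntax given on the slides: the `eq`/`lt`/`gt` operator applies to the destination port, `host X` expands to `X 0.0.0.0`, and the names `Entry`, `Packet`, `parse_acl` and `evaluate` are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STANDARD_RANGES = ((1, 99), (1300, 1999))     # numbers from Page 3
EXTENDED_RANGES = ((100, 199), (2000, 2699))  # numbers from Page 4
PORT_OPERATORS = ("eq", "lt", "gt")


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _in_ranges(number: int, ranges) -> bool:
    return any(lo <= number <= hi for lo, hi in ranges)


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """Wildcard 0 bits must match, 1 bits are ignored."""
    care = _ip(wildcard) ^ 0xFFFFFFFF
    return (_ip(address) & care) == (_ip(base) & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" for a standard ACL
    src: str
    src_wild: str
    dst: str = "0.0.0.0"             # standard ACLs never look at the destination
    dst_wild: str = "255.255.255.255"
    op: Optional[str] = None         # eq / lt / gt applied to the destination port
    port: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'host X' or 'X WILDCARD' at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1] not in PORT_OPERATORS:
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1      # bare address: exact host


def parse_acl(lines: List[str]) -> Dict[int, List[Entry]]:
    """Parse access-list statements into {number: [entries in configured order]}."""
    acls: Dict[int, List[Entry]] = {}
    for raw in lines:
        t = raw.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        number = int(t[1])
        entries = acls.setdefault(number, [])
        if t[2] == "remark":
            continue                           # documentation only, never matched
        action = t[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw}")
        if _in_ranges(number, STANDARD_RANGES):
            src, wild, _ = _parse_addr(t, 3)
            entries.append(Entry(action, "ip", src, wild))
        elif _in_ranges(number, EXTENDED_RANGES):
            proto = t[3]
            src, sw, i = _parse_addr(t, 4)
            dst, dw, i = _parse_addr(t, i)
            op = port = None
            if i < len(t):
                op, port = t[i], int(t[i + 1])
            entries.append(Entry(action, proto, src, sw, dst, dw, op, port))
        else:
            raise ValueError(f"{number} is not a standard or extended ACL number")
    return acls


def _port_ok(e: Entry, p: Packet) -> bool:
    if e.op is None:
        return True
    if p.dst_port is None:
        return False
    return {"eq": p.dst_port == e.port,
            "lt": p.dst_port < e.port,
            "gt": p.dst_port > e.port}[e.op]


def _entry_matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    return (wildcard_matches(p.src, e.src, e.src_wild)
            and wildcard_matches(p.dst, e.dst, e.dst_wild)
            and _port_ok(e, p))


def evaluate(entries: List[Entry], packet: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, entry index).
    No match at all returns ("deny", None): the implied deny at the end of every ACL."""
    for idx, e in enumerate(entries):
        if _entry_matches(e, packet):
            return e.action, idx
    return "deny", None


# The statements exactly as they appear on Pages 3 and 4 of the lecture.
CONFIG = """
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 deny 165.31.0.0 0.0.255.255
access-list 101 remark this access list is used to deny web traffic
access-list 101 permit tcp 172.16.0.0 0.0.255.255 165.33.15.0 0.0.0.255 eq 23
access-list 101 deny udp host 130.85.5.5 209.80.1.0 0.0.255.255 eq 80
""".strip().splitlines()

if __name__ == "__main__":
    acls = parse_acl(CONFIG)
    # Constructed sample packets.
    print(evaluate(acls[1], Packet("172.16.3.4", "10.0.0.1")))                 # ('permit', 0)
    print(evaluate(acls[1], Packet("10.1.1.1", "10.0.0.1")))                   # ('deny', None)
    print(evaluate(acls[101], Packet("172.16.1.1", "165.33.15.7", "tcp", 23)))  # ('permit', 0)
    print(evaluate(acls[101], Packet("172.16.1.1", "165.33.15.7", "tcp", 22)))  # ('deny', None)
```

Two things the slide's bullet points state but a trace makes concrete: the source 10.1.1.1 is blocked by ACL 1 even though no line mentions it, because nothing matched and the implied deny applied; and in ACL 101 the explicit `deny udp` line is reachable only for the one host 130.85.5.5, so every other unlisted flow is also dropped by the implied deny rather than by any configured statement.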