CCNA TechNote: IP Access Lists
- Wednesday, June 11, 2008, 1:54
- Study Guide
Access lists allow Cisco routers to function as a packet filter and are supported for several protocols. The most common of these protocols are listed in the following table:
| Protocol | Range |
|---|---|
| IP standard | 1 to 99 (and 1300 to 1999 in IOS 12.0 and higher) |
| IP extended | 100 to 199 (and 2000 to 2699 in IOS 12.0 and higher) |
| Ethernet type code | 200 to 299 |
| DECnet | 300 to 399 |
| XNS | 400 to 499 |
| Extended XNS | 500 to 599 |
| AppleTalk | 600 to 699 |
| Ethernet address | 700 to 799 |
| IPX standard | 800 to 899 |
| IPX extended | 900 to 999 |
| IPX SAP | 1000 to 1099 |
Access lists are lists of rules that either permit or deny certain inbound or outbound traffic from and to particular hosts or networks. The access list and its rules are applied to one or more interfaces on the router. When the router routes traffic through these interfaces, the rules in the list are processed sequentially from the top, looking for a matching rule, and the first match decides whether the traffic passes. When no rule permits the traffic, it is denied by default because of the implicit deny any at the end of every access list. For example, if you deny telnet traffic to host 172.16.22.139 using the rule access-list 110 deny tcp any host 172.16.22.139 eq telnet, and this is the only rule in the access list, you effectively deny all IP traffic from entering or leaving the router's interface.
The implicit deny all confuses many people and is often forgotten in practice, while in fact it is very logical. If you want to protect a network using a packet filter, you would typically start out by denying all traffic, and from there permit certain hosts or networks to exchange certain traffic.
In addition to protecting private networks from external intruders, access lists are also commonly used to manage network traffic. For example, if you do not want certain protocols or services available in particular subnets you can block only those ports but permit all other traffic. This is also used as an effective way to prevent traffic such as ICMP messages and routing updates from traveling over certain links.
Standard IP Access Lists
Standard IP access lists permit or deny traffic based on its source IP address (one host, a range of addresses selected with a wildcard mask, or any).
Use the global configuration access-list command to create an access list entry:
router(config)#access-list number deny|permit source|any [wildcard] [log]
Use the interface configuration mode ip access-group command to bind the access list to an interface:
router(config-if)#ip access-group number in|out
For example, to prevent hostC from sending traffic to the WAN in the network depicted in the diagram below, use the following commands.
router(config)#access-list 10 deny 192.168.23.11
router(config)#access-list 10 permit any
router(config)#interface ethernet 0
router(config-if)#ip access-group 10 in
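To make the first-match rule and the implicit deny concrete, here is an added example (not from the original study guide, and not Cisco code) that parses standard access list entries in the syntax shown above and evaluates a source address against them the way the text describes. The list numbers, addresses and the hypothetical access list 20 are constructed for the demonstration; access list 10 is the one from the example above.

```python
import ipaddress

# Added example (not from the page): a small first-match evaluator for
# Cisco-style standard IP access lists, written to show the sequential
# processing and the implicit "deny any" the text describes.

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    """IPv4 dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny source' entries into rules.

    The source may be 'any', 'host A.B.C.D', a bare address (wildcard
    0.0.0.0, i.e. exactly one host) or 'A.B.C.D W.W.W.W' with a wildcard
    mask; a trailing 'log' keyword is tolerated and ignored.
    Returns (list_number, [(action, source_int, wildcard_int), ...]).
    """
    number, rules = None, []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list entry: {line!r}")
        num = int(parts[1])
        if not (1 <= num <= 99 or 1300 <= num <= 1999):
            raise ValueError(f"{num} is outside the standard IP ACL ranges")
        if number is None:
            number = num
        elif num != number:
            raise ValueError("entries belong to different lists")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if parts[3] == "any":
            source, wildcard = 0, ALL_ONES
        elif parts[3] == "host":
            source, wildcard = _ip(parts[4]), 0
        else:
            source = _ip(parts[3])
            has_mask = len(parts) > 4 and parts[4] != "log"
            wildcard = _ip(parts[4]) if has_mask else 0
        rules.append((action, source, wildcard))
    return number, rules


def evaluate(rules, src_ip):
    """Return (decision, index of the matching rule or None) for a source IP.

    Rules are checked top to bottom and the first match decides; if no
    entry matches, the packet falls through to the implicit 'deny any'.
    """
    addr = _ip(src_ip)
    for i, (action, source, wildcard) in enumerate(rules):
        # In a Cisco wildcard mask, 0 bits must match and 1 bits are ignored.
        care = ~wildcard & ALL_ONES
        if addr & care == source & care:
            return action, i
    return "deny", None


# The list from the study guide: hostC is blocked, everyone else passes.
ACL_10 = [
    "access-list 10 deny 192.168.23.11",
    "access-list 10 permit any",
]

# Constructed list with only a deny entry: the implicit deny catches the rest.
ACL_ONLY_DENY = [
    "access-list 20 deny 192.168.23.11",
]


if __name__ == "__main__":
    _, rules10 = parse_standard_acl(ACL_10)
    _, rules20 = parse_standard_acl(ACL_ONLY_DENY)
    for ip in ("192.168.23.11", "192.168.23.12"):
        print("ACL 10", ip, evaluate(rules10, ip))
        print("ACL 20", ip, evaluate(rules20, ip))
```

Running it shows hostC (192.168.23.11) denied by entry 0 and another host permitted by entry 1 under access list 10, while under access list 20 both addresses are denied: one by the explicit entry, the other by falling off the end of the list. That second case is exactly the "only rule in the access list" trap described above.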

When traffic is sent to the router