Access List Tutorial
Named IP Access List
This allows standard and extended ACLs to be given names instead of numbers
Named IP Access List Configuration Syntax
| ip access-list {standard | extended} {name | number} |
Example of Named IP Access List
This is an example of the use of a named ACL in order to block all traffic except the Telnet connection from host 10.0.0.1/8 to host 187.100.1.6.
Define the ACL:
Router(config)#ip access-list extended in_to_out permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet
(notice that we can use ‘telnet’ instead of port 23)
Apply this ACL to an interface:
Router(config)#interface Fa0/0
Router(config-if)#ip access-group in_to_out in
Where to place access list?
Standard IP access list should be placed close to destination.
Extended IP access lists should be placed close to the source.
How many access lists can be used?
You can have one access-list per protocol, per direction and per interface. For example, you can not have two access lists on the inbound direction of Fa0/0 interface. However you can have one inbound and one outbound access list applied on Fa0/0.
How to use the wildcard mask?
Wildcard masks are used with access lists to specify a host, network or part of a network.
The zeros and ones in a wildcard determine whether the corresponding bits in the IP address should be checked or ignored for ACL purposes. For example, we want to create a standard ACL which will only allow network 172.23.16.0/20 to pass through. We need to write an ACL, something like this:
access-list 1 permit 172.23.16.0 255.255.240.0
Of course we can’t write subnet mask in an ACL, we must convert it into wildcard mask by converting all bits 0 to 1 & all bits 1 to 0.
255 = 1111 1111 -> convert into 0000 0000
240 = 1111 0000 -> convert into 0000 1111
0 = 0000 0000 -> convert into 1111 1111
Therefore 255.255.240.0 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255
Remember, for the wildcard mask, 1′s are I DON’T CARE, and 0′s are I CARE. Now let’s analyze our wildcard mask.
Two first octets are all 0’s meaning that we care about the network 172.23.x.x. The third octet, 15 (0000 1111 in binary), means that we care about first 4 bits but don’t care about last 4 bits so we allow the third octet in the form of 0001xxxx (minimum:00010000 = 16; maximum: 00011111 = 31).
The fourth octet is 255 (all 1 bits) that means I don’t care.
Therefore network 172.23.16.0 0.0.15.255 ranges from 172.23.16.0 to 172.23.31.255.
Some additional examples:
+ Block TCP packets on port 30 from any source to any destination:
Router(config)#access-list 101 deny tcp any any eq 30
+ Permit any IP packets in network 192.23.130.128 with subnet mask 255.255.255.248 to any network:
Router(config)#access-list 101 permit ip 192.23.130.128 0.0.0.7 any
Apply the access control list to an interface:
Router(config)#interface fastEthernet0/0
Router(config-if)#ip access-group 101 in
Note: An ACL applied to the main interface does not affect the traffic of subinterfaces. If we want to filter traffic on subinterfaces, we have to assign ACL to each subinterface separately.
|
There are some differences between numbered ACL and named ACL: + Only numbered ACL is supported on VTY lines (by using the access-class command) R1# show access-list Standard IP access list nat_traffic Then to remove the second statement (the line “20 permit 10.2.0.0, wildcard bits 0.0.255.255”) we just need to type “no 20”: R1(config)#ip access-list standard nat_traffic But for numbered ACL, we have to recreated the whole ACL when entries are moved. |
Marvelous, what a weblog it is! This website provides helpful information to
us, keep it up.
Thanks for sharing your thoughts. I really appreciate your efforts and I am waiting
for your next write ups thanks once again.
Hi, after reading this amazing paragraph i am as well glad to share my familiarity here
with friends.
Hello, the rule of thumb is.
first deny then anything else is permitted right?
@9 tut: Regarding your Extended Access List example, isn’t it better to implement the Extended ACL closest to the source / traffic to be matched? (so that you can prevent unnecessary bandwidth usage as the frame would be sent all the way down to the destination if you choose Fa0/1, rather than dropping it closest to the source at Fa0/0).
In this case, interface Fa0/0 and apply ACL as: ip access-group 101 in (instead of out) ?
where are the questions May you please provide link
True ….. Extended ACL are best done close to the source to eliminate unnecessary bandwidth consumption.
This is perfect dude, keep it up!
So is the Extended IP Access-list example wrong? You set the access-list closet to the destination (Fa0/1) instead of closet to the source (Fa0/0).
@9tut – I agree the Extended ACL should be FA0/0 in not fa0/1 out.
Hi, as far as I know, the Extended ACLs should be applied closest to the source f0/0 in this case, could someone CONFIRM IT.
If someone could give an example of an Extended ACL applied in OUTBOUND direction would be much appreciated.
amazing
i would not use the fa0/1 in the last example in page1. if you put your ACL on that interface all traffic would be processed. Why not using the int fa0/0 inbound?
It would be inappropriate to block traffic at Fa0/0 when the question says we block it only from accessing 187.100.1.6 and not to Non 10.0.0.0/8 Networks where it may be needed and has to go through Fa0/0. That’s my opinion.
One of the best explainings for ACLs imho
“maximum: 0001111 = 31)” – is there one missing 1? I mean 31 should be: 00011111
@Artiom: Thank you for your detection, we updated it!