Access List Tutorial
February 13th, 2011
In this tutorial we will learn about access lists.
Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just imagine you come to a fair and see the guard checking tickets. He only allows people with valid tickets to enter. Well, an access list's function is the same as that guard's.
Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router’s interfaces based on the criteria you specified within the access list.
To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.
Standard IP Access List
Standard IP lists (1-99) only check the source address of IP packets.
Configuration Syntax
access-list access-list-number {permit | deny} source {source-mask}
Apply ACL to an interface
ip access-group access-list-number {in | out}
Example of Standard IP Access List
Configuration:
In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface).
Page 1 of 9CCNA Training » Access List Tutorial
25/07/2011http://www.9tut.com/access-list-tutorial
Define which source is allowed to pass:
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
(there is always an implicit deny all other traffic at the end of each ACL so we don’t need to define forbidden traffic)
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of the Fa0/1 interface while denying all other traffic. So can we apply this ACL to another interface, Fa0/2 for example? Well, we can but shouldn't, because users could still reach the server through a different interface (the s0 interface, for example). This is why a standard access list should be applied close to the destination.
Note: "0.255.255.255" is the wildcard mask for network "10.0.0.0". We will learn how to use wildcard masks later.
Extended IP Access List
Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.
Configuration Syntax
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
Example of Extended IP Access List
In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but allow all other traffic to go through.
Note: FTP uses TCP on ports 20 and 21.
Define which protocol, source, destination and port are denied:
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Notice that we have to explicitly allow the other traffic (access-list 101 permit ip any any), because there is an implicit "deny all" at the end of each ACL.
As we can see, the destination of the above access list is "187.100.1.6 0.0.0.0", which specifies a single host. We can use "host 187.100.1.6" instead. We will discuss wildcard masks later.
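The following Python script is an added example, not code from the original tutorial. It models how a router evaluates the two numbered ACLs above: entries are checked top to bottom, the first match decides, and a packet that matches nothing hits the implicit deny at the end. The parser, the packet fields and the sample addresses are my own constructions; the parser accepts only the syntax shown on this page ("any", "host", "eq port") and, as a simplification, the interface and direction the ACL is applied to are not modelled.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """True if addr falls inside network under a Cisco wildcard mask.
    A wildcard bit of 1 means 'don't care', 0 means 'must match' (the
    inverse of a subnet mask): 10.0.0.0 0.255.255.255 is the whole /8,
    187.100.1.6 0.0.0.0 is exactly one host."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'.
    Returns (network, wildcard, remaining tokens)."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    if len(tok) == 1:  # standard ACL with the mask omitted = a single host
        return tok[0], "0.0.0.0", []
    return tok[0], tok[1], tok[2:]

def parse_acl_line(line):
    """Parse one 'access-list' line in the forms the tutorial uses.
    Numbers 1-99 / 1300-1999 are standard (source only); anything else is
    treated as extended (protocol, source, destination, optional 'eq port')."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[1:]
    number, action, rest = int(tok[0]), tok[1], tok[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    entry = {"action": action, "proto": "ip"}
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        entry["src"], entry["src_wc"], rest = _addr(rest)
    else:
        entry["proto"] = rest[0]
        entry["src"], entry["src_wc"], rest = _addr(rest[1:])
        entry["dst"], entry["dst_wc"], rest = _addr(rest)
        if rest[:1] == ["eq"]:
            entry["dport"] = int(rest[1])
    return number, entry

def build_acls(config_lines):
    """Group parsed entries by ACL number, keeping configuration order."""
    acls = {}
    for line in config_lines:
        number, entry = parse_acl_line(line)
        acls.setdefault(number, []).append(entry)
    return acls

def evaluate_acl(entries, packet):
    """First-match evaluation, top to bottom. If no entry matches, the
    implicit 'deny any' at the end of every ACL applies."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], e["src"], e["src_wc"]):
            continue
        if "dst" in e and not wildcard_match(packet["dst"], e["dst"], e["dst_wc"]):
            continue
        if "dport" in e and e["dport"] != packet.get("dport"):
            continue
        return e["action"]
    return "deny"

# The two ACLs from the tutorial, exactly as configured on the router.
CONFIG = [
    "access-list 1 permit 10.0.0.0 0.255.255.255",
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21",
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20",
    "access-list 101 permit ip any any",
]
ACLS = build_acls(CONFIG)

# Same entries as ACL 101 but with 'permit ip any any' moved to the top:
# the deny lines are never reached, so FTP is no longer blocked.
MISORDERED = build_acls([CONFIG[3]] + CONFIG[1:3])

def check(acls, number, src, dst, proto="ip", dport=None):
    """Result ('permit' or 'deny') for one constructed packet against ACL number."""
    packet = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    return evaluate_acl(acls[number], packet)

if __name__ == "__main__":
    print(check(ACLS, 1, "10.5.6.7", "187.100.1.6"))                # permit
    print(check(ACLS, 1, "192.168.1.1", "187.100.1.6"))             # deny (implicit)
    print(check(ACLS, 101, "10.5.6.7", "187.100.1.6", "tcp", 21))   # deny
    print(check(ACLS, 101, "10.5.6.7", "187.100.1.6", "tcp", 80))   # permit
    print(check(MISORDERED, 101, "10.5.6.7", "187.100.1.6", "tcp", 21))  # permit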
In summary, below is the range of standard and extended access lists:
Access list type   Range
Standard           1-99, 1300-1999
Extended           100-199, 2000-2699
Comments (37)
1. very well March 9th, 2011
Thanks for sharing the document, it's very useful for me.
2. Wildcard March 11th, 2011
172.23.16.0 /28 /28 = 11111111.11111111.11111111.11110000 = 255.255.255.240
255.255.255.240 doesn't convert to 0.0.15.255
11111111.11111111.11111111.11110000 = 255.255.255.240
00000000.00000000.00000000.00001111 = 0.0.0.15
not 00000000.00000000.00001111.11111111 = 0.0.15.255
Unless I missed something…
3. oiram March 15th, 2011
Roger that, although this tut is a bit more screwed up than this wildcard.
Sentence
Therefore 255.255.255.240 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255
should be replaced by
Therefore 255.255.240.0 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255
(decimal mask is just a typo I suppose, since they talk /28, please fix this 9tut guys)
4. oiram March 15th, 2011
oops, now I screwed ;) CIDR should be set to /20
5. 9tut March 15th, 2011
Yes, it is a typo. I fixed it. Thanks for your detection!
6. extended March 23rd, 2011
Extended IP access lists should be placed close to the source. In this case, why did we apply it on interface 0/1? I think we should apply it on interface 0/0; also the ACL number is wrong!!
Router(config)#interface Fa0/0
Router(config-if)#ip access-group 101 in
Am I right? Explain pls
7. 9tut March 24th, 2011
@extended: “Extended IP access lists should be placed close to the source” but it is not always the case. We can apply it to either Fa0/0 (inbound) or Fa0/1 (outbound)
8. gassah April 2nd, 2011
hello guys I will be writing my exam next week. Please can somebody send me the latest dumps at [email protected]
9. CCNA Student April 6th, 2011
hello guys I will be writing my exam after 2 weeks. Please can somebody send me the latest dumps at
10. hello friends April 19th, 2011
I will give my exam on 30th April so plz give me the latest dumps for the exam…….
my mail id is [email protected]
11. Otakking April 21st, 2011
In the first example.
access-list 1 permit 10.0.0.0 0.0.0.255
should be
access-list 1 permit 10.0.0.0 0.255.255.255
as the example says 10.0.0.0/8 network.
Please fix it to avoid further confusion.
12. abraham April 25th, 2011
hey guys i will be writing my exam after 2 weeks. Please can somebody send me the latest dumps my email is [email protected]
13. 9tut April 27th, 2011
@Otakking: Yes, I fixed it. Thanks for your detection!
14. CiscoCisco April 30th, 2011
blog.ine.com/2008/09/15/binary-math-part-i/
blog.ine.com/2008/09/16/binary-math-part-i-answers/
blog.ine.com/2008/11/03/binary-math-part-ii/
blog.ine.com/2008/11/05/binary-math-part-ii-answers/
15. hadezproj May 3rd, 2011
Hi 9tut,
for Extended ACL example, kindly edit the wildcard mask to 0.255.255.255 and also to apply ACL, it should be “ip access-group 101 out” . hope this is helpful.
thanks for the great tutorials.
16. sinesio May 3rd, 2011
Yes, @hadezproj is right..
17. 9tut May 7th, 2011
Yes, I updated it. Thanks for your detection!
18. ppower May 15th, 2011
Thanks for the excellent tutorial, I'm sitting the CCNA in 2 weeks, if anyone has the latest dumps could you send them to [email protected]
thanks
19. Tee May 18th, 2011
Hi 9tut, thanks for the tutorials. Can you please provide a situation where an 'IN' statement is used? Both examples only used the 'OUT' statements.
20. Tee May 18th, 2011
Just realized there is an "inbound" example on the next page.
21. liv May 20th, 2011
Can u pls send me the new dumps, I’m trying to sit for the ccna exams. Thanks………..my email is [email protected]
22. David May 25th, 2011
Very handy!
23. David May 25th, 2011
What are dumps?
24. Jose May 26th, 2011
Hi beautiful pple. I am sitting for my exam this weekend on 28 th of may. Can sam1 send me the most valid dumps at [email protected]. ASAP. Thanx in advance.
25. dhana June 7th, 2011
hi some 1 plz send me dumps 2011 bcoz i wanna work out, plz send to vs.dhananjay89 @gmail.com
26. nikhil June 13th, 2011
I think the subnet mask of /28 will be 255.255.255.240 and so the wildcard mask should be 0.0.0.15……….is it right???? plzzz explain, reply…..
27. Rick29 June 15th, 2011
planning on taking the exam tomorrow, any new dumps available please send to [email protected] thanks….
28. 9tut June 17th, 2011
@nikhil: Yes, first convert subnet mask 255.255.255.240 into binary form, then replace all "1" with "0" and all "0" with "1" and convert back to decimal; you will get 0.0.0.15.
29. fidel June 27th, 2011
I will be sitting for CCNA exam next week. Please can somebody send me the latest dumps at [email protected] .thanks
30. A. Moiz July 2nd, 2011
Easy way to find a wildcard mask from a given network address is to minus the last or interesting octet of the subnet mask from 256; the remaining will be the block size, and 1 minus from it you'll have a wildcard mask
Eg
192.168.5.1 /28 It means that the subnet mask will be 255.255.255.240
256-240=16 (16 will be the block size, means that the network will be 192.168.5.0 OR 192.165.5.16 or .32 OR .48, multiples of 16)
do 1 minus from it
15..
this means that you'll have 15 in your last octet of the MCM 0.0.0.15
Do inform me if i m wrong
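The wildcard-mask discussion in comments 2 to 4, 28 and 30 above boils down to two equivalent calculations. This Python script is an added example (not part of the tutorial or of any commenter's post) that carries both through: 9tut's method of flipping every bit of the subnet mask, and A. Moiz's per-octet shortcut of "256 minus the mask octet gives the block size, minus one gives the wildcard octet". Function names, the /20 versus /28 figures and the 192.168.5.x sample addresses are taken from the comments or constructed here.

```python
def dotted_to_int(dotted):
    """'255.255.255.240' -> 0xFFFFFFF0, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted quad: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(value):
    """0xFFFFFFF0 -> '255.255.255.240'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(dotted):
    """Dotted quad written as four 8-bit groups, the way the comments show it."""
    return ".".join(format(int(o), "08b") for o in dotted.split("."))

def prefix_to_subnet_mask(prefix_len):
    """/28 -> 255.255.255.240: the top prefix_len bits set, the rest clear."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)

def wildcard_by_inversion(subnet_mask):
    """9tut's method (comment 28): flip every bit of the subnet mask."""
    return int_to_dotted(dotted_to_int(subnet_mask) ^ 0xFFFFFFFF)

def wildcard_by_block_size(subnet_mask):
    """A. Moiz's shortcut (comment 30) applied to each octet:
    block size = 256 - mask octet, wildcard octet = block size - 1."""
    return ".".join(str((256 - int(o)) - 1) for o in subnet_mask.split("."))

def block_size(subnet_mask):
    """Size of each subnet in the 'interesting' (first non-255) octet."""
    for o in subnet_mask.split("."):
        if int(o) != 255:
            return 256 - int(o)
    return 1  # /32: every address is its own block

def network_address(ip, prefix_len):
    """The subnet an address belongs to: AND the address with the subnet mask."""
    mask = dotted_to_int(prefix_to_subnet_mask(prefix_len))
    return int_to_dotted(dotted_to_int(ip) & mask)

def wildcard_for_prefix(prefix_len):
    """Convenience: CIDR prefix length straight to its wildcard mask."""
    return wildcard_by_inversion(prefix_to_subnet_mask(prefix_len))

if __name__ == "__main__":
    for p in (8, 20, 28):  # the three prefixes that come up on this page
        m = prefix_to_subnet_mask(p)
        print(f"/{p}: mask {m} = {to_binary(m)} -> wildcard {wildcard_for_prefix(p)}")
    print(block_size("255.255.255.240"), network_address("192.168.5.20", 28))
```

Running it shows why comments 2 and 3 disagreed with the original text: /28 gives 255.255.255.240 and wildcard 0.0.0.15, while 0.0.15.255 is the wildcard for /20 (255.255.240.0). The block-size shortcut gives the same answer as bit inversion for every contiguous mask; it only applies to masks derived from a prefix length, since a wildcard mask on a router can in principle have non-contiguous "don't care" bits.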
31. A. Moiz July 2nd, 2011
Can any one send me the latest Dumbs plz plz plz
32. Michael July 13th, 2011
Hi Moiz, Yes that is correct and is the easiest way to figure out VLSM for me anyway!!!
33. Ephraim July 20th, 2011
Can someone send me the latest CCNA dump for appearing in exam
34. Ephraim July 20th, 2011
my id [email protected]
35. bright July 20th, 2011
Could someone kindly send me the latest CCNA dump please, my mail is [email protected]. I wish to take the examination soon but this forum has really helped build my morale… Thanks guys
36. Brad July 20th, 2011
hi everyone, I am sitting for the CCNA exam next week, can someone send me the latest dump? my id [email protected] thanks
37. vhick July 21st, 2011
Hello All, I love what's going on here, my exam comes up tomorrow, Friday 22-07-2011. Can you all please send the latest dumps that you have to me, plz I need your help urgently. Send to [email protected]. I also need any advice and clues
Vhick
Copyright © 2010-2011 CCNA Training