CCNA Training: Access List Tutorial
In this tutorial we will learn about access lists.
Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just imagine you come to a fair and see the guardian checking tickets. He only allows people with suitable tickets to enter. Well, an access list's function is the same as that guardian's.
Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router's interfaces, based on the criteria you specified within the access list.
To use ACLs, the system administrator must first configure the ACLs and then apply them to specific interfaces.
There are 3 popular types of ACL: Standard, Extended and Named ACLs.
Standard IP Access List
Standard IP lists (1-99) only check the source addresses of all IP packets.
Configuration Syntax
access-list access-list-number {permit | deny} source {source-mask}
Apply ACL to an interface
ip access-group access-list-number {in | out}
Example of Standard IP Access List
Configuration:
In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface).
Define which source is allowed to pass:
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
(There is always an implicit deny of all other traffic at the end of each ACL, so we don't need to define the forbidden traffic.)
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
Source: http://www.9tut.com/accesslisttutorial#more458 (6/1/2016)
ACL 1 is applied so that only packets from 10.0.0.0/8 are permitted to go out of the Fa0/1 interface, while all other traffic is denied. So can we apply this ACL to another interface, Fa0/2 for example? Well, we can, but we shouldn't, because users could still reach the server through another interface (the s0 interface, for example). This is why a standard access list should be applied close to the destination.
Note: The 0.255.255.255 is the wildcard mask for network 10.0.0.0. We will learn how to use the wildcard mask later.
Extended IP Access List
Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.
Configuration Syntax
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
Example of Extended IP Access List
In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but allow other traffic to go through.
Note: FTP uses TCP on ports 20 and 21.
Define which protocol, source, destination and port are denied:
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any), as there is an implicit deny-all at the end of each ACL.
As we can see, the destination in the access list above is 187.100.1.6 0.0.0.0, which specifies a single host. We can use host 187.100.1.6 instead. We will discuss the wildcard mask later.
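To make the matching rules in both examples concrete, here is a small Python model, added here and not part of the original tutorial or of Cisco IOS, that evaluates packets against ACL 1 and ACL 101 above: it applies the wildcard mask bit by bit (a 0 bit must match, a 1 bit is ignored), tests the entries in order with the first match winning, and returns the implicit deny when nothing matches. The `Ace` class, the `evaluate` function and the sample packet addresses in the test are my own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match the base
    address exactly, a 1 bit is a don't-care (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Ace:
    """One access control entry (a constructed model, not IOS syntax)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol, else "tcp"/"udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # 'eq destination-port'; None means any port

ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword 'any'
HOST = "0.0.0.0"                      # 'host a.b.c.d' is 'a.b.c.d 0.0.0.0'

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Entries are tested top-down and the first match wins; a packet that
    matches nothing hits the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny: nothing matched

# The tutorial's two ACLs transcribed into the model (FTP = TCP 20 and 21).
ACL_1 = [Ace("permit", "ip", "10.0.0.0", "0.255.255.255", *ANY)]
ACL_101 = [
    Ace("deny", "tcp", "10.0.0.0", "0.255.255.255", "187.100.1.6", HOST, 21),
    Ace("deny", "tcp", "10.0.0.0", "0.255.255.255", "187.100.1.6", HOST, 20),
    Ace("permit", "ip", *ANY, *ANY),
]
```

Swapping the order of the entries in ACL_101 (permit first) would let the FTP packets through, which is why the model tests entries top-down exactly as the router does.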
In summary, below are the number ranges of standard and extended access lists:
Access list type    Range
Standard            1-99, 1300-1999
Extended            100-199, 2000-2699