Access lists decide which types of traffic are forwarded or blocked at router interfaces.
Standard ACLs: numbers 1-99
Extended ACLs: numbers 100-199
IOS tests the packet against each condition statement in the order in which the statements were created.
Note: After a match is found, no more condition statements are checked.
If you create a condition statement that permits all traffic, no statements added later will ever be checked.
If none of the ACL statements match, an implicit "deny any" statement is applied.
The wildcard mask identifies a host or a range of addresses. It is the binary inversion of the subnet mask: a 0 bit means "this bit must match", a 1 bit means "ignore this bit". For example, a class C range uses the subnet mask 255.255.255.0; the same range is specified with the wildcard mask 0.0.0.255 (all 1 bits become 0s and all 0 bits become 1s).
Standard ACL syntax:
access-list access-list-number {permit | deny} source-ip-address wildcard-mask [log]
The log keyword causes each packet that matches this statement to generate a log entry that is recorded by the router.
Extended ACL syntax:
access-list access-list-number {permit | deny} protocol source-ip-address source-wildcard-mask destination-ip-address destination-wildcard-mask [eq port-number] [log]
The eq port-number clause is optional; without it the statement matches the protocol regardless of port.
17 March 2009
ITCN
access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 deny ip any any
These statements permit IP traffic from the 10.1.1.0 network to the 172.16.1.0 network. Every other packet (a source outside 10.1.1.0/24, or a destination outside 172.16.1.0/24) falls through to the deny statement and is rejected. The final deny is redundant with the implicit "deny any" but makes the intent explicit and lets you add log to it.
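The following is an added example, not code from the original slides: a small Python simulator of how IOS evaluates a numbered ACL (statements tested in configuration order, first match wins, implicit deny when nothing matches), including wildcard-mask matching and a parser for the standard and extended statement syntax above. The ACL 102 statements are the slide's; ACL 110 and the packets are constructed for the demonstration, and the function names are mine.

```python
import ipaddress

# Well-known ports named on the slide, so "eq www" and "eq 80" both parse.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "dns": 53, "tftp": 69,
              "www": 80, "pop3": 110, "snmp": 161}


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(subnet_mask):
    """Wildcard mask is the bit-inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(to_int(subnet_mask) ^ 0xFFFFFFFF))


def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    care = to_int(wildcard) ^ 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z' or a bare host address.
    Returns (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) == 1:  # standard ACL shorthand: address with no wildcard
        return tokens[0], "0.0.0.0", []
    return tokens[0], tokens[1], tokens[2:]


def parse_acl_line(line):
    """Parse one 'access-list N {permit|deny} ...' statement (standard 1-99, extended 100-199)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    rule = {"number": number, "action": action, "log": log, "port": None}
    if 1 <= number <= 99:
        # Standard ACL: only the source is examined; destination is "any".
        rule["proto"] = "ip"
        rule["src"], rule["src_wc"], rest = parse_addr(rest)
        rule["dst"], rule["dst_wc"] = "0.0.0.0", "255.255.255.255"
    elif 100 <= number <= 199:
        rule["proto"] = rest[0]
        rule["src"], rule["src_wc"], rest = parse_addr(rest[1:])
        rule["dst"], rule["dst_wc"], rest = parse_addr(rest)
        if len(rest) >= 2 and rest[0] == "eq":
            p = rest[1]
            rule["port"] = int(p) if p.isdigit() else PORT_NAMES[p]
            rest = rest[2:]
    else:
        raise ValueError("number outside the 1-99 / 100-199 ranges: " + line)
    if rest:
        raise ValueError("unparsed tokens: " + " ".join(rest))
    return rule


def matches(rule, pkt):
    """Does the packet (dict with src, dst, proto, dport) satisfy every condition of the statement?"""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], rule["src"], rule["src_wc"]):
        return False
    if not wildcard_match(pkt["dst"], rule["dst"], rule["dst_wc"]):
        return False
    if rule["port"] is not None and rule["port"] != pkt.get("dport"):
        return False
    return True


def evaluate(acl_lines, pkt):
    """Test statements in configuration order and stop at the first match.
    Returns (action, index); index is None when the implicit 'deny any' applied."""
    for i, rule in enumerate(parse_acl_line(line) for line in acl_lines):
        if matches(rule, pkt):
            return rule["action"], i
    return "deny", None


def dead_statements(acl_lines):
    """Indexes of statements that can never be reached because an earlier statement matches every packet."""
    rules = [parse_acl_line(line) for line in acl_lines]
    for i, r in enumerate(rules):
        catch_all = (r["proto"] == "ip" and r["port"] is None and
                     r["src_wc"] == "255.255.255.255" and r["dst_wc"] == "255.255.255.255")
        if catch_all:
            return list(range(i + 1, len(rules)))
    return []


# The slide's ACL 102.
ACL_102 = [
    "access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "access-list 102 deny ip any any",
]
# Constructed example of the ordering pitfall: the permit-all comes first, so the deny is never checked.
ACL_110_BAD = [
    "access-list 110 permit ip any any",
    "access-list 110 deny tcp any any eq telnet log",
]

if __name__ == "__main__":
    inside = {"src": "10.1.1.7", "dst": "172.16.1.20", "proto": "tcp", "dport": 80}
    outside = {"src": "192.168.5.5", "dst": "172.16.1.20", "proto": "tcp", "dport": 80}
    print(wildcard_from_mask("255.255.255.0"))
    print(evaluate(ACL_102, inside), evaluate(ACL_102, outside))
    print(evaluate(ACL_102[:1], outside))   # no explicit match: implicit deny
    print(dead_statements(ACL_110_BAD))
```

Running it shows the inside packet permitted by statement 0, the outside packet denied by statement 1, the same packet denied by the implicit deny (index None) when the explicit deny is removed, and statement 1 of ACL 110 reported as unreachable.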
Well-known ports:
FTP - 21
Telnet - 23
SMTP - 25
DNS - 53
TFTP - 69
WWW (HTTP) - 80
POP3 - 110
SNMP - 161
Standard ACL
Uses only the source address and requires fewer CPU cycles. Place it as close to the destination as possible: because it cannot distinguish destinations, placing it near the source would block the source from reaching every destination beyond that point.
Extended ACL
More flexible and requires more CPU cycles. Place it as close to the source as possible, so undesired traffic is dropped before it crosses the network backbone (and any ICMP unreachable messages are generated near the source rather than in the core).
Imagine you are standing INSIDE the router. The direction of an ACL on an interface ("in" or "out") is taken from that perspective: "in" is traffic arriving at the router through the interface, "out" is traffic leaving the router through it.
In
Requires less CPU processing: the packet is tested against the access list as it arrives, before any routing decision, so a denied packet is dropped without a routing-table lookup.
Out
The routing decision has already been made and the packet has been switched to the proper outbound interface before it is tested against the access list. ACLs applied with ip access-group are outbound unless "in" is specified.