Tutorial: Standard ACL (Access Control List) Basics
Written by Amanatullah khalil   
Sunday, 24 May 2009


This is a basic explanation of standard ACLs. It should be fairly easy to follow and applies to most Cisco IOS routers.


The first thing to remember about ACLs is that they are read from top to bottom. When a packet arrives at (or leaves) an interface with an ACL applied, the router compares it against the first line of the list. If the packet does not meet that line's criteria, the router drops to the next line, and so on, until it reaches a permit or deny that matches. Evaluation stops at the first match, so the order of the lines matters: a packet that would be permitted by line 3 never gets there if line 2 denies it.

The second thing to remember is that THERE IS AN IMPLICIT DENY underneath the last (bottom) line. Anything that falls all the way through the list without matching is dropped. Don't apply an access-list to an interface without at least one permit statement, especially on an inside interface, or you will cut off all traffic through it.

A standard ACL matches on the source IP address only; it knows nothing about the destination, protocol or port. Standard access lists are numbered 1 - 99 or 1300 - 1999.

The basic makeup of a line (statement) is:

access-list list_number permit / deny source_ip wildcard_mask

For example:

access-list 1 permit 192.168.1.3 0.0.0.0

The trailing 0.0.0.0 is the wildcard mask (explained below); here it means "every bit of the address must match", so this line matches exactly one host, 192.168.1.3.

What the list actually does depends on which interface, and which direction, it is applied to. For example, if this access-list is placed on the inside interface with an “ip access-group 1 in”, then the only traffic permitted into that interface will be traffic sourced from 192.168.1.3; everything else hits the implicit deny.

Whew! If I haven’t completely confused you yet, then get ready.

Wildcard masks are the inverse of normal subnet masks: a 0 bit in the wildcard means "this bit of the source address must match", and a 1 bit means "don't care". So a wildcard of 0.0.0.0 is equivalent to the 255.255.255.255 host mask you would see in a route advertisement, and 255.255.255.255 as a wildcard matches any address at all (the "any" keyword).

So if I want to deny the network 10.0.1.0 255.255.255.248, I invert the mask (255 - 248 = 7 in the last octet) and type

access-list 1 deny 10.0.1.0 0.0.0.7

If I want to permit a single host, I type

access-list 1 permit 192.168.1.1 0.0.0.0

(IOS also accepts “host 192.168.1.1” as shorthand for the same thing, and if you leave the wildcard off a standard ACL entry altogether, IOS assumes 0.0.0.0.)

Ridiculous, I know. I'm not going to get into the reasoning behind the inverted mask here; we would be reading for an hour.
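The three rules above (top-to-bottom evaluation, stop at the first match, implicit deny at the bottom) and the wildcard-mask arithmetic are easy to get wrong by eye, so here is a small model of the matching logic. This is an added example, not code from the original tutorial or from Cisco; it does not talk to a router, it just evaluates ACL lines written in IOS syntax against source addresses. The sample ACL and the test addresses are constructed for this example.

```python
"""Model of how a Cisco IOS standard ACL is evaluated.

Added example, not from the original tutorial. It reproduces the three
rules the text gives: entries are read top to bottom, evaluation stops at
the first matching line, and an implicit 'deny any' sits under the last
line. Only the source address is examined, which is all a standard ACL
ever looks at. Sample ACL and test addresses are constructed here.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask):
    """Wildcard mask is the bitwise inverse of the subnet mask:
    255.255.255.248 -> 0.0.0.7, 255.255.255.255 -> 0.0.0.0."""
    return int_to_ip(ip_to_int(subnet_mask) ^ ALL_ONES)


def wildcard_match(src, ace_addr, wildcard):
    """A 0 bit in the wildcard means that bit of src must equal ace_addr;
    a 1 bit means 'don't care'."""
    care = ip_to_int(wildcard) ^ ALL_ONES
    return (ip_to_int(src) & care) == (ip_to_int(ace_addr) & care)


def parse_ace(line):
    """Parse one 'access-list <n> permit|deny <source> [wildcard]' line.
    Accepts the 'host A.B.C.D' and 'any' shorthands as well."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError("not a standard ACL entry: %r" % line)
    number = int(tok[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError("%d is not a standard ACL number" % number)
    action = tok[2]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: %r" % line)
    if tok[3] == "any":
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    elif tok[3] == "host":
        addr, wildcard = tok[4], "0.0.0.0"
    else:
        addr = tok[3]
        # IOS treats a missing wildcard as 0.0.0.0 (exact host match)
        wildcard = tok[4] if len(tok) > 4 else "0.0.0.0"
    return (number, action, addr, wildcard)


def evaluate(acl_lines, src):
    """Walk the ACL top to bottom and stop at the first match.
    Returns (action, 1-based line that matched, or None for the implicit deny)."""
    for lineno, line in enumerate(acl_lines, start=1):
        _, action, addr, wildcard = parse_ace(line)
        if wildcard_match(src, addr, wildcard):
            return action, lineno
    return "deny", None  # the implicit deny under the last line


# Constructed sample: the two entries from the text plus a broader permit.
SAMPLE_ACL = [
    "access-list 1 permit 192.168.1.3 0.0.0.0",
    "access-list 1 deny 10.0.1.0 0.0.0.7",
    "access-list 1 permit 10.0.1.0 0.0.0.255",
]

# Same entries with the deny moved below the permit: order changes the result.
REORDERED_ACL = [SAMPLE_ACL[0], SAMPLE_ACL[2], SAMPLE_ACL[1]]


if __name__ == "__main__":
    for src in ("192.168.1.3", "10.0.1.5", "10.0.1.9", "172.16.0.1"):
        print("%-12s -> %s (line %s)" % ((src,) + evaluate(SAMPLE_ACL, src)))
    # 10.0.1.5 is denied by SAMPLE_ACL but permitted by REORDERED_ACL, because
    # the /24 permit now matches first and the deny line is never reached.
    print("reordered 10.0.1.5 ->", evaluate(REORDERED_ACL, "10.0.1.5"))
```

Run it and compare SAMPLE_ACL with REORDERED_ACL for 10.0.1.5: the same three lines give opposite answers depending on order, which is exactly the mistake the top-to-bottom rule is warning about. 172.16.0.1 matches nothing and is denied by the implicit deny, with no line number to point at, which is why a list with no permit statement blocks everything.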

Finally, when you apply the access-list to an interface, the command is not “access-list” but “ip access-group”, followed by the list number and the direction (in or out):

i.e.
router(config)# interface fastethernet 0/0
router(config-if)# ip access-group 1 in

Because a standard ACL can only look at the source address, the usual advice is to apply it as close to the destination as you can; applied near the source, it blocks that source from reaching everything beyond the interface, not just the host you had in mind.

P.S. Oh, yeah, and you can have only one ACL per interface, per direction, per protocol. Applying a second “ip access-group” in the same direction replaces the first rather than adding to it.

This is only the very tip of the iceberg of ACLs; several chapters in several large books cover this topic. I keep shaking my head as I write this because I'm leaving out so much, but hopefully it gives you a base for researching and understanding the subject. Good luck!

Courtesy of http://www.tech-recipes.com/rx/2436/tutorial_standard_acl_access_control_list_basics/
