howtonetwork.net

Cisco Certification Training

You are here: Home / Access-list (standard)

Access-list (standard)

Command

Access-list (standard)

Use

This command is used to create a list that matches packets on a given criteria. While access-lists are most commonly associated with security, there are numerous uses.
Standard lists match on source addresses only.

Syntax

R1(config)#access-list <1-99 or 1300-1999> <permit or deny> <source address or source network or any>

Options

<1-99> or <1300-1999> Defines a standard access-list
<permit> Permits all matches specified in the list.
<deny> Denies all matches specified in the list.
<source address> Host ip address that sources packets matched by the list.
<source network> IP network that sourced packets matched by the list. Uses Wildcard masks for matching.
<any> Match anything.

Wildcard Masks

Wildcard masks are how access-lists know what networks apply to the list. They are the inverse of the subnet mask.

For example, network 123.123.123.0 0.0.0.255 would match any ip address in the 123.123.123.0/24 network.
Because a /24 mask is 255.255.255.0, the inverse would be 0.0.0.255. For the network 34.77.108.0/28, the subnet mask would be 255.255.255.248 and the inverse would be 0.0.0.7
Notice how the subnet mask and the inverse add to 255.

Example

simple

In this example, we will make an access-list that will only allow packets sourced by the host 1.1.1.1 and apply the list to R2’s Fa0/0.

R2(config)#access-list 1 permit 1.1.1.1
R2(config)#int fa0/0
R2(config-if)#ip access-group 1 in

Pinging 10.1.1.2 from R1, we see that the ping fails unless it is sourced from R1’s loopback0 interface.

R1(config)#do ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1(config)#do ping 10.1.1.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/44 ms
R1(config)#

We can also have an access-list that will allow the entire 10.1.1.0/24 network to be permited on R2’s Fa0/0

R2(config)#access-list 55 permit 10.1.1.0 0.0.0.255
R2(config)#int fa0/0
R2(config-if)#ip access-group 55 in
R2(config-if)#

Heres a quick ping test

R1(config-if)#do ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/19/36 ms
R1(config-if)#do ping 10.1.1.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)
R1(config-if)

In this example, we deny any traffic sourced from 1.1.1.1 but permit any other traffic on R2’s Fa0/0

R2(config-if)#access-list 95 deny 1.1.1.1
R2(config)#access-list 95 permit any
R2(config)#int fa0/0
R2(config-if)#ip access-group 95 in
R2(config-if)#do sh run int fa0/0

Notice that only 1.1.1.1 is denied.

R1(config)#do ping 10.1.1.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)
R1(config)#do ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/13/32 ms
R1(config)#do ping 10.1.1.2 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/44 ms

 
Get access to over 5 hours of IT webinar videos as well as regular study tips and ideas when you
join our mailing list