Command
Access-list (standard)
Use
This command creates a list that matches packets against given criteria. While access-lists are most commonly associated with security, they have numerous uses.
Standard lists match on source addresses only.
Syntax
R1(config)#access-list <1-99 or 1300-1999> <permit or deny> <source address | source network wildcard-mask | any>
Options
<1-99> or <1300-1999>   Defines a standard access-list.
<permit>                Permits all packets matched by the entry.
<deny>                  Denies all packets matched by the entry.
<source address>        Host IP address that sources the packets matched by the entry.
<source network>        IP network that sources the packets matched by the entry; uses a wildcard mask for matching.
<any>                   Matches any source address.
Wildcard Masks
Wildcard masks tell an access-list which address bits must match: a 0 bit in the wildcard means that bit of the source address must equal the listed address, and a 1 bit means it is ignored. The wildcard mask is therefore the inverse of the subnet mask.
For example, 123.123.123.0 0.0.0.255 would match any IP address in the 123.123.123.0/24 network.
Because a /24 mask is 255.255.255.0, the inverse would be 0.0.0.255. For the network 34.77.108.0/28, the subnet mask would be 255.255.255.248 and the inverse would be 0.0.0.7.
Notice that each octet of the subnet mask and the corresponding octet of the wildcard mask add up to 255.
Example
In this example, we make an access-list that only allows packets sourced by the host 1.1.1.1 and apply the list to R2's Fa0/0.
R2(config)#access-list 1 permit 1.1.1.1
R2(config)#interface fastethernet0/0
R2(config-if)#ip access-group 1 in
! applied inbound: the list filters packets as they arrive on Fa0/0
Pinging 10.1.1.2 from R1, we see that the ping fails unless it is sourced from R1's loopback0 interface.
R1(config)#do ping 10.1.1.2
Type escape sequence to abort.
We can also have an access-list that permits the entire 10.1.1.0/24 network on R2's Fa0/0.
R2(config)#access-list 55 permit 10.1.1.0 0.0.0.255
R2(config)#interface fastethernet0/0
R2(config-if)#ip access-group 55 in
Here's a quick ping test.
R1(config-if)#do ping 10.1.1.2
Type escape sequence to abort.
In this example, we deny any traffic sourced from 1.1.1.1 but permit any other traffic on R2's Fa0/0. The explicit permit any is required: without it, the implicit deny at the end of every access-list would drop all other traffic as well.
R2(config)#access-list 95 deny 1.1.1.1
R2(config)#access-list 95 permit any
R2(config)#interface fastethernet0/0
R2(config-if)#ip access-group 95 in
Notice that only 1.1.1.1 is denied.
R1(config)#do ping 10.1.1.2 source 1.1.1.1
Type escape sequence to abort.
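The wildcard-mask arithmetic from the Wildcard Masks section and the first-match, implicit-deny behaviour shown in the three examples, worked through as an added example. This is editor-written Python, not code from the original page or from Cisco IOS: it derives the subnet and wildcard masks from a prefix length, parses a constructed standard access-list configuration that mirrors the page's three lists (including the permit any that the text's "permit any other traffic" implies), and evaluates sample sources against each list the way the router would. The 10.1.1.1 address used for R1's Fa0/0 is an assumption; the page only identifies 1.1.1.1 as R1's loopback0.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def subnet_mask_from_prefix(prefix_len: int) -> str:
    """Dotted subnet mask for a /prefix_len IPv4 network (e.g. 24 -> 255.255.255.0)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard (inverse) mask: every bit of the subnet mask flipped (e.g. 24 -> 0.0.0.255)."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def octets_sum_to_255(prefix_len: int) -> bool:
    """The 'adds up to 255' check from the text: each mask octet plus its wildcard octet is 255."""
    mask = subnet_mask_from_prefix(prefix_len).split(".")
    wild = wildcard_from_prefix(prefix_len).split(".")
    return all(int(m) + int(w) == 255 for m, w in zip(mask, wild))


def matches(source: str, entry_addr: str, wildcard: str) -> bool:
    """A source matches an entry when it equals the entry address in every bit
    position where the wildcard is 0; wildcard 1 bits are 'don't care'."""
    s = int(ipaddress.IPv4Address(source))
    a = int(ipaddress.IPv4Address(entry_addr))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    return (s ^ a) & care == 0


def parse_standard_acls(config_text: str) -> dict:
    """Parse 'access-list <n> permit|deny <source>' lines into
    {n: [(action, address, wildcard), ...]} in configured order."""
    acls = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, source = int(parts[1]), parts[2], parts[3:]
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is outside the standard access-list ranges")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if source[0] == "any":                  # any = 0.0.0.0 255.255.255.255
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif source[0] == "host":               # host X = X 0.0.0.0
            addr, wild = source[1], "0.0.0.0"
        else:                                   # a bare address defaults to a 0.0.0.0 wildcard
            addr = source[0]
            wild = source[1] if len(source) > 1 else "0.0.0.0"
        acls.setdefault(number, []).append((action, addr, wild))
    return acls


def evaluate(entries, source: str) -> str:
    """First-match evaluation; a packet matching no entry hits the implicit deny at the end."""
    for action, addr, wild in entries:
        if matches(source, addr, wild):
            return action
    return "deny"


# Constructed sample configuration mirroring the page's three lists (not captured from a router).
SAMPLE_CONFIG = """
access-list 1 permit 1.1.1.1
access-list 55 permit 10.1.1.0 0.0.0.255
access-list 95 deny 1.1.1.1
access-list 95 permit any
"""

ACLS = parse_standard_acls(SAMPLE_CONFIG)


def ping_verdict(acl_number: int, source: str) -> str:
    """Verdict for a packet from `source` arriving at the list applied inbound on R2's Fa0/0."""
    return evaluate(ACLS[acl_number], source)


if __name__ == "__main__":
    for prefix in (24, 28, 29):
        print(f"/{prefix}: mask {subnet_mask_from_prefix(prefix)} wildcard {wildcard_from_prefix(prefix)}")
    # Assumed sources: R1's Fa0/0 (10.1.1.1), R1's loopback0 (1.1.1.1), and an address outside 10.1.1.0/24.
    for number in sorted(ACLS):
        for src in ("10.1.1.1", "1.1.1.1", "10.1.2.1"):
            print(f"access-list {number}: source {src} -> {ping_verdict(number, src)}")
```

Running the block reproduces the page's results: list 1 permits only 1.1.1.1, list 55 permits anything in 10.1.1.0/24, and list 95 denies 1.1.1.1 while permitting everything else. Removing the permit any line from list 95 in SAMPLE_CONFIG makes every source fall through to the implicit deny, which is the failure mode to check for when a newly applied deny-only list blocks more than intended.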