
Cisco standard and extended access list configuration

Posted: 2011-01-05

Cisco Access Lists (ACLs) are used to control network traffic from one network to another network or host. Using ACLs, you can allow, deny, limit or restrict network traffic. There are 2 types of ACLs, numbered and named. Numbered ACLs use a numerical range: standard numbered ACLs range from 1-99, extended numbered ACLs range from 100-199. A standard ACL can only match on the traffic source, while an extended ACL can match on both source and destination. Access lists are processed sequentially from top to bottom, and once a condition is met no further entries are checked (later entries that overlap an earlier match are never reached). You can only apply one access list per interface, per direction (inbound or outbound).

Standard access list syntax:

Access-List # (1-99) permit/deny Source-IP Wild-card
int interface

Standard Access list examples

router(config) # Access-list 1 permit
router(config) # int serial 0/0
router(config-if) # ip access-group 1 in

- This access list permits inbound traffic from the host on the Serial 0/0 interface.

router(config) # Access-list 2 deny
router(config) # int serial 0/1
router(config-if) # ip access-group 2 in

- This access list denies inbound traffic from the network on the Serial 0/1 interface.

router(config) # Access-list 3 deny
router(config) # int fast 0/0
router(config-if) # ip access-group 3 out

- This access list denies outbound traffic to the network on the Fast 0/0 interface.

Extended access list syntax:

Access-List # (100-199) permit/deny protocol Source-IP Wild-card Destination-IP Wild-Card Condition log
int interface

Extended Access list examples

router(config)# Access-list 100 permit tcp host eq http
- This access list allows web traffic from the network to the host.

router(config)# Access-list 100 permit ip
- This access list allows IP traffic (which includes tcp) from the network to the network.

router(config)# Access-list 100 deny tcp host eq 23
- This access list denies telnet traffic from the host to the host.

router(config)# Access-list 100 deny tcp host host eq 80 log
- This access list denies web traffic from the host to the host and logs matching events.

Note: there is an implicit deny all at the end of every access list; it is generated automatically and is hidden. You would normally type the command access-list 100 permit ip any any as the last entry to allow any traffic that is not explicitly denied.

Applying the access list to an interface as an inbound rule:

router(config) # int e 0
router(config-if) # ip access-group 100 in
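As an added example that is not part of the original post, the following Python models the matching rules described above: wildcard masks, first-match top-to-bottom evaluation, and the hidden implicit deny. All addresses are constructed documentation-range values, and the entry layout mirrors the extended list 100 discussed above; it also shows what happens when permit ip any any is placed above a deny entry.

```python
import ipaddress

# Constructed sample addresses (RFC 5737 documentation ranges), not values from the post.
LAN, LAN_WC = "192.0.2.0", "0.0.0.255"          # 192.0.2.0/24 as network + wildcard
WEB = "198.51.100.10"                              # the web server ("host" in the post)
ADMIN, TELNET_SRV = "192.0.2.50", "203.0.113.7"    # the two hosts of the telnet deny entry
HOST, ANY = "0.0.0.0", "255.255.255.255"           # "host X" = X 0.0.0.0; "any" = 0.0.0.0 255.255.255.255

def wildcard_matches(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def ace(action, proto, src, src_wc, dst=None, dst_wc=None, dport=None):
    """One access control entry. Standard ACLs leave dst/dport unset (source-only)."""
    return dict(action=action, proto=proto, src=src, src_wc=src_wc,
                dst=dst, dst_wc=dst_wc, dport=dport)

def evaluate_acl(entries, pkt):
    """Walk the list top to bottom; the first matching entry decides and nothing below
    it is examined. If nothing matches, the hidden implicit deny applies (line None)."""
    for line, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_matches(pkt["src"], e["src"], e["src_wc"]):
            continue
        if e["dst"] is not None and not wildcard_matches(pkt["dst"], e["dst"], e["dst_wc"]):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"], line
    return "deny", None

# Extended list 100 as laid out in the post, with the constructed addresses above.
ACL_100 = [
    ace("permit", "tcp", LAN, LAN_WC, WEB, HOST, dport=80),        # permit web from LAN to WEB
    ace("deny", "tcp", ADMIN, HOST, TELNET_SRV, HOST, dport=23),   # deny telnet ADMIN -> TELNET_SRV
    ace("permit", "ip", "0.0.0.0", ANY, "0.0.0.0", ANY),           # permit ip any any
]
# Same three entries with "permit ip any any" moved to the top: the deny is now shadowed.
ACL_100_MISORDERED = [ACL_100[2], ACL_100[0], ACL_100[1]]

# Constructed test packets.
WEB_PKT = {"proto": "tcp", "src": "192.0.2.20", "dst": WEB, "dport": 80}
TELNET_PKT = {"proto": "tcp", "src": ADMIN, "dst": TELNET_SRV, "dport": 23}
DNS_PKT = {"proto": "udp", "src": "203.0.113.9", "dst": WEB, "dport": 53}
```

evaluate_acl(ACL_100, TELNET_PKT) returns ('deny', 2), while the misordered list returns ('permit', 1) for the same packet because the deny entry is never reached; with the final permit ip any any removed, DNS_PKT falls through to ('deny', None), the implicit deny.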
Delete access list

You can delete an access list by simply typing no access-list # where # is the access list number. For example, if I want to delete access list 1, I should type:

router# config t
router(config)# no access-list 1

© Copyright 2019-2020 SpiderTip.Com