

Cisco standard and extended access list configuration

SpiderTip
Posted: 2011-01-05

Cisco Access Control Lists (ACLs) are used to control network traffic from one network to another network or host. Using ACLs, you can permit, deny, limit or restrict network traffic. There are two types of ACLs, numbered and named. A numbered ACL is identified by a number from a fixed range: standard numbered ACLs use 1-99 and extended numbered ACLs use 100-199. A standard ACL can only match on the traffic source, while an extended ACL can match on both source and destination. The entries of an access list are evaluated sequentially from top to bottom, and once an entry matches, no further entries are checked (a later entry that overlaps the matching one is never reached). You can apply only one access list per interface per direction (inbound or outbound).

Standard access list syntax:

    access-list # (1-99) permit|deny source-ip wildcard
    int interface
    ip access-group # in|out

Standard access list examples:

    router(config)# access-list 1 permit 10.1.1.254 0.0.0.0
    router(config)# int serial 0/0
    router(config-if)# ip access-group 1 in

- This access list permits inbound traffic from the host 10.1.1.254 on the Serial 0/0 interface.

    router(config)# access-list 2 deny 10.1.2.0 0.0.0.255
    router(config)# int serial 0/1
    router(config-if)# ip access-group 2 in

- This access list denies inbound traffic from the 10.1.2.0 network on the Serial 0/1 interface.

    router(config)# access-list 3 deny 10.1.3.0 0.0.0.255
    router(config)# int fast 0/0
    router(config-if)# ip access-group 3 out

- This access list denies outbound traffic to the 10.1.3.0 network on the Fast 0/0 interface.

Extended access list syntax:

    access-list # (100-199) permit|deny protocol source-ip wildcard destination-ip wildcard [condition] [log]
    int interface
    ip access-group # in|out

Extended access list examples:

    router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.254 eq http

- This entry allows web traffic from the 192.168.1.0 network to the host 10.1.1.254.

    router(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

- This entry allows IP traffic from the 192.168.1.0 network to the 10.1.1.0 network.

    router(config)# access-list 100 deny tcp 192.168.1.1 0.0.0.0 host 10.1.1.254 eq 23

- This entry denies telnet traffic from the host 192.168.1.1 to the host 10.1.1.254.

    router(config)# access-list 100 deny tcp host 192.168.1.1 host 10.1.1.254 eq 80 log

- This entry denies web traffic from the host 192.168.1.1 to the host 10.1.1.254 and logs matching events.

Note: every access list ends with an implicit deny all, which is generated automatically and is not shown in the configuration. To allow all traffic that is not explicitly denied, you would normally add the entry access-list 100 permit ip any any as the last line of the list.

Applying the access list to an interface as an inbound rule:

    router(config)# int e 0
    router(config-if)# ip access-group 100 in

Deleting an access list: you can delete an access list by typing no access-list #, where # is the access list number. For example, to delete access list 1:

    router# config t
    router(config)# no access-list 1
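The sequential first-match evaluation, the wildcard masks and the implicit deny described above can be checked offline with the following Python simulator. It is an added example written for this page, not code from the original post and not Cisco software. It parses the numbered access-list syntax used here (host, any, a wildcard mask, eq with a port number or the names http, www or telnet, and log), evaluates a constructed packet against the list and reports which entry decided. Run over the four access-list 100 entries in the order they are listed above, it shows that the broad permit ip entry on line 2 matches telnet from 192.168.1.1 before either deny entry is reached, which is the overlapping-entries point made above; putting the deny entries first gives the intended result. The port-name table and the packets are constructed for the example.

```python
"""Simulator for Cisco-style numbered ACL evaluation (added example, not the
original post's code and not Cisco software). It models the rules described
above: entries are checked top to bottom, the first match decides, and an
implicit 'deny any' sits at the end of every list."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lookup for the port names used on this page; real IOS knows many more.
PORT_NAMES = {"http": 80, "www": 80, "telnet": 23}


def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care'. 0.0.0.0 matches a single
    host, 0.0.0.255 matches a /24, 255.255.255.255 (the 'any' keyword) matches all."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(base) & care)


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip" matches every protocol; else "tcp", "udp", ...
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # standard ACLs have no destination: match any
    dst_port: Optional[int] = None    # 'eq <port>' condition, None means any port
    log: bool = False


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _take_addr(tokens: list[str], pos: int) -> tuple[str, str, int]:
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD' (wildcard optional)."""
    tok = tokens[pos].lower()
    if tok == "host":
        return tokens[pos + 1], "0.0.0.0", pos + 2
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", pos + 1
    if pos + 1 < len(tokens):
        return tokens[pos], tokens[pos + 1], pos + 2
    return tokens[pos], "0.0.0.0", pos + 1        # bare address means a single host


def parse_line(line: str) -> tuple[int, AclEntry]:
    """Parse one 'access-list <number> ...' line into (list number, entry)."""
    tokens = line.split()
    if tokens[0].lower() != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tokens[1]), tokens[2].lower()
    if 1 <= number <= 99:                         # standard: source only
        src, src_wc, _ = _take_addr(tokens, 3)
        return number, AclEntry(action, "ip", src, src_wc)
    protocol = tokens[3].lower()                  # extended: protocol, src, dst, options
    src, src_wc, pos = _take_addr(tokens, 4)
    dst, dst_wc, pos = _take_addr(tokens, pos)
    port, log = None, False
    while pos < len(tokens):
        tok = tokens[pos].lower()
        if tok == "eq":
            name = tokens[pos + 1].lower()
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            pos += 2
        elif tok == "log":
            log, pos = True, pos + 1
        else:
            raise ValueError(f"unsupported option {tok!r} in {line!r}")
    return number, AclEntry(action, protocol, src, src_wc, dst, dst_wc, port, log)


def build_acl(lines: list[str]) -> list[AclEntry]:
    """Entries keep the order they were entered, which is the order they are evaluated."""
    return [parse_line(line)[1] for line in lines]


def evaluate(acl: list[AclEntry], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None is the implicit deny."""
    for i, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, i            # first match wins; later entries are never checked
    return "deny", None               # implicit deny all at the end of every list


# The extended examples from this page, in the order they are listed above.
ACL_100_LINES = [
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.254 eq http",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 100 deny tcp 192.168.1.1 0.0.0.0 host 10.1.1.254 eq 23",
    "access-list 100 deny tcp host 192.168.1.1 host 10.1.1.254 eq 80 log",
]

if __name__ == "__main__":
    acl = build_acl(ACL_100_LINES)
    telnet = Packet("tcp", "192.168.1.1", "10.1.1.254", 23)   # constructed packet
    print("as listed:   ", evaluate(acl, telnet))              # ('permit', 1): shadowed by line 2
    print("denies first:", evaluate(acl[2:] + acl[:2], telnet))  # ('deny', 0)
    print("unlisted src:", evaluate(acl, Packet("udp", "10.1.2.5", "10.1.1.254", 53)))  # ('deny', None)
```

The simulator is deliberately strict: an option it does not understand raises instead of being skipped, so a list that parses cleanly here is one whose every entry it actually evaluated. The practical check it supports is ordering: whenever a deny entry is narrower than a permit entry above it, the deny can never fire, and the same review applies before adding the trailing permit ip any any mentioned above.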

© Copyright 2019-2020 SpiderTip.Com