Prerequisite – Access-lists (ACL)
Access-list (ACL) is a set of rules defined for controlling network traffic and reducing network attacks. ACLs are used to filter traffic based on the set of rules defined for the incoming or outgoing of the network.
Standard Access-list –
These are the Access-list which are made using the source IP address only. These ACLs permit or deny the entire protocol suite. They don’t distinguish between the IP traffic such as TCP, UDP, HTTPS, etc. By using numbers 1-99 or 1300-1999, the router will understand it as a standard ACL and the specified address as the source IP address.
Features –
- Standard Access-list is generally applied close to destination (but not always).
- In a standard access list, the whole network or sub-network is denied.
- Standard access-list uses the range 1-99 and extended range 1300-1999.
- Standard access-list is implemented using source IP address only.
- If numbered with standard Access-list is used then remember rules can’t be deleted. If one of the rules is deleted then the whole access list will be deleted.
- If named with standard Access-list is used then you have the flexibility to delete a rule from the access list.
Note – Standard Access-list are less used as compared to extended access-list as the entire IP protocol suite will be allowed or denied for the traffic as it can’t distinguish between the different IP protocol traffic.
Configuration –
Here is a small topology in which there are 3 departments namely sales, finance, and marketing. The sales department has a network of 172.16.40.0/24, the Finance department has a network of 172.16.50.0/24, and the marketing department has a network of 172.16.60.0/24. Now, want to deny connection from the sales department to the finance department and allow others to reach that network.
Now, first configuring numbered standard access – list for denying any IP connection from sales to finance department.
R1# config terminal
R1(config)# access-list 10 deny 172.16.40.0 0.0.0.255
Here, like extended access-list, you cannot specify the particular IP traffic to be permitted or denied. Also, note that wildcard mask has been used (0.0.0.255 which means Subnet mask 255.255.255.0). 10 is used from the number standard access-list range.
R1(config)# access-list 110 permit ip any any
Now, as you already know there is an implicit deny at the end of every access list which means that if the traffic doesn’t match any of the rules of the access list then the traffic will be dropped.
By specifying any means that source having any IP address traffic will reach the finance department except the traffic which it matches the above rules that you have made.
Now, you have to apply the access list on the interface of the router:
R1(config)# int fa0/1
R1(config-if)# ip access-group 10 out
As you remember that the standard access-list is generally applied to the destination and here also if you apply access-list close to the destination, it will satisfy our need, therefore, outbound to interface fa0/1 has been applied.
Named standard Access-list example –
Now, considering the same topology, you will make a named standard access list.
R1(config)# ip access-list standard blockacl
By using this command you have made an access-list named blockacl.
R1(config-std-nacl)# deny 172.16.40.0 0.0.0.255
R1(config-std-nacl)# permit any
And then the same configuration you have done in numbered access-list.
R1(config)# int fa0/1
R1(config-if)# ip access-group blockacl out
Standard access-list for Telnet example –
As you know, you cannot specify particular IP traffic to be denied in standard access-list but telnet connection can be permitted or denied using standard access-list by applying access-list on line vty lines.
Here, in the given figure, you want to deny telnet to the Finance department from any network. Configuring for the same:
R1(config)# access-list 10 deny any
R1(config)# line vty 0 4
R1(config-line)# access-class 10 out
Article Tags :
Computer Networks
Practice Tags : Computer Networks
Command | Description |
---|
show access-lists | Displays all access lists and their parameters configured on the router.This command doesn't show which interface the list is configured on. |
show access-list [list #] | Shows only the parameters for the access list specified.This command does not show you the interface the list is configured on. |
show ip access-list | Shows only the IP access lists configured on the router. |
show ipx access-list | Shows only the IPX access lists configured on the router. |
show ip interface | Shows which interfaces have IP access lists on them. |
show ipx interface | Shows which interfaces have IPX access lists on them. |
show running-config | Shows the access lists and which interfaces have access lists set. |
any | Keyword used to represent all hosts or networks, replaces 0.0.0.0 255.255.255.255 in access list. |
host | Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e will match only 1 host) |
clear access-list counter [list#] | Clears extended access lists counter of the number of matches per line of the access list. |
-1 | Applies to any IPX network or any protocol when used in extended IPX access lists. |
0 | Used for all sockets in extended IPX access lists. |
ip access-group | Applies an IP access list to an interface. |
ipx access-group | Applies an IPX access list to an interface. |
ipx input-sap-filter | Applies an inbound IPX SAP filter to an interface. |
ipx output-sap-filter | Applies an outbound IPX SAP filter to an interface. |