Standard/Extended Access List Fundamentals

Cisco has defined two types of IP access lists: standard and extended. However, only one type can be applied to an interface at a time. This means that you cannot have an inbound standard access list and an inbound extended access list applied to the same interface. Each access list type has its own number range and its own applications in network security.

Standard Access Lists

Standard access lists match packets by examining the source IP address field in the packet's IP header. Any bit positions in the 32-bit source IP address can be compared to the access list statements. However, the matching is flexible and does not consider the subnet mask in use.

Access lists use the inverse mask, sometimes called the wildcard mask or I-mask. The mask is so named because it inverts the meaning of the bits. In a normal mask, ones mean "must match," while zeroes mean "may vary." For example, for two hosts to be on the same Class C network, the first 24 bits of their addresses must match, while the last 8 may vary. Inverse masks swap the rules so that zeroes mean "must match" and ones mean "may vary."

TIP

The easy way to calculate the inverse mask when you already know the normal mask is to subtract it from all ones. The table that follows shows an example. The normal mask is subtracted, octet by octet, from the all-ones mask to determine the inverse mask.

All Ones       255  255  255  255
Normal Mask    255  255  240    0
Inverse Mask     0    0   15  255

The command for configuring a standard access list is as follows:

Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]

As you can see from the command syntax, the first option is the access list number. The number range for standard access lists is 1 to 99. The second value that you must specify is whether to permit or deny the configured source IP address. The third value is the source IP address that you want to match. The fourth value is the wildcard mask that you want to apply to the IP address previously configured.

CAUTION

All access lists have an implicit deny, meaning that if a packet does not match any of the criteria that you have specified in your access list, it will be denied. If you have deny statements in your access lists, be sure to create permit statements to allow valid traffic.


When the access list has been created, you need to apply it to the appropriate interface. The command to apply the access list is as follows:

Router(config-if)# ip access-group {number | name} [in | out]

The access list is applied under the interface configuration mode. You must specify only the number or name and whether it is an incoming or an outgoing access list.

Extended Access Lists

Extended IP access lists are almost identical to standard IP access lists in their use. The key difference between the two types is the variety of fields in the packet that extended access lists can compare for matching. As with standard lists, extended access lists are enabled for packets entering or exiting an interface. The list is searched sequentially; the first statement matched stops the search through the list and defines the action to be taken. All these features are true of standard access lists as well. The matching logic, however, is different from that used with standard access lists and makes extended access lists much more complex. Extended access lists can match source and destination addresses as well as different TCP and UDP ports. This gives greater flexibility and control over network access.

To configure extended access lists, the command is similar to the standard access list command, but with more options. The command is this:

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]

The first value that you must configure is the access list number. Extended access lists range from 100 to 199. Then you need to permit or deny the criteria that you will specify next. The next value is the protocol type. Here, you could specify IP, TCP, UDP, or another specific IP sub-protocol. The next value is the source IP address and its wildcard mask. Next is the destination IP address and its wildcard mask. After the destination IP address and mask are configured, you can specify the port number that you want to match, by number or by a well-known port name.

As with standard access lists, after the extended access list is created, you need to apply it to an interface with the ip access-group command. Review the lab objectives associated with the chapter before beginning to configure the access lists.
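The following Python model (an added example, not from the book or from Cisco IOS) ties the TIP's inverse-mask subtraction to the matching rules described for both list types: wildcard bit 0 means "must match", bit 1 means "may vary", the list is searched top-down, the first match decides, and a packet that matches nothing hits the implicit deny. The list numbers, addresses and packets are constructed sample values.

```python
import ipaddress

def inverse_mask(normal_mask: str) -> str:
    """Subtract each octet of the normal mask from 255 (the TIP's all-ones minus normal)."""
    return ".".join(str(255 - int(octet)) for octet in normal_mask.split("."))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bit positions where the wildcard has a 0 ("must match")."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # 1 where the wildcard bit is 0
    return (a & care) == (b & care)

def evaluate_acl(entries, packet):
    """Sequential search: the first entry that matches defines the action.
    A standard entry carries only src/src_wc; an extended entry may also carry
    proto, dst/dst_wc and dport. No match at all -> implicit deny."""
    for entry in entries:
        if not wildcard_match(packet["src"], entry["src"], entry["src_wc"]):
            continue
        if "dst" in entry and not wildcard_match(packet["dst"], entry["dst"], entry["dst_wc"]):
            continue
        proto = entry.get("proto")
        if proto not in (None, "ip") and proto != packet.get("proto"):
            continue                # "ip" (or a standard entry) matches any protocol
        if "dport" in entry and entry["dport"] != packet.get("dport"):
            continue
        return entry["action"]
    return "deny"                   # implicit deny at the end of every access list

# Constructed sample lists: a standard list (1-99 range) and an extended list (100-199 range).
# Order matters: the host deny must come before the network permit or it is never reached.
STANDARD_10 = [
    {"action": "deny",   "src": "192.168.1.5", "src_wc": "0.0.0.0"},     # single host
    {"action": "permit", "src": "192.168.1.0", "src_wc": "0.0.0.255"},   # whole /24
]
EXTENDED_101 = [
    {"action": "permit", "proto": "tcp",
     "src": "10.0.0.0", "src_wc": inverse_mask("255.255.240.0"),        # 0.0.15.255
     "dst": "172.16.0.10", "dst_wc": "0.0.0.0", "dport": 80},
]
```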

CCNA Practical Studies
CCNA Practical Studies (Cisco Certification & Training)
ISBN: 1587200465
Year: 2005
Pages: 127
