IP Access Lists

IP access lists are used to deny or permit specific traffic into or out of an interface on a router. They filter IP source and destination addresses and protocol- or service-specific traffic. IP access lists are of two types: standard and extended. The difference between the two is the precision by which each can filter IP traffic.

IP Standard Access Lists

IP standard access lists filter traffic based on the source IP address or address range. Therefore, administrators can use this tool to restrict access to specific users and allow access to others. The lists are applied to the interface of a router where traffic is to be filtered, and they restrict access into or out of the interface. The direction in which traffic is restricted is determined by the Cisco command used to apply the access list to the interface.

IP Standard Access List Commands

Creating and applying an access list to an interface consists of two steps, both of which are performed in the configuration mode of a router. First, the access list must be created. A single access list can consist of many access list statements. An access list number identifies an individual access group, which can consist of many access list entries. In addition, the order in which access list entries are created plays an important role in the behavior of the access list. When traffic passes through the interface, it is compared with each access list entry in the order in which the entries were created. If the traffic matches an access list entry, the indicated function (permit or deny) of that entry is performed on the traffic. When a packet is permitted entry, the router caches the entry, and any subsequent packets in this session are granted access without being applied against the access list. All access lists have an implicit deny all statement at the end. Therefore, if the traffic does not match any entry, it is denied access into or out of the interface. The command to create an access list is as follows:

    access-list access-list-number {deny | permit} source [source-wildcard]

A brief description of each field is provided in Table 10.10.

Table 10.10. IP Standard Access List Command Field Descriptions

    Identifier            Description
    access-list-number    A dotted decimal number between 1 and 99
    deny                  Denies access if condition is matched
    permit                Permits access if condition is matched
    source                Number of the network or host from which the packet is being sent
    source-wildcard       Wildcard bits to be applied to the source


Any time you are working with access lists, remember the implicit deny automatically incorporated into the list. That is, anything you do not specifically identify as accepted is by default denied.


The source-wildcard field, referred to as a wildcard mask, is used to identify bits in an IP address that have meaning and bits that can be ignored. In this case, the wildcard mask is referred to as a source-wildcard, indicating that it is a wildcard mask of the source IP address. A source-wildcard mask is applied to a source IP address to determine a range of addresses to permit or deny.

At first, the best way to learn wildcard masks is to convert them from decimal to binary format. The wildcard mask is applied by comparing the IP address bits with the corresponding IP wildcard bits. A 1 bit in the wildcard mask indicates that the corresponding bit in the IP address can be ignored. Therefore, the IP address bit can be either 1 or 0. A 0 in the wildcard mask indicates that the corresponding bit in the IP address must be strictly followed. Tables 10.3 and 10.4 illustrate how to apply a source-wildcard mask to a source address to determine a range of addresses.

Tables 10.3 and 10.4 illustrate that the first three octets must be strictly followed; therefore, the values of these octets must be 172.16.16 to be a match. The 1 bits in the fourth octet, however, indicate that any value between 0 and 255 will result in a match. Therefore, any host with the IP address of 172.16.16.0 through 172.16.16.255 is a match for this source IP address and source-wildcard mask.
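The following is an added example (not from the book) that models how a router evaluates a standard access list: each entry's wildcard mask is applied bit by bit to the source address, entries are tested in the order written, and a packet that matches nothing falls through to the implicit deny. The sample list and addresses are constructed for illustration.

```python
"""Added example: evaluate a Cisco IP standard access list against a source
address. A 0 bit in the wildcard mask must match exactly; a 1 bit is ignored.
Entries are checked in order and the first match wins; no match means the
implicit 'deny all' that ends every access list."""
import ipaddress


def to_int(dotted):
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, entry_address, wildcard):
    """True when ADDRESS matches ENTRY_ADDRESS under WILDCARD.
    Inverting the wildcard gives the bits that must agree."""
    care_mask = (~to_int(wildcard)) & 0xFFFFFFFF
    return (to_int(address) & care_mask) == (to_int(entry_address) & care_mask)


def parse_entry(line):
    """Parse one 'access-list N {deny|permit} source [source-wildcard]' line.
    A missing wildcard defaults to 0.0.0.0 (exact host match), as on IOS."""
    parts = line.split()
    if parts[0].lower() != "access-list" or parts[2] not in ("deny", "permit"):
        raise ValueError("not a standard access-list statement: " + line)
    number = int(parts[1])
    if not 1 <= number <= 99:
        raise ValueError("standard access lists are numbered 1 through 99")
    wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
    return number, parts[2], parts[3], wildcard


def evaluate(acl_lines, source_address):
    """Return 'permit' or 'deny' for SOURCE_ADDRESS; first match wins."""
    for line in acl_lines:
        _, action, entry_address, wildcard = parse_entry(line)
        if wildcard_match(source_address, entry_address, wildcard):
            return action
    return "deny"  # implicit deny all at the end of every access list


# Constructed sample list: one host is denied before the rest of the
# 172.16.16.0/24 range is permitted, so the order of the entries matters.
SAMPLE_ACL = [
    "access-list 10 deny 172.16.16.5",
    "access-list 10 permit 172.16.16.0 0.0.0.255",
]

if __name__ == "__main__":
    for src in ("172.16.16.5", "172.16.16.200", "172.16.17.1"):
        print(src, "->", evaluate(SAMPLE_ACL, src))
```

Swapping the two entries in SAMPLE_ACL makes the deny unreachable, which is the ordering pitfall the text describes.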

The next step is to apply the access list to an interface. The syntax for doing so is as follows:

    NFLD(config-if)#ip access-group access-list-number {in | out}

Here, access-list-number is the number used to identify the access list. This number must be the same as the one specified in the access-list command used to create the previously shown entries. The in | out option indicates whether this list is to filter inbound or outbound traffic through the interface. It is important to remember that the access list is being applied to a specific interface on a router, rather than to all the interfaces on the router.



CCNA Exam Cram[tm] 2 (Exams 640-821, 640-811, 640-801)
ISBN: 789730197
Year: 2005
Pages: 155
