Standard IP Access Lists


There are two ways to enter access lists. One format of a standard access list line is

access-list access-list-number {deny | permit} source [source-wildcard]

The other way to configure the access list is to enter a global access-list command, which takes you into access-list configuration mode. In the access-list configuration mode, packets are permitted or denied, sequence numbers are specified and remarks are made:

ip access-list standard {access-list-number | name}

This puts you into the access-list configuration mode. Further configuration options for standard IP access lists are

[sequence-number] {{{deny | permit} source [source-wildcard]} | {remark up-to-100-characters-of-a-remark}}

This command specifies the access list number, which according to Table B-1 is between 1 and 99, and between 1300 and 1999; the action (permit or deny); a source IP address; and the wildcard (or inverse) mask. Example B-6 shows a standard IP access list.

Example B-6. Standard access list 1 permits and denies various hosts and subnet addresses.

access-list 1 permit 172.22.30.6 0.0.0.0
access-list 1 permit 172.22.30.95 0.0.0.0
access-list 1 deny 172.22.30.0 0.0.0.255
access-list 1 permit 172.22.0.0 0.0.31.255
access-list 1 deny 172.22.0.0 0.0.255.255
access-list 1 permit 0.0.0.0 255.255.255.255

The first two lines of the example permit passage of packets whose source addresses belong to two specific hosts, 172.22.30.6 and 172.22.30.95. This seems quite obvious from looking at the lines, although the inverse mask of 0.0.0.0 might not make sense yet. The third line denies all other hosts on subnet 172.22.30.0. Again, it's fairly intuitive. The purpose of the fourth line is not so obvious. It permits all hosts with addresses in the range of 172.22.0.1 to 172.22.31.255. The inverse mask is what allows the specification of this range of addresses with a single line. The fifth line denies all other subnets of the Class B network 172.22.0.0, and the last line permits all other addresses.

The alternative way to configure the same list is displayed in Example B-7.

Example B-7. The same standard IP access list as shown in Example B-6 is written here using the access list configuration mode on the router.

ip access-list standard 1
 10 permit 172.22.30.6 0.0.0.0
 15 permit 172.22.30.95 0.0.0.0
 20 deny 172.22.30.0 0.0.0.255
 permit 172.22.0.0 0.0.31.255
 deny 172.22.0.0 0.0.255.255
 permit 0.0.0.0 255.255.255.255

The sequence numbers of the first three entries are specified. The fourth, fifth, and sixth entries are automatically assigned a sequence number 10 greater than the previous entry, or 30, 40, and 50. A new statement can be added between two entries simply by specifying a sequence number that falls between the sequence number of the entry above and below the desired location. Example B-8 shows a sample of this.

Example B-8. A new entry is added to the middle of a standard IP access list using sequence numbers.

ip access-list standard 1
 17 permit 172.22.30.100 0.0.0.0

Example B-8 adds the new entry after the entry that permits 172.22.30.95 and before the entry that denies the rest of the subnet, deny 172.22.30.0 0.0.0.255.

This entry can simply be deleted as well. Example B-9 deletes the entry with sequence number 17.

Example B-9. An entry is deleted from the middle of a standard IP access list using sequence numbers.

ip access-list standard 1
 no 17

Comments can be added to access lists before or after any entry to make understanding the list easier in the future. The access list configurations in Example B-10 and Example B-11 contain remarks.

Example B-10. Remarks are added to a standard IP access list.

access-list 1 remark permit the 2 management hosts
access-list 1 permit 172.22.30.6 0.0.0.0
access-list 1 permit 172.22.30.95 0.0.0.0
access-list 1 remark deny everyone else on the subnet
access-list 1 deny 172.22.30.0 0.0.0.255
access-list 1 permit 172.22.0.0 0.0.31.255
access-list 1 deny 172.22.0.0 0.0.255.255
access-list 1 permit 0.0.0.0 255.255.255.255

Example B-11. Remarks are added to a standard IP access list using the router's access-list configuration mode.

ip access-list standard 1
 remark permit the 2 management hosts
 10 permit 172.22.30.6 0.0.0.0
 15 permit 172.22.30.95 0.0.0.0
 remark deny everyone else on the subnet
 20 deny 172.22.30.0 0.0.0.255
 permit 172.22.0.0 0.0.31.255
 deny 172.22.0.0 0.0.255.255
 permit 0.0.0.0 255.255.255.255

Example B-10 and Example B-11 are two ways to configure the same list. Remarks don't have any functional effect, but they can make a complicated access list a little more friendly to future readers.

To fully understand the functionality of this access list, you need to understand inverse masks.

Recall how IP address masks function: To derive a network or subnet address from a host address, a one is set in the mask corresponding to each bit of the network address, and a zero is set for each bit of the host address. A Boolean AND is performed on each bit, and the result is the network or subnet number. Figure B-5(a) includes a truth table for the AND function; in English, the function states the following:

Compare two bits. The result is one if and only if both bits are one.

Figure B-5. Truth tables and examples of a Boolean AND (a) and a Boolean OR (b).


A Boolean OR is the inverse of this function, as its truth table in Figure B-5(b) shows:

Compare two bits. The result is zero if and only if both bits are zero.

An inverse mask (Cisco prefers the term wildcard mask) sets a zero for each bit of the address that should be exactly matched and a one for each bit where anything will match; the one bits are frequently referred to as "don't care" bits. The inverse mask is then ORed with the address.

Notice the result of the OR example in Figure B-5(b), 172.22.30.255. In IP terms, this result means "all host addresses on subnet 172.22.30.0." Any specific address on subnet 172.22.30.0 will match this address/inverse mask combination.

Figure B-6 shows two shortcuts that might be used when writing standard IP access lists. Figure B-6(a) shows an inverse mask of all zeros to indicate that all 32 bits of the address in question must match 172.22.30.6 exactly. The default mask for a standard IP access list is 0.0.0.0. So, the alternative statement shown, with no mask specified, is the same as the first statement. Note that this default does not apply to extended IP access lists, which are covered in the following section.

Figure B-6. Two shortcuts can be used when writing standard IP access lists.


Figure B-6(b) shows the permit-anything address/inverse mask combination. The address of 0.0.0.0 is actually just a placeholder; the mask, 255.255.255.255, does all the work. By placing a 1 in all 32 bit positions, this mask will match anything. The alternative statement shown uses the keyword any, which has the same meaning as the first statement.
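As an added worked example (not from the book), the following Python models the wildcard matching of Figure B-5 and the standard list of Examples B-6 through B-9: each entry is tested by ORing the wildcard into both the packet's source address and the configured address, entries are tried in sequence-number order with first match winning, and a packet that matches nothing falls to the implicit deny at the end of every IOS access list. The names StandardACL, wildcard_match and wildcard_range are my own, and auto-assigned sequence numbers follow the "10 greater than the previous entry" rule stated above.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, source, wildcard):
    """Cisco wildcard test: OR the wildcard into both addresses, then compare.
    A 1 bit in the wildcard is 'don't care'; a 0 bit must match exactly."""
    wc = _to_int(wildcard)
    return (_to_int(addr) | wc) == (_to_int(source) | wc)

def wildcard_range(source, wildcard):
    """Lowest/highest address covered; everything between matches too when the wildcard is contiguous."""
    s, wc = _to_int(source), _to_int(wildcard)
    low, high = s & (~wc & 0xFFFFFFFF), s | wc
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

class StandardACL:
    def __init__(self):
        self.entries = {}  # seq -> (action, source, wildcard)

    def add(self, action, source, wildcard="0.0.0.0", seq=None):
        # 'any' is 0.0.0.0 255.255.255.255; default wildcard is the exact host.
        if source == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        if seq is None:  # IOS assigns 10 more than the previous entry
            seq = max(self.entries) + 10 if self.entries else 10
        self.entries[seq] = (action, source, wildcard)

    def remove(self, seq):  # the 'no <sequence-number>' form of Example B-9
        del self.entries[seq]

    def evaluate(self, addr):
        """First matching entry wins; no match at all is the implicit deny."""
        for seq in sorted(self.entries):
            action, source, wildcard = self.entries[seq]
            if wildcard_match(addr, source, wildcard):
                return action, seq
        return "deny", None

def build_example_b6():
    """The six entries of Example B-6, entered as in Example B-7."""
    acl = StandardACL()
    acl.add("permit", "172.22.30.6", seq=10)
    acl.add("permit", "172.22.30.95", seq=15)
    acl.add("deny", "172.22.30.0", "0.0.0.255", seq=20)
    acl.add("permit", "172.22.0.0", "0.0.31.255")  # auto-assigned seq 30
    acl.add("deny", "172.22.0.0", "0.0.255.255")   # 40
    acl.add("permit", "any")                       # 50
    return acl
```

Running wildcard_range on the fourth entry shows why it covers 172.22.0.0 through 172.22.31.255 in one line, and inserting then removing sequence 17 reproduces Examples B-8 and B-9.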




CCIE Professional Development: Routing TCP/IP (Vol. 1, 2005)
Routing TCP/IP, Volume 1 (2nd Edition)
ISBN: 1587052024
Year: 2005
Pages: 233
