CCNA learning: ACL

ACL: access control list
ACL functions:
1. Control which IP traffic is allowed in the network
2. Filter packets as they pass through the router
ACL types:
1. Standard: checks the source address only; permits or denies all traffic of the protocol from that source
2. Extended: checks source and destination addresses; permits or denies specific protocols (and ports)
Inbound / Outbound ACL: an inbound ACL is checked as packets arrive on an interface, an outbound ACL as they leave it
ACL config guide

ACL config
(config)#access-list <access-list-number> <permit|deny> <test conditions>
(config-if)#<protocol> access-group <access-list-number> <in|out>
access-list-number:
standard: 1-99
extended: 100-199
IP ACL config
An ACL must contain at least one permit entry: every ACL ends with an implicit deny, so a list with only deny entries blocks all traffic.
Set: (config)#access-list <access-list-number> <permit|deny> <source> <wildcard mask>
access-list-number: 1-99
wildcard mask: default 0.0.0.0 (a 0 bit must match, a 1 bit is ignored, so 0.0.0.0 checks all bits)
Example:
for the single host 172.16.1.1 --> wildcard mask: 0.0.0.0
for the subnet 172.16.1.0 --> wildcard mask: 0.0.0.255
for any network --> source 0.0.0.0, wildcard mask: 255.255.255.255
Delete: (config)#no access-list <access-list-number>
IP ACL set to interface
Set: (config-if)#ip access-group <access-list-number> <in|out>
Delete: (config-if)#no ip access-group <access-list-number>
Example 1 (figure not reproduced on this page)
Example 2 (figure not reproduced on this page)
Example 3 (figure not reproduced on this page)
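To make the standard-ACL rules above concrete, here is an added Python illustration (not Cisco IOS code and not from the original notes). It parses IOS-style `access-list <1-99> <permit|deny> <source> [<wildcard>]` lines and evaluates a source address the way the router does: the wildcard-mask test, entries checked top-down with the first match deciding, and the implicit deny at the end. The configuration lines and addresses in it are constructed for the example.

```python
import ipaddress


def wildcard_match(addr, network, wildcard="0.0.0.0"):
    """IOS wildcard-mask test: a mask bit of 0 means 'this bit must match',
    a mask bit of 1 means 'ignore this bit'. So 0.0.0.0 checks every bit
    (one host) and 255.255.255.255 checks nothing (any address)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def parse_standard_acl(text):
    """Group 'access-list <1-99> <permit|deny> <source> [<wildcard>]' lines
    by ACL number, keeping the order in which they were entered.
    'any' means 0.0.0.0 255.255.255.255; 'host X' means X 0.0.0.0."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number = int(parts[1])
        if not 1 <= number <= 99:
            raise ValueError(f"{number} is outside the standard ACL range 1-99")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if parts[3] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            network, wildcard = parts[4], "0.0.0.0"
        else:
            network = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"   # default mask
        acls.setdefault(number, []).append((action, network, wildcard))
    return acls


def evaluate(entries, source):
    """Top-down, first match wins; no match means the implicit deny."""
    for action, network, wildcard in entries:
        if wildcard_match(source, network, wildcard):
            return action
    return "deny"


# Constructed sample configuration (not from the page): ACL 1 blocks one
# host and permits the rest of its subnet; ACL 2 contains only a deny entry.
SAMPLE_CONFIG = """
access-list 1 deny 172.16.1.13
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 2 deny host 172.16.1.13
"""

ACLS = parse_standard_acl(SAMPLE_CONFIG)


def check(number, source):
    """Result of running one source address through ACL <number>."""
    return evaluate(ACLS[number], source)


if __name__ == "__main__":
    for number, source in [(1, "172.16.1.13"), (1, "172.16.1.200"),
                           (1, "10.0.0.1"), (2, "192.0.2.5")]:
        print(f"ACL {number}, source {source}: {check(number, source)}")
```

Two things to notice when running it: ACL 2, which has no permit entry, denies every address because of the implicit deny, and swapping the two entries of ACL 1 would permit 172.16.1.13, because the subnet permit would then match first.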
Filtering vty (telnet) access to the router
The router has five vty lines (0, 1, 2, 3, 4) for telnet sessions; a standard ACL applied with access-class restricts which sources may open them.
Router config:
(config)#line vty <vty|vty-range>
(config-line)#access-class <access-list-number> <in|out>
Example (figure not reproduced on this page)
Extended IP ACL
Set: (config)#access-list <access-list-number> <permit|deny> <protocol> <source> <source-wildcard mask> <operator port> <destination> <destination-wildcard mask> <operator port> <established> <log>
Apply to interface: (config-if)#ip access-group <access-list-number> <in|out>
Example 1 (figure not reproduced on this page)
Example 2 (figure not reproduced on this page)
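The extended-ACL syntax above has more fields than the standard form, so here is an added Python evaluator (not Cisco IOS code, not from the original notes) that handles the subset quoted in the Set line: protocol, source and destination with wildcard masks, the `eq`/`gt`/`lt` port operators, and the `established` keyword (`log` is accepted and ignored). The ACL lines, addresses and packets are constructed for this example; the `Packet` class is a stand-in for the header fields a router inspects.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """The header fields an extended ACL can test (constructed for this example)."""
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST set: a reply in an existing session


def wildcard_match(addr, network, wildcard):
    """Wildcard-mask test: 0 bits must match, 1 bits are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def _take_address(parts, i):
    """Consume 'any', 'host X' or 'X <wildcard>' at parts[i]; return (network, wildcard, next)."""
    if parts[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if parts[i] == "host":
        return parts[i + 1], "0.0.0.0", i + 2
    return parts[i], parts[i + 1], i + 2


def _take_port(parts, i):
    """Consume an optional 'eq|gt|lt <port>'; return ((op, port) or None, next)."""
    if i < len(parts) and parts[i] in ("eq", "gt", "lt"):
        return (parts[i], int(parts[i + 1])), i + 2
    return None, i


def _port_ok(cond, port):
    if cond is None:           # no operator given: any port matches
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def parse_extended_acl(text):
    """Group 'access-list <100-199> ...' lines by number, in the order entered."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue
        number = int(parts[1])
        if not 100 <= number <= 199:
            raise ValueError(f"{number} is outside the extended ACL range 100-199")
        action, proto = parts[2], parts[3]
        src, src_wc, i = _take_address(parts, 4)
        sport, i = _take_port(parts, i)
        dst, dst_wc, i = _take_address(parts, i)
        dport, i = _take_port(parts, i)
        established = "established" in parts[i:]   # 'log' may follow; ignored here
        acls.setdefault(number, []).append(
            dict(action=action, proto=proto, src=src, src_wc=src_wc, sport=sport,
                 dst=dst, dst_wc=dst_wc, dport=dport, established=established))
    return acls


def evaluate(entries, pkt):
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, e["src"], e["src_wc"])
                and wildcard_match(pkt.dst, e["dst"], e["dst_wc"])):
            continue
        if not (_port_ok(e["sport"], pkt.sport) and _port_ok(e["dport"], pkt.dport)):
            continue
        # 'established' matches only TCP segments with ACK or RST set, i.e. replies
        # to sessions opened from the inside; a fresh SYN from outside never matches
        if e["established"] and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        return e["action"]
    return "deny"


# Constructed sample (not from the page). ACL 101 is meant for the inbound
# direction of an Internet-facing interface: admit replies to inside-initiated
# TCP sessions, admit anyone to the web server on port 80, drop the rest.
# ACL 102 shows the gt operator applied to the source port.
SAMPLE_CONFIG = """
access-list 101 permit tcp any 172.16.1.0 0.0.0.255 established
access-list 101 permit tcp any host 172.16.1.10 eq 80
access-list 101 deny ip any any log
access-list 102 permit udp host 172.16.1.5 any eq 53
access-list 102 permit tcp 172.16.1.0 0.0.0.255 gt 1023 any
"""

ACLS = parse_extended_acl(SAMPLE_CONFIG)


def check(number, pkt):
    """Result of running one packet through ACL <number>."""
    return evaluate(ACLS[number], pkt)


if __name__ == "__main__":
    print(check(101, Packet("tcp", "203.0.113.9", "172.16.1.10", 51000, 80)))         # permit
    print(check(101, Packet("tcp", "203.0.113.9", "172.16.1.20", 51000, 22)))         # deny
    print(check(101, Packet("tcp", "203.0.113.9", "172.16.1.20", 443, 51000, True)))  # permit
```

The point to take from ACL 101 is the `established` entry: it lets return traffic for connections opened from the 172.16.1.0 network back in without opening those hosts to new connections from outside, while the explicit `deny ip any any log` at the end does the same job as the implicit deny but records what was dropped.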
Show all ACLs: #show <protocol> access-list
Show one ACL: #show <protocol> access-list <access-list-number>
