Access Lists

Card Set Information

Access Lists
2014-02-05 23:35:51

Cisco CCNA Exam

  1. Access Lists
    Access lists are a set of conditions that permit or deny access to, or through, a router's interface.

    Range            Usage

    • 1-99           IP Standard
    • 1300-1999      IP Standard (Expanded Range)
    • 100-199        IP Extended
    • 2000-2699      IP Extended (Expanded Range)

    Access lists can be applied to multiple interfaces but there can only be one access list per protocol per direction per interface.

    Use the keyword ‘access-class’ when applying an access list to console/aux/vty lines.

    • show ip access-lists
    • show access-list 1

    Access lists are applied to interfaces:

    • Router(config)#access-list 1 permit
    • Router(config)#interface e0
    • Router(config-if)#ip access-group 1 in
  2. Standard Access Lists
    Standard IP access lists check only the source address of the packet and permit or deny the entire TCP/IP suite. You cannot choose a particular port or application to block.

    Cisco recommends that they are placed as close to the destination as possible.

    Router(config)#access-list {number 1-99} {permit/deny} {source address}

    Example: access-list 10 permit {source address} (the address can be a host or a network)
  3. Extended Access Lists
    These allow far more granularity when filtering IP traffic. They can filter packets based on source or destination address, a particular IP protocol, and port number.

    Cisco recommends that they are placed as close to the source as possible.

    Router(config)#access-list {number 100-199} {permit/deny} {protocol} {source} {destination} {port}

    Example: access-list 112 permit tcp host {source} host {destination} eq www
  4. Named Access Lists
    Access lists applied inbound save the router from having to process the packet: denied packets are dropped at the inbound interface before routing. Outbound access lists are applied after the router has processed the packet, which is then dropped at the outbound interface if it matches a deny entry.

    • Router(config)#ip access-list {standard/extended} name
    • Router(config)#ip access-list extended no_ftp
  5. Wildcard Masks
    Wildcard masks tell the router which parts of the address to look at and which to disregard.

    access-list 12 permit

    This would permit any host on the network 172.16.5.x. To work out a wildcard mask, write the subnet mask out in full and subtract each octet from 255.

    • Number     255  255  255  255
    • Mask       255  255  192    0
    • Equals       0    0   63  255