ICND2 – Chapter 7 – Basic Access Control Lists (ACLs)

I’m expecting to see a good bit of ACL on the exam and this first chapter on ACLs covers mostly standard access lists. I’m reasonably confident in my ACL skills at this level. Here are my notes:

An ACL can be applied inbound on an interface (before the router makes its forwarding decision) or outbound on an interface (after the router has made its forwarding decision).

ACLs look at IP header fields (source and destination address) and at TCP/UDP port numbers.

ACL Numbers:

1-99 Standard
100-199 Extended
1300-1999 Standard
2000-2699 Extended

ACLs can also be named.

Named ACLs allow advanced editing with sequence numbers.

An ACL is either numbered OR named, AND either standard OR extended.

Standard ACLs only look at the SOURCE ADDRESS.

Extended ACLs look at the SOURCE, DESTINATION, AND optional SOURCE PORT and/or DESTINATION PORT.

When a packet is evaluated against an ACL, the FIRST MATCH results in the defined action (permit/deny) and no subsequent lines in the ACL are examined.

You configure a standard access list as follows:

Router(config)#access-list 1 permit host 10.1.1.2 (single address)

Router(config)#access-list 1 permit 10.11.0.0 0.0.255.255 (for a subnet)

ACLs use a Wildcard Mask for the subnet.

Subtract the subnet mask from 255.255.255.255 to determine the wildcard mask.

*FASTER WAY*:

Each 255 becomes a 0
Each 0 becomes a 255

If the mask is not on a classful boundary, find the block size in the interesting octet and subtract one to get the wildcard value for that octet. Example:

192.168.1.16 255.255.255.240 = 192.168.1.16 0.0.0.15 (block size 16, minus 1 = 15)

You can use the any keyword to allow all addresses. Example: access-list 1 permit any

There is an implicit deny any/any at the end of every ACL. The implicit deny is not logged, so if you want to log denials, add an explicit deny any statement with the log keyword to the bottom of your ACL.

Standard ACLs should be placed closest to the destination of the packet.

Extended ACLs should be placed closest to the source of the packet.

Apply an ACL to an interface as follows:

Router(config-if)#ip access-group 1 [in | out]

To view access lists use:

Router#show access-lists (this version only shows IPv4 ACLs)

or

Router#show ip access-lists (this version will show all types of ACLs)

To add a remark in an ACL use:

Router(config)#access-list 1 remark This is to block Fred
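As an added illustration (my own code, not from the original notes or from Cisco), here is a small Python simulation of the two wildcard-mask rules above and of first-match evaluation with the implicit deny. The function names and the sample ACL are constructed for the example; only the standard-ACL syntax (host / address wildcard / any / remark) is taken from the notes.

```python
import ipaddress

def wildcard_from_mask(mask: str) -> str:
    """Slow way from the notes: 255.255.255.255 minus the subnet mask, per octet."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Shortcut from the notes: block size of the interesting octet minus one.
    Full octets come out as 0 or 255, which the same rule also produces."""
    octets = []
    for i in range(4):
        bits = max(0, min(8, prefix_len - 8 * i))  # mask bits in this octet
        octets.append(str(2 ** (8 - bits) - 1))    # block size minus one
    return ".".join(octets)

def matches(src: str, address: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (the inverse of a mask)."""
    s, a, w = (int(ipaddress.IPv4Address(x)) for x in (src, address, wildcard))
    care = 0xFFFFFFFF ^ w
    return (s & care) == (a & care)

def parse_acl_line(line: str):
    """Parse standard ACL syntax: 'host A', 'A W', or 'any'; remarks are skipped."""
    parts = line.split()
    if parts[2] == "remark":
        return None
    action, target = parts[2], parts[3:]
    if target[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if target[0] == "host":
        return action, target[1], "0.0.0.0"
    return action, target[0], target[1]

def evaluate(acl_lines, src: str) -> str:
    """First matching line decides; if nothing matches, the implicit deny applies."""
    for line in acl_lines:
        entry = parse_acl_line(line)
        if entry and matches(src, entry[1], entry[2]):
            return entry[0]
    return "deny"  # implicit deny any at the end of every ACL

# Constructed sample ACL: the notes' own two permit lines plus one deny.
SAMPLE_ACL = [
    "access-list 1 remark allow Fred's host and 10.11/16, block the rest of 10/8",
    "access-list 1 permit host 10.1.1.2",
    "access-list 1 permit 10.11.0.0 0.0.255.255",
    "access-list 1 deny 10.0.0.0 0.255.255.255",
]
```

Evaluating 192.168.1.20 against SAMPLE_ACL returns "deny" from the implicit deny, and appending "access-list 1 permit any" flips it to "permit".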
