IP Access Control List (ACL)
Why use an access list
Manage the growing volume of IP traffic on the network
Filter traffic as it passes through the router
Access list applications
Permit or deny packets passing through the router
Permit or deny the establishment of Telnet sessions to the router
When no access list is configured, all packets are forwarded through the network
What is an access list (standard, extended)
Standard
Checks the source address only
Usually permits or denies an entire protocol suite (all of TCP/IP)
Extended
Checks both source and destination addresses
Usually permits or denies a specific protocol (and port)
What is an access list
Applied to an interface in the inbound or outbound direction
Access List Configuration Guide
The number of the access list indicates which protocol the access list applies to
Each interface, each direction, and each protocol can have only one access list applied
The order of statements in the access list determines the order in which traffic is tested (first match wins)
More specific (strictly constrained) statements should be placed at the top of the access list, before broader ones
There is an implicit "deny any" statement at the end of every access list, so every useful access list should contain at least one permit statement
Create the access list first, then apply it to the interface
Access lists cannot filter traffic generated by the router itself
Standard access list and extended access list comparison
Standard
Permits or denies the entire TCP/IP protocol suite based on the source address; number ranges 1-99 and 1300-1999
Extended
Permits or denies a specific TCP/IP protocol and port number based on source and destination addresses; number ranges 100-199 and 2000-2699
Configuration
Standard IP Access List Configuration
Router(config)#
access-list access-list-number {permit|deny} source [mask]
Sets the parameters of the access list
IP standard access list numbers are 1 to 99
Default wildcard mask = 0.0.0.0 (an exact host match when the mask is omitted)
The "no access-list access-list-number" command deletes the access list
Router(config-if)#
ip access-group access-list-number { in | out }
Applies the access list to an interface
"in" or "out" specifies the direction in which traffic is filtered
The "no ip access-group access-list-number" command removes the access list from the interface
Configuration of Extended IP Access List
Router(config)#
access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ]
Sets the parameters of the access list
Router(config-if)# ip access-group access-list-number { in | out }
Applies the access list to an interface
Viewing the statements of an access list
wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}
wg_ro_a#show access-lists
Standard IP access list 1
permit 10.2.2.1
permit 10.3.3.1
permit 10.4.4.1
permit 10.5.5.1
Extended IP access list 101
permit tcp host 10.22.22.1 any eq telnet
permit tcp host 10.33.33.1 any eq ftp
permit tcp host 10.44.44.1 any eq ftp-data
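The rules in the configuration guide above (first match wins, specific statements before broad ones, the implicit "deny any" at the end, the default 0.0.0.0 wildcard mask) and the access-list syntax shown in the configuration section can be checked offline with a small model. The following Python program is an added example, not part of the original page or of any router vendor's software: it parses a constructed set of IOS-style "access-list" lines covering a subset of the syntax on the page (any, host, address plus wildcard, eq port), evaluates packets against them with Cisco wildcard-mask semantics, and reports which statement (or the implicit deny) made the decision. The addresses, list numbers and the `misordered` helper are constructed for the demonstration.

```python
"""Model of numbered IP ACL evaluation: wildcard masks, first-match ordering
and the implicit 'deny any' that closes every list. Added example; the
configuration text below is constructed and covers only part of the syntax."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed configuration: list 1 is standard (source only), 101 is extended.
# The specific deny for one host is placed BEFORE the broader permit for its subnet.
ACL_CONFIG = """\
access-list 1 permit 10.2.2.1
access-list 1 permit 10.3.3.0 0.0.0.255
access-list 101 deny tcp host 10.22.22.9 any eq 23
access-list 101 permit tcp 10.22.22.0 0.0.0.255 any eq 23
access-list 101 permit tcp host 10.33.33.1 any eq 21
"""

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

@dataclass
class Entry:
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'ip' matches every protocol; 'tcp', 'udp', ...
    src: str
    src_wc: str
    dst: str = "0.0.0.0"            # standard lists have no destination: match any
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None     # only the 'eq' operator is modelled

def _parse_addr(t: list[str], i: int) -> tuple[str, str, int]:
    """Consume 'any', 'host X', 'X WILDCARD' or bare 'X' (default wildcard 0.0.0.0, as on the page)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit() and t[i + 1].count(".") == 3:
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1

def parse_line(line: str) -> tuple[int, Entry]:
    """Parse one 'access-list N permit|deny ...' line; the number decides standard vs extended."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard: source address only
        src, src_wc, _ = _parse_addr(t, 3)
        return number, Entry(action, "ip", src, src_wc)
    proto = t[3]                                          # extended: protocol, src, dst, ports
    src, src_wc, i = _parse_addr(t, 4)
    if i < len(t) and t[i] == "eq":                       # source port operator, skipped here
        i += 2
    dst, dst_wc, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return number, Entry(action, proto, src, src_wc, dst, dst_wc, dport)

def load(config: str) -> dict[int, list[Entry]]:
    """Group parsed entries by list number, preserving configuration order."""
    acls: dict[int, list[Entry]] = {}
    for line in config.strip().splitlines():
        n, e = parse_line(line)
        acls.setdefault(n, []).append(e)
    return acls

def evaluate(acl: list[Entry], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> tuple[str, Optional[int]]:
    """First matching statement decides; index None means the implicit 'deny any' applied."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc) or not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None

ACLS = load(ACL_CONFIG)

def misordered(src: str = "10.22.22.9") -> tuple[str, Optional[int]]:
    """Swap the first two statements of list 101: the broad permit now shadows the specific deny."""
    swapped = [ACLS[101][1], ACLS[101][0]] + ACLS[101][2:]
    return evaluate(swapped, src, "192.0.2.10", "tcp", 23)

if __name__ == "__main__":
    for src in ("10.2.2.1", "10.3.3.77", "10.4.4.1"):
        print("list 1  ", src, evaluate(ACLS[1], src, "192.0.2.10"))
    for src, port in (("10.22.22.9", 23), ("10.22.22.5", 23), ("10.33.33.1", 23), ("10.33.33.1", 21)):
        print("list 101", src, port, evaluate(ACLS[101], src, "192.0.2.10", "tcp", port))
    print("list 101 with deny moved below the permit:", misordered())
```

Running the script shows 10.4.4.1 falling through list 1 to the implicit deny, and the host 10.22.22.9 being denied Telnet only while its deny statement precedes the subnet-wide permit; `misordered()` demonstrates the shadowing that the "specific statements first" rule prevents.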