In the previous article we discussed Access Control Lists in general. Here we'll focus on Standard Access Lists on Cisco devices and walk through an example.
With standard ACLs you can permit or deny traffic based only on the source IP address; the destination of the packet and the port don't matter. They can be named or numbered. Numbered standard ACLs use the ranges 1 to 99 and 1300 to 1999.
To understand better how they work, let's take an example.
In the picture above we have R1 and R2. On R1's fa0/0 interface we will apply an inbound ACL to filter some of the networks on R2's loopback interfaces. For now, we configure the interfaces on R1 and R2 without an ACL.
R1:
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
ip route 192.168.1.0 255.255.255.0 FastEthernet0/0
ip route 192.168.2.0 255.255.255.0 FastEthernet0/0
R2:
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
On R1 we've added 3 static routes to reach R2's loopback interfaces. Next, we'll configure a numbered Access List on R1.
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Manage Traffic From R2
The configuration must be entered in global configuration mode. In the ACL's statements we have:
- Number "1"
  - This is the number used by this ACL.
- "deny" keyword
  - The network matched by this statement will be denied.
- "permit" keyword
  - The network matched by this statement will be permitted.
- Network address (192.168.0.0 in the first statement)
  - This is the network that will be matched by the statement.
- Wildcard mask (0.0.0.255 in the first statement)
  - This is the wildcard mask that tells the router which bits of the network address to look at.
  - A wildcard mask bit of 0 means: match the corresponding bit of the address;
  - A wildcard mask bit of 1 means: ignore the corresponding bit of the address.
  - In binary 0.0.0.255 is 00000000.00000000.00000000.11111111, so the first 24 bits of the source IP address are compared and the last 8 are ignored. For the first statement of the ACL this means that every packet whose source IP address starts with 192.168.0 will be matched and denied; the last 8 bits don't matter.
- "remark" keyword
  - The string after this keyword is a description that can remind you at a later time what the purpose of the ACL is.
The next step is to bind the Standard Access List to an interface as inbound or outbound. An ACL does not filter packets generated by the router itself, so there is no reason to apply it here as an outbound ACL. We'll bind it to R1's fa0/0 as an inbound Access List.
interface FastEthernet0/0
 ip access-group 1 in
This gives the following result:
- Packets with R2's Loopback 0 source IP address (192.168.0.1) will be denied by the first statement;
- Packets with R2's Loopback 1 source IP address (192.168.1.1) will be permitted by the second statement;
- Packets with R2's Loopback 2 source IP address (192.168.2.1) will be denied by the "implicit deny" at the end of the ACL, because they are not matched by any of the other statements.
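The wildcard-mask matching and the top-down, first-match, implicit-deny evaluation described above can be modelled in a few lines. The following Python is an added illustration, not code from the article or from Cisco IOS; it parses the article's access-list 1 text, reproduces the wildcard comparison bit by bit, and evaluates the three R2 loopback addresses against it (the function and constant names are my own):

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not from the article or Cisco IOS): a small model of how a
# standard ACL evaluates a packet's source address. The statements are the
# article's access-list 1; the sample sources are R2's loopback addresses.

ACL_TEXT = """
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Manage Traffic From R2
"""

Statement = Tuple[str, str, str]   # (action, network, wildcard)


def parse_standard_acl(text: str) -> List[Statement]:
    """Parse 'access-list N permit|deny NET [WILDCARD]' lines; remarks are skipped."""
    statements: List[Statement] = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action = parts[2]
        if action == "remark":
            continue                      # description only, never matches traffic
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw}")
        network = parts[3]
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"   # IOS default: exact host
        statements.append((action, network, wildcard))
    return statements


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """True if `address` matches `network` under a Cisco wildcard mask.

    Wildcard bit 0 = compare that bit, wildcard bit 1 = ignore that bit,
    so the match holds when every compared bit is equal on both sides.
    """
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF & ~w                # bits the router actually compares
    return (a & care) == (n & care)


def compared_bits(wildcard: str) -> int:
    """How many of the 32 bits a wildcard mask compares (0.0.0.255 -> 24)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 32 - bin(w).count("1")


def evaluate(acl: List[Statement], source_ip: str) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, 1-based statement number),
    or ('deny', None) for the implicit deny at the end of every ACL."""
    for number, (action, network, wildcard) in enumerate(acl, start=1):
        if wildcard_match(source_ip, network, wildcard):
            return action, number
    return "deny", None


def r2_loopback_results(acl: List[Statement]) -> dict:
    """Evaluate R2's three loopback addresses from the article against the ACL."""
    sources = ("192.168.0.1", "192.168.1.1", "192.168.2.1")
    return {ip: evaluate(acl, ip) for ip in sources}


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_TEXT)
    for ip, (action, number) in r2_loopback_results(acl).items():
        why = f"statement {number}" if number else "implicit deny"
        print(f"{ip:<14} {action:<7} ({why})")
```

Running it prints one line per loopback: 192.168.0.1 denied by statement 1, 192.168.1.1 permitted by statement 2, and 192.168.2.1 denied with no statement number, which is the implicit deny. The `care` mask is the complement of the wildcard, so the same function also handles non-contiguous wildcards such as 0.0.255.0, which a prefix-length shortcut would get wrong.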
Let's check this out with some pings from R2's Loopback interfaces.
R2#ping 10.0.0.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
U.U.U
Success rate is 0 percent (0/5)
R2#
R2#ping 10.0.0.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/36 ms
R2#
R2#ping 10.0.0.1 source loopback 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
U.U.U
Success rate is 0 percent (0/5)
R2#
From the output you can see that only the ping from Loopback 1 succeeded; the U characters are ICMP destination-unreachable replies that R1 sends back for the packets its ACL denied. You can check the ACL's statements (and their match counters) with one of these commands:
show access-lists
show ip access-lists
To delete this Access List, use the following command. Note that for a numbered ACL this removes all of its statements, not just one:
no access-list 1
The named version of this Access List looks like this:
ip access-list standard FIRST
 deny 192.168.0.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 remark Manage Traffic From R2
See You !