1
Interconnecting Cisco Networking Devices
  • Module 8
  • Access Lists
2
Overview
  • Introduction to Access Lists
  • Standard Access Lists
  • Extended Access Lists
  • Named Access Lists
  • Monitoring Access Lists
  • Summary
3
Introduction to Access Lists
  • Essentially, a list of conditions that categorize packets.


  • Standard Access Lists
  • Extended Access Lists
  • Named Access Lists


  • Inbound Access Lists
  • Outbound Access Lists
4
Standard Access Lists
  • Filters traffic by examining the source IP address in a packet
  • Use access-list numbers 1-99 and 1300-1999
  • access-list ?
5
Wildcard Masking

  • 172.16.30.5 0.0.0.0 <- specifies that host only


  • 172.16.30.0 0.0.0.255 <- traffic has to match first 3 octets only


  • 172.16.16.0 0.0.3.255 <- would match traffic from 172.16.16.0 to 172.16.19.0
6
Standard Access List Example
  • Router (config)# access-list 10 deny 172.16.40.0 0.0.0.255
  • Router (config)# access-list 10 permit any
  • -----
  • Router (config)# int e0
  • Router (config-if)# ip access-group 10 out
  • -----
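Added example (not from the original slides): a Python sketch of how a wildcard mask is compared against a packet's source address, and how access list 10 above is evaluated top-down. The function names and the sample source addresses are assumptions made for illustration; the deny returned when no entry matches is the implicit deny that ends every IOS access list.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # a 0 bit in the wildcard means "must match"
    return (a & care) == (b & care)

def matched_range(base, wildcard):
    """First and last address covered; valid for contiguous wildcards only."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # non-zero unless w is a run of low-order 1 bits
        raise ValueError("non-contiguous wildcard: matches are not one range")
    first = b & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))

# Access list 10 from the slide as (action, base, wildcard).
# "any" is shorthand for 0.0.0.0 255.255.255.255.
ACL_10 = [
    ("deny", "172.16.40.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

def evaluate(acl, src):
    """First matching entry wins; a packet matching no entry is denied."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny at the end of every access list

if __name__ == "__main__":
    # The three wildcard examples from the Wildcard Masking slide.
    for base, wc in [("172.16.30.5", "0.0.0.0"),
                     ("172.16.30.0", "0.0.0.255"),
                     ("172.16.16.0", "0.0.3.255")]:
        print(base, wc, "->", matched_range(base, wc))
    # Constructed sample source addresses checked against access list 10.
    for src in ["172.16.40.17", "172.16.41.17", "10.1.1.1"]:
        print(src, "->", evaluate(ACL_10, src))
```

Dropping the `permit any` entry from `ACL_10` makes every source address come back as deny, which is why the slide's list ends with it.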
7
Controlling VTY (Telnet) Access
  • Router (config)# access-list 50 permit 172.16.10.3
  • Router (config)# line vty 0 4
  • Router (config-line)# access-class 50 in
8
Extended Access Lists
  • Can filter traffic by examining the source IP address, destination IP address, service, etc. in a packet
  • Use access-list numbers 100-199 and 2000-2699
  • access-list ?


9
Extended Access List Example
  • Router (config)# access-list 110 deny tcp any host 172.16.30.5 eq 21
  • Router (config)# access-list 110 deny tcp any host 172.16.30.5 eq 23
  • Router (config)# access-list 110 permit ip any any


  • Router (config)# int s0
  • Router (config-if)# ip access-group 110 out



10
Named Access Lists
  • Another way to create Standard and Extended Access Lists
  • Allows you to remove individual lines, instead of re-creating the whole access list
11
Named Access List Example
  • Router (config)# ip access-list standard BlockSales
  • Router (config-std-nacl)# deny 172.16.40.0 0.0.0.255
  • Router (config-std-nacl)# permit any
  • Router (config-std-nacl)# exit


  • Router (config)# int s0
  • Router (config-if)# ip access-group BlockSales out
12
Useful Commands
  • show access-list
  • show access-list 110
  • show ip access-list
  • show ip interface
  • show running-config
13
Summary

  • Place Standard Access Lists close to the destination


  • Place Extended Access Lists close to the source


  • Extremely useful

