access lists (acl) knowledge needed for cisco ccna exam ...

just a fast overview

there are two kinds of access lists on cisco routers

1. standard acls

-numbered from 1-99 (and some higher ranges)
-filter only on source ip
-used when a single source ip or a whole source network must be denied access to another network or host

2. extended acls

-numbered from 100-199 (and some higher ranges)
-filter on source ip, destination ip, protocol and ports/applications
-used when only traffic from a specified host or network with specified protocols and ports must be filtered

handling of access-lists

1. configure some statements.

example 1: deny http and telnet access from a network to a host

access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
access-list 100 permit ip any any

example 2: deny complete ip access from a network to a host

(a destination address and a protocol keyword can only be given in an extended acl, so the list number has to come from the 100-199 range, not from 1-99)

access-list 101 deny ip 143.43.43.0 0.0.0.255 143.55.55.8 0.0.0.0
access-list 101 permit ip any any

example 3: deny ping from a network to a host

(icmp is a protocol keyword, so this is an extended acl as well; the destination host needs its wildcard 0.0.0.0 too)

access-list 102 deny icmp 132.43.4.0 0.0.0.255 145.52.54.9 0.0.0.0
access-list 102 permit ip any any

2. all the statements with the same number build one access list.

bind the acl to an interface with the command "ip access-group <acl-number> <in or out>"

interface e0
ip access-group 100 in

rules

1. "last" deny statement of every acl

at the end of every access-list there is an invisible "deny ip any any" statement (in a standard acl: "deny any").
that's why we have to put the "access-list <nr> permit ip any any" statement at the end of our acl whenever all other traffic should still pass.

2. from first to last

when filtering a packet, the router checks the statements of the acl from the first to the last.
as soon as a statement matches, the following statements are not checked anymore (first match wins).
example
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
access-list 100 permit ip any any

if a host with ip 143.43.43.6/24 tries to access the webserver 132.32.32.4 on port 80, it is denied because of the first statement. the second and third statement are not checked in that case.
if the same host tries to access the telnet port of the webserver, the first statement is checked first. because port 80 is not the port the host wants to reach, the second statement is checked next.
the second statement denies telnet, so the host can not access the webserver via telnet.
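to make the first-match rule and the invisible deny at the end visible, here is an added python model of the evaluation (my own code, not part of the original notes and not cisco software): it replays access-list 100 from the example above with cisco wildcard mask semantics. the names Ace, wildcard_match and evaluate are my own.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Ace(NamedTuple):
    """one access-list entry, fields in the order of the numbered acl syntax"""
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp" or "icmp"
    src: str                  # source address
    src_wc: str               # source wildcard (0 bit = must match, 1 bit = don't care)
    dst: str                  # destination address
    dst_wc: str               # destination wildcard
    eq_port: Optional[int] = None  # destination port of an "eq" clause, None if absent

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """cisco wildcard mask check: only the bits that are 0 in the mask are compared"""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl: List[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """walk the acl from first to last; the first matching statement decides.
    returns (action, index of the matching statement). if nothing matches,
    the invisible 'deny ip any any' at the end applies and the index is None."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.eq_port is not None and ace.eq_port != dport:
            continue
        return ace.action, i
    return "deny", None

# access-list 100 from the notes; "any" is written out as 0.0.0.0 255.255.255.255
ACL_100 = [
    Ace("deny", "tcp", "143.43.43.0", "0.0.0.255", "132.32.32.4", "0.0.0.0", 80),
    Ace("deny", "tcp", "143.43.43.0", "0.0.0.255", "132.32.32.4", "0.0.0.0", 23),
    Ace("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# the same list without the final permit: everything not denied explicitly is still dropped
ACL_100_NO_PERMIT = ACL_100[:2]

if __name__ == "__main__":
    print(evaluate(ACL_100, "143.43.43.6", "132.32.32.4", "tcp", 80))    # ('deny', 0)
    print(evaluate(ACL_100, "143.43.43.6", "132.32.32.4", "tcp", 23))    # ('deny', 1)
    print(evaluate(ACL_100, "143.43.43.6", "132.32.32.4", "tcp", 443))   # ('permit', 2)
    print(evaluate(ACL_100_NO_PERMIT, "143.43.43.6", "132.32.32.4", "tcp", 443))  # ('deny', None)
```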

3. placement of acls
put standard acls close to the destination host or network which has to be protected.
put extended acls close to the source hosts or network where the traffic originates.

4. you can put one acl per interface, per protocol, per direction
you can't bind more than one acl to an interface per direction (incoming or outgoing).

5. single statements of a numbered acl can not be deleted

if you have to change or delete a single statement, you have to delete the whole acl and write a new one.
only in named access-lists it is possible to change or delete single statements of the acl.

6. different terms for different usage

there are different terms which can confuse.
access-group: used to bind an access-list to an interface
access-class: used to deny or permit telnet access to a router vty line.

7. syntax of extended acl

access-list <number> <permit or deny> <protocol> <source> <wildcard> <destination> <wildcard> [eq <portnumber or application>]

(the eq part is optional and only makes sense for tcp and udp)

8. syntax of standard acl

access-list <number> <permit or deny> <source> <wildcard>


please correct if something is wrong