Cisco Certifications Tutorials

http://ciscocertifications.info

Network Security

Access Lists

Access lists are a list of conditions that control access to a router's interface.
· Each packet is compared with each line of the access list in sequential order.
· Once a match is made, that line's permit or deny is acted upon and no further comparisons take place.
· There is an implicit deny at the end of each access list, so a packet that matches no line is dropped.

Access List Numbers to Know
1-99 - IP Standard Access Lists
100-199 - IP Extended Access Lists
800-899 - IPX Standard Access Lists
900-999 - IPX Extended Access Lists
1000-1099 - IPX SAP Access Lists

*Keypoints: Know what numbers apply to which type of access lists.

Standard IP Access List

A standard IP access list examines only the source address of the packet and matches it against each line of the list. To create one in global configuration mode:

Router(config)# access-list <number 1-99> <permit or deny> <source address> <wildcard mask>

Wildcard Mask

A wildcard mask is a 32-bit, 4-octet value that tells the router which bits of a packet's source address to compare, so that one access-list line can cover a single IP address or a whole range of addresses. Here is how it works:

Let's say you want standard access list 10 (10 is in the standard range, 1-99) to cover all hosts in the 172.30.0.0 network. Your input on the router would look like this:

Router(config)# access-list 10 permit 172.30.0.0 0.0.255.255

The wildcard mask 0.0.255.255 in binary is 00000000.00000000.11111111.11111111. A "0" bit tells the router to compare that bit position of the packet's source address with the address given in the line (172.30.0.0). A "1" bit tells the router to ignore that bit of the packet's address. If every bit position marked "0" matches, the packet matches this line and the line's permit or deny is applied; if any compared bit differs, this line does not match and the router moves on to the next line. So all 8 bits of octet 1 (172) and all 8 bits of octet 2 (30) are compared against each incoming packet, and the last 2 octets are ignored. Therefore any packet whose source address begins with 172.30 matches this line.

Now if you wanted to match only the subnets 172.30.16.0 through 172.30.31.0, you would have to set the bits of the wildcard mask so that only the bits shared by those subnets are compared. In the third octet, 16 is 00010000 and 31 is 00011111: the top four bits are the same for every subnet in the range and the low four bits vary, so the wildcard mask is 0.0.15.255 (00000000.00000000.00001111.11111111).

To match only a specific address, enter a wildcard mask of 0.0.0.0. This means that every bit of the packet's source address is compared with the address you entered in the access list.

Ex: access-list 10 permit 172.30.16.100 0.0.0.0

This line matches only packets from host 172.30.16.100.

You apply the access list to an interface by entering the interface configuration mode and typing.
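The matching rules above (sequential comparison, first match wins, implicit deny, and the 0-means-compare / 1-means-ignore wildcard semantics) as a small Python model. This is an added example, not code from the tutorial or from Cisco IOS; the configuration text is constructed for the example, and wildcard_for_block goes beyond the text by deriving the wildcard for any power-of-two aligned block of subnets, not just 172.30.16.0 through 172.30.31.0. The "host" and "any" shorthands are real IOS keywords that the tutorial does not cover; supporting them here is an assumption about input, not something the page requires.

```python
"""Model of how a Cisco IOS standard IP access list evaluates a packet's source address.
Added example, not Cisco's implementation: sequential comparison, first match wins,
implicit deny at the end, and wildcard bit semantics (0 = compare, 1 = ignore)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample configuration for this example. Access-list 10 is in the
# standard range (1-99). A missing wildcard defaults to 0.0.0.0 as it does in IOS;
# "host" and "any" are IOS shorthands for 0.0.0.0 and 255.255.255.255.
SAMPLE_ACL = """
access-list 10 deny   172.30.16.100
access-list 10 permit 172.30.16.0 0.0.15.255
access-list 10 permit host 10.0.0.7
"""

Entry = Tuple[str, str, str]  # (action, source address, wildcard mask)


def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(packet_src: str, acl_src: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'compare this bit', a 1 bit means 'ignore it'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # bits the router must compare
    return (to_int(packet_src) & care) == (to_int(acl_src) & care)


def parse_standard_acl(config: str) -> List[Entry]:
    """Parse 'access-list <1-99> permit|deny <src> [<wildcard>]' lines into entries."""
    entries: List[Entry] = []
    for raw in config.strip().splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                                # ignore blank or unrelated lines
        number = int(parts[1])
        if not 1 <= number <= 99:
            raise ValueError(f"{number} is not a standard IP access-list number (1-99)")
        action, rest = parts[2], parts[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r} in: {raw}")
        if rest[0] == "any":
            src, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            src, wc = rest[1], "0.0.0.0"
        else:
            src = rest[0]
            wc = rest[1] if len(rest) > 1 else "0.0.0.0"
        entries.append((action, src, wc))
    return entries


def evaluate(entries: List[Entry], packet_src: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching line), or ('deny', None) for the implicit deny."""
    for i, (action, src, wc) in enumerate(entries):
        if wildcard_match(packet_src, src, wc):
            return action, i                        # first match wins; stop comparing
    return "deny", None                             # implicit deny at the end of every list


def wildcard_for_block(first_net: str, last_net: str, prefix_len: int = 24) -> str:
    """Wildcard mask covering the contiguous block first_net..last_net of /prefix_len subnets.
    Only a power-of-two aligned block fits in one line; anything else raises.
    Example: 172.30.16.0 .. 172.30.31.0 (/24 each) -> 0.0.15.255"""
    host_bits = (1 << (32 - prefix_len)) - 1
    first, last = to_int(first_net), to_int(last_net) | host_bits
    wc = first ^ last
    # A usable wildcard is a run of 1s in the low bits (wc + 1 is a power of two),
    # and the first address must be aligned to that run.
    if (wc & (wc + 1)) != 0 or (first & wc) != 0:
        raise ValueError("block is not power-of-two aligned; it needs more than one line")
    return str(ipaddress.IPv4Address(wc))


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for src in ("172.30.16.100", "172.30.20.5", "172.30.32.1", "10.0.0.7"):
        print(src, evaluate(acl, src))
    print("172.30.16.0-172.30.31.0 ->", wildcard_for_block("172.30.16.0", "172.30.31.0"))
```

The ordering of the sample list is deliberate: the specific deny for 172.30.16.100 comes before the broader permit for 172.30.16.0 0.0.15.255. Because the first matching line is acted upon and no further lines are consulted, swapping those two lines would let the host through and the deny would never be reached; the evaluate function reproduces that behaviour, which is the usual mistake when editing a list in place.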