Block the host with IP 10.1.1.1 inbound on serial0/0
Router> enable
Router# configure terminal
Router(config)# access-list 1 deny host 10.1.1.1   (specify who to deny)
If you use an access list that only contains deny statements, remember that there is an implicit "deny all" statement at the bottom of every ACL.
So always add a permit any, or everybody else will be denied as well!
Router(config)# access-list 1 permit any
Router(config)# exit
Router# show access-lists
To activate this access list, you have to apply it to an interface with the appropriate direction, IN or OUT.
Traffic IN – traffic that comes IN on the specified interface!
Traffic OUT – traffic that goes OUT of the specified interface!
Apply the access-list to the interface with:
Router(config)# interface serial0/0
Router(config-if)# ip access-group 1 in
Router(config-if)# exit
See which access-list entries the traffic has hit (match counters):
Router# show access-lists
You can remove the access list from the interface by simply doing:
Router(config)# interface serial0/0
Router(config-if)# no ip access-group 1 in
Block a network / Subnet
Let's say we want to deny incoming traffic from 192.168.2.128 /25 on interface serial0/0
Router> enable
Router# configure terminal
Router(config)# access-list 2 deny 192.168.2.128 0.0.0.127   (specify the network to deny, then the wildcard mask)
Router(config)# access-list 2 permit any   (else everything/any is denied also)
Apply it to the interface serial 0/0 with:
Router(config)# interface serial0/0
Router(config-if)# ip access-group 2 in
Router(config-if)# exit
Wildcard mask:
255.255.255.128 = 0.0.0.127
How to work out the wildcard mask?
Step 1: 255.255.255.128 converted to binary is: 11111111.11111111.11111111.10000000
Step 2: Flip every bit (1 becomes 0, 0 becomes 1), so it becomes: 00000000.00000000.00000000.01111111
Step 3: Convert the answer from step 2 back to decimal: 0.0.0.127
Short-cut:
255.255.255.255 minus 255.255.255.128 = 0.0.0.127
255.255.255.255 minus 255.255.255.0 = 0.0.0.255
A 0 bit in the wildcard mask means that bit of the source address must match exactly; a 1 bit (255 for a whole octet) is ignored. So the router only checks the octets where the wildcard is 0, not the ones where it is 255:
Router(config)# access-list 3 deny 192.0.53.0 0.255.0.255   (ACL number 3 chosen here as an example; only the 192 and 53 octets must match -> 192.X.53.X)
See if traffic hits the access lists:
Router# show access-lists
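To make the wildcard-mask rule and the implicit deny concrete, here is an added Python example (not part of the original notes) that computes a wildcard mask from a subnet mask, matches a source address the way the router does (0 bits must match, 1 bits are ignored) and walks a standard ACL top-down, falling through to the implicit deny; the ACL lines and test addresses are constructed samples based on access-list 2 above.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a subnet mask into a Cisco wildcard mask (255.255.255.128 -> 0.0.0.127)."""
    return str(ipaddress.IPv4Address(ALL_ONES - int(ipaddress.IPv4Address(subnet_mask))))


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the address; a 1 bit is ignored."""
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def parse_entry(line: str):
    """Turn one standard-ACL line into (action, network, wildcard), expanding 'host' and 'any'."""
    action, *rest = line.split()
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    if len(rest) == 1:  # bare address: IOS treats it as a host entry
        return action, rest[0], "0.0.0.0"
    return action, rest[0], rest[1]


def evaluate_standard_acl(acl_lines, src: str) -> str:
    """First matching entry wins; a source that matches nothing hits the implicit deny."""
    for action, network, wildcard in map(parse_entry, acl_lines):
        if wildcard_matches(src, network, wildcard):
            return action
    return "deny"  # the invisible 'deny any' at the bottom of every ACL


# Constructed sample: access-list 2 from the notes, with and without 'permit any'.
ACL_2 = ["deny 192.168.2.128 0.0.0.127", "permit any"]
ACL_2_NO_PERMIT = ["deny 192.168.2.128 0.0.0.127"]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.128"))                  # 0.0.0.127
    print(evaluate_standard_acl(ACL_2, "192.168.2.200"))          # deny
    print(evaluate_standard_acl(ACL_2, "192.168.2.5"))            # permit
    print(evaluate_standard_acl(ACL_2_NO_PERMIT, "192.168.2.5"))  # deny (implicit)
```

The last line shows the trap from the first section: without permit any, a host outside the denied range is still dropped by the implicit deny.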
Named Access-List
A named access list is the same as above, only identified by a name instead of a number (its entries get sequence numbers that increment by 10):
Router(config)# ip access-list standard BLOCK-NETWORK1-ACL
Router(config-std-nacl)# deny 192.168.2.128 0.0.0.127
Router(config-std-nacl)# permit any
Router(config-std-nacl)# exit
Router(config)# interface serial0/0
Router(config-if)# ip access-group BLOCK-NETWORK1-ACL in
You can also restrict VTY (telnet/SSH) access with an access list, applied to the VTY lines with access-class instead of ip access-group.
Here we allow VTY access only from the local subnet (10.0.0.0 /24); everything else hits the implicit deny:
Router(config)# ip access-list standard VTY_ACCESS
Router(config-std-nacl)# permit 10.0.0.0 0.0.0.255
Router(config-std-nacl)# exit
Router(config)# line vty 0 443
Router(config-line)# access-class VTY_ACCESS in