Chapter 2: Basic IPv4 Access Control Lists 33
[Figure 2-7: network topology with hosts A (10.1.1.1), B (10.1.1.2), and C (10.3.3.3), routers R1 and R2 connected by their S0/0/0 and S0/0/1 serial links, and ACL 1 applied at R2. The ACL shown in the figure:]
access-list 1 permit 10.1.1.1
access-list 1 deny 10.1.1.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255
Figure 2-7 Syntactically Correct ACL Replaces Pseudocode from Figure 2-4
Binary Wildcard Masks
Wildcard masks, as dotted-decimal number (DDN) values, actually represent a 32-bit binary
number. As a 32-bit number, the WC mask actually directs the router’s logic bit by bit. In
short, a WC mask bit of 0 means the comparison should be done as normal, but a binary 1
means that the bit is a wildcard and can be ignored when comparing the numbers.
Thankfully, for the purposes of CCNA study, and for most real-world applications, you can
ignore the binary WC mask. Why? Well, we generally want to match a range of addresses
that can be easily identified by a subnet number and mask, whether it be a real subnet, or
a summary route that groups subnets together. If you can describe the range of addresses
with a subnet number and mask, you can find the numbers to use in your ACL with some
simple decimal math, as discussed next.
NOTE If you really want to know the binary mask logic, take the two DDN numbers
the ACL will compare (one from the access-list command and the other from the packet
header) and convert both to binary. Then, also convert the WC mask to binary. Compare
the first two binary numbers bit by bit, but also ignore any bits for which the WC mask
happens to list a binary 1, because that tells you to ignore the bit. If all the bits you checked
are equal, it’s a match!
Finding the Right Wildcard Mask to Match a Subnet
In many cases, an ACL needs to match all hosts in a particular subnet. To match a subnet
with an ACL, you can use the following shortcut:
■ Use the subnet number as the source value in the access-list command.
■ Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.
For example, for subnet 172.16.8.0 255.255.252.0, use the subnet number (172.16.8.0) as
the address parameter, and then do the following math to find the wildcard mask:
  255.255.255.255
– 255.255.252.  0
  ---------------
    0.  0.  3.255
Continuing this example, a completed command for this same subnet would be as follows:
access-list 1 permit 172.16.8.0 0.0.3.255
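The subtraction shortcut and the bit-by-bit comparison described in the NOTE above, as an added example in Python (not code from the Cert Guide; the helper names are our own). It derives the 0.0.3.255 wildcard for subnet 172.16.8.0 255.255.252.0, works out the range of source addresses the resulting command matches, and then checks individual packet sources the way the router's logic does: a wildcard bit of 0 must match, a wildcard bit of 1 is ignored.

```python
# Added example (not from the Cert Guide): wildcard-mask arithmetic and the
# bit-by-bit comparison a router performs. Helper names are our own.
import ipaddress


def ddn_to_int(ddn: str) -> int:
    """Convert a dotted-decimal string such as '172.16.8.0' to a 32-bit integer."""
    return int(ipaddress.IPv4Address(ddn))


def int_to_ddn(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal notation."""
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """The chapter's shortcut: 255.255.255.255 minus the subnet mask."""
    return int_to_ddn(0xFFFFFFFF - ddn_to_int(subnet_mask))


def wildcard_match(address: str, wildcard: str, packet_source: str) -> bool:
    """Compare address and packet source bit by bit, ignoring bits where the wildcard is 1.

    Masking both values with the complement of the wildcard keeps only the bits
    that must be equal (wildcard bit 0); the 1 bits drop out of the comparison.
    """
    care_bits = 0xFFFFFFFF ^ ddn_to_int(wildcard)
    return (ddn_to_int(address) & care_bits) == (ddn_to_int(packet_source) & care_bits)


def matching_range(address: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest source address an address/wildcard pair can match."""
    care_bits = 0xFFFFFFFF ^ ddn_to_int(wildcard)
    low = ddn_to_int(address) & care_bits       # wildcard bits forced to 0
    high = low | ddn_to_int(wildcard)           # wildcard bits forced to 1
    return int_to_ddn(low), int_to_ddn(high)


if __name__ == "__main__":
    wc = wildcard_from_subnet_mask("255.255.252.0")
    print(f"access-list 1 permit 172.16.8.0 {wc}")   # 0.0.3.255
    print(matching_range("172.16.8.0", wc))          # 172.16.8.0 through 172.16.11.255
    for src in ("172.16.9.77", "172.16.11.255", "172.16.12.1"):
        print(src, wildcard_match("172.16.8.0", wc, src))
```

The range function is a useful check before committing an ACL line: if the printed low and high addresses are not the subnet you intended, the subnet number or the mask arithmetic is wrong.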
34 CCNA 200-301 Official Cert Guide, Volume 2
The section “Practice Applying Standard IP ACLs” gives you a chance to practice matching
subnets when configuring ACLs.
Matching Any/All Addresses
In some cases, you will want one ACL command to match any and all packets that reach
that point in the ACL. First, you have to know the (simple) way to match all packets using
the any keyword. More importantly, you need to think about when to match any and all
packets.
First, to match any and all packets with an ACL command, just use the any keyword for the
address. For example, to permit all packets:
access-list 1 permit any
So, when and where should you use such a command? Remember, all Cisco IP ACLs end
with an implicit deny any concept at the end of each ACL. That is, if a router compares a
packet to the ACL, and the packet matches none of the configured statements, the router
discards the packet. Want to override that default behavior? Configure a permit any at the
end of the ACL.
You might also want to explicitly configure a command to deny all traffic (for example,
access-list 1 deny any) at the end of an ACL. Why, when the same logic already sits at the
end of the ACL anyway? Well, the ACL show commands list counters for the number of
packets matched by each command in the ACL, but there is no counter for that implicit deny
any concept at the end of the ACL. So, if you want to see counters for how many packets are
matched by the deny any logic at the end of the ACL, configure an explicit deny any.
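A small model of the ACL search described in this section, added here as an example and not taken from the Cert Guide (function and class names are our own). It parses standard access-list commands, including the any keyword, applies first-match logic with the implicit deny at the end, and keeps a per-line match counter. Running the three-line ACL 1 from Figure 2-7 against a few constructed packet sources shows why a packet dropped by the implicit deny leaves no trace in the counters, and how appending an explicit deny any makes those drops countable.

```python
# Added example (not from the Cert Guide): a model of how a standard numbered
# ACL is searched, so the effect of the implicit deny and of an explicit
# "deny any" on per-line counters can be seen. Names are our own.
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    address: int       # 32-bit source address from the command
    wildcard: int      # 32-bit wildcard mask; 1 bits are ignored
    text: str          # original command, kept for show-style output
    matches: int = 0   # counter, like the "(N matches)" in show ip access-lists

    def matches_source(self, src: int) -> bool:
        care = 0xFFFFFFFF ^ self.wildcard
        return (self.address & care) == (src & care)


def parse_acl(commands: list[str]) -> list[AclEntry]:
    """Parse 'access-list N {permit|deny} source [wildcard]' lines, plus 'any'."""
    entries = []
    for line in commands:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard access-list command: {line!r}")
        action, source = parts[2], parts[3]
        if source == "any":
            address, wildcard = 0, 0xFFFFFFFF          # every bit ignored
        else:
            address = int(ipaddress.IPv4Address(source))
            # An omitted wildcard defaults to 0.0.0.0: match that single host.
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append(AclEntry(action, address, wildcard, line))
    return entries


def evaluate(acl: list[AclEntry], packet_source: str) -> str:
    """First-match search; the implicit deny at the end has no entry and no counter."""
    src = int(ipaddress.IPv4Address(packet_source))
    for entry in acl:
        if entry.matches_source(src):
            entry.matches += 1
            return entry.action
    return "deny"


def run_traffic(commands: list[str], sources: list[str]) -> dict:
    """Decisions for each packet source, plus the per-line counters afterwards."""
    acl = parse_acl(commands)
    decisions = [(s, evaluate(acl, s)) for s in sources]
    counters = {e.text: e.matches for e in acl}
    return {"decisions": decisions, "counters": counters}


if __name__ == "__main__":
    # ACL 1 from Figure 2-7; packet sources below are constructed for the demo.
    acl1 = [
        "access-list 1 permit 10.1.1.1",
        "access-list 1 deny 10.1.1.0 0.0.0.255",
        "access-list 1 permit 10.0.0.0 0.255.255.255",
    ]
    traffic = ["10.1.1.1", "10.1.1.2", "10.3.3.3", "192.168.1.1"]
    print(run_traffic(acl1, traffic))                       # 192.168.1.1 denied, uncounted
    print(run_traffic(acl1 + ["access-list 1 deny any"], traffic))  # now counted
```

The last line of the first run shows the operational point: 192.168.1.1 is discarded, but every counter still sums to three, so the drop is invisible in show output. With deny any appended, the same packet increments that line's counter.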
Implementing Standard IP ACLs
This chapter has already introduced all the configuration steps in bits and pieces. This section summarizes those pieces as a configuration process. The process also refers to the access-list command, whose generic syntax is repeated here for reference:
access-list access-list-number {deny | permit} source [source-wildcard]
Step 1. Plan the location (router and interface) and direction (in or out) on that interface:
A. Standard ACLs should be placed near to the destination of the packets so that
they do not unintentionally discard packets that should not be discarded.
B. Because standard ACLs can only match a packet’s source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining.
Step 2. Configure one or more access-list global configuration commands to create
the ACL, keeping the following in mind:
A. The list is searched sequentially, using first-match logic.
B. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet.
Step 3. Enable the ACL on the chosen router interface, in the correct direction, using
the ip access-group number {in | out} interface subcommand.
The rest of this section shows a couple of examples.
Standard Numbered ACL Example 1
The first example shows the configuration for the same requirements demonstrated with
Figure 2-4 and Figure 2-5. Restated, the requirements for this ACL are as follows:
1. Enable the ACL inbound on R2’s S0/0/1 interface.
2. Permit packets coming from host A.
3. Deny packets coming from other hosts in host A’s subnet.
4. Permit packets coming from any other address in Class A network 10.0.0.0.
5. The original example made no comment about what to do by default, so simply deny
all other traffic.
Example 2-1 shows a completed correct configuration, starting with the configuration process, followed by output from the show running-config command.
Example 2-1 Standard Numbered ACL Example 1 Configuration
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# access-list 1 permit 10.1.1.1
R2(config)# access-list 1 deny 10.1.1.0 0.0.0.255
R2(config)# access-list 1 permit 10.0.0.0 0.255.255.255
R2(config)# interface S0/0/1
R2(config-if)# ip access-group 1 in
R2(config-if)# ^Z
R2# show running-config
! Lines omitted for brevity
access-list 1 permit 10.1.1.1
access-list 1 deny 10.1.1.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255
First, pay close attention to the configuration process at the top of the example. Note that the access-list command does not change the command prompt from the global configuration mode prompt, because the access-list command is a global configuration command.
Then, compare that to the output of the show running-config command: the details are
identical compared to the commands that were added in configuration mode. Finally, make
sure to note the ip access-group 1 in command, under R2’s S0/0/1 interface, which enables
the ACL logic (both location and direction).
Example 2-2 lists some output from Router R2 that shows information about this ACL. The show ip access-lists command lists details about IPv4 ACLs only, while the show access-lists command lists details about IPv4 ACLs plus any other types of ACLs that are currently configured; for example, IPv6 ACLs.
Example 2-2 ACL show Commands on R2
R2# show ip access-lists
Standard IP access list 1
10 permit 10.1.1.1 (107 matches)
20 deny 10.1.1.0, wildcard bits 0.0.0.255 (4 matches)