A packet is received and routed to the outbound interface before being processed for an
outbound access list. If an access list is applied outbound on that interface, the system checks
the access list's statements for a match. If the packet is permitted, the system transmits the
packet. If the packet is denied, it is discarded.
IP Access List Configuration
Cisco IOS contains two types of access lists for IP. The first is the standard access list; the
second is the extended access list. Each access list is configured using an access list number.
Standard access lists are configured with numbers from 1 to 99. Extended access lists are
configured from 100 to 199. The access list is a sequential list of permit or deny conditions. The
router tests the packets' IP addresses and port numbers against each condition in the list one by
one. The first match determines if the packet is forwarded or discarded. After a match is made
in the list for the packet, the statements that follow in the list are ignored; therefore, order of
conditions in the access list is important. Also, if no conditions match, the router rejects the
packet with an implicit deny all at the end of the list. An expanded range of access list numbers
also exists. The expanded range permits the configuration of IP standard or IP extended access
lists by using these numbers, which are highlighted in the following example:
ag1.hstttx.lab(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
NOTE
Remember the access list numbers. For IP, standard access lists use 1 to 99. For IP, extended
access lists use 100 to 199.
IP Standard Access List Configuration
You can configure standard access lists by using the following global command:
access-list list {permit | deny} address wildcard-mask log
The argument list is the access list number (1-99 or 1300-1999). The address is the source IP
address of the packet. A network or network range can be defined with wildcard-mask. The
wildcard mask is an inverse mask; if a bit is 1, the corresponding address bit is variable. An
inverse mask of 0.0.0.0 matches only the specific host given in the address field, and an inverse
mask of 255.255.255.255 matches any host. The address can be replaced with the keyword any,
which matches any packet that did not have a match in earlier conditions in the list. After the access
list is built, it can be applied to an interface with the following interface command:
ip access-group list {in | out}
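As an added illustration (my own code, not from the book) of the matching rules described above, the following Python evaluates a standard access list against a source address: wildcard bits set to 1 are ignored, the first matching statement decides, and an unmatched packet hits the implicit deny. It also handles non-contiguous wildcard masks, which the text does not cover; the parser, the rule tuple layout and the function names are assumptions of this example.

```python
import ipaddress

# Added example, not from the book: an IOS-style standard access list
# evaluator (wildcard masks, first match wins, implicit deny at the end).

def wildcard_match(address, rule_address, wildcard_mask):
    """A 1 bit in the inverse mask means 'ignore this address bit'."""
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(rule_address))
    care = ~int(ipaddress.IPv4Address(wildcard_mask)) & 0xFFFFFFFF
    return (a & care) == (r & care)

def parse_standard_acl(lines):
    """Parse 'access-list <num> {permit|deny} <addr> [wildcard] [log]' lines
    into (action, address, wildcard) tuples, keeping configured order."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list statement: {line!r}")
        number, action = int(parts[1]), parts[2]
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard access-list number")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if parts[3] == "any":                     # any == 0.0.0.0 255.255.255.255
            address, wildcard = "0.0.0.0", "255.255.255.255"
        else:                                     # omitted mask == single host
            address = parts[3]
            wildcard = parts[4] if len(parts) > 4 and parts[4] != "log" else "0.0.0.0"
        rules.append((action, address, wildcard))
    return rules

def evaluate(rules, source_address):
    """First matching condition decides; later statements are ignored."""
    for action, address, wildcard in rules:
        if wildcard_match(source_address, address, wildcard):
            return action
    return "deny"  # implicit deny all at the end of every access list

# Constructed sample: the host deny must come before the network permit,
# otherwise the permit would match first and the deny would never be reached.
SAMPLE_ACL = parse_standard_acl([
    "access-list 10 deny 192.168.1.13",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 deny any log",
])
```

Swapping the first two statements of SAMPLE_ACL makes 192.168.1.13 permitted, which is the ordering pitfall the text warns about.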