On Cisco devices there are two types of access-list:

  • Standard

    • It filters on the source address only

    • It uses less CPU (lower process utilization)

  • Extended

    • It filters on source address, destination address and port number

    • It uses more CPU (higher process utilization)

We define access-lists only on routers or layer 3 switches. You can't define an access-list on a layer 2 switch.

1-1 Standard Access-list


Imagine that on Router 2 we want to deny any packet coming from network 192.168.3.0/24. To block these packets with a standard access-list, we only have to look at the source address:

Router2(config)# access-list 10 deny 192.168.3.0 0.0.0.255
Router2(config)# access-list 10 permit any
Router2(config)# int gi0/1
Router2(config-if)# ip access-group 10 in

In this command, we first define an access-list and number it 10. A standard access-list number must be between 1 and 99. Then we deny every source address in network 192.168.3.0/24. In an access-list we always use a wildcard mask instead of a netmask. To get the wildcard mask, subtract the netmask from 255.255.255.255; for the netmask 255.255.255.0 this gives 0.0.0.255.

Next, we permit everyone else to reach the network. If you forget to write line 2, the whole network will go down, because every access-list ends with an implicit deny and you would be blocking every other connection through Router 2.

After that, we have to apply the access-list to a router interface. An access-list can be applied inbound or outbound; in this example the traffic is entering Router 2 from network 192.168.3.0/24, so we apply the access-list inbound on that interface.

1-2 Extended Access-list


The best example to use here is our previous router-on-a-stick topology. In the diagram above, we have two PCs that communicate with each other through Router 0. Switch 0 is connected to Router 0 through a trunk port. The PCs' IP addresses are:

  • PC0

    • IP Address: 192.168.10.2

    • Netmask: 255.255.255.0

    • Default Gateway: 192.168.10.1

  • PC1

    • IP Address: 192.168.20.2

    • Netmask: 255.255.255.0

    • Default Gateway: 192.168.20.1

Now, we want to block every packet going from VLAN 10 to VLAN 20 and vice versa, so we define an access-list based on source and destination. In an extended access-list, you have to follow these rules:

1- Protocol -> Source Address -> Destination Address -> Port

2- Extended access-list numbers run from 100 to 199

Router0(config)# access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Router0(config)# access-list 100 permit ip any any

This is for VLAN 10: it blocks every packet from network 192.168.10.0/24 to 192.168.20.0/24. The protocol we specify is IP, which means every protocol carried over IP, such as FTP, web and so on. In other words, we block all IP traffic.

For VLAN 20, we have:

Router0(config)# access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Router0(config)# access-list 101 permit ip any any

Then we apply the above access-lists to interfaces fa0/0.10 and fa0/0.20:

Router0(config)# int fa0/0.10
Router0(config-subif)# ip access-group 100 in
Router0(config-subif)# exit
Router0(config)# int fa0/0.20
Router0(config-subif)# ip access-group 101 in
Router0(config-subif)# exit

Access-lists cover many different scenarios: an entry can permit or deny, and it can target a specific protocol such as FTP or web. Imagine that in the above example we only want to deny Telnet and SSH. Then we write:

Router0(config)# access-list 100 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 23
Router0(config)# access-list 100 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 22
Router0(config)# access-list 100 permit ip any any
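
As an added example that is not part of the original post, here is a small Python model of how IOS evaluates the access-lists above: it derives the wildcard mask from a netmask, parses numbered and named entries (standard and extended), and applies the top-down, first-match, implicit-deny rule to a packet. It accepts only the entry syntax used on this page (`any`, `host`, `network wildcard`, `eq port`); the parser and evaluator are an assumed simplification for illustration, not IOS code.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")  # 'any': every bit is a don't-care

def wildcard_from_netmask(netmask):
    # Wildcard = 255.255.255.255 minus the netmask (255.255.255.0 -> 0.0.0.255)
    return str(ipaddress.IPv4Address(0xFFFFFFFF - int(ipaddress.IPv4Address(netmask))))

def wildcard_match(addr, network, wildcard):
    # A 0 bit in the wildcard must match the network address; a 1 bit is ignored
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0

def _addr(tok):
    # Consume one address spec: 'any', 'host A.B.C.D' or 'network wildcard'
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_ace(line):
    # One entry, numbered ('access-list 100 deny ...') or named ('deny ...')
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]  # drop the keyword and the list number
    action, tok = tok[0], tok[1:]
    if tok[0] in ("ip", "tcp", "udp", "icmp"):  # extended: proto src dst [eq port]
        proto, tok = tok[0], tok[1:]
        src, tok = _addr(tok)
        dst, tok = _addr(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
    else:  # standard: source address only, any destination
        proto, port, dst = "ip", None, ANY
        src, tok = _addr(tok)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl, src, dst, proto="ip", dport=None):
    # IOS semantics: top-down, first match wins, implicit deny if nothing matches
    for ace in acl:
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])
                and ace["port"] in (None, dport)):
            return ace["action"]
    return "deny"

# Constructed from the page's Telnet/SSH example (list 100) for a quick check
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 23",
    "access-list 100 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 22",
    "access-list 100 permit ip any any")]
```

Because the evaluator simply walks the list in order, it also shows why order matters on a real router: entering the Telnet/SSH lines while list 100 already exists appends them after the existing `permit ip any any`, where they never match, so the old list must be removed first.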

1-3 Show access-list

To check what we have written and see how the access-list is working, just type:

Router0# show access-lists

1-4 Named access-list

You can define a named access-list just like the numbered access-lists in sections 1-1 and 1-2. Here is the previous example rewritten as a named access-list:

Router0(config)# ip access-list extended vlan10
Router0(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Router0(config-ext-nacl)# permit ip any any
Router0(config-ext-nacl)# exit
Router0(config)# ip access-list extended vlan20
Router0(config-ext-nacl)# deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Router0(config-ext-nacl)# permit ip any any
Router0(config-ext-nacl)# exit
Router0(config)# int fa0/0.10
Router0(config-subif)# ip access-group vlan10 in
Router0(config-subif)# exit
Router0(config)# int fa0/0.20
Router0(config-subif)# ip access-group vlan20 in
Router0(config-subif)# exit

As you can see, everything is the same as with a numbered access-list. In real-world work, network engineers prefer named access-lists to numbered ones.