In preparation of our CCNA exam, we want to make sure we cover the various concepts that we could see on our Cisco CCNA exam. So to assist you, below we will discuss Access Lists.
Access lists are one of the more difficult concepts to master for your Cisco CCNA exam. It is hard to simulate the different types of scenarios that may be covered on your Cisco CCNA exam in a lab so you can really get a handle on access lists. But it is not impossible. We are going to cover the major concepts that you will encounter on your Cisco CCNA exam below.
Access lists are used to filter network traffic on your Cisco router. This can be accomplished by using various different access lists implemented on different parts of your network to improve network performance and efficiency. You may see access used to implement QoS on a network to make sure your time sensitive data such as voice gets through while an email can be slightly delayed. Access lists can filter your routing protocols to control what networks are advertised. Additionally, access lists can be used to implement dial on demand routing and also to govern NAT or Network Address Translation for your Internet activities.
Packet Filtering Mechanism
On your Cisco router incoming or outgoing packets are compared to the access list from top to bottom until a match is found. Then an action is taken accordingly with no further comparisons. For security reasons, an implicit deny statement is added at the end of each access list. By default, if no match found, the packet will be dropped by that deny statement. You can only assign one access list per interface.
Two types of Access Lists
Standard: For IP, it filters traffic based on source address. A standard IP access list is placed as close to the destination is possible because filtering is based on source address.
Extended: Filters traffic based on source and destination address, protocols and port for IP. Extended IP access list are placed as close to the source as possible, because filtering is based on source & destination addresses.
Standard IP Access List Configuration:
Router(config)# access-list number (deny | permit) source_ip
Standard IP access list syntax.
Specifying a source: (host ip_address | any | wildcard)
This statement will deny a single host:
Router(config)# access-list 10 deny host 10.10.10.5
This statement will deny any host:
Router(config)# access-list 10 deny any (any = all hosts)
This statement will deny the entire 172.16.10.0 subnet
Router(config)# access-list 10 deny 172.16.10.0 0.0.0.255
This statement assigns access list 10 to an interface
Router(config-if)# ip access-group 10 (out | in)
This statement assigns an access list to a vty line.
Router(config-line)# access-class 10 (out | in)
Extended IP Access List Configuration
Router(config)# access-list number (deny | permit) protocol source
[port] destination [port] [log] syntax.
Specifying a port: (eq | gt | It | neq | range port_number)
The following denies telnet(port23) to host 172.16.10.5
The log statement tells the router to log messages to console every time the access list hit.
Router(config)# access-list 10 deny tcp any host 172.16.10.5eq 23 log
The following assigns access list 110 to an interface
Router(config-if)# ip access-group 110(out | in)
This statement allows IP traffic to pass before hitting the default implicit deny statement.
Router(config)# access-list 110 permit ip any any
We hope you found this Cisco certification article helpful. We pride ourselves on not only providing top notch Cisco CCNA exam information, but also providing you with the real world Cisco CCNA skills to advance in your networking career.