Numbered Standard ACL
- Standard ACL Numbers
- 1-99, 1300-1999
- Configure a numbered standard ACL to allow one subnet to pass through to a third subnet while denying another subnet.
- As soon as an ACL is applied, an implicit deny-all rule is also in effect at the end of the access list.
- Standard access lists only check the source address, whereas extended ACLs check both source and destination.
- This requires that the list be applied on the outbound interface toward the subnet that needs to be blocked.
- Commands
- Create the outbound ACL on interface sending traffic to the subnet to be denied
- (config-if)#ip access-group [Standard ACL#] out
- Add rules to the newly created ACL
- (config-if)#exit
- (config)#access-list 1 deny [restricted subnet] [restricted wildcard mask]
- (config)#access-list 1 permit [allowed subnet] [allowed wildcard mask]
- The permit entry is needed because of the implicit deny-all rule at the end of every ACL; without it, no traffic passes.
- Then apply the ACL outbound on the interface that sends traffic toward the subnet to be denied. In the lab, the ACL rules are created first and the ACL is then applied to the interface. This makes sense, because once the ACL is applied, all traffic is blocked until a permit rule is in place.
Numbered Extended ACL
- Extended ACL Numbers
- 100-199, 2000-2699
- Configure a numbered extended ACL to permit telnet access to a single IP address while denying all other IP addresses.
- I did this incorrectly as I applied two rules while three are needed (all rules were provided on the inbound interface on the router for the subnet making the request).
- I provided the permit rule for the single IP address and a deny rule for all other IP addresses. The default deny all traffic on the ACL blocked all other traffic.
- Since numbered ACLs cannot be reordered, the ACL was deleted and the rules re-applied in the order needed.
- Commands
- (config)#access-list 100 permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet
- (config)#access-list 100 deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet
- (config)#access-list 100 permit ip any any
- (config)#int [inbound interface]
- (config-if)#ip access-group 100 in
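The first-match and implicit-deny behaviour described in both sections above, as an added Python simulation (not part of the lab notes and not Cisco IOS code): it parses the page's access-list 100 entries using Cisco wildcard-mask semantics and shows why the two-entry version blocks everything except the one telnet flow, why the three-entry version with permit ip any any last does not, and why entry order matters. The PORTS table and helper names are my own assumptions.

```python
import ipaddress
PORTS = {"telnet": 23, "ssh": 22, "http": 80}  # names the 'eq' keyword may use (assumed)

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def _match(addr, spec):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, base, wild = (int(ipaddress.IPv4Address(x)) for x in (addr,) + spec)
    care = 0xFFFFFFFF ^ wild
    return (a & care) == (base & care)

def parse_rule(line):
    """Parse one entry in the form used on this page ('access-list N' prefix optional)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    extra = None  # TCP/UDP port from 'eq', or an ICMP type such as 'echo'
    if tokens[:1] == ["eq"]:
        extra = PORTS.get(tokens[1]) or int(tokens[1])
    elif tokens:
        extra = tokens[0]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "extra": extra}

def evaluate(acl, proto, src, dst, extra=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for r in acl:
        if r["proto"] not in ("ip", proto):
            continue
        if not (_match(src, r["src"]) and _match(dst, r["dst"])):
            continue
        if r["extra"] is not None and r["extra"] != extra:
            continue
        return r["action"]
    return "deny (implicit)"

# Constructed from the page's access-list 100 commands: two-entry attempt, then the fix.
TWO_RULE_ACL = [parse_rule(l) for l in (
    "access-list 100 permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet",
    "access-list 100 deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet")]
THREE_RULE_ACL = TWO_RULE_ACL + [parse_rule("access-list 100 permit ip any any")]
```

Calling evaluate(TWO_RULE_ACL, "tcp", "10.0.1.11", "10.0.0.2", 80) returns "deny (implicit)", which is the lab failure described above; the same call against THREE_RULE_ACL returns "permit".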
Named Extended ACL
- Remove the numbered extended ACL
- Command
- (config-if)#no ip access-group [group#] in
- Configure and apply a named extended ACL
- Commands
- (config)#ip access-list extended [Name]
- (config-ext-nacl)#permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet
- (config-ext-nacl)#deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet
- (config-ext-nacl)#permit icmp host 10.0.1.11 host 10.0.0.2 echo
- (config-ext-nacl)#deny icmp 10.0.1.0 0.0.0.255 host 10.0.0.2 echo
- (config-ext-nacl)#permit ip any any
- Apply ACL to interface
- (config-if)#ip access-group [access-list name] in|out