Access-list (Standard - Extended)

In Cisco we have two types of access-list:

  • Standard

    • It's based on the source address only

    • It needs less processing on the router

  • Extended

    • It's based on source/destination address and port number

    • It needs more processing on the router

We define access-lists only on routers or layer 3 switches; you can't define an access-list on a layer 2 switch.

1-1 Standard Access-list

Imagine that on Router 2 we want to deny any packet coming from network 192.168.3.0/24. To block these packets with a standard access-list, we only look at the source:

In this command, we first define the access-list and number it 10. This number must be between 1 and 99. Then we deny every source address in network 192.168.3.0/24. In an access-list we always use a wildcard mask instead of a netmask. To get the wildcard mask, subtract the network mask from 255.255.255.255; the result is the wildcard mask (for 255.255.255.0 this gives 0.0.0.255).

Next, we permit everyone else to access the network. If you forget to write line 2, the whole network will go down, because every access-list ends with an implicit deny and you would be forbidding all connections through Router 2.

After that, we have to apply the access-list to a router interface. An access-list can be applied inbound or outbound; in this example the packets are entering Router 2 from network 192.168.3.0/24, so we apply the access-list inbound on that interface.
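The complete configuration for this scenario, written out as an added example (the page's own command listing is not reproduced here). It follows the text above: access-list number 10, a deny for the 192.168.3.0/24 source, a permit for everyone else, and an inbound binding. The interface name GigabitEthernet0/1 is an assumption; use whichever interface of Router 2 faces 192.168.3.0/24.

```cisco
! Added example: standard ACL on Router 2 (interface name is assumed)
Router2(config)# access-list 10 remark Block all hosts in 192.168.3.0/24
Router2(config)# access-list 10 deny 192.168.3.0 0.0.0.255
! wildcard 0.0.0.255 = 255.255.255.255 - 255.255.255.0
Router2(config)# access-list 10 permit any
! Without the permit line the implicit "deny any" at the end of the list drops everything.
! Bind the list inbound on the interface where 192.168.3.0/24 enters the router
Router2(config)# interface GigabitEthernet0/1
Router2(config-if)# ip access-group 10 in
Router2(config-if)# end
```

Entries are evaluated top to bottom and the first match wins, so the order of the deny and permit lines matters: with the permit first, the deny would never be reached.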

1-2 Extended Access-list

The best example we can bring here is our previous router-on-a-stick. In the example above, we have two PCs which can communicate with each other through Router 0. Switch 0 is connected to Router 0 through a trunk port. The PCs' IP addresses are:

  • PC0

    • IP Address: 192.168.10.2

    • Netmask: 255.255.255.0

    • Default Gateway: 192.168.10.1

  • PC1

    • IP Address: 192.168.20.2

    • Netmask: 255.255.255.0

    • Default Gateway: 192.168.20.1

Now we want to block every packet going from VLAN 10 to VLAN 20 and vice versa, so we define an access-list based on source and destination. In an extended access-list you have to follow these rules:

1- Protocol --> Source Address --> Destination Address --> Port

2- Extended access-lists are numbered from 100 to 199

This one is for VLAN 10 and bans every packet from network 192.168.10.0/24 to 192.168.20.0/24. We define the protocol as IP, which means any protocol carried over IP, such as FTP, web, and so on. In other words, I ban all IP protocols.

For VLAN 20, we have:

Then we apply the above-mentioned access-lists to interfaces fa0/0.10 and fa0/0.20:
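Both extended access-lists and their bindings to the subinterfaces, as an added example rather than the page's own listing. Access-list 100 for VLAN 10 follows the text; the number 101 for the VLAN 20 list and the subinterface names fa0/0.10 and fa0/0.20 from the router-on-a-stick setup are assumptions.

```cisco
! Added example: extended ACLs isolating VLAN 10 and VLAN 20 on Router 0
! ACL 100 (VLAN 10): protocol ip, source 192.168.10.0/24, destination 192.168.20.0/24
Router0(config)# access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Router0(config)# access-list 100 permit ip any any
! ACL 101 (VLAN 20, number is assumed): the reverse direction
Router0(config)# access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Router0(config)# access-list 101 permit ip any any
! Each list goes inbound on the subinterface where that VLAN's packets enter the router
Router0(config)# interface fa0/0.10
Router0(config-subif)# ip access-group 100 in
Router0(config-subif)# exit
Router0(config)# interface fa0/0.20
Router0(config-subif)# ip access-group 101 in
Router0(config-subif)# end
```

Extended access-lists are usually placed close to the source, as here: a packet from VLAN 10 to VLAN 20 is dropped on fa0/0.10 before the router spends any work routing it.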

There are different scenarios for access-lists: an entry can permit or deny, and it can match a specific protocol such as FTP or web. Imagine that in the example above we only want to deny telnet and SSH. Then we write:

Router0(config)# access-list 100 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 23

Router0(config)# access-list 100 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 22

Router0(config)# access-list 100 permit ip any any

1-3 Show access-list

To see what we have written and how the access-list is working, just type:
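The show commands with a constructed sample of what Router 0 would print for the telnet/SSH access-list 100 defined above; this is an added example, not output captured by the author, and the match counters are made up.

```cisco
! Added example: inspecting access-lists (sample output is constructed)
Router0# show access-lists
Extended IP access list 100
    10 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq telnet (4 matches)
    20 deny tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 22 (1 match)
    30 permit ip any any (812 matches)
! Which list is bound to an interface, and in which direction
Router0# show ip interface fa0/0.10 | include access list
  Outgoing access list is not set
  Inbound  access list is 100
! The lists as they appear in the running configuration
Router0# show running-config | include access-list
```

IOS shows port 23 as telnet and adds sequence numbers (10, 20, 30) to the entries. The match counters are the first thing to check when a rule seems not to work: a counter that stays at zero on the deny line while the permit counter grows means the traffic is not matching that entry.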

1-4 Named access-list

You can define a named access-list just like the numbered access-lists in sections 1-1 and 1-2. Here I write the previous example as a named access-list:

As you can see, everything is the same as with a numbered access-list. In practice, network engineers prefer named access-lists to numbered ones.
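The VLAN 10 / VLAN 20 filter from section 1-2 rewritten with named extended access-lists, as an added example rather than the page's own listing. The list names VLAN10-TO-VLAN20 and VLAN20-TO-VLAN10 are assumptions; the entries and the subinterfaces are the same as before.

```cisco
! Added example: named extended ACLs (list names are assumed)
Router0(config)# ip access-list extended VLAN10-TO-VLAN20
Router0(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Router0(config-ext-nacl)# permit ip any any
Router0(config-ext-nacl)# exit
Router0(config)# ip access-list extended VLAN20-TO-VLAN10
Router0(config-ext-nacl)# deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Router0(config-ext-nacl)# permit ip any any
Router0(config-ext-nacl)# exit
! The name replaces the number in the ip access-group command
Router0(config)# interface fa0/0.10
Router0(config-subif)# ip access-group VLAN10-TO-VLAN20 in
Router0(config-subif)# exit
Router0(config)# interface fa0/0.20
Router0(config-subif)# ip access-group VLAN20-TO-VLAN10 in
Router0(config-subif)# end
```

Besides the readable name, the practical reason engineers prefer this form is that entries can be edited one at a time: inside the ip access-list mode, `no 10` removes only sequence 10, and an entry can be inserted with an explicit sequence number, whereas removing a numbered access-list with `no access-list 100` deletes the whole list.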
