Access-list (Standard - Extended)
Last updated
In Cisco IOS we have two types of access-list:
Standard
It filters on the source address only
It uses less processing on the router
Extended
It filters on source address, destination address, protocol and port number
It uses more processing on the router
We define access-lists only on routers or layer-3 switches. You can't define an access-list on a layer-2 switch.
Imagine that on Router 2 we want to deny every packet coming from network 192.168.3.0/24. To block these packets with a standard access-list, we only look at the source address:
In this command we first define the access-list and number it 10. This number must be between 1 and 99. Then we deny every source address in network 192.168.3.0/24. In an access-list we always use a wildcard mask instead of a netmask. To get the wildcard mask, subtract the network mask from 255.255.255.255; the result is the wildcard mask.
Next, we permit everyone else to access the network. If you forget to write line 2, the whole network goes down, because every access-list ends with an implicit deny, so you would be blocking all other connections through Router 2.
After that, we have to apply the access-list to a router interface. An access-list is applied either inbound or outbound; in this example the packets enter Router 2 from network 192.168.3.0/24, so we apply the access-list inbound on that interface.
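The following is an added example, not a command from the original page: a small Python model of the standard access-list just described. It computes the wildcard mask the way the text explains (255.255.255.255 minus the netmask), evaluates a source address against the list with first-match semantics and the implicit deny at the end, and renders the equivalent IOS lines for a numbered standard ACL. The ACL number 10 and the network 192.168.3.0/24 are taken from the text; the sample source addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str, str]          # (action, network, wildcard)

def wildcard_mask(netmask: str) -> str:
    """Cisco wildcard mask: 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))

def matches(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 means 'this bit must match', bit 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def evaluate_standard(acl: List[Entry], src: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, network, wildcard in acl:
        if matches(src, network, wildcard):
            return action
    return "deny"   # the invisible 'deny any' at the end of every Cisco ACL

def render_standard(number: int, acl: List[Entry]) -> List[str]:
    """IOS syntax for a numbered standard ACL (numbers 1-99)."""
    lines = []
    for action, network, wildcard in acl:
        if wildcard == "255.255.255.255":
            lines.append(f"access-list {number} {action} any")
        else:
            lines.append(f"access-list {number} {action} {network} {wildcard}")
    return lines

ANY: Entry = ("0.0.0.0", "255.255.255.255")   # 'any' is network 0.0.0.0 with an all-ones wildcard

# The scenario from the text: block 192.168.3.0/24, allow everyone else.
ACL_10: List[Entry] = [
    ("deny", "192.168.3.0", wildcard_mask("255.255.255.0")),
    ("permit", *ANY),
]
# The same ACL without line 2, the mistake the text warns about:
# every source that is not explicitly permitted hits the implicit deny.
ACL_10_BROKEN: List[Entry] = ACL_10[:1]

if __name__ == "__main__":
    for line in render_standard(10, ACL_10):
        print(line)
    for src in ("192.168.3.7", "192.168.10.2"):      # constructed sample sources
        print(src, "->", evaluate_standard(ACL_10, src),
              "/ without permit line:", evaluate_standard(ACL_10_BROKEN, src))
```

Running it shows that 192.168.10.2 is permitted by ACL 10 but denied by the one-line version, which is exactly why the second line matters.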
The best exercise we can use here is our previous router-on-a-stick lab. In that example we have two PCs that communicate through Router 0. Switch 0 is connected to Router 0 through a trunk port. The PC addresses are:
PC0
IP Address: 192.168.10.2
Netmask: 255.255.255.0
Default Gateway: 192.168.10.1
PC1
IP Address: 192.168.20.2
Netmask: 255.255.255.0
Default Gateway: 192.168.20.1
Now we want to block every packet going from VLAN 10 to VLAN 20 and vice versa, so we define an access-list based on source and destination. In an extended access-list you have to follow these rules:
1- Protocol --> Source Address --> Destination Address --> Port
2- Extended access-list numbers run from 100 to 199
This is the list for VLAN 10; it bans every packet from network 192.168.10.0/24 to 192.168.20.0/24. The protocol we specify is IP, which means every protocol carried over IP, such as FTP, web and so on. In other words, it blocks all IP protocols.
For VLAN 20, we have:
Then we apply the above access-lists to interfaces fa0/0.10 and fa0/0.20:
Access-lists can cover many scenarios: permit or deny, and any protocol such as FTP or web. Imagine that in the above example we only want to deny telnet and SSH. Then we write:
To see what we have written and how the access-list is working, just type:
You can define a named access-list just like the numbered access-lists in sections 1-2 and 1-1. Here is the previous example as a named access-list:
As you can see, everything is the same as with a numbered access-list. In practice, network engineers prefer named access-lists to numbered ones.
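As an added example (not configuration from the original page), the Python model below covers the extended and named access-lists discussed above. Each entry follows the page's order of protocol, source, destination, port; the protocol "ip" matches every IP protocol, "eq port" is modelled as an optional destination port, and the list is evaluated first match wins with the implicit deny at the end. It also renders the same entries in both numbered (access-list 100 ...) and named (ip access-list extended NAME ...) IOS syntax, to show that only the prefix differs. The VLAN networks and ports 22/23 come from the text; the list name VLAN10_TO_VLAN20 and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, None for protocols without ports

@dataclass(frozen=True)
class Entry:
    """One extended ACE in the page's order: protocol, source, destination, port."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # None means no 'eq <port>' qualifier

def in_range(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not in_range(p.src, e.src, e.src_wc) or not in_range(p.dst, e.dst, e.dst_wc):
        return False
    return e.dport is None or e.dport == p.dport

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry decides; nothing matched means the implicit 'deny ip any any'."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

def render(acl: List[Entry], name: Optional[str] = None, number: Optional[int] = None) -> List[str]:
    """Numbered form when 'number' is given, named form (ACEs indented under the header) when 'name' is given."""
    def addr(net: str, wc: str) -> str:
        return "any" if wc == "255.255.255.255" else f"{net} {wc}"
    lines = [f"ip access-list extended {name}"] if name else []
    for e in acl:
        ace = f"{e.action} {e.proto} {addr(e.src, e.src_wc)} {addr(e.dst, e.dst_wc)}"
        if e.dport is not None:
            ace += f" eq {e.dport}"
        lines.append(f" {ace}" if name else f"access-list {number} {ace}")
    return lines

ANY = ("0.0.0.0", "255.255.255.255")
VLAN10 = ("192.168.10.0", "0.0.0.255")
VLAN20 = ("192.168.20.0", "0.0.0.255")

# The page's first extended list: all IP traffic from VLAN 10 to VLAN 20 is dropped, everything else passes.
ACL_100 = [Entry("deny", "ip", *VLAN10, *VLAN20), Entry("permit", "ip", *ANY, *ANY)]
# The page's telnet/SSH variant: only TCP 23 and TCP 22 towards VLAN 20 are dropped.
ACL_VLAN10_MGMT = [
    Entry("deny", "tcp", *VLAN10, *VLAN20, 23),
    Entry("deny", "tcp", *VLAN10, *VLAN20, 22),
    Entry("permit", "ip", *ANY, *ANY),
]

if __name__ == "__main__":
    print("\n".join(render(ACL_100, number=100)))
    print("\n".join(render(ACL_VLAN10_MGMT, name="VLAN10_TO_VLAN20")))   # constructed name
    for p in (Packet("tcp", "192.168.10.2", "192.168.20.2", 22),        # constructed packets
              Packet("tcp", "192.168.10.2", "192.168.20.2", 80),
              Packet("icmp", "192.168.10.2", "10.0.0.5")):
        print(p, "->", evaluate(ACL_VLAN10_MGMT, p))
```

Because evaluation stops at the first match, the order of entries is what makes the telnet/SSH list work: the two deny lines must come before the final permit, and without that permit the implicit deny would again cut off everything.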