Access-list (standard) Command on CISCO Router/Switch

Command

Access-list (standard)

Use

This command is used to create a list that matches packets on a given criteria. While access-lists are most commonly associated with security, there are numerous uses.
Standard lists match on source addresses only.

Syntax

R1(config)#access-list <1-99 or 1300-1999> <permit or deny> <source address or source network or any>

Options

<1-99> or <1300-1999> Defines a standard access-list
<permit> Permits all matches specified in the list.
<deny> Denies all matches specified in the list.
<source address> Host ip address that sources packets matched by the list.
<source network> IP network that sourced packets matched by the list. Uses Wildcard masks for matching.
<any> Match anything.

Wildcard Masks

Wildcard masks are how access-lists know what networks apply to the list. They are the inverse of the subnet mask.

For example, network 123.123.123.0 0.0.0.255 would match any ip address in the 123.123.123.0/24 network.
Because a /24 mask is 255.255.255.0, the inverse would be 0.0.0.255. For the network 34.77.108.0/28, the subnet mask would be 255.255.255.248 and the inverse would be 0.0.0.7
Notice how the subnet mask and the inverse add to 255.

Example

Access-list (standard) Command on CISCO Router/Switch 1

In this example, we will make an access-list that will only allow packets sourced by the host 1.1.1.1 and apply the list to R2’s Fa0/0.

R2(config)#access-list 1 permit 1.1.1.1
R2(config)#int fa0/0
R2(config-if)#ip access-group 1 in

Pinging 10.1.1.2 from R1, we see that the ping fails unless it is sourced from R1’s loopback0 interface.

R1(config)#do ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1(config)#do ping 10.1.1.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/44 ms
R1(config)#

We can also have an access-list that will allow the entire 10.1.1.0/24 network to be permited on R2’s Fa0/0

R2(config)#access-list 55 permit 10.1.1.0 0.0.0.255
R2(config)#int fa0/0
R2(config-if)#ip access-group 55 in
R2(config-if)#

Heres a quick ping test

R1(config-if)#do ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/19/36 ms
R1(config-if)#do ping 10.1.1.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)
R1(config-if)

In this example, we deny any traffic sourced from 1.1.1.1 but permit any other traffic on R2’s Fa0/0

R2(config-if)#access-list 95 deny 1.1.1.1
R2(config)#access-list 95 permit any
R2(config)#int fa0/0
R2(config-if)#ip access-group 95 in
R2(config-if)#do sh run int fa0/0

Notice that only 1.1.1.1 is denied.

R1(config)#do ping 10.1.1.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)
R1(config)#do ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/13/32 ms
R1(config)#do ping 10.1.1.2 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/44 ms

Related Articles

guest
0 Comments
Inline Feedbacks
View all comments