In
this article will demonstrate on Named Standard Access Contol List (Named Standard
ACL).
Access
control list is used for filtering unwanted traffic, there are two types of acl
:numbered and named acl. numbered acess lists are either standard or extended.
Also, named access lists are either standard and extended. So, there are four
access lists
- Numbered
standard access list
- Numbered extended access list
- Named standard access list
- Named extended access list
In this article will cover Named Standard Access
List. Standard means it will filter the packet based on the source ip address, named
means that the access list is identified
by name not by number and has a feature of editing (adding and removing
specific lines capability).
Access
Control List Rules
1- If you use Numbered
(Standard and Extended) and Named (Standard and Extended) Access Lists, the
packet is always compared with each line of the access list in sequential order,
means If the source packet ip address matches the first line(entry) of the acl,
the router will not check all other
entries in the access list. If the source ip address doesn't match the first
line of the acl, the router will check the second line and so on. The packet is
compared with lines of the access list only until a match is made. Once it
matches the condition on a line of the access list, no further comparisons take
place.
2- There is an
implicit deny at the end of each access list—this means that if a packet doesn't
match the condition on any of the lines in the access list, the packet will be discarded.
3- The access
list is applied on an interface in a specific direction -Inbound or Outbound.
Inbound:The packets will be processed through the acl before routed to the
outbound interfaces. Outbound:The packets are routed to the outbound interface,
and then processed through the acl.
4- Standard
(Numbered&Named) access control lists filter network traffic by examining
the source ip address in a packet (filtering traffic based on the source ip
address).
5- The Named
Access Lists (Standard and Extended) are editable, means you can insert a
line in between the lines or at the top of the entries. Also you can delete
specific line. So, there is a capability of modifying the access list(adding a line
or deleting specific line).
6- Named
Standard Access Control List is identified by a name specified by the network
administrator.
7- Standard
Access Control List is placed as close to destination as possible.
8- Named
Standard Access Control Lists use the following syntax
R(config)# ip access-list
standard <acl name>
R(config-std-nacl)#<permit or deny> <source address>
Looking
at the above diagram, we want preventing network 192.168.10.0/24 from accessing
network 192.168.30.0/24, and everthing else is permitted.
Configuration
Steps:
1- Create
an access list which is identified by a name, I used tariq as a name of the
access list as you see below in the first command. the second command prevents
the packets coming from network 192.168.10.0/24, means dropping the packets
from the source network 192.168.10.0/24.The third line permits the packets
coming from any other source ip address. the third line is very necessary
because if this line is not written all the packets will be dropped because
there is an implicit deny any at the end of the access list.
R2(config)#ip
access-list standard tariq
R2(config-std-nacl)#deny 192.168.10.0 0.0.0.255
R2(config-std-nacl)#permit any
2- The
access list is applied on an interface in a specific direction: no
action(permit or deny) will be taken
until the access list is applied on an interface in a specific direction.
you
should know the packet coming from network 192.168.10.0/24 will enter R2
interface g0/0 as you see in the diagram. if you apply this acl on the g0/0
interface of R2 in inbound direction,
the router after checking the acl (that prevent network 192.168.10.0/24), will
prevent this packet from being routed to the outbound interfaces g0/1&g0/2
based on the action in the first line of the acl. So, network 192.1698.10.0/24
will not access not only network 192.168.30.0/24 but also network
192.168.50.0/24. So you should be care where you will apply the acl and in
which direction.
The
Solution is applying the acl on the interface g0/2 in outbound direction, means
the router will permit the packets from entering g0/0 and routes the packets to
the outbound interfaces g0/1 and g0/2, after that, the packet are processed
through the acl. In our example will apply the acl on g0/2 to prevent network
10 to reach network 50 but will not
apply the acl on the g0/1 because we want allowing network 10 from accessing
network 50.
before
writing the commands below, host 192.168.10.2 can reach 192.168.30.2
R2(config)#int f0/0
R2(config-if)#ip access-group tariq out
After
writing the above commands (applying the acl on the interface), host
192.168.10.2 can't access 192.168.30.2
To
view the configured access list
R2#sh access-list
Standard IP access list tariq
10 deny 192.168.10.0 0.0.0.255
20 permit any
Adding
a line in between the lines of the ACL
After
that, if you want to deny the host 192.168.2.10 by using the command deny host
192.168.2.10. you can't add normally because it will be added at the bottom of
the acl. If you add it normally at the bottom of the list, the host
192.168.2.10 will not be denied because the acl find a match in the second line
of the acl that permit this host.
So,
you have to insert the command before the second line(permit any), means the
number of the inserted line must be before number 20 (The number of the second
line)
R2(config)#ip
access-list standard tariq
R2(config-std-nacl)#15 deny 192.168.2.10
View
the access list after adding a line
Router#sh
access-lists
Standard IP access list tariq
10 deny 192.168.10.0 0.0.0.255
15 deny host 192.168.2.10
20 permit any
Delete
individual lines
To
delete individual line from the acl, for example to delete line number 20.
Router(config)#ip
access-list standard tariq
Router(config-std-nacl)#no 20
View
the access list after deleting line number 20
Router#sh
access-lists
Standard IP access list tariq
10 deny 192.168.10.0 0.0.0.255
15 deny host 192.168.2.10
For
more details and explanation , watch this video on youtube
To
get automatic updates on your facebook, join a facebook group