Standard Access Lists
Standard IP access lists filter network traffic by examining the source IP address in a packet. You create a standard IP access list by using the access-list numbers 1–99 or 1300–1999 (expanded range). Access-list types are generally differentiated using a number. Based on the number used when the access list is created, the router knows which type of syntax to expect as the list is entered. By using numbers 1–99 or 1300–1999, you’re telling the router you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines.
Table 7.1 lists the basic access-list commands that will get your configuration started, and Table 7.2 lists the options for these commands.
TABLE 7.1   Creating an Access List and Applying It to an Interface

Command            Meaning
access-list        Configures a single access-list statement into a router’s memory for use in a complete access list that will be applied to an interface
ip access-group    Places an access list on a device’s physical interface
TABLE 7.2   Access-list Command Options

Option                    Meaning
access-list number        Identifies an access list by number as a standard or extended list. Also allows the creation and separation of multiple access lists.
permit or deny            Specifies the result of the access-list statement as permitting or blocking the traffic specified.
hostname or IP address    Specifies the hostname or device’s IP address that will be acted upon in the access-list statement.
host                      Specifies a single specific host for the statement.
any                       Specifies that regardless of the host or device IP, it will match the statement.
The following is an example of the many access-list number ranges that you can use to filter
traffic on your network (the protocols for which you can specify access lists depend on your
IOS version):
Corp(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
compiled Enable IP access-list compilation
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
Let’s take a look at the syntax used when creating a standard access list:
Corp(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
As I said, by using the access-list numbers between 1–99 or 1300–1999, you’re telling the
router that you want to create a standard IP access list.
After you choose the access-list number, you need to decide whether you’re creating a
permit or deny statement. For this example, you will create a deny statement:
Corp(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address
The next step requires a more detailed explanation. Three options are available. You can
use the any parameter to permit or deny any host or network, you can use an IP address to
specify either a single host or a range of them, or you can use the host command to specify a
specific host only. The any command is pretty obvious—any source address matches the statement,
so every packet compared against this line will match. The host command is relatively
simple. Here’s an example of how to use it:
Corp(config)#access-list 10 deny host ?
Hostname or A.B.C.D Host address
Corp(config)#access-list 10 deny host 172.16.30.2
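As an added example (not from the book and not IOS code), here is a small Python model of how a router evaluates a standard access list: it checks that the number is in the 1–99 or 1300–1999 range, accepts the any, host and bare-address forms shown above plus the optional wildcard mask IOS uses to cover a range of addresses, tests only the source address top-down, and applies the implicit deny that ends every IOS access list. The sample list ACL_10 is constructed for the example.

```python
import ipaddress

# Added example, not from the book: a small evaluator for Cisco-style standard
# IP access lists, which test only the source IP address of each packet.
STANDARD_RANGES = ((1, 99), (1300, 1999))

def is_standard_number(n: int) -> bool:
    """True if n is a standard IP access-list number (1-99 or 1300-1999)."""
    return any(lo <= n <= hi for lo, hi in STANDARD_RANGES)

def parse_entry(line: str):
    """Parse 'access-list <n> permit|deny <source>' into (n, action, net, care).
    Source forms: any | host A.B.C.D | A.B.C.D [WILDCARD] (bare address = host)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, src = int(parts[1]), parts[2], parts[3:]
    if not is_standard_number(number):
        raise ValueError(f"{number} is not a standard IP access-list number")
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny, got {action!r}")
    if src[0] == "any":               # 'any' is 0.0.0.0 with an all-ones wildcard
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    elif src[0] == "host":            # 'host' is a single address, wildcard 0.0.0.0
        addr, wildcard = src[1], "0.0.0.0"
    else:                             # address with an optional wildcard mask
        addr, wildcard = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
    # Wildcard bit 0 = must match, 1 = don't care; invert it to a "care" mask.
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return number, action, int(ipaddress.IPv4Address(addr)) & care, care

def evaluate(acl_lines, source_ip: str) -> str:
    """Test a packet's source address top-down; the first matching line decides.
    If nothing matches, the packet is dropped by the implicit deny at the end."""
    src = int(ipaddress.IPv4Address(source_ip))
    for line in acl_lines:
        _, action, net, care = parse_entry(line)
        if (src & care) == net:
            return action
    return "deny"

# Constructed sample list: the book's deny of host 172.16.30.2, then a permit
# for the rest of its /24. Order matters: reversing the two lines would let
# 172.16.30.2 through, because the permit would match first.
ACL_10 = [
    "access-list 10 deny host 172.16.30.2",
    "access-list 10 permit 172.16.30.0 0.0.0.255",
]
```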