Access Control Lists

There are two types of ACLs, each of which can be numbered or named:

Standard ACLs (numbered or named)

Extended ACLs (numbered or named)

Standard ACLs filter packets on the source address only. They are the simplest form of ACL and cannot filter on protocol, destination address or port. Because they look only at the source, a standard ACL is placed closest to the destination: placed near the source it would cut that source off from every destination, not just the one you intend. The cost is that the unwanted traffic crosses the network before it is dropped (more traffic). Remember that standard ACLs have slightly different syntax than extended ACLs.

Extended ACLs filter packets on source address, destination address, protocol and port numbers. Because they can identify exactly the traffic to drop, an extended ACL is placed closest to the source, so unwanted traffic is discarded before it crosses the network (less traffic). Remember that extended ACLs have slightly different syntax than standard ACLs.
|
Things to consider before creating and applying ACLs

You must create an ACL before you can apply it to an interface.

An ACL does nothing until it is applied to an interface (ip access-group <list> in | out in interface configuration).

An ACL can be applied inbound or outbound on an interface.

Build ACLs in a text editor such as TextPad or WordPad and paste them into the router, so the whole list can be re-entered cleanly after a change.

With classic numbered ACLs it is not possible to remove a single line: no access-list <number> removes the entire list, so keep the master copy in the editor. Named ACLs (and numbered ACLs on newer IOS releases with ACL entry sequence numbers) do let you delete or insert individual entries.

New entries are appended to the bottom of the ACL unless a sequence number is given on a release that supports them.

Only one inbound ACL per interface (per protocol).

Only one outbound ACL per interface (per protocol).

Entries are evaluated top-down and the first match wins, so order the ACL from most specific to least specific; a broad entry placed first will shadow the specific entries below it and they will never be reached.

An implicit deny any sits at the bottom of every access list: anything not explicitly permitted is dropped.

There should be at least one permit statement in an ACL, otherwise all traffic is discarded.

When deciding whether an ACL belongs inbound or outbound on an interface, put yourself inside the router: inbound filters packets as they arrive on that interface, before routing; outbound filters packets as they leave through it, after routing.

ACLs are created in global configuration mode (named ACLs via ip access-list standard | extended <name>, which enters its own sub-mode).

ACLs are implemented (applied) on specific interfaces.
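To make the points in this list concrete, here is an added Python example (not from the original notes and not Cisco code) that parses IOS-style access-list lines and evaluates packets against them top-down, with the implicit deny when nothing matches. The two access lists, the addresses and the packets are constructed for illustration; the parser handles only the subset of IOS syntax they use (any, host, address/wildcard pairs and eq <port>), and the list number decides whether a line is read as standard or extended.

```python
"""Evaluate Cisco IOS style standard and extended IP ACLs against packets.
Added example, not from the original notes or from Cisco; the two access
lists and the packets are constructed for illustration only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IMPLICIT_DENY = "implicit deny any"
PORT_NAMES = {"telnet": 23, "ssh": 22, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # ip, tcp, udp or icmp
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                  # permit or deny
    proto: str                   # always "ip" for a standard ACL
    src: tuple                   # (address, wildcard)
    dst: tuple                   # (address, wildcard); ANY for a standard ACL
    dport: Optional[int]         # from "eq <port>", extended ACLs only
    text: str                    # original line, to report which entry matched

def wildcard_match(addr, base, wildcard):
    """0 bits in the wildcard must be equal, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0

def _parse_addr(toks, i):
    """Consume one address specifier: any | host A.B.C.D | A.B.C.D [W.W.W.W]."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(toks) and toks[i + 1].replace(".", "").isdigit():
        return (toks[i], toks[i + 1]), i + 2
    return (toks[i], "0.0.0.0"), i + 1        # bare address = that one host

def parse_acl(config):
    """Parse 'access-list <n> ...' lines; the list number selects the syntax."""
    aces = []
    for line in config.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] != "access-list":
            continue
        number, action, dport = int(toks[1]), toks[2], None
        if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: source only
            proto, dst = "ip", ANY
            src, i = _parse_addr(toks, 3)
        elif 100 <= number <= 199 or 2000 <= number <= 2699:  # extended
            proto = toks[3]
            src, i = _parse_addr(toks, 4)
            dst, i = _parse_addr(toks, i)
            if i < len(toks) and toks[i] == "eq":
                dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        else:
            raise ValueError(f"list number {number} is not an IP ACL range")
        aces.append(Ace(action, proto, src, dst, dport, " ".join(toks)))
    return aces

def evaluate(aces, pkt):
    """Top-down, first match wins; no match at all means the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", IMPLICIT_DENY

# Constructed sample lists: ACL 10 blocks one host and permits the rest of its /24;
# ACL 101 blocks telnet from 10/8 to one server and permits everything else from 10/8.
STANDARD_ACL = """
access-list 10 deny   host 192.168.1.13
access-list 10 permit 192.168.1.0 0.0.0.255
"""
EXTENDED_ACL = """
access-list 101 deny   tcp 10.0.0.0 0.255.255.255 host 172.16.1.5 eq telnet
access-list 101 permit ip  10.0.0.0 0.255.255.255 any
"""

def demo():
    std, ext = parse_acl(STANDARD_ACL), parse_acl(EXTENDED_ACL)
    return {
        # standard ACL: only the source is examined
        "std_blocked_host": evaluate(std, Packet("192.168.1.13", "192.0.2.10"))[0],
        "std_same_subnet": evaluate(std, Packet("192.168.1.7", "192.0.2.10"))[0],
        "std_other_subnet": evaluate(std, Packet("192.168.2.7", "192.0.2.10"))[1],
        # same two entries in the wrong order: the broad permit shadows the deny
        "std_reversed": evaluate(std[::-1], Packet("192.168.1.13", "192.0.2.10"))[0],
        # extended ACL: protocol, destination and port are examined as well
        "ext_telnet": evaluate(ext, Packet("10.1.2.3", "172.16.1.5", "tcp", 23))[0],
        "ext_http": evaluate(ext, Packet("10.1.2.3", "172.16.1.5", "tcp", 80))[0],
        "ext_outside_src": evaluate(ext, Packet("172.16.9.9", "172.16.1.5", "tcp", 80))[1],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<17} {result}")
```

Reversing the two entries of ACL 10 (the std_reversed case) is the ordering mistake the list warns about: the permit for 192.168.1.0/24 now matches first and the deny for the single host is never reached. The ext_outside_src case shows the implicit deny doing its work for a source the list never mentions.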
|
Numbered Standard ACL ranges

1-99         IP Standard Access List
1300-1999    IP Standard Access List (expanded range)
600-699      AppleTalk Standard Access List
800-899      IPX Standard Access List

These are the most common lists, but there are other Standard ACL ranges.

Numbered Extended ACL ranges

100-199      IP Extended Access List
2000-2699    IP Extended Access List (expanded range)
900-999      IPX Extended Access List

These are the most common lists, but there are other Extended ACL ranges.
Wild Card Masking

A wildcard mask tells the router which bits of an address to compare and which to ignore. It is the bitwise inverse of the subnet mask: 0 bits in the wildcard mean "check this bit", 1 bits mean "ignore this bit". A quick way to derive it is to subtract each octet of the subnet mask from 255. Two IOS shorthands use the same mechanism: host 172.10.1.5 means 172.10.1.5 0.0.0.0 (check every bit) and any means 0.0.0.0 255.255.255.255 (ignore every bit).

For example: to specify subnet 172.10.0.0/16 the wildcard mask is 0.0.255.255

Subnet          172.10.0.0         10101100.00001010.00000000.00000000
Subnet mask     255.255.0.0        11111111.11111111.00000000.00000000
Wildcard mask   0.0.255.255        00000000.00000000.11111111.11111111

For example: to specify subnet 172.10.32.0/19 the wildcard mask is 0.0.31.255

Subnet          172.10.32.0        10101100.00001010.00100000.00000000
Subnet mask     255.255.224.0      11111111.11111111.11100000.00000000
Wildcard mask   0.0.31.255         00000000.00000000.00011111.11111111

For example: to specify subnet 172.10.1.0/24 the wildcard mask is 0.0.0.255

Subnet          172.10.1.0         10101100.00001010.00000001.00000000
Subnet mask     255.255.255.0      11111111.11111111.11111111.00000000
Wildcard mask   0.0.0.255          00000000.00000000.00000000.11111111

For example: to specify subnet 172.10.1.32/27 the wildcard mask is 0.0.0.31

Subnet          172.10.1.32        10101100.00001010.00000001.00100000
Subnet mask     255.255.255.224    11111111.11111111.11111111.11100000
Wildcard mask   0.0.0.31           00000000.00000000.00000000.00011111
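The derivation in the four tables above, as an added Python example (not code from the original notes): it inverts a subnet mask or prefix length into the wildcard an ACE needs, renders the binary rows shown above, and checks addresses against an address/wildcard pair. The 172.10.x.x networks are the ones used in the notes; the "odd hosts" wildcard 0.0.0.254 at the end is a constructed example showing that, unlike a subnet mask, a wildcard mask does not have to be contiguous.

```python
"""Derive wildcard masks and render the binary comparison rows shown above.
Added example, not from the original notes. Uses the notes' 172.10.x.x
networks; the non-contiguous "odd hosts" wildcard is constructed."""
import ipaddress

def to_bits(dotted):
    """'172.10.32.0' -> '10101100.00001010.00100000.00000000'."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))

def wildcard_from_mask(mask):
    """Invert a subnet mask octet by octet: 255.255.224.0 -> 0.0.31.255."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def wildcard_from_prefix(prefix_len):
    """Same result from a prefix length: /19 -> 0.0.31.255."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(ipaddress.IPv4Address(int(netmask) ^ 0xFFFFFFFF))

def ace_for_network(cidr):
    """'172.10.1.32/27' -> ('172.10.1.32', '0.0.0.31'), the pair an ACE takes.
    strict=True rejects a base with host bits set (e.g. 172.10.1.40/27), so a
    typo in the address is caught instead of being silently normalised."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), wildcard_from_prefix(net.prefixlen)

def matches(addr, base, wildcard):
    """Wildcard comparison: 0 bits must be equal, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0

def addresses_covered(wildcard):
    """Each ignored (1) bit doubles the number of addresses an ACE matches."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def comparison_table(cidr):
    """Reproduce the subnet / subnet mask / wildcard rows from the notes."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    base, wildcard = ace_for_network(cidr)
    rows = [("Subnet", base), ("Subnet mask", str(net.netmask)), ("Wildcard mask", wildcard)]
    return "\n".join(f"{label:<15}{value:<18}{to_bits(value)}" for label, value in rows)

if __name__ == "__main__":
    for cidr in ("172.10.0.0/16", "172.10.32.0/19", "172.10.1.0/24", "172.10.1.32/27"):
        print(comparison_table(cidr), end="\n\n")
    # Wildcards need not be contiguous: ignoring only bit 0 of the last octet
    # makes the ACE match every odd host in 172.10.1.0/24 (128 addresses).
    odd = ("172.10.1.1", "0.0.0.254")
    print("odd host  .33 ->", matches("172.10.1.33", *odd))   # True
    print("even host .32 ->", matches("172.10.1.32", *odd))   # False
    print("addresses covered by 0.0.0.254 ->", addresses_covered(odd[1]))  # 128
```

Non-contiguous wildcards are legal and occasionally handy (every other /24, or only odd hosts), but they are hard to read and easy to get wrong during a review; prefer one ACE per contiguous range unless the list would otherwise become unmanageable. The addresses_covered check is a quick sanity test that a wildcard is as narrow as you meant it to be.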
|
Class A Sub-netting

In the three tables below, Total Bits is the length of the network prefix (the classful network bits plus the borrowed subnet bits). Usable Subnets follows the classic rule that the all-zeros and all-ones subnets are not used, so with n borrowed bits it is 2^n - 2; that is why 9, 17 and 25 total bits (n = 1) do not appear, and why the unsubnetted network counts as 1. With ip subnet-zero (the default on modern IOS) all 2^n subnets are usable. Usable Hosts is 2^h - 2 for h host bits, because the network and broadcast addresses are reserved.

Total Bits   Subnet Mask        Usable Subnets   Usable Hosts
8            255.0.0.0          1                16777214
10           255.192.0.0        2                4194302
11           255.224.0.0        6                2097150
12           255.240.0.0        14               1048574
13           255.248.0.0        30               524286
14           255.252.0.0        62               262142
15           255.254.0.0        126              131070
16           255.255.0.0        254              65534
17           255.255.128.0      510              32766
18           255.255.192.0      1022             16382
19           255.255.224.0      2046             8190
20           255.255.240.0      4094             4094
21           255.255.248.0      8190             2046
22           255.255.252.0      16382            1022
23           255.255.254.0      32766            510
24           255.255.255.0      65534            254
25           255.255.255.128    131070           126
26           255.255.255.192    262142           62
27           255.255.255.224    524286           30
28           255.255.255.240    1048574          14
29           255.255.255.248    2097150          6
30           255.255.255.252    4194302          2
|
Class B Sub-netting

Total Bits   Subnet Mask        Usable Subnets   Usable Hosts
16           255.255.0.0        1                65534
18           255.255.192.0      2                16382
19           255.255.224.0      6                8190
20           255.255.240.0      14               4094
21           255.255.248.0      30               2046
22           255.255.252.0      62               1022
23           255.255.254.0      126              510
24           255.255.255.0      254              254
25           255.255.255.128    510              126
26           255.255.255.192    1022             62
27           255.255.255.224    2046             30
28           255.255.255.240    4094             14
29           255.255.255.248    8190             6
30           255.255.255.252    16382            2
Class C Sub-netting

Total Bits   Subnet Mask        Usable Subnets   Usable Hosts
24           255.255.255.0      1                254
26           255.255.255.192    2                62
27           255.255.255.224    6                30
28           255.255.255.240    14               14
29           255.255.255.248    30               6
30           255.255.255.252    62               2