Cisco access lists ACL and wildcard mask
Wildcard mask

Bit   Wildcard mask                          Network (subnet) mask
0     match: the packet bit must match       host part of a network address
1     ignore: the packet bit can be 0 or 1   match: identifies the network bits that need matching for all hosts in the same subnet
Calculate wildcard mask

   255.255.255.255
 - 255.255.192.0     subnet mask
 -----------------
     0.  0. 63.255   wildcard mask
Examples
                     pattern        wildcard
access-list 33 permit 198.51.100.58 0.0.0.63

IP packet evaluated: 198.51.100.3

                                  in binary
ACL IP pattern    198.51.100.58   11000110.00110011.01100100.00111010
Wildcard mask     0.0.0.63        00000000.00000000.00000000.00111111
Logic applied                     \_______ these bits must match _____/\ ignore /
                                                                        (can be
                                                                        0 or 1)

Range of addresses matching the rule:
  from  198.51.100.0    11000110.00110011.01100100.00000000
  to    198.51.100.63   11000110.00110011.01100100.00111111

IP packet evaluated  198.51.100.3   11000110.00110011.01100100.00000011   MATCH!
ACL abbreviations

any  = 0.0.0.0 255.255.255.255    # wildcard ignores all address bits
host = e.g. 10.0.0.2 0.0.0.0      # wildcard requires that all bits match
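The wildcard arithmetic from the three sections above (subtracting the subnet mask from 255.255.255.255, evaluating a packet against a pattern/wildcard pair bit by bit, and the `any`/`host` abbreviations) as a small Python script. This is an added example, not part of the original notes; the function names are the author's own, and the addresses used are the ones on the page plus one constructed non-matching packet.

```python
"""Wildcard-mask arithmetic for Cisco standard ACL entries (added example)."""
import ipaddress


def to_int(addr):
    """Dotted-decimal IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_bits(value):
    """32-bit integer -> dotted binary, e.g. 11000110.00110011.01100100.00111010"""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def wildcard_from_subnet_mask(mask):
    """255.255.255.255 minus the subnet mask, octet by octet.
    Because every octet is <= 255 there is never a borrow, so this is the
    same as inverting the mask bits."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def acl_matches(pattern, wildcard, packet):
    """Wildcard bit 0 = 'must match', 1 = 'ignore'.
    XOR marks the bits where packet and pattern differ; masking with the
    inverted wildcard keeps only the differing bits that were required to
    match. The entry matches when none remain."""
    differing = to_int(pattern) ^ to_int(packet)
    return (differing & ~to_int(wildcard)) == 0


def matching_range(pattern, wildcard):
    """Lowest and highest address the entry can match (for a contiguous
    wildcard this is exactly the matched block)."""
    wc = to_int(wildcard)
    low = to_int(pattern) & ~wc & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wc))


# The two abbreviations from the notes, expressed as (pattern, wildcard) pairs.
ANY = ("0.0.0.0", "255.255.255.255")  # 'any': wildcard ignores every bit


def host(addr):
    """'host X': wildcard 0.0.0.0, every bit must match."""
    return (addr, "0.0.0.0")


def explain(pattern, wildcard, packet):
    """Render the bit-level comparison the way the notes lay it out."""
    verdict = "MATCH!" if acl_matches(pattern, wildcard, packet) else "no match"
    return "\n".join([
        f"ACL IP pattern      {pattern:<16}{to_bits(to_int(pattern))}",
        f"Wildcard mask       {wildcard:<16}{to_bits(to_int(wildcard))}",
        f"IP packet evaluated {packet:<16}{to_bits(to_int(packet))}   {verdict}",
    ])


if __name__ == "__main__":
    print("wildcard for 255.255.192.0 =", wildcard_from_subnet_mask("255.255.192.0"))
    print(explain("198.51.100.58", "0.0.0.63", "198.51.100.3"))
    print("range:", matching_range("198.51.100.58", "0.0.0.63"))
    # constructed packet outside the block: high two bits of the last octet differ
    print(explain("198.51.100.58", "0.0.0.63", "198.51.100.64"))
```

`acl_matches` is the whole test an IOS router performs per entry: it never looks at the wildcard as a prefix length, which is why a non-contiguous wildcard such as 0.0.0.254 (match only even last octets) also works with the same XOR-and-mask logic.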
Standard numbered ACL
Router(config)# access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}   ! activates the numbered IP ACL on an interface
Standard named ACL
An ACL name cannot contain spaces or special characters; by convention names are written in UPPER CASE.

Router(config)# ip access-list standard name
Router(config-std-nacl)# {permit | deny | remark} source [source-wildcard] [log]
Router(config-if)# ip access-group name {in | out}   ! activates the named IP ACL on an interface
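To show how the entries written in the two syntaxes above are actually processed, here is an added Python evaluator (not from the original notes) that parses both the numbered form (`access-list <number> ...`) and the bare `permit`/`deny` lines of a named ACL, then evaluates a source address top-down: the first matching entry decides, `remark` lines are skipped, and a list with no matching entry denies the packet, the implicit `deny any` that closes every IOS ACL. The ACL lines, names and addresses below are constructed for the demonstration.

```python
"""First-match evaluation of a Cisco standard ACL (added example)."""
import ipaddress

# Constructed numbered ACL in the syntax from the notes.
NUMBERED_ACL = """
access-list 33 remark management block first, then block the rest of 198.51.100.0/24
access-list 33 permit 198.51.100.58 0.0.0.63
access-list 33 deny 198.51.100.0 0.0.0.255 log
access-list 33 permit host 10.0.0.2
access-list 33 permit 10.1.0.0 0.0.255.255
"""

# Same policy as a constructed named ACL (the lines typed under
# 'ip access-list standard MGMT'), but with an explicit logged deny at the end.
NAMED_ACL = """
 remark same policy, named form
 permit 198.51.100.58 0.0.0.63
 deny   198.51.100.0 0.0.0.255 log
 permit host 10.0.0.2
 deny   any log
"""


def ip(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_entry(line):
    """One ACL line -> (action, source, wildcard, log) or None for remarks/blanks.
    Handles 'any', 'host X', 'X wildcard' and bare 'X' (implied wildcard 0.0.0.0)."""
    tok = line.split()
    if not tok:
        return None
    if tok[0] == "access-list":      # numbered form: drop 'access-list <number>'
        tok = tok[2:]
    action, rest = tok[0], tok[1:]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"unrecognised entry: {line!r}")
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest[0] == "any":
        src, wc = 0, 0xFFFFFFFF
    elif rest[0] == "host":
        src, wc = ip(rest[1]), 0
    else:
        src = ip(rest[0])
        wc = ip(rest[1]) if len(rest) > 1 else 0
    return action, src, wc, log


def parse_acl(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def evaluate(entries, source):
    """Walk the entries in order; the first whose pattern matches decides.
    Returns (action, logged). If nothing matches, the implicit 'deny any'
    applies, and it never logs."""
    s = ip(source)
    for action, src, wc, log in entries:
        if ((s ^ src) & ~wc) == 0:
            return action, log
    return "deny", False


if __name__ == "__main__":
    for text in (NUMBERED_ACL, NAMED_ACL):
        entries = parse_acl(text)
        for probe in ("198.51.100.3", "198.51.100.200", "10.0.0.2", "10.0.0.3", "10.1.7.7"):
            print(f"{probe:<16} -> {evaluate(entries, probe)}")
        print()
```

Two things the run makes visible: entry order matters (swapping the first two lines would silently deny the management hosts), and the implicit deny produces no log entry, which is why an explicit `deny any log` at the end of a list is a common way to see what is being dropped.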
ACL to Control VTY Access
The access-class command filters incoming or outgoing Telnet/SSH sessions on the VTY lines by source address, so a standard ACL is sufficient. Standard and extended access lists applied with ip access-group filter packets that travel through the router. By default, an outbound extended ACL that denies Telnet does not block Telnet sessions initiated by the router itself.
Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }
Troubleshooting
clear access-list counters {access-list name | access-list number}