Cisco access lists ACL and wildcard mask

From Ever changing code
Revision as of 12:47, 30 January 2015 by Pio2pio (talk | contribs)

Wildcard mask

A wildcard mask is read bit by bit, and its bits mean the opposite of a subnet mask's bits:

WILDCARD MASK                                SUBNET (NETWORK) MASK
0 - this bit must match the pattern          0 - host bit, varies between hosts in the subnet
1 - this bit is ignored (may be 0 or 1)      1 - network bit, the same for all hosts in the subnet

For a whole subnet the wildcard is simply the inverted subnet mask, but IOS does not require the 1 bits to be contiguous: a wildcard such as 0.255.0.255 matches a non-contiguous bit pattern, which a subnet mask cannot express.

IPv4 ACLs

Calculate the wildcard mask

Subtract the subnet mask from 255.255.255.255 octet by octet (equivalently, invert every bit of the mask). For a /18:

                    255.255.255.255
  subnet mask      -255.255.192.0
                  -----------------
  wildcard mask       0.  0. 63.255

Examples

                         pattern          wildcard
access-list 33 permit 198.51.100.58      0.0.0.63
IP packet evaluated    198.51.100.3

In binary:
ACL IP pattern    198.51.100.58   11000110.00110011.01100100.00111010
Wildcard mask          0.0.0.63   00000000.00000000.00000000.00111111
                                  \_____ these 26 bits must match ___/ \_ ignored _/
                                                                       (0 or 1)

Because the last six bits of the pattern are ignored, the value 58 (111010) in those positions is irrelevant; IOS clears the ignored bits when it stores the entry, so it is displayed as 198.51.100.0 0.0.0.63.

Range of addresses matching the rule:
  from  198.51.100.0    11000110.00110011.01100100.00000000
  to    198.51.100.63   11000110.00110011.01100100.00111111

IP packet evaluated  198.51.100.3    11000110.00110011.01100100.00000011   MATCH
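The bit logic above, and the way a standard ACL is walked top to bottom, modelled in Python. This is an added example, not code from the wiki page or from Cisco: the pattern/wildcard pairs are the page's own (198.51.100.58 0.0.0.63, host 10.0.0.2), while the three-line ACL and the list of evaluated source addresses are constructed here to show that the first matching statement wins and that an address matching nothing falls through to the implicit deny.

```python
"""Wildcard-mask arithmetic and standard-ACL (source-only) matching.

Added example, not from the wiki page. ACL_33 below is a constructed
three-statement list; the addresses are documentation/private ranges.
"""
from __future__ import annotations

import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, i.e. every bit inverted."""
    return to_str(0xFFFFFFFF ^ to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """/26 -> 0.0.0.63: the host bits are exactly the ignored (1) bits."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def matches(addr: str, pattern: str, wildcard: str) -> bool:
    """True when addr and pattern agree on every bit the wildcard marks 0."""
    return (to_int(addr) ^ to_int(pattern)) & ~to_int(wildcard) & 0xFFFFFFFF == 0


def match_range(pattern: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address a pattern/wildcard pair can match.

    Ignored bits are cleared for the low end and set for the high end, so
    198.51.100.58 0.0.0.63 covers 198.51.100.0 to 198.51.100.63 (IOS
    displays such an entry with the ignored bits cleared, as .0).
    """
    p, w = to_int(pattern), to_int(wildcard)
    low = p & ~w & 0xFFFFFFFF
    return to_str(low), to_str(low | w)


# Constructed standard ACL: (action, source, source-wildcard) in entry order.
# 'host x' is x 0.0.0.0 and 'any' is 0.0.0.0 255.255.255.255.
ACL_33 = [
    ("deny", "198.51.100.3", "0.0.0.0"),       # host 198.51.100.3
    ("permit", "198.51.100.58", "0.0.0.63"),   # 198.51.100.0 - .63
    ("permit", "10.0.0.2", "0.0.0.0"),         # host 10.0.0.2
]


def evaluate(acl, src_addr: str) -> tuple[str, int | None]:
    """Walk the ACL in order; the first matching statement decides.

    Returns (action, statement index), or ('deny', None) when nothing
    matched: every ACL ends with an implicit 'deny any'.
    """
    for index, (action, pattern, wildcard) in enumerate(acl):
        if matches(src_addr, pattern, wildcard):
            return action, index
    return "deny", None


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.192.0"))        # 0.0.63.255
    print(match_range("198.51.100.58", "0.0.0.63"))   # 198.51.100.0 .. 198.51.100.63
    for pkt in ["198.51.100.3", "198.51.100.40", "198.51.100.64", "10.0.0.2", "10.0.0.3"]:
        print(f"{pkt:15s} -> {evaluate(ACL_33, pkt)}")
```

Note that 198.51.100.3 is denied by the first statement even though the second would permit it: ordering, not specificity, decides the outcome, so a broad permit placed before a narrow deny silently disables the deny.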

ACL abbreviations

any  =      0.0.0.0 255.255.255.255      # wildcard ignores every address bit
host = eg: 10.0.0.2 0.0.0.0              # wildcard requires every address bit to match

Standard numbered ACL

Standard ACLs (numbers 1 to 99 and 1300 to 1999) match on the source address only, so they are normally applied close to the destination to avoid blocking traffic to other destinations. Every ACL ends with an implicit deny of everything not explicitly permitted; an ACL containing only deny statements therefore blocks all traffic on the interface it is applied to.

Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }      !activates the IP ACL on an interface, one per interface per direction per protocol

Standard named ACL

ACL names cannot contain spaces or special characters and are case sensitive; the usual convention is UPPER CASE. Named ACLs can be edited statement by statement, which numbered ACLs cannot.

Router(config)# ip access-list standard name
Router(config-std-nacl)# { permit | deny | remark } source [ source-wildcard ] [ log ]
Router(config-if)# ip access-group name { in | out }     !activates the named IP ACL on an interface

Extended ACLs

Extended numbered ACLs use the ranges 100 to 199 and 2000 to 2699. Because they match on protocol, source, destination and ports, they are normally applied close to the source of the traffic they filter.

The internal reordering IOS applies to standard ACL statements (host entries are listed ahead of range entries) does not apply to extended ACLs: statements are displayed and processed in the order they were entered, so a new statement is appended after the existing ones, behind any catch-all that already matches.

access-list access-list-number  {deny | permit | remark} protocol source [source-wildcard] [operator port] destination [destination-wildcard] [operator port] [established] [log]
  • protocol - name or number of the IP protocol, eg: icmp, tcp or udp; ip matches any IP protocol
  • operator - eq (equal), neq (not equal), gt (greater than), lt (less than) or range low high; valid for tcp and udp only
  • established - (optional) TCP only, matches segments with the ACK or RST bit set, i.e. replies to connections opened from the other side; an unsolicited SYN does not match
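How an extended ACL is processed, including the port operators and the established keyword, modelled in Python. This is an added example, not code from the wiki page or from Cisco; ACL_101 and the evaluated packets are constructed here: an inbound filter for a site in 10.0.0.0/8 that admits TCP replies, SSH to one host and DNS queries to one resolver, then denies and logs everything else.

```python
"""Extended-ACL evaluation: protocol, ports, operators and 'established'.

Added example, not from the wiki page. ACL_101 and the packets below
are constructed to illustrate the matching rules.
"""
from __future__ import annotations

from dataclasses import dataclass
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    a, p, w = (int(ipaddress.IPv4Address(x)) for x in (addr, pattern, wildcard))
    return (a ^ p) & ~w & 0xFFFFFFFF == 0


def port_match(port: int | None, operator: str, operands: tuple[int, ...]) -> bool:
    """IOS port operators; a protocol without ports (icmp) never matches a port test."""
    if port is None:
        return False
    if operator == "eq":
        return port == operands[0]
    if operator == "neq":
        return port != operands[0]
    if operator == "gt":
        return port > operands[0]
    if operator == "lt":
        return port < operands[0]
    if operator == "range":
        return operands[0] <= port <= operands[1]
    raise ValueError(f"unknown operator {operator}")


@dataclass
class Packet:
    protocol: str                 # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int | None = None
    dport: int | None = None
    ack: bool = False             # TCP ACK flag
    rst: bool = False             # TCP RST flag


@dataclass
class Entry:
    action: str                   # 'permit' or 'deny'
    protocol: str                 # 'ip' matches any protocol
    src: tuple[str, str]          # (address, wildcard)
    dst: tuple[str, str]
    src_op: tuple[str, tuple[int, ...]] | None = None   # e.g. ("range", (1024, 65535))
    dst_op: tuple[str, tuple[int, ...]] | None = None   # e.g. ("eq", (22,))
    established: bool = False
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not (wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)):
            return False
        if self.src_op and not port_match(pkt.sport, *self.src_op):
            return False
        if self.dst_op and not port_match(pkt.dport, *self.dst_op):
            return False
        # 'established' matches only TCP segments carrying ACK or RST, so a
        # bare SYN arriving from outside fails it even if addresses match.
        if self.established and not (pkt.protocol == "tcp" and (pkt.ack or pkt.rst)):
            return False
        return True


# Constructed inbound filter, as it would be typed on the router:
#   access-list 101 permit tcp any 10.0.0.0 0.255.255.255 established
#   access-list 101 permit tcp any host 10.0.0.5 eq 22
#   access-list 101 permit udp any range 1024 65535 host 10.0.0.53 eq 53
#   access-list 101 deny ip any any log
ACL_101 = [
    Entry("permit", "tcp", ANY, ("10.0.0.0", "0.255.255.255"), established=True),
    Entry("permit", "tcp", ANY, ("10.0.0.5", "0.0.0.0"), dst_op=("eq", (22,))),
    Entry("permit", "udp", ANY, ("10.0.0.53", "0.0.0.0"),
          src_op=("range", (1024, 65535)), dst_op=("eq", (53,))),
    Entry("deny", "ip", ANY, ANY, log=True),
]


def evaluate(acl: list[Entry], pkt: Packet) -> tuple[str, int | None]:
    """Statements are checked in entry order; first match wins, else implicit deny."""
    for index, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, index
    return "deny", None


if __name__ == "__main__":
    samples = {
        "HTTPS reply to inside client": Packet("tcp", "203.0.113.9", "10.1.2.3", 443, 50000, ack=True),
        "unsolicited SYN to port 80":   Packet("tcp", "203.0.113.9", "10.1.2.3", 40000, 80),
        "SSH to the bastion":           Packet("tcp", "203.0.113.9", "10.0.0.5", 40000, 22),
        "DNS query to the resolver":    Packet("udp", "203.0.113.9", "10.0.0.53", 2048, 53),
        "ICMP echo":                    Packet("icmp", "203.0.113.9", "10.1.2.3"),
    }
    for name, pkt in samples.items():
        print(f"{name:30s} -> {evaluate(ACL_101, pkt)}")
```

The established statement is what lets replies to inside-initiated connections back in while the unsolicited SYN falls through to the final deny. It is only a flag check, not connection tracking: a crafted segment with ACK set and no prior connection also matches it, which is why stateful inspection replaced this pattern where it was available.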

ACL to Control VTY Access

The access-class command filters Telnet/SSH sessions to or from the router's VTY lines by source address, so a standard ACL is sufficient. It is applied under line vty, not on an interface, and it is the only ACL that protects the router's own management plane: ip access-group filters packets that travel through the router, and an outbound extended ACL on an interface does not, by default, stop Telnet sessions initiated by the router itself.

Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }

Troubleshooting

clear access-list counters {access-list name | access-list number}     !resets the per-statement match counters displayed by show access-lists

IPv6 ACLs

IPv6 has only one type of ACL, equivalent to an IPv4 extended named ACL; there are no numbered IPv6 ACLs, and an IPv4 ACL and an IPv6 ACL cannot share a name. In addition to the implicit deny at the end, an IPv6 ACL implicitly permits the ICMPv6 neighbor discovery messages (neighbor solicitation and advertisement) ahead of that deny; adding an explicit deny ipv6 any any as the last statement removes those implicit permits and breaks neighbor discovery on the interface unless they are permitted explicitly first.