Cisco CCNA Certification Exam Tutorial: Access List Particulars You Must Know!
To pass the CCNA exam, you have to be in a position to write and troubleshoot access lists. As you climb the ladder toward the CCNP and CCIE, you'll see more and more makes use of for ACLs. Therefore, you had greater know the basics!
The use of "host" and "any" confuses some newcomers to ACLs, so let's take a look at that first.
It is acceptable to configure a wildcard mask of all ones or all zeroes. A wildcard mask of ... implies the address specified in the ACL line must be matched specifically a wildcard mask of 255.255.255.255 indicates that all addresses will match the line.
Wildcard masks have the solution web security solutions of employing the word host to represent a wildcard mask of .... Consider a configuration where only packets from IP supply 10.1.1.1 must be allowed and all other packets denied. The following ACLs each do that.
R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 ...
R3(config)#conf t
R3(config)#access-list 7 permit host 10.1.1.1
The keyword any can be used to represent a wildcard mask of 255.255.255.255.
R3(config)#access-list 15 permit any
One more usually overlooked detail is the order of the lines in an ACL. Even in a two- or 3-line ACL, the order of the lines in an ACL is vital.
Consider a situation where packets sourced from 172.18.18. /24 will be denied, but all others will be permitted. The following ACL would do that.
R3#conf t
R3(config)#access-list 15 deny 172.18.18. ...255
R3(config)#access-list 15 permit any
The preceding example also illustrates the value of configuring the ACL with the lines in the correct order to get the desired benefits. What would be the outcome if the lines had been reversed?
R3#conf t
R3(config)#access-list 15 permit any
R3(config)#access-list 15 deny 172.18.18. ...255
If the lines had been reversed, visitors from 172.18.18. /24 would ssl management be matched against the first line of the ACL. The very first line is permit any", meaning all visitors is permitted. The targeted traffic from 172.18.18./24 matches that line, the visitors is permitted, and the ACL stops running. The statement denying the traffic from ssl certificate comparison 172.18.18. is never run.
The crucial to writing and troubleshoot access lists is to take just an extra moment to read it more than and make confident it is going to do what you intend it to do. It really is greater to understand your mistake on paper instead of when the ACL's been applied to an interface!
