Standard ACLs

Standard ACLs 
11.2.1

Standard ACLs check the source address of IP packets that are routed. The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. For example, packets that come in Fa0/0 are checked for their source addresses and protocols. If they are permitted, the packets are routed through the router to an output interface. If they are not permitted, they are dropped at the incoming interface.

The standard version of the access-list global configuration command is used to define a standard ACL with a number in the range of 1 to 99 (also from 1300 to 1999 in recent IOS). In Cisco IOS Software Release 12.0.1, standard ACLs began using additional numbers (1300 to 1999) to provide a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs. In the first ACL statement, notice that there is no wildcard mask. Since no list is shown, the default mask of 0.0.0.0 is used. The entire address must match or the router must check for a match in the next line in the ACL.

The full syntax of the standard ACL command is as follows:

Router(config)#access-listaccess-list-number deny permit remarksource [source-wildcard ] [log]

The no form of this command is used to remove a standard ACL. The remark keyword makes the access list easier to understand. Each remark is limited to 100 characters. For example, it is not immediately clear what the purpose of the following entry is:

Router(config)#access-list 1 permit 171.69.2.88

It is much easier to read a remark about the entry to understand its effect, as follows:

Router(config)#access-list 1 remark Permit only Jones workstation through access-list 1 permit 171.69.2.88

To remove a standard ACL, use the no form of the command. This is the syntax:

Router(config)#no access-listaccess-list-number

The no form of this command is used to remove a standard ACL. The syntax is as follows:

Router(config)#no access-list access-list-number

The ip access-group command links an existing standard ACL to an interface:

Router(config)#ip access-group {access-list-number | access-list-name } {in | out }

The table shows descriptions of the parameters used in this syntax.
The Lab Activities will teach students how to plan, configure, and apply standard ACLs to permit or deny traffic.
The next page will describe extended ACLs

Verifying ACLs

Verifying ACLs 
11.1.5

The show ip interface command displays IP interface information and indicates whether any ACLs are assigned to the interface. The show access-lists command displays the contents of all ACLs on the router. To see a specific list, add the ACL name or number as an option for this command. The show running-config command will also reveal the access lists on a router and the interface assignment information.

These show commands will verify the list contents and placement. It is also a good practice to test the access lists with sample traffic to ensure that the access list logic is correct.

In the Lab Activity, students will use show commands to verify ACLs on a router.

This page concludes this lesson. The next lesson will provide more information about ACLs. The first page will describe standard ACLs.

The function of a wildcard mask

The function of a wildcard mask
11.1.4

This page will explain what a wildcard mask is and how it is used. A wildcard mask is a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits. The term wildcard mask represents the ACL mask-bit matching process and comes from an analogy of a wildcard that matches any other card in the game of poker. Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.

The subnet mask and the wildcard mask represent two different things when they are compared to an IP address. Subnet masks use binary ones and zeros to identify the network, subnet, and host portion of an IP address. Wildcard masks use binary ones and zeros to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use binary ones and zeros.

The mask in Figure would be written as 0.0.255.255. A zero indicates a value that will be checked. The Xs, or ones, are used to block values.  In the wildcard mask process, the IP address in the access-list statement has the wildcard mask applied to it. This creates the match value, which is used to compare and see if a packet should be processed by this ACL statement, or sent to the next statement to be checked. The second part of the ACL process is that any IP address that is checked by a particular ACL statement will have the wildcard mask of that statement applied to it. The result of the IP address and the wildcard mask must equal the match value of the ACL. This process is illustrated in the animation in Figure . There are two special keywords that are used in ACLs, the any and host options. The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. This option will match any address that it is compared against. The host option substitutes 0.0.0.0 for the mask. This mask requires that all bits of the ACL address and the packet address match. This option will match just one address. The next page will teach students how to verify ACLs.