With standard ACLs you can permit or deny traffic based on its source IP address.
The destination of the packet and the port don’t matter. They can be named or numbered.
The ranges used by numbered standard ACLs are from 1 to 99 and from 1300 to 1999.
We have R1 and R2. On R1’s fa0/0 interface we will apply an inbound ACL to filter some of the networks on R2’s loopback interfaces.
Configure the interfaces on R1 and R2, without an ACL for now:
R1
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
ip route 192.168.1.0 255.255.255.0 FastEthernet0/0
ip route 192.168.2.0 255.255.255.0 FastEthernet0/0
R2
interface Loopback0
ip address 192.168.0.1 255.255.255.0
interface Loopback1
ip address 192.168.1.1 255.255.255.0
interface Loopback2
ip address 192.168.2.1 255.255.255.0
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
On R1 we’ve added 3 static routes to reach R2’s loopback interfaces. Now, we’ll configure a numbered Access List on R1.
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Manage Traffic From R2
The ACL’s statements
NUMBER “1”
This is the number used by this ACL.
“DENY” KEYWORD
Traffic from the network matched by this statement will be denied.
“PERMIT” KEYWORD
Traffic from the network matched by this statement will be permitted.
“192.168.0.0”
This is the network that will be matched by the statement.
“REMARK” KEYWORD
The string that comes after this keyword is a description that helps you recall later what the purpose of the ACL is.
At the end of every ACL there is an “implicit deny” which will deny all packets that aren’t matched by any statement in the ACL.
“0.0.0.255”
This is the wildcard mask that tells the router which bits of the address to look at.
A wildcard mask bit of 0 means the corresponding bit in the address must match;
a wildcard mask bit of 1 means the corresponding bit in the address is ignored.
In binary this mask is 00000000.00000000.00000000.11111111.
As a result, the first 24 bits of the IP address are compared and the last 8 are ignored. Taking the first statement of the ACL, all packets with a source IP address that starts with 192.168.0 are matched and denied; the last 8 bits don’t matter.
The next step is to bind the standard access list to an interface as inbound or outbound. An ACL doesn’t act on packets generated by the router itself, so there is no reason to use it here as an outbound ACL. We’ll bind it to R1’s fa0/0 as an inbound access list.
R1
interface FastEthernet0/0
ip access-group 1 in
We get the following result:
Packets with R2’s Loopback 0 source IP address (192.168.0.1) will be denied by the first statement;
Packets with R2’s Loopback 1 source IP address (192.168.1.1) will be permitted by the second statement;
Packets with R2’s Loopback 2 source IP address (192.168.2.1) will be denied by the “implicit deny” because they are not matched by any of the other statements.
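The wildcard-mask rule and the first-match-then-implicit-deny evaluation described above, as an added example (not code from the original slides): a small Python simulator of how a standard ACL judges a packet's source address. ACL_1, the three loopback addresses and the host-mask check are taken from the slides; the function names are assumptions.

```python
# Added example: simulate standard ACL evaluation of a source address.
# Wildcard mask bit 0 = the address bit must match; bit 1 = ignore that bit.
# Statements are checked in configured order; first match wins; no match
# falls through to the implicit deny at the end of every ACL.
import ipaddress


def to_int(addr: str) -> int:
    """Convert dotted-decimal IPv4 text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_binary(wildcard: str) -> str:
    """Dotted-binary form of a wildcard mask, e.g. 0.0.0.255."""
    return ".".join(f"{int(octet):08b}" for octet in wildcard.split("."))


def wildcard_match(source: str, network: str, wildcard: str) -> bool:
    """True if 'source' matches 'network' under the wildcard mask.

    Inverting the wildcard gives the bits the router must compare;
    masking both addresses with it and comparing does the match.
    """
    care = 0xFFFFFFFF & ~to_int(wildcard)
    return (to_int(source) & care) == (to_int(network) & care)


def evaluate_acl(acl, source: str) -> str:
    """Return 'permit' or 'deny' for a source address.

    'acl' is a list of (action, network, wildcard) tuples in configured order.
    """
    for action, network, wildcard in acl:
        if wildcard_match(source, network, wildcard):
            return action      # first matching statement wins
    return "deny"              # implicit deny at the end of the ACL


# The two statements of access-list 1 from the slides (remark omitted).
ACL_1 = [
    ("deny", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255"),
]


def check_loopbacks():
    """Verdict for each of R2's loopback addresses against ACL 1."""
    return {src: evaluate_acl(ACL_1, src)
            for src in ("192.168.0.1", "192.168.1.1", "192.168.2.1")}


if __name__ == "__main__":
    print(wildcard_binary("0.0.0.255"))
    for src, verdict in check_loopbacks().items():
        print(f"{src}: {verdict}")
```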
R2#ping 10.0.0.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
U.U.U
Success rate is 0 percent (0/5)
R2#
R2#ping 10.0.0.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/36 ms
R2#
R2#ping 10.0.0.1 source loopback 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
U.U.U
Success rate is 0 percent (0/5)
R2#
From the output you can see that only ping from Loopback 1 succeeded.
You can check the ACL’s statements with one of these commands:
show access-lists
show ip access-lists
To delete this access list, use this command:
no access-list 1
The named version of this access list looks like this:
ip access-list standard FIRST
deny 192.168.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
remark Manage Traffic From R2