
Cisco ACL basics


dingo987

Jun 20, 2001
Just a question to satisfy my curiosity:

I have a Cisco 2620, what command shows me its ACL?
How do you create an ACL? In a typical ACL command such as:

access-list 100 permit tcp any host 171.16.23.1 eq 80
access-list 100 deny ip any any

where does the number 100 come from? Is it a port?

Please excuse my ignorance of Cisco. I am only a beginner.

TY

Mike

'sh run' or 'sh start' will show you all of the ACLs that have been created. Different access lists serve different purposes and they fall into certain numbered ranges. ACLs 100-199 are extended IP ACLs. 1-99 are standard IP ACLs that can only filter based on source as opposed to extended IP ACLs that can filter on source and destination.

Search around on for all the info you'll need.
This is an extended ACL example.

Breakdown of the command:
This is how it would look on the terminal as you supplied the command.

Router(config)#access-list 100 deny ip 10.3.2.1 0.0.0.255 any

access-list [type/number] [deny/permit/dynamic] [protocol/port number] [source address] [wildcard bits] [destination address] [wildcard bits] [eq > < /port number] [carriage return or a few other commands]

**NOTE: you won't need to use wildcard bits if you use ANY as an address**

To put it simply, you have the type of access-list you want to make. Take for example the 100 you asked about: it signifies that you want to use an extended access-list. I put a list of the ACL type numbers below. The deny/permit is self explanatory, as is the protocol/port number. The source address is the originating address you want to block; the wildcard bits are how you want the list to examine the packet. In my example it will look to match 10.3.2, but the last wildcard octet (255) is saying all bits in this octet. Then I put any as the destination address, or you could do it the long way: 0.0.0.0 255.255.255.255. To expand, if I had used tcp as the protocol type I could use eq (stands for equals) then the port number, or use greater than / less than. There is a ton you can do with an access list. Know though, just because you created an access-list does not mean it is being used; you have to place it on a port either inbound or outbound depending on the design and purpose. That is a whole other command taking place in the interface configuration.

What the numbers you asked about stand for:

<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list


I know I didn't explain that really the greatest, but there are a lot of things you can do and achieve with an access-list. So for everyone else's sake I admit that my explanation is sort of weak, but done so for brevity. Here is a good site on Cisco to help explain it a little more clearly.
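To make the wildcard-bit and first-match-wins behaviour described in the reply concrete, here is an added Python model (not code from the thread or from Cisco) that evaluates the two access-list lines from the question against constructed packets. It assumes only the syntax subset shown in the posts: any, host, or address plus wildcard, with an optional eq port; the hypothetical evaluate() function mimics the router's top-down matching and implicit deny.

```python
import ipaddress

# Constructed sample ACL: the two lines from the original question.
ACL_100 = [
    "access-list 100 permit tcp any host 171.16.23.1 eq 80",
    "access-list 100 deny ip any any",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard bits: a 1 bit means 'do not care', a 0 bit must match exactly.
    So 10.3.2.1 0.0.0.255 matches any 10.3.2.x, and 0.0.0.0 255.255.255.255 is 'any'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_extended_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (hypothetical helper)."""
    t = line.split()
    assert t[0] == "access-list"

    def take_addr(i):
        if t[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if t[i] == "host":
            return (t[i + 1], "0.0.0.0"), i + 2
        return (t[i], t[i + 1]), i + 2

    src, i = take_addr(4)
    dst, i = take_addr(i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"number": int(t[1]), "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, packet):
    """Top-down, first match wins; anything unmatched hits the implicit 'deny ip any any'.
    On a real router the list does nothing until bound with 'ip access-group 100 in|out'."""
    for ace in map(parse_extended_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *ace["src"]):
            continue
        if not wildcard_match(packet["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != packet.get("dport"):
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every Cisco ACL
```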
