In this article I explain the standard access control list in a router. In the previous article you learned about access control lists in a router in general. A standard access control list is one type of ACL. Access control lists in a router work as a filter to allow or deny routing updates and packets on a particular interface. They provide an extra layer of security for the network by controlling its incoming and outgoing traffic. An access control list does only two things: it permits packets and it denies packets at layer 3 of the OSI reference model.
When a packet arrives at a router interface, the router examines the packet header and compares that information against the access control lists configured on the router. The result of this comparison decides whether the packet is dropped or allowed. This process works at the network layer of the OSI or TCP/IP model. An access control list can be applied to an interface in the inbound or outbound direction.
Access control lists are a set of instructions used to filter the traffic passing through a router interface, whether incoming or outgoing. The access control list is an integrated facility of the router's IOS. When a packet arrives on an interface, the router first checks the packet's destination address and looks it up in its routing table. If the destination is found in the routing table, the router checks for an access control list on that interface, and according to that list the packet is permitted or dropped. In this article I describe the configuration of a standard access control list in a router.
A standard access control list is identified by its ACL number. The predefined number ranges for standard access control lists are 1-99 and 1300-1999. The router applies an existing standard access control list to incoming or outgoing packets on a particular interface. A standard access control list filters on the source IP address only; it cannot filter traffic on the basis of protocols or services such as web, UDP or email. Before configuring a standard access control list, let's take a look at the features of standard ACLs in a router.
Standard Access Control List features
A standard ACL can deny a whole network or subnetwork, or a particular IP address. Standard ACLs are usually applied as close to the destination as possible. A standard ACL is created using the source IP address only. A named standard ACL can be modified, but a numbered ACL cannot be modified. A standard ACL is applied to known network IP addresses. A permit entry is necessary to allow traffic through a standard ACL in a router, because every ACL ends with an implicit deny.
See the help output from the router CLI below. You can see how few options are available with standard ACLs: there is only one option, to give the source IP address.
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
Router(config)#access-list 10 deny ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address
Router(config)#
Configuration of standard access control list in router
See the network diagram below. Here we have three different networks connected to one router. Interface GigabitEthernet0/0 is connected to network 192.168.1.0/24, interface GigabitEthernet0/1 to network 192.168.2.0/24, and interface GigabitEthernet0/2 to network 192.168.3.0/24. One PC in each network is connected to the router. The IP addresses of PC1, PC2 and PC3 are 192.168.1.2, 192.168.2.2 and 192.168.3.2 respectively.
The first thing required is to assign IP addresses to all three router interfaces. These IP addresses work as the gateway for the three networks. To assign the IP addresses on all interfaces, run the commands below in the router CLI.
Router>en
Router#config t
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip address 192.168.3.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#do wr
Building configuration...
[OK]
Router(config-if)#exit
Router(config)#
Now assign an IP address to each PC as shown in the figure above. The IP address of the connected router interface works as the gateway for each network. After assigning IP addresses to the PCs, ping each PC from the others. You will find that all PCs communicate with each other successfully. No IP routing configuration is required here because all networks are directly connected to the router.
Configure access list in router
My aim is to deny PC1 access to PC2 while permitting all traffic from PC3. We need to create a standard access list in the router and apply it to the appropriate interface. The subnet mask of network 192.168.1.0 is 255.255.255.0, so the wildcard mask will be 0.0.0.255. Configure a standard access list by running the commands below in the router CLI.
Router>en
Router#config t
Router(config)#access-list 10 deny 192.168.1.0 0.0.0.255
Router(config)#access-list 10 permit any
After running these commands a standard ACL is created in the router. This standard ACL denies all traffic sourced from the 192.168.1.0/24 network and permits everything else. My aim is to deny PC1 access to PC2 and allow all other traffic, so I need to apply this standard ACL close to PC2, on the interface facing it, GigabitEthernet0/1, in the outbound direction. Run the commands below to apply the above ACL to interface GigabitEthernet0/1.
Router>en
Router#config t
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip access-group 10 out
Router(config-if)#exit
Router(config)#exit
Router#
After running the above commands, try to ping PC2 from PC1 and from PC3. You will find that PC1 cannot ping PC2 while PC3 can. This completes the explanation of a standard ACL in a router.
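To make the evaluation rules concrete (first matching entry wins, the comparison uses only the source address under a wildcard mask, and an unmatched packet hits the implicit deny at the end), here is a small Python model of how the router processes ACL 10 against packets from PC1, PC2 and PC3. This is an added example written for this article, not router code; the parser, the helper names and the sample packets are constructed.

```python
"""Model of how a Cisco router evaluates a standard ACL (added example, not IOS code)."""
import ipaddress

def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))

def parse_acl(config_lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard]' lines into (action, network, wildcard).
    'any' matches every source, 'host A.B.C.D' matches one address; remarks are skipped."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        action = parts[2]
        if parts[3] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            net, wild = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, net, wild))
    return entries

def evaluate(entries, source_ip: str) -> str:
    """Return 'permit' or 'deny' for a packet with the given source address.
    A standard ACL checks only the source; the first match wins; no match means implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild in entries:
        # A bit set in the wildcard mask is a "don't care" bit, so it is masked out before comparing.
        if (src & ~wild) == (net & ~wild):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Constructed sample: ACL 10 from this article, with a remark line to show it is ignored.
ACL_10 = parse_acl([
    "access-list 10 remark block the PC1 network",
    "access-list 10 deny 192.168.1.0 0.0.0.255",
    "access-list 10 permit any",
])

if __name__ == "__main__":
    for pc in ("192.168.1.2", "192.168.2.2", "192.168.3.2"):
        print(pc, "->", evaluate(ACL_10, pc))
```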
Configuration of a named standard ACL in router
In the exercise above I referred to the standard ACL by its number, 10. You can instead give it a name at configuration time and refer to it by that name. See the commands below, which create a named standard ACL equivalent to the ACL above.
Router(config)#ip access-list standard blockpc1
Router(config-std-nacl)#deny 192.168.1.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
A standard ACL named blockpc1 is ready. To apply this ACL to interface GigabitEthernet0/1, run the commands below.
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip access-group blockpc1 out
Router(config-if)#exit
Router(config)#do wr
Building configuration...
[OK]
Router(config)#
After applying the blockpc1 ACL to GigabitEthernet0/1 you will see the same result. I hope you now understand standard ACLs and their function in a network.
In this article I described the standard access control list for the CCNA exam. For any query or suggestion about this article you may contact us or drop a comment below.