Very Good Explanation of Access Lists (English)

  • October 2019

Access lists (ACL) knowledge needed for the Cisco CCNA exam ... just a fast overview.

There are two kinds of access lists on Cisco routers:

1. Standard ACLs
   - numbered from 1-99 (and some higher ranges)
   - filter only on the source IP
   - needed to deny a single source IP or source network access to another network or host

2. Extended ACLs
   - numbered from 100-199 (and some higher ranges)
   - filter on source IP, destination IP, protocols and ports/applications
   - needed to filter only traffic from a specified host or network and specified protocols and ports

Handling of access lists

1. Configure some statements.

   Example 1: deny HTTP and Telnet access from a network to a host

     access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
     access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
     access-list 100 permit ip any any

   Example 2: deny complete IP access from a network to a host

     ! a destination address can only be given in an extended ACL, so the list
     ! needs a number from the extended range (100-199) rather than 1
     access-list 101 deny ip 143.43.43.0 0.0.0.255 143.55.55.8 0.0.0.0
     access-list 101 permit ip any any

   Example 3: deny ping from a network to a host

     ! matching on ICMP is also extended-ACL only, and the destination host
     ! needs its wildcard (0.0.0.0 = exactly this host) like the other examples
     access-list 102 deny icmp 132.43.4.0 0.0.0.255 145.52.54.9 0.0.0.0
     access-list 102 permit ip any any

2. All the statements build one access list. Bind the ACL to an interface with the "ip access-group" command:

     interface e0
      ip access-group 100 in

Rules

1. "Last" deny statement of every ACL
   At the end of every access list there is an invisible "access-list deny ip any any" statement. That is why we have to put an "access-list permit ip any any" statement at the end of our ACL.

2. From first to last
   When filtering packets, the router checks the statements of the ACL from the first to the last. When a statement is found to be true, the following statements are not checked anymore.

   Example:

     access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
     access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
     access-list 100 permit ip any any

   If a host with IP 143.43.43.6/24 tried to access the web server 132.32.32.4, it would be denied because of the first statement. The second and third statements would not be checked in that case. If the same host tried to access the Telnet port of the web server, the first statement would be checked first. Because port 80 is not the port the host wants to reach, the second statement would be checked next. The second statement denies Telnet, so the host cannot access the web server via Telnet.

3. Placement of ACLs
   Put standard ACLs close to the destination host or network which has to be protected.
   Put extended ACLs close to the source hosts or network from where the traffic originates.

4. One ACL per interface, per protocol, per direction
   You cannot bind more than one ACL to an interface per direction (incoming or outgoing).

5. Single statements of an ACL cannot be deleted
   If you have to change or delete a single statement, you have to delete the whole ACL and write a new one. Only in named access lists is it possible to change or delete single statements of the ACL.

6. Different terms for different usage
   There are different terms which can confuse:
   - access-group: used to bind an access list to an interface
   - access-class: used to deny or permit Telnet access to the router's vty lines

7. Syntax of an extended ACL

     access-list <number> <permit|deny> <protocol> <source> <wildcard> <destination> <wildcard> eq <port number or application>

8. Syntax of a standard ACL

     access-list <number> <permit|deny> <source> <wildcard>

Please correct if something is wrong.
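As an added illustration (not part of the original document), this Python model applies rules 1 and 2 above: it parses the document's example 1 statements with Cisco wildcard matching, evaluates a packet against them first-match and falls back to the invisible deny when nothing matches. The Packet tuple, the helper names and the test addresses 143.43.43.6 and 10.0.0.9 are assumptions made here; only numeric "eq" ports and the address forms any, host and address+wildcard are handled.

```python
import ipaddress
from collections import namedtuple

# src/dst are dotted IPv4 strings, proto is "tcp"/"udp"/"icmp", dport is the destination port (0 if none)
Packet = namedtuple("Packet", "src dst proto dport")

def _match(addr, base, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means that bit is not compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr_spec(tokens, i):
    """Consume one address field: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (numeric ports only)."""
    t = line.split()
    src, i = _addr_spec(t, 4)
    dst, i = _addr_spec(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def evaluate(acl, pkt):
    """First matching statement wins; the invisible 'deny ip any any' ends every ACL."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue  # protocol does not match, try the next statement
        if not (_match(pkt.src, *ace["src"]) and _match(pkt.dst, *ace["dst"])):
            continue  # source or destination outside the statement's range
        if ace["port"] is not None and ace["port"] != pkt.dport:
            continue  # "eq" port given but the packet goes elsewhere
        return ace["action"]
    return "deny"  # nothing matched: implicit deny ip any any

# Constructed input: the document's example 1 (extended ACL 100).
ACL_100 = [
    "access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80",
    "access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    web = Packet("143.43.43.6", "132.32.32.4", "tcp", 80)
    other = Packet("10.0.0.9", "132.32.32.4", "tcp", 443)
    print(evaluate(ACL_100, web), evaluate(ACL_100, other), evaluate(ACL_100[:2], other))
```

The last call drops the final permit statement, which is how a list that looks like "deny two things" ends up denying everything else through the invisible deny.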