Monday, April 28, 2008

Cisco CCNA Certification Exam Tutorial: Access List Details You Must Know!

To pass the CCNA exam, you must be able to write and troubleshoot access lists. As you climb the ladder to the CCNP and CCIE, you will see more and more applications for ACLs. Therefore, you had better know the basics!
The use of "host" and "any" confuses some newcomers to ACLs, so we'll take a look at those first.
It is acceptable to configure a wildcard mask of all ones or all zeros. A wildcard mask of 0.0.0.0 means the address specified in the ACL line must be matched exactly; a wildcard mask of 255.255.255.255 means that all addresses will match the line.
Wildcard masks have the option of using the word host to represent a wildcard mask of 0.0.0.0. Consider a configuration where only packets from source IP 10.1.1.1 should be allowed and all other packets denied. The following two ACLs both do that.
R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0
R3#conf t
R3(config)#access-list 7 permit host 10.1.1.1
The keyword any can be used to represent a wildcard mask of 255.255.255.255.
R3(config)#access-list 15 permit any
Another often overlooked detail is the order of the lines in an ACL. Even in a two- or three-line ACL, the order of the lines is vital.
Consider a situation where packets sourced from 172.18.18.0/24 will be denied, but all others will be permitted. The following ACL would do that.
R3#conf t
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
R3(config)#access-list 15 permit any
The previous example also shows the importance of configuring the ACL with the lines in the correct order to get the desired results. What would be the result if the lines were reversed?
R3#conf t
R3(config)#access-list 15 permit any
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
If the lines were reversed, traffic from 172.18.18.0/24 would be matched against the first line of the ACL. The first line is "permit any", which means that all traffic is permitted. The traffic from 172.18.18.0/24 matches that line, the traffic is permitted, and the ACL stops running. The statement denying the traffic from 172.18.18.0 is never run.
The key to writing and troubleshooting access lists is to take just an extra moment to read the ACL over and make sure it is going to do what you intend it to do. It is better to realize your mistake on paper than once the ACL's been applied to an interface!
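The wildcard matching and first-match ordering described above can be checked on paper or in a few lines of Python before an ACL is applied; this is an added example, not part of the original tutorial and not Cisco code. Assumptions: the function names are hypothetical, and only standard (source-only) ACL lines in the forms shown in this tutorial are handled.

```python
import ipaddress

MASK32 = 0xFFFFFFFF
# ACL 15 from the tutorial, in the correct and the reversed order.
CORRECT = ["access-list 15 deny 172.18.18.0 0.0.0.255", "access-list 15 permit any"]
REVERSED = list(reversed(CORRECT))

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_entry(line):
    """Parse 'access-list N permit|deny SOURCE' into (action, address, wildcard)."""
    tokens = line.split()
    action, src = tokens[2], tokens[3:]
    if src[0] == "any":        # any  = wildcard mask 255.255.255.255
        return action, 0, MASK32
    if src[0] == "host":       # host = wildcard mask 0.0.0.0
        return action, to_int(src[1]), 0
    return action, to_int(src[0]), to_int(src[1])

def matches(entry, ip):
    """Wildcard bit 0: the bit must match. Wildcard bit 1: the bit is ignored."""
    _, addr, wild = entry
    care = ~wild & MASK32
    return (to_int(ip) & care) == (addr & care)

def evaluate(acl_lines, ip):
    """Return the action of the first matching line; evaluation stops there."""
    for line in acl_lines:
        entry = parse_entry(line)
        if matches(entry, ip):
            return entry[0]
    return "deny"              # no line matched: implicit deny at the end of the ACL

def shadowed(acl_lines):
    """Return (earlier, later) pairs where the later line can never be reached."""
    entries = [parse_entry(line) for line in acl_lines]
    found = []
    for j, (_, addr_j, wild_j) in enumerate(entries):
        for i in range(j):
            _, addr_i, wild_i = entries[i]
            care_i = ~wild_i & MASK32
            # Earlier line covers the later one when every bit it checks is
            # also fixed by the later line and has the same value there.
            if (care_i & wild_j) == 0 and (addr_i & care_i) == (addr_j & care_i):
                found.append((acl_lines[i], acl_lines[j]))
                break
    return found

if __name__ == "__main__":
    print(evaluate(CORRECT, "172.18.18.77"), evaluate(REVERSED, "172.18.18.77"))
    print(shadowed(REVERSED))
```

Run against the reversed ACL 15, shadowed() reports the deny line as unreachable behind "permit any", which is the mistake the tutorial walks through.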
Chris Bryant, CCIE 12933, is the owner of the Bryant Advantage (http://www.thebryantadvantage.com), home of free CCNA, CCNP tutorials, The Ultimate CCNA Study Package, Ultimate CCNP Study Packages, and CCNA CBT Video Training. Pass the CCNA exam, BSCI exam, and BCMSN exam with Chris Bryant, CCIE 12933!
For a copy of his free ebooks, "As to the CCNA" and "How to CCNP", visit the website and download your copy! You can now get a free CCNA and CCNP exam question every day, with no e-mail registration required. Get your CCNA study guide from The Bryant Advantage!


