Professional Documents
Culture Documents
Corporate
(trusted
network)
Untrusted
network
Perimeter
(premises)
router
Internal
Firewall (local network)
router
Internet
DMZ
Email
Server
Web
Server
Access Lists
There are two main types of access lists:
Standard access lists
These ACLs use only the source IP address in an IP packet as the condition
test. All decisions are made based on the source IP address. This means that
standard access lists basically permit or deny an entire suite of protocols. They
dont distinguish between any of the many types of IP traffic such as Web,
Telnet, UDP, and so on.
Direction
Once you create an access list, its not really
going to do anything until you apply it.
You can assign only one access list per interface per
protocol per direction.
This means that when applying IP access lists, you can
have only one inbound access list and one outbound
access list per interface.
Anytime a new entry is added to the access list, it will
be placed at the bottom of the
list, which is why I highly recommend using a text editor
for access lists.
You cant remove one line from an access list. If you try
to do this, you will remove the entire list.
This is why its best to copy the access list to a text
editor before trying to edit the list. The only exception is
when youre using named access lists.
Denied!
Finance
172.16.50.0/24
Lab_A#config t
Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any
Marketing
172.16.60.0/24
Lab_A(config)#int fa0/1
Lab_A(config-if)#ip access-group 10 out
Effect
show access-list
show ip access-list
show ip interface
show running-config
15