The following four general principles help ensure that the access lists you create have the intended results:
- Organize your access list so that more specific references in a network or subnet appear before more general ones.
- Place more frequently occurring conditions before less frequently occurring conditions to optimize performance.
- Unless you end your access list with an explicit permit any, it will deny by default all traffic that fails to match any of the access-list lines.
- New lines added to the end
Subsequent additions are always added to the end of the access list. You cannot selectively add or remove lines when using numbered access lists, but you can when using IP-named access lists (a Cisco IOS Release 11.2 feature; see www.cisco.com).
- Undefined access list means permit any
If you apply an access list with the access-group command to an interface before any access-list lines have been created, the result will be permit any. The list is "live," so if you enter only one line, it goes from a permit any to a "deny most" (because of the implicit deny any) as soon as you press Return. For this reason, create your access list before you apply it to an interface.
Note that this usage changed with Release 10.3. In previous releases, an undefined access list caused everything to be denied, because the software interpreted an undefined access list as an actual access list with no entries and, therefore, as having only the implicit "deny any" at the end.
Note: One way to change an access list is to create a new access list with a different access-list number. Then use the ip access-group command to apply the new access-list number to the router interface. The new access list replaces the old one. For a few seconds (or microseconds), you will not have protection on the interface while the router replaces the old access list with the new one. If you are working in a secure environment where this kind of unprotected interval is unacceptable, use the ip shutdown command to disable the interface for IP packets during the changeover, as in the following example:

    interface serial 0
    ip shutdown
    ip access-group 2
    no ip shutdown
The main figure shows an example of a standard access list. The first statement permits a specific host, while the second statement denies all other hosts on that subnet. The third statement permits all other hosts on the same network, and finally the implicit deny statement denies the outside world (the Internet).
Lab Activity: In this lab, you will learn the usage of standard access control lists.
So, who can connect to A? Answer the following questions:
- Can host B communicate with host A? Yes. It is permitted by the first line, which uses an implicit host mask.
- Can host C communicate with host A? No. Host C is in the subnet denied by the second line.
- Can host D communicate with host A? Yes. Host D is on a subnet that is explicitly permitted by the third line.
- Can users on the Internet communicate with host A? No. Users outside this network are not explicitly permitted, so they are denied by default (implicit deny any).
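The following Python model, added here as an illustration and not part of the original curriculum page, ties together the general principles above (specific before general, top-down first match, implicit deny any, and an undefined list meaning permit any) with the four-question walk-through of the figure. The figure's real addresses are not reproduced on this page, so the addresses for hosts B, C, D and the Internet user, and the network 172.16.0.0, are constructed sample values; the wildcard-mask matching itself is the standard IOS rule (0 bits must match, 1 bits are ignored).

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    """One line of a standard (source-address only) access list."""
    action: str               # "permit" or "deny"
    address: str              # dotted-quad source address
    wildcard: str = "0.0.0.0"  # default = host mask, as IOS assumes when omitted


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def matches(entry: AclEntry, src: str) -> bool:
    """Apply the IOS wildcard rule: compare only the bits the wildcard marks 0."""
    care_bits = ~_to_int(entry.wildcard) & 0xFFFFFFFF
    return (_to_int(src) & care_bits) == (_to_int(entry.address) & care_bits)


def evaluate(acl: List[AclEntry], src: str) -> str:
    """Return 'permit' or 'deny' for a source address under top-down, first-match rules."""
    # An applied list with no lines yet: permit any (Release 10.3 and later behaviour).
    if not acl:
        return "permit"
    for entry in acl:          # processed top-down; the first matching line wins
        if matches(entry, src):
            return entry.action
    return "deny"              # nothing matched: the implicit deny any at the end


def to_ios(number: int, acl: List[AclEntry]) -> List[str]:
    """Render the list as the numbered access-list commands you would type."""
    return [f"access-list {number} {e.action} {e.address} {e.wildcard}" for e in acl]


# Constructed sample addresses standing in for the figure (hypothetical values).
HOST_B = "172.16.3.7"       # the one host permitted by line 1
HOST_C = "172.16.3.20"      # another host on B's subnet, denied by line 2
HOST_D = "172.16.4.5"       # a host elsewhere in 172.16.0.0, permitted by line 3
INTERNET_USER = "192.0.2.10"  # outside the network, caught by the implicit deny

STANDARD_ACL = [
    AclEntry("permit", HOST_B),                      # implicit host mask 0.0.0.0
    AclEntry("deny", "172.16.3.0", "0.0.0.255"),     # the rest of B's subnet
    AclEntry("permit", "172.16.0.0", "0.0.255.255"),  # the rest of the network
]

# Same three lines with the host line placed after the subnet line: the more
# general subnet entry now shadows the specific host, which is why the first
# principle says to put specific references first.
MISORDERED_ACL = [STANDARD_ACL[1], STANDARD_ACL[0], STANDARD_ACL[2]]


def walkthrough(acl: List[AclEntry]) -> dict:
    """Answer the page's four questions for a given list."""
    return {name: evaluate(acl, addr) for name, addr in
            (("B", HOST_B), ("C", HOST_C), ("D", HOST_D), ("Internet", INTERNET_USER))}


if __name__ == "__main__":
    for line in to_ios(2, STANDARD_ACL):
        print(line)
    print("correct order:", walkthrough(STANDARD_ACL))
    print("misordered:   ", walkthrough(MISORDERED_ACL))
    print("empty list applied:", evaluate([], INTERNET_USER))
    print("one line entered:  ", evaluate(STANDARD_ACL[:1], HOST_C))
```

Running it shows the "live list" effect from the page as well: an empty list applied to the interface permits the Internet user, but the moment the single permit line for host B exists, host C and everyone else fall through to the implicit deny.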