ShackelfordMidgett442

From campus.mephi.ru


To pass the CCNA exam, you have to be able to write and troubleshoot access lists. As you climb the ladder toward the CCNP and CCIE, you will see more and more uses for ACLs, so you had better know the basics!

The use of "host" and "any" confuses some newcomers to ACLs, so let's take a look at that first.

It is acceptable to configure a wildcard mask of all ones or all zeroes. A wildcard mask of 0.0.0.0 means the address specified in the ACL line must be matched exactly; a wildcard mask of 255.255.255.255 means that every address will match the line.

As an alternative, the keyword host can be used in place of a wildcard mask of 0.0.0.0. Consider a configuration where only packets from IP source 10.1.1.1 should be permitted and all other packets denied. The following two ACLs both do that.

R3#conf t

R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0

R3#conf t

R3(config)#access-list 7 permit host 10.1.1.1

The keyword any can be used to represent a wildcard mask of 255.255.255.255.

R3(config)#access-list 15 permit any

Another often overlooked detail is the order of the lines in an ACL. Even in a two- or three-line ACL, the order of the lines is vital.

Consider a situation where packets sourced from 172.18.18.0/24 should be denied, but all others permitted. The following ACL does that.

R3#conf t

R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255

R3(config)#access-list 15 permit any

The preceding example also illustrates how important it is to configure the ACL with its lines in the right order to get the desired result. What would happen if the lines were reversed?

R3#conf t

R3(config)#access-list 15 permit any

R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255

If the lines were reversed, traffic from 172.18.18.0/24 would be matched against the first line of the ACL. The first line is "permit any", meaning all traffic is permitted. The traffic from 172.18.18.0/24 matches that line, the traffic is permitted, and the ACL stops processing. The statement denying the traffic from 172.18.18.0/24 is never reached.
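To make the first-match rule, the implicit deny, and the host/any shorthand concrete, here is an added Python simulation of standard ACL evaluation (not from the original page and not Cisco IOS code). It assumes the numbered standard-ACL syntax shown above; the ACL lists below are constructed from the page's own lines.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 0 bit in the mask must match the
    base address exactly, a 1 bit is "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w == 0

def parse_ace(line):
    """Parse one standard numbered ACL line into (action, base, wildcard).
    Assumed syntax (the forms used on this page):
      access-list <n> permit|deny any
      access-list <n> permit|deny host <addr>
      access-list <n> permit|deny <addr> [<wildcard>]  (wildcard defaults to 0.0.0.0)
    Anything else is rejected rather than guessed at."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, src = t[2], t[3]
    if src == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if src == "host":
        return action, t[4], "0.0.0.0"
    return action, src, (t[4] if len(t) > 4 else "0.0.0.0")

def evaluate(acl, src_addr):
    """Return (action, index of the matching line). Lines are checked
    top-down and the first match wins; if nothing matches, the implicit
    'deny any' at the end of every ACL applies (index None)."""
    for i, line in enumerate(acl):
        action, base, wc = parse_ace(line)
        if wildcard_match(src_addr, base, wc):
            return action, i
    return "deny", None

# ACLs from the page, constructed here as plain strings.
ACL_HOST = ["access-list 7 permit host 10.1.1.1"]
CORRECT_ORDER = ["access-list 15 deny 172.18.18.0 0.0.0.255",
                 "access-list 15 permit any"]
REVERSED_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ORDER), ("reversed", REVERSED_ORDER)):
        print(name, evaluate(acl, "172.18.18.9"), evaluate(acl, "10.1.1.1"))
    print("host", evaluate(ACL_HOST, "10.1.1.1"), evaluate(ACL_HOST, "10.1.1.2"))
```

With the reversed list, a 172.18.18.0/24 source is permitted by line 0 and the deny line is never consulted; with the host ACL, any source other than 10.1.1.1 falls through to the implicit deny.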

The key to writing and troubleshooting access lists is to take an extra moment to read the list over and make sure it will do what you intend it to do. It is much better to catch your mistake on paper than after the ACL has been applied to an interface!