CCNA4 (Chapter4)

11 September 2022
14 test answers

question
Which statement describes a difference between the operation of inbound and outbound ACLs?
answer
Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed.
Refer to curriculum topic: 4.4.1
With an inbound ACL, incoming packets are processed before they are routed. With an outbound ACL, packets are first routed to the outbound interface, then they are processed. Thus inbound processing is more efficient from the router's perspective. The structure, filtering methods, and limitations (on an interface, only one inbound and one outbound ACL can be configured) are the same for both types of ACLs.
question
Which statement describes a characteristic of standard IPv4 ACLs?
answer
They filter traffic based on source IP addresses only.
Refer to curriculum topic: 4.1.2
A standard IPv4 ACL can filter traffic based on source IP addresses only. Unlike an extended ACL, it cannot filter traffic based on Layer 4 ports. However, both standard and extended ACLs can be identified with either a number or a name, and both are configured in global configuration mode.
question
Which IPv4 address range covers all IP addresses that match the ACL filter specified by 172.16.2.0 with wildcard mask 0.0.1.255?
answer
172.16.2.0 to 172.16.3.255
Refer to curriculum topic: 9.1.3
The wildcard mask 0.0.1.255 means the first 23 bits are matched and the last 9 bits are ignored. That is, a matching IP address should be from 172.16.2.0 to 172.16.3.255 (where the last 9 bits range from all 0s to all 1s, including any value in between).
question
Match each statement with the example subnet and wildcard that it describes. (Not all options are used.)
answer
- Hosts in a subnet with the subnet mask 255.255.252.0: 192.168.5.0 0.0.3.255
- All IP address bits must match exactly: host 192.168.15.2
- The first valid host address in a subnet: 192.168.15.65 255.255.255.240
- Subnetwork addresses of a subnet with 14 valid host addresses: 192.168.15.144 0.0.0.15
- Addresses with a subnet mask of 255.255.255.248: 192.168.3.64 0.0.0.7
Refer to curriculum topic: 4.2.2
Converting the wildcard mask 0.0.3.255 to binary and subtracting it from 255.255.255.255 yields a subnet mask of 255.255.252.0. Using the host keyword in place of a wildcard mask requires that all bits match the given address. 192.168.15.65 is the first valid host address in a subnetwork beginning with the subnetwork address 192.168.15.64. The subnet mask contains 4 host bits, yielding subnets with 16 addresses. 192.168.15.144 is a valid subnetwork address in a similar subnetwork. Change the wildcard mask 0.0.0.15 to binary and subtract it from 255.255.255.255, and the resulting subnet mask is 255.255.255.240. 192.168.3.64 is a subnetwork address in a subnet with 8 addresses. Convert 0.0.0.7 to binary and subtract it from 255.255.255.255, and the resulting subnet mask is 255.255.255.248. That mask contains 3 host bits, and yields 8 addresses.
question
Which three statements describe ACL processing of packets? (Choose three.)
answer
1. An implicit deny any rejects any packet that does not match any ACL statement.
2. A packet can either be rejected or forwarded as directed by the statement that is matched.
3. Each statement is checked only until a match is detected or until the end of the ACL statement list is reached.
Refer to curriculum topic: 4.1.1
ACLs are processed in a top-down manner. When an ACL is inspected, if the information in a packet header and an ACL statement match, the remaining statements are not examined, and the packet is either denied or permitted through as specified by the ACL. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. Every ACL has an implied deny at the end of the list. This implied deny statement is applied to all packets for which conditions did not test true.
question
A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)
answer
1. Router1(config)# access-list 10 permit host 192.168.15.23
2. Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0
Refer to curriculum topic: 4.1.2
To permit or deny one specific IP address, either the wildcard mask 0.0.0.0 (used after the IP address) or the wildcard mask keyword host (used before the IP address) can be used.
question
A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)
answer
1. 172.16.0.255
2. 172.16.15.36
Refer to curriculum topic: 4.1.1
The wildcard mask indicates that any IP address within the range of 172.16.0.0 to 172.16.15.255 matches.
question
Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)
answer
1. host
2. any
Refer to curriculum topic: 4.1.3
The two keywords that can be used when configuring ACLs are host and any. The host keyword is equivalent to using the 0.0.0.0 wildcard mask and the any keyword could be used instead of the 255.255.255.255 wildcard mask.
question
What is the only type of ACL available for IPv6?
answer
named extended
Refer to curriculum topic: 4.3.1
Unlike IPv4, IPv6 has only one type of access list and that is the named extended access list.
question
Fill in the blanks. Use dotted decimal format. The wildcard mask that is associated with 192.168.12.96/27 is _______________
answer
0.0.0.31
Refer to curriculum topic: 4.1.1
The wildcard mask can be found by subtracting the subnet mask from 255.255.255.255.
question
What range of IP addresses is represented by the network and wildcard mask 192.168.70.0 0.0.0.127?
answer
192.168.70.0 to 192.168.70.127
Refer to curriculum topic: 4.1.1
The number of 1s in the wildcard mask represents the number of 0s in the subnet mask. The range of IP addresses for this network would be 192.168.70.0 - 192.168.70.127 with 192.168.70.127 being the broadcast address.
question
Which three implicit access control entries are automatically added to the end of an IPv6 ACL? (Choose three.)
answer
1. deny ipv6 any any
2. permit icmp any any nd-ns
3. permit icmp any any nd-na
Refer to curriculum topic: 4.3.1
All IPv6 ACLs automatically include two implicit permit statements: permit icmp any any nd-ns and permit icmp any any nd-na. These statements allow the router interface to perform neighbor discovery operations. There is also an implicit deny ipv6 any any automatically included at the very end of any IPv6 ACL that blocks all IPv6 packets not otherwise permitted.
question
An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command correctly applies the ACL?
answer
R1(config-line)# access-class 1 in
Refer to curriculum topic: 4.3.2
Administrative access over SSH to the router is through the vty lines. Therefore, the ACL must be applied to those lines in the inbound direction. This is accomplished by entering line configuration mode and issuing the access-class command.
question
Refer to the exhibit. A network administrator configures a named ACL on the router. Why is there no output displayed when the show command is issued?
answer
The ACL name is case sensitive.
Refer to curriculum topic: 4.1.3
The name in a named ACL is alphanumeric, case sensitive and unique. Thus, the router treats access_network and ACCESS_NETWORK as if they are two separate ACLs.