WooleryCrowell499
To pass the CCNA exam, you have to be able to write and troubleshoot access lists. As you climb the ladder toward the CCNP and CCIE, you'll see many more uses for ACLs. Consequently, you had better know the fundamentals!
The use of "host" and "any" confuses some newcomers to ACLs, so let's take a look at that first.
It is acceptable to configure a wildcard mask of all ones or all zeroes. A wildcard mask of 0.0.0.0 means the address specified in the ACL line must be matched exactly; a wildcard mask of 255.255.255.255 means that every address will match the line.
You also have the option of using the keyword host to represent a wildcard mask of 0.0.0.0. Consider a configuration where only packets from IP source 10.1.1.1 should be permitted and all other packets denied. The following two ACLs both do that; the explicit deny is not needed, because every IOS ACL ends with an implicit "deny any" that drops whatever no earlier line matched.
R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0
R3(config)#access-list 7 permit host 10.1.1.1
The keyword any represents a source of 0.0.0.0 with a wildcard mask of 255.255.255.255, so the line matches every address.
R3(config)#access-list 8 permit any
Another often-overlooked detail is the order of the lines in an ACL. Even in a two- or three-line ACL, the order of the lines matters.
Consider a situation where packets sourced from 172.18.18.0/24 must be denied, but all others permitted. The following ACL does that.
R3#conf t
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
R3(config)#access-list 15 permit any
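An ACL does nothing until it is applied to an interface, and the quickest way to confirm it is behaving as intended is to watch the per-line match counters. The following is an added example, not part of the original article: it applies ACL 15 inbound on an assumed interface name (FastEthernet0/0 is a placeholder; use whichever interface faces the 172.18.18.0/24 source on your router) and then displays the list with its hit counts.

```cisco
R3#conf t
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
R3(config)#access-list 15 permit any
! FastEthernet0/0 is an assumed interface name for this example
R3(config)#interface FastEthernet0/0
R3(config-if)#ip access-group 15 in
R3(config-if)#end
! Each line shows "(N matches)" once traffic has hit it; a deny line that
! never accumulates matches while 172.18.18.0/24 traffic is flowing is the
! symptom of a line-order mistake.
R3#show access-lists 15
! Confirms which ACL is applied, and in which direction, on the interface.
R3#show ip interface FastEthernet0/0 | include access list
```

Apply the list only after reading it through once more: an ACL with the lines in the wrong order, applied inbound on a production interface, is far more painful to diagnose from a console than from a sheet of paper.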
The earlier example also illustrates the importance of configuring the ACL with the lines in the right order to get the desired result. What would happen if the lines were reversed?
R3#conf t
R3(config)#access-list 15 permit any
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
If the lines were reversed, traffic from 172.18.18.0/24 would be compared against the first line of the ACL. The first line is "permit any", which matches all traffic. The traffic from 172.18.18.0/24 matches that line, the traffic is permitted, and ACL processing stops at that first match. The statement denying traffic from 172.18.18.0/24 is never evaluated, and nothing is denied at all.
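To make the host/any wildcard rules and the first-match, implicit-deny behaviour concrete, here is an added example that is not from the original article: a small Python model of how IOS evaluates a standard ACL against a source address. It parses the same entry syntax used above (any, host, explicit wildcard, and the mask-omitted form that IOS treats as 0.0.0.0), returns which line matched, and includes an `unreachable_entries` check that flags lines fully shadowed by an earlier line, which is exactly the reversed-order mistake. The ACLs and addresses in the test calls are constructed samples.

```python
# Added example, not code from the original article: a toy model of
# Cisco IOS standard-ACL evaluation (wildcard masks, host/any, first match,
# implicit deny). Entry strings use IOS keyword syntax; all addresses and
# ACLs used below are constructed samples.
import ipaddress

FULL = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard mask.

    A wildcard bit of 0 means "this bit must equal base"; a bit of 1 means
    "don't care". So 0.0.0.0 requires an exact match and 255.255.255.255
    matches every address.
    """
    care = _ip(wildcard) ^ FULL  # bits that must match
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_entry(entry: str):
    """Parse one standard-ACL entry into (action, base, wildcard).

    Accepted forms (the ones the article uses):
      'permit any'                -> 0.0.0.0 255.255.255.255
      'permit host 10.1.1.1'      -> 10.1.1.1 0.0.0.0
      'permit 10.1.1.1 0.0.0.0'
      'deny 172.18.18.0 0.0.0.255'
      'permit 10.1.1.1'           -> IOS assumes 0.0.0.0 when the mask is omitted
    """
    tokens = entry.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACL entry: {entry!r}")
    action, rest = tokens[0], tokens[1:]
    if rest[0] == "any":
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        base, wildcard = rest[1], "0.0.0.0"
    else:
        base = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return action, base, wildcard


def evaluate(acl, src):
    """Return (action, line_number) for the first entry matching src.

    Processing stops at the first match. If no line matches, the implicit
    'deny any' at the end of every IOS ACL applies and line_number is None.
    """
    for number, entry in enumerate(acl, start=1):
        action, base, wildcard = parse_entry(entry)
        if wildcard_match(src, base, wildcard):
            return action, number
    return "deny", None


def unreachable_entries(acl):
    """Line numbers of entries that can never match because an earlier
    entry already covers every address they would match (the 'permit any'
    placed before 'deny 172.18.18.0 0.0.0.255' mistake from the article)."""
    parsed = [parse_entry(e)[1:] for e in acl]
    shadowed = []
    for j, (b2, w2) in enumerate(parsed):
        wj = _ip(w2)
        for b1, w1 in parsed[:j]:
            care = _ip(w1) ^ FULL  # bits the earlier entry fixes
            # Later entry is a subset of the earlier one when every bit the
            # later entry leaves free is also free earlier, and the bits the
            # earlier entry fixes agree between the two bases.
            if (wj & care) == 0 and (_ip(b1) & care) == (_ip(b2) & care):
                shadowed.append(j + 1)
                break
    return shadowed


if __name__ == "__main__":
    right = ["deny 172.18.18.0 0.0.0.255", "permit any"]
    wrong = ["permit any", "deny 172.18.18.0 0.0.0.255"]
    print(evaluate(right, "172.18.18.7"))                # ('deny', 1)
    print(evaluate(wrong, "172.18.18.7"))                # ('permit', 1)
    print(unreachable_entries(wrong))                    # [2]
    print(evaluate(["permit host 10.1.1.1"], "10.1.1.2"))  # ('deny', None)
```

Running `unreachable_entries` over a list before applying it is the "read it over on paper" step done mechanically: any line number it returns is a line that will never fire, and in the reversed example that line is the deny you were counting on.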
The key to writing and troubleshooting access lists is to take an extra moment to read the list over and make sure it will do what you intend. It's better to catch your mistake on paper than after the ACL has been applied to an interface!