To pass the CCNA exam, you have to be able to write and troubleshoot access lists. As you climb the ladder toward the CCNP and CCIE, you'll see more and more uses for ACLs. Therefore, you had better know the basics!

The use of "host" and "any" confuses some newcomers to ACLs, so let's take a look at that first.

It is acceptable to configure a wildcard mask of all ones or all zeroes. A wildcard mask of 0.0.0.0 means the address specified in the ACL line must be matched exactly; a wildcard mask of 255.255.255.255 means that all addresses will match the line.

Wildcard masks have the option of using the word host to represent a wildcard mask of 0.0.0.0. Consider a configuration where only packets from IP source 10.1.1.1 should be allowed and all other packets denied. The following ACLs both do that.

R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0
R3(config)#conf t
R3(config)#access-list 7 permit host 10.1.1.1

The keyword any can be used to represent a wildcard mask of 255.255.255.255.

R3(config)#access-list 15 permit any

Another often overlooked detail is the order of the lines in an ACL. Even in a two- or three-line ACL, the order of the lines is vital.

Consider a situation where packets sourced from 172.18.18.0/24 will be denied, but all others will be permitted. The following ACL would do that.

R3#conf t
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
R3(config)#access-list 15 permit any

The previous example also illustrates the importance of configuring the ACL with the lines in the correct order to get the desired results. What would be the result if the lines were reversed?

R3#conf t
R3(config)#access-list 15 permit any
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255

If the lines were reversed, traffic from 172.18.18.0/24 would be matched against the first line of the ACL.
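To make the wildcard-mask and line-order behaviour concrete, here is an added example (not part of the original article, and not IOS code) that models how a standard ACL is evaluated: each line is tried in order, a 0 bit in the wildcard must match and a 1 bit is ignored, and a packet that matches no line hits the implicit deny. It is fed the exact ACLs from the text, including the reversed access-list 15, to show that the reversed order permits the 172.18.18.0/24 traffic the author wanted blocked.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)


def parse_line(line: str):
    """Parse 'access-list N permit|deny <source>' into (action, base, wildcard).

    Handles the three source forms from the article: 'any', 'host A.B.C.D',
    and 'A.B.C.D W.X.Y.Z'. A bare address with no wildcard is treated as
    an exact host match (wildcard 0.0.0.0), which is the IOS default.
    """
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, src = tokens[2], tokens[3:]
    if src[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if src[0] == "host":
        return action, src[1], "0.0.0.0"
    return action, src[0], (src[1] if len(src) > 1 else "0.0.0.0")


def evaluate(acl_lines, src_addr: str) -> str:
    """First-match evaluation; anything unmatched falls to the implicit deny."""
    for line in acl_lines:
        action, base, wildcard = parse_line(line)
        if wildcard_match(src_addr, base, wildcard):
            return action
    return "deny"


# The ACLs from the article, as configured on R3.
ACL_6 = ["access-list 6 permit 10.1.1.1 0.0.0.0"]
ACL_7 = ["access-list 7 permit host 10.1.1.1"]
ACL_15_CORRECT = ["access-list 15 deny 172.18.18.0 0.0.0.255",
                  "access-list 15 permit any"]
ACL_15_REVERSED = list(reversed(ACL_15_CORRECT))

if __name__ == "__main__":
    # 172.18.18.77 is a constructed sample source inside the denied /24.
    for name, acl in [("correct", ACL_15_CORRECT), ("reversed", ACL_15_REVERSED)]:
        print(f"access-list 15 ({name}): 172.18.18.77 ->", evaluate(acl, "172.18.18.77"))
```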