Cisco Systems RJ-45-to-AUX ∙ Managing Hypertext Transfer Protocol Http access, Access Lists, 256

∙Managing Hypertext Transfer Protocol (HTTP) access

Access Lists

An access list is a list of conditions that control access to the switch, router, or route processor. IP, AppleTalk, and Internetwork Packet Exchange (IPX) access lists are like gatekeepers that control access from or to different segments of the network. After you build an access list, it can be applied to an inbound interface or an outbound interface. Once it has been applied to the interface, an implied “deny all” appears at the end of each access list.

The packets are filtered by comparing an identified value and acting upon a permit or deny statement. The list compares the packets receiving information (such as the source and destination addresses) to the values in your access list. If a match is made, the list follows the order to permit or deny the data. If a packet is denied, an Internet Control Message Protocol (ICMP) message is sent to the sending interface listed in the packet header, notifying the requester that the packet has been denied.

In Figure 13.2, the source address of 10.1.128.6 is trying to send a data packet to 10.1.128.10. Because the configured access list doesn’t contain a permit statement for the source address, the access list automatically denies the packet.

Figure 13.2: The request from x.x.128.6 to x.x.128.10 encounters an access list with no permit statement applied to the interface. As a result, the request is denied.

Before you apply the access list to the currently used management station using a console port or virtual terminal port, always remember to check that you have a permit statement near the top of your access list for the management station you are using. You won’t believe how many times we have had to deal with an administrator who is unfamiliar with access lists and who has locked himself out of his own internal or external route processor.

Tip It is important to remember that an access list is read in the order that it is configured. Here’s an analogy: Suppose you’re walking down a lane in a parking lot, looking for your car. Once you find your car, you don’t continue looking. Access lists work the same way—if the access list makes a match, it does not continue looking for further instructions.

Access List Types

There are two types of access lists: standard and extended. Both types permit or deny based on certain criteria. The standard access list allows a permit or deny statement based only on the source address. The extended access list is a bit more complex—it allows you to permit or deny based on the source address, destination address, protocol type, application type, or port number of the packet.

Standard IP and IPX addresses are the easiest to configure. The configuration statement requires an access list number, a permit or deny statement, and then the source address. This statement allows packets originating from the identified source address to be permitted or denied through the interface to which the access list is applied. Let’s take a look at an example of permitting the source address from Figure 13.2 on access list 2:

CAT5KRSM (config)# access−list 2 permit 10.1.128.6

To identify a subnet in one statement, use a wildcard value after the IP address. If a wildcard value is not present, the source address must match completely. The wildcard value looks a lot like a subnet mask. A 0 in the wildcard string indicates that the value must match exactly in the same octet as the IP address; the value 255 allows any number in the corresponding octet of the IP address to be used. Let’s look at the following

256