이 블로그의 실습 툴은 cisco paket tracer을 사용합니다.

구성도

standard_1

192.168.1.100 deny

1~99
src ip address 로 permit/deny

ACL 목록

Router0#sh ip access-lists
Router0(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list

ACL 생성

Ruter0(config)#access-list 1 deny 192.168.1.100 
Router0#sh ip access-lists 
Standard IP access list 1
    10 deny host 192.168.1.100

ACL 적용 : 대상 - int

Router0(config-if)#ip access-group 1 ?
  in   inbound packets
  out  outbound packets
Router0(config-if)#ip access-group 1 in

192.168.1.100]
C:\>ping 192.168.2.100
Pinging 192.168.2.100 with 32 bytes of data:
Reply from 192.168.1.254: Destination host unreachable.

인터페이스 정보로 확인

Router0#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up (connected)
  Internet address is 192.168.1.254/24
  Broadcast address is 255.255.255.255
~
  Outgoing access list is not set
  Inbound  access list is 1

다른 host 들은 통신이 되는가?

192.168.1.200]
c:\>ping 192.168.1.100
Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time=7ms TTL=128
Reply from 192.168.1.100: bytes=32 time<1ms TTL=128

C:\>ping 192.168.1.254
Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: Destination host unreachable
  • 모든 조건에 해당되지 않으면 ALL Deny
  • 항상 조건의 마지막에 기본값으로 “ALL Deny”정책이 지정되어 있다.
Router0#sh ip access-lists 
Standard IP access list 1
    10 deny host 192.168.1.100 (8 match(es))
  • 마지막 줄에 Deny ALL이 보이지 않는다.
  • 적용 순서가 위에서 아래로 적용
  • 이런상황은 마지막줄 deny all 만나기 전에 permit any 로 설정
Router0(config)#access-list 1 permit any
Router0(config)#access-list 1 permit ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address

Router0#sh ip access-lists 1
Standard IP access list 1
    deny host 192.168.1.100 (8 match(es))
    permit any
  • 마지막 줄 Deny ALL이 보이지 않는다.
Router0(config)#access-list 1 permit any
Router0(config)#access-list 1 permit ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address

Router0#sh ip access-lists 1
Standard IP access list 1
    deny host 192.168.1.100 (8 match(es))
    permit any

192.168.1.100 만 permit , 나머지는 deny

Router0(config)#access-list 1 permit 192.168.1.100
Router0(config-if)#ip access-group 1 out

192.168.1.200]
C:\>ping 192.168.2.100
Reply from 192.168.1.254: Destination host unreachable

192.168.1.100]
C:\>ping 192.168.2.100
Reply from 192.168.2.100: bytes=32 time=10ms TTL=126

Router0#sh ip access-lists 
Standard IP access list 1
    10 permit host 192.168.1.100 (4 match(es))
	  **마지막 줄 deny all (보이지는 않음)**
  • ACL 적용순서는 위에서 아래로 비교하면서 적용