Dalam penggunaan standart akses list memiliki aturan. contoh penggunaan standart akses list :
Router_A(config)#access-list 1 deny 172.16.5.2 0.0.0.0 Router_A(config)#access-list 1 deny 172.16.5.3 0.0.0.0 Router_A(config)#access-list 1 permit any
The previous example is a standard IP access list that denies the hosts 172.16.5.2 and 172.16.5.3, while allowing all other traffic. The list is applied sequentially from the top down as the router checks the packets arriving at the interface where this access list is applied, in order to check if the packets match the permit and deny statements. In the process of applying the access list, the router first checks an arriving packet to determine if it matches the deny 172.16.5.2 0.0.0.0 statement. If it does, the router discards the packet. If it does not, the router applies the second statement, deny 172.16.5.3 0.0.0.0. If the packet matches the second statement, the router discards the packet. Once again, if the packet does not meet the rules of the first two lines, the router applies the final permit any statement, and the packet is forwarded through the interface.
If you wish to remove an access-list, you use the no access-list (list #) command. For example, to remove the above list, you enter global configuration mode and type the no access-list command. The information below shows the correct procedure for typing this command.
From Global Configuration mode, type in:
access-list [access-list-number] [deny/permit] [ wildcard mask] interface [interface-number] ip access-group [number of list] in/out
access-list 5 permit 188.8.131.52 0.0.0.255 access-list 5 permit 10.0.5.0 0.0.0.255 int fa0/0 ip access-group 5 in
The above example permits traffic from two specific networks. Note that the access-list must be defined, and assigned an interface. An access-list by itself (not assigned to an interface) doesn’t do anything at all.
“in” or “out” refer to the traffic into, or out of, the router that is being configured.
From Global configuration mode type:
ip access-list standard [name] deny [wildcard mask or keyword any] OR permit [wildcard mask or keyword any]
Problems with Access Lists
I. One of the most common problems associated with access lists is a lack of planning. Before you even begin the process of creating access lists on your router, you must plan exactly what needs to be filtered and where it needs to be filtered.
II. Another troublesome area is the sequential nature in which you must enter the lists into the router. You cannot remove individual statements once they are entered. When making changes, you must remove the list, using the no access-list command, and then retype the commands.
You can remove an entry in the access-list by using the “ip access-list” command.
gw(config)#access-list 77 permit 184.108.40.206 gw(config)#access-list 77 permit 220.127.116.11 gw(config)#do show access-list 77 Standard IP access list 77 10 permit 18.104.22.168 20 permit 22.214.171.124 gw(config)#ip access-list standard 77 gw(config-std-nacl)#no 10 permit 126.96.36.199 gw(config-std-nacl)#do show access-list 77 Standard IP access list 77 20 permit 188.8.131.52
III. Finally, many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list. An access list begins to work the second it’s applied to an interface. It’s very possible that many new administrators will find themselves inadvertently blocked from the same router on which they’re applying the access list.