Ex Te ND Ed: Access Lists

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 42

A CL

Ex An y

te Lists
0.0
Access
0.0.

nd permit
Workbook
Version 1.2

Instructor’s Edition

ed access-group
deny
access-list Wildcard Mask

Standard
Access-List Numbers
IP Standard 1 t 99
o
IP Extended 100 t 19
o 9
Ethernet Type Code 200 t 29
o 9
Ethernet Address 700 t 79
o 9
DECnet and Extended DECnet 300 t 39
o 9
XNS 400 t 49
o 9
Extended XNS 500 t 59
o 9
Appletalk 600 t 69
o 9
48-bit MAC Addresses 700 t 79
o 9
IPX Standard 800 t 89
o 9
IPX Extended 900 t 99
o 9
IPX SAP (service advertisement 100 t 10
protocol) 0 o 99
IPX SAP SPX 100 t 10
0 o 99
Extended 48-bit MAC Addresses 110 t 11
0 o 99
IPX NLSP 120 t 12
0 o 99
IP Standard, expanded range 130 t 19
0 o 99
IP Extended, expanded range 200 t 26
0 o 99
SS7 (voice) 270 t 29
0 o 99
Standard Vines 1 t 10
o 0
Extended Vines 101 t 20
o 0
Simple Vines 201 t 30
o 0
Transparent bridging (protocol type) 200 t 29
o 9
Transparent bridging (vendor type) 700 t 79
o 9
Extended Transparent bridging 110 t 11
0 o 99
Source-route bridging (protocol 200 t 29
type) o 9
Source-route bridging (vendor type) 700 t 79
o 9

Produced by: Robb Jones


[email protected]
Frederick County Career & Technology Center
Cisco Networking Academy
Frederick County Public Schools
Frederick, Maryland, USA

Special Thanks to Melvin Baker and Jim Dorsch


for taking the time to check this workbook for errors.

Instructors (and anyone else for that matter) please do not post the Instructors version on public websites.
When you do this your giving everyone else worldwide the answers. Yes, students look for answers this
way.
It also discourages others; myself included, from posting high quality materials.
Inside Cover
What are Access Control Lists?
ACLs...
...are a sequential list of instructions that tell a router which packets to permit or deny.

General Access Lists Information


Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it stops comparing and
permits or denys the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed protocol must
have a different ACL for each interface.
...must be applied to an interface to work.

How routers use Access Lists


(Outbound Port - Default)
The router checks to see if the packet is routable. If it is it looks up
the route in its routing table.

The router then checks for an ACL on that outbound interface.

If there is no ACL the router switches the packet out that interface to its
destination.

If there is an ACL the router checks the packet against the access list
statements sequentially. Then permits or denys each packet as it is
matched.

If the packet does not match any statement written in the ACL it is
denyed because there is an implicit “deny any” statement at the end of
every ACL.

1
Standard Access Lists
Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) only source addresses.
...do not have any destination information so it must placed as close to the destination
as possible.
...work at layer 3 of the OSI model.

Why standard ACLs are placed close to the


destination.
If you want to block traffic from Juan’s computer from reaching Janet’s
computer with a standard access list you would place the ACL close to
the destination on Router D, interface E0. Since its using only the
source address to permit or deny packets the ACL here will not effect
packets reaching Routers B, or C.

Router B Router D S1
S1 S0 E0
Router A Router C
E0
S0 S1 S0
E0 E0

Janet’s
Matt’s
Computer
Computer

Juan’s Jimmy’s
Computer Computer

If you place the ACL on router A to block traffic to Router D it


will also block all packets going to Routers B, and C; because all
the packets will have the same source address.
Standard Access List Placement
Sample Problems

FA0 FA1

Router A

Juan’s Jan’s
Computer Computer

In order to permit packets from Juan’s computer to arrive at


Jan’s computer you would place the standard access list at
router interface FA1.

E0 S 0 E
S1 1
Router A Router
B

Lisa’s
Computer Paul’s
Computer

Lisa has been sending unnecessary information to Paul. Where


would you place the standard ACL to deny all traffic from Lisa to
Paul? Router Name Router B Interface E1
Where would you place the standard ACL to deny traffic from
Paul to Lisa?
Router Name Router A Interface E0
Standard Access List Placement
Router B
S1 S0
Router A
E0 FA1
S0 S1
S1 Router C

Ricky’s Jenny’s
Computer Computer
Amanda’s
Computer

Carrol’s Kathy’s
George’s
Computer Computer
Computer

S1
Router D E0 Jeff’s
S0 Computer

Jim’s
Computer

S1
E0 S0 FA1
S1
Router E Router F

Linda’s Jackie’s
Sarah’s Melvin’s
Computer Computer
Computer Computer
Standard Access List Placement
1. Where would you place a standard access list
to permit traffic from Ricky’s computer to reach Router Name Router D
Jeff’s computer? Interface E0

2. Where would you place a standard access list


to deny traffic from Melvin’s computer from Router Name Router A
reaching Jenny’s computer? Interface E0
3. Where would you place a standard access list
to Router Name Router C
deny traffic to Carrol’s computer from Interface FA1
Sarah’s computer?

4. Where would you place a standard access list Router Name Router D
to permit traffic from Ricky’s computer to reach Interface E0
Jeff’s computer?

5. Where would you place a standard access list Router Name Router D
to deny traffic from Amanda’s computer from Interface E0
reaching Jeff and Jim’s computer?

6. Where would you place a standard access list to Router Name Router E
permit traffic from Jackie’s computer to reach Interface E0
Linda’s computer?

7. Where would you place a standard access list Router Name Router C
to permit traffic from Ricky’s computer to reach Interface FA1
Carrol and Amanda’s computer?

8. Where would you place a standard access list to Router Name Router A
deny traffic to Jenny’s computer from Interface E0
Jackie’s computer?
from
9. Where would you place a standard access list to
permit traffic from George’s computer to reach
Linda and Sarah’s computer?

10. Where would you place an ACL to deny traffic


from Jeff’s computer from reaching George’s
computer?

11. Where would you place a standard access list


to deny traffic to Sarah’s computer from Ricky’s
computer?

12. Where would you place an ACL to deny traffic


Router Name Router E Router Name Router E
Interface E0 Interface E0

Router Name Router C Router Name Router F


Interface FA1
Linda’s computer from reaching Jackie’s
computer?
Interface FA1
Extended Access Lists
Extended Access Lists...
...are numbered from 100 to 199.
...filter (permit or deny) based on the:source address
destination address protocol
port number
... are placed close to the source.
...work at both layer 3 and 4 of the OSI model.

Why extended ACLs are placed close to the source.

If you want to deny traffic from Juan’s computer from reaching


Janet’s computer with an extended access list you would place the
ACL close to the source on Router A, interface E0. Since it can permit
or deny based on the destination address it can reduce backbone
overhead and not effect traffic to Routers B, or C.
Router B Router D S1
S1 S0 E0
Router A Router C
FA0
S0 S1 S0
E0 E0

Matt’s Janet’s
Computer Computer

Juan’s Jimmy’s
Computer Computer

If you place the ACL on Router E to block traffic from Router A, it


will work. However, Routers B, and C will have to route the
packet before it is finally blocked at Router E. This increases the
volume of useless network traffic.
Extended Access List
Placement Sample
Problems

E0 E1

Router A

Juan’s Jan’s
Computer Computer

In order to permit packets from Juan’s computer to arrive


at Jan’s computer you would place the extended access
list at router interface E0 .

FA0 S 0 FA
S1 1
Router A Router
B

Lisa’s Paul’s
Computer Computer

Lisa has been sending unnecessary information to Paul. Where would


you place the extended ACL to deny all traffic from Lisa to Paul?
Router Name Router A Interface FA0
Where would you place the extended ACL to deny traffic from Paul
to Lisa?
Router Name Router B Interface FA1
Extended Access List Placement
Router B
S1 S0
Router A
FA0 E1
S0 S1
S1 Router C

Ricky’s Jenny’s
Computer Computer Amanda’s
Computer

Carrol’s Kathy’s
George’s
Computer Computer
Computer

S1
Router D FA0 Jeff’
s
S0 Computer

Jim’s
Computer

S1
FA0 S0 FA1
S1
Router E Router F

Linda’s Jackie’s
Sarah’s Melvin’s
Computer Computer
Computer Computer
Extended Access List Placement
1. Where would you place an ACL to deny traffic
from Jeff’s computer from reaching George’s Router Name Router D
computer? Interface FA0
2. Where would you place an extended access list to Router Name Router F
permit traffic from Jackie’s computer to reach Interface FA1
Linda’s computer?

3. Where would you place an extended access list Router Name Router A
to deny traffic to Carrol’s computer from Ricky’s Interface FA0
computer?

4. Where would you place an extended access list Router Name Router F
to deny traffic to Sarah’s computer from Jackie’s Interface FA1
computer?

5. Where would you place an extended access list Router Name


to
permit traffic from Carrol’s computer to reach Jeff’s Interface
computer?

6. Where would you place an extended access list Router Name Router F
to
deny traffic from Melvin’s computer from reaching Interface FA1
Jeff and Jim’s computer?

7. Where would you place an extended access list Router Name Router C
to permit traffic from George’s computer to reach Interface E1
Jeff’s computer?

8. Where would you place an extended access list to Router Name Router D
permit traffic from Jim’s computer to reach Carrol Interface FA0
and Amanda’s computer?

9. Where would you place an ACL to deny traffic Router Name Router E
from Linda’s computer from reaching Kathy’s Interface FA0
computer?
Router Name Router E
10. Where would you place an extended access Interface FA0
list to deny traffic to Jenny’s computer from
Sarah’s computer?
Router Name Router C
11. Where would you place an extended access list
to
permit traffic from George’s computer to reach Interface E1
Linda and Sarah’s computer?
12. Where would you place an
extended access list to deny traffic from Linda’s
computer from reaching Jenny’s computer? Router Name Router E
Interface FA0
Choosing to Filter Incoming or Outgoing Packets
Access Lists on your incoming port...
...requires less CPU processing.
...filters and denys packets before the router has to make a routing decision.

Access Lists on your outgoing port...


...are outbound by default unless otherwise specified.
...increases the CPU processing time because the routing decision is made and the
packet switched to the correct outgoing port before it is tested against the ACL.

Breakdown of a Standard ACL Statement


permit
or wildcard
deny mask

access-list 1 permit 192.168.90.36 0.0.0.0

autonomous
source address
number 1
to 99

permit or deny
source
address

access-list 78 deny host 192.168.90.36 log

autonomous indicates a (Optional)


number 1 specific host generates a log
to 99 address entry on the
router for each
packet that
matches this
statement

10
Breakdown of an Extended ACL Statement
protocol
icp,
icmp,
tcp, source destinatio
udp, wildcar n
autonomou
ip,
s number d mask wildcard
etc.
100 to 199 mask

access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0

permit or deny
source destinatio
address n
address

port
protocol
number
icp,
icmp, (23 = telnet)
tcp, udp,
autonomou ip, indicates destinatio
s number etc. a specific n
100 to 199 host address

access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log

permi
t or source indicates operator
address a specific eq for =
deny
host gt for >
lt for <
Protocols Include: neg for
=

IP IGMP IPINIP (Optional)


TCP GRE OSPF generates a log
UDP IGRP NOS entry on the
ICMP EIGRP Integer 0-255 router for each
packet that
To match any internet protocol use IP. matches this
statement
What are Named Access Control Lists?
Named ACLs...
...are standard or extended ACLs which have an alphanumeric name instead of a
number. (ie. 1-99 or 100-199)

Named Access Lists Information


Named Access Lists...
...identify ACLs with an intuutive name instead of a number.
...eliminate the limits imposed by using numbered ACLs. (798 for standard and 799 for
extended)
...provide the ability to modify your ACLs without deleting and reloading the revised
access list. It will only allow you to add statements to the end of the exsisting
statements.
...are not compatable with any IOS prior to Release 11.2.
...can not repeat the same name on multiple ACLs.

Applying a Standard Named Access List


called “George”
Write a named standard access list called “George” on Router A, interface E1 to block
Melvin’s computer from sending information to Kathy’s computer; but will allow all
other traffic.

Place the access list at:


Router Name: Router A
Interface: E1
Access-list Name: George

[Writing and installing an ACL]

Router# configure terminal (or config t)


Router(config)#ip access-list standard George
Router(config-std-nacl)# deny host
72.16.70.35 Router(config-std-nacl)# access-
list permit any Router(config-std-nacl)#
interface e1 Router(config-if)# ip access-
group George out Router(config-if)# exit
Router(config)# exit
Applying an extended Named Access List
called “Gracie”

Write a named extended access list called “Gracie” on Router A, Interface E0 called “Gracie” to deny HTTP traffic intended
for web server 192.168.207.27, but will permit all other HTTP traffic to reach the only the 192.168.207.0 network. Deny all
other IP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be
written.

Place the access list at:


Router Name: Router A
Interface: E0
Access-list Mail: Gracie

[Writing and installing an ACL]

Router# configure terminal (or config t)


Router(config)#ip access-list extended Gracie
Router(config-ext-nacl)# deny tcp any host 192.168.207.27 eq www
Router(config-ext-nacl)# permit tcp any 192.168.207.0 0.0.0.255 eq
www Router(config-ext-nacl)# interface e0
Router(config-if)# ip access-group Gracie in
Router(config-if)# exit
Router(config)# exit

13
Choices for Using Wildcard Masks
Wildcard masks are usually set up to do one of four things:
1. Match a specific host.
2. Match an entire subnet.
3. Match a specific range.
4. Match all addresses.

1. Matching a specific host.


For standard access lists:
Access-List 10 permit 192.168.150.50 0.0.0.0
or
Access-List 10 permit 192.168.150.50 (standard ACL’s
assume a 0.0.0.0 mask)
or
Access-List 10 permit host 192.168.150.50

For extended access lists:


Access-list 110 deny ip 192.168.150.50 0.0.0.0
any or
Access-list 110 deny ip host 192.168.150.50 any

2. Matching an entire subnet


Example 1
Address: 192.168.50.0 Subnet Mask: 255.255.255.0

Access-list 25 deny 192.168.50.0 0.0.0.255

Example 2
Address: 172.16.0.0 Subnet Mask: 255.255.0.0

Access-list 12 permit 172.16.0.0 0.0.255.255

Example 3
Address: 10.0.0.0 Subnet Mask: 255.0.0.0

Access-list 125 deny udp 10.0.0.0 0.255.255.255 any

14
3. Match a specific range

Example 1
Address: 10.250.50.112 Subnet Mask: 255.255.255.224
255. 255.255.255
Custom Subnet mask: -255. 255.255.224
Wildcard: 0. 0. 0. 31
Access-list 125 permit udp 10.250.50.112 0.0.0.31 any

Example 2
Address Range: 192.168.16.0 to 192.168.16.127
192. 168. 16.127
-192. 168. 16. 0
Wildcard: 0. 0. 0.127
Access-list 125 deny ip 192.168.16.0 0.0.0.127 any
(This ACL would block the lower half of the subnet.)

Example 3
Address: 172.250.16.32 to 172.250.31.63
172. 250. 31. 63
-172. 250. 16. 32
Wildcard: 0. 0. 15. 31

Access-list 125 permit ip 172.250.16.32 0.0.15.31 any

4. Match everyone.

For standard access lists:


Access-List 15 permit any
or
Access-List 15 deny 0.0.0.0 255.255.255.255

For extended access lists:


Access-List 175 permit ip any any
or
Access-List 175 deny tcp 0.0.0.0 255.255.255.255 any
Creating Wildcard Masks
Just like a subnet mask the wildcard mask tells the router what part of the
address to check or ignore. Zero (0) must match exactly, one (1) will be
ignored.

The source address can be a single address, a range of addresses,


or an entire subnet.

As a rule of thumb the wildcard mask is the reverse of the subnet mask.

Example #1:
IP Address and subnet mask: 204.100.100.0 255.255.255.0
IP Address and wildcard mask: 204.100.100.0 0.0.0.255

All zero’s (or 0.0.0.0) means the address must match exactly.

Example #2:
10.10.150.95 0.0.0.0 (This address must match exactly.)

One’s will be ignored.

Example #3:
10.10.150.95 0.0.0.255 (Any 10.10.150.0 subnet address will match.
10.10.150.0 to 10.10.150.255)

This also works with subnets.

Example #4:
IP Address and subnet mask: 192.170.25.30 255.255.255.224
IP Address and wildcard mask: 192.170.25.30 0.0.0.31
(Subtract the subnet mask from
255.255.255.255 to create the wildcard)

Do the math... 255 - 255 = 0 (This is the inverse of the subnet


mask.) 255 - 224 = 31

Example #5:
IP Address and subnet mask: 172.24.128.0 255.255.128.0
IP Address and wildcard mask: 172.24.128.0 0.0.127.255

Do the math... 255 - 255 = 0 (This is the inverse of the subnet mask.)
255 - 128 = 127
255 - 0 = 255
Wildcard Mask Problems
1. Create a wildcard mask to match this exact address.
IP Address: 192.168.25.70
Subnet Mask: 0 . 0 . 0 .0
255.255.255.0

2. Create a wildcard mask to match this range.


IP Address: 210.150.10.0
Subnet Mask: 0 . 0 . 0 . 255
255.255.255.0

3. Create a wildcard mask to match this host.


IP Address: 195.190.10.35
Subnet Mask: 0 . 0 . 0 .0
255.255.255.0

4. Create a wildcard mask to match this range.


IP Address: 172.16.0.0
Subnet Mask: 0 . 0 . 255 . 255
255.255.0.0

5. Create a wildcard mask to match this range.


IP Address: 10.0.0.0
Subnet Mask: 0 . 255 . 255 . 255
255.0.0.0

6. Create a wildcard mask to match this exact address.


IP Address: 165.100.0.130
Subnet Mask: 0 . 0 . 0 .0
255.255.255.192

7. Create a wildcard mask to match this range.


IP Address: 192.10.10.16
Subnet Mask: 0 . 0 . 0 . 31
255.255.255.224

8. Create a wildcard mask to match this range.


IP Address: 171.50.75.128
Subnet Mask: 0 . 0 . 0 . 63
255.255.255.192

9. Create a wildcard mask to match this host.


IP Address:
10.250.30.2 0 . 0 . 0 .0
Subnet Mask: 255.0.0.0

10. Create a wildcard mask to match this range.


IP Address: 210.150.28.16 Subnet Mask: 255.255.255.248
0. 0. 0.7
11. Create a wildcard mask to match this range.
IP Address: 172.18.0.0
Subnet Mask: 0 . 0 . 31 . 255
255.255.224.0

12. Create a wildcard mask to match this range.


IP Address: 135.35.230.32
Subnet Mask: 0. 0. 0.7
255.255.255.248
Wildcard Mask Problems
Based on the given information list the usable source addresses or range of
usable source addresses that would be permitted or denied for each access
list statement.

1. access-list 10 permit 192.168.150.50 0.0.0.0

Answer: 192.168.150.50

2. access-list 5 permit any

Answer: Any address

3. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments

Answer: 195.223.50.1 to 195.223.50.63

4. access-list 11 deny 210.10.10.0 0.0.0.255

Answer: 210.10.10.1 to 210.10.10.254

5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255

Answer: 192.220.10.1 to 192.220.10.15

6. access-list 171 deny any host 175.18.24.10 fragments

Answer: Any Address

7. access-list 105 permit 192.168.15.0 0.0.0.255 any

Answer: 192.168.15.1 to 192.168.15.254

8. access-list 109 permit tcp 172.16.10.0 0.0.0.255 host 192.168.10.1 eq 80

Answer: 172.16.10.1 to 172.16.10.254

9. access-list 111 permit ip any any

Answer: Any Address

10. access-list 195 permit udp 172.30.12.0 0.0.0.127 172.50.10.0 0.0.0.255

Answer: 172.30.12.1 to 172.30.12.127


11. access-list 110 permit ip 192.168.15.0 0.0.0.3 192.168.30.10 0.0.0.0

Answer: 192.168.15.1 to 192.168.15.3

12. access-list 120 permit ip 192.168.15.0 0.0.0.7 192.168.30.10 0.0.0.0

Answer: 192.168.15.1 to 192.168.15.7

13. access-list 130 permit ip 192.168.15.0 0.0.0.15 192.168.30.10 0.0.0.0

Answer: 192.168.15.1 to 192.168.15.15

14. access-list 140 permit ip 192.168.15.0 0.0.0.31 192.168.30.10 0.0.0.0

Answer: 192.168.15.1 to 192.168.15.31

15. access-list 150 permit ip 192.168.15.0 0.0.0.63 192.168.30.10 0.0.0.0

Answer: 192.168.15.1 to 192.168.15.63

16. access-list 101 Permit ip 192.168.15.0 0.0.0.127 192.168.30.10 0.0.0.0

Answer: 192.168.15.1 to 192.168.15.127

17. access-list 185 permit ip 192.168.15.0 0.0.0.255 192.168.30.0 0.0.0.255

Answer: 192.168.15.1 to 192.168.15.254

18. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 gt 22

Answer: 172.16.0.1 to 172.16.1.254

19. access-list 195 permit icmp 172.85.0.0 0.0.15.255 172.50.10.0 0.0.0.255

Answer: 172.85.0.1 to 172.85.15.254

20. access-list 10 permit 175.15.120.0 0.0.0.255

Answer: 175.15.120.1 to 175.15.120.254

21. access-list 190 permit tcp 172.15.0.0 0.0.15.31 any

Answer: 172.15.0.1 to 172.15.15.31

22. access-list 100 permit ip 10.0.0.0 0.255.255.255 172.50.10.0 0.0.0.255

Answer: 10.0.0.1 to 10.255.255.254


Wildcard Mask Problems
Based on the given information list the usable destination addresses or range
of usable destination addresses that would be permitted or denied for each
access list statement.

1.access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments

Answer: 172.168.10.1

2. access-list 115 permit any any

Answer: Any address

3. access-list 150 permit ip 192.168.30.10 0.0.0.0 192.168.15.0 0.0.0.63

Answer: 192.168.15.1 to 192.168.15.63

4. access-list 120 deny tcp 172.32.4.0 0.0.0.255 192.220.10.0 0.0.0.15

Answer: 192.220.10.1 to 192.220.10.15

5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255

Answer: 172.32.4.1 to 172.32.4.254

6. access-list 101 deny ip 140.130.110.100 0.0.0.0 0.0.0.0 255.255.255.255

Answer: Any Address

7. access-list 105 permit any 192.168.15.0 0.0.0.255

Answer: 192.168.15.1 to 192.168.15.254

8. access-list 120 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.7

Answer: 192.168.30.1 to 192.168.30.7

9. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 eq 21

Answer: 172.18.10.18

10. access-list 150 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.63

Answer: 192.168.30.1 to 192.168.30.63


Writing
Standard Access Lists...
Router A
172.16.70.1 192.168.90.2
E1
E
S0
0
Frank’s
Jim’s
Computer 210.30.28.0 Computer
172.16.70.32 192.168.90.36 Kathy’s
Computer
Melvin’s 192.168.90.38
Computer
172.16.70.35

Standard Access List Sample #1


Write a standard access list to block Melvin’s computer from sending information to Kathy’s
computer; but will allow all other traffic. Keep in mind that there may be multiple ways many of
the individual statements in an ACL can be written.

Place the access list at:


Router Name: Router A
Interface: E1
Access-list #: 10

[Writing and installing an ACL]

Router# configure terminal (or config t)


Router(config)# access-list 10 deny 172.16.70.35
or
access-list 10 deny 172.16.70.35
0.0.0.0 or
access-list 10 deny host 172.16.70.35
Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255
or
access-list 10 permit
any
Router(config)# interface e1
Router(config-if)# ip access-group 10 out
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACL’s]

Router# show configuration(This will show which access groups are associated
with particular interfaces)

Router# show access list 10 (This will show detailed information about this ACL)

22
Standard Access List Sample #2
Write a standard access list to block Jim’s computer from sending information to Frank’s
computer; but will allow all other traffic from the 192.168.90.0 network. Permit all traffic from
the 210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Keep in
mind that there may be multiple ways many of the individual statements in an ACL can be
written.

Place the access list at:


Router Name: Router A
Interface: E0
Access-list #: 28

[Writing and installing an ACL]

Router# configure terminal


Router(config)# access-list 28 deny 192.168.90.36
or
access-list 28 deny 192.168.90.36 0.0.0.0
or
access-list 28 deny host 192.168.90.36
Router(config)# access-list 28 permit 192.168.90.0 0.0.0.255
Router(config)# access-list 28 permit 210.30.28.0 0.0.0.255
Router(config)# interface e0
Router(config-if)# ip access-group 28
out Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACL’s]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]

Router# configure terminal


Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# no access-list 28
Router(config)# exit
FA0 223.190.32.1 S0
Router A

Router B
S1 FA1 192.16.32.94

FA0

Michael’s 172.16.28.36 Debbie’s


Computer Computer
223.190.32.16 192.16.32.95

Standard Access List Problem #1


Write a standard access list to block Debbie’s computer from receiving information from
Michael’s computer; but will allow all other traffic. List all the command line options for this
problem. Keep in mind that there may be multiple ways many of the individual statements
in an ACL can be written.

Place the access list at:


Router Name: Router B
Interface: FA1
Access-list #: 35 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config) access-list 35 deny 223.190.32.16


# or
access-list 35 deny host 223.190.32.16
or
access-list 35 deny 223.190.32.16 0.0.0.0

Router(config)# access-list 35 permit any


or
access-list 35 permit 0.0.0.0 255.255.255.255

Router(config-if)#
exit
Router(config)#
exit

24
Standard Access List Problem #2
Write a standard access list to permit Debbie’s computer to receive information from
Michael’s computer; but will deny all other traffic from the 224.190.32.0 network. Block all
traffic from the 172.16.0.0 network. Permit all other traffic. List all the command line
options for this problem. Keep in mind that there may be multiple ways many of the
individual statements in an ACL can be written.

Place the access list at:


Router Name: Router B
Interface: FA0
Access-list #: 40 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)
# access-list 40 permit 223.190.32.16
or
access-list 40 permit host 223.190.32.16
or
access-list 40 permit 223.190.32.16 0.0.0.0

Router(config)# access-list 40 deny 223.190.32.0 0.0.0.255

Router(config)# access-list 40 deny 172.16.0.0 0.0.255.255

Router(config)# access-list 40 permit any


or
access-list 40 permit 0.0.0.0 255.255.255.255

Router(config)# interface FA0

Router(config-if)# ip access-group 40 in or
Router(config-if)# exit out (circle one)
Router(config)# exit
Router A
204.90.30.124 E0
S0
10.250.30.35 Router B
Jim’s
S1 FA1 Computer

Carol’s 10.250.30.36 192.168.88.4 192.168.88.5


Computer
Rodney’s
Computer
204.90.30.125
204.90.30.126

Standard Access List Problem #3


Write a standard access list to block Rodney and Carol’s computer from sending
information to Jim’s computer; but will allow all other traffic from the 204.90.30.0 network.
Block all other traffic. Keep in mind that there may be multiple ways many of the individual
statements in an ACL can be written.

Place the access list at:


Router Name: Router B
Interface: FA1
Access-list #: 45 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config) access-list 45 deny 204.90.30.125


# or
access-list 45 deny host 204.90.30.125
or access-list 45 deny 204.90.30.125 0.0.0.0

or access-list 45 deny 204.90.30.126


access-list 45 deny host 204.90.30.126
or access-list 45 deny 204.90.30.126 0.0.0.0

access-list 45 permit 204.90.30.0 0.0.0.255


Router(config)# interface FA1

Router(config-if)# ip access-group 45 in or out (circle one)

Router(config-if)#
exit
Router(config)#
exit
26
Standard Access List Problem #4
Using a minimum number of commands write a standard access list named “Ralph” to
block Carol’s computer from sending information to Jim’s computer; but will permit Jim to
receive data from Rodney. Block the upper half of the 204.90.30.0 range from reaching
Jim’s computer while permitting the lower half of the range. Block all other traffic. For help
with blocking the upper half of the range review page 13 or the wildcard mask problems on
pages 16 and 17. For help with named ACLs review pages 12 and 13.

Place the access list at:


Router Name: Router B
Interface: FA1
Access-list Name: Ralph

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# ip access-list standard Ralph

Router(config-std-nacl)# permit 204.90.30.0 0.0.0.127

Router(config-std-nacl)# interface FA1

Router(config-if)# ip access-
group Router(config-if)# exit Ralp in or out (circle one)
Router(config)# exit h
Router B
S1 S0
Router A
172.30.225.1 E1
S0 S1 212.180.10.5
E0
S1 Router C

172.30.225.2 212.180.10.6
172.30.225.3
212.180.10.2

Standard Access List Problem #5


Write a standard access list to block 172.30.225.2 and 172.30.225.3 from sending
information to the 212.180.10.0 network; but will allow all other traffic. Keep in mind that
there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:


Router Name: Router C
Interface: E1
Access-list #: 55 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config) 55 deny host 172.30.225.2


# access-list 55 deny 172.30.225.2 0.0.0.0
or access-list
55 deny or access-list 55 deny 172.30.225.3
172.30.225.2 or access-list 55 deny host 172.30.225.3
access-list access-list 55 deny 172.30.225.3 0.0.0.0
or
access-list 55 permit any

Router(config)# interface E1

Router(config-if)# ip access-group 55 in or out (circle one)

Router(config-if)#
exit
Router(config)#
exit

28
Standard Access List Problem #6
Write a standard access list to block and log 212.180.10.2 from sending information to the
172.30.225.0 network. Permit and log 212.180.10.6 to send data to the 172.30.225.0 network.
Deny all other traffic. Keep in mind that there may be multiple ways many of the individual
statements in an ACL can be written. (Check the example on page 10 for help with the
logging option.)

Place the access list at:


Router Name: Router A
Interface: E0
Access-list #: 60 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config) access-list 60 deny 212.180.10.2 log


# or
or access-list 60 deny host 212.180.10.2 log
access-list 60 deny 212.180.10.2 0.0.0.0 log

access-list 60 permit 212.180.10.6 log


or
access-list 60 permit host 212.180.10.6 log
or
access-list 60 permit 212.180.10.6 0.0.0.0 log

Router(config)# interface E0

Router(config-if)# ip access-group 60 in or out (circle one)


Router A Router C
S0
S1
S1 FA0
FA0 198.32.10.25
Router B
192.168.15.172 S0

210.140.15.1 FA1

192.168.15.3
210.140.15.8 198.32.10.25

Standard Access List Problem #7


Write a standard access list to block the addresses 192.168.15.1 to 192.168.15.31 from
sending information to the 210.140.15.0 network. Do not permit any traffic from
198.32.10.25 to reach the 210.140.15.0 network. Permit all other traffic. For help with this
problem review page 13 or the wildcard mask problems on pages 16 and 17.

Place the access list at:


Router Name: Router B
Interface: FA1
Access-list #: 65 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)
# access-list 65 deny 192.168.15.0 0.0.0.31

or access-list 65 deny 198.32.10.25


or access-list 65 deny host 198.32.10.25
access-list 65 deny 198.32.10.25 0.0.0.0

access-list 65 permit any

Router(config)# interface FA1


Router(config-if)# ip access-group 65 in or out (circle one)
Standard Access List Problem #8
Write a standard named access list called “Cisco_Lab_A” to permit traffic from the lower half
of the 198.32.10.0 network to reach 192.168.15.0 network; block the upper half of the
addresses. Allow host 198.32.10.192 to reach network 192.168.15.0. Permit all other traffic.
For help with this problem review page 13 or the wildcard masks problems on pages 16 and
17. For assistance with named ACLs review pages 12 and 13.

Place the access list at:


Router Name: Router A
Interface: FA0
Access-list Name: Cisco_Lab_A

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config) access-list standard Cisco_Lab_A


#

Router(config-std-nacl)# permit 198.32.10.0 0.0.0.127

deny 198.32.10.0 0.0.0.255

permit any

FA0 Router(
Router(config-std-nacl)# interface config-
if)# ip
access-group
Cisco_Lab_A in or

Out (circle one)


Standard Access List Problem #9
Write a standard access list to block network 192.168.255.0 from receiving information from
the following addresses: 10.250.1.1, 10.250.2.1, 10.250.4.1, and the entire 10.250.3.0
255.255.255.0 network. Allow all other traffic. Keep in mind that there may be multiple
ways many of the individual statements in an ACL can be written.

Place the access list at:


Router Name: Router A
Interface: FA0
Access-list #: 75 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config) access-list 75 deny 10.250.1.1


# or
oraccess-list 75 deny host 10.250.1.1
access-list 75 deny 10.250.1.1 0.0.0.0

oraccess-list 75 deny 10.250.2.1


oraccess-list 75 deny host 10.250.2.1
access-list 75 deny 10.250.2.1 0.0.0.0

oraccess-list 75 deny 10.250.4.1


access-list 75 deny host 10.250.4.1
or
access-list 75 deny 10.250.4.1 0.0.0.0

access-list 75 deny 10.250.3.0 0.0.0.255

access-list 75 permit any

Router(config)# interface FA0

Router(config-if)# ip access-group 75 in or out (circle one)

Router(config-if)#
exit
Router(config)#
exit

32

You might also like