Extended Access Lists
Workbook
Version 1.2
Instructor’s Edition
Access-List Numbers
IP Standard                               1 to 99
IP Extended                               100 to 199
Ethernet Type Code                        200 to 299
Ethernet Address                          700 to 799
DECnet and Extended DECnet                300 to 399
XNS                                       400 to 499
Extended XNS                              500 to 599
Appletalk                                 600 to 699
48-bit MAC Addresses                      700 to 799
IPX Standard                              800 to 899
IPX Extended                              900 to 999
IPX SAP (service advertisement protocol)  1000 to 1099
IPX SAP SPX                               1000 to 1099
Extended 48-bit MAC Addresses             1100 to 1199
IPX NLSP                                  1200 to 1299
IP Standard, expanded range               1300 to 1999
IP Extended, expanded range               2000 to 2699
SS7 (voice)                               2700 to 2999
Standard Vines                            1 to 100
Extended Vines                            101 to 200
Simple Vines                              201 to 300
Transparent bridging (protocol type)      200 to 299
Transparent bridging (vendor type)        700 to 799
Extended Transparent bridging             1100 to 1199
Source-route bridging (protocol type)     200 to 299
Source-route bridging (vendor type)       700 to 799
Instructors (and anyone else for that matter) please do not post the Instructor’s version on public websites.
When you do this you’re giving everyone else worldwide the answers. Yes, students look for answers this way.
It also discourages others, myself included, from posting high quality materials.
Inside Cover
What are Access Control Lists?
ACLs...
...are a sequential list of instructions that tell a router which packets to permit or deny.
If there is no ACL on an interface, the router switches the packet out that interface toward its destination.
If there is an ACL, the router checks the packet against the access list statements in order, top to bottom, and permits or denies the packet at the first statement it matches.
If the packet does not match any statement written in the ACL it is denied, because there is an implicit “deny any” statement at the end of every ACL.
1
Standard Access Lists
Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) on source addresses only.
...carry no destination information, so they must be placed as close to the destination as possible.
...work at layer 3 of the OSI model.
[Network diagram: Routers A, B, C, D, E and F joined by serial links (S0, S1) with Ethernet interfaces (E0, FA0, FA1); attached computers: Janet’s, Matt’s, Juan’s, Jimmy’s, Jan’s, Lisa’s, Paul’s, Ricky’s, Jenny’s, Amanda’s, Carrol’s, Kathy’s, George’s, Jeff’s, Jim’s, Linda’s, Jackie’s, Sarah’s, Melvin’s]
Standard Access List Placement
1. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer?
Router Name: Router D, Interface: E0
4. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer?
Router Name: Router D, Interface: E0
5. Where would you place a standard access list to deny traffic from Amanda’s computer from reaching Jeff and Jim’s computers?
Router Name: Router D, Interface: E0
6. Where would you place a standard access list to permit traffic from Jackie’s computer to reach Linda’s computer?
Router Name: Router E, Interface: E0
7. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Carrol and Amanda’s computers?
Router Name: Router C, Interface: FA1
8. Where would you place a standard access list to deny traffic to Jenny’s computer from Jackie’s computer?
Router Name: Router A, Interface: E0
9. Where would you place a standard access list to permit traffic from George’s computer to reach Linda and Sarah’s computers?
[Network diagram (same topology, Fast Ethernet interfaces): Routers A, B, C, D, E and F with interfaces E0, E1, FA0, FA1, S0, S1; attached computers: Matt’s, Janet’s, Juan’s, Jimmy’s, Jan’s, Lisa’s, Paul’s, Ricky’s, Jenny’s, Amanda’s, Carrol’s, Kathy’s, George’s, Jeff’s, Jim’s, Linda’s, Jackie’s, Sarah’s, Melvin’s]
Extended Access List Placement
1. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer?
Router Name: Router D, Interface: FA0
2. Where would you place an extended access list to permit traffic from Jackie’s computer to reach Linda’s computer?
Router Name: Router F, Interface: FA1
3. Where would you place an extended access list to deny traffic to Carrol’s computer from Ricky’s computer?
Router Name: Router A, Interface: FA0
4. Where would you place an extended access list to deny traffic to Sarah’s computer from Jackie’s computer?
Router Name: Router F, Interface: FA1
6. Where would you place an extended access list to deny traffic from Melvin’s computer from reaching Jeff and Jim’s computers?
Router Name: Router F, Interface: FA1
7. Where would you place an extended access list to permit traffic from George’s computer to reach Jeff’s computer?
Router Name: Router C, Interface: E1
8. Where would you place an extended access list to permit traffic from Jim’s computer to reach Carrol and Amanda’s computers?
Router Name: Router D, Interface: FA0
9. Where would you place an ACL to deny traffic from Linda’s computer from reaching Kathy’s computer?
Router Name: Router E, Interface: FA0
10. Where would you place an extended access list to deny traffic to Jenny’s computer from Sarah’s computer?
Router Name: Router E, Interface: FA0
11. Where would you place an extended access list to permit traffic from George’s computer to reach Linda and Sarah’s computers?
Router Name: Router C, Interface: E1
12. Where would you place an extended access list to deny traffic from Linda’s computer from reaching Jenny’s computer?
Router Name: Router E, Interface: FA0
Choosing to Filter Incoming or Outgoing Packets
Access Lists on your incoming port...
...require less CPU processing.
...filter and deny packets before the router has to make a routing decision.
[Figure: breakdown of a standard ACL statement: access-list number (1 to 99), permit or deny, source address]
10
Breakdown of an Extended ACL Statement
[Figure: fields of an extended ACL statement, in order]
access-list number: 100 to 199
permit or deny
protocol: icp, icmp, tcp, udp, ip, etc.
source address and source wildcard mask (“host” indicates a specific host address)
destination address and destination wildcard mask (“host” indicates a specific host address)
operator: eq for =, gt for >, lt for <, neq for not equal
port number (23 = telnet)
Protocols include: icp, icmp, tcp, udp, ip, etc.
Write a named extended access list called “Gracie” on Router A, Interface E0, to deny HTTP traffic intended
for web server 192.168.207.27 but permit all other HTTP traffic to reach only the 192.168.207.0 network. Deny all
other IP traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.
13
Choices for Using Wildcard Masks
Wildcard masks are usually set up to do one of four things:
1. Match a specific host.
2. Match an entire subnet.
3. Match a specific range.
4. Match all addresses.
Example 2
Address: 172.16.0.0 Subnet Mask: 255.255.0.0
Example 3
Address: 10.0.0.0 Subnet Mask: 255.0.0.0
14
3. Match a specific range
Example 1
Address: 10.250.50.112 Subnet Mask: 255.255.255.224
  255.255.255.255
- 255.255.255.224 (custom subnet mask)
Wildcard: 0.0.0.31
Access-list 125 permit udp 10.250.50.112 0.0.0.31 any
Example 2
Address Range: 192.168.16.0 to 192.168.16.127
  192.168.16.127
- 192.168.16.0
Wildcard: 0.0.0.127
Access-list 125 deny ip 192.168.16.0 0.0.0.127 any
(This ACL would block the lower half of the subnet.)
Example 3
Address Range: 172.250.16.32 to 172.250.31.63
  172.250.31.63
- 172.250.16.32
Wildcard: 0.0.15.31
4. Match everyone.
As a rule of thumb the wildcard mask is the inverse of the subnet mask.
Example #1:
IP Address and subnet mask: 204.100.100.0 255.255.255.0
IP Address and wildcard mask: 204.100.100.0 0.0.0.255
All zeros (or 0.0.0.0) means the address must match exactly.
Example #2:
10.10.150.95 0.0.0.0 (This address must match exactly.)
Example #3:
10.10.150.95 0.0.0.255 (Any address on the 10.10.150.0 subnet will match: 10.10.150.0 to 10.10.150.255.)
Example #4:
IP Address and subnet mask: 192.170.25.30 255.255.255.224
IP Address and wildcard mask: 192.170.25.30 0.0.0.31
(Subtract the subnet mask from 255.255.255.255 to create the wildcard.)
Example #5:
IP Address and subnet mask: 172.24.128.0 255.255.128.0
IP Address and wildcard mask: 172.24.128.0 0.0.127.255
Do the math, octet by octet (the wildcard is the inverse of the subnet mask):
255 - 255 = 0
255 - 128 = 127
255 - 0 = 255
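The wildcard arithmetic of this section and the first-match, implicit-deny evaluation described under “What are Access Control Lists?”, as an added Python example that is not part of the workbook. The ACL contents are constructed from the sample statements on this page; the function names are the example’s own.

```python
# Added example, not from the workbook: wildcard-mask arithmetic from this
# section plus first-match evaluation of a standard ACL with the implicit
# "deny any". The ACL below is constructed from the page's sample statements.
import ipaddress

def wildcard_from_subnet_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet (the rule of thumb)."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def wildcard_from_range(low: str, high: str) -> str:
    """High address minus low address, octet by octet (the workbook's method).
    Only exact when the range is a block whose size is a power of two and
    whose start is aligned on that size, e.g. 192.168.16.0 to .127."""
    return ".".join(str(int(h) - int(l))
                    for h, l in zip(high.split("."), low.split(".")))

def matches(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; 0 means that bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def covered_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address a base/wildcard pair actually matches.
    Shows that 10.250.50.112 0.0.0.31 covers the whole /27, .96 to .127."""
    b, w = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard))
    return (str(ipaddress.IPv4Address(b & ~w)), str(ipaddress.IPv4Address(b | w)))

def evaluate_standard_acl(acl, source: str) -> str:
    """Standard ACL: statements are tested in order against the source
    address only; the first match decides, and an unmatched packet is denied."""
    for action, base, wildcard in acl:
        if matches(source, base, wildcard):
            return action
    return "deny"   # the implicit "deny any" at the end of every ACL

# Constructed from the page's sample statements (statement order matters).
ACL_125 = [
    ("permit", "10.250.50.112", "0.0.0.31"),   # the /27 block around the host
    ("deny",   "192.168.16.0",  "0.0.0.127"),  # lower half of 192.168.16.0/24
    ("permit", "192.168.16.0",  "0.0.0.255"),  # upper half still reaches here
]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.224"))           # 0.0.0.31
    print(wildcard_from_range("172.250.16.32", "172.250.31.63"))  # 0.0.15.31
    print(covered_range("10.250.50.112", "0.0.0.31"))
    for src in ("192.168.16.100", "192.168.16.200", "172.16.1.1"):
        print(src, evaluate_standard_acl(ACL_125, src))
```

Note that covered_range shows the real effect of a base/wildcard pair: the bits under the wildcard are ignored, so 10.250.50.112 0.0.0.31 matches 10.250.50.96 through 10.250.50.127, not just the host written in the statement.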
Wildcard Mask Problems
1. Create a wildcard mask to match this exact address.
IP Address: 192.168.25.70
Subnet Mask: 255.255.255.0
Answer (wildcard mask): 0.0.0.0
Answer: 192.168.150.50
Answer: 172.168.10.1
Answer: 172.18.10.18
Router# show configuration (This will show which access groups are associated with particular interfaces.)
Router# show access-list 10 (This will show detailed information about this ACL.)
22
Standard Access List Sample #2
Write a standard access list to block Jim’s computer from sending information to Frank’s
computer, but allow all other traffic from the 192.168.90.0 network. Permit all traffic from
the 210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Keep in
mind that many of the individual statements in an ACL can be written in more than one way.
[Disabling ACLs]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# exit
[Removing an ACL]
[Network diagram: Router B with interfaces S1, FA0 and FA1; host 192.16.32.94]
Router(config-if)# exit
Router(config)# exit
24
Standard Access List Problem #2
Write a standard access list to permit Debbie’s computer to receive information from
Michael’s computer, but deny all other traffic from the 224.190.32.0 network. Block all
traffic from the 172.16.0.0 network. Permit all other traffic. List all the command line
options for this problem. Keep in mind that many of the individual statements in an ACL can be written in more than one way.
Router(config)# access-list 40 permit 223.190.32.16
or access-list 40 permit host 223.190.32.16
or access-list 40 permit 223.190.32.16 0.0.0.0
Router(config-if)# ip access-group 40 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
[Network diagram: Router A (E0, S0; host 204.90.30.124) linked to Router B (S1, FA1; host 10.250.30.35, Jim’s Computer)]
Router(config-if)# exit
Router(config)# exit
26
Standard Access List Problem #4
Using a minimum number of commands, write a standard access list named “Ralph” to
block Carol’s computer from sending information to Jim’s computer, but permit Jim to
receive data from Rodney. Block the upper half of the 204.90.30.0 range from reaching
Jim’s computer while permitting the lower half of the range. Block all other traffic. For help
with blocking the upper half of the range review page 13 or the wildcard mask problems on
pages 16 and 17. For help with named ACLs review pages 12 and 13.
Router(config-if)# ip access-group Ralph in or out (circle one)
Router(config-if)# exit
Router(config)# exit
[Network diagram: Router A (E0, E1, S0, S1), Router B (S0, S1) and Router C (S1); hosts 172.30.225.1, 172.30.225.2, 172.30.225.3, 212.180.10.2, 212.180.10.5, 212.180.10.6]
Router(config)# interface E1
Router(config-if)# exit
Router(config)# exit
28
Standard Access List Problem #6
Write a standard access list to block and log 212.180.10.2 from sending information to the
172.30.225.0 network. Permit and log 212.180.10.6 to send data to the 172.30.225.0 network.
Deny all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way. (Check the example on page 10 for help with the
logging option.)
Router(config)# interface E0
[Network diagram: interfaces FA0 and FA1; hosts 210.140.15.1, 210.140.15.8, 192.168.15.3, 198.32.10.25]
Router(config)# access-list 65 deny 192.168.15.0 0.0.0.31
permit any
Router(config-std-nacl)# interface
Router(config-if)# ip access-group Cisco_Lab_A in or out (circle one)
Router(config-if)# exit
Router(config)# exit
32