Extended

ACL
Any

Access
0.0.0.0
Lists

Workbook
Version 1.0

Instructor’s Edition

permit
deny

access-list

Standard

access-group
Wildcard Mask

Access-List Numbers
IP Standard
IP Extended
Ethernet Type Code
Ethernet Address
DECnet and Extended DECnet
XNS
Extended XNS
Appletalk
48-bit MAC Addresses
IPX Standard
IPX Extended
IPX SAP (service advertisement protocol)
IPX SAP SPX
Extended 48-bit MAC Addresses
IPX NLSP
IP Standard, expanded range
IP Extended, expanded range
SS7 (voice)
Standard Vines
Extended Vines
Simple Vines
Transparent bridging (protocol type)
Transparent bridging (vender type)
Extended Transparent bridging
Source-route bridging (protocol type)
Source-route bridging (vender type)

1
100
200
700
300
400
500
600
700
800
900
1000
1000
1100
1200
1300
2000
2700
1
101
201
200
700
1100
200
700

to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to

99
199
299
799
399
499
599
699
799
899
999
1099
1099
1199
1299
1999
2699
2999
100
200
300
299
799
1199
299
799

Produced by: Robb Jones
jonesr@careertech.net
Frederick County Career & Technology Center
Cisco Networking Academy
Frederick County Public Schools
Frederick, Maryland, USA
Special Thanks to Melvin Baker and Jim Dorsch
for taking the time to check this workbook for errors.
Instructors (and anyone else for that matter) please do not post the Instructors version on public websites.
When you do this your giving everyone else worldwide the answers. Yes, students look for answers this way.
It also discourages others; myself included, from posting high quality materials.
Inside Cover

What are Access Control Lists?
ACLs...
...are a sequential list of instructions that tell a router which packets to
permit or deny.

General Access Lists Information
Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it
stops comparing and permits or denys the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed
protocol must have a different ACL for each interface.
...must be applied to an interface to work.

How routers use Access Lists
(Outbound Port - Default)
The router checks to see if the packet is routable. If it is it looks up
the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL the router switches the packet out that interface to its
destination.
If there is an ACL the router checks the packet against the access list
statements sequentially. Then permits or denys each packet as it is
matched.
If the packet does not match any statement written in the ACL it is
denyed because there is an implicit “deny any” statement at the end of
every ACL.

1

.Standard Access Lists Standard Access Lists. If you want to block traffic from Juan’s computer from reaching Janet’s computer with a standard access list you would place the ACL close to the destination on Router D.... interface E0. 2 Router D S1 E0 .work at layer 3 of the OSI model... Why standard ACLs are placed close to the destination.. because all the packets will have the same source address.. Router A Router B S0 S1 E0 S0 Router C S1 E0 S0 E0 Janet’s Computer Matt’s Computer Juan’s Computer Jimmy’s Computer If you place the ACL on router A to block traffic to Router D it will also block all packets going to Routers B. . and C... Since its using only the source address to permit or deny packets the ACL here will not effect packets reaching Routers B.filter (permit or deny) only source addresses. .are numbered from 1 to 99..do not have any destination information so it must placed as close to the destination as possible. . or C.

FA1 E0 S0 Router A Lisa’s Computer E1 S1 Router B Paul’s Computer Lisa has been sending unnecessary information to Paul.Standard Access List Placement Sample Problems FA0 FA1 Router A Jan’s Computer Juan’s Computer In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the standard access list at router interface ______. Where would you place the standard ACL to deny all traffic from Lisa to Paul? Router Name ______________ Router B Interface ___________ E1 Where would you place the standard ACL to deny traffic from Paul to Lisa? Router Name ______________ Router A Interface ___________ E0 3 .

Standard Access List Placement Router B S0 S1 Router A E0 S0 S1 Ricky’s Computer FA1 S1 Router C Jenny’s Computer Amanda’s Computer Carrol’s Computer George’s Computer Kathy’s Computer S1 Router D E0 Jeff’s Computer S0 Jim’s Computer S1 E0 S0 Router E Linda’s Computer 4 Sarah’s Computer FA1 S1 Router F Jackie’s Computer Melvin’s Computer .

Where would you place a standard access list to deny traffic to Carrol’s computer from Sarah’s computer? Router C Router Name_________________ Interface ____________________ FA1 4. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer? Router D Router Name_________________ Interface ____________________ E0 2. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer? Router C Router Name_________________ Interface ____________________ FA1 11. Where would you place an ACL to deny traffic from Linda’s computer from reaching Jackie’s computer? Router F Router Name_________________ Interface ____________________ FA1 5 . Where would you place a standard access list to deny traffic to Sarah’s computer from Ricky’s computer? Router E Router Name_________________ Interface ____________________ E0 12. Where would you place a standard access list to permit traffic from George’s computer to reach Carrol and Amanda’s computer? Router C Router Name_________________ Interface ____________________ FA1 8. Where would you place a standard access list to deny traffic from Amanda’s computer from reaching Jeff and Jim’s computer? Router D Router Name_________________ Interface ____________________ E0 6. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer? Router D Router Name_________________ Interface ____________________ E0 5. Where would you place a standard access list to deny traffic from Melvin’s computer from reaching Jenny’s computer? Router A Router Name_________________ Interface ____________________ E0 3.Standard Access List Placement 1. Where would you place a standard access list to deny traffic to Jenny’s computer from Jackie’s computer? Router A Router Name_________________ Interface ____________________ E0 9. Where would you place a standard access list to permit traffic from George’s computer to reach Linda and Sarah’s computer? Router E Router Name_________________ Interface ____________________ E0 10. Where would you place a standard access list to permit traffic from Jackie’s computer to reach Linda’s computer? Router E Router Name_________________ Interface ____________________ E0 7.

. However.. This increases the volume of useless network traffic.. Routers B.. 6 . or C. and C will have to route the packet before it is finally blocked at Router E. If you want to deny traffic from Juan’s computer from reaching Janet’s computer with an extended access list you would place the ACL close to the source on Router A.. Since it can permit or deny based on the destination address it can reduce backbone overhead and not effect traffic to Routers B. .are numbered from 100 to 199.filter (permit or deny) based on the: source address destination address protocol port number .. Router B S0 S1 Router A E0 FA0 S0 Router C S1 S0 E0 Janet’s Computer Matt’s Computer Juan’s Computer Router D S1 E0 Jimmy’s Computer If you place the ACL on Router E to block traffic from Router A. are placed close to the source.. interface E0. ..work at both layer 3 and 4 of the OSI model.Extended Access Lists Extended Access Lists. .. it will work.. Why extended ACLs are placed close to the source.

E0 FA0 S0 Router A Lisa’s Computer FA1 S1 Router B Paul’s Computer Lisa has been sending unnecessary information to Paul.Extended Access List Placement Sample Problems E0 E1 Router A Jan’s Computer Juan’s Computer In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the extended access list at router interface ______. Where would you place the extended ACL to deny all traffic from Lisa to Paul? Router A Interface ___________ Router Name ______________ FA0 Where would you place the extended ACL to deny traffic from Paul to Lisa? Router Name ______________ Router B Interface ___________ FA1 7 .

Extended Access List Placement Router B S0 S1 Router A FA0 S0 S1 Ricky’s Computer E1 S1 Router C Jenny’s Computer Amanda’s Computer Carrol’s Computer George’s Computer Kathy’s Computer S1 Router D FA0 Jeff’s Computer S0 Jim’s Computer S1 FA0 S0 Router E Linda’s Computer 8 Sarah’s Computer FA1 S1 Router F Jackie’s Computer Melvin’s Computer .

Where would you place an extended access list to permit traffic from Jackie’s computer to reach Linda’s computer? Router F Router Name_________________ Interface ____________________ FA1 3. Where would you place an extended access list to deny traffic from Melvin’s computer from reaching Jeff and Jim’s computer? Router F Router Name_________________ Interface ____________________ FA1 7. Where would you place an extended access list to deny traffic to Carrol’s computer from Ricky’s computer? Router A Router Name_________________ Interface ____________________ FA0 4. Where would you place an extended access list to permit traffic from George’s computer to reach Jeff’s computer? Router C Router Name_________________ Interface ____________________ E1 8. Where would you place an extended access list to deny traffic to Jenny’s computer from Sarah’s computer? Router E Router Name_________________ Interface ____________________ FA0 11. Where would you place an extended access list to permit traffic from George’s computer to reach Linda and Sarah’s computer? Router C Router Name_________________ Interface ____________________ E1 12. Where would you place an extended access list to deny traffic from Linda’s computer from reaching Jenny’s computer? Router E Router Name_________________ Interface ____________________ FA0 9 . Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer? Router D Router Name_________________ Interface ____________________ FA0 2. Where would you place an extended access list to permit traffic from Jim’s computer to reach Carrol and Amanda’s computer? Router D Router Name_________________ Interface ____________________ FA0 9. Where would you place an extended access list to permit traffic from Carrol’s computer to reach Jeff’s computer? Router C Router Name_________________ Interface ____________________ E1 6. Where would you place an extended access list to deny traffic to Sarah’s computer from Jackie’s computer? Router F Router Name_________________ Interface ____________________ FA1 5.Extended Access List Placement 1. Where would you place an ACL to deny traffic from Linda’s computer from reaching Kathy’s computer? Router E Router Name_________________ Interface ____________________ FA0 10.

0 autonomous number 1 to 99 source address permit or deny source address access-list 78 deny host 192....0.. Access Lists on your outgoing port.filters and denys packets before the router has to make a routing decision. .168...Choosing to Filter Incoming or Outgoing Packets Access Lists on your incoming port....90. .requires less CPU processing. Breakdown of a Standard ACL Statement permit or deny wildcard mask access-list 1 permit 192.are outbound by default unless otherwise specified... .168..0.36 0.increases the CPU processing time because the routing decision is made and the packet switched to the correct outgoing port before it is tested against the ACL. .90.36 log autonomous number 1 to 99 10 indicates a specific host address (Optional) generates a log entry on the router for each packet that matches this statement .

90.175.36 0.0 permit or deny autonomous number 100 to 199 protocol icp.0. ip. tcp. icmp.36 host 192.0 192.0. operator eq for = gt for > lt for < neg for = (Optional) generates a log entry on the router for each packet that matches this statement 11 . ip.90.0. udp.12 eq 23 log permit or deny source address Protocols Include: IP IGMP TCP GRE UDP IGRP ICMP EIGRP indicates a specific host IPINIP OSPF NOS Integer 0-255 To match any internet protocol use IP.12 0. udp. source address destination address port number (23 = telnet) indicates a specific host destination address access-list 178 deny tcp host 192.Breakdown of an Extended ACL Statement autonomous number 100 to 199 protocol icp.0. etc. tcp.175.168. source wildcard mask destination wildcard mask access-list 125 permit ip 192. icmp.168. etc.63.63.

interface E1 to block Melvin’s computer from sending information to Kathy’s computer.. but will allow all other traffic.. Applying a Standard Named Access List called “George” Write a named standard access list on Router A. 1-99 or 100-199) Named Access Lists Information Named Access Lists. ... ......eliminate the limits imposed by using numbered ACLs.are not compatable with any IOS prior to Release 11. (ie..provide the ability to modify your ACLs without deleting and reloading the revised access list.identify ACLs with an intuutive name instead of a number.. It will only allow you to add statements to the end of the exsisting statements. ..can not repeat the same name on multiple ACLs..What are Named Access Control Lists? Named ACLs.. .. (798 for standard and 799 for extended) . Place the access list at: Router Name: Router A Interface: E1 Access-list #: George [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# access-list standard George Router(config)# access-list deny host 72.16.are standard or extended ACLs which have an alphanumeric name instead of a number.35 Router(config)# access-list permit any Router(config)# interface e1 Router(config-if)# ip access-group George out Router(config-if)# exit Router(config)# exit 12 .. .2.70.

but will permit all other HTTP traffic to reach the only the 192.168.0 network.168.207.168.27 eq www Router(config)# access-list permit tcp any 192.207. Deny all other IP traffic.255 eq www Router(config)# interface e0 Router(config-if)# ip access-group Gracie in Router(config-if)# exit Router(config)# exit [Writing and installing an ACL] Place the access list at: Router Name: Router A Interface: E0 Access-list #: Gracie Write a named extended access list on Router A.27.0.207. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. Applying an extended Named Access List called “Gracie” Creating a Named Access Lists 13 .0 0.168.0.Router# configure terminal (or config t) Router(config)# access-list extended Gracie Router(config)# access-list deny tcp any host 192.207. Interface E0 called “Gracie” to deny HTTP traffic intended for web server 192.

0.150.0 0.Choices for Using Wildcard Masks Wildcard masks are usually set up to do one of four things: 1.168.0.0 or ACL’s Access-List 10 permit 192.0 0.0 Access-list 125 deny udp 10.255.0 Subnet Mask: 255.0.0 Subnet Mask: 255.50 any 2.0 0.0.0.168.0 Access-list 12 permit 172.255 Example 3 Address: 10.0 Access-list 25 deny 192.150.0. For standard access lists: Access-List 10 permit 192.0.0 mask) or Access-List 10 permit host 192.255 any 14 .0. Match an entire subnet.0 Subnet Mask: 255.50 For extended access lists: Access-list 110 deny ip 192.16.0.50.255.168.0. 3.16.150.255. Matching a specific host.0.0. 4.255.0. 1.0.50 0. Match a specific range.255.255 Example 2 Address: 172.255.0.0. Matching an entire subnet Example 1 Address: 192.0 any or Access-list 110 deny ip host 192. Match a specific host. 2. Match all addresses.150.0.168.0.168.150.50.168.50 (standard assume a 0.50 0.168.

255.112 Subnet Mask: 255.3. 250.63 Wildcard: 172.0.15.0.224 255.112. 31 Access-list 125 permit ip 172. 224 Wildcard: 0.16.0. 255 Custom Subnet mask: -255.168. Match everyone.250.50.255 For extended access lists: Access-List 175 permit ip any any or Access-List 175 deny tcp 0.32 to 172. 255.16. 15. 63 -172. 0.0 to 192. 0. 16. 0.255.31.50.16.) Example 3 Address: 172.0.0 255.168.127 Access-list 125 deny ip 192.16.31 any e Example 2 Address Range: 192. For standard access lists: Access-List 15 permit any or Access-List 15 deny 0. 0 0.127 any (This ACL would block the lower half of the subnet.0 0.255 any 15 .16.32 0. 0. 32 0. 0.127 -192. 31 Access-list 125 permit udp 10. 31. 255.0.255.31 any 4.250.255. 255. 250.0 255.250.127 Wildcard: 192. 168.255. 16.250. 16.255.0.0. 168.0.0. 255. Match a specific range Example 1 Address: 10.168.250.0.

0 172.128.255 (This is the inverse of the subnet mask.24.0. one (1) will be ignored.128.255.25.0. a range of addresses.25.255 (Any 10.150.100.Creating Wildcard Masks Just like a subnet mask the wildcard mask tells the router what part of the address to check or ignore.255) This also works with subnets.31 (Subtract the subnet mask from 255.0.24.150.95 0. 255 .10.10.100.) .0 255.255. Example #2: 10. or an entire subnet..10.255..170.150. As a rule of thumb the wildcard mask is the reverse of the subnet mask.255.127. 10.0 255.150.0.0 subnet address will match.0.255 = 0 255 .0) means the address must match exactly.128.0.0 = 255 16 192.30 255.224 = 31 Example #5: IP Address and subnet mask: IP Address and wildcard mask: Do the math.255 = 0 255 .0 204.0 (This address must match exactly. The source address can be a single address.95 0.255 All zero’s (or 0..0 to 10.0. Example #3: 10.255.128 = 127 255 . Example #1: IP Address and subnet mask: IP Address and wildcard mask: 204.30 0.255.0.10..10.0.0 0.0.100. Example #4: IP Address and subnet mask: IP Address and wildcard mask: Do the math.0 0.255.255 to create the wildcard) (This is the inverse of the subnet mask.150. 255 .224 192.0.) One’s will be ignored.170.) 172. Zero (0) must match exactly.100.

255. IP Address: 165.10.150. 0 Subnet Mask: 255.255. Create a wildcard mask to match this host.0. 0 .255.255.70 0 .224 __________________________________ 8.192 __________________________________ 9. 255 . 0 . 0 .0 0 .0 0 .190.0. 0 .130 0 .150. 0 . 255 Subnet Mask: 255.35.0. 0 .35 0 .2 0 .255.18.10. 0 . 255 .128 0 . Create a wildcard mask to match this range.230. 255 Subnet Mask: 255.255.0 0 . Create a wildcard mask to match this exact address.30.255. IP Address: 210.255. 0 Subnet Mask: 255. IP Address: 195.0.16 0 .Wildcard Mask Problems 1.224.10. Create a wildcard mask to match this range. 0 . IP Address: 172. 255 Subnet Mask: 255.0 ___________________________________ 2.0 __________________________________ 4. IP Address: 10.255. 0 .255. Create a wildcard mask to match this range.250.255.0 __________________________________ 5. IP Address: 210.248 __________________________________ 11. IP Address: 10.100. IP Address: 192.0. 63 Subnet Mask: 255.248 __________________________________ 17 . 7 Subnet Mask: 255.16 0 .255.192 __________________________________ 7. 0 Subnet Mask: 255. 31 .0 __________________________________ 12. 0 . Create a wildcard mask to match this range. 0 .0.0. 255 Subnet Mask: 255. IP Address: 172.255. Create a wildcard mask to match this exact address.0 0 . 31 Subnet Mask: 255. 0 .0.0. Create a wildcard mask to match this range.28. 0 . 7 Subnet Mask: 255. 0 Subnet Mask: 255.255.0.50.16. 0 . Create a wildcard mask to match this range. 0 . 0 . Create a wildcard mask to match this range.255.0 ___________________________________ 3.255. IP Address: 135.0 __________________________________ 10. 255 .32 0 .75.0 __________________________________ 6.168. Create a wildcard mask to match this range. IP Address: 192.255. 0 .25. Create a wildcard mask to match this host. 0 . 0 .255.10. IP Address: 171. 0 .

10.0.0.1 to 192.10.10.10.50.0.15. access-list 109 permit tcp 172. access-list 5 permit any Any address Answer: __________________________________________________________________ 3.254 Answer: __________________________________________________________________ 5.16.50 Answer: __________________________________________________________________ 2.0 0.10.16.0.30.150.0.10.18.0 0.1 to 192.127 172.254 Answer: __________________________________________________________________ 8.1 to 195.10.223.10.255 210.63 Answer: __________________________________________________________________ 4.0. access-list 11 deny 210.10.1 to 172.168.127 Answer: __________________________________________________________________ 18 .63 host 172.4.223.1 to 210.168.0.0. access-list 171 deny any host 175. access-list 125 deny tcp 195.255 host 192.15.10.24.0.10. access-list 105 permit 192.50.Wildcard Mask Problems Based on the given information list the usable source addresses or range of usable source addresses that would be permitted or denied for each access list statement.220.10.15.50.0. access-list 108 deny ip 192.220.223.254 Answer: __________________________________________________________________ 9.10.10.15 Answer: __________________________________________________________________ 6.168.12.150.30.16.10.255 any 192.10 fragments Any Address Answer: __________________________________________________________________ 7.12.1 to 172.0.255 172.0 0.168.0.0 0.50.0. access-list 10 permit 192.32.0 192.0.50 0.0 0.168. access-list 111 permit ip any any Any Address Answer: __________________________________________________________________ 10.255 192.168.15 172.0.220.1 eq 80 172.0 0.0.12.1 fragments 195.0 0.0. access-list 195 permit udp 172.0.168.0 0. 1.30.

168.0.168.168.15.31 any 172.0 0.168.0 0.168.15.0.16.7 Answer: _________________________________________________________________ 13.0 192.168.168.0.0. access-list 195 permit icmp 172.0.15.0.1 to 192. access-list 120 permit ip 192.168.15.50.10 0.0.254 Answer: _________________________________________________________________ 20.255 172.63 192.0.0.0. access-list 160 deny udp 172.0 192.63 Answer: _________________________________________________________________ 16.0.85.0.168.31 Answer: _________________________________________________________________ 15.168.255 172.0.168.0.168. access-list 100 permit ip 10.0.120.0.31 Answer: _________________________________________________________________ 22.30.15.85.15.0.0.1 to 192.10 0.127 Answer:__________________________________________________________________ 17.0.15.0 0.255.15. access-list 10 permit 175.15.255 172.0 0.0 0.0 192.30.0.127 192.1.0 192.11.15.0.255. access-list 150 permit ip 192.0.50.254 Answer: _________________________________________________________________ 18.30.85.1 to 192.0 192.0 0.0.0.168.255 175.255 10.168.0.0.15.168.168.15.0.168.0.255 172.30.15.15.10. access-list 130 permit ip 192.0.255 192.1 to 175.15.168.168.0.168.1 to 192.0 0.168.15.16.1 to 192.0.10 0.120.0.0.0.120.1 to 192.0 192.0.1 to 10.15.15 192.10 0.0 0.15.15.15.16.15.15.30.254 Answer: _________________________________________________________________ 21.0 0.3 192.1 to 172.168.1.168.0.255 192.168.254 Answer: _________________________________________________________________ 19.1 to 192.0.15.10 0.1 to 172.7 192.1 to 172.18 0.0.168.0 0.10.0.31 192.15.255.15.0.0.168.0 0.0.0.15.15 Answer: _________________________________________________________________ 14.168.15.0.0 0.0.15.0 0. access-list 140 permit ip 192.3 Answer: _________________________________________________________________ 12.0 0.0.0 0. access-list 110 permit ip 192. access-list 185 permit ip 192.0.0 gt 22 172.168.255.10 0. access-list 190 permit tcp 172.0.254 Answer: _________________________________________________________________ 19 .15.30.15.10.30.18. access-list 101 Permit ip 192.15.0.

18 0.0.0. access-list 150 permit ip 192.63 Answer: __________________________________________________________________ 20 .4.255 192.0.0.168.0 0.10.15.10.4.220.0 0.255.220.0.15.1.255 172.0. access-list 150 permit ip 192.0 0.18.1 to 192.4.10.15 Answer: __________________________________________________________________ 5.access-list 125 deny tcp 195.100 0.10.10.168.30.0.0 eq 21 172.110. access-list 101 deny ip 140. access-list 5 permit any any Any address Answer: __________________________________________________________________ 3.0.15 192.Wildcard Mask Problems Based on the given information list the usable destination addresses or range of usable destination addresses that would be permitted or denied for each access list statement.10 0.50.1 fragments 172.0 0.30.168.168.168.63 Answer: __________________________________________________________________ 4.168.0.168.15 172.0.30.30.1 to 195.0. access-list 120 deny tcp 172.168.254 Answer: __________________________________________________________________ 6.0.0.168.18 Answer: __________________________________________________________________ 10.0 0.30. access-list 160 deny udp 172.220.1 to 192. 1.0.50.168.255.168.0.15.0 0.32.0 0.15. access-list 108 deny ip 192.0.63 host 172.15.32.0.63 195.10.0.10.10.1 to 172.0 0.7 Answer: __________________________________________________________________ 9.254 Answer: __________________________________________________________________ 8.168.10 0.0 0.18.0.0 0.0 192.0.0.255 172.1 to 192.223.1 Answer: __________________________________________________________________ 2.30.0.0.168.255 192.168.0 192.16.63 192.0.50.30.0.10 0.168.4.0.7 192.0.15.168.0 0. access-list 105 permit any 192.0 192.0.0.0.32.130.223.1 to 192.0.255 Any Address Answer: __________________________________________________________________ 7. access-list 120 permit ip 192.32.0.0 255.220.

.Writing Standard Access Lists. ..

70.16.35 or access-list 10 deny 72.90.36 172.38 172.70.0 or access-list 10 deny host 72.255 or access-list 10 permit any Router(config)# interface e1 Router(config-if)# ip access-group 10 out Router(config-if)# exit Router(config)# exit [Viewing information about existing ACL’s] 22 Router# show configuration (This will show which access groups are associated with particular interfaces) Router# show access list 10 (This will show detailed information about this ACL) .16.70.168.16.2 172.32 Frank’s Computer Melvin’s Computer Kathy’s Computer 192.28.0.90.70.255. but will allow all other traffic.35 Router(config)# access-list 10 permit 0.255.35 Standard Access List Sample #1 Write a standard access list to block Melvin’s computer from sending information to Kathy’s computer.30.0 255.16.35 0.16.70.Router A 192.168.0.0.0.90.16.1 E1 E0 S0 Jim’s 210.168. Place the access list at: Router Name: Router A Interface: E1 Access-list #: 10 [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# access-list 10 deny 172.0 Computer 192.70. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

90.0 network to reach the 172.168.0.0 0.0.255 Router(config)# access-list 28 permit 210.30.0. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0.0. Permit all traffic from the 210.0 or access-list 28 deny host 192.168.Standard Access List Sample #2 Write a standard access list to block Jim’s computer from sending information to Frank’s computer. but will allow all other traffic from the 192.0.90.36 Router(config)# access-list 28 permit 192.168.255 Router(config)# interface e0 Router(config-if)# ip access-group 28 out Router(config-if)# exit Router(config)# exit Router# copy run start [Disabling ACL’s] Router# configure terminal Router(config)# interface e0 Router(config-if)# no ip access-group 28 out Router(config-if)# exit Router(config)# exit [Removing an ACL] Router# configure terminal Router(config)# interface e0 Router(config-if)# no ip access-group 28 out Router(config-if)# exit Router(config)# no access-list 28 Router(config)# exit 23 .70.36 or access-list 28 deny 192.90.36 0.30.90.90.28.168.0 0. Place the access list at: Router Name: Router A Interface: E0 Access-list #: 28 [Writing and installing an ACL] Router# configure terminal Router(config)# access-list 28 deny 192.16.0 network.168.0 network. Deny all other traffic.28.

16.16.32.0.32. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.190.190.0 network.36 Michael’s Computer 224.32.255. List all the command line options for this problem.32.255.16 0.94 FA0 172.16 ________________________________________________________ or access-list 35 deny 224.32.32.0.28.16 or access-list 35 deny host 224.0.FA0 S0 224. but will allow all other traffic from the 224.16 Debbie’s Computer 192.190.32.0 ________________________________________________________ access-list 35 permit any Router(config)# ________________________________________________________ or access-list 35 permit 0.95 Standard Access List Problem #1 Write a standard access list to block Debbie’s computer from receiving information from Michael’s computer.0 255.1 Router A Router B S1 E1 192.190.190.255 ______________________________________________________ FA0 Router(config)# interface ________ 35 Router(config-if)# ip access-group ________ in or out (circle one) Router(config-if)# exit Router(config)# exit 24 .190.0. Place the access list at: Router B Router Name: ___________________________ FA0 Interface: _______________________________ 35 (1-99) Access-list #: ____________________________ [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# ________________________________________________________ access-list 35 deny 224.16.32.

0.190.16 or ________________________________________________________ access-list 40 permit host 224. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0 Router(config)#_________________________________________________________ access-list 40 deny 224. but will deny all other traffic from the 224.16 0.0 255.32.Standard Access List Problem #2 Write a standard access list to permit Debbie’s computer to receive information from Michael’s computer.255 _______________________________________________________ FA0 Router(config)# interface ________ 40 Router(config-if)# ip access-group ________ in or out (circle one) Router(config-if)# exit Router(config)# exit 25 . Place the access list at: Router Name: ___________________________ Router B Interface: _______________________________ FA0 Access-list #: ____________________________ 40 (1-99) [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# ________________________________________________________ access-list 40 permit 224.0 network.32.0 0.255. List all the command line options for this problem.16 or ________________________________________________________ access-list 40 permit 224.255.255. Permit all other traffic.190.0.0.190.255 Router(config)#_________________________________________________________ access-list 40 permit any Router(config)#_________________________________________________________ or access-list 40 permit 0.0.16.32.190.0 0.16.0.0. Block all traffic from the 172.0 network.190.32.0.255.255 access-list 40 deny 172.0.32.

90.90.30.125 access-list 45 deny host 204.30.30.126 0.0.90.88.90.5 204.30.90.124 E0 S0 10.168.36 Jim’s Computer FA1 192.90.126 Standard Access List Problem #3 Write a standard access list to block Rodney and Carol’s computer from sending information to Jim’s computer.126 access-list 45 deny 204.Router A 204. Block all other traffic.250.88.125 0.0.126 access-list 45 deny host 204.30.30.30.90.30.30.0 access-list 45 permit 204.90.30.168.0 access-list 45 deny 204.30.90.0.30.90.0. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.125 204.30.0.0 0.0 network.125 access-list 45 deny 204. but will allow all other traffic from the 204.250.0.255 FA1 Router(config)# interface ________ 45 in or out (circle one) Router(config-if)# ip access-group ________ Router(config-if)# exit Router(config)# exit 26 . Place the access list at: Router B Router Name: ___________________________ FA1 Interface: _______________________________ 45 (1-99) Access-list #: ____________________________ [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# or or or or access-list 45 deny 204.90.35 Carol’s Computer Rodney’s Computer Router B S1 10.4 192.

30.90.0.127 ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ FA1 Router(config)# interface ________ Ralph in or out (circle one) Router(config-if)# ip access-group ________ Router(config-if)# exit Router(config)# exit 27 . For help with blocking the upper half of the range review page 13 or the wildcard mask problems on pages 16 and 17. but will permit Jim to receive data from Rodney.30.0 0. Block the upper half of the 204. For help with named ACLs review pages 12 and 13.0.90. Place the access list at: Router B Router Name: ___________________________ FA1 Interface: _______________________________ Ralph Access-list Name: ____________________________ [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# access-list ________________________________________________________ standard Ralph ________________________________________________________ access-list permit 204.0 range from reaching Jim’s computer while permitting the lower half of the range. Block all other traffic.Standard Access List Problem #4 Using a minimum number of commands write a standard access list named “Ralph” to block Carol’s computer from sending information to Jim’s computer.

2 Standard Access List Problem #5 Write a standard access list to block 172.30.30.225.3 0.30.30.225.225.3 from sending information to the 212.225.225.180.2 0.180.180.2 and 172.0.2 172.225.2 access-list 55 deny host 172.6 172.0.5 S1 Router C 212.225.0.Router B S0 S1 Router A 172. but will allow all other traffic.225.10.225.3 or access-list 55 deny 172.180.30. Place the access list at: Router C Router Name: ___________________________ E1 Interface: _______________________________ 55 (1-99) Access-list #: ____________________________ [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# or access-list 55 deny 172.10.30.225.1 E0 S0 S1 E1 212.3 access-list 55 deny host 172.10.0.225.30.30. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.30.30.10.0 network.3 212.2 or access-list 55 deny 172.0 ________________________________________________________ access-list 55 permit any E1 Router(config)# interface ________ 55 in or out (circle one) Router(config-if)# ip access-group ________ Router(config-if)# exit Router(config)# exit 28 .30.0 ________________________________________________________ or access-list 55 deny 172.

30.2 log access-list 60 deny host 212.180.) Place the access list at: Router A Router Name: ___________________________ E0 Interface: _______________________________ 60 (1-99) Access-list #: ____________________________ [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# or access-list 60 deny 212.6 log or access-list 60 permit 212.225.180.0 network.2 log or access-list 60 deny 212.6 0.10.2 from sending information to the 172.0.10.0 network.180.10.180. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0 log ________________________________________________________ or access-list 60 permit 212.225.0.6 to send data to the 172.180.6 log access-list 60 permit host 212.2 0.10.10.180.Standard Access List Problem #6 Write a standard access list to block and log 212.0. (Check the example on page 10 for help with the logging option.180.10.0 log ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ E0 Router(config)# interface ________ 60 in or out (circle one) Router(config-if)# ip access-group ________ Router(config-if)# exit Router(config)# exit 29 .30.180. Deny all other traffic.0.10.10. Permit and log 212.

10.25 or access-list 65 deny 198.32.32.15.1 FA0 FA1 192. Permit all other traffic.0 0.15.0.168.168.31 from sending information to the 210.0.10.15.10.0 network.15.140.3 210.32.25 to reach the 210.0 ________________________________________________________ access-list 65 permit any ________________________________________________________ ________________________________________________________ FA1 Router(config)# interface ________ 65 in or out (circle one) Router(config-if)# ip access-group ________ Router(config-if)# exit Router(config)# exit 30 .0.15.32.140.15.140.168.10.1 to 192.10.172 210.Router C Router A S0 S1 FA0 S1 198.0.25 Router B S0 192. For help with this problem review page 13 or the wildcard mask problems on pages 16 and 17.0 network.140.8 198.25 0. Do not permit any traffic from 198.15.15.32.25 Standard Access List Problem #7 Write a standard access list to block the addresses 192. Place the access list at: Router B Router Name: ___________________________ FA1 Interface: _______________________________ 65 (1-99) Access-list #: ____________________________ [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# ________________________________________________________ access-list 65 deny 192.168.10.25 access-list 65 deny host 198.31 or access-list 65 deny 198.168.15.32.

Standard Access List Problem #8 Write a standard named access list called “Cisco_Lab_A” to permit traffic from the lower half of the 198.0.127 ________________________________________________________ access-list deny 198. Permit all other traffic.0.0. Allow host 198.10.10.32.15.168.32.10.32.10. Place the access list at: Router Name: ___________________________ Router A Interface: _______________________________ FA0 Access-list Name: ____________________________ Cisco_Lab_A [Writing and installing an ACL] Router# configure terminal (or config t) access-list standard Cisco_Lab_A Router(config)# ________________________________________________________ access-list permit 198.0.255 ________________________________________________________ access-list permit any ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ FA0 Router(config)# interface ________ Cisco_Lab_A Router(config-if)# ip access-group __________________ in or out (circle one) Router(config-if)# exit Router(config)# exit 31 .0 0.0 0.32.192 to reach network 192.168.0 network.15.0 network to reach 192.0. For help with this problem review page 13 or the wildcard masks problems on pages 16 and 17. For assistance with named ACLs review pages 12 and 13. block the upper half of the addresses.

250.250.0.1.1 access-list 75 deny 10.2.0.250.250.255.250.0 0.250.1.1 0.4.255 ________________________________________________________ access-list 75 permit any ________________________________________________________ ________________________________________________________ FA0 Router(config)# interface ________ 75 Router(config-if)# ip access-group ________ in or out (circle one) Router(config-if)# exit Router(config)# exit 32 .0 ________________________________________________________ access-list 75 deny 10.255.2.4.4.1 0.250.250. Place the access list at: Router A Router Name: ___________________________ FA0 Interface: _______________________________ Access-list #: ____________________________ 75 (1-99) [Writing and installing an ACL] Router# configure terminal (or config t) Router(config)# or access-list 75 deny 10.0 ________________________________________________________ or or access-list 75 deny 10.0 ________________________________________________________ or or access-list 75 deny 10.250.1 access-list 75 deny host 10.Standard Access List Problem #9 Write a standard access list to block network 192.250.0.255.1.2.3.250.250.0 255.3.0 from receiving information from the following addresses: 10.1 or access-list 75 deny 10.0.1 0.1 access-list 75 deny host 10. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.1.1 access-list 75 deny 10. Allow all other traffic.0.0.4.168.250. 10.0 network.0.1. and the entire 10.1.250.2.0. 10.1 access-list 75 deny host 10.1.

Writing Extended Access Lists. ...

36 0.16. Extended Access List Sample #1 172.0 255.34 172.70.0.90.255 Router(config)# interface fa0 Router(config-if)# ip access-group 110 in [Viewing information about existing ACL’s] Router(config-if)# exit Router# show configuration (This will show which access groups are associated with particular interfaces) Router(config)# exit Router# configure terminal (or config t) Router(config)# access-list 110 deny ip 172.1 FA1 FA0 .0.16.36 Mike’s Computer Router# show access list 110 (This will show detailed information about this ACL) or access-list 110 deny ip host 172.16.255.32 192.70.255.0.0 255.90.168.0.90.90.168.35 host 192.90.168.35 0.2 172. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.168.38 Celeste’s Computer Deny/Permit Specific Addresses 192.36 Router(config)# access-list 110 permit ip any any or access-list 110 permit ip 0.0. but will allow all other traffic.0.2550.70.0.70.255.0 192.16.0 [Writing and installing an ACL] Place the access list at: Router Name: Router A Interface: FA0 Access-list #: 110 Write an extended access list to prevent John’s computer from sending information to Mike’s computer.255.168.70.35 John’s Computer Gail’s Computer Router A 192.16.0.

168.168. Permit all other traffic.70. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0 0.0.36.0.32 0.0.70.0.32 Router(config)# access-list 135 permit ip any any or access-list 135 permit ip 0.255.0.90. Extended Access List Sample #2 .16.0.16.0 255.255.0 network from reaching Gail’s computer at 172.70.0 255.0 0.0.36 0.16.70.0 or access-list 135 deny ip 192.255.70.0 network from receiving information from Mike’s computer at 192.255 Router(config)# access-list 135 deny ip 192.16.0.36 172.168.127 host 172.35 Deny/Permit Specific Addresses [Removing an ACL] Router# configure terminal Router(config)# interface e1 Router(config-if)# no ip access-group 135 out Router(config-if)# exit Router(config)# no access-list 135 Router(config)# exit [Disabling ACL’s] Router# configure terminal Router(config)# interface e1 Router(config-if)# no ip access-group 135 out Router(config-if)# exit Router(config)# exit Router# configure terminal Router(config)# access-list 135 deny ip 192.0.255 Router(config)# interface fa1 Router(config-if)# ip access-group 135 in Router(config-if)# exit Router(config)# exit Router# copy run start [Writing and installing an ACL] Place the access list at: Router Name: Router A Interface: FA1 Access-list #: 135 Write an extended access list to block the 172.16.255 0.90.0.168.0.255 or access-list 135 deny ip host 192.16.90.0 172.168.90.0.0 0.127 172. Block the lower half of the ip addresses from 192.90.70.0.90.32.255.0 0.168.0.0.0.

0 access-list 105 deny ip host 172.168.0.0.0 192.128 FA0 Router(config)# interface __________ 105 in or out (circle one) Router(config-if)# ip access-group _________ Router(config-if)# exit Router(config)# exit Router# copy run start or Router(config)# Router# configure terminal (or config t) [Writing and installing an ACL] Place the access list at: Router A Router Name: ___________________________ FA0 Interface: _______________________________ 105 (100-199) Access-list #: ____________________________ Write an extended access list to prevent Jay’s computer from receiving information from Cindy’s computer.128 Jay’s Computer Router B FA1 S1 192. Permit all other traffic.168.122.20.225.0.52 ______________________________________________________________________________________ access-list 105 permit ip any any ______________________________________________________________________________________ ______________________________________________________________________________________ access-list 105 deny ip 172. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.172.70.122.20.129 Jackie’s Computer Deny/Permit Specific Addresses 192.168.122.168.15 Router A S0 FA0 192.122.168.70.0.70.122.30.20. 36 .128 0.89 Extended Access List Problem #1 172.89 host 192.70.80 Bob’s Computer Cindy’s Computer 172.2 0.20.

168.122. Permit all other traffic.255. Block the lower half of the ip addresses from 192.0.122.255 or Router# configure terminal Router(config)# access-list 110 deny ip host 192.20.168.0.0.129.20.0 0.0. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.70.0 0.0 or _____________________________________________________________________________________ access-list 110 deny ip 192.122.70.89.0 172.0.122.127 host 172.20.122.168.0 0.0.37 Deny/Permit Specific Addresses access-list 110 deny ip 192.0.20.70.129 0.70.0.168.0 0.129 172.0 255.168.0.122.20.0.20.89 0.255 [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router B Interface: _______________________________ FA1 Access-list #: ____________________________ 110 (100-199) Write an extended access list to block the 172.0.0 network from receiving information from Jackie’s computer at 192.127 172.168.0. Extended Access List Problem #2 .70.255.89 E1 Router(config)# interface __________ 105 in or out (circle one) Router(config-if)# ip access-group _________ Router(config-if)# exit Router(config)# exit Router# copy run start ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ access-list 110 permit ip any any _____________________________________________________________________________________ access-list 110 deny ip 192.0 network from reaching Cindy’s computer at 172.70.

59.50.59.10 to receive packets from Rachael’s computer at 172.50.35.59.10 Jan’s Computer 218.0 or access-list permit ip host 172.0.59.2.18 0.35.18.15 Rebecca’s Computer 172.12 Juan’s Computer E0 218.35.0.1 Router A . Extended Access List Problem #3 218.10 0.50.0 218.1 172.59.50.15.59.18 Rachael’s Computer Deny/Permit Specific Addresses S1 Router(config)# interface ____________ FA1 Lab_166 in or out (circle one) Router(config-if)# ip access-group _________ Router(config-if)# exit Router(config)# exit _____________________________________________________________________________________ _____________________________________________________________________________________ access-list permit ip 172.35.2.50.35.2.10 Router(config)#_____________________________________________________________________________________ access-list extended Lab_166 Router# configure terminal (or config t) [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router B Interface: _______________________________ FA1 Access-list Name: ____________________________ Lab_166 Write a named extended access list called “Lab_166” to permit Jan’s computer at 218. but not Rebecca’s computer at 172.2.38 Router B S0 FA1 172.50.0. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. Deny all other packets.18 host 218.59.35.2.0.2.2.

35.35.0.50.15.59.39 Deny/Permit Specific Addresses FA1 Router(config)# interface __________ 115 Router(config-if)# ip access-group _________ in or out (circle one) Router((config-if)# exit Router(config)# exit Router# copy run start _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ access-list 120 permit ip any any Router# configure terminal Router(config)# access-list 120 deny ip host 218.0.59.2.18 0.12 0.0 172.2.2. Extended Access List Problem #4 .59.18 or _____________________________________________________________________________________ access-list 120 deny ip 218.0.2. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.35.0 [Writing and installing an ACL] Place the access list at: Router A Router Name: ___________________________ E0 Interface: _______________________________ 120 (100-199) Access-list #: ____________________________ Write an extended access list to allow Juan’s computer at 218.50.0. but not Rachael’s computer at 172.50.18.59.12 host 172. Permit all other traffic.12 to send information to Rebecca’s computer at 172.

Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0.168.20.0 network to receive packets from the 192.16.18.0 255.2550.20.255 192.16.255.0.20.16.12 Barbra’s Computer [Viewing information about existing ACL’s] (This will show which access groups are associated with particular interfaces) (This will show detailed information about this ACL) Router# show configuration Router# show access list 111 Router# configure terminal (or config t) Router(config)# access-list 111 permit ip 192.40 192.0 255.255 Router(config)# interface e1 Router(config-if)# ip access-group 111 in Router(config-if)# exit Router(config)# exit [Writing and installing an ACL] Place the access list at: Router Name: Router B Interface: E1 Access-list #: 111 Write an extended access list to permit the 192.20.50. Deny all other traffic.0.0.0 0.50.0 0.0. Extended Access List Sample #3 192.18.255.18.0 network.50.7 192.11 Bob’s Computer Deny/Permit Entire Ranges 192.18.0.0.5 E0 192.20.255.50.50.18.0.10 E1 Router B S1 192.255.6 Cindy’s Computer Ralph’s Computer Router A S0 .16.255 Router(config)# access-list 111 deny ip any any or access-list 111 deny ip 0.

20.0 network from receiving information from the 192.16.20.0.50.255 0.0. Extended Access List Sample #4 .0 255. Permit all other traffic.0.0 network.16.0 255.0 0.41 Deny/Permit Entire Ranges [Removing an ACL] Router# configure terminal Router(config)# interface e0 Router(config-if)# no ip access-group 188 out Router(config-if)# exit Router(config)# no access-list 188 Router(config)# exit [Disabling ACL’s] Router# configure terminal Router(config)# interface e0 Router(config-if)# no ip access-group 188 out Router(config-if)# exit Router(config)# exit Router# configure terminal Router(config)# access-list 188 deny ip 192.255.18.0.0.255.50.255 Router(config)# access-list 188 permit ip any any or access-list 188 permit ip 0. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.18.0.0.255 192.0 0.255.255 Router(config)# interface e0 Router(config-if)# ip access-group 188 in Router(config-if)# exit Router(config)# exit Router# copy run start [Writing and installing an ACL] Place the access list at: Router Name: Router A Interface: E0 Access-list #: 188 Write an extended access list to block the 192.255.0.

18 David’s Computer FA0 Router(config)# interface ____________ 125 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit Router(config)# exit ______________________________________________________________________________________ ______________________________________________________________________________________ ______________________________________________________________________________________ access-list 125 permit ip any any Router(config)#______________________________________________________________________________________ access-list 125 deny ip 204.0 0.150.95.59.2.1 S0 210.0. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. but not the 210.95.250.10.95.0 0. Permit all other traffic.255 210.0 network.59.255 Router# configure terminal (or config t) [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router B Interface: _______________________________ FA1 Access-list #: ____________________________ 125 (100-199) Write an extended access list to permit network 204.15 Rebecca’s Computer 172.0.2.150.150.0.0.150.10 Rachel’s Computer Todd’s Computer 204.0 172.250.42 204.11 Router A S0 FA0 .2.10.0.12 S1 FA1 172.95.95.250.0 to send packets to network 172.59.10.0.150. Deny/Permit Entire Ranges Router B Extended Access List Problem #5 204.59.

0 network access from the 172.0. Deny all other hosts on the 204.150.95.59.150.2.59.95.0 0.0.0.95.0 network.150.255.255 host 204.0 0.0 FA1 Router(config)# interface __________ 130 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit Router(config)# exit Router# copy run start or Router# configure terminal Router(config)# access-list 130 permit ip 172.10 [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router B Interface: _______________________________ FA1 Access-list #: ____________________________ 130 (100-199) Write an extended access list to allow Rachel’s computer at 204. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.255 204. Extended Access List Problem #6 .0 network.255.0.0.0.0.95.59.0.255 204.95. Permit all other traffic.0.59.59.10 to receive information from the 172.150.10 0.150.0 0.0.0255 _____________________________________________________________________________________ access-list 130 permit ip 172.0 0.255.43 Deny/Permit Entire Ranges _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ access-list 130 permit any any _____________________________________________________________________________________ access-list 130 deny ip 172.

0.70.255 10.45 Router A S0 E0 .45 210.70.44 172.0.168.0 0.50.0.120.0 0.168.0. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0.120.0 255.255. Permit all other traffic.50.0.0.2 S0 Router B 192.0.0 networks.250.168.170. but will permit traffic to the 192.168.1.50.120.170.0 0.4 Denise’s Computer E0 Router(config)# interface ____________ Router(config-if)# ip access-group Godzilla _________ in or out (circle one) Router(config-if)# exit Router(config)# exit access-list permit ip any any ____________________________________________________________________________________ access-list deny ip 172.0 network from sending information to the 210.0.168.255.255.168.0 E1 10.0 192.168.250.0 network.120.120.255 210.255 Router(config)#access-list _____________________________________________________________________________________ extended Godzilla Router# configure terminal (or config t) [Writing and installing an ACL] Place the access list at: Router A Router Name: ___________________________ E0 Interface: _______________________________ Godzilla Access-list Name: ____________________________ Write a named extended access list called “Godzilla” to prevent the 172.0 .3 Tim’s Computer Deny/Permit Entire Ranges S1 E1 192. and 10.70.0 0.1.255 ____________________________________________________________________________________ ____________________________________________________________________________________ access-list deny ip 172120.255. Extended Access List Problem #7 172.170.250.1.50.45 Phyllis’s Computer Tommy’s Computer 172.

Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0.0 0.50.0.3 [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router A Interface: _______________________________ E0 Access-list #: ____________________________ 140 (100-199) Assuming default subnet masks write an extended access list to permit Tim at 192.120.50.0.0.120.0.45.255 access-list 140 permit ip host 172.255.170.50.0.45 Deny/Permit Entire Ranges ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ _____________________________________________________________________________________ access-list 140 permit ip 172.0 0.255.0.168.0.50.50.168.45 192.0 0.168. Allow the 192.168.0 network to receive information from Phyllis’s computer at 172. Extended Access List Problem #8 .170.0 network.120.168.0.0.45 0.168.50.3 0. Deny all other traffic.0 0.255 host 192.0 192.0.0 E0 Router(config)# interface __________ 140 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit Router(config)# exit Router# copy run start or or Router# configure terminal Router(config)# access-list 140 permit ip 172.3 to receive data from the 172.120.255 _____________________________________________________________________________________ access-list 140 permit ip 172.170.0.120.255 192.120.0.

0 0.21.255 Router(config)# access-list 185 permit ip any any or access-list 185 permit ip 0.46 192.255 0.15 172.15.168.44 Rodney’s Computer Jim’s Computer Router A S0 FA0 192.50.95 Router B 172.0 network. Extended Access List Sample #5 192.255.168.255.0.0 255.20 .0.96 Carol’s Computer 172.255.50.0.50.15.168.97 Frank’s Computer Deny/Permit a Range of Addresses S1 (This will show which access groups are associated with particular interfaces) (This will show detailed information about this ACL) Router# show configuration Router# show access list 185 Router# configure terminal (or config t) Router(config)# access-list 185 deny ip 192.50.255.21.15.15. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. Permit all other traffic.0 255.21.255.21.0.0.0.15.0 0.43 E1 172.0.0.168.168.21.0 network from reaching the 172.255 Router(config)# interface fa1 Router(config-if)# ip access-group 185 in Router(config-if)# exit [Viewing information about existing ACL’s] Router(config)# exit [Writing and installing an ACL] Place the access list at: Router Name: Router A Interface: FA0 Access-list #: 185 Write an extended access list to deny the first 15 usable addresses of the 192.

0 network.255 Router(config)# access-list 121 deny ip any any or access-list 121 deny ip 0.21.21.0 255.47 Deny/Permit a Range of Addresses [Removing an ACL] Router# configure terminal Router(config)# interface fa0 Router(config-if)# no ip access-group 121 in Router(config-if)# exit Router(config)# no access-list 121 Router(config)# exit [Disabling ACL’s] Router# configure terminal Router(config)# interface fa0 Router(config-if)# no ip access-group 121 in Router(config-if)# exit Router(config)# exit Router# configure terminal Router(config)# access-list 121 permit ip 192. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0.0.255 Router(config)# interface fa0 Router(config-if)# ip access-group 121 in Router(config-if)# exit Router(config)# exit Router# copy run start [Writing and installing an ACL] Place the access list at: Router Name: Router A Interface: FA0 Access-list #: 121 Write an extended access list which will allow the lower half of 192.0.255. Extended Access List Sample #6 .255.127 172.255.0.0 network access to the 172.0.50.255.0.0.168.168.0 255.255 0.50. Deny all other traffic.0.0 0.15.15.0 0.

168.17 192.168.195.0.0 network from reaching the 192.108 Celeste’s Computer Deny/Permit a Range of Addresses 192.125.125.0.0 Extended Access List Problem #9 192.255 Router# configure terminal (or config t) [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router A Interface: _______________________________ E1 Access-list #: ____________________________ 145 (100-199) Write an extended access list to prevent the first 31 usable addresses in the 192.90 E0 Router A E1 Router(config)# interface ____________ 145 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit ______________________________________________________________________________________ ______________________________________________________________________________________ ______________________________________________________________________________________ access-list 145 permit ip any any Router(config)#______________________________________________________________________________________ access-list 145 deny ip 192.195.0.168.88 John’s Computer Gail’s Computer 192.168. 48 .192.195.168. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.145 S0 Mike’s Computer 192.195.0 0.125.168.168.31 192.0.168.195.254 E1 172. Permit all other traffic.168.31.125.168.0 0.0 network.195.125.

31.168.0.49 Deny/Permit a Range of Addresses S0 Router(config)# interface __________ Router(config-if)# ip access-group Media_Center ________________ in or out (circle one) Router(config-if)# exit Router(config)# exit Router# copy run start _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ access-list permit ip 172. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.195.125.0 0.255 Router# configure terminal Router(config)#______________________________________________________________________________________ access-list extended Media_Center [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router A Interface: _______________________________ S0 Access-list Name: ____________________________ Media_Center Write a named extended access list called “Media_Center” to permit the range of addresses from 172.195.195.0 0.0.1 through 172.0 network.7 192.7 to send date to the 192. Deny all other traffic.0.168. Extended Access List Problem #10 .31.125.0.31.

75.0.20.2.16.0 0.16.18.16.20.16.0 network to reach the 172.0.11 Jill’s Computer S1 Router C FA0 Router(config)# interface ____________ 155 in or out (circle one) Router(config-if)# ip access-group _________ Router(config-if)# exit ______________________________________________________________________________________ ______________________________________________________________________________________ access-list 155 permit ip any any ______________________________________________________________________________________ access-list 155 deny ip 192.31 172.0 0.7 S1 S0 S0 E1 172.12 Deny/Permit a Range of Addresses 172.18.10 Bob’s 172.75. Permit all other traffic.16.20.75.0.0 network.22.50.16.22.9 Computer 172.75. Deny the addresses from 192.31 from reaching the 172.50.10 Brad’s Computer FA1 172.0 network.22.16.0.6 Cindy’s Computer Ralph’s Computer 192.0 0.0 0.75.3 172.50.0. Extended Access List Problem #11 192.75.20.20.0.0.50 192.4 through 192.22.255 Router# configure terminal (or config t) [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router A Interface: _______________________________ FA0 Access-list #: ____________________________ 155 (100-199) Write an extended access list to permit the first 3 usable addresses in the 192.0.22.8 Router B Router A Barbra’s Computer 172.5 FA0 .20. Keep in mind that there are multiple ways this ACL can be written.255 Router(config)#______________________________________________________________________________________ access-list 155 permit ip 192.22.18.20.16.22.75.

Extended Access List Problem #12 .75.127 from sending data to the 172. Keep in mind that there are multiple ways this ACL can be written.7 172.0 0.18.0.75.0.0.0.127 172.0 network.22.75.0 network.50.20.255 [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router B Interface: _______________________________ E1 Access-list #: ____________________________ 160 (100-199) Write an extended access list to deny the addresses from 172.0. Permit all other traffic.22.18.75.0 network from reaching the 192.0.22.0 0.0.255 Router# configure terminal Router(config)#______________________________________________________________________________________ access-list 160 permit ip 172.22.51 Deny/Permit a Range of Addresses E1 Router(config)# interface __________ 160 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit Router(config)# exit Router# copy run start ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ access-list 160 permit ip any any _____________________________________________________________________________________ access-list 160 deny ip 172. Deny the first half of the addresses from the 172.0.18.16.50.0 0.0 0.8 through 172.50.75.22.

200 Router B FA1 S1 192.0 network.70.0.70.88.0.16.88.250.88.155 10.0 0.1.0 192.0 0.88.70.0 network to reach the lower half of the addresses in the 172.168.1 Router A S0 FA0 .16.168.52 172.88.16.250.16.0. Extended Access List Problem #13 172.168.1 FA0 FA1 Router(config)# interface ____________ 165 in or out (circle one) Router(config-if)# ip access-group _________ Router(config-if)# exit ______________________________________________________________________________________ ______________________________________________________________________________________ ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ access-list 165 permit ip 192.63 172.70. Deny all other traffic.168.70.127 Router# configure terminal (or config t) [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router B Interface: _______________________________ FA1 Access-list #: ____________________________ 165 (100-199) Write an extended access list to permit the first 63 usable addresses in the 192.204 Deny/Permit a Range of Addresses 10. but not the upper half.4.145 Celeste’s Computer Bob’s Computer 172. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0.0 FA1 Peggy’s Computer Denise’s Computer 192.16.168.

88.63 192.0 through 10.250.88.53 Deny/Permit a Range of Addresses Router(config)# interface __________ FA1 170 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit Router(config)# exit Router# copy run start ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ access-list 170 permit ip any any or _____________________________________________________________________________________ access-list 170 deny ip 10.0.1.1.0.63 host 192.250.168.250.0.63 from sending data to Denise’s computer. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0.250.0.204 0.204 [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router A Interface: _______________________________ FA1 Access-list #: ____________________________ 170 (100-199) Write an extended access list to deny the addresses from 10.168. Extended Access List Problem #14 .1.0 Router# configure terminal Router(config)# access-list 170 deny ip 10. Permit all other traffic.1.0.0 0.0 0.

168.0.128.12 210.11 Web Server Deny/Permit Port Numbers Router B S1 E1 210.168.207.27 eq www Router(config)# access-list 198 permit tcp any 192. but will permit all other HTTP traffic to reach the only the 192.207.54 210.27 .27.168. Extended Access List Sample #7 192.168.128.168.50.168.25 Web Server 192.0 eq www or access-list 198 deny tcp any host 192.168.168.0.27 0.26 Router A S0 E0 192.10 (This will show which access groups are associated with particular interfaces) (This will show detailed information about this ACL) Router# show configuration Router# show access list 198 Router# configure terminal (or config t) Router(config)# access-list 198 deny tcp any 192.207.0.207.0 0.50.255 eq www Router(config)# interface e0 Router(config-if)# ip access-group 198 in Router(config-if)# exit Router(config)# exit [Viewing information about existing ACL’s] [Writing and installing an ACL] Place the access list at: Router Name: Router A Interface: E0 Access-list #: 198 Write an extended access list to deny HTTP traffic intended for web server 192. Deny all other IP traffic.0 network.207.128.207.0.207.50. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.207.

Deny all other traffic.207.0 networks.0. 55 .50.128.0 0.Extended Access List Sample #8 Deny/Permit Port Numbers [Removing an ACL] Router# configure terminal Router(config)# interface e0 Router(config-if)# no ip access-group 134 out Router(config-if)# exit Router(config)# no access-list 134 Router(config)# exit [Disabling ACL’s] Router# configure terminal Router(config)# interface e0 Router(config-if)# no ip access-group 134 out Router(config-if)# exit Router(config)# exit Router# configure terminal Router(config)# access-list 134 permit icmp 210.207. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0.255 192.0.128.0 and 192.168.50.0 0.168.255 echo-reply Router(config)# interface e0 Router(config-if)# ip access-group 134 in Router(config-if)# exit Router(config)# exit Router# copy run start [Writing and installing an ACL] Place the access list at: Router Name: Router A Interface: E0 Access-list #: 134 Write an extended access list to permit pings in either direction between hosts on the 210.0.

56

192.30.76.155
10.250.4.0

E1
Peggy’s
Computer

Deny/Permit Telnet

172.16.16.0

192.168.33.210

Router B
E1
S1
192.168.33.1
E0

192.168.33.214

Denise’s
Computer

(using line VTY 0 4 instead of an interface like E1 allows you
to apply this access list to all VTY lines with one statement)

(This will show which access groups are associated
with particular interfaces)
(This will show detailed information about this ACL)

Router# show configuration

Router# show access list 45

Router# configure terminal (or config t)
Router(config)# access-list 45 permit 192.168.33.214 0.0.0.0
or
access-list 45 permit host 192.168.33.214
Router(config)# access-list 45 permit 192.30.76.155 0.0.0.0
or
access-list 45 permit host 92.30.76.155
Router(config)# line vty 0 4
Router(config-if)# ip access-class 45 in
Router(config-if)# exit
[Viewing information about existing ACL’s]
Router(config)# exit

[Writing and installing an ACL]

Place the access list at:
Router Name:
Router B
Interface:
line VTY 0 4
Access-list #:
45

Write an extended access list to permit Denise’s and Bob’s computers to telnet into Router B. Deny all other telnet traffic Keep in
mind that there may be multiple ways many of the individual statements in an ACL can be written.

Standard Access List Sample #9

192.30.76.145

Celeste’s
Computer

Bob’s
Computer

172.20.70.1

Router A
S0
E0

57

Deny/Permit Port Numbers

[Removing an ACL]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 155 out
Router(config-if)# exit
Router(config)# no access-list 155
Router(config)# exit

[Disabling ACL’s]

Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 155 out
Router(config-if)# exit
Router(config)# exit

Router# configure terminal
Router(config)# access-list 155 deny tcp any 192.30.76.0 0.0.0.13 eq ftp
Router(config)# access-list 155 permit tcp any any
or
access-list 155 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface e0
Router(config-if)# ip access-group 155 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Writing and installing an ACL]

Place the access list at:
Router Name:
Router A
Interface:
E0
Access-list #:
155

Write an extended access list to deny FTP to ip addresses 192.30.76.0 through 192.30.76.13.
Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Extended Access List Sample #10

58

E0
172.16.70.1

S0
10.250.8.0

192.128.45.33

Bill’s
Computer

192.128.45.35

Jennifer’s
Computer

FA1
Router(config)# interface ____________
175 in or out (circle one)
Router(config-if)# ip access-group _________
Router(config-if)# exit

______________________________________________________________________________________

______________________________________________________________________________________

______________________________________________________________________________________
access-list
175 permit icmp 192.128.45.0 0.0.0.255 10.250.2.0 0.0.0.255

Router(config)#______________________________________________________________________________________
access-list 175 permit icmp 192.128.45.0 0.0.0.255 172.16.125.0 0.0.0.255

Router# configure terminal (or config t)

[Writing and installing an ACL]

Place the access list at:
Router Name: ___________________________
Router B
Interface: _______________________________
FA1
Access-list #: ____________________________
175 (100-199)

Write an extended access list to permit ICMP traffic from the 192.128.45.0 network to reach the 172.16.125.0 255.255.255.0 and
10.250.2.0 255.255.255.0 networks. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual
statements in an ACL can be written.

Deny/Permit a Port Numbers

Router A

Extended Access List Problem #15

172.16.125.1

Jackie’s
Computer

E1

10.250.2.0

Router B
FA1
S1
192.128.45.8
FA0

0.0.128.8.0 network.8.250. Extended Access List Problem #16 .0.45.8. Permit all other traffic.127 from reaching the 192.250.0.0 0.59 Deny/Permit a Port Numbers FA0 Router(config)# interface __________ Peggys_Lab Router(config-if)# ip access-group _________________ in or out (circle one) Router(config-if)# exit Router(config)# exit Router# copy run start ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ _____________________________________________________________________________________ access-list permit tcp any any _____________________________________________________________________________________ access-list deny tcp 10.127 192.45.0 through 10.0 0.255 eq 23 _____________________________________________________________________________________ Router# configure terminal access-list extended Peggys_Lab Router(config)#______________________________________________________________________________________ [Writing and installing an ACL] Place the access list at: Router B Router Name: ___________________________ FA0 Interface: _______________________________ Access-list Name: Peggys_Lab ____________________________ Write a named extended access list called “Peggys_Lab” to deny telnet from 10.250. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.128.

194.60.0 172.18.100. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.100.140 host 172.142 50 permit host 172.60.140 172.0.60.18.18.18.18.18. Deny all other telnet traffic from the 172.194.1 Router A S0 FA0 .60 203.60.60.140 FA1 172.250.142 Mary’s Computer permit permit permit permit 172.0.0.10.18.0 network. Access List Problem #17 203.142 0.101 Web Server #2 Web Server #1 203.60.0 50 50 50 50 vty 04 Router(config)# interface line ____________ 50 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit Router(config)# exit Router(config)# access-list or access-list or access-list access-list or access-list or access-list Router# configure terminal (or config t) [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router B Interface: _______________________________ line vty 04 Access-list #: ____________________________ 50 (1-99) Write an access list to permit Becky and Mary’s computer to telnet into Router B.60.18.194.1 S0 Deny/Permit Port Numbers Router B S1 204.0 172.18.100.0.60.140 0.102 Becky’s Computer 172.60.18.60.142 50 permit 172.

0.100.102 0.0 eq 80 [Writing and installing an ACL] Place the access list at: Router A Router Name: ___________________________ FA0 Interface: _______________________________ 185 (100-199) Access-list #: ____________________________ Write an extended access list to deny all HTTP traffic intended for the web server at 203.194.0 network.100. Permit HTTP traffic to any other web servers.100.194.0. Deny all other IP traffic to the 203.194.102 eq 80 or _____________________________________________________________________________________ access-list 185 deny tcp any 203. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.100. Extended Access List Problem #18 .194.61 Deny/Permit Port Numbers FA0 Router(config)# interface __________ 185 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit Router(config)# exit Router# copy run start _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ access-list 185 permit tcp any any eq 80 _____________________________________________________________________________________ Router# configure terminal (or config t) Router(config)# access-list 185 deny tcp any host 203.102.

0 network.0 0.255 eq ftp Router# configure terminal (or config t) [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router A Interface: _______________________________ E0 Access-list #: ____________________________ 190 (100-199) Write an access list to permit TFTP traffic to all hosts on the 192.50.15.15.172.50.25 .62 192.23.196 S1 172.23.15.15.168.15.168.0. Access List Problem #19 192.10.125 Web Server #1 Bobbie’s Computer Router A S0 E0 E1 192.0 Router B E1 Web Server #2 172.168. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.23.168. Deny all other TFTP traffic.168.0.197 Gail’s Computer E0 Router(config)# interface ____________ 190 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit Router(config)# exit ______________________________________________________________________________________ ______________________________________________________________________________________ ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ access-list 175 permit tcp any 192.195 172.82 Deny/Permit Port Numbers 192.50.

0 0.255 eq 80 or _____________________________________________________________________________________ access-list 195 deny tcp 172. and 192.15.10.0.15.0 networks.172.196 0.50. Extended Access List Problem #20 .0 0.196 192. Deny all other IP traffic going to the 192. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.23.168.0.0.0 network.50.15.0.255 eq 80 [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Router B Interface: _______________________________ E1 Access-list #: ____________________________ 195 (100-199) Write an extended access list that permits web traffic from web server #2 at 172.0.23.0.23.15.50.0.0 192.168.63 Deny/Permit Port Numbers E1 Router(config)# interface __________ 195 Router(config-if)# ip access-group _________ in or out (circle one) Router(config-if)# exit Router(config)# exit Router# copy run start _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router# configure terminal Router(config)# access-list 195 deny tcp host 172.168.168.196 to reach everyone on the 192.

255.0 0.0.0.0.255.0.0.0 0. router# config t router(config)# access-list 100 permit ip your-subnet-# your-subnet-mask-# any router(config)# interface e0 (or whatever your outbound port is) router(config-if)# ip access-group out router(config-if)# exit router(config)# exit To keep packets with unreachable destinations from entering your network add this command: ip route 0.0.16.255.0.Optional ACL Commands & Other Network Security Ideas In order to reduce the chance of spoofing from outside your network consider adding the following statements to your network’s inbound access list.255.0.255 any router(config)# access-list 100 deny ip your-subnet-# your-subnet-mask-# any router(config)# access-list 100 deny igmp any any router(config)# access-list 100 deny icmp any any redirect router(config)# access-list 100 permit any any router(config)# interface e0 (or whatever your inbound port is) router(config-if)# ip access-group in router(config-if)# exit router(config)# exit Another handy security tool is to only allow ip packets out of your network with your source address.168.255.255 any router(config)# access-list 100 deny ip 127.0 0.255 any router(config)# access-list 100 deny ip 192.0 null 0 255 To protect against smurf and other attacks add the following commands to every external interface: no ip directed-broadcast no ip source-route fair-queue scheduler interval 500 64 .255.255.0.255 any router(config)# access-list 100 deny ip 224.255.255 any router(config)# access-list 100 deny ip 172.0 0.0.0.0 0. router# config t router(config)# access-list 100 deny ip 10.0.0 31.0.0.

........................64 Index / Table of Contents..............................................46-53 Deny/Permit Port Numbers............33-63 Deny/Permit Specific Addresses.............................................................................................................6 Extended Access List Placement Sample Problems.........4-5 Extended Access Lists........................................65 Port Numbers..........................................................1 How routers use Access Lists....6 Why Extended ACLs must be placed close to the destination..............................................................66-Inside Cover 65 .......................................................................................................................................................10 Breakdown of a Standard ACL Statement............................................12 Applying a Standard Named Access List called “George”...............................................................54-63 Optional ACL Commands............................1 General Access Lists Information.................................10 Breakdown of a Extended ACL Statement.....................Inside Cover What are Access Control Lists?........................................11 What are Named Access Control Lists............................................................................12 Applying an Extended Named Access List called “Gracie”.........................................................................18-20 Writing Standard Access Lists.........2 Standard Access List Placement Sample Problems...............................................................................33-39 Deny/Permit Entire Ranges....................................................3 Standard Access List Placement Problems............................................................................................................................................................14-15 Creating Wildcard Masks.................................................12 Named Access Lists Information............................................1 Standard Access Lists............................................................................................................................................................2 Why Standard ACLs must be placed close to the destination.................................................................13 Choices for Using Wildcard Masks.................7 Extended Access List Placement Problems........................................................................Index / Table of Contents Access-List Numbers.........21-32 Writing Extended Access Lists..........................................................................................................................8-9 Choosing to Filter Incoming or Outgoing Packets.................................40-45 Deny/Permit a Range of Addresses..................................................................................................................16 Wildcard Mask Problems............................

it specifies that application in each data transmission by using its port number. POP3 .Data) (File Transfer Protocol . Telnet) instead of the port number (ie. For a complete list of port numbers go to http://www.iana.20. You can also type the name (ie. Commonly used TCP and UDP applications are assigned a port number.023 1. When an application communicates with another application on another node on the internet. FTP .535 Below is a short list of some commonly used ports.152 to 65.org/assignments/port-numbers.Port Numbers Port numbers are now assigned by the ICANN (Internet Corporation for Assigned Names and Numbers). Some commonly used port numbers: 0 1 5 7 9 11 13 17 18 19 20 21 22 23 25 29 37 39 42 66 Reserved TCPMUX RJE ECHO DISCARD SYSTAT DAYTIME QUOTE MSP CHARGEN FTP-DATA FTP SSH Telnet SMTP MSG ICP TIME RLP NAMESERV (TCP Port Service Multiplexer) (Remote Job Entry) (Active users) (Quote of the day) (Message Send Protocol) (Character generator) (File Transfer Protocol . such as: HTTP .110.024 to 49. 23).80. Port numbers range from 0 to 65536 and are divided into three ranges: Well Known Ports Registered Ports Dynamic and/or Private Ports 0 to 1.Control) (Remote Login Protocol) (Terminal Connection) (Simple Mail Transfer Protocol) (Resource Location Protocol (Host Name Server) .151 49.

Version 3) AUTH (Authentication Service) SFTP (Simple File Transfer Protocol) UUCP-PATH (UUCP Path Service) SQLSERV (SQL Services) NNTP (Newsgroup) NTP (Network Tim Protocol) NetBIOS-NS (NetBIOS Name Service) NetBIOS-SSN (NetBIOS Session Service ) IMAP (Interim Mail Access Protocol) SQL-NET (NetBIOS Session Service) SQLSRV (SQL Service) SNMP (Simple Network Management Protocol) BGP (Border Gateway Protocol) GACP (Gateway Access Control Protocol) IRC (Internet Relay Chat) DLS (Directory Location Service) LDAP (Lightweight Directory Access Protocol) NETWARE-IP (Novell Netware over IP ) HTTPS (HTTP MCom) SNPP (Simple Network Paging Protocol) Microsoft-DS Apple QuickTime DHCP Client DHCP Server SNEWS MSN Inside Cover .43 49 53 67 68 69 70 75 79 80 95 101 108 109 110 113 115 117 118 119 123 137 139 143 150 156 161 179 190 194 197 389 396 443 444 445 458 546 547 563 569 NICNAME LOGIN DNS BOOTP BOOTPS TFTP GOPHER (Who Is) (Login Host Protocol) (Domain Name Server) (Bootstrap Protocol Server) (Bootstrap Protocol Client) (Trivial File Transfer Protocol) (Gopher Services ) (Any Privite Dial-out Service) FINGER HTTP (Hypertext Transfer Protocol) SUPDUP (SUPDUP Protocol) HOSTNAME (NIC Host Name Server) SNAGAS (SNA Gateway Access Server) POP2 (Post Office Protocol .Version 2) POP3 (Post Office Protocol .

Sign up to vote on this title
UsefulNot useful