Extended

ACL
Any

Access
0.0.0.0
Lists

Workbook
Version 1.5

permit

deny

access-list

Standard

access-group
Wildcard Mask
Student Name:

Access-List Numbers
IP Standard
IP Extended
Ethernet Type Code
Ethernet Address
DECnet and Extended DECnet
XNS
Extended XNS
Appletalk
48-bit MAC Addresses
IPX Standard
IPX Extended
IPX SAP (service advertisement protocol)
IPX SAP SPX
Extended 48-bit MAC Addresses
IPX NLSP
IP Standard, expanded range
IP Extended, expanded range
SS7 (voice)
Standard Vines
Extended Vines
Simple Vines
Transparent bridging (protocol type)
Transparent bridging (vendor type)
Extended Transparent bridging
Source-route bridging (protocol type)
Source-route bridging (vendor type)

1
100
200
700
300
400
500
600
700
800
900
1000
1000
1100
1200
1300
2000
2700
1
101
201
200
700
1100
200
700

to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to

99
199
299
799
399
499
599
699
799
899
999
1099
1099
1199
1299
1999
2699
2999
100
200
300
299
799
1199
299
799

Produced by: Robb Jones
jonesr@careertech.net and/or Robert.Jones@fcps.org
Frederick County Career & Technology Center
Cisco Networking Academy
Frederick County Public Schools
Frederick, Maryland, USA
Special Thanks to Melvin Baker, Jim Dorsch, and Brent Sieling
for taking the time to check this workbook for errors, and making suggestions for improvements.

Inside Cover

What are Access Control Lists?
ACLs...
...are a sequential list of instructions that tell a router which packets to
permit or deny.

General Access Lists Information
Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it
stops comparing and permits or denys the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed
protocol must have a different ACL for each interface.
...must be applied to an interface to work.

How routers use Access Lists
(Outbound Port - Default)
The router checks to see if the packet is routable. If it is it looks up
the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL the router switches the packet out that interface to its
destination.
If there is an ACL the router checks the packet against the access list
statements sequentially. Then permits or denys each packet as it is
matched.
If the packet does not match any statement written in the ACL it is
denyed because there is an implicit “deny any” statement at the end of
every ACL.

1

.do not have any destination information so it must placed as close to the destination as possible. Since its using only the source address to permit or deny packets the ACL here will not effect packets reaching Routers B.... . and C. because all the packets will have the same source address.. interface E0. If you want to block traffic from Juan’s computer from reaching Janet’s computer with a standard access list you would place the ACL close to the destination on Router D.Standard Access Lists Standard Access Lists. ..are numbered from 1 to 99... Router A E0 Router B S0 S1 E0 S0 Router C S1 E0 S0 Janet’s Computer Matt’s Computer Juan’s Computer Jimmy’s Computer If you place the ACL on router A to block traffic to Router D it will also block all packets going to Routers B.work at layer 3 of the OSI model. Why standard ACLs are placed close to the destination. or C..filter (permit or deny) only source addresses. . . 2 Router D S1 E0 ..

- 3 . Where would you place the standard ACL to deny all traffic from Lisa to Paul? Router Name ______________ $%&'()* + Interface ___________ . !"# E0 S0 Router A Lisa’s Computer E1 S1 Router B Paul’s Computer Lisa has been sending unnecessary information to Paul.Standard Access List Placement Sample Problems FA0 FA1 Router A Jan’s Computer Juan’s Computer In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the standard access list at router interface ______.# Where would you place the standard ACL to deny traffic from Paul to Lisa? Router Name ______________ $%&'()*" Interface ___________ .

Standard Access List Placement Router B S0 S1 Router A E0 S0 S1 Ricky’s Computer FA1 S1 Router C Jenny’s Computer Amanda’s Computer Carrol’s Computer George’s Computer Kathy’s Computer S1 Router D S0 E0 Jeff’s Computer Jim’s Computer S1 E0 S0 Router E Linda’s Computer 4 Sarah’s Computer FA1 S1 Router F Jackie’s Computer Melvin’s Computer .

Where would you place an ACL to deny traffic from Linda’s computer from reaching Jackie’s computer? Router Name_________________ Interface ____________________ 5 . Where would you place a standard access list to permit traffic from Ricky’s computer to reach Carrol and Amanda’s computer? Router Name_________________ Interface ____________________ 8. Where would you place a standard access list to deny traffic to Sarah’s computer from Ricky’s computer? Router Name_________________ Interface ____________________ 12. Where would you place a standard access list to deny traffic to Carrol’s computer from Sarah’s computer? Router Name_________________ Interface ____________________ 4. Where would you place a standard access list to deny traffic to Jenny’s computer from Jackie’s computer? Router Name_________________ Interface ____________________ 9. Where would you place a standard access list to deny traffic from Amanda’s computer from reaching Jeff and Jim’s computer? Router Name_________________ Interface ____________________ 6.- 3. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer? 2.$%&'()*" Router Name_________________ Interface ____________________ . Where would you place a standard access list to deny traffic from Melvin’s computer from reaching Jenny’s computer? $%&'()* . Where would you place a standard access list to permit traffic to Ricky’s computer from Jeff’s computer? Router Name_________________ Interface ____________________ 5. Where would you place a standard access list to permit traffic from Jackie’s computer to reach Linda’s computer? Router Name_________________ Interface ____________________ 7.Standard Access List Placement 1. Router Name_________________ Interface ____________________ . Where would you place a standard access list to permit traffic from George’s computer to reach Linda and Sarah’s computer? Router Name_________________ Interface ____________________ 10. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer? Router Name_________________ Interface ____________________ 11.

... 6 . .Extended Access Lists Extended Access Lists.. Routers B... or C. . are placed close to the source. Since it can permit or deny based on the destination address it can reduce backbone overhead and not effect traffic to Routers B.filter (permit or deny) based on the: source address destination address protocol application / port number .are numbered from 100 to 199.. interface E0.. . If you want to deny traffic from Juan’s computer from reaching Janet’s computer with an extended access list you would place the ACL close to the source on Router A. Router B S0 S1 Router A E0 FA0 S0 Router C S1 S0 Janet’s Computer Matt’s Computer Juan’s Computer E0 Router D S1 E0 Jimmy’s Computer If you place the ACL on Router E to block traffic from Router A. it will work. This increases the volume of useless network traffic. and C will have to route the packet before it is finally blocked at Router E. However... Why extended ACLs are placed close to the source.work at both layer 3 and 4 of the OSI model.

Extended Access List Placement Sample Problems E0 E1 Router A Jan’s Computer Juan’s Computer In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the extended access list at router interface ______.- FA0 S0 Router A Lisa’s Computer FA1 S1 Router B Paul’s Computer Lisa has been sending unnecessary information to Paul. Where would you place the extended ACL to deny all traffic from Lisa to Paul? Router Name ______________ $%&'()*" Interface ___________ !"Where would you place the extended ACL to deny traffic from Paul to Lisa? Router Name ______________ $%&'()* + Interface ___________ !"# 7 . .

Extended Access List Placement Router B S0 S1 Router A FA0 S1 Ricky’s Computer S0 E1 S1 Router C Jenny’s Computer Amanda’s Computer Carrol’s Computer George’s Computer Kathy’s Computer S1 Router D FA0 Jeff’s Computer S0 Jim’s Computer S1 FA0 S0 Router E Linda’s Computer 8 Sarah’s Computer FA1 S1 Router F Jackie’s Computer Melvin’s Computer .

Where would you place an extended access list to permit traffic from George’s computer to reach Linda and Sarah’s computer? Router Name_________________ Interface ____________________ 12. Where would you place an extended access list to deny traffic from Melvin’s computer from reaching Jeff and Jim’s computer? Router Name_________________ Interface ____________________ 7. Where would you place an extended access list to permit traffic from Jackie’s computer to reach Linda’s computer? $%&'()* . Where would you place an extended access list to permit traffic from George’s computer to reach Jeff’s computer? Router Name_________________ Interface ____________________ 8. Router Name_________________ Interface ____________________ !"$%&'()* ! Router Name_________________ Interface ____________________ !"# 3. Where would you place an extended access list to deny traffic to Carrol’s computer from Ricky’s computer? Router Name_________________ Interface ____________________ 4. Where would you place an extended access list to deny traffic to Sarah’s computer from Jackie’s computer? Router Name_________________ Interface ____________________ 5. Where would you place an ACL to deny traffic from Linda’s computer from reaching Kathy’s computer? Router Name_________________ Interface ____________________ 10. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer? 2. Where would you place an extended access list to deny traffic from Linda’s computer from reaching Jenny’s computer? Router Name_________________ Interface ____________________ 9 . Where would you place an extended access list to permit traffic from Jim’s computer to reach Carrol and Amanda’s computer? Router Name_________________ Interface ____________________ 9. Where would you place an extended access list to permit traffic from Carrol’s computer to reach Jeff’s computer? Router Name_________________ Interface ____________________ 6. Where would you place an extended access list to deny traffic to Jenny’s computer from Sarah’s computer? Router Name_________________ Interface ____________________ 11.Extended Access List Placement 1.

filters and denys packets before the router has to make a routing decision.90...168. Breakdown of a Standard ACL Statement /()01' %) 2(34 :1...Choosing to Filter Incoming or Outgoing Packets Access Lists on your incoming port..168.90.0..36 log 5&'%3%0%&6 3&07() #*'%*88 10 132195'(6*5 6/(91=19*>%6' 522)(66 ?@/'1%35.36 0. ..are outbound by default unless otherwise specified.. .295)2 056< access-list 1 permit 192.. .0..requires less CPU processing.%B (3')4*%3*'>( )%&'()*=%)*(59> /59<('*'>5' 05'9>(6*'>16 6'5'(0(3' .increases the CPU processing time because the routing decision is made and the packet switched to the correct outgoing port before it is tested against the ACL... Access Lists on your outgoing port.0 5&'%3%0%&6 3&07() #*'%*88 6%&)9( 522)(66 /()01'*%)*2(34 6%&)9( 522)(66 access-list 78 deny host 192.A B(3()5'(6*5*. .

0 /()01'*%)*2(34 5&'%3%0%&6 3&07() #--*'%*#88 /)%'%9%.175. %/()5'%) (E*=%)*F B'*=%)*G .'*=%)*H 3(B*=%)*F ?@/'1%35.295)2 056< access-list 125 permit ip 192. 19/C 190/C '9/C*&2/C 1/C ('9D 6%&)9( 522)(66 2(6'135'1%3 522)(66 /%)' 3&07() ?IJ*F*'(.3(') 132195'(6*5 6/(91=19 >%6' 2(6'135'1%3 522)(66 access-list 178 deny tcp host 192.Breakdown of an Extended ACL Statement 5&'%3%0%&6 3&07() #--*'%*#88 /)%'%9%.90.A B(3()5'(6*5*.175.0.63.168.63.12 0. 19/C 190/C '9/C*&2/C 1/C ('9D 6%&)9( :1.0.0 192.%B (3')4*%3*'>( )%&'()*=%)*(59> /59<('*'>5' 05'9>(6*'>16 6'5'(0(3' 11 .295)2 056< 2(6'135'1%3 :1.168.36 host 192.0.36 0.12 eq 23 log /()01' %) 2(34 6%&)9( 522)(66 132195'(6*5 6/(91=19 >%6' Protocols Include: (Layers 3 and 4) IP IGMP IPINIP TCP GRE OSPF UDP IGRP NOS ICMP EIGRP Integer 0-255 To match any internet protocol use IP.90.0.

1-99 or 100-199) Named Access Lists Information Named Access Lists.provide the ability to modify your ACLs without deleting and reloading the revised access list....are not compatable with any IOS prior to Release 11...eliminate the limits imposed by using numbered ACLs.16'*6'5325)2*K(%)B( Router(config-std-nacl)#*2(34*>%6'*MID#NDM-DJO Router(config-std-nacl)#*/()01'*534 Router(config-std-nacl)#*13'()=59(*(# Router(config-if)#*1/*599(66LB)%&/*K(%)B(*%&' Router(config-if)#*(P1' Router(config)#*(P1' 12 . ...*?%)*9%3=1B*'A Router(config)#1/*599(66L.# Access-list Name: K(%)B( [Writing and installing an ACL] Router#*9%3=1B&)(*'()0135.identify ACLs with an intuutive name instead of a number.. . Applying a Standard Named Access List called “George” Write a named standard access list called “George” on Router A. interface E1 to block Melvin’s computer from sending information to Kathy’s computer..can not repeat the same name on multiple ACLs....2. . It will only allow you to add statements to the end of the exsisting statements. .. (ie..are standard or extended ACLs which have an alphanumeric name instead of a number.. but will allow all other traffic.What are Named Access Control Lists? Named ACLs. (798 for standard and 799 for extended) . . Place the access list at: Router Name: *******$%&'()*" Interface: ****************..

but will permit all other HTTP traffic to reach the only the 192.0 network.168.16'*(P'(32(2*K)591( Router(config-ext-nacl)# 2(34*'9/*534*>%6'*#8ID#NQDI-MDIM*(E*::: Router(config-ext-nacl)# /()01'*'9/*534*#8ID#NQDI-MD-*-D-D-DIOO*(E*::: Router(config-ext-nacl)# 13'()=59(*(Router(config-if)# 1/*599(66LB)%&/*K)591(*13 Router(config-if)# (P1' Router(config)# (P1' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*" Interface: ****************.27.207.207.*?%)*9%3=1B*'A Router(config)#1/*599(66L. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. Interface E0 called “Gracie” to deny HTTP traffic intended for web server 192.13 Router# 9%3=1B&)(*'()0135.168.Access-list Mail: K)591( Write a named extended access list called “Gracie” on Router A. Applying an extended Named Access List called “Gracie” . Deny all other IP traffic.

0.150.168.0.0.0.0. Match all addresses.0 0. 1.50.50 For extended access lists: Access-list 110 deny ip 192.0 Subnet Mask: 255.0 mask) or Access-List 10 permit host 192.255.0.255 Example 3 Address: 10.0 any or Access-list 110 deny ip host 192.0 Subnet Mask: 255.16. Matching a specific host.0 0.150.0.0.255.50 any 2.Choices for Using Wildcard Masks Wildcard masks are usually set up to do one of four things: 1.0.0 Access-list 12 permit 172. Match a specific host. For standard access lists: Access-List 10 permit 192. Matching an entire subnet Example 1 Address: 192.255.0.255 any 14 .255.255.0.0.0. 2.50 (standard assume a 0.0. Match a specific range.255.50.150.255 Example 2 Address: 172.168.150.0 0.0 Access-list 25 deny 192.0.0.0.50 0.0 or ACL’s Access-List 10 permit 192.168.150.168.0 Subnet Mask: 255.50 0. 3. Match an entire subnet.0 Access-list 125 deny udp 10. 4.168.168.16.0.168.

31.255.255.0.15.0.0 255. 16.127 -192.32 to 172.224 255.250. 0. Match everyone.16. 31 Access-list 125 permit ip 172.127 Access-list 125 deny ip 192.112 0.0. 32 0.0 0.50.250.16. For standard access lists: Access-List 15 permit any or Access-List 15 deny 0.0.250. 168.) Example 3 Address: 172.255.0. 16.0. 255.31 any 4. 63 -172. 31. 250.31 any e Example 2 Address Range: 192.3.50.63 Wildcard: 172. 0.127 Wildcard: 192.255.16.255 any 15 .16. 0.250. 16.250.0. 255.168. 168.168. Match a specific range Example 1 Address: 10. 250.16. 0. 0 0. 15.32 0.168. 255. 0.0 255.0. 255 Custom Subnet mask: -255.255.127 any (This ACL would block the lower half of the subnet. 255.112 Subnet Mask: 255.255 For extended access lists: Access-List 175 permit ip any any or Access-List 175 deny tcp 0.0 to 192.255. 224 Wildcard: 0.0. 31 Access-list 125 permit udp 10.

0 subnet address will match. Example #3: 10.0 0.255.10.255 to create the wildcard) (This is the inverse of the subnet mask.128.100.) One’s will be ignored.30 0..0) means the address must match exactly.128.0 255. 255 ..0 (This address must match exactly.10. one (1) will be ignored.25.) .0.0.25.150.0 0.100. Example #2: 10.224 = 31 Example #5: IP Address and subnet mask: IP Address and wildcard mask: Do the math.0.170.0.10.0 204.0.127.255.30 255.0.255.170.95 0.150..0. Zero (0) must match exactly.255) This also works with subnets.0 to 10.) 172.0 172.150.150.150.0 = 255 16 192. Example #1: IP Address and subnet mask: IP Address and wildcard mask: 204.0 255. 10.Creating Wildcard Masks Just like a subnet mask the wildcard mask tells the router what part of the address to check or ignore.255 (Any 10.0.255 All zero’s (or 0.100..224 192.0.100.10.0.128.255.255 = 0 255 .255.95 0. 255 .255 (This is the inverse of the subnet mask. a range of addresses. or an entire subnet.255. Example #4: IP Address and subnet mask: IP Address and wildcard mask: Do the math.255 = 0 255 .31 (Subtract the subnet mask from 255.0.255. The source address can be a single address. As a rule of thumb the wildcard mask is the reverse of the subnet mask.10.128 = 127 255 .24.24.

250.255.0 __________________________________ 10.100. Create a wildcard mask to match this range.70 -*D*-*D*-*D*Subnet Mask: 255.0.190. Create a wildcard mask to match this host.0 Subnet Mask: 255.0. Create a wildcard mask to match this host.255. IP Address: 171.150. Create a wildcard mask to match this range.255.0. Create a wildcard mask to match this range.25. Create a wildcard mask to match this range.35 Subnet Mask: 255.255.0.255.168. Create a wildcard mask to match this exact address.255.255.10.255. IP Address: 192.0 Subnet Mask: 255. IP Address: 10.30. IP Address: 10.10. IP Address: 210.32 Subnet Mask: 255.255.255.0.0 __________________________________ 6.130 Subnet Mask: 255.16.224.16 Subnet Mask: 255.255.0.0 __________________________________ 5.10.35.18.248 __________________________________ 17 . Create a wildcard mask to match this range.0 __________________________________ 12.255.0.16 Subnet Mask: 255. IP Address: 135.0.75.255.0 -*D*-*D*-*D*IOO Subnet Mask: 255. IP Address: 172.224 __________________________________ 8.0 Subnet Mask: 255.0 ___________________________________ 3.0.255.255.10.50. IP Address: 192.2 Subnet Mask: 255.255.255. IP Address: 195.0.128 Subnet Mask: 255.Wildcard Mask Problems 1. IP Address: 172. IP Address: 165. Create a wildcard mask to match this range. Create a wildcard mask to match this range.28.0 ___________________________________ 2.0 __________________________________ 4. IP Address: 210.230.192 __________________________________ 7.150.240 __________________________________ 11. Create a wildcard mask to match this exact address.255. Create a wildcard mask to match this range.192 __________________________________ 9.

168.0 0.10. access-list 11 deny 210.0 0.32.0.1 fragments #8ODIIJDO-D-* '%* #8ODIIJDO-DNJ Answer: __________________________________________________________________ 4.0 0.168.16.4. access-list 5 permit any "34*522)(66 Answer: __________________________________________________________________ 3.10.50. 1.0 0.0.0 0.24.63 host 172.50 0.0.255 Answer: __________________________________________________________________ 18 .0. access-list 109 permit tcp 172.168.0. access-list 195 permit udp 172.0. access-list 125 deny tcp 195.220.15. access-list 10 permit 192.0.10.1 eq 80 Answer: __________________________________________________________________ 9.10 fragments Answer: __________________________________________________________________ 7.0.0.0.15 172.0 0.10.0.255 any Answer: __________________________________________________________________ 8.0. access-list 108 deny ip 192.0.223.0 0. access-list 171 deny any host 175.0. access-list 105 permit 192.0 0.0.10.168.255 Answer: __________________________________________________________________ 6.127 172.Wildcard Mask Problems Based on the given information list the total number of source addresses for each access list statement.255 host 192.18.0 #8ID#NQD#O-DOAnswer: __________________________________________________________________ 2.255 Answer: __________________________________________________________________ 5.50.0. access-list 111 permit ip any any Answer: __________________________________________________________________ 10.0.10.0.150.10.12.30.

access-list 120 permit ip 192.255 172.30.0 0.168. access-list 101 Permit ip 192.0.0.10 0.127 192.0.168.0.168.255 192.0.31 any Answer: _________________________________________________________________ 22.0.50.168.3 192.18.10 0.0 0.255 Answer: _________________________________________________________________ 18.30.0 0.0.168.0.255.0 gt 22 Answer: _________________________________________________________________ 19.15.0.0.168.0 0.15.0 0.0.15.7 192.11.0 0.16.10 0.0 0.0.0 0.15.0.0.0. access-list 130 permit ip 192.0.0 0.255 Answer: _________________________________________________________________ 21.15.0 0.0.10.30.10.0 0.0.15 192.10 0. access-list 100 permit ip 10.15.15.0 Answer: _________________________________________________________________ 16.0.30.10 0.15.168.255 172.255.168.0.0. access-list 160 deny udp 172.63 192.255 Answer: _________________________________________________________________ 19 .15.30.0.0. access-list 110 permit ip 192.0 Answer:__________________________________________________________________ 17.0. access-list 185 permit ip 192.85.10.30.0.0.0.0.0.168. access-list 195 permit icmp 172.0.0.0. access-list 140 permit ip 192.30.0 Answer: _________________________________________________________________ 13.168.0 Answer: _________________________________________________________________ 15.15.0.10 0.0.120.0 Answer: _________________________________________________________________ 12.0 0.0 0. access-list 150 permit ip 192.168.50.168.0.0.168.0 0.10.0.0.31 192.0.255 Answer: _________________________________________________________________ 20.168.1.0. access-list 190 permit tcp 192.0 0.0 Answer: _________________________________________________________________ 14.255 172.0.0.0.18 0.0. access-list 10 permit 175.

0.0 255.0 0.255.168.255 Answer: __________________________________________________________________ 6.15.0 0. access-list 150 permit ip 192.0.50.16.0.0.32.0.10 0.0.0 0. 1.32.0.0.220.223.0 192.0.15.168. access-list 120 deny tcp 172.0 0.0.110.Wildcard Mask Problems Based on the given information list the total number of destination addresses for each access list statement.0.10.10 0.168.220.100 0.0 0. access-list 160 deny udp 172.0. access-list 105 permit any 192.255 192.63 Answer: __________________________________________________________________ 20 .0 0.255 172.4. access-list 120 permit ip 192.0.0.0.0.10.130.0.0 0.63 host 172.168.0.15 Answer: __________________________________________________________________ 5.0.30.0.255 Answer: __________________________________________________________________ 7.168.0.0.0.0. access-list 101 deny ip 140.1 fragments #MID#NQD#-D# Answer: __________________________________________________________________ 2.10.255 Answer: __________________________________________________________________ 8.0.0.15 172.0 0. access-list 150 permit ip 192.15.0.18.0 eq 21 Answer: __________________________________________________________________ 10.168. access-list 115 permit any any "34*522)(66 Answer: __________________________________________________________________ 3.0.0 0.30.0.access-list 125 deny tcp 195.63 #8ID#NQD#OD-* '%* #8ID#NQD#ODNJ Answer: __________________________________________________________________ 4.168.0 0.0.168.15.0 192.4.0 0. access-list 108 deny ip 192.0 192.7 Answer: __________________________________________________________________ 9.30.255.18 0.0.10.0.1.10 0.

.Writing Standard Access Lists. ..

16'*#- (This will show detailed information about this ACL) .1 E1 E0 S0 210.38 172.16'*#-*/()01'*534 Router(config)#*13'()=59(*(# Router(config-if)#*1/*599(66LB)%&/*#-*%&' Router(config-if)#*(P1' Router(config)#*(P1' [Viewing information about existing ACL’s] 22 Router# 6>%:*9%3=1B&)5'1%3 (This will show which access groups are associated with particular interfaces) Router# 6>%:*599(66*.16.16'*#-*2(34*#MID#NDM-DJO*-D-D-D%) *******599(66L.Router A 192.32 Frank’s Computer Melvin’s Computer Kathy’s Computer 192.16.90.90.16.36 172.16'*#-*/()01'*-D-D-D-*IOODIOODIOODIOO %) *******599(66L.*?%)*9%3=1B*'A Router(config)#*599(66L.16'*#-*2(34*>%6'*#MID#NDM-DJO Router(config)#*599(66L.168.168.70.# Access-list #: #[Writing and installing an ACL] Router#*9%3=1B&)(*'()0135.28. but will allow all other traffic.16'*#-*2(34*#MID#NDM-DJO %) *******599(66L.90.35 Standard Access List Sample #1 Write a standard access list to block Melvin’s computer from sending information to Kathy’s computer.0 Jim’s Network Computer 192. Place the access list at: Router Name: *******$%&'()*" Interface: ****************. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.30.70.168.2 172.70.

16'*IQ*/()01'*#8ID#NQD8-D-*-D-D-DIOO Router(config)# 599(66L.%9<*R10*=)%0*)(59>13B*!)53< Router(config)# 599(66L. Router(config)# 13'()=59(*(Router(config-if)# 3%*1/*599(66LB)%&/*IQ*%&' Router(config-if)# (P1' Router(config)# 3%*599(66L.0 network to reach the 172.16. [Disabling ACL’s] Router# 9%3=1B&)(*'()0135.0 network.16'*IQ*)(05)<*+.*%'>()*')5==19 Router(config)# 599(66L.16'*IQ*/()01'*I#-DJ-DIQD-*-D-D-DIOO Router(config)# 13'()=59(*(Router(config-if)# 1/*599(66LB)%&/*IQ*%&' Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' [Remark Command] The remark command allows you to place text within the ACL so it can be viewed after it is inserted on the router..Access-list #: IQ [Writing and installing an ACL] Router# 9%3=1B&)(*'()0135.16'*IQ*2(34*#8ID#NQD8-DJN*-D-D-D%) *599(66L.16'*IQ*)(05)<*".16'*IQ*)(05)<*".28. Permit all traffic from the 210.Standard Access List Sample #2 Write a standard access list to block Jim’s computer from sending information to Frank’s computer. It can be viewed using the show run or any command that lists the ACL. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. Deny all other traffic.168.*')5==19 Router(config)# 599(66L.16'*IQ*2(34*>%6'*#8ID#NQD8-DJN Router(config)# 599(66L. Router(config)# 13'()=59(*(Router(config-if)# 3%*1/*599(66LB)%&/*IQ*%&' Router(config-if)# (P1' Router(config)#*(P1' [Removing an ACL] Router# 9%3=1B&)(*'()0135..16'*IQ*2(34*#8ID#NQD8-DJN %) *599(66L.16'*IQ Router(config)#*(P1' 23 . Place the access list at: Router Name: *******$%&'()*" Interface: ****************.0 network.. but will allow all other traffic from the 192..70. Include a remark with each statement of your ACL.%:*5. Router(config)# 599(66L.90.%:*5.30.

FA0
S0
223.190.32.1
Router A
S1

Router B
FA1 192.16.32.94
FA0

172.16.0.0
Network

Michael’s
Computer

223.190.32.16

Debbie’s
Computer

192.16.32.95

Standard Access List Problem #1
Write a standard access list to block Debbie’s computer from receiving information from
Michael’s computer; but will allow all other traffic. List all the command line options for this
problem. Keep in mind that there may be multiple ways many of the individual statements in
an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
[Writing and installing an ACL]
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
%)
________________________________________________________
%)
________________________________________________________
Router(config)# ________________________________________________________
%)
* * ______________________________________________________
Router(config)# 13'()=59(*________
Router(config-if)# 1/*599(66LB)%&/*________ i3*%)*%&'*(circle one)
Router(config-if)# (P1'
Router(config)# (P1'
24

Standard Access List Problem #2
Write a standard access list to permit Debbie’s computer to receive information from
Michael’s computer; but will deny all other traffic from the 223.190.32.0 network. Block all
traffic from the 172.16.0.0 network. Permit all other traffic. List all the command line options
for this problem. Keep in mind that there may be multiple ways many of the individual
statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
[Writing and installing an ACL]
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
%)
________________________________________________________
%)
________________________________________________________
Router(config)#_________________________________________________________
Router(config)#_________________________________________________________
Router(config)#_________________________________________________________
%)
* _______________________________________________________
Router(config)# 13'()=59(*________
Router(config-if)# 1/*599(66LB)%&/*________ i3*%)*%&'*(circle one)
Router(config-if)# (P1'
Router(config)# (P1'

25

Router A
204.90.30.124 E0
S0
10.250.30.35

Carol’s
Computer
Rodney’s
Computer

Router B

S1
10.250.30.36

Jim’s
Computer

FA1
192.168.88.4

192.168.88.5

204.90.30.130

204.90.30.126

Standard Access List Problem #3
Write a standard access list to block Rodney and Carol’s computer from sending information
to Jim’s computer; but will allow all other traffic from the 204.90.30.0 network. Block all other
traffic. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
[Writing and installing an ACL]
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# 13'()=59(*________
Router(config-if)# 1/*599(66LB)%&/*________ i3*%)*%&'*(circle one)
Router(config-if)# (P1'
Router(config)# (P1'
26

but will permit Jim to receive data from Rodney. For help with the remark command review page 23. For help with blocking the upper half of the range review page 13 or the wildcard mask problems on pages 16 and 17.*?%)*9%3=1B*'A Router(config)# ________________________________________________________ Router(config-std-nacl)# _______________________________________________ _______________________________________________ _______________________________________________ _______________________________________________ _______________________________________________ _______________________________________________ _______________________________________________ _______________________________________________ _______________________________________________ _______________________________________________ Router(config-std-nacl)# 13'()=59(*________ Router(config-if)# 1/*599(66LB)%&/*________ i3*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' 27 .90. Include a remark with each statement of your ACL. Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list Name: ____________________________ [Writing and installing an ACL] Router# 9%3=1B&)(*'()0135.Standard Access List Problem #4 Using a minimum number of commands write a standard access list named “Ralph” to block Carol’s computer from sending information to Jim’s computer. For help with named ACLs review pages 12 and 13. Block all other traffic.0 range from reaching Jim’s computer while permitting the lower half of the range. Block the upper half of the 204.30.

5 S1 Router C 212.225.Router B S0 S1 Router A 172.180.2 172.0 network. but will allow all other traffic.2 Standard Access List Problem #5 Write a standard access list to block 172.30.10.30.180.180.30. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.30. Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ [Writing and installing an ACL] Router# 9%3=1B&)(*'()0135.3 212.180.*?%)*9%3=1B*'A Router(config)# ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ Router(config)# 13'()=59(*________ Router(config-if)# 1/*599(66LB)%&/*________ i3*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' 28 .10.225.225.225.225.10.10.1 E0 S0 S1 E1 212.30.2 and 172.6 172.3 from sending information to the 212.

30. Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ [Writing and installing an ACL] Router# 9%3=1B&)(*'()0135.2 from sending information to the 172. Check the example on page 10 for help with the logging option.6 to send data to the 172.0 network.10.225.225. Add a remark to each statement explaining its purpose. Permit and log 212.*?%)*9%3=1B*'A Router(config)# ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ Router(config)# 13'()=59(*________ Router(config-if)# 1/*599(66LB)%&/*________ i3*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' 29 .0 network.30. Deny all other traffic.180.180. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.Standard Access List Problem #6 Write a standard access list to block and log 212. For help with the remark command review page 23.10.

Router C Router A S0 S1 FA0 S1 198.25 to reach the 210. For help with this problem review page 13 or the wildcard mask problems on pages 16 and 17.15.140.140.15.168. Do not permit any traffic from 198.25 Standard Access List Problem #7 Write a standard access list to block the addresses 192.15.32.140.15.32.10.10.1 to 192.1 FA0 FA1 192.172 210.168.168.25 Router B S0 192.31 from sending information to the 210.15.15.15.15. Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ [Writing and installing an ACL] Router# 9%3=1B&)(*'()0135.0 network.8 198.168.3 210.*?%)*9%3=1B*'A Router(config)# ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ Router(config)# 13'()=59(*________ Router(config-if)# 1/*599(66LB)%&/*________ i3*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' 30 .32.0 network.140.10. Permit all other traffic.

Standard Access List Problem #8 Write a standard named access list called “Cisco_Lab_A” to permit traffic from the lower half of the 198.15.32.10.0.10.0 network. Allow host 198. For help with this problem review page 13 or the wildcard masks problems on pages 16 and 17.*?%)*9%3=1B*'A Router(config)# ________________________________________________________ Router(config-std-nacl)#*_______________________________________________ ****_______________________________________________ ****_______________________________________________ ****_______________________________________________ ****_______________________________________________ ****_______________________________________________ ****_______________________________________________ ****_______________________________________________ ****_______________________________________________ ****_______________________________________________ ****_______________________________________________ Router(config-std-nacl)# 13'()=59(*________ Router(config-if)# 1/*599(66LB)%&/*__________________ i3*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' 31 .192 to reach network 192.32. Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list Name: ____________________________ [Writing and installing an ACL] Router# 9%3=1B&)(*'()0135. Permit all other traffic.0 network to reach 192.168. block the upper half of the addresses.15.168. For assistance with named ACLs review pages 12 and 13.

1.255. 10.255.168.0 255.250.4.3.1.*?%)*9%3=1B*'A Router(config)# ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ ________________________________________________________ !"Router(config)# 13'()=59(*________ Router(config-if)# 1/*599(66LB)%&/*________ i3*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' 32 . Allow all other traffic. and the entire 10. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0 from receiving information from the following addresses: 10.2.Standard Access List Problem #9 Write a standard access list to block network 192. Place the access list at: $%&'()* " Router Name: ___________________________ !"Interface: _______________________________ Access-list #: ____________________________ [Writing and installing an ACL] Router# 9%3=1B&)(*'()0135.250. 10.255.0 network.250.1.250.1.

. .Writing Extended Access Lists..

90.16'*##-*2(34*1/*#MID#NDM-DJO*-D-D-D-*#8ID#NQD8-DJN*-D-D-D- [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*" Interface: ****************!"Access-list #: ##- Write an extended access list to prevent John’s computer from sending information to Mike’s computer. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.168.16'*##-*2(34*1/*>%6'*#MID#NDM-DJO*>%6'*#8ID#NQD8-DJN Router(config)# 599(66L.16.36 Router A 192.168.70.16.70.16'*##-*/()01'*1/*-D-D-D-*IOODIOODIOODIOO*-D-D-D-*IOODIOODIOODIOO Router(config)# 13'()=59(*=5Router(config-if)# 1/*599(66LB)%&/*##-*13 [Viewing information about existing ACL’s] Router(config-if)# (P1' Router# 6>%:*9%3=1B&)5'1%3 (This will show which access groups are associated with particular interfaces) Router(config)# (P1' Router# 9%3=1B&)(*'()0135.70.90.168.1 FA1 FA0 Router# 6>%:*599(66*.90.32 Extended Access List Sample #1 172.38 Celeste’s Computer Deny/Permit Specific Addresses 192.35 John’s Computer Gail’s Computer Mike’s Computer 192.172.16'*##-*/()01'*1/*534*534 %) * * * **599(66L.16.*?%)*9%3=1B*'A Router(config)# 599(66L.2 172.16'*##- (This will show detailed information about this ACL) %) *****599(66L. but will allow all other traffic. 34 .

Router(config)# 13'()=59(*(# Router(config-if)# 3%*1/*599(66LB)%&/*#JO*%&' Router(config-if)# (P1' Router(config)#*(P1' Router# 9%3=1B&)(*'()0135.0 network from receiving information from Mike’s computer at 192.16. Router(config)# 599(66L.16'*#JO*2(34*1/*#8ID#NQD8-D-*-D-D-D#IM*>%6'*#MID#NDM-DJI Router(config)# 599(66L. Router(config)# 13'()=59(*(# Router(config-if)# 3%*1/*599(66LB)%&/*#JO*%&' Router(config-if)# (P1' Router(config)# 3%*599(66L.32.70.16'* #JO* /()01'* 1/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO Router(config)# 13'()=59(*=5# Router(config-if)# 1/*599(66LB)%&/*#JO*13 Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*" Interface: ****************!"# Access-list #: #JO Write an extended access list to block the 172.16'*#JO*/()01'*1/*534*534 %) * * * * * 599(66L.90.168.70.36.16.168.16'*#JO*2(34*1/*#8ID#NQD8-DJN*-D-D-D-*#MID#NDM-D-*-D-D-DIOO %) ********599(66L. Block the lower half of the ip addresses from 192.16'*#JO Router(config)#*(P1' [Disabling ACL’s] Router# 9%3=1B&)(*'()0135. 35 . Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.16'*#JO*2(34*1/*#8ID#NQD8-D-*-D-D-D#IM*#MID#NDM-DJI*-D-D-D%) *599(66L.90.16'*#JO*2(34*1/*>%6'*#8ID#NQD8-DJN*#MID#NDM-D-*-D-D-DIOO Router(config)# 599(66L.0 network from reaching Gail’s computer at 172.Extended Access List Sample #2 Deny/Permit Specific Addresses [Removing an ACL] Router# 9%3=1B&)(*'()0135.

122.168.70.129 Jackie’s Computer Deny/Permit Specific Addresses 192.172.20.122. Permit all other traffic.168.52 Router(config)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.20.168.70.80 Bob’s Computer Cindy’s Computer 172. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.122. 36 .128 Jay’s Computer Router B FA1 S1 192.70.20.15 Router A S0 FA0 192.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to prevent Jay’s computer from receiving information from Cindy’s computer.89 Extended Access List Problem #1 172.

Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.129. Extended Access List Problem #2 .255. Permit all other traffic. Block the lower half of the ip addresses from 192.37 Deny/Permit Specific Addresses Router(config)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.89.122.70.255.20.20.168.0 network from reaching Cindy’s computer at 172.122.70.0 network from receiving information from Jackie’s computer at 192.168. Router(config)# [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to block the 172.0 255.

59.1 Router A FA1 172. but not Rebecca’s computer at 172.2.35.50.12 Juan’s Computer E0 218.35.2. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.59. 38 .59.50.Router B S0 Extended Access List Problem #3 218.2.15 Rebecca’s Computer 172.2.2.50.18.1 172.59.10 to receive packets from Rachael’s computer at 172.50.18 Rachael’s Computer Deny/Permit Specific Addresses S1 __________________________________________________________________________ __________________________________________________________________________ ___________________________________________________________________________ Router(config-ext-nacl)# 13'()=59(*____________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' Router(config-ext-nacl) Router(config)#_____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list Name: ____________________________ Write a named extended access list called “Lab_166” to permit Jan’s computer at 218.59.35.35. Deny all other packets.10 Jan’s Computer 218.15.

59.12 to send information to Rebecca’s computer at 172.18.2. Extended Access List Problem #4 .39 Deny/Permit Specific Addresses Router(config)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router((config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.15. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.35.59. Permit all other traffic. but not Rachael’s computer at 172. Router(config)# _____________________________________________________________________________________ [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to allow Juan’s computer at 218.2.50.

16'*###*2(34*1/*-D-D-D-*IOODIOODIOODIOO-D-D-D-*IOODIOODIOODIOO Router(config)# 13'()=59(*(# Router(config-if)# 1/*599(66LB)%&/*###*13 Router(config-if)# (P1' Router(config)# (P1' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*+ Interface: ****************.40.11 Bob’s Computer Deny/Permit Entire Ranges 192.0 network to receive packets from the 192.16.7 192.0 Network E1 Router B S1 192.16'*###*/()01'*1/*#8ID#QDO-D-*-D-D-DIOO*#8ID#NQDI-D-*-D-D-DIOO Router(config)# 599(66L.16.20.20.16'*### Router# 6>%:*9%3=1B&)5'1%3 (This will show detailed information about this ACL) (This will show which access groups are associated with particular interfaces) Router# 9%3=1B&)(*'()0135.50.0 Network E0 Extended Access List Sample #3 192.20.16.*?%)*9%3=1B*'A Router(config)# 599(66L.18.0 network.18.20.17.16. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.18.6 Cindy’s Computer Ralph’s Computer Router A S0 192.12 Barbra’s Computer [Viewing information about existing ACL’s] Router# 6>%:*599(66*.# Access-list #: ### Write an extended access list to permit the 192.192. 40 . Deny all other traffic.50.50.16'*###*2(34*1/*534*534 %) *****599(66L.

Router(config)# 599(66L. Router(config)# 13'()=59(*(Router(config-if)# 3%*1/*599(66LB)%&/*#QQ*%&' Router(config-if)# (P1' Router(config)#*(P1' Router# 9%3=1B&)(*'()0135.50.6(*&3)(6')19'(2*599(66 Router(config)# 599(66L.Access-list #: #QQ Write an extended access list to block the 192. [Remark Command] [Removing an ACL] Router# 9%3=1B&)(*'()0135.%:*(T()4%3(*(.16'*#QQ*2(34*1/*#8ID#NDI-D-*-D-D-DIOO*#8ID#QDO-D-*-D-D-DIOO Router(config)# 599(66L. Router(config)# 13'()=59(*(Router(config-if)# 3%*1/*599(66LB)%&/*#QQ*%&' Router(config-if)# (P1' Router(config)# 3%*599(66L. Permit all other traffic..16'*#QQ*)(05)<*7.%9<*5.0 network from receiving information from the 192. 41 ..20.*')5==19*=)%0*'>(*S91(39(*. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.16'*#QQ*)(05)<*5. It can be viewed using the show run or any command that lists the ACL. Add a remark to each statement.16'*#QQ Router(config)#*(P1' [Disabling ACL’s] Router# 9%3=1B&)(*'()0135.Extended Access List Sample #4 Deny/Permit Entire Ranges The remark command allows you to place text within the ACL so it can be viewed after it is inserted on the router.57 Router(config)# 599(66L.16'*#QQ*/()01'*1/*534*534 %) * * * 599(66L.16.0 network.18.16'* #QQ* /()01'* 1/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO Router(config)# 13'()=59(*(Router(config-if)# 1/*599(66LB)%&/*#QQ*13 Router(config-if)#*(P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*" Interface: ****************.

150. but not to the 210.150.2.150.250.12 S1 FA1 172.0 to send packets to network 172.18 David’s Computer Router(config)# 13'()=59(*____________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.95.204.0 Network 172.0.95. Permit all other traffic.150.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to permit network 204. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0.250.1 S0 210.59. For help with the remark command review page 41.0 network. 42 .59.95.2.10.15 Rebecca’s Computer Deny/Permit Entire Ranges Router B Extended Access List Problem #5 204.2.59. Include a remark with each statement of your ACL.95.11 Router A S0 FA0 172.10 Rachel’s Computer Todd’s Computer 204.10.59.

Extended Access List Problem #6 . Router(config)#______________________________________________________________________________________ [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to allow Rachel’s computer at 204.0 network.43 Deny/Permit Entire Ranges Router(config)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.150.2.59. Permit all other traffic.59. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.2.0 network.95.150.0 network access from the 172.10 to receive information from the 172. Deny all other hosts on the 204.95.

170. 44 .1.0.0 networks.0 .120.4 Denise’s Computer Router(config-ext-nacl)# 13'()=59(*____________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' _____________________________________________________________________________ _____________________________________________________________________________ Router(config-ext-nacl)#_____________________________________________________________________________ Router(config)# _____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.172.0 network from sending information to the 210.168. Permit all other traffic.45 Phyllis’s Computer Tommy’s Computer 172.70.168.46 210.168. and 10.2 S0 Router B 192. but will permit traffic to the 192.3 Tim’s Computer Deny/Permit Entire Ranges 10.168.0 255.0 Network S1 E1 192.255.255.170.168.50.0 Network E1 Extended Access List Problem #7 172.0 network.50.1.50.120.168.120.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list Name: ____________________________ Write a named extended access list called “Godzilla” to prevent the 172.50.70.250. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.47 Router A S0 E0 192.250.120.170.

168.120.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. Allow the 192.45.50. Router(config)# [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Assuming default subnet masks write an extended access list to permit Tim at 192. Deny all other traffic. Extended Access List Problem #8 .170.120.3 to receive data from the 172.0.45 Deny/Permit Entire Ranges Router(config)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.168.0 network to receive information from Phyllis’s computer at 172.50.

44 Rodney’s Computer Jim’s Computer Router A S0 FA0 192.21.15.21.168.168.*?%)*9%3=1B*'A Router(config)# 599(66L.50. Permit all other traffic.96 Carol’s Computer 172.15.168.50.168.192.15.0 network.0.15.16'*#QO (This will show detailed information about this ACL) (This will show which access groups are associated with particular interfaces) Router# 9%3=1B&)(*'()0135.50.0 network from reaching the 172.97 Frank’s Computer Deny/Permit a Range of Addresses S1 Router# 6>%:*9%3=1B&)5'1%3 Router# 6>%:*599(66*.16'*#QO*/()01'*1/*534*534 %) * 599(66L.16'* #QO* /()01'* 1/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO Router(config)# 13'()=59(*=5# Router(config-if)# 1/*599(66LB)%&/*#QO*13 Router(config-if)# (P1' [Viewing information about existing ACL’s] Router(config)# (P1' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*" Interface: ****************!"Access-list #: #QO Write an extended access list to deny the first 15 usable addresses of the 192.16'*#QO*2(34*1/*#8ID#NQD#OD-*-D-D-D#O*#MIDI#DO-D-*-D-DIOODIOO Router(config)# 599(66L.95 Router B 172. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.21.21.43 Extended Access List Sample #5 192. 46 .20 E1 172.

50. 47 .0 network access to the 172. Router(config)# 599(66L.168.16'* #I#* 2(34* 1/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO Router(config)# 13'()=59(*=5Router(config-if)# 1/*599(66LB)%&/*#I#*13 Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*" Interface: ****************!"Access-list #: #I# Write an extended access list which will allow the lower half of 192.21. Router(config)# 13'()=59(*=5Router(config-if)# 3%*1/*599(66LB)%&/*#I#*13 Router(config-if)# (P1' Router(config)# 3%*599(66L.0 network. Deny all other traffic.Extended Access List Sample #6 Deny/Permit a Range of Addresses [Removing an ACL] Router# 9%3=1B&)(*'()0135.15.16'*#I#*2(34*1/*534*534 %) * 599(66L.16'*#I# Router(config)#*(P1' [Disabling ACL’s] Router# 9%3=1B&)(*'()0135. Router(config)# 13'()=59(*=5Router(config-if)# 3%*1/*599(66LB)%&/*#I#*13 Router(config-if)# (P1' Router(config)#*(P1' Router# 9%3=1B&)(*'()0135.16'*#I#*/()01'*1/*#8ID#NQD#OD-*-D-D-D#IM*#MIDI#DO-D-*-D-D-DIOO Router(config)# 599(66L. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

125.195.125.195.195.192.145 S0 Mike’s Computer 192.254 E1 172.195. 48 .168.31.108 Celeste’s Computer Deny/Permit a Range of Addresses 192.168.125.168.168.0 network from reaching the 192.168. Permit all other traffic.0 Network Extended Access List Problem #9 192.125.168. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0 network.168.195.88 John’s Computer Gail’s Computer 192.168.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to prevent the first 31 usable addresses in the 192.90 E0 Router A Router(config)# 13'()=59(*____________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.17 192.

Include a remark with each statement of your ACL.195.168. Deny all other traffic.0 network.195.7 to send data to the 192. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. Router(config)#______________________________________________________________________________________ [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list Name: ____________________________ Write a named extended access list called “Media_Center” to permit the range of addresses from 172. Extended Access List Problem #10 .31.31. For help with the remark command review page 41.125.1 through 172.49 Deny/Permit a Range of Addresses Router(config-ext-nacl)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*________________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' _____________________________________________________________________________ _____________________________________________________________________________ _____________________________________________________________________________ _____________________________________________________________________________ _____________________________________________________________________________ Router(config-ext-nacl)#_____________________________________________________________________________ Router# 9%3=1B&)(*'()0135.

75.10 Bob’s 172.16.18.0 network.75.11 Jill’s Computer S1 Router C Router(config)# 13'()=59(*____________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.9 Computer 172.22.18.22.20. Permit all other traffic.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to permit the first 3 usable addresses in the 192.20.22.31 from reaching the 172.16.0 network to reach the 172.18.20.192.4 through 192.50. 50 .16.20.16.12 Deny/Permit a Range of Addresses 172.0 network.20.8 Router B Router A Extended Access List Problem #11 192.50.16.20.10 Brad’s Computer FA1 172.22.75. Deny the addresses from 192.50.75.16.75. Keep in mind that there are multiple ways this ACL can be written.22.7 S1 S0 S0 E1 172.5 FA0 Barbra’s Computer 172.6 Cindy’s Computer Ralph’s Computer 192.

8 through 172.127 from sending data to the 172.22.22.18.75. Keep in mind that there are multiple ways this ACL can be written.75.0 network from reaching the 192.20. Permit all other traffic. Router(config)#______________________________________________________________________________________ [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to deny the addresses from 172. Deny the first half of the addresses from the 172. Extended Access List Problem #12 .16.51 Deny/Permit a Range of Addresses Router(config)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.22.50.75.0 network.0 network.

Include a remark with each statement of your ACL.16.250.16.16.1 FA0 Router(config)# 13'()=59(*____________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.70.0 network.155 10. but not the upper half.0 192. 52 .145 Celeste’s Computer Bob’s Computer 172.250. Deny all other traffic. For help with the remark command review page 41.88.16. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.88.70.168.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to permit the first 63 usable addresses in the 192.1 Router A S0 FA0 Peggy’s Computer Denise’s Computer 192.172.88.88.204 Deny/Permit a Range of Addresses 10.4.168.0 network to reach the lower half of the addresses in the 172.70.168.168.70.1.0 Network FA1 Extended Access List Problem #13 172.200 Network Router B FA1 S1 192.

Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.1.1.0 through 10. 53 .250.250. Permit all other traffic. Router(config)#______________________________________________________________________________________ [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to deny the addresses from 10.Extended Access List Problem #14 Deny/Permit a Range of Addresses Router(config)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.63 from sending data to Denise’s computer.

12 210.168.207. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.16'*#8Q*/()01'*'9/*534*#8ID#NQDI-MD-*-D-D-DIOO*(E*::: Router(config)# 13'()=59(*(*Router(config-if)# 1/*599(66LB)%&/*#8Q*13 Router(config-if)# (P1' Router(config)# (P1' [Viewing information about existing ACL’s] [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*" Interface: ****************.50. Deny all other IP traffic.207.16'*#8Q Router# 6>%:*9%3=1B&)5'1%3 (This will show detailed information about this ACL) (This will show which access groups are associated with particular interfaces) Router# 9%3=1B&)(*'()0135. but will permit all other HTTP traffic to reach the 192.128.207.168.0 network.207.27 from all other networks.*?%)*9%3=1B*'A Router(config)# 599(66L.11 Web Server Deny/Permit Port Numbers Router B S1 E1 210.16'*#8Q*2(34*'9/*534*>%6'*#8ID#NQDI-MDIM*(E*::: Router(config)# 599(66L.Extended Access List Sample #7 192.16'*#8Q*2(34*'9/*534*#8ID#NQDI-MDIM*-D-D-D-*(E*::: %) *599(66L.128.207.50.27 210.128.168.25 Web Server 192.10 Router# 6>%:*599(66*.168.26 Router A S0 E0 192. 54 .50.Access-list #: #8Q Write an extended access list to deny HTTP traffic intended for web server 192.168.

Router(config)# 13'()=59(*(Router(config-if)# 3%*1/*599(66LB)%&/*#JU*%&' Router(config-if)# (P1' Router(config)# 3%*599(66L.0 network from reaching the 192.# Access-list #: #JU Write an extended access list to deny pings from hosts on the 210.168.Deny/Permit Port Numbers [Removing an ACL] Router# 9%3=1B&)(*'()0135.0 network.16'*#JU*2(34*190/*I#-D#IQDO-D-*-D-D-DIOO*#8ID#NQDI-MD-*-D-D-DIOO Router(config)# 599(66L. Router(config)# 599(66L.16'*#JU Router(config)#*(P1' [Disabling ACL’s] Router# 9%3=1B&)(*'()0135.16'*#JU*/()01'*190/*534*534 Router(config)# 13'()=59(*(# Router(config-if)# 1/*599(66LB)%&/*#JU*13 Router(config-if)#*(P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*+ Interface: ****************.128.50.207. Router(config)# 13'()=59(*(Router(config-if)# 3%*1/*599(66LB)%&/*#JU*%&' Router(config-if)# (P1' Router(config)#*(P1' Router# 9%3=1B&)(*'()0135. Permit all other traffic. Extended Access List Sample #8 55 . Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

0 network.168.16.0 192.168.16'*UO Router# 6>%:*9%3=1B&)5'1%3 [Viewing information about existing ACL’s] (This will show detailed information about this ACL) (This will show which access groups are associated with particular interfaces) Router# 9%3=1B&)(*'()0135.33.145 Celeste’s Computer Bob’s Computer 172.1 E0 10.168.155 Router A E1 S0 Peggy’s Computer Denise’s Computer 192.210 Network Router B E1 S1 192.16'*#UO*/()01'*&2/#8ID#NQDJJDI#U*-D-D-D-*#8IDJ-DMND#OO*-D-D-D-*(E*'='/ %) ********599(66L.168. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0 Network .20.16'*#UO*/()01'*&2/*>%6'*#8ID#NQDJJDI#U*>%6'*#8IDJ-DMND#OO*(E*'='/ Router(config)# 13'()=59( **.*?%)*9%3=1B*'A Router(config)# 599(66L.30.70.250.16.0 network to the 192. Deny all other traffic from the 192.30.76.76.56 192.33.76.33.33.4. Extended Access List Sample #9 192.# Router(config-if)# 1/*599(66LB)%&/*#UO*13 Router(config-if)# (P1' Router(config)# (P1' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*+ Interface: ****.1 E0 Router# 6>%:*599(66*.# Access-list #: #UO Write an Extended access list to permit Denise’s computer to use TFTP with Bob’s computer.30.214 Deny/Permit Port Numbers 172.

Access-list #: #OO Write an extended access list to deny FTP traffic from ip addresses 192.30.13.57 Deny/Permit Port Numbers [Removing an ACL] Router# 9%3=1B&)(*'()0135.30. Permit all other traffic. Router(config)# 599(66L. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.16'*#OO*2(34*'9/*#8IDJ-DMND-*-D-D-DQ*534*(E*='/**(Covers 0 to 7) Router(config)# 599(66L. Extended Access List Sample #10 .0 through 192.76. Router(config)# 13'()=59(*(Router(config-if)# 3%*1/*599(66LB)%&/*#OO*%&' Router(config-if)# (P1' Router(config)#*(P1' Router# 9%3=1B&)(*'()0135.16'*#OO*2(34*'9/*#8IDJ-DMNDQ*-D-D-DU*534*(E*='/**(Covers 8 to 11) Router(config)# 599(66L.16'*#OO*/()01'*'9/*534*534 %) * 599(66L. Router(config)# 13'()=59(*(Router(config-if)# 3%*1/*599(66LB)%&/*#OO*%&' Router(config-if)# (P1' Router(config)# 3%*599(66L.16'*#OO*2(34*'9/*#8IDJ-DMND#I*-D-D-D#*534*(E*='/*(Covers 12 to 13) Router(config)# 599(66L.76.16'*#OO Router(config)#*(P1' [Disabling ACL’s] Router# 9%3=1B&)(*'()0135.16'* #OO* 2(34* '9/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO Router(config)# 13'()=59(*(Router(config-if)# 1/*599(66LB)%&/*#OO*13 Router(config-if)#*(P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*" Interface: ****************.

16.16.250.255. Deny all other traffic.0 and 10.255.45.16.45. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.45.255.0 networks.128.128.8.128.1 192.45.70.0 255.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to permit ICMP traffic from the 192.0 network to reach the 172.255.0 Network Router B FA1 S1 192.128.33 Bill’s Computer Deny/Permit a Port Numbers 10.35 Jennifer’s Computer Router(config)# 13'()=59(*____________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.1 Jackie’s Computer E1 10.125.250.2.0 255.E0 172.250.2.0 Network 192.125. 58 .8 FA0 S0 Router A Extended Access List Problem #15 172.

0 network.*?%)*9%3=1B*'A Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list Name: ____________________________ Write a named extended access list called “Peggys_Lab” to deny telnet from 10. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.Extended Access List Problem #16 Deny/Permit a Port Numbers Router(config-ext-nacl)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' Router#*9%/4*)&3*6'5)' __________________________________________________________________________ __________________________________________________________________________ __________________________________________________________________________ __________________________________________________________________________ __________________________________________________________________________ Router(config-std-nacl)#*____________________________________________________________________________ Router(config-std-nacl)#*____________________________________________________________________________ Router(config)#______________________________________________________________________________________ [Writing and installing an ACL] Router# 9%3=1B&)(*'()0135.128.127 from reaching the 192. Permit all other traffic.250.0 through 10.250.45.8. 59 .8.

Permit all other traffic.194. 60 .18.102 S1 Router B Extended Access List Problem #17 203.10.60.60. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.60.0 Network Router(config)# 13'()=59(*____________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.101 Web Server #2 Web Server #1 203.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an access list to deny Jimmy’s computer from sending ftp packets to Web Server 1.203.100.140 FA1 172.1 S0 204.194.1 Router A S0 FA0 Jimmy’s Computer Jo’s Computer 172.194.100.250.100. but permit ftp to Web Server #2.18.142 Deny/Permit Port Numbers 172.18.

66.60. Permit all other HTTP traffic from the 204.194.0 and 172.10.61 Deny/Permit Port Numbers Router(config)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.0 network.250.0.194.0. Deny all other IP traffic to the 203.100.102 from the 172. Extended Access List Problem #18 .*?%)*9%3=1B*'A Router(config)# _____________________________________________________________________________________ [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to deny all HTTP traffic intended for the web server at 203. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.0 network.100.0 networks to any other web servers.

197 Gail’s Computer Router(config)# 13'()=59(*____________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)# (P1' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135. Include a remark with each statement of your ACL.82 192. 62 . Deny all other traffic.25 Router B Deny/Permit Port Numbers E1 Web Server #2 172.125 Web Server #1 Bobbie’s Computer Router A S0 E0 E1 192.23.10.196 S1 172.23.195 172.15.168.23.50.15.15.15.168.50.0 Network Extended Access List Problem #19 192.50. For help with the remark command review page 41.Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.192.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list to permit TFTP traffic from all hosts on the 192.0 network.168.172.168.

0.50. Deny all other IP traffic going to the 192.0 network.168.168.0 network.0 networks from the 172.15. and 192. Router(config)#______________________________________________________________________________________ [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write an extended access list that permits web traffic from web server #2 at 172.196 to reach everyone on the 192.50.15. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.172.63 Deny/Permit Port Numbers Router(config)# 13'()=59(**__________ Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one) Router(config-if)# (P1' Router(config)#*(P1' Router#*9%/4*)&3*6'5)' _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ _____________________________________________________________________________________ Router# 9%3=1B&)(*'()0135. Extended Access List Problem #20 .23.25.10.

By switching from the access-group command to the access-class command you can increase your security by allowing only those users through that you want to use telnet. The access-class command also allows you to apply this access list to the vty connections. Restricting access to telnet can be a very usefull option. ..Writing Access Lists to Restrict Telnet Access.. Telnet is considered a very insecure protocol because it sends passwords through the network in clear-text.

30.1 Router A S0 E0 .13(*T'4*-*U Router(config-line)#599(66L9.214 Denise’s Computer Router# 6>%:*9%3=1B&)5'1%3 (This will show which access groups are associated with particular interfaces) ?&613B*..16'*UO (This will show detailed information about this ACL) Router# 9%3=1B&)(*'()0135.0 192.168.0 Network E1 Peggy’s Computer Deny/Permit Telnet 172.566*UO*13 Router(config-line)# (P1' [Viewing information about existing ACL’s] Router(config)# (P1' [Writing and installing an ACL] Place the access list at: Router Name: *******$%&'()*+ Interface: *********.155 10.70.16'*UO*/()01'*>%6'*#8ID#NQDJJDI#U Router(config)# 599(66L.4*'>16*599(66*.13(*VWX*-*U*136'(52*%=*53*13'()=59(*.16'*UO*/()01'*#8ID#NQDJJDI#U*-D-D-D%) *599(66L.1<(*.33.210 Network Router B E1 S1 192.16'*'%*5.76.#*5.1 E0 192..13(6*:1'>*%3(*6'5'(0(3'A Router# 6>%:*599(66*.16.33.30.168.13(*VWX*-*U Access-list #: UO Write a standard access list to permit Denise’s and Bob’s computers to telnet into Router B.%:6*4%& '%*5//.250.65 192.*?%)*9%3=1B*'A Router(config)# 599(66L.16'*UO*/()01'*>%6'*#8IDJ-DMND#OO Router(config)# .20.168. Standard Access List Sample #11 192.4.33.145 Celeste’s Computer Bob’s Computer 172.*VWX*.76.16'*UO*/()01'*#8IDJ-DMND#OO*-D-D-D%) *599(66L.16. Deny all other telnet traffic Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Deny all other telnet traffic from the 172.194.566*_________*13*%)*%&'*(circle one) Router(config-line)# (P1' Router(config)# (P1' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.60.1 Router B S1 Deny/Permit Telnet Router A S0 FA0 172.102 Access List Problem #21 203.100.100.250.18.1 204.60.0 Network S0 172.60.0 network.18.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write a standard access list to permit Becky and Mary’s computer to telnet into Router B.140 Becky’s Computer FA1 172.194.18. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.10.194.18.203.60. 66 .142 Mary’s Computer Router(config)# *___________________ Router(config-line)# *599(66L9.100.101 Web Server #2 Web Server #1 203.

Deny all other telnet access. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.566*_________*13*%)*%&'*(circle one) Router(config-line)# (P1' Router(config)# (P1' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135. Log the telnet attempts.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write a standard access list to permit which will permit Web Server #1 to telnet into Router A. 67 .Access List Problem #22 Deny/Permit Telnet Router(config)# *___________________ Router(config-line)# 599(66L9.

18.FA1 FA0 Deny/Permit Telnet 172. Permit all other telnet traffic from the 192.*?%)*9%3=1B*'A [Writing and installing an ACL] Place the access list at: Router Name: ___________________________ Interface: _______________________________ Access-list #: ____________________________ Write a standard access list to deny Brent and Bob’s computer telnet access to into Router A.0 Network S0/0 Router A 192. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.18.60.60.0 Network Access List Problem #23 204. 68 .250.61 Brent’s Computer 192.566*_________*13*%)*%&'*(circle one) Router(config-line)# (P1' Router(config)# (P1' * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ * * * * * * ______________________________________________________________________________________ Router(config)#______________________________________________________________________________________ Router# 9%3=1B&)(*'()0135.62 Bob’s Computer Router(config)# *___________________ Router(config-line)# 599(66L9.60.32.0 network.10.18.0.

0.255. router# config t router(config)# access-list 100 permit ip your-subnet-# your-subnet-mask-# any router(config)# interface e0 *?%)*:>5'(T()*4%&)*%&'7%&32*/%)'*16A router(config-if)# ip access-group out router(config-if)# exit router(config)# exit To keep packets with unreachable destinations from entering your network add this command: ip route 0.255 any router(config)# access-list 100 deny ip 224.255.255 any router(config)# access-list 100 deny ip 127.255.0.0.0.0.Optional ACL Commands & Other Network Security Ideas In order to reduce the chance of spoofing from outside your network consider adding the following statements to your network’s inbound access list.0.255 any router(config)# access-list 100 deny ip 192.0.0.255 any router(config)# access-list 100 deny ip your-subnet-# your-subnet-mask-# any router(config)# access-list 100 deny igmp any any router(config)# access-list 100 deny icmp any any redirect router(config)# access-list 100 permit any any router(config)# interface e0 *?%)*:>5'(T()*4%&)*137%&32*/%)'*16A router(config-if)# ip access-group in router(config-if)# exit router(config)# exit Another handy security tool is to only allow ip packets out of your network with your source address.0 0.255.0.0 null 0 255 To protect against smurf and other attacks add the following commands to every external interface: no ip directed-broadcast no ip source-route fair-queue scheduler interval 500 69 .0.0 0.255.0.0 0.0.255.0 0.255.0.168.255.16.255 any router(config)# access-list 100 deny ip 172.0 31.0 0.0. router# config t router(config)# access-list 100 deny ip 10.

Control) (Remote Login Protocol) (Terminal Connection) (Simple Mail Transfer Protocol) (Resource Location Protocol (Host Name Server) .org/assignments/port-numbers. You can also type the name (ie. 23).Data) (File Transfer Protocol .024 to 49. Some commonly used port numbers: 0 1 5 7 9 11 13 17 18 19 20 21 22 23 25 29 37 39 42 70 Reserved TCPMUX RJE ECHO DISCARD SYSTAT DAYTIME QUOTE MSP CHARGEN FTP-DATA FTP SSH Telnet SMTP MSG ICP TIME RLP NAMESERV (TCP Port Service Multiplexer) (Remote Job Entry) (Active users) (Quote of the day) (Message Send Protocol) (Character generator) (File Transfer Protocol .80. Telnet) instead of the port number (ie. it specifies that application in each data transmission by using its port number. When an application communicates with another application on another node on the internet.110. POP3 . such as: HTTP .Port Numbers Port numbers are now assigned by the ICANN (Internet Corporation for Assigned Names and Numbers). Commonly used TCP and UDP applications are assigned a port number.023 1.152 to 65. For a complete list of port numbers go to http://www.151 49.iana. Port numbers range from 0 to 65536 and are divided into three ranges: Well Known Ports Registered Ports Dynamic and/or Private Ports 0 to 1. FTP .535 Below is a short list of some commonly used ports.20.

43 49 53 67 68 69 70 75 79 80 95 101 108 109 110 113 115 117 118 119 123 137 139 143 150 156 161 179 190 194 197 389 396 443 444 445 458 546 547 563 569 NICNAME LOGIN DNS BOOTP BOOTPS TFTP GOPHER (Who Is) (Login Host Protocol) (Domain Name Server) (Bootstrap Protocol Server) (Bootstrap Protocol Client) (Trivial File Transfer Protocol) (Gopher Services ) (Any Privite Dial-out Service) FINGER HTTP (Hypertext Transfer Protocol) SUPDUP (SUPDUP Protocol) HOSTNAME (NIC Host Name Server) SNAGAS (SNA Gateway Access Server) POP2 (Post Office Protocol .Version 2) POP3 (Post Office Protocol .Version 3) AUTH (Authentication Service) SFTP (Simple File Transfer Protocol) UUCP-PATH (UUCP Path Service) SQLSERV (SQL Services) NNTP (Newsgroup) NTP (Network Tim Protocol) NetBIOS-NS (NetBIOS Name Service) NetBIOS-SSN (NetBIOS Session Service ) IMAP (Interim Mail Access Protocol) SQL-NET (NetBIOS Session Service) SQLSRV (SQL Service) SNMP (Simple Network Management Protocol) BGP (Border Gateway Protocol) GACP (Gateway Access Control Protocol) IRC (Internet Relay Chat) DLS (Directory Location Service) LDAP (Lightweight Directory Access Protocol) NETWARE-IP (Novell Netware over IP ) HTTPS (HTTP MCom) SNPP (Simple Network Paging Protocol) Microsoft-DS Apple QuickTime DHCP Client DHCP Server SNEWS MSN Inside Cover .

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master Your Semester with a Special Offer from Scribd & The New York Times

Cancel anytime.