Access Control List (ACL)
[Figure: router with interfaces e0 (network 172.16.3.0), e1 (network 172.16.4.0), s0 and s1; hosts 172.16.3.1, 172.16.3.2, 172.16.4.2, 172.16.4.3 and 172.16.2.2; server 172.16.4.13; traffic from non-172.16.0.0 addresses]
Applying an access list to an interface:
• Standard (ACL 1): Interface Fa 0/0/0, ip access-group 1 out
• Extended (ACL 101): Interface Fa 0/0/0, ip access-group 101 in
Router(config-if)# ip access-group 1
Router(config-if)# ip access-group 50
(With no direction keyword the list is applied outbound.)
To delete an ACL group statement from an interface (this will not delete the associated list):
Router(config-if)# no ip access-group <ACL number>
Perrine modified by Brierley 01/28/19 Page 21
CCNA2 Routing Wildcard Module 11
NOTE!!!
Do NOT think subnet mask – that is a totally different meaning, not related to the WILDCARD.
Criteria (standard ACLs filter on the source address only):
• block all traffic from a network
• allow all traffic from a network
• deny entire protocol suites
Router(config-if)# ip access-group 33 in
Router(config-if)# ip access-group 44 out
show ip access-list
Shows only the IP access lists configured on the router.
show ip interface
Shows which interfaces have access lists set (containing an access-group).
show running-config
Shows the router's entire configuration.
CCNA2 Routing Standard ACLs Module 11
R(config)# interface e0
R(config-if)# ip access-group 1 out
R(config)# interface e1
R(config-if)# ip access-group 1 out

R(config)# interface e0
R(config-if)# ip access-group 1 out
Denies traffic from a specific device (172.16.4.13) and allows all other traffic through e0 to network 172.16.3.0.
Interface e0
ip access-group 1 out
Denies traffic from the subnet 172.16.4.0 and allows all other traffic through e0 to network 172.16.3.0.
CCNA2 Routing Extended ACLs Module 11
Criteria:
• checks both the packet's source and destination addresses
• checks for a specific protocol
• checks for specific port numbers
• permits or denies applications – pings, telnets, FTP, etc.
• ACL values range between 100 – 199 (for IP)

Fields of an extended ACL statement:
ACL number: 100 – 199
permit | deny: packet is allowed or blocked
protocol: IP, TCP, UDP, ICMP, GRE or IGRP
operator: lt, gt, eq, neq
operand: port number
established: allows TCP traffic to pass if the packet uses an established connection (for example, has ACK bits set).
Router(config)# int E0
Router(config-if)# ip access-group 101 in
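The following Python model is an added example, not code from the CCNA2 module, and shows how a router walks a numbered list: top-down, first match decides, implicit deny at the end. It covers both the standard ACL 1 examples above (source address only) and the extended fields just listed (protocol, operator and port, established). The networks and the host 172.16.4.13 are the module's own; the individual permit/deny statements in ACL_1 and ACL_101 are constructed for this example and are assumptions, not the module's configuration.

```python
# Added example (not part of the CCNA2 module): a small Python model of how a
# router walks a numbered access list. Entries are tested top-down, the first
# match decides, and an implicit "deny any" sits at the end of every list.
# The hosts and networks are the module's own (172.16.3.0, 172.16.4.0, host
# 172.16.4.13); the individual ACL statements are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'ignore this bit'; a 0 bit must match."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(addr) ^ to_int(base)) & care) == 0


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"      # "ip", "tcp", "udp" or "icmp"
    dst_port: int = 0
    ack: bool = False         # TCP ACK bit set: reply of an established session


@dataclass
class Entry:
    action: str               # "permit" | "deny"
    protocol: str             # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"      # a standard ACL checks the source only, so
    dst_wc: str = "255.255.255.255"  # the destination defaults to "any"
    op: Optional[str] = None  # lt | gt | eq | neq, applied to dst_port
    port: int = 0
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != p.protocol:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.op is not None:
            ok = {"lt": p.dst_port < self.port, "gt": p.dst_port > self.port,
                  "eq": p.dst_port == self.port, "neq": p.dst_port != self.port}[self.op]
            if not ok:
                return False
        # 'established' only passes TCP segments that carry the ACK bit
        if self.established and not (p.protocol == "tcp" and p.ack):
            return False
        return True


def evaluate(acl, p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, line number of the matching entry); None = implicit deny."""
    for n, entry in enumerate(acl, start=1):
        if entry.matches(p):
            return entry.action, n
    return "deny", None


# Standard ACL 1 (constructed): deny host 172.16.4.13, permit everyone else.
ACL_1 = [
    Entry("deny", "ip", "172.16.4.13", "0.0.0.0"),
    Entry("permit", "ip", "0.0.0.0", "255.255.255.255"),
]

# Extended ACL 101 (constructed): let replies of established TCP sessions back
# in to 172.16.3.0, block telnet (port 23) from 172.16.4.0, permit the rest.
# The telnet deny must sit above the broad permit: entries cannot be inserted
# into the middle of a list later, so get the order right when writing it.
ACL_101 = [
    Entry("permit", "tcp", "0.0.0.0", "255.255.255.255",
          "172.16.3.0", "0.0.0.255", established=True),
    Entry("deny", "tcp", "172.16.4.0", "0.0.0.255",
          "172.16.3.0", "0.0.0.255", op="eq", port=23),
    Entry("permit", "ip", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for label, acl, pkt in [
        ("ACL 1, host 172.16.4.13", ACL_1, Packet("172.16.4.13", "172.16.3.1")),
        ("ACL 1, host 172.16.4.2", ACL_1, Packet("172.16.4.2", "172.16.3.1")),
        ("ACL 101, telnet", ACL_101, Packet("172.16.4.2", "172.16.3.1", "tcp", 23)),
        ("ACL 101, web", ACL_101, Packet("172.16.4.2", "172.16.3.1", "tcp", 80)),
        ("ACL 101, reply", ACL_101, Packet("10.1.1.1", "172.16.3.1", "tcp", 40000, ack=True)),
        ("ACL 101, icmp from outside", ACL_101, Packet("10.1.1.1", "172.16.3.1", "icmp")),
    ]:
        print(f"{label}: {evaluate(acl, pkt)}")
```

Swap the second and third entries of ACL_101 and the telnet packet is permitted by the broad entry before the deny is ever reached; that is the ordering problem behind the note that statements can only be appended to a list.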
NOTE:
You cannot add ACL statements into the body of the access-list (ONLY at the end of the list). Otherwise the access list must be deleted first and then rewritten.

NOTE:
Wildcard matching is done bit by bit: a 0 bit in the wildcard means the address bit must match, and an x (a 1 bit in the wildcard) means the bit is ignored.

Address 172.16.0.0     10101100.00010000.00000000.00000000
Wildcard 0.0.255.255   00000000.00000000.xxxxxxxx.xxxxxxxx
Match value            10101100.00010000.xxxxxxxx.xxxxxxxx

Address 172.16.0.0     10101100.00010000.00000000.00000000
Wildcard 0.0.255.254   00000000.00000000.xxxxxxxx.xxxxxxx0
Match value            10101100.00010000.xxxxxxxx.xxxxxxx0 (only even host addresses match)
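As an added example (not the module's own material), the Python below renders the three binary rows drawn above for any address and wildcard, checks candidate addresses against them, and derives a wildcard from a prefix length to make the point that a wildcard is the inverse of a subnet mask rather than the mask itself. The address 172.16.0.0 and the two wildcards are read off the figure; the candidate addresses are constructed.

```python
# Added example (not part of the CCNA2 module): renders the three binary rows
# the module draws for a wildcard mask (address, wildcard with x for 'ignore
# this bit', resulting match value) and checks candidate addresses against it.
# The address 172.16.0.0 and the two masks are read off the module's figure;
# the candidate addresses are constructed.
import ipaddress
from typing import Tuple


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_bits(value: int) -> str:
    """32-bit value as four dotted octets of binary digits."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def wildcard_rows(base: str, wildcard: str) -> Tuple[str, str, str]:
    """Address row, wildcard row (1 bits shown as x) and the match value."""
    addr_row = to_bits(to_int(base))
    wc_row = "".join("x" if c == "1" else c for c in to_bits(to_int(wildcard)))
    match_row = "".join("x" if w == "x" else a for a, w in zip(addr_row, wc_row))
    return addr_row, wc_row, match_row


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard cares about (0 bits) equals the base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(addr) ^ to_int(base)) & care) == 0


def wildcard_for_prefix(prefix_len: int) -> str:
    """The wildcard is the bitwise inverse of the subnet mask, not the mask:
    a /24 has mask 255.255.255.0 and wildcard 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


if __name__ == "__main__":
    for wc in ("0.0.255.255", "0.0.255.254"):
        addr_row, wc_row, match_row = wildcard_rows("172.16.0.0", wc)
        print(f"172.16.0.0 {wc}")
        print(f"  address  {addr_row}")
        print(f"  wildcard {wc_row}")
        print(f"  match    {match_row}")
        for cand in ("172.16.4.13", "172.16.4.2", "172.17.0.1"):
            verdict = "match" if matches(cand, "172.16.0.0", wc) else "no match"
            print(f"    {cand:<12} {verdict}")
    print("wildcard for /24:", wildcard_for_prefix(24))
```

With the second mask, 172.16.4.13 does not match (its last bit is 1) while 172.16.4.2 does, which is exactly what the trailing 0 in the match value encodes.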
You can control access via the VTY ports, controlling telnet sessions coming into the router. You write the ACL as usual, but use access-class (instead of ip access-group) to apply it to the VTY lines.
As an example:
[Figure: the established keyword – host A opens a TCP session to B, and B's response back to A is allowed]
As a practical example:
[Figure: router with interfaces e0 and e1; networks 172.16.3.0 (host 172.16.3.13) and 172.16.4.0; INTERNET]
Router(config)# int e1
Router(config-if)# ip access-group 101 in
ACL Rules:
Standard ACL: place the ACL as near the destination as possible (it filters on the source address only, so placed near the source it would cut that source off from every destination).
Extended ACL: put the ACL as close as possible to the source.
Access Lists: Standard, Extended
End of Session