Access-List Numbers

Type                                          Number range
IP Standard                                      1 to 99
IP Extended                                    100 to 199
Ethernet Type Code                             200 to 299
Ethernet Address                               700 to 799
DECnet and Extended DECnet                     300 to 399
XNS                                            400 to 499
Extended XNS                                   500 to 599
Appletalk                                      600 to 699
48-bit MAC Addresses                           700 to 799
IPX Standard                                   800 to 899
IPX Extended                                   900 to 999
IPX SAP (service advertisement protocol)      1000 to 1099
IPX SAP SPX                                   1000 to 1099
Extended 48-bit MAC Addresses                 1100 to 1199
IPX NLSP                                      1200 to 1299
IP Standard, expanded range                   1300 to 1999
IP Extended, expanded range                   2000 to 2699
SS7 (voice)                                   2700 to 2999
Standard Vines                                   1 to 100
Extended Vines                                 101 to 200
Simple Vines                                   201 to 300
Transparent bridging (protocol type)           200 to 299
Transparent bridging (vendor type)             700 to 799
Extended Transparent bridging                 1100 to 1199
Source-route bridging (protocol type)          200 to 299
Source-route bridging (vendor type)            700 to 799

Only the IP ranges matter for this workbook: 1-99 and 1300-1999 are standard IP lists, 100-199 and 2000-2699 are extended IP lists. The router decides the list type from the number, so a standard statement given a number in the 100-199 range is rejected. Named access lists avoid the numbering altogether.
Instructors (and anyone else for that matter) please do not post the Instructors version on public websites.
When you do this you're giving everyone else worldwide the answers. Yes, students look for answers this way.
It also discourages others, myself included, from posting high quality materials.
Standard Access List Placement Problems

[Network diagram: Routers A through F joined by serial (S0, S1) and Ethernet (E0, FA0, FA1, FA2) interfaces, with hosts named Janet, Matt, Juan, Jimmy, Jan, Ricky, Amanda, Lisa, Paul, Linda, Jackie, Melvin, Sarah, Carrol, Jeff, Jim, Jenny and George. The diagram and the handwritten Router Name / Interface answers did not survive extraction; only the question text below is recoverable, and questions 1, 2 and 7 through 11 are missing.]

Sample: Where would you place the standard ACL to deny traffic from Paul to Lisa?

For each question give the Router Name and the Interface.

3. Where would you place a standard access list to deny traffic to Carrols computer from Sarahs computer?
4. Where would you place a standard access list to permit traffic from Rickys computer to reach Jeffs computer?
5. Where would you place a standard access list to deny traffic from Amandas computer from reaching Jeff and Jims computer?
6. Where would you place a standard access list to ... (the rest of the question is cut off in the extraction)
12. Where would you place an ACL to deny traffic from Lindas computer from reaching Jackies computer?

Remember that a standard list tests the source address only. It therefore goes as close to the destination as possible, outbound on the interface that faces the destination host; placed near the source it would also cut that host off from every other network beyond the router.
An extended access list can filter on:
  source address
  destination address
  protocol
  port number
Extended Access List Placement Problems

[Network diagram: Routers A through E joined by serial and Ethernet/FastEthernet interfaces, with hosts named Janet, Matt, Juan, Jimmy, Jan, Paul, Amanda, Linda, Sarah, Jackie, Melvin, Jeff, George, Carrol, Ricky and Jim. The diagram and the handwritten Router Name / Interface answers did not survive extraction.]

For each question give the Router Name and the Interface.

1. Where would you place an ACL to deny traffic from Jeffs computer from reaching Georges computer?
2. Where would you place an extended access list to permit traffic from Jackies computer to reach Lindas computer?
3. Where would you place an extended access list to deny traffic to Carrols computer from Rickys computer?
4. Where would you place an extended access list to deny traffic to Sarahs computer from Jackies computer?
5. Where would you place an extended access list to permit traffic from Carrols computer to reach Jeffs computer?
6. Where would you place an extended access list to deny traffic from Melvins computer from reaching Jeff and Jims computer?
7. Where would you place an extended access list to permit traffic from Georges computer to reach Jeffs computer?
8. Where would you place an extended access list to permit traffic from Jims computer to reach Carrol and Amandas computer?

An extended list matches on both source and destination, so it goes as close to the source as possible, inbound on the interface where the traffic enters the router. That stops unwanted packets before they use bandwidth on the rest of the network.
Choices for Using Wildcard Masks

Wildcard masks are usually set up to do one of four things:
1. Match a specific host.
2. Match an entire subnet.
3. Match a specific range.
4. Match all addresses.

Matching a specific host

For standard access lists:
  Access-List 10 permit 192.168.150.50 0.0.0.0
or
  Access-List 10 permit host 192.168.150.50

For extended access lists:
  Access-list 110 deny ip 192.168.150.50 0.0.0.0 any
or
  Access-list 110 deny ip host 192.168.150.50 any

Matching an entire subnet

Example 1
Address: 192.168.50.0   Subnet Mask: 255.255.255.0
  Access-list 25 deny 192.168.50.0 0.0.0.255

Example 2
Address: 172.16.0.0   Subnet Mask: 255.255.0.0
  Access-list 12 permit 172.16.0.0 0.0.255.255

Example 3
Address: 10.0.0.0   Subnet Mask: 255.0.0.0
  Access-list 125 deny udp 10.0.0.0 0.255.255.255 any

Matching a specific range

Example 1
Address: 10.250.50.112   Subnet Mask: 255.255.255.224
    255.255.255.255
  - 255.255.255.224
  -----------------
  Wildcard:   0.0.0.31
  Access-list 125 permit udp 10.250.50.112 0.0.0.31 any
(IOS clears the wildcard bits of the address when it stores the entry, so the running configuration shows 10.250.50.96 0.0.0.31: the statement matches the whole /27, 10.250.50.96 through 10.250.50.127.)

Example 2
Address Range: 192.168.16.0 to 192.168.16.127
    192.168.16.127
  - 192.168.16.0
  ----------------
  Wildcard:   0.0.0.127
  Access-list 125 deny ip 192.168.16.0 0.0.0.127 any   (This ACL would block the lower half of the subnet.)

Example 3
Address Range: 172.250.16.32 to 172.250.31.63
    172.250.31.63
  - 172.250.16.32
  ----------------
  Wildcard:   0.0.15.31
  Access-list 125 permit ip 172.250.16.32 0.0.15.31 any

Caveat for Example 3: the subtraction shortcut is only exact when the range starts on a block boundary and the wildcard is a run of one bits from the low end (0.0.0.127, 0.0.15.255 and so on). 0.0.15.31 has zero bits between its ones, so this statement matches .32 through .63 in each of the third octets 16 through 31 (512 addresses), not the contiguous range 172.250.16.32 to 172.250.31.63 (3,872 addresses). An address such as 172.250.20.10 lies inside the intended range but is not matched. Covering that range exactly takes several aligned entries (172.250.16.32 0.0.0.31, 172.250.16.64 0.0.0.63, 172.250.16.128 0.0.0.127, 172.250.17.0 0.0.0.255, ... 172.250.31.0 0.0.0.63).

Matching everyone

For standard access lists:
  Access-List 15 permit any
or
  Access-List 15 deny 0.0.0.0 255.255.255.255

For extended access lists:
  Access-List 175 permit ip any any
or
  Access-List 175 deny tcp 0.0.0.0 255.255.255.255 any
Creating Wildcard Masks

As a rule of thumb the wildcard mask is the inverse of the subnet mask: subtract the subnet mask from 255.255.255.255, octet by octet.

Example #1:
  IP Address and subnet mask:    204.100.100.0  255.255.255.0
  IP Address and wildcard mask:  204.100.100.0  0.0.0.255

All zeros (0.0.0.0) means the address must match exactly.

Example #2:
  10.10.150.95 0.0.0.0   (This address must match exactly.)

Do the math:
  255 - 255 = 0
  255 - 224 = 31

(Examples #3 and #4 did not survive extraction.)

Example #5:
  IP Address and subnet mask:    192.170.25.30  255.255.255.224
  IP Address and wildcard mask:  192.170.25.30  0.0.0.31
  (Subtract the subnet mask from 255.255.255.255 to create the wildcard; this is the inverse of the subnet mask. IOS stores the entry as 192.170.25.0 0.0.0.31, the /27 that contains .30.)

  IP Address and subnet mask:    172.24.128.0  255.255.128.0
  IP Address and wildcard mask:  172.24.128.0  0.0.127.255

Problem: Create a wildcard mask to match this host.
  IP Address: 195.190.10.35   Subnet Mask: 255.255.255.0
  Answer: 0.0.0.0 (195.190.10.35 0.0.0.0, or host 195.190.10.35). The subnet mask plays no part when a single host is matched.

[Wildcard Mask Problems, page 17: only the handwritten answers (0.0.0.0, 0.0.255.255, 0.255.255.255, 0.0.0.31, 0.0.0.63, 0.0.0.7) survived extraction; the problem statements are not recoverable.]
Wildcard Mask Problems

Based on the given information, list the usable source addresses or range of usable source addresses that would be permitted or denied for each access list statement. (The workbook counts every address in the matched block, leaving out only a trailing .0 and .255.)

[Problems 1 through 11 and several later items did not survive extraction. The statements and handwritten answers that are legible, with the numbers the key shows where they are readable:]

12. access-list 120 permit ip 192.168.15.0 0.0.0.7 192.168.30.10 0.0.0.0
    Answer: 192.168.15.1 to 192.168.15.7

14. access-list 140 permit ip 192.168.15.0 0.0.0.31 192.168.30.10 0.0.0.0
    Answer: 192.168.15.1 to 192.168.15.31

15. access-list 150 permit ip 192.168.15.0 0.0.0.63 192.168.30.10 0.0.0.0
    Answer: 192.168.15.1 to 192.168.15.63

17. access-list (number illegible) permit ip 192.168.15.0 0.0.0.255 192.168.30.0 0.0.0.255
    Answer: 192.168.15.1 to 192.168.15.254

18. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 gt 22
    Answer: 172.16.0.1 to 172.16.1.254

access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
    Answer: 195.223.50.1 to 195.223.50.63

access-list 171 deny ip any host 175.18.24.10 fragments
    Answer: Any address

access-list 105 permit ip 192.168.15.0 0.0.0.255 any
    Answer: 192.168.15.1 to 192.168.15.254

access-list (number illegible) permit udp 172.30.12.0 0.0.0.127 172.50.10.0 0.0.0.255
    Answer: 172.30.12.1 to 172.30.12.127

access-list (number illegible) permit ip 10.0.0.0 0.255.255.255 172.50.10.0 0.0.0.255
    Answer: 10.0.0.1 to 10.255.255.254

(The copies of lists 171 and 105 on the page omit the protocol keyword; an extended list always needs one, so ip has been supplied. Where the handwritten answer is illegible the range above is computed from the statement using the workbook's convention.)
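The shortcuts on these pages (invert the subnet mask, subtract first from last) are easy to apply by hand, but only the bit pattern of the wildcard says what a statement really matches. The following Python script is an added example, not part of the workbook: it reproduces both shortcuts, computes the block an address/wildcard pair matches and the usable range the problems above ask for, and shows why the Example 3 pair 172.250.16.32 0.0.15.31 does not cover its range. It uses the standard library only, and every address in it comes from the examples above.

```python
"""Wildcard-mask calculator for the examples and problems above (added
illustration, not workbook code). Standard library only."""
from ipaddress import IPv4Address, summarize_address_range

ALL_ONES = 0xFFFFFFFF


def _i(addr: str) -> int:
    return int(IPv4Address(addr))


def _s(value: int) -> str:
    return str(IPv4Address(value))


def wildcard_from_subnet(mask: str) -> str:
    """Rule of thumb from the text: the wildcard is the inverse of the subnet
    mask, i.e. 255.255.255.255 minus the mask octet by octet."""
    return _s(ALL_ONES ^ _i(mask))


def wildcard_for_range(first: str, last: str) -> str:
    """The 'do the math' shortcut: last minus first. Exact only when the
    result is a run of one bits at the low end; see matched_block()."""
    return _s(_i(last) - _i(first))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS semantics: a one bit in the wildcard means 'do not compare'."""
    return (_i(addr) ^ _i(base)) & (ALL_ONES ^ _i(wildcard)) == 0


def matched_block(base: str, wildcard: str):
    """Return (first, last, contiguous) for an address/wildcard pair.

    IOS clears the wildcard bits of the base when it stores the entry, so
    10.250.50.112 0.0.0.31 becomes 10.250.50.96 0.0.0.31 and matches .96
    through .127. contiguous is False when the wildcard has a one bit above
    a zero bit; the pair then matches a scattered set, not all of first..last.
    """
    b, w = _i(base), _i(wildcard)
    first = b & (ALL_ONES ^ w)
    last = first | w
    contiguous = (w & (w + 1)) == 0
    return _s(first), _s(last), contiguous


def usable_range(base: str, wildcard: str):
    """The range the workbook problems ask for: the matched block without a
    trailing .0 (network) or .255 (broadcast) address."""
    first, last, _ = matched_block(base, wildcard)
    f, l = _i(first), _i(last)
    if f & 0xFF == 0:
        f += 1
    if l & 0xFF == 0xFF:
        l -= 1
    return _s(f), _s(l)


def exact_entries(first: str, last: str):
    """Address/wildcard pairs that together match exactly first..last, for
    ranges a single statement cannot express."""
    nets = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


if __name__ == "__main__":
    print(wildcard_from_subnet("255.255.255.224"))            # 0.0.0.31
    print(usable_range("192.168.15.0", "0.0.0.7"))             # problem 12
    wc = wildcard_for_range("172.250.16.32", "172.250.31.63")  # Example 3
    print(wc, matched_block("172.250.16.32", wc))
    print(matches("172.250.20.10", "172.250.16.32", wc))       # in range, not matched
    for base, w in exact_entries("172.250.16.32", "172.250.31.63"):
        print(f"access-list 125 permit ip {base} {w} any")
```

Run it and the last loop prints the ten aligned statements that cover 172.250.16.32 through 172.250.31.63 exactly; matched_block reports contiguous=False for the single 0.0.15.31 pair, which is the check to apply before trusting the subtraction shortcut on any range that does not start on a block boundary.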
Writing Standard Access Lists...

Standard Access List Sample Problems

[Network diagram: Router A with E1 at 192.168.90.2 on the 192.168.90.0 network and E0 at 172.16.70.1 on the 172.16.70.0 network; Jims Computer 192.168.90.36, Kathys Computer 192.168.90.38, Franks Computer 172.16.70.32, Melvins Computer 172.16.70.35; the 210.30.28.0 network is reached through Router A.]

Sample 1 (the problem statement did not survive extraction; key only):
  Router Name: Router A   Interface: E1   Access-list #: 10

  Router(config)# access-list 10 deny 172.16.70.35 0.0.0.0
    or  access-list 10 deny host 172.16.70.35
  Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255
    or  access-list 10 permit any
  Router(config)# interface e1
  Router(config-if)# ip access-group 10 out
  Router(config-if)# exit
  Router(config)# exit

Sample 2: Write a standard access list to block Jims Computer from sending information to Franks Computer; but will allow all other traffic from the 192.168.90.0 network. Permit all traffic from the 210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: E0   Access-list #: 28

  Router(config)# access-list 28 deny 192.168.90.36 0.0.0.0
    or  access-list 28 deny host 192.168.90.36
  Router(config)# access-list 28 permit 192.168.90.0 0.0.0.255
  Router(config)# access-list 28 permit 210.30.28.0 0.0.0.255
  Router(config)# interface e0
  Router(config-if)# ip access-group 28 out
  Router(config-if)# exit
  Router(config)# exit
  Router# copy run start

A standard list tests the source only, so applied outbound on E0 it keeps Jim away from every host on 172.16.70.0, not just Frank; only an extended list can single out the destination. "Deny all other traffic" needs no statement of its own because every access list ends with an implicit deny.

[Viewing information about existing ACLs]
  Router# show access-lists
  Router# show ip interface
  Router# show running-config

[Disabling an ACL]
  Router(config-if)# no ip access-group 28 out

[Removing an ACL]
  Router(config)# no access-list 28
Standard Access List Problems

The problem statements on these pages did not survive extraction. The network diagrams and the legible parts of the handwritten key are summarized below; a blank or "x" marks a digit the key does not show.

Router B diagram: FA0 223.190.32.1, FA1 192.16.32.94, S0; Michael's Computer 172.16.28.36, Debbie's Computer 223.190.32.16, a host at 192.16.32.95.
  Key, list 35:
  Router(config)# access-list 35 deny host 223.190.32.16
    or  access-list 35 deny 223.190.32.16 0.0.0.0
  Router(config)# access-list 35 permit any
    or  access-list 35 permit 0.0.0.0 255.255.255.255
  Router(config-if)# ip access-group 35 (in or out, circled on the key)
  Router(config-if)# exit
  Router(config)# exit

  Key, list 40:
  Router(config)# access-list 40 permit host 223.190.32.16
    or  access-list 40 permit 223.190.32.16 0.0.0.0
    or  access-list 40 permit 0.0.0.0 255.255.255.255
  Router(config)# interface fa0
  Router(config-if)# ip access-group 40 (in or out, circled on the key)
  Router(config-if)# exit
  Router(config)# exit

Router A diagram: E0 204.90.30.124, S1, FA1; Rodney's Computer 10.250.30.36, Carol's Computer 192.168.88.4, Jim's Computer 192.168.88.5, hosts 204.90.30.125 and 204.90.30.126.
  Key, list 45: access-list 45 deny 204.90.30.125 ..., applied on interface FA1 (the rest of the entry is illegible).

Router B / Router C diagram: serial link 212.180.10.5 and 212.180.10.6, hosts 172.30.225.1, 172.30.225.2, 172.30.225.3 and 212.180.10.2.
  Key: access-list 55 permit any, applied with ip access-group 55 on E0; a second list, 60, applied inbound.

Router A / Router C diagram: 198.32.10.25, FA0 192.168.15.172, hosts 192.168.15.3 and 210.140.15.8.
  Key: list 65, applied on FA0 (in or out, circled on the key).

Diagram with 10.250.x.0 networks:
  Key, list 75 (host octets illegible):
  access-list 75 deny host 10.250.1.x
  access-list 75 deny host 10.250.2.x
  access-list 75 deny host 10.250.4.x
  access-list 75 deny 10.250.3.0 0.0.0.255
  access-list 75 permit any
  Router(config)# interface fa0
  Router(config-if)# ip access-group 75 (in or out, circled on the key)
  Router(config-if)# exit
  Router(config)# exit

Writing Extended Access Lists...
Extended Access List Sample Problem #1: Deny/Permit Specific Addresses

[Network diagram: Router A with FA1 at 192.168.90.2 on the 192.168.90.0 network and FA0 at 172.16.70.1 on the 172.16.70.0 network; Mikes Computer 192.168.90.36, Celestes Computer 192.168.90.38, Gails Computer 172.16.70.32, Johns Computer 172.16.70.3x (last digit illegible).]

Write an extended access list to block the 172.16.70.0 network from receiving information from Mikes Computer at 192.168.90.36. Block the lower half of the ip addresses from 192.168.90.0 network from reaching Gails Computer at 172.16.70.32. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: FA1   Access-list #: 110

  Router(config)# access-list 110 deny ip host 192.168.90.36 172.16.70.0 0.0.0.255
  Router(config)# access-list 110 deny ip 192.168.90.0 0.0.0.127 host 172.16.70.32
  Router(config)# access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    or  access-list 110 permit ip any any
  Router(config)# interface fa1
  Router(config-if)# ip access-group 110 in
  Router(config-if)# exit
  Router(config)# exit

(Only the permit statement and the interface commands are legible in the key; the two deny statements are reconstructed from the problem. A host form and an address with wildcard 0.0.0.0 are interchangeable.)

[Viewing information about existing ACLs]
  Router# show access-lists
  Router# show ip interface
[Network diagram: Router A with FA0 (172.20.70.15) on the 172.20.70.0 network and S0; Router B with S1 and FA1 (192.168.122.52) on the 192.168.122.0 network; Cindys Computer 172.20.70.89, Bobs Computer 172.20.70.80, Jays Computer 192.168.122.128, Jackies Computer 192.168.122.129.]

Write an extended access list to prevent Jays computer from receiving information from Cindys computer. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: FA0   Access-list #: 105 (100-199)

  Router(config)# access-list 105 deny ip host 172.20.70.89 host 192.168.122.128
    or  access-list 105 deny ip 172.20.70.89 0.0.0.0 192.168.122.128 0.0.0.0
  Router(config)# access-list 105 permit ip any any
  Router(config)# interface fa0
  Router(config-if)# ip access-group 105 in
  Router(config-if)# exit
  Router(config)# exit
  Router# copy run start

Write an extended access list to block the 172.20.70.0 255.255.255.0 network from receiving information from Jackies Computer at 192.168.122.129. Block the lower half of the ip addresses from 192.168.122.0 network from reaching Cindys Computer at 172.20.70.89. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router B   Interface: FA1   Access-list #: 110 (100-199)

  Router(config)# access-list 110 deny ip host 192.168.122.129 172.20.70.0 0.0.0.255
  Router(config)# access-list 110 deny ip 192.168.122.0 0.0.0.127 172.20.70.89 0.0.0.0
  Router(config)# access-list 110 permit ip any any
  Router(config)# interface fa1
  Router(config-if)# ip access-group 110 in
  Router(config-if)# exit
  Router(config)# exit
  Router# copy run start

(The key's addresses are partly illegible: Jays Computer is taken as 192.168.122.128 from the diagram, and the interface and direction of the second list follow the close-to-the-source rule because the circled answer is not readable.)
[Network diagram: Router A with E0 at 218.35.50.1; Router B with FA1 at 172.59.2.1; Juans Computer 218.35.50.12, Jans Computer 218.35.50.10, Rachaels Computer 172.59.2.18, Rebeccas Computer 172.59.2.15.]

Write a named extended access list called Lab_166 to permit Jans Computer at 218.35.50.10 to receive packets from Rachaels Computer at 172.59.2.18; but not Rebeccas Computer at 172.59.2.15. Deny all other packets. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router B   Interface: FA1   Access-list name: Lab_166

  Router(config)# ip access-list extended Lab_166
  Router(config-ext-nacl)# permit ip host 172.59.2.18 host 218.35.50.10
  Router(config-ext-nacl)# deny ip host 172.59.2.15 host 218.35.50.10
  Router(config-ext-nacl)# interface fa1
  Router(config-if)# ip access-group Lab_166 in
  Router(config-if)# exit
  Router(config)# exit

(The key's statements are illegible; these are reconstructed from the problem. The explicit deny is optional, since the implicit deny at the end of the list already drops Rebeccas packets and everything else.)
Extended Access List Sample Problem #4: Deny/Permit Specific Addresses

(Same diagram as above: Router A E0 218.35.50.1, Router B; Juans Computer 218.35.50.12, Rebeccas Computer 172.59.2.15, Rachaels Computer 172.59.2.18.)

Write an extended access list to allow Juans Computer at 218.35.50.12 to send information to Rebeccas Computer at 172.59.2.15; but not Rachaels Computer at 172.59.2.18. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router B   Interface: E1   Access-list #: 120

  Router# configure terminal
  Router(config)# access-list 120 deny ip host 218.35.50.12 host 172.59.2.18
    or  access-list 120 deny ip 218.35.50.12 0.0.0.0 172.59.2.18 0.0.0.0
  Router(config)# access-list 120 permit ip any any
  Router(config)# interface e1
  Router(config-if)# ip access-group 120 (in or out, circled on the key)
  Router(config-if)# exit
  Router(config)# exit

(Letting Juan reach Rebecca needs no statement of its own once all other traffic is permitted.)

Deny/Permit Entire Ranges

[Network diagram: Router A and Router B; Ralphs Computer, Bobs Computer 192.18.50.11 and Barbras Computer 192.18.50.12 on the 192.18.50.0 network; the 192.16.20.0 network on the other side.]

Write an extended access list to block the 192.18.50.0 network from receiving information from the 192.16.20.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Interface: E0   Access-list #: 188   (router name illegible in the key)

  access-list 188 deny ip 192.16.20.0 0.0.0.255 192.18.50.0 0.0.0.255
  access-list 188 permit ip any any
  Router(config-if)# ip access-group 188 out
  (statements reconstructed from the problem; the key shows the number, the interface and "188 out")

Write an extended access list to permit the 192.16.20.0 network to receive packets from the 192.18.50.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

  Access-list #: 111 (from the key; placement illegible)
  access-list 111 permit ip 192.18.50.0 0.0.0.255 192.16.20.0 0.0.0.255
  (the implicit deny handles "Deny all other traffic")

[Viewing information about existing ACLs]
  Router# show access-lists
[Disabling ACLs]
  Router(config-if)# no ip access-group 188 out
[Removing an ACL]
  Router(config)# no access-list 188
[Network diagram: Router A with FA0 on the 204.95.150.0 network (host 204.95.150.11) and FA1 at 172.59.2.1; Rachels Computer 204.95.150.10, a host at 204.95.150.12, Davids Computer 172.59.2.18; Router B; a 210.250.10.0 network.]

Write an extended access list to permit network 204.95.150.0 to send packets to network 172.59.0.0, but not the 210.250.10.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Access-list #: 125 (100-199)   (router and interface illegible in the key)

  access-list 125 deny ip 204.95.150.0 0.0.0.255 210.250.10.0 0.0.0.255
  access-list 125 permit ip any any
  (reconstructed from the problem; the final permit already covers 204.95.150.0 to 172.59.0.0, so no separate permit is needed)

Write an extended access list to allow Rachels Computer at 204.95.150.10 to receive information from the 172.59.0.0 network. Deny all other hosts on the 204.95.150.0 network access from the 172.59.2.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router B   Interface: FA1   Access-list #: 130 (100-199)

  Router# configure terminal
  Router(config)# access-list 130 permit ip 172.59.0.0 0.0.255.255 204.95.150.10 0.0.0.0
  Router(config)# access-list 130 deny ip 172.59.0.0 0.0.255.255 204.95.150.0 0.0.0.255
  Router(config)# access-list 130 permit ip any any
  Router(config)# interface fa1
  Router(config-if)# ip access-group 130 (in or out, circled on the key)
  Router(config-if)# exit
  Router(config)# exit
  Router# copy run start

(The key writes the deny with the whole 172.59.0.0 0.0.255.255 block; 172.59.2.0 0.0.0.255 would follow the problem text more narrowly. Order matters: the host permit has to precede the network deny, otherwise Rachels packets match the deny first.)
[Network diagram: Router A with E0 and E1 (192.168.50.2); Router B; Phylliss Computer 172.120.170.45; Tims Computer 192.168.50.3, Denises Computer 192.168.50.4; the 210.168.70.0 and 10.250.1.0 networks.]

Write a named extended access list called Godzilla to prevent the 172.120.0.0 network from sending information to the 210.168.70.0 and 10.250.1.0 255.255.255.0 networks; but will permit traffic to the 192.168.50.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: E0   Access-list name: Godzilla

  Router(config)# ip access-list extended Godzilla
  Router(config-ext-nacl)# deny ip 172.120.0.0 0.0.255.255 210.168.70.0 0.0.0.255
  Router(config-ext-nacl)# deny ip 172.120.0.0 0.0.255.255 10.250.1.0 0.0.0.255
  Router(config-ext-nacl)# permit ip any any
  Router(config-ext-nacl)# interface e0
  Router(config-if)# ip access-group Godzilla out (in or out, circled on the key)
  Router(config-if)# exit
  Router(config)# exit

(The key shows deny ip, permit ip, the interface and the access-group line; the addresses are reconstructed. 172.120.0.0 takes its default class B mask, wildcard 0.0.255.255.)

Assuming default subnet masks write an extended access list to permit Tim at 192.168.50.3 to receive data from the 172.120.0.0 network. Allow the 192.168.50.0 network to receive information from Phylliss Computer at 172.120.170.45. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: E0   Access-list #: 140 (100-199)

  Router(config)# access-list 140 permit ip 172.120.0.0 0.0.255.255 host 192.168.50.3
  Router(config)# access-list 140 permit ip host 172.120.170.45 192.168.50.0 0.0.0.255
  Router(config)# interface e0
  Router(config-if)# ip access-group 140 (direction illegible in the key)
  (reconstructed; the implicit deny covers "Deny all other traffic")
Extended Access List Sample Problem: Deny/Permit a Range of Addresses

[Network diagram: Router A with FA0 (192.168.15.20) and E1 (172.21.50.95); hosts 192.168.15.43 and 192.168.15.44; Carols Computer 172.21.50.96, Franks Computer 172.21.50.97.]

Write an extended access list which will allow the lower half of 192.168.15.0 network access to the 172.21.50.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: FA0   Access-list #: 121

  Router# configure terminal
  Router(config)# access-list 121 permit ip 192.168.15.0 0.0.0.127 172.21.50.0 0.0.0.255
  Router(config)# access-list 121 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    or  access-list 121 deny ip any any
  Router(config)# interface fa0
  Router(config-if)# ip access-group 121 in
  Router(config-if)# exit
  Router(config)# exit

(The explicit deny is optional; the implicit deny does the same, but an explicit entry lets show access-lists count the packets it drops.)

Write an extended access list to deny the first 15 usable addresses of the 192.168.15.0 network from reaching the 172.21.0.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

  Key (statements illegible; reconstructed, number taken from the show command below):
  access-list 185 deny ip 192.168.15.0 0.0.0.15 172.21.0.0 0.0.255.255
  access-list 185 permit ip any any
  (192.168.15.1 through .15, together with the unusable .0, form the block 192.168.15.0 0.0.0.15)

  Router# show access-list 185   (This will show detailed information about this ACL)

[Network diagram: Router A with E1 at 192.168.125.254; Mikes Computer 192.168.125.17, Celestes Computer 192.168.125.108; Gails Computer 192.168.195.88, hosts 192.168.195.90 and 192.168.195.145.]

Write an extended access list to prevent the first 31 usable addresses in the 192.168.125.0 network from reaching the 192.168.195.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

  Key (reconstructed; list number illegible, shown as N):
  access-list N deny ip 192.168.125.0 0.0.0.31 192.168.195.0 0.0.0.255
  access-list N permit ip any any

[Disabling ACLs]
  Router(config-if)# no ip access-group 121 in
[Removing an ACL]
  Router(config)# no access-list 121
Write a named extended access list called Media_Center to permit the range of addresses from 172.31.195.1 through 172.31.195.7 to send data to the 192.168.125.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: S0   Access-list name: Media_Center

  Router(config)# ip access-list extended Media_Center
  Router(config-ext-nacl)# permit ip 172.31.195.0 0.0.0.7 192.168.125.0 0.0.0.255
  Router(config-ext-nacl)# interface s0
  Router(config-if)# ip access-group Media_Center in
  Router(config-if)# exit
  Router(config)# exit
  (reconstructed; .1 through .7 plus the unused .0 form the block 172.31.195.0 0.0.0.7, and the implicit deny drops everything else)

[Network diagram: Router A with FA0 (192.16.20.5) on the 192.16.20.0 network; Router C (172.18.50.10) on the 172.18.50.0 network; Ralph's Computer 192.16.20.6, Cindys Computer 192.16.20.7; Brads Computer 172.22.75.8, Bobs Computer 172.22.75.9, a host at 172.22.75.10; hosts 172.18.50.11 and 172.18.50.12.]

Write an extended access list to permit the first 3 usable addresses in the 192.16.20.0 network to reach the 172.22.75.0 network. Deny the addresses from 192.16.20.4 through 192.16.20.31 from reaching the 172.22.75.0 network. Permit all other traffic. Keep in mind that there are multiple ways this ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: FA0   Access-list #: 155 (100-199)

  Router(config)# access-list 155 permit ip 192.16.20.0 0.0.0.3 172.22.75.0 0.0.0.255
  Router(config)# access-list 155 deny ip 192.16.20.0 0.0.0.31 172.22.75.0 0.0.0.255
  Router(config)# access-list 155 permit ip any any
  Router(config)# interface fa0
  Router(config-if)# ip access-group 155 in
  Router(config-if)# exit
  Router(config)# exit

(The key shows the interface and access-group commands; the statements are reconstructed. The deny can also be written as three aligned blocks, 192.16.20.4 0.0.0.3, 192.16.20.8 0.0.0.7 and 192.16.20.16 0.0.0.15; the single 0.0.0.31 entry works only because the permit for .1 through .3 comes first.)
Write an extended access list to deny the addresses from 172.22.75.8 through 172.22.75.127 from sending data to the 172.18.50.0 network. Deny the first half of the addresses from the 172.22.75.0 network from reaching the 192.16.20.0 network. Permit all other traffic. Keep in mind that there are multiple ways this ACL can be written.

Place the access list at:
  Router Name: Router B   Interface: E1   Access-list #: 160 (100-199)

  access-list 160 deny ip 172.22.75.8 0.0.0.7 172.18.50.0 0.0.0.255
  access-list 160 deny ip 172.22.75.16 0.0.0.15 172.18.50.0 0.0.0.255
  access-list 160 deny ip 172.22.75.32 0.0.0.31 172.18.50.0 0.0.0.255
  access-list 160 deny ip 172.22.75.64 0.0.0.63 172.18.50.0 0.0.0.255
  access-list 160 deny ip 172.22.75.0 0.0.0.127 192.16.20.0 0.0.0.255
  access-list 160 permit ip any any
  (reconstructed; .8 through .127 is not one aligned block, so it takes four entries)

[Network diagram: Router A with FA0 (172.16.70.1) and S0; Router B with FA0 and FA1 (192.168.88.1); Celestes Computer, Bobs Computer 172.16.70.15, a host at 172.16.70.145; Peggy's Computer 192.168.88.200, Denises Computer 192.168.88.204; the 10.250.1.0 and 10.250.4.0 networks.]

Write an extended access list to permit the first 63 usable addresses in the 192.168.88.0 network to reach the lower half of the addresses in the 172.16.70.0 network; but not the upper half. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router B   Interface: FA1   Access-list #: 165 (100-199)

  Router(config)# access-list 165 permit ip 192.168.88.0 0.0.0.63 172.16.70.0 0.0.0.127
  Router(config)# interface fa1
  Router(config-if)# ip access-group 165 in
  Router(config-if)# exit
  Router(config)# exit
  (reconstructed; the implicit deny blocks the upper half of 172.16.70.0 and everything else)
Write an extended access list to deny the addresses from 10.250.1.0 through 10.250.1.63 from sending data to Denises Computer. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: FA1   Access-list #: 170 (100-199)

  access-list 170 deny ip 10.250.1.0 0.0.0.63 host 192.168.88.204
  access-list 170 permit ip any any
  (reconstructed; Denises Computer is 192.168.88.204 on the diagram)

Deny/Permit Port Numbers

[Network diagram: Router A with E0 and FA1; host 192.168.207.26 and web server 192.168.207.27 on the 192.168.207.0 network; host 210.128.50.12 on the 210.128.50.0 network.]

Write an extended access list to deny HTTP traffic intended for web server 192.168.207.27, but will permit all other HTTP traffic to reach the 192.168.207.0 network. Deny all other IP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: E0   Access-list #: 134

  Router# configure terminal
  Router(config)# access-list 134 deny tcp any 192.168.207.27 0.0.0.0 eq www
    or  access-list 134 deny tcp any host 192.168.207.27 eq 80
  Router(config)# access-list 134 permit tcp any 192.168.207.0 0.0.0.255 eq www
  Router(config)# interface e0
  Router(config-if)# ip access-group 134 (in or out, circled on the key)
  Router(config-if)# exit
  Router(config)# exit

(The deny for the single server must come before the permit for the network; reversed, the permit would match first and the server would be reachable. The implicit deny handles "Deny all other IP traffic".)

Write an extended access list to permit pings in either direction between hosts on the 210.128.50.0 and 192.168.207.0 networks. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

  Key (reconstructed; number and placement illegible, number shown as N):
  access-list N permit icmp 210.128.50.0 0.0.0.255 192.168.207.0 0.0.0.255
  access-list N permit icmp 192.168.207.0 0.0.0.255 210.128.50.0 0.0.0.255
  (The echo and echo-reply keywords narrow the entries to ping alone. A list is applied per direction, so "either direction" means applying it both in and out on the interface, or splitting the two statements between the two directions.)

[Viewing information about existing ACLs]
  Router# show access-list 98   (This will show detailed information about this ACL)
  Router# show ip interface     (This will show which access groups are associated with an interface)

[Disabling ACLs]
  Router# configure terminal
  Router(config)# interface e0
  Router(config-if)# no ip access-group 155 out
  Router(config-if)# exit

[Removing an ACL]
  Router(config)# no access-list 155
  Router(config)# exit
[Network diagram: Router A with E0 (192.168.33.1) and an interface at 172.20.70.1; Router B; Peggys, Bobs, Celestes and Denises Computers; hosts 192.30.76.14, 192.30.76.15, 192.168.33.21 and 192.168.33.214; the 10.250.4.0 and 172.16.16.0 networks.]

Write an extended access list to deny FTP to ip addresses 192.30.76.0 through 192.30.76.13. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: E0   Access-list #: 155

  access-list 155 deny tcp any 192.30.76.0 0.0.0.7 eq ftp
  access-list 155 deny tcp any 192.30.76.8 0.0.0.3 eq ftp
  access-list 155 deny tcp any 192.30.76.12 0.0.0.1 eq ftp
  access-list 155 permit ip any any
  Router(config)# interface e0
  Router(config-if)# ip access-group 155 out
  Router(config-if)# exit
  Router(config)# exit

(Reconstructed; .0 through .13 needs three aligned blocks. eq ftp is TCP port 21, the control connection. Active-mode FTP moves data on a second connection from the server's port 20 (ftp-data), which these entries do not cover; add matching ftp-data entries if that is to be blocked as well.)
Deny/Permit Telnet

(The problem statement for list 45 did not survive extraction; legible key fragments:)
  access-list 45 permit host 192.30.76.155
  Router(config)# interface ...
  Router(config-if)# ip access-group 45 in
  Router(config-if)# exit
  Router(config)# exit
  Router# show ip interface   (This will show which access groups are associated with an interface)

[Network diagram: Router B with FA0, FA1 (192.128.45.8) and E0 (172.16.70.1); an interface at 172.16.125.1; Jackies Computer, Bills Computer 192.128.45.33, Jennifers Computer 192.128.45.35; the 10.250.8.0 network.]

Write an extended access list to permit ICMP traffic from the 192.128.45.0 network to reach the 172.16.125.0 255.255.255.0 and 10.250.2.0 255.255.255.0 networks. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Access-list #: 175 (100-199)   (router and interface illegible in the key)

  access-list 175 permit icmp 192.128.45.0 0.0.0.255 172.16.125.0 0.0.0.255
  access-list 175 permit icmp 192.128.45.0 0.0.0.255 10.250.2.0 0.0.0.255
  (reconstructed; the implicit deny drops the rest)

Write a named extended access list called Peggys_Lab to deny telnet from 10.250.8.0 through 10.250.8.127 from reaching the 192.128.45.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

  Router(config)# ip access-list extended Peggys_Lab
  Router(config-ext-nacl)# deny tcp 10.250.8.0 0.0.0.127 192.128.45.0 0.0.0.255 eq telnet
  Router(config-ext-nacl)# permit ip any any
  (reconstructed; eq telnet is TCP port 23, and 10.250.8.0 through .127 is the single aligned block 10.250.8.0 0.0.0.127)
[Network diagram: Router A with an interface at 203.194.100.1; Web Server #1 and Web Server #2 at 203.194.100.101 and 203.194.100.102 on the 203.194.100.0 network; Router B at 172.60.18.1 with a host at 172.60.18.142.]

Write an extended access list to deny all HTTP traffic intended for the web server at 203.194.100.102. Permit HTTP traffic to any other web servers. Deny all other IP traffic to the 203.194.100.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

  Key (reconstructed; number and placement illegible, number shown as N):
  access-list N deny tcp any host 203.194.100.102 eq www
  access-list N permit tcp any any eq www
  access-list N deny ip any 203.194.100.0 0.0.0.255
  access-list N permit ip any any
  (The last permit keeps traffic to other networks flowing; leave it out and the implicit deny drops everything that is not HTTP.)
[Network diagram: Router A and Router B; Router B E0 on the 192.168.15.0 network with Bobbies Computer 192.168.15.25 and hosts 192.168.15.82 and 192.168.15.125; the 192.172.10.0 network; E1 at 172.23.50.1 with Web Server #2 172.23.50.196, a host at 172.23.50.195 and Gails Computer 172.23.50.197.]

Write an access list to permit TFTP traffic to all hosts on the 192.168.15.0 network. Deny all other TFTP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
  Router Name: Router A   Interface: E0   Access-list #: 190 (100-199)

  Router(config)# access-list 190 permit udp any 192.168.15.0 0.0.0.255 eq tftp
  Router(config)# access-list 190 deny udp any any eq tftp
  Router(config)# access-list 190 permit ip any any
  Router(config)# interface e0
  Router(config-if)# ip access-group 190 (direction illegible in the key)
  Router(config-if)# exit
  Router(config)# exit

(Reconstructed; TFTP is UDP port 69. The final permit is needed because only TFTP is to be denied; without it the implicit deny would drop all other traffic too. A TFTP server answers from a freshly chosen UDP port, so these entries cover the client's initial request only.)

Extended Access List Problem

Write an extended access list that permits web traffic from web server #2 at 172.23.50.196 to reach everyone on the 192.168.15.0 network. Deny all other IP traffic going to the 192.172.10.0 and 192.168.15.0 networks. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

  Key (reconstructed; number and placement illegible, number shown as N):
  access-list N permit tcp host 172.23.50.196 eq www 192.168.15.0 0.0.0.255
  access-list N deny ip any 192.172.10.0 0.0.0.255
  access-list N deny ip any 192.168.15.0 0.0.0.255
  access-list N permit ip any any
  (Web traffic from the server is its replies, so the port test belongs to the source: eq www follows the source address. The established keyword is the usual way to admit only replies to connections the clients opened.)
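To see first-match evaluation, the implicit deny and the effect of statement order on the lists in this section, here is an added Python example (not workbook code and not Cisco software) that parses the workbook's numbered statements and evaluates constructed packets against list 28 from the Writing Standard Access Lists sample and list 134 from the web-server problem earlier in this section. The packet addresses and ports are made up for the demonstration; the evaluator supports host/any/wildcard addresses, the ip/tcp/udp/icmp keywords and eq port tests only.

```python
"""IOS-style access-list evaluator for the workbook's exercises (added
illustration, not workbook or Cisco code). First match wins; no match means
the implicit deny. Supports host/any/wildcard addresses, ip/tcp/udp/icmp and
'eq' port tests; gt/lt/range/established are not handled."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# IOS port keywords accepted after 'eq' (subset)
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23,
              "tftp": 69, "smtp": 25, "domain": 53, "pop3": 110}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # an 'ip' entry matches every protocol
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str         # 'permit' or 'deny'
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int]
    dport: Optional[int]


def _addr_spec(tokens: List[str], bare_ok: bool = False) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'. Standard lists
    also accept a lone address, which means wildcard 0.0.0.0."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if bare_ok and not tokens:
        return t, "0.0.0.0"
    return t, tokens.pop(0)


def _port_spec(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>'; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line, standard or extended."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        # standard list: source address only, no protocol, no ports
        src, src_wc = _addr_spec(rest, bare_ok=True)
        return Entry(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255", None, None)
    proto = rest.pop(0)
    src, src_wc = _addr_spec(rest)
    sport = _port_spec(rest)
    dst, dst_wc = _addr_spec(rest)
    dport = _port_spec(rest)
    return Entry(action, proto, src, src_wc, dst, dst_wc, sport, dport)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A one bit in the wildcard means that bit of the address is not compared."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc) or not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[str], p: Packet) -> str:
    """'permit' or 'deny': the first matching entry decides; a packet that
    matches nothing hits the implicit deny at the end of every list."""
    for line in acl:
        e = parse_entry(line)
        if entry_matches(e, p):
            return e.action
    return "deny"


# List 28 from the standard sample, applied outbound on Router A E0 (the
# 172.16.70.0 side). Jim 192.168.90.36, Kathy .38, Frank 172.16.70.32, Melvin .35.
ACL_28 = [
    "access-list 28 deny host 192.168.90.36",
    "access-list 28 permit 192.168.90.0 0.0.0.255",
    "access-list 28 permit 210.30.28.0 0.0.0.255",
]

# List 134 from the web-server problem: block HTTP to 192.168.207.27, allow
# HTTP to the rest of 192.168.207.0, implicit deny for everything else.
ACL_134 = [
    "access-list 134 deny tcp any host 192.168.207.27 eq www",
    "access-list 134 permit tcp any 192.168.207.0 0.0.0.255 eq www",
]

if __name__ == "__main__":
    samples = [  # constructed packets, not from the workbook
        ("Jim -> Frank", ACL_28, Packet("192.168.90.36", "172.16.70.32")),
        ("Jim -> Melvin", ACL_28, Packet("192.168.90.36", "172.16.70.35")),
        ("Kathy -> Frank", ACL_28, Packet("192.168.90.38", "172.16.70.32")),
        ("HTTP to .27", ACL_134, Packet("10.1.1.1", "192.168.207.27", "tcp", 40000, 80)),
        ("HTTP to .30", ACL_134, Packet("10.1.1.1", "192.168.207.30", "tcp", 40000, 80)),
        ("SSH to .30", ACL_134, Packet("10.1.1.1", "192.168.207.30", "tcp", 40000, 22)),
    ]
    for label, acl, pkt in samples:
        print(f"{label:14} {evaluate(acl, pkt)}")
```

The "Jim -> Melvin" case shows the collateral effect of a standard list: it denies Jim's packets to every host behind E0, not only Frank's. Evaluating ACL_134 with its two statements reversed returns permit for HTTP to .27, which is the ordering mistake the Deny/Permit Port Numbers problems are meant to surface.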
Optional ACL Commands & Other Network Security Ideas

In order to reduce the chance of spoofing from outside your network, consider adding the following commands to the router alongside your network's inbound access list. They are interface and global configuration commands, not access-list statements:

  Router(config-if)# no ip directed-broadcast   (on each interface: refuses to forward directed broadcasts, the amplifier used by smurf-style floods; the default since IOS 12.0)
  Router(config)# no ip source-route             (drops packets carrying the source-route IP option, which lets an attacker steer spoofed packets past normal routing)
  Router(config-if)# fair-queue                  (weighted fair queuing on the interface, so one flooding flow cannot starve the others)
  Router(config)# scheduler interval 500         (lets the router run process-level tasks at least every 500 ms during a packet flood)

The inbound list itself should also deny packets arriving from outside whose source address belongs to your own networks or to private (RFC 1918) space, since such packets can only be spoofed.
Index / Table of Contents

Access-List Numbers ............................................... Inside Cover
What are Access Control Lists? .................................... 1
General Access Lists Information .................................. 1
How routers use Access Lists ...................................... 1
Standard Access Lists ............................................. 2
Why Standard ACLs must be placed close to the destination ......... 2
Standard Access List Placement Sample Problems .................... 3
Standard Access List Placement Problems ........................... 4-5
Extended Access Lists ............................................. 6
Why Extended ACLs must be placed close to the source .............. 6
Extended Access List Placement Sample Problems .................... 7
Extended Access List Placement Problems ........................... 8-9
Choosing to Filter Incoming or Outgoing Packets ................... 10
Breakdown of a Standard ACL Statement ............................. 10
Breakdown of an Extended ACL Statement ............................ 11
What are Named Access Control Lists ............................... 12
Named Access Lists Information .................................... 12
Applying a Standard Named Access List called George ............... 12
Applying an Extended Named Access List called Gracie .............. 13
Choices for Using Wildcard Masks .................................. 14-15
Creating Wildcard Masks ........................................... 16
Wildcard Mask Problems ............................................ 18-20
Writing Standard Access Lists ..................................... 21-32
Writing Extended Access Lists ..................................... 33-63
  Deny/Permit Specific Addresses .................................. 33-39
  Deny/Permit Entire Ranges ....................................... 40-45
  Deny/Permit a Range of Addresses ................................ 46-53
  Deny/Permit Port Numbers ........................................ 54-63
Optional ACL Commands ............................................. 64
Index / Table of Contents ......................................... 65
Port Numbers ...................................................... 66-Inside Cover

(The extracted contents line read "Why Extended ACLs must be placed close to the destination"; extended lists go close to the source, as the placement pages say.)

Port Numbers

Port numbers are assigned by IANA (the Internet Assigned Numbers Authority, which operates under ICANN). Commonly used TCP and UDP applications are assigned a port number, such as HTTP 80, POP3 110 and FTP 21 (the control connection; 20 is FTP-DATA). When an application communicates with another application on another node on the internet, it specifies that application in each data transmission by using its port number. In an access list you can also type the name (e.g. telnet) instead of the port number (e.g. 23). Port numbers range from 0 to 65535 and are divided into three ranges:

  Well Known Ports                   0 to 1,023
  Registered Ports               1,024 to 49,151
  Dynamic and/or Private Ports  49,152 to 65,535

Below is a short list of some commonly used ports. For a complete list of port numbers go to http://www.iana.org/assignments/port-numbers.

Note that IOS has its own keywords for the ports it knows, and they do not always match the IANA names: eq www (80), eq domain (53), eq ftp (21), eq ftp-data (20), eq telnet (23), eq tftp (69), eq smtp (25), eq pop3 (110), eq snmp (161). A plain number is always accepted.

Some commonly used port numbers:
  0   Reserved
  1   TCPMUX
  5   RJE
  7   ECHO
  9   DISCARD
 11   SYSTAT          (Active users)
 13   DAYTIME
 17   QUOTE           (Quote of the day)
 18   MSP
 19   CHARGEN         (Character generator)
 20   FTP-DATA
 21   FTP
 22   SSH
 23   Telnet          (Terminal connection)
 25   SMTP
 29   MSG ICP
 37   TIME
 39   RLP
 42   NAMESERV        (Host Name Server)
 43   NICNAME         (Who Is)
 49   LOGIN           (Login Host Protocol)
 53   DNS             (Domain Name Server)
 67   BOOTPS          (Bootstrap Protocol Server)
 68   BOOTPC          (Bootstrap Protocol Client)
 69   TFTP            (Trivial File Transfer Protocol)
 70   GOPHER          (Gopher Services)
 75                   (Any private dial-out service)
 79   FINGER
 80   HTTP            (Hypertext Transfer Protocol)
 95   SUPDUP          (SUPDUP Protocol)
101   HOSTNAME        (NIC Host Name Server)
108   SNAGAS          (SNA Gateway Access Server)
109   POP2            (Post Office Protocol - Version 2)
110   POP3            (Post Office Protocol - Version 3)
113   AUTH            (Authentication Service)
115   SFTP            (Simple File Transfer Protocol)
117   UUCP-PATH       (UUCP Path Service)
118   SQLSERV         (SQL Services)
119   NNTP            (Newsgroup)
123   NTP             (Network Time Protocol)
137   NetBIOS-NS      (NetBIOS Name Service)
139   NetBIOS-SSN     (NetBIOS Session Service)
143   IMAP            (Internet Message Access Protocol)
150   SQL-NET
156   SQLSRV          (SQL Service)
161   SNMP            (Simple Network Management Protocol)
179   BGP             (Border Gateway Protocol)
190   GACP            (Gateway Access Control Protocol)
194   IRC             (Internet Relay Chat)
197   DLS             (Directory Location Service)
389   LDAP            (Lightweight Directory Access Protocol)
396   NETWARE-IP      (Novell Netware over IP)
443   HTTPS           (HTTP over TLS/SSL)
444   SNPP            (Simple Network Paging Protocol)
445   Microsoft-DS
458   Apple QuickTime
546   DHCPv6 Client
547   DHCPv6 Server
563   SNEWS           (NNTP over TLS/SSL)
569   MSN

(The extracted table had its numbers shifted by one row against the names; the pairs above follow the IANA registry. 546 and 547 are the DHCPv6 client and server ports; DHCP for IPv4 uses the BOOTP ports 67 and 68.)