
Access-List Numbers

  Type of access list                        Number range
  IP Standard                                   1 to 99
  IP Extended                                 100 to 199
  Ethernet Type Code                          200 to 299
  Ethernet Address                            700 to 799
  DECnet and Extended DECnet                  300 to 399
  XNS                                         400 to 499
  Extended XNS                                500 to 599
  AppleTalk                                   600 to 699
  48-bit MAC Addresses                        700 to 799
  IPX Standard                                800 to 899
  IPX Extended                                900 to 999
  IPX SAP (Service Advertisement Protocol)   1000 to 1099
  IPX SAP SPX                                1000 to 1099
  Extended 48-bit MAC Addresses              1100 to 1199
  IPX NLSP                                   1200 to 1299
  IP Standard, expanded range                1300 to 1999
  IP Extended, expanded range                2000 to 2699
  SS7 (voice)                                2700 to 2999
  Standard Vines                                1 to 100
  Extended Vines                              101 to 200
  Simple Vines                                201 to 300
  Transparent bridging (protocol type)        200 to 299
  Transparent bridging (vendor type)          700 to 799
  Extended Transparent bridging              1100 to 1199
  Source-route bridging (protocol type)       200 to 299
  Source-route bridging (vendor type)         700 to 799

What are Access Control Lists?

ACLs...
...are a sequential list of instructions that tell a router which packets to permit or deny.

General Access Lists Information

Access Lists...
...are read sequentially, from the top down.
...stop comparing as soon as the packet matches a statement, and permit or deny the packet according to that statement. Later statements are never consulted for that packet.
...should be written so that the statements matching the most abundant traffic come first; this keeps the number of comparisons per packet low. Order also decides behaviour: a permit any placed before a deny makes that deny unreachable.
...must be configured and applied before the router will deny any packets; with no ACL, all routable traffic is forwarded.
...can be written for all supported routed protocols, but a router accepts only one ACL per routed protocol, per interface, per direction (inbound or outbound).
...must be applied to an interface to take effect. An ACL that is defined but not applied filters nothing.

How routers use Access Lists

(Outbound Port - Default)

The router checks to see if the packet is routable. If it is, it looks up the destination in its routing table to find the outbound interface.
The router then checks for an ACL on that outbound interface.
If there is no ACL, the router switches the packet out that interface toward its destination.
If there is an ACL, the router checks the packet against the access list statements sequentially, and permits or denies the packet as soon as one statement matches.
If the packet does not match any statement written in the ACL, it is denied, because there is an implicit deny any statement at the end of every ACL.

Produced by: Robb Jones (jonesr@careertech.net)
Frederick County Career & Technology Center
Cisco Networking Academy
Frederick County Public Schools
Frederick, Maryland, USA

Special Thanks to Melvin Baker and Jim Dorsch for taking the time to check this workbook for errors.

Instructors (and anyone else for that matter), please do not post the Instructors version on public websites. When you do this you're giving everyone else worldwide the answers. Yes, students look for answers this way. It also discourages others, myself included, from posting high quality materials.

Standard Access Lists

Standard Access Lists...
...are numbered from 1 to 99 (and 1300 to 1999 in the expanded range).
...filter (permit or deny) on the source address only.
...carry no destination information, so they must be placed as close to the destination as possible. Placed near the source, they block that source from reaching every destination beyond the interface, not just the one you intended.
...work at layer 3 of the OSI model.

Why standard ACLs are placed close to the destination.

If you want to block traffic from Juan's computer from reaching Janet's computer with a standard access list, you would place the ACL close to the destination on Router D, interface E0. Since it uses only the source address to permit or deny packets, the ACL here will not affect packets reaching Routers B or C.

[Network diagram: Routers A, B, C and D connected by serial links (S0/S1), each with an Ethernet interface E0 toward a LAN. Juan's computer is behind Router A and Janet's computer behind Router D; Matt's and Jimmy's computers are on the other LANs.]

If you place the ACL on Router A to block traffic to Router D, it will also block all packets going to Routers B and C, because all the packets will have the same source address.

Standard Access List Placement

Sample Problems

[Network diagram: Routers A through F joined by serial links (S0/S1), each with Ethernet (E0/E1) or FastEthernet (FA0/FA1/FA2) LAN interfaces, with the named computers (Juan, Jan, Lisa, Paul, Linda, Jackie, Melvin, Sarah, Ricky, Amanda, Carrol, Jeff, Jim, George, Jenny) attached. The drawing did not survive extraction; the answers shown are those printed in the key.]

In order to permit packets from Juan's Computer to arrive at Jan's Computer you would place the standard access list at router interface: Router D, S1.

Lisa has been sending unnecessary information to Paul. Where would you place the standard ACL to deny all traffic from Lisa to Paul?
Router Name: Router B    Interface: E1

Where would you place the standard ACL to deny traffic from Paul to Lisa?
Router Name: Router A    Interface: E__

1. Where would you place a standard access list to [question text not recovered] computer?
   Router Name: ________    Interface: ________
2. Where would you place a standard access list to deny traffic from Melvin's computer from reaching Jenny's computer?
   Router Name: ________    Interface: ________
3. Where would you place a standard access list to deny traffic to Carrol's computer from Sarah's computer?
   Router Name: ________    Interface: ________
4. Where would you place a standard access list to permit traffic from Ricky's computer to reach Jeff's computer?
   Router Name: ________    Interface: ________
5. Where would you place a standard access list to deny traffic from Amanda's computer from reaching Jeff's and Jim's computers?
   Router Name: ________    Interface: ________
6. Where would you place a standard access list to permit traffic from Jackie's computer to reach Linda's computer?
   Router Name: ________    Interface: ________
7. Where would you place a standard access list to permit traffic from Ricky's computer to reach Carrol's and Amanda's computers?
   Router Name: ________    Interface: ________
8. Where would you place a standard access list to deny traffic to Jenny's computer from Jackie's computer?
   Router Name: ________    Interface: ________
9. Where would you place a standard access list to permit traffic from George's computer to reach Linda's and Sarah's computers?
   Router Name: ________    Interface: ________
10. Where would you place an ACL to deny traffic from Jeff's computer from reaching George's computer?
   Router Name: Router C    Interface: FA2
11. Where would you place a standard access list to deny traffic to Sarah's computer from Ricky's computer?
   Router Name: Router E    Interface: E0
12. Where would you place an ACL to deny traffic from Linda's computer from reaching Jackie's computer?
   Router Name: Router F    Interface: FA2

Key entries for questions 1 to 9, in the order extracted (the pairing with question numbers was lost with the page layout): Router A E0; Router C FA2; Router D E0; Router D E0; Router E E0; Router C FA2; Router A E0; Router E E0.
Extended Access Lists

Extended Access Lists...
...are numbered from 100 to 199 (and 2000 to 2699 in the expanded range).
...filter (permit or deny) based on the:

source address
destination address
protocol
port number

...are placed close to the source.
...work at both layer 3 and layer 4 of the OSI model.

Why extended ACLs are placed close to the source.

If you want to deny traffic from Juan's computer from reaching Janet's computer with an extended access list, you would place the ACL close to the source on Router A, interface E0. Since it can permit or deny based on the destination address, it can reduce backbone overhead and not affect traffic to Routers B or C.

[Network diagram: the same Routers A, B, C and D joined by serial links (S0/S1), each with a LAN interface (E0 or FA0). Juan's computer is behind Router A, Janet's computer behind Router D, and Matt's and Jimmy's computers on the other LANs.]

If you place the ACL on the destination router instead, to block traffic from Router A, it will work. However, Routers B and C will have to route the packet before it is finally blocked there. This increases the volume of useless network traffic.

Extended Access List Placement

Sample Problems

[Network diagram: the same routers (A through F) and named computers as the standard placement problems; the drawing did not survive extraction.]

In order to permit packets from Juan's Computer to arrive at Jan's computer you would place the extended access list at router interface: ________

Lisa has been sending unnecessary information to Paul. Where would you place the extended ACL to deny all traffic from Lisa to Paul?
Router Name: Router A    Interface: FA0

Where would you place the extended ACL to deny traffic from Paul to Lisa?
Router Name: Router __    Interface: ________

1. Where would you place an ACL to deny traffic from Jeff's computer from reaching George's computer?
   Router Name: Router D    Interface: FA0
2. Where would you place an extended access list to permit traffic from Jackie's computer to reach Linda's computer?
   Router Name: ________    Interface: ________
3. Where would you place an extended access list to deny traffic to Carrol's computer from Ricky's computer?
   Router Name: ________    Interface: ________
4. Where would you place an extended access list to deny traffic to Sarah's computer from Jackie's computer?
   Router Name: ________    Interface: ________
5. Where would you place an extended access list to permit traffic from Carrol's computer to reach Jeff's computer?
   Router Name: ________    Interface: ________
6. Where would you place an extended access list to deny traffic from Melvin's computer from reaching Jeff's and Jim's computers?
   Router Name: ________    Interface: ________
7. Where would you place an extended access list to permit traffic from George's computer to reach Jeff's computer?
   Router Name: ________    Interface: ________
8. Where would you place an extended access list to permit traffic from Jim's computer to reach Carrol's and Amanda's computers?
   Router Name: ________    Interface: ________
9. Where would you place an ACL to deny traffic from Linda's computer from reaching Kathy's computer?
   Router Name: ________    Interface: ________
10. Where would you place an extended access list to deny traffic to Jenny's computer from Sarah's computer?
   Router Name: ________    Interface: ________
11. Where would you place an extended access list to permit traffic from George's computer to reach Linda's and Sarah's computers?
   Router Name: ________    Interface: ________
12. Where would you place an extended access list to deny traffic from Linda's computer from reaching Jenny's computer?
   Router Name: ________    Interface: ________

Remaining key entries, in the order extracted (the pairing with question numbers was lost with the page layout): Router A FA0; interface E2; Router E FA0.

Choosing to Filter Incoming or Outgoing Packets

Access Lists on your incoming port...
...require less CPU processing.
...filter and deny packets before the router has to make a routing decision.

Access Lists on your outgoing port...
...are the default: ip access-group applies the list outbound unless in is specified. State the direction explicitly every time so the intent is clear when the configuration is read later.
...increase CPU processing time, because the routing decision is made and the packet is switched to the correct outgoing port before it is tested against the ACL.

What are Named Access Control Lists?

Named ACLs...
...are standard or extended ACLs which have an alphanumeric name instead of a number (i.e., instead of 1-99 or 100-199).

Named Access Lists Information

Named Access Lists...
...identify ACLs with an intuitive name instead of a number.
...eliminate the limits imposed by the finite pool of numbers available to numbered ACLs.
...provide the ability to modify your ACLs without deleting and reloading the revised access list. In the IOS releases this workbook was written for, you can only add statements to the end of the existing statements; later releases give each entry a sequence number so individual statements can be inserted or removed with the no form.
...are not compatible with any IOS prior to Release 11.2.
...cannot repeat the same name on multiple ACLs.

Applying a Standard Named Access List called George

Write a named standard access list called "George" on Router A, interface E1, to block Melvin's computer from sending information to Kathy's computer, but allow all other traffic. (Melvin's computer is 172.16.70.35 in the Router A network used for Standard Access List Sample #1 later in this workbook.)

Place the access list at:
Router Name: Router A
Interface: E1
Access-list Name: George

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list standard George
Router(config-std-nacl)# deny host 172.16.70.35
Router(config-std-nacl)# permit any
Router(config-std-nacl)# interface e1
Router(config-if)# ip access-group George out
Router(config-if)# exit
Router(config)# exit

Inside ip access-list configuration mode the statements are entered without the access-list keyword. The deny for Melvin's host must come before permit any; in the reverse order every packet would match the permit first.

Applying an Extended Named Access List called Grade

Write a named extended access list called Grade on Router A, interface E0, to deny HTTP traffic intended for web server 192.168.207.27, but permit all other HTTP traffic to reach only the 192.168.207.0 network. Deny all other IP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list Name: Grade

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list extended Grade
Router(config-ext-nacl)# deny tcp any host 192.168.207.27 eq 80      (eq www is equivalent)
Router(config-ext-nacl)# permit tcp any 192.168.207.0 0.0.0.255 eq 80
Router(config-ext-nacl)# interface e0
Router(config-if)# ip access-group Grade in
Router(config-if)# exit
Router(config)# exit

"Deny all other IP traffic" is satisfied by the implicit deny at the end of the list; no explicit statement is needed. Add deny ip any any log as the last line if you want the dropped traffic recorded.
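The matching rules described under "How routers use Access Lists" (top-down, first match wins, implicit deny at the end) can be checked against the George and Grade lists above and the numbered lists written later in this workbook. The evaluator below is an added example written for this page; it is not IOS code and not part of the workbook. It parses the subset of IOS syntax the workbook uses (any, host, address plus wildcard, eq port, an optional trailing log) and returns which statement, if any, decided a packet. Melvin's address 172.16.70.35 is taken from Standard Access List Sample #1; the packet addresses and ports in the demo lists are constructed for the example.

```python
"""First-match evaluator for Cisco IOS-style IP access lists.

Added example for this workbook; it is not IOS code. It accepts the subset of
IOS syntax the workbook uses:

  standard:  [access-list N] {permit|deny} {any | host A | A [WILDCARD]} [log]
  extended:  [access-list N] {permit|deny} PROTO SRC [eq PORT] DST [eq PORT] [log]

where SRC and DST are 'any', 'host A' or 'A WILDCARD'. Statements of a named
list (no access-list prefix) are accepted as well.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; 0 means 'must match'."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) ^ to_int(pattern)) & care == 0


@dataclass
class Entry:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip' for standard lists (matches every protocol)
    src: Tuple[str, str]        # (pattern, wildcard)
    dst: Tuple[str, str]
    sport: Optional[int]
    dport: Optional[int]
    log: bool


def _addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec at tokens[i]; return ((pattern, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1   # bare address: IOS assumes wildcard 0.0.0.0


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES.get(name)), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    if tokens[0] == "access-list":          # numbered form: drop 'access-list N'
        tokens = tokens[2:]
    action = tokens[0]
    log = tokens[-1] == "log"
    if log:
        tokens = tokens[:-1]
    if tokens[1] in ("ip", "tcp", "udp", "icmp"):   # extended list
        proto = tokens[1]
        src, i = _addr(tokens, 2)
        sport, i = _port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, _ = _port(tokens, i)
    else:                                           # standard list: source only
        proto = "ip"
        src, _ = _addr(tokens, 1)
        dst, sport, dport = ("0.0.0.0", "255.255.255.255"), None, None
    return Entry(action, proto, src, dst, sport, dport, log)


def evaluate(acl: List[str], src: str, dst: str, proto: str = "ip",
             sport: Optional[int] = None, dport: Optional[int] = None):
    """Walk the list top-down. The first matching statement decides; if none
    matches, the implicit 'deny any' at the end of every ACL applies."""
    for n, line in enumerate(acl, 1):
        e = parse_entry(line)
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, n          # (action, 1-based statement number)
    return "deny", None             # implicit deny: no statement matched


# Lists from the workbook's worked examples, in the syntax above.
GEORGE = ["deny host 172.16.70.35", "permit any"]
GRADE = ["deny tcp any host 192.168.207.27 eq 80",
         "permit tcp any 192.168.207.0 0.0.0.255 eq 80"]
ACL_28 = ["access-list 28 deny host 192.168.90.36",
          "access-list 28 permit 192.168.90.0 0.0.0.255",
          "access-list 28 permit 210.30.28.0 0.0.0.255"]
# Sample #1's statements in the wrong order: 'permit any' first means the deny is never reached.
MISORDERED = ["access-list 10 permit any", "access-list 10 deny host 172.16.70.35"]

if __name__ == "__main__":
    print(evaluate(GEORGE, "172.16.70.35", "192.168.90.38"))                  # ('deny', 1)
    print(evaluate(GRADE, "10.1.1.1", "192.168.207.50", "tcp", 40000, 22))    # ('deny', None)
    print(evaluate(MISORDERED, "172.16.70.35", "192.168.90.38"))              # ('permit', 1)
```

The second number returned tells you which statement fired; None means the packet fell through to the implicit deny, which is the case for the non-HTTP packet to 192.168.207.50 under Grade. Swapping the two statements of Sample #1's list (MISORDERED) shows why statement order matters: Melvin's packets are permitted by the first line and the deny is dead code.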

Choices for Using Wildcard Masks

Wildcard masks are usually set up to do one of four things:
1. Match a specific host.
2. Match an entire subnet.
3. Match a specific range.
4. Match all addresses.

1. Matching a specific host.

For standard access lists:
Access-list 10 permit 192.168.150.50 0.0.0.0
  or
Access-list 10 permit host 192.168.150.50

For extended access lists:
Access-list 110 deny ip 192.168.150.50 0.0.0.0 any
  or
Access-list 110 deny ip host 192.168.150.50 any

2. Matching an entire subnet.

Example 1
Address: 192.168.50.0    Subnet Mask: 255.255.255.0
Access-list 25 deny 192.168.50.0 0.0.0.255

Example 2
Address: 172.16.0.0    Subnet Mask: 255.255.0.0
Access-list 12 permit 172.16.0.0 0.0.255.255

Example 3
Address: 10.0.0.0    Subnet Mask: 255.0.0.0
Access-list 125 deny udp 10.0.0.0 0.255.255.255 any

3. Matching a specific range.

Example 1
Address: 10.250.50.112    Subnet Mask: 255.255.255.224
  255.255.255.255
- 255.255.255.224
  ---------------
  Wildcard: 0.0.0.31
Access-list 125 permit udp 10.250.50.112 0.0.0.31 any
(The router ignores the address bits the wildcard covers, so this statement is stored and matched as 10.250.50.96 0.0.0.31: the whole 10.250.50.96 to 10.250.50.127 block that 10.250.50.112 belongs to.)

Example 2
Address Range: 192.168.16.0 to 192.168.16.127
  192.168.16.127
- 192.168.16.0
  ---------------
  Wildcard: 0.0.0.127
Access-list 125 deny ip 192.168.16.0 0.0.0.127 any
(This ACL would block the lower half of the subnet.)

Example 3
Address Range: 172.250.16.32 to 172.250.31.63
  172.250.31.63
- 172.250.16.32
  ---------------
  Wildcard: 0.0.15.31
Access-list 125 permit ip 172.250.16.32 0.0.15.31 any

Caveat on Example 3: subtracting the endpoints gives a wildcard that matches exactly the stated range only when the range is a block whose size is a power of two and whose first address is aligned to that size. 172.250.16.32 to 172.250.31.63 is not such a block. The wildcard 0.0.15.31 matches any address whose third octet is 16 to 31 and whose fourth octet is 32 to 63 (512 addresses in all), so 172.250.20.40 matches but 172.250.16.100 and 172.250.17.5, both inside the stated range, do not. When the range you need is not an aligned power-of-two block, write one statement per aligned block instead of a single wildcard.

4. Matching everyone.

For standard access lists:
Access-list 15 permit any
  or
Access-list 15 deny 0.0.0.0 255.255.255.255

For extended access lists:
Access-list 175 permit ip any any
  or
Access-list 175 deny tcp 0.0.0.0 255.255.255.255 any

Creating Wildcard Masks

Just like a subnet mask, the wildcard mask tells the router what part of the address to check or ignore. A zero (0) bit must match exactly; a one (1) bit will be ignored.

The source address can be a single address, a range of addresses, or an entire subnet.

As a rule of thumb the wildcard mask is the reverse (bitwise inverse) of the subnet mask.

Example #1:
IP Address and subnet mask:    204.100.100.0 255.255.255.0
IP Address and wildcard mask:  204.100.100.0 0.0.0.255

All zeros (or 0.0.0.0) means the address must match exactly.

Example #2:
10.10.150.95 0.0.0.0 (This address must match exactly.)

Ones will be ignored.

Example #3:
10.10.150.95 0.0.0.255 (Any 10.10.150.0 subnet address will match: 10.10.150.0 to 10.10.150.255.)

This also works with subnets.

Example #4:
IP Address and subnet mask:    192.170.25.30 255.255.255.224
IP Address and wildcard mask:  192.170.25.30 0.0.0.31
Do the math: 255 - 255 = 0, 255 - 224 = 31. (Subtract the subnet mask from 255.255.255.255 to create the wildcard; this is the inverse of the subnet mask.)

Example #5:
IP Address and subnet mask:    172.24.128.0 255.255.128.0
IP Address and wildcard mask:  172.24.128.0 0.0.127.255
Do the math: 255 - 255 = 0, 255 - 128 = 127, 255 - 0 = 255. (This is the inverse of the subnet mask.)

Wildcard Mask Problems

1. Create a wildcard mask to match this exact address.
   IP Address: 192.168.25.70    Subnet Mask: 255.255.255.0
   Answer: 0.0.0.0
2. Create a wildcard mask to match this range.
   IP Address: 210.150.10.0    Subnet Mask: 255.255.255.0
   Answer: 0.0.0.255
3. Create a wildcard mask to match this host.
   IP Address: 195.190.10.35    Subnet Mask: 255.255.255.0
   Answer: 0.0.0.0
4. Create a wildcard mask to match this range.
   IP Address: 172.16.0.0    Subnet Mask: 255.255.0.0
   Answer: 0.0.255.255
5. Create a wildcard mask to match this range.
   IP Address: 10.0.0.0    Subnet Mask: 255.0.0.0
   Answer: 0.255.255.255
6. Create a wildcard mask to match this exact address.
   IP Address: 165.100.0.130    Subnet Mask: 255.255.255.192
   Answer: 0.0.0.0
7. Create a wildcard mask to match this range.
   IP Address: 192.10.10.16    Subnet Mask: 255.255.255.224
   Answer: 0.0.0.31
8. Create a wildcard mask to match this range.
   IP Address: 171.50.75.128    Subnet Mask: 255.255.255.192
   Answer: 0.0.0.63
9. Create a wildcard mask to match this host.
   IP Address: 10.250.30.2    Subnet Mask: 255.0.0.0
   Answer: 0.0.0.0
10. Create a wildcard mask to match this range.
   IP Address: 210.150.28.16    Subnet Mask: 255.255.255.248
   Answer: 0.0.0.7
11. Create a wildcard mask to match this range.
   IP Address: 172.18.0.0    Subnet Mask: 255.255.224.0
   Answer: 0.0.31.255
12. Create a wildcard mask to match this range.
   IP Address: 135.35.230.32    Subnet Mask: 255.255.255.248
   Answer: 0.0.0.7

Wildcard Mask Problems

Based on the given information, list the usable source addresses or range of usable source addresses that would be permitted or denied for each access list statement.

1. access-list 10 permit 192.168.150.50 0.0.0.0
   Answer: 192.168.150.50
2. access-list 5 permit any
   Answer: Any address
3. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
   Answer: 195.223.50.1 to 195.223.50.63
4. access-list 11 deny 210.10.10.0 0.0.0.255
   Answer: 210.10.10.1 to 210.10.10.254
5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
   Answer: 192.220.10.1 to 192.220.10.15
6. access-list 171 deny ip any host 175.18.24.10 fragments
   Answer: Any address
7. access-list 105 permit ip 192.168.15.0 0.0.0.255 any
   Answer: 192.168.15.1 to 192.168.15.254
8. access-list 109 permit tcp 172.16.10.0 0.0.0.255 host 192.168.10.1 eq 80
   Answer: 172.16.10.1 to 172.16.10.254
9. access-list 111 permit ip any any
   Answer: Any address
10. access-list 100 permit ip 10.0.0.0 0.255.255.255 172.50.10.0 0.0.0.255
   Answer: 10.0.0.1 to 10.255.255.254
11. access-list 110 permit ip 192.168.15.0 0.0.0.3 192.168.30.10 0.0.0.0
   Answer: 192.168.15.1 to 192.168.15.3
12. access-list 120 permit ip 192.168.15.0 0.0.0.7 192.168.30.10 0.0.0.0
   Answer: 192.168.15.1 to 192.168.15.7
13. access-list 130 permit ip 192.168.15.0 0.0.0.15 192.168.30.10 0.0.0.0
   Answer: 192.168.15.1 to 192.168.15.15
14. access-list 140 permit ip 192.168.15.0 0.0.0.31 192.168.30.10 0.0.0.0
   Answer: 192.168.15.1 to 192.168.15.31
15. access-list 150 permit ip 192.168.15.0 0.0.0.63 192.168.30.10 0.0.0.0
   Answer: 192.168.15.1 to 192.168.15.63
16. access-list 160 permit ip 192.168.15.0 0.0.0.127 192.168.30.10 0.0.0.0
   Answer: 192.168.15.1 to 192.168.15.127
17. access-list 170 permit ip 192.168.15.0 0.0.0.255 192.168.30.0 0.0.0.255
   Answer: 192.168.15.1 to 192.168.15.254
18. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 gt 22
   Answer: 172.16.0.1 to 172.16.1.254
19. access-list 195 permit icmp 172.85.0.0 0.0.15.255 172.50.10.0 0.0.0.255
   Answer: 172.85.0.1 to 172.85.15.254
20. access-list 10 permit 175.15.120.0 0.0.0.255
   Answer: 175.15.120.1 to 175.15.120.254
21. access-list 190 permit tcp 172.15.0.0 0.0.15.31 any
   Answer: 172.15.0.0 to 172.15.15.31 as printed in the key. Strictly, 0.0.15.31 is not a contiguous wildcard: it matches only the addresses whose third octet is 0 to 15 and whose fourth octet is 0 to 31, not every address between those two endpoints.
22. access-list 195 permit udp 172.30.12.0 0.0.0.127 172.50.10.0 0.0.0.255
   Answer: 172.30.12.1 to 172.30.12.127

Wildcard Mask Problems

Based on the given information, list the usable destination addresses or range of usable destination addresses that would be permitted or denied for each access list statement.

1. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
   Answer: 172.168.10.1
2. access-list 115 permit ip any any
   Answer: Any address
3. access-list 150 permit ip 192.168.30.10 0.0.0.0 192.168.15.0 0.0.0.63
   Answer: 192.168.15.1 to 192.168.15.63
4. access-list 120 deny tcp 172.32.4.0 0.0.0.255 192.220.10.0 0.0.0.15
   Answer: 192.220.10.1 to 192.220.10.15
5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
   Answer: 172.32.4.1 to 172.32.4.254
6. access-list 101 deny ip 140.130.110.100 0.0.0.0 0.0.0.0 255.255.255.255
   Answer: Any address
7. access-list 105 permit ip any 192.168.15.0 0.0.0.255
   Answer: 192.168.15.1 to 192.168.15.254
8. access-list 120 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.7
   Answer: 192.168.30.1 to 192.168.30.7
9. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 eq 21
   Answer: 172.18.10.18
10. access-list 150 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.63
   Answer: 192.168.30.1 to 192.168.30.63

Writing Standard Access Lists...
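The arithmetic behind "Creating Wildcard Masks" and the range questions in the problem sets above can be done mechanically. The block below is an added example written for this page, not code from the workbook or from Cisco. It derives a wildcard from a subnet mask, reports the block an address/wildcard pair really matches (including the canonical form IOS stores), and checks whether a "first address to last address" range can be expressed with one wildcard at all, which is the assumption the endpoint-subtraction rule of thumb makes. The addresses used in the demo are the workbook's own examples; the 172.250.20.40 and 172.250.16.100 probes are constructed for the example.

```python
"""Wildcard mask arithmetic for Cisco access lists.

Added example for this workbook; not IOS code. Three operations:
  1. wildcard from subnet mask (bitwise inverse, i.e. 255 minus each octet);
  2. the address block an address/wildcard pair actually matches, and the
     'usable' range with the block's first and last address removed;
  3. whether a first..last range can be expressed with a single wildcard.
"""
import ipaddress
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_from_subnet_mask(mask: str) -> str:
    """255.255.255.224 -> 0.0.0.31; the same as 255 minus each octet."""
    return to_str(ALL_ONES ^ to_int(mask))


def matches(addr: str, pattern: str, wildcard: str) -> bool:
    """IOS test: bits where the wildcard is 0 must equal the pattern; 1-bits are ignored."""
    care = ALL_ONES ^ to_int(wildcard)
    return (to_int(addr) ^ to_int(pattern)) & care == 0


def canonical(pattern: str, wildcard: str) -> str:
    """IOS zeroes the pattern bits the wildcard ignores: 10.250.50.112 0.0.0.31
    is stored and matched as 10.250.50.96 0.0.0.31."""
    return to_str(to_int(pattern) & (ALL_ONES ^ to_int(wildcard)))


def is_contiguous(wildcard: str) -> bool:
    """True when the 1-bits form one block at the low end, i.e. the wildcard is
    an inverted subnet mask and the matched addresses form a single range."""
    w = to_int(wildcard)
    return w & (w + 1) == 0


def matched_count(wildcard: str) -> int:
    """Number of addresses matched: 2 to the power of the number of 1-bits."""
    return 1 << bin(to_int(wildcard)).count("1")


def matched_range(pattern: str, wildcard: str) -> Tuple[str, str]:
    """First and last address of the matched block. A non-contiguous wildcard
    matches scattered addresses, not a range, so it is rejected here."""
    if not is_contiguous(wildcard):
        raise ValueError(f"wildcard {wildcard} is not contiguous; test addresses with matches()")
    lo = to_int(canonical(pattern, wildcard))
    return to_str(lo), to_str(lo | to_int(wildcard))


def usable_range(pattern: str, wildcard: str) -> Tuple[str, str]:
    """The block with its first (network) and last (broadcast) address removed.
    Blocks of fewer than four addresses, including a single host, are returned whole."""
    lo, hi = (to_int(a) for a in matched_range(pattern, wildcard))
    if hi - lo < 3:
        return to_str(lo), to_str(hi)
    return to_str(lo + 1), to_str(hi - 1)


def wildcard_for_range(first: str, last: str) -> Optional[str]:
    """Wildcard matching exactly first..last, or None when no single wildcard can:
    the block size must be a power of two and first must be aligned to it."""
    lo, hi = to_int(first), to_int(last)
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        return None
    return to_str(size - 1)


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.224"))          # 0.0.0.31
    print(matched_range("10.250.50.112", "0.0.0.31"))            # ('10.250.50.96', '10.250.50.127')
    print(wildcard_for_range("172.250.16.32", "172.250.31.63"))  # None: not an aligned block
    print(matches("172.250.20.40", "172.250.16.32", "0.0.15.31"),
          matches("172.250.16.100", "172.250.16.32", "0.0.15.31"))  # True False
```

matched_range shows what a statement really covers (10.250.50.112 0.0.0.31 is the .96 to .127 block, not something starting at .112), and wildcard_for_range returning None is the signal to split a range into several aligned blocks rather than trust the subtraction. The problem-set keys above list sub-/24 blocks up to their last address (for example .1 to .63); usable_range drops that last address as the block's broadcast, so expect .1 to .62 for the same statement.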

[Network diagram for Samples #1 and #2: Router A with interface E1 (192.168.90.2) on the 192.168.90.0 network, where Jim's Computer (192.168.90.36) and Kathy's Computer (192.168.90.38) sit, and interface E0 (172.16.70.1) on the 172.16.70.0 network, where Frank's Computer (172.16.70.32) and Melvin's Computer (172.16.70.35) sit. The 210.30.28.0 network is also reached through Router A.]

Standard Access List Sample #1

Write a standard access list to block Melvin's Computer from sending information to Kathy's Computer, but allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E1
Access-list #: 10

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 10 deny 172.16.70.35
  or access-list 10 deny 172.16.70.35 0.0.0.0
  or access-list 10 deny host 172.16.70.35
Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255
  or access-list 10 permit any
Router(config)# interface e1
Router(config-if)# ip access-group 10 out
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACLs]

Router# show running-config      (shows which access groups are applied to which interfaces)
Router# show access-lists 10     (shows the statements in this ACL, with per-statement match counters)
Router# show ip interface e1     (shows the inbound and outbound access lists on one interface)

Standard Access List Sample #2

Write a standard access list to block Jim's Computer from sending information to Frank's Computer, but allow all other traffic from the 192.168.90.0 network. Permit all traffic from the 210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 28

[Writing and installing an ACL]

Router# configure terminal
Router(config)# access-list 28 deny 192.168.90.36
  or access-list 28 deny 192.168.90.36 0.0.0.0
  or access-list 28 deny host 192.168.90.36
Router(config)# access-list 28 permit 192.168.90.0 0.0.0.255
Router(config)# access-list 28 permit 210.30.28.0 0.0.0.255
Router(config)# interface e0
Router(config-if)# ip access-group 28 out
Router(config-if)# exit
Router(config)# exit
Router# copy run start

The deny for Jim's computer must come before the permit for the 192.168.90.0 network; reversed, the permit would match first and the deny would never be reached. "Deny all other traffic" is handled by the implicit deny at the end of the list.

[Disabling ACLs]

Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]

Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# no access-list 28
Router(config)# exit

Remove the list from the interface before deleting it. An interface that still references an access list which no longer exists passes all traffic, so deleting first leaves the interface unfiltered until the access-group is also removed.

[Network diagram: Router B with interfaces FA0 (223.190.32.1), FA1 (192.16.32.94) and S0. Hosts shown: Michael's Computer, Debbie's Computer (223.190.32.16), 172.16.28.36 and 192.16.32.95.]

Standard Access List Problem #1

Write a standard access list to block Debbie's computer from receiving information from Michael's computer, but allow all other traffic. List all the command line options for this problem. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 35 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 35 deny 223.190.32.16
  or access-list 35 deny host 223.190.32.16
  or access-list 35 deny 223.190.32.16 0.0.0.0
Router(config)# access-list 35 permit any
  or access-list 35 permit 0.0.0.0 255.255.255.255
Router(config)# interface FA1
Router(config-if)# ip access-group 35 out    (in or out: circle one)
Router(config-if)# exit
Router(config)# exit

Note: a standard ACL tests only the source address. As written, this list stops packets from Debbie's computer (223.190.32.16) leaving FA1; packets from Michael's computer toward Debbie are not matched by it. To filter what Debbie receives, the deny must name Michael's address and be applied outbound on FA0, the interface facing Debbie's 223.190.32.0 network.

Standard Access List Problem #2

Write a standard access list to permit Debbie's Computer to receive information from Michael's Computer, but deny all other traffic from the 223.190.32.0 network. Block all traffic from the 172.16.0.0 network. Permit all other traffic. List all the command line options for this problem. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA0
Access-list #: 40 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 40 permit 223.190.32.16
  or access-list 40 permit host 223.190.32.16
  or access-list 40 permit 223.190.32.16 0.0.0.0
Router(config)# access-list 40 deny 223.190.32.0 0.0.0.255
Router(config)# access-list 40 deny 172.16.0.0 0.0.255.255
Router(config)# access-list 40 permit any
  or access-list 40 permit 0.0.0.0 255.255.255.255
Router(config)# interface FA0
Router(config-if)# ip access-group 40 out    (in or out: circle one)
Router(config-if)# exit
Router(config)# exit

[Network diagram: Router A with interface E0 (204.90.30.124) on the 204.90.30.0 network, where Rodney's Computer and Carol's Computer (204.90.30.125 and 204.90.30.126) sit, and a serial link S1 (10.250.30.36) toward Router B, whose FastEthernet interface (192.168.88.4) serves Jim's Computer (192.168.88.5).]

Standard Access List Problem #3

Write a standard access list to block Rodney's and Carol's computers from sending information to Jim's computer, but allow all other traffic from the 204.90.30.0 network. Block all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA2
Access-list #: 45 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 45 deny 204.90.30.125
  or access-list 45 deny host 204.90.30.125
  or access-list 45 deny 204.90.30.125 0.0.0.0
Router(config)# access-list 45 deny 204.90.30.126
  or access-list 45 deny host 204.90.30.126
  or access-list 45 deny 204.90.30.126 0.0.0.0
Router(config)# access-list 45 permit 204.90.30.0 0.0.0.255
Router(config)# interface FA2
Router(config-if)# ip access-group 45 out    (in or out: circle one)
Router(config-if)# exit
Router(config)# exit

Standard Access List Problem #4

Using a minimum number of commands, write a standard access list named "Ralph" to block Carol's computer from sending information to Jim's computer, but permit Jim to receive data from Rodney. Block the upper half of the 204.90.30.0 range from reaching Jim's computer while permitting the lower half of the range. Block all other traffic. For help with blocking the upper half of the range review page 13 or the wildcard mask problems on pages 16 and 17. For help with named ACLs review pages 12 and 13.

Place the access list at:
Router Name: Router B
Interface: FA2
Access-list Name: Ralph

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list standard Ralph
Router(config-std-nacl)# deny host 204.90.30.126
Router(config-std-nacl)# permit 204.90.30.0 0.0.0.127
Router(config-std-nacl)# interface FA2
Router(config-if)# ip access-group Ralph out    (in or out: circle one)
Router(config-if)# exit
Router(config)# exit

Carol's computer (204.90.30.126 in the diagram) lies inside the lower half of the range, so the single statement permit 204.90.30.0 0.0.0.127 on its own would let her traffic through; the deny for her host has to precede it. The upper half of the range and every other source fall to the implicit deny, so no further statements are needed.

[Network diagram: Router B (interfaces S0 and S1; 172.30.225.1 on its LAN) and Router C (212.180.10.5 on its LAN) connected by a serial link. Hosts: 172.30.225.2 and 172.30.225.3 on Router B's LAN; 212.180.10.2 and 212.180.10.6 on Router C's LAN.]

Standard Access List Problem #5

Write a standard access list to block 172.30.225.2 and 172.30.225.3 from sending information to the 212.180.10.0 network, but allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router C
Interface: E1
Access-list #: 55 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 55 deny 172.30.225.2
  or access-list 55 deny host 172.30.225.2
  or access-list 55 deny 172.30.225.2 0.0.0.0
Router(config)# access-list 55 deny 172.30.225.3
  or access-list 55 deny host 172.30.225.3
  or access-list 55 deny 172.30.225.3 0.0.0.0
Router(config)# access-list 55 permit any
Router(config)# interface E1
Router(config-if)# ip access-group 55 out    (in or out: circle one)
Router(config-if)# exit
Router(config)# exit

Standard Access List Problem #6

Write a standard access list to block and log 212.180.10.2 from sending information to the 172.30.225.0 network. Permit and log 212.180.10.6 to send data to the 172.30.225.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. (Check the example on page 10 for help with the logging option.)

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 60 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 60 deny 212.180.10.2 log
  or access-list 60 deny host 212.180.10.2 log
  or access-list 60 deny 212.180.10.2 0.0.0.0 log
Router(config)# access-list 60 permit 212.180.10.6 log
  or access-list 60 permit host 212.180.10.6 log
  or access-list 60 permit 212.180.10.6 0.0.0.0 log
Router(config)# interface E0
Router(config-if)# ip access-group 60 ____    (in or out: circle one)
Router(config-if)# exit
Router(config)# exit

"Deny all other traffic" is covered by the implicit deny, which produces no log messages. If you also want a record of the other dropped packets, add access-list 60 deny any log as the last statement.

[Network diagram: Router A and Router C joined by a serial link (S0/S1), with Router B between them and the 210.140.15.0 network. Hosts shown: 192.168.15.3 on the 192.168.15.0 network behind FA0 (192.168.15.172), 198.32.10.25, and 210.140.15.8.]

Standard Access List Problem #7

Write a standard access list to block the addresses 192.168.15.1 to 192.168.15.31 from sending information to the 210.140.15.0 network. Do not permit any traffic from 198.32.10.25 to reach the 210.140.15.0 network. Permit all other traffic. For help with this problem review page 13 or the wildcard mask problems on pages 16 and 17.

Place the access list at:
Router Name: Router B
Interface: FA2
Access-list #: 65 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 65 deny 192.168.15.0 0.0.0.31
Router(config)# access-list 65 deny 198.32.10.25
  or access-list 65 deny host 198.32.10.25
  or access-list 65 deny 198.32.10.25 0.0.0.0
Router(config)# access-list 65 permit any
Router(config)# interface FA2
Router(config-if)# ip access-group 65 out    (in or out: circle one)
Router(config-if)# exit
Router(config)# exit

Standard Access List Problem #8

Write a standard named access list called Cisco_Lab_A to permit traffic from the lower half of
the 198.32.10.0 network to reach the 192.168.15.0 network; block the upper half of the addresses.
Allow host 198.32.10.192 to reach network 192.168.15.0. Permit all other traffic. For help with this
problem review page 13 or the wildcard mask problems on pages 16 and 17. For assistance
with named ACLs review pages 12 and 13.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list Name: Cisco_Lab_A

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list standard Cisco_Lab_A
Router(config-std-nacl)# permit 198.32.10.0 0.0.0.127
Router(config-std-nacl)# permit host 198.32.10.192
Router(config-std-nacl)# deny 198.32.10.0 0.0.0.255
Router(config-std-nacl)# permit any
Router(config-std-nacl)# interface FA0
Router(config-if)# ip access-group Cisco_Lab_A in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Order matters: the permit for host 198.32.10.192 has to come before the deny, otherwise the deny matches it first and it is never reached. Once the lower half has been permitted, "deny 198.32.10.0 0.0.0.255" only ever matches the upper half; "deny 198.32.10.128 0.0.0.127" says the same thing more explicitly.

Standard Access List Problem #9

Write a standard access list to block network 192.168.255.0 from receiving information from
the following addresses: 10.250.1.1, 10.250.2.1, 10.250.4.1, and the entire 10.250.3.0
255.255.255.0 network. Allow all other traffic. Keep in mind that there may be multiple ways
many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 75 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 75 deny 10.250.1.1
    or access-list 75 deny host 10.250.1.1
    or access-list 75 deny 10.250.1.1 0.0.0.0
Router(config)# access-list 75 deny 10.250.2.1
    or access-list 75 deny host 10.250.2.1
    or access-list 75 deny 10.250.2.1 0.0.0.0
Router(config)# access-list 75 deny 10.250.4.1
    or access-list 75 deny host 10.250.4.1
    or access-list 75 deny 10.250.4.1 0.0.0.0
Router(config)# access-list 75 deny 10.250.3.0 0.0.0.255
Router(config)# access-list 75 permit any
Router(config)# interface FA0
Router(config-if)# ip access-group 75 in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Writing Extended Access Lists...
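The range problems above (Problems #7, #8 and #9) and the "lower half", "first N usable addresses" and "through" problems in the extended section that follows all come down to turning an address range into a network/wildcard pair. The following Python script is an added example and is not part of the workbook: it computes the smallest single block that covers a range, the exact list of aligned blocks a range needs, and the addresses a given network/wildcard pair really matches, so an answer can be checked before it is typed into the router. The addresses are the workbook's own; the function names are this example's.

```python
"""Wildcard-mask helper for the workbook's address-range problems.

Added example, not part of the original workbook.  Addresses are the
workbook's own; function names are this example's.
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


def is_contiguous(wildcard: str) -> bool:
    """True for masks like 0.0.0.31 (a run of 1 bits from the right); False for
    masks like 0.0.0.13, which IOS accepts but which do not describe a range."""
    wc = ip_to_int(wildcard)
    return (wc & (wc + 1)) == 0


def matched_addresses(network: str, wildcard: str):
    """Every address a network/wildcard pair matches (meant for small masks)."""
    base = ip_to_int(network)
    wc = ip_to_int(wildcard)
    free_bits = [b for b in range(32) if (wc >> b) & 1]
    fixed = base & ~wc & 0xFFFFFFFF
    result = []
    for combo in range(1 << len(free_bits)):
        n = fixed
        for i, b in enumerate(free_bits):
            if (combo >> i) & 1:
                n |= 1 << b
        result.append(n)
    return [int_to_ip(n) for n in sorted(result)]


def covering_block(first: str, last: str):
    """Smallest single aligned block containing first..last.  It may also match
    addresses outside the range, typically the network address .0."""
    lo, hi = ip_to_int(first), ip_to_int(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    size = 1
    while lo // size != hi // size:
        size *= 2
    return int_to_ip(lo - lo % size), int_to_ip(size - 1)


def range_to_wildcards(first: str, last: str):
    """Smallest list of (network, wildcard) pairs matching exactly first..last.
    Each block is the largest one that is aligned at the current address and
    does not run past `last`."""
    lo, hi = ip_to_int(first), ip_to_int(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    blocks = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((int_to_ip(lo), int_to_ip(size - 1)))
        lo += size
    return blocks


if __name__ == "__main__":
    # Problem #7: the block covering 192.168.15.1-31 is the key's 0.0.0.31 ...
    print(covering_block("192.168.15.1", "192.168.15.31"))
    # ... while matching .1-.31 exactly (without .0) takes five statements
    print(range_to_wildcards("192.168.15.1", "192.168.15.31"))
    # Sample #10: 192.30.76.0-13 is not one aligned block ...
    print(range_to_wildcards("192.30.76.0", "192.30.76.13"))
    # ... and 0.0.0.13 read as a wildcard matches only eight scattered addresses
    print(is_contiguous("0.0.0.13"), matched_addresses("192.30.76.0", "0.0.0.13"))
```

Run it on the "deny FTP to 192.30.76.0 through 192.30.76.13" sample later in the workbook and it reports that no single wildcard covers exactly that range: the closest single block is 192.30.76.0 0.0.0.15, and the exact range takes 192.30.76.0 0.0.0.7, 192.30.76.8 0.0.0.3 and 192.30.76.12 0.0.0.1.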

[Diagram for Samples #1 and #2: Router A (FA0 on the 172.16.70.0 side, FA1 on the 192.168.90.0 side; router addresses 172.16.70.1 and 192.168.90.2); Johns Computer 172.16.70.35, Gails Computer 172.16.70.32, Mikes Computer 192.168.90.36, Celestes Computer 192.168.90.38]

Extended Access List Sample #1

Deny/Permit Specific Addresses

Write an extended access list to prevent Johns Computer from sending information to Mikes Computer, but allow all other traffic. Keep in mind
that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 110

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 110 deny ip host 172.16.70.35 host 192.168.90.36
    or access-list 110 deny ip 172.16.70.35 0.0.0.0 192.168.90.36 0.0.0.0
Router(config)# access-list 110 permit ip any any
    or access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface FA0
Router(config-if)# ip access-group 110 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Viewing information about existing ACLs]

Router# show running-config   (This will show which access groups are associated with particular interfaces)
Router# show access-list 110  (This will show detailed information about this ACL)

An extended list names a protocol, a source and a destination. "ip" matches every IP packet regardless of transport; "host A" and "A 0.0.0.0" are the same thing, as are "any" and "0.0.0.0 255.255.255.255". The list is applied inbound on FA0 because that is where Johns packets enter the router; an extended list can be placed close to the source, since it can identify the destination too.

Extended Access List Sample #2

Deny/Permit Specific Addresses

Write an extended access list to block the 172.16.70.0 network from receiving information from
Mikes Computer at 192.168.90.36. Block the lower half of the ip addresses from the 192.168.90.0 network from reaching Gails Computer at 172.16.70.32. Permit all other traffic. Keep in mind that there may be multiple
ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA1
Access-list #: 135

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 135 deny ip host 192.168.90.36 172.16.70.0 0.0.0.255
    or access-list 135 deny ip 192.168.90.36 0.0.0.0 172.16.70.0 0.0.0.255
Router(config)# access-list 135 deny ip 192.168.90.0 0.0.0.127 host 172.16.70.32
    or access-list 135 deny ip 192.168.90.0 0.0.0.127 172.16.70.32 0.0.0.0
Router(config)# access-list 135 permit ip any any
Router(config)# interface FA1
Router(config-if)# ip access-group 135 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACLs]

Router# configure terminal
Router(config)# interface FA1
Router(config-if)# no ip access-group 135 in
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]

Router# configure terminal
Router(config)# interface FA1
Router(config-if)# no ip access-group 135 in
Router(config-if)# exit
Router(config)# no access-list 135
Router(config)# exit

Take the list off the interface before deleting it: an access-group that points at a list which no longer exists filters nothing, so the interface silently permits all traffic until the group is removed or the list is re-created. "no access-list 135" deletes every statement of the numbered list; to change a single line the whole list has to be re-entered in order.

[Diagram for Problems #1 and #2: Router A (FA0, S1; 172.20.70.15) and Router B (FA1; 192.168.122.52); Cindys Computer 172.20.70.89, Bobs Computer 172.20.70.80, Jays Computer 192.168.122.128, Jackies Computer 192.168.122.129]
Extended Access List Problem #1

Deny/Permit Specific Addresses

Write an extended access list to prevent Jays Computer from receiving information from Cindys Computer. Permit all other traffic. Keep in mind that there
may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 105 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 105 deny ip host 172.20.70.89 host 192.168.122.128
    or access-list 105 deny ip 172.20.70.89 0.0.0.0 192.168.122.128 0.0.0.0
Router(config)# access-list 105 permit ip any any
Router(config)# interface FA0
Router(config-if)# ip access-group 105 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Extended Access List Problem #2

Deny/Permit Specific Addresses

Write an extended access list to block the 172.20.70.0 255.255.255.0 network from receiving information from Jackies Computer at 192.168.122.129. Block
the lower half of the ip addresses from the 192.168.122.0 network from reaching Cindys Computer at 172.20.70.89. Permit all other traffic. Keep in mind
that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 110 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 110 deny ip host 192.168.122.129 172.20.70.0 0.0.0.255
    or access-list 110 deny ip 192.168.122.129 0.0.0.0 172.20.70.0 0.0.0.255
Router(config)# access-list 110 deny ip 192.168.122.0 0.0.0.127 host 172.20.70.89
    or access-list 110 deny ip 192.168.122.0 0.0.0.127 172.20.70.89 0.0.0.0
Router(config)# access-list 110 permit ip any any
Router(config)# interface FA1
Router(config-if)# ip access-group 110 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Diagram for Problems #3 and #4: Router A (E0, 218.35.50.1) and Router B (172.59.2.1); Juans Computer 218.35.50.12, Jans Computer 218.35.50.10, Rachaels Computer 172.59.2.18, Rebeccas Computer 172.59.2.15]

Extended Access List Problem #3

Deny/Permit Specific Addresses

Write a named extended access list called Lab_166 to permit Jans Computer at 218.35.50.10 to receive packets from Rachaels Computer at
172.59.2.18, but not Rebeccas Computer at 172.59.2.15. Deny all other packets. Keep in mind that there may be multiple ways many of the individual
statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list Name: Lab_166

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list extended Lab_166
Router(config-ext-nacl)# permit ip host 172.59.2.18 host 218.35.50.10
    or permit ip 172.59.2.18 0.0.0.0 218.35.50.10 0.0.0.0
Router(config-ext-nacl)# interface FA1
Router(config-if)# ip access-group Lab_166 in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Rebeccas Computer needs no deny of its own: with only the one permit in the list, its packets (and everything else) are dropped by the implicit deny.

Extended Access List Problem #4

Deny/Permit Specific Addresses

Write an extended access list to allow Juans Computer at 218.35.50.12 to send information to Rebeccas Computer at 172.59.2.15, but
not Rachaels Computer at 172.59.2.18. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual
statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 120 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 120 deny ip host 218.35.50.12 host 172.59.2.18
    or access-list 120 deny ip 218.35.50.12 0.0.0.0 172.59.2.18 0.0.0.0
Router(config)# access-list 120 permit ip any any
Router(config)# interface E0
Router(config-if)# ip access-group 120 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Traffic from Juan to Rebecca needs no statement of its own: it is not matched by the deny and falls through to the permit.

[Diagram for Samples #3 and #4: Router A (E0) and Router B (E1); Ralphs Computer and Cindys Computer on 192.16.20.0 (192.16.20.5, .6 and .7); Bobs Computer 192.18.50.11 and Barbras Computer 192.18.50.12 on 192.18.50.0]

Extended Access List Sample #3

Deny/Permit Entire Ranges

Write an extended access list to permit the 192.16.20.0 network to receive packets from the 192.18.50.0 network. Deny all other traffic. Keep in mind
that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: E1
Access-list #: 111

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 111 permit ip 192.18.50.0 0.0.0.255 192.16.20.0 0.0.0.255
Router(config)# access-list 111 deny ip any any
    or access-list 111 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface E1
Router(config-if)# ip access-group 111 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Viewing information about existing ACLs]

Router# show running-config   (This will show which access groups are associated with particular interfaces)
Router# show access-list 111  (This will show detailed information about this ACL)

The explicit "deny ip any any" does the same as the implicit deny, but because "show access-list 111" keeps a match counter for every statement, writing it out makes the dropped packets visible when troubleshooting.

Extended Access List Sample #4

Deny/Permit Entire Ranges

Write an extended access list to block the 192.18.50.0 network from receiving information from the 192.16.20.0 network. Permit all other traffic. Keep in
mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 188

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 188 deny ip 192.16.20.0 0.0.0.255 192.18.50.0 0.0.0.255
Router(config)# access-list 188 permit ip any any
    or access-list 188 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface E0
Router(config-if)# ip access-group 188 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACLs]

Router# configure terminal
Router(config)# interface E0
Router(config-if)# no ip access-group 188 in
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]

Router# configure terminal
Router(config)# interface E0
Router(config-if)# no ip access-group 188 in
Router(config-if)# exit
Router(config)# no access-list 188
Router(config)# exit

The direction given to "no ip access-group" must be the direction used when the list was applied: "no ip access-group 188 out" would not remove a list that was applied inbound. Disabling leaves the statements in the configuration so the list can be applied again later; removing deletes them, and "no access-list 188" deletes every statement of a numbered list, not just one.

[Diagram for Problems #5 and #6: Router A (FA0) and Router B (FA1, 172.59.2.1); Rachels Computer 204.95.150.10, Todd's Computer and another host at 204.95.150.11 and 204.95.150.12; Davids Computer 172.59.2.18]

Extended Access List Problem #5

Deny/Permit Entire Ranges

Write an extended access list to permit network 204.95.150.0 to send packets to network 172.59.0.0, but not to the 210.250.10.0 network. Permit all other
traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 125 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 125 deny ip 204.95.150.0 0.0.0.255 210.250.10.0 0.0.0.255
Router(config)# access-list 125 permit ip any any
Router(config)# interface FA1
Router(config-if)# ip access-group 125 in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Because everything else is permitted, the traffic to 172.59.0.0 needs no statement of its own; the single deny is enough.
Extended Access List Problem #6

Deny/Permit Entire Ranges

Write an extended access list to allow Rachels Computer at 204.95.150.10 to receive information from the 172.59.0.0 network. Deny all other hosts
on the 204.95.150.0 network access from the 172.59.2.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the
individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 130 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 130 permit ip 172.59.0.0 0.0.255.255 host 204.95.150.10
    or access-list 130 permit ip 172.59.0.0 0.0.255.255 204.95.150.10 0.0.0.0
Router(config)# access-list 130 deny ip 172.59.0.0 0.0.255.255 204.95.150.0 0.0.0.255
Router(config)# access-list 130 permit ip any any
Router(config)# interface FA1
Router(config-if)# ip access-group 130 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

The permit for Rachels Computer must precede the deny for the whole 204.95.150.0 network. The deny above uses the whole 172.59.0.0 block; to match the problem text exactly (the 172.59.2.0 network only) write "deny ip 172.59.2.0 0.0.0.255 204.95.150.0 0.0.0.255" instead.

[Diagram for Problems #7 and #8: Router A (E0, E1 192.168.50.2) and Router B (172.120.170.4x); Tommy's Computer, Phylliss Computer 172.120.170.45, Tims Computer 192.168.50.3, Denises Computer 192.168.50.4; networks 210.168.70.0 and 10.250.1.0]
Extended Access List Problem #7

Deny/Permit Entire Ranges

Write a named extended access list called Godzilla to prevent the 172.120.0.0 network from sending information to the 210.168.70.0 and 10.250.1.0
255.255.255.0 networks, but permit traffic to the 192.168.50.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of
the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list Name: Godzilla

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list extended Godzilla
Router(config-ext-nacl)# deny ip 172.120.0.0 0.0.255.255 210.168.70.0 0.0.0.255
Router(config-ext-nacl)# deny ip 172.120.0.0 0.0.255.255 10.250.1.0 0.0.0.255
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# interface E0
Router(config-if)# ip access-group Godzilla in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Extended Access List Problem #8

Deny/Permit Entire Ranges

Assuming default subnet masks, write an extended access list to permit Tim at 192.168.50.3 to receive data from the 172.120.0.0 network. Allow the
192.168.50.0 network to receive information from Phylliss Computer at 172.120.170.45. Deny all other traffic. Keep in mind that there may be multiple
ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 140 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 140 permit ip 172.120.0.0 0.0.255.255 host 192.168.50.3
    or access-list 140 permit ip 172.120.0.0 0.0.255.255 192.168.50.3 0.0.0.0
Router(config)# access-list 140 permit ip host 172.120.170.45 192.168.50.0 0.0.0.255
    or access-list 140 permit ip 172.120.170.45 0.0.0.0 192.168.50.0 0.0.0.255
Router(config)# interface E0
Router(config-if)# ip access-group 140 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

"Default subnet masks" means 172.120.0.0 is a class B network, hence the wildcard 0.0.255.255. "Deny all other traffic" is the implicit deny.

[Diagram for Samples #5 and #6: Router A (FA0, E1 172.21.50.95); hosts 192.168.15.20, 192.168.15.43 and 192.168.15.44; Carols Computer 172.21.50.96, Franks Computer 172.21.50.97]

Extended Access List Sample #5

Deny/Permit a Range of Addresses

Write an extended access list to deny the first 15 usable addresses of the 192.168.15.0 network from reaching the 172.21.0.0 network. Permit all other
traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 185

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 185 deny ip 192.168.15.0 0.0.0.15 172.21.0.0 0.0.255.255
Router(config)# access-list 185 permit ip any any
    or access-list 185 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface FA0
Router(config-if)# ip access-group 185 in
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACLs]

Router# show running-config   (This will show which access groups are associated with particular interfaces)
Router# show access-list 185  (This will show detailed information about this ACL)

The first 15 usable addresses are .1 through .15; the wildcard 0.0.0.15 covers .0 through .15, which is the smallest single block containing them.

Extended Access List Sample #6

Deny/Permit a Range of Addresses

Write an extended access list which will allow the lower half of the 192.168.15.0 network access to the 172.21.50.0 network. Deny all other traffic. Keep in
mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 121

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 121 permit ip 192.168.15.0 0.0.0.127 172.21.50.0 0.0.0.255
Router(config)# access-list 121 deny ip any any
    or access-list 121 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface FA0
Router(config-if)# ip access-group 121 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACLs]

Router# configure terminal
Router(config)# interface FA0
Router(config-if)# no ip access-group 121 in
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]

Router# configure terminal
Router(config)# interface FA0
Router(config-if)# no ip access-group 121 in
Router(config-if)# exit
Router(config)# no access-list 121
Router(config)# exit

[Diagram for Problems #9 and #10: Router A (E1 192.168.125.254); Johns Computer and Gails Computer on 192.168.195.0 (192.168.195.88, 192.168.195.90, 192.168.195.145); Mikes Computer 192.168.125.17, Celestes Computer 192.168.125.108]

Extended Access List Problem #9

Deny/Permit a Range of Addresses

Write an extended access list to prevent the first 31 usable addresses in the 192.168.125.0 network from reaching the 192.168.195.0 network. Permit all other
traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E1
Access-list #: 195 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 195 deny ip 192.168.125.0 0.0.0.31 192.168.195.0 0.0.0.255
Router(config)# access-list 195 permit ip any any
Router(config)# interface E1
Router(config-if)# ip access-group 195 in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Extended Access List Problem #10

Deny/Permit a Range of Addresses

Write a named extended access list called Media_Center to permit the range of addresses from 172.31.195.1 through
172.31.195.7 to send data to the 192.168.125.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many
of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: S0
Access-list Name: Media_Center

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list extended Media_Center
Router(config-ext-nacl)# permit ip 172.31.195.0 0.0.0.7 192.168.125.0 0.0.0.255
Router(config-ext-nacl)# interface S0
Router(config-if)# ip access-group Media_Center in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

"Deny all other traffic" is the implicit deny at the end of the list; the single permit is the whole list.
[Diagram for Problems #11 and #12: Router A (FA0), Router B (E1) and Router C (172.18.50.10); Ralph's Computer and Cindys Computer on 192.16.20.0 (192.16.20.5, .6 and .7); Brads Computer 172.22.75.8, Bobs Computer 172.22.75.9, 172.22.75.10; hosts 172.18.50.11 and 172.18.50.12]

Extended Access List Problem #11

Deny/Permit a Range of Addresses

Write an extended access list to permit the first 3 usable addresses in the 192.16.20.0 network to reach the 172.22.75.0 network. Deny the addresses from
192.16.20.4 through 192.16.20.31 from reaching the 172.22.75.0 network. Permit all other traffic. Keep in mind that there are multiple ways this ACL can be
written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 155 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 155 permit ip 192.16.20.0 0.0.0.3 172.22.75.0 0.0.0.255
Router(config)# access-list 155 deny ip 192.16.20.0 0.0.0.31 172.22.75.0 0.0.0.255
Router(config)# access-list 155 permit ip any any
Router(config)# interface FA0
Router(config-if)# ip access-group 155 in or out (circle one)
Router(config-if)# exit
Router(config)# exit

The order does the work here: .4 through .31 is not a single aligned block, so instead the permit for .0 through .3 comes first and the deny for .0 through .31 only ever sees the remaining addresses.

Extended Access List Problem #12

Deny/Permit a Range of Addresses

Write an extended access list to deny the addresses from 172.22.75.8 through 172.22.75.127 from sending data to the 172.18.50.0 network. Deny the first
half of the addresses from the 172.22.75.0 network from reaching the 192.16.20.0 network. Permit all other traffic. Keep in mind that there are multiple ways
this ACL can be written.

Place the access list at:
Router Name: Router B
Interface: E1
Access-list #: 160 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 160 permit ip 172.22.75.0 0.0.0.7 172.18.50.0 0.0.0.255
Router(config)# access-list 160 deny ip 172.22.75.0 0.0.0.127 172.18.50.0 0.0.0.255
Router(config)# access-list 160 deny ip 172.22.75.0 0.0.0.127 192.16.20.0 0.0.0.255
Router(config)# access-list 160 permit ip any any
Router(config)# interface E1
Router(config-if)# ip access-group 160 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

The same trick as in Problem #11: .8 through .127 is not one aligned block, so .0 through .7 is permitted first and the deny for the whole lower half then only matches .8 through .127. The third statement covers the second half of the problem (the lower half of 172.22.75.0 to 192.16.20.0).

[Diagram for Problems #13 and #14: Router A (FA0, S0; 172.16.70.1) and Router B (FA0, FA1; 192.168.88.1); Celestes Computer, Bobs Computer and Peggy's Computer at 172.16.70.145 and 172.16.70.155, Denises Computer 192.168.88.204, 192.168.88.200; networks 10.250.1.0 and 10.250.4.0]

Extended Access List Problem #13

Deny/Permit a Range of Addresses

Write an extended access list to permit the first 63 usable addresses in the 192.168.88.0 network to reach the lower half of the addresses in the
172.16.70.0 network, but not the upper half. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 165 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 165 permit ip 192.168.88.0 0.0.0.63 172.16.70.0 0.0.0.127
Router(config)# interface FA1
Router(config-if)# ip access-group 165 in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Both "not the upper half" and "deny all other traffic" are handled by the implicit deny.

Extended Access List Problem #14

Deny/Permit a Range of Addresses

Write an extended access list to deny the addresses from 10.250.1.0 through 10.250.1.63 from sending data to Denises Computer. Permit all other traffic.
Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA1
Access-list #: 170 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 170 deny ip 10.250.1.0 0.0.0.63 host 192.168.88.204
    or access-list 170 deny ip 10.250.1.0 0.0.0.63 192.168.88.204 0.0.0.0
Router(config)# access-list 170 permit ip any any
Router(config)# interface FA1
Router(config-if)# ip access-group 170 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Diagram for Samples #7 and #8: Router A (E0); hosts 192.168.207.26 and 210.128.50.12]

Extended Access List Sample #7

Deny/Permit Port Numbers

Write an extended access list to deny HTTP traffic intended for web server 192.168.207.27, but permit all other HTTP traffic, and only to the
192.168.207.0 network. Deny all other IP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 198

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 198 deny tcp any host 192.168.207.27 eq www
    or access-list 198 deny tcp any 192.168.207.27 0.0.0.0 eq www
Router(config)# access-list 198 permit tcp any 192.168.207.0 0.0.0.255 eq www
Router(config)# interface E0
Router(config-if)# ip access-group 198 in
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACLs]

Router# show running-config   (This will show which access groups are associated with particular interfaces)
Router# show access-list 198  (This will show detailed information about this ACL)

"eq www" is the same as "eq 80". It applies to the destination port because it follows the destination address; a port qualifier written after the source address would match the source port instead. "Deny all other IP traffic" is the implicit deny, and it is strict: anything else entering E0 is dropped, including the replies to connections that 192.168.207.0 hosts open outward through this interface (the "established" keyword exists for that case).

Extended Access List Sample #8

Deny/Permit Port Numbers

Write an extended access list to permit pings in either direction between hosts on the 210.128.50.0 and 192.168.207.0 networks. Deny all other traffic.
Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 134

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 134 permit icmp 210.128.50.0 0.0.0.255 192.168.207.0 0.0.0.255 echo
Router(config)# access-list 134 permit icmp 210.128.50.0 0.0.0.255 192.168.207.0 0.0.0.255 echo-reply
Router(config)# interface E0
Router(config-if)# ip access-group 134 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Applied inbound on E0, the list only sees packets arriving from the 210.128.50.0 side: the echo requests that side originates and the echo-replies it returns when a 192.168.207.0 host pings it. Both ICMP types are therefore needed for "either direction"; packets travelling the other way leave through E0 and are not checked by an inbound list. Leaving the type off ("permit icmp ... ") would permit every ICMP message, not only pings.

[Disabling ACLs]

Router# configure terminal
Router(config)# interface E0
Router(config-if)# no ip access-group 134 in
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]

Router# configure terminal
Router(config)# interface E0
Router(config-if)# no ip access-group 134 in
Router(config-if)# exit
Router(config)# no access-list 134
Router(config)# exit
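To see the first-match rule, the implicit deny and the port and ICMP-type qualifiers from Samples #1, #2, #7 and #8 at work without a router, here is an added Python example (not part of the workbook). It parses statements in the syntax used in the answer keys and evaluates a list against packets exactly as the router does: in order, stopping at the first match, and denying whatever matches nothing. The statements are the answer-key lines for ACLs 198, 134 and 65; the packets are constructed for the example, and the function and class names are this example's.

```python
"""Cisco-style access-list evaluator.  Added example, not part of the
original workbook.  Port names and ICMP types are limited to the ones the
workbook uses; the packets at the bottom are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                 # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None   # "echo" or "echo-reply"


def _addr_matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(network) & care)


def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (standard-list shorthand)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if not tokens:
        return (tok, "0.0.0.0")
    return (tok, tokens.pop(0))


def _take_port(tokens):
    """Consume an optional 'eq PORT' qualifier; returns the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_statement(line: str) -> dict:
    """Parse 'access-list N permit|deny ...' or the bare 'permit|deny ...' form
    typed inside a named list.  A trailing 'log' is accepted and ignored."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny: " + line)
    if tokens and tokens[-1] == "log":
        tokens.pop()
    stmt = {"action": action, "text": line, "proto": None}
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):   # extended: protocol, source, destination
        stmt["proto"] = tokens.pop(0)
        stmt["src"] = _take_addr(tokens)
        stmt["sport"] = _take_port(tokens)
        stmt["dst"] = _take_addr(tokens)
        stmt["dport"] = _take_port(tokens)
        stmt["icmp_type"] = tokens.pop(0) if tokens and stmt["proto"] == "icmp" else None
    else:                                           # standard: source address only
        stmt["src"] = _take_addr(tokens)
    if tokens:
        raise ValueError("unparsed tokens %r in: %s" % (tokens, line))
    return stmt


def build(lines):
    return [parse_statement(line) for line in lines]


def evaluate(acl, pkt: Packet):
    """Return (action, text of the matching statement), or ('deny', None) for
    the implicit deny at the end of every list.  First match wins."""
    for s in acl:
        if not _addr_matches(pkt.src, *s["src"]):
            continue
        if s["proto"] is not None:                  # extended-list checks
            if s["proto"] != "ip" and s["proto"] != pkt.proto:
                continue
            if not _addr_matches(pkt.dst, *s["dst"]):
                continue
            if s["sport"] is not None and s["sport"] != pkt.sport:
                continue
            if s["dport"] is not None and s["dport"] != pkt.dport:
                continue
            if s["icmp_type"] is not None and s["icmp_type"] != pkt.icmp_type:
                continue
        return s["action"], s["text"]
    return "deny", None


# Answer-key statements from Samples #7 and #8 and from Problem #7, typed as on the router.
ACL_198 = build(["access-list 198 deny tcp any host 192.168.207.27 eq www",
                 "access-list 198 permit tcp any 192.168.207.0 0.0.0.255 eq www"])
ACL_134 = build(["access-list 134 permit icmp 210.128.50.0 0.0.0.255 192.168.207.0 0.0.0.255 echo",
                 "access-list 134 permit icmp 210.128.50.0 0.0.0.255 192.168.207.0 0.0.0.255 echo-reply"])
ACL_65 = build(["access-list 65 deny 192.168.15.0 0.0.0.31",
                "access-list 65 deny host 198.32.10.25",
                "access-list 65 permit any"])

if __name__ == "__main__":
    # constructed packets: HTTP to the blocked server, HTTP to another host, telnet to that host
    for pkt in (Packet("210.128.50.12", "192.168.207.27", "tcp", 40000, 80),
                Packet("210.128.50.12", "192.168.207.26", "tcp", 40000, 80),
                Packet("210.128.50.12", "192.168.207.26", "tcp", 40000, 23)):
        print(pkt.dst, pkt.dport, "->", evaluate(ACL_198, pkt))
```

The third packet (telnet to 192.168.207.26) matches neither statement of ACL 198 and comes back as ("deny", None), which is the implicit deny; the echo-reply packet for ACL 134 is permitted only because the second statement exists, and a ping entering from the 192.168.207.0 side is not matched at all.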

[Diagram for Samples #9 and #10: Router A (E0 192.168.33.1) and Router B (E1 172.20.70.1); Peggys Computer, Celestes Computer, Bobs Computer 192.30.76.155, Denises Computer 192.168.33.214; further hosts on 192.30.76.0 and 192.168.33.0; networks 10.250.4.0 and 172.16.16.0]

Extended Access List Sample #10

Deny/Permit Port Numbers

Write an extended access list to deny FTP to ip addresses 192.30.76.0 through 192.30.76.13. Permit all other traffic. Keep in mind that there may be multiple ways many
of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 155

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 155 deny tcp any 192.30.76.0 0.0.0.13 eq ftp
Router(config)# access-list 155 permit ip any any
    or access-list 155 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface E0
Router(config-if)# ip access-group 155 out
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Check the wildcard before typing it: 0.0.0.13 is not a contiguous mask. Bit by bit it leaves bits 0, 2 and 3 of the last octet unchecked, so it matches 192.30.76.0, .1, .4, .5, .8, .9, .12 and .13 and nothing else; .2, .3, .6, .7, .10 and .11 are not denied. No single wildcard covers exactly .0 through .13. Use 192.30.76.0 0.0.0.15 (which also takes in .14 and .15) or three statements, 192.30.76.0 0.0.0.7, 192.30.76.8 0.0.0.3 and 192.30.76.12 0.0.0.1. IOS accepts the non-contiguous mask without complaint, which is why it is worth verifying. "eq ftp" is port 21; FTP data connections use port 20 (ftp-data) and are not matched by this statement.

[Disabling ACLs]

Router# configure terminal
Router(config)# interface E0
Router(config-if)# no ip access-group 155 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]

Router# configure terminal
Router(config)# interface E0
Router(config-if)# no ip access-group 155 out
Router(config-if)# exit
Router(config)# no access-list 155
Router(config)# exit

Standard Access List Sample #9

Deny/Permit Telnet

Write a standard access list to permit Denises and Bobs Computers to telnet into Router B. Deny all other telnet traffic. Keep in mind that there may be
multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: line vty 0 4 (using line vty 0 4 instead of a specific interface like E1 allows you to apply this access list to all VTY lines with one statement)
Access-list #: 45

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 45 permit 192.168.33.214 0.0.0.0
    or access-list 45 permit host 192.168.33.214
Router(config)# access-list 45 permit 192.30.76.155 0.0.0.0
    or access-list 45 permit host 192.30.76.155
Router(config)# line vty 0 4
Router(config-line)# access-class 45 in
Router(config-line)# exit
Router(config)# exit
Router# copy run start

[Viewing information about existing ACLs]

Router# show running-config   (This will show which access groups are associated with particular interfaces)
Router# show access-list 45   (This will show detailed information about this ACL)

On a VTY line the list is attached with "access-class", not "ip access-group"; "ip access-group" is an interface command and is rejected in line configuration mode. "access-class 45 in" filters sessions coming in to the router's own VTY lines, which is what "telnet into Router B" means; it does not touch telnet traffic passing through the router (an interface list with "eq telnet", as in Problem #16, does that), and it restricts every VTY session, SSH included, not only telnet. "Deny all other telnet traffic" is the implicit deny of the standard list.

[Diagram for Problems #15 and #16: Router A (E0 172.16.70.1; 172.16.125.1) and Router B (FA0, FA1 192.128.45.8); Jackies Computer, Bills Computer 192.128.45.33, Jennifers Computer 192.128.45.35; network 10.250.8.0]

Extended Access List Problem #15

Deny/Permit Port Numbers

Write an extended access list to permit ICMP traffic from the 192.128.45.0 network to reach the 172.16.125.0 255.255.255.0 and 10.250.2.0 255.255.255.0
networks. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 175 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 175 permit icmp 192.128.45.0 0.0.0.255 172.16.125.0 0.0.0.255
Router(config)# access-list 175 permit icmp 192.128.45.0 0.0.0.255 10.250.2.0 0.0.0.255
Router(config)# interface FA1
Router(config-if)# ip access-group 175 in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Without an ICMP type on the statements, every ICMP message is permitted, not only pings; "deny all other traffic" is the implicit deny.

Extended Access List Problem #16

Deny/Permit Port Numbers

Write a named extended access list called Peggys_Lab to deny telnet from 10.250.8.0 through 10.250.8.127 from reaching the 192.128.45.0 network. Permit
all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA0
Access-list Name: Peggys_Lab

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list extended Peggys_Lab
Router(config-ext-nacl)# deny tcp 10.250.8.0 0.0.0.127 192.128.45.0 0.0.0.255 eq 23
    or deny tcp 10.250.8.0 0.0.0.127 192.128.45.0 0.0.0.255 eq telnet
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# interface FA0
Router(config-if)# ip access-group Peggys_Lab in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Telnet is TCP, so the protocol must be "tcp" (not "ip") for the port qualifier to be accepted; "eq 23" and "eq telnet" are interchangeable.

Access List Problem #17

[Diagram: only the labels survive. Router A; hosts C and D; 203.194.100.1; Web Server #1 and Web Server #2 at 203.194.100.102 and 203.194.100.101; Router B (172.60.18.1); 172.60.18.142.]

Deny/Permit Port Numbers

Write an access list to permit Becky's and Mary's Computers to telnet into Router B. Deny all other telnet traffic from the 172.60.18.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:

Router name: Router B
Interface: line vty 0 4
Access-list #: 50 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 50 permit 172.60.18.140
    OR access-list 50 permit host 172.60.18.140
    OR access-list 50 permit 172.60.18.140 0.0.0.0
Router(config)# access-list 50 permit 172.60.18.142
    OR access-list 50 permit host 172.60.18.142
    OR access-list 50 permit 172.60.18.142 0.0.0.0
Router(config)# line vty 0 4
Router(config-line)# access-class 50 in
Router(config-line)# exit
Router(config)# exit

in or out (circle one): in

Because this list controls logins to the router's own vty lines rather than traffic passing through an interface, it is applied with access-class under line vty 0 4, not with ip access-group (ip access-group is an interface command and is not accepted in line configuration mode). A standard list is enough here since the vty lines only ever receive telnet (and SSH) sessions, so only the source address needs to be checked. The implicit deny at the end of list 50 rejects every other source, including the rest of 172.60.18.0.

Extended Access List Problem #18

Deny/Permit Port Numbers

Write an extended access list to deny all HTTP traffic intended for the web server at 203.194.100.102. Permit HTTP traffic to any other web servers. Deny all other IP traffic to the 203.194.100.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:

Router name: Router A
Interface: FA0
Access-list #: 185 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 185 deny tcp any host 203.194.100.102 eq 80
    OR access-list 185 deny tcp any 203.194.100.102 0.0.0.0 eq 80
Router(config)# access-list 185 permit tcp any any eq 80
Router(config)# interface FA0
Router(config-if)# ip access-group 185 ____
Router(config-if)# exit
Router(config)# exit
Router# copy running-config startup-config

in or out (circle one)

The specific deny for the one host has to come before the general permit for port 80; access lists stop at the first match, so with the two lines swapped the web server would be reachable. Everything that is not HTTP is dropped by the implicit deny.

[Diagram: only the labels survive. Router A and Router B; hosts C and D; E0 on 192.168.15.x with Bobbie's Computer, 192.168.15.125 and 192.168.15.82; Web Server #1; 192.172.10.0; E1 on 172.23.50.x with 172.23.50.1, Web Server #2 (172.23.50.196) and Gail's Computer (172.23.50.197).]

Access List Problem #19

Deny/Permit Port Numbers

Write an access list to permit TFTP traffic to all hosts on the 192.168.15.0 network. Deny all other TFTP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:

Router name: Router A
Interface: E0
Access-list #: 190 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 190 permit udp any 192.168.15.0 0.0.0.255 eq tftp
Router(config)# interface E0
Router(config-if)# ip access-group 190 ____
Router(config-if)# exit
Router(config)# exit

in or out (circle one)

TFTP runs over UDP port 69, so the statement must name udp; a tcp statement would never match TFTP and the implicit deny would drop it. "eq tftp" and "eq 69" are equivalent. Note that as written the list also drops everything that is not TFTP to 192.168.15.0 once it is applied to E0. If other traffic must keep flowing through that interface, follow the permit with access-list 190 deny udp any any eq tftp and then access-list 190 permit ip any any.

Extended Access List Problem #20

Deny/Permit Port Numbers

Write an extended access list that permits web traffic from web server #2 at 172.23.50.196 to reach everyone on the 192.168.15.0 network. Deny all other IP traffic going to the 192.172.10.0 and 192.168.15.0 networks. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:

Router name: Router B
Interface: E1
Access-list #: 195 (100-199)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 195 permit tcp host 172.23.50.196 192.168.15.0 0.0.0.255 eq 80
    OR access-list 195 permit tcp 172.23.50.196 0.0.0.0 192.168.15.0 0.0.0.255 eq 80
Router(config)# interface E1
Router(config-if)# ip access-group 195 ____
Router(config-if)# exit
Router(config)# exit

in or out (circle one)

Optional ACL Commands & Other Network Security Ideas

In order to reduce the chance of spoofing from outside your network, consider adding the following statements to your network's inbound access list. The first five statements drop packets arriving from the outside that claim a private (RFC 1918), loopback or multicast source; the sixth drops packets that claim to come from your own subnet, which can only be spoofed when they arrive on the outside interface. (The 172.16.0.0 entry uses the wildcard 0.15.255.255 so that it covers the whole private block 172.16.0.0 through 172.31.255.255; a 0.0.255.255 wildcard would only cover 172.16.0.0 through 172.16.255.255.)

router# config t
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
router(config)# access-list 100 deny ip 224.0.0.0 31.255.255.255 any
router(config)# access-list 100 deny ip your-subnet-# your-subnet-wildcard-mask-# any
router(config)# access-list 100 deny igmp any any
router(config)# access-list 100 deny icmp any any redirect
router(config)# access-list 100 permit ip any any
router(config)# interface e0 (or whatever your inbound port is)
router(config-if)# ip access-group 100 in
router(config-if)# exit
router(config)# exit

Another handy security tool is to only allow IP packets out of your network that carry one of your own source addresses (egress filtering), so that a compromised host inside cannot take part in a spoofing attack on someone else. Use a different list number from the inbound list: statements entered with the same number are appended to the existing list, so a second "access-list 100" would simply be added to the end of the inbound list above.

router# config t
router(config)# access-list 101 permit ip your-subnet-# your-subnet-wildcard-mask-# any
router(config)# interface e0 (or whatever your outbound port is)
router(config-if)# ip access-group 101 out
router(config-if)# exit
router(config)# exit

To keep packets with unreachable destinations from being forwarded, add a default route to the null interface:

Router(config)# ip route 0.0.0.0 0.0.0.0 null 0 255

Note that a static route with an administrative distance of 255 is never installed in the routing table, so with the trailing 255 the command has no effect. Use a lower distance (for example 254, so that any default route learned from a routing protocol still takes precedence) if you want packets without a more specific route to actually be discarded.

To protect against smurf and other attacks, add the following commands to every external interface:

Router(config-if)# no ip directed-broadcast
Router(config-if)# fair-queue

and the following in global configuration (they are global commands, not interface commands):

Router(config)# no ip source-route
Router(config)# scheduler interval 500
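The two lists above whose behaviour is easiest to get wrong are Problem #18 (a specific deny that must precede a general permit) and the inbound anti-spoofing list. As an added example, not part of the workbook, the following Python models the way an IOS router evaluates a numbered extended ACL: statements are tried in order, the first match decides, a wildcard-mask bit of 1 means "do not care", and a packet that matches nothing hits the implicit deny. It then runs both lists against constructed packets. Assumptions made for the example: "your-subnet" is 203.194.100.0 0.0.0.255, the 172.16 entry uses the corrected 0.15.255.255 wildcard, and packets are plain dicts rather than real frames.

```python
"""Added example (not the workbook's own code): first-match ACL evaluation
with Cisco wildcard masks and the implicit deny, checked against the
Problem #18 list and the inbound anti-spoofing list."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts in place of numbers (subset used in the workbook).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "tftp": 69, "www": 80}


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care'; 0 bits must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Ace:
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'ip' matches every IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None      # 'eq <port>' after the destination
    icmp_type: Optional[str] = None  # e.g. 'redirect' on an icmp statement


def _addr(tokens: list) -> tuple:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMPTYPE]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, src_wc = _addr(rest)
    dst, dst_wc = _addr(rest)
    dport = icmp_type = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    elif proto == "icmp" and rest:
        icmp_type = rest[0]
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport, icmp_type)


def evaluate(acl: list, pkt: dict) -> str:
    """Sequential first match; falls through to the implicit 'deny any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and pkt.get("dport") != ace.dport:
            continue
        if ace.icmp_type is not None and pkt.get("icmp_type") != ace.icmp_type:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every IOS access list


def tcp(src: str, dst: str, dport: int) -> dict:
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}


def icmp(src: str, dst: str, icmp_type: str) -> dict:
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type}


# Problem #18: block HTTP to one web server, allow HTTP to the others.
ACL_185 = [parse_ace(l) for l in (
    "access-list 185 deny tcp any host 203.194.100.102 eq 80",
    "access-list 185 permit tcp any any eq 80",
)]

# Inbound anti-spoofing list; 0.15.255.255 covers all of 172.16.0.0/12.
ACL_100_IN = [parse_ace(l) for l in (
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 224.0.0.0 31.255.255.255 any",
    "access-list 100 deny ip 203.194.100.0 0.0.0.255 any",  # assumed own subnet
    "access-list 100 deny igmp any any",
    "access-list 100 deny icmp any any redirect",
    "access-list 100 permit ip any any",
)]

if __name__ == "__main__":
    for pkt in (tcp("172.60.18.142", "203.194.100.102", 80),
                tcp("10.1.2.3", "203.194.100.101", 80),
                icmp("198.51.100.7", "203.194.100.101", "redirect")):
        print(pkt, "185:", evaluate(ACL_185, pkt), "100 in:", evaluate(ACL_100_IN, pkt))
```

Reversing the two statements of list 185 makes HTTP to 203.194.100.102 come back as permit, which is the ordering mistake the problem is designed to teach; and wildcard_match("172.20.1.1", "172.16.0.0", "0.0.255.255") is False, which is why the 0.15.255.255 wildcard is used in the anti-spoofing list.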

Index / Table of Contents

Access-List Numbers .......................................................... Inside Cover
What are Access Control Lists? ......................................................... 1
General Access Lists Information ...................................................... 1
How routers use Access Lists ........................................................... 1
Standard Access Lists ...................................................................... 2
Why Standard ACLs must be placed close to the destination ................. 2
Standard Access List Placement Sample Problems ................................ 3
Standard Access List Placement Problems ........................................ 4-5
Extended Access Lists ...................................................................... 6
Why Extended ACLs must be placed close to the destination ................ 6
Extended Access List Placement Sample Problems ............................... 7
Extended Access List Placement Problems ........................................ 8-9
Choosing to Filter Incoming or Outgoing Packets ............................... 10
Breakdown of a Standard ACL Statement ........................................... 10
Breakdown of an Extended ACL Statement ......................................... 11
What are Named Access Control Lists ............................................... 12
Named Access Lists Information ....................................................... 12
Applying a Standard Named Access List called George ....................... 12
Applying an Extended Named Access List called Gracie ...................... 13
Choices for Using Wildcard Masks ................................................ 14-15
Creating Wildcard Masks .................................................................. 16
Wildcard Mask Problems .............................................................. 18-20
Writing Standard Access Lists ....................................................... 21-32
Writing Extended Access Lists ....................................................... 33-63
    Deny/Permit Specific Addresses ............................................... 33-39
    Deny/Permit Entire Ranges ...................................................... 40-45
    Deny/Permit a Range of Addresses ............................................ 46-53
    Deny/Permit Port Numbers ....................................................... 54-63
Optional ACL Commands ................................................................. 64
Index / Table of Contents ................................................................ 65
Port Numbers ................................................................. 66-Inside Cover

Port Numbers

Port numbers are assigned by the IANA (Internet Assigned Numbers Authority, which operates under ICANN, the Internet Corporation for Assigned Names and Numbers). Commonly used TCP and UDP applications are assigned a port number, such as HTTP - 80, POP3 - 110, FTP - 21 (control) and 20 (data). When an application communicates with another application on another node on the internet, it identifies that application in each data transmission by using its port number. In an access list statement you can also type the name (ie. telnet) instead of the port number (ie. 23). Port numbers range from 0 to 65,535 and are divided into three ranges:

Well Known Ports                 0 to 1,023
Registered Ports                 1,024 to 49,151
Dynamic and/or Private Ports     49,152 to 65,535

Below is a short list of some commonly used ports. For a complete list of port numbers go to http://www.iana.org/assignments/port-numbers.

Some commonly used port numbers:
Port   Name              Description
0      Reserved
1      TCPMUX            (TCP Port Service Multiplexer)
5      RJE               (Remote Job Entry)
7      ECHO
9      DISCARD
11     SYSTAT            (Active users)
13     DAYTIME
17     QUOTE             (Quote of the day)
18     MSP               (Message Send Protocol)
19     CHARGEN           (Character generator)
20     FTP-DATA          (File Transfer Protocol - Data)
21     FTP               (File Transfer Protocol - Control)
22     SSH               (Secure Shell remote login)
23     Telnet            (Terminal connection)
25     SMTP              (Simple Mail Transfer Protocol)
29     MSG ICP
37     TIME
39     RLP               (Resource Location Protocol)
42     NAMESERV          (Host Name Server)
43     NICNAME           (Who Is)
49     LOGIN             (Login Host Protocol)
53     DNS               (Domain Name Server)
67     BOOTPS            (Bootstrap Protocol Server)
68     BOOTPC            (Bootstrap Protocol Client)
69     TFTP              (Trivial File Transfer Protocol)
70     GOPHER            (Gopher Services)
75                       (Any Private Dial-out Service)
79     FINGER
80     HTTP              (Hypertext Transfer Protocol)
95     SUPDUP            (SUPDUP Protocol)
101    HOSTNAME          (NIC Host Name Server)
108    SNAGAS            (SNA Gateway Access Server)
109    POP2              (Post Office Protocol - Version 2)
110    POP3              (Post Office Protocol - Version 3)
113    AUTH              (Authentication Service)
115    SFTP              (Simple File Transfer Protocol)
117    UUCP-PATH         (UUCP Path Service)
118    SQLSERV           (SQL Services)
119    NNTP              (Newsgroup)
123    NTP               (Network Time Protocol)
137    NetBIOS-NS        (NetBIOS Name Service)
139    NetBIOS-SSN       (NetBIOS Session Service)
143    IMAP              (Internet Message Access Protocol)
150    SQL-NET
156    SQLSRV            (SQL Service)
161    SNMP              (Simple Network Management Protocol)
179    BGP               (Border Gateway Protocol)
190    GACP              (Gateway Access Control Protocol)
194    IRC               (Internet Relay Chat)
197    DLS               (Directory Location Service)
389    LDAP              (Lightweight Directory Access Protocol)
396    NETWARE-IP        (Novell Netware over IP)
443    HTTPS             (HTTP over TLS/SSL)
444    SNPP              (Simple Network Paging Protocol)
445    Microsoft-DS
458    Apple QuickTime
546    DHCPv6 Client
547    DHCPv6 Server
563    SNEWS             (NNTP over TLS/SSL)
569    MSN

Note that SSH (22), Telnet (23), SFTP here (115, the old Simple File Transfer Protocol, not the SSH file transfer subsystem) and TFTP (69) are the services most often singled out in the access list problems in this workbook; when you write "eq telnet" or "eq tftp" the router substitutes the numbers above.