Access Lists Workbook Student Edition v1 5

ACL
Extended
Any
Access
0.0.0.0
Lists
Workbook
Version 1.5
permit
deny access-group
access-list Wildcard Mask
Standard
Student Name:
Access-List Numbers
IP Standard 1 to 99
IP Extended 100 to 199
Ethernet Type Code 200 to 299
Ethernet Address 700 to 799
DECnet and Extended DECnet 300 to 399
XNS 400 to 499
Extended XNS 500 to 599
Appletalk 600 to 699
48-bit MAC Addresses 700 to 799
IPX Standard 800 to 899
IPX Extended 900 to 999
IPX SAP (service advertisement protocol) 1000 to 1099
IPX SAP SPX 1000 to 1099
Extended 48-bit MAC Addresses 1100 to 1199
IPX NLSP 1200 to 1299
IP Standard, expanded range 1300 to 1999
IP Extended, expanded range 2000 to 2699
SS7 (voice) 2700 to 2999
Standard Vines 1 to 100
Extended Vines 101 to 200
Simple Vines 201 to 300
Transparent bridging (protocol type) 200 to 299
Transparent bridging (vendor type) 700 to 799
Extended Transparent bridging 1100 to 1199
Source-route bridging (protocol type) 200 to 299
Source-route bridging (vendor type) 700 to 799
Produced by: Robb Jones

[email protected] and/or [email protected]
Frederick County Career & Technology Center
Cisco Networking Academy
Frederick County Public Schools
Frederick, Maryland, USA
Special Thanks to Melvin Baker, Jim Dorsch, and Brent Sieling

for taking the time to check this workbook for errors, and making suggestions for improvements.
Inside Cover
What are Access Control Lists?
ACLs...
...are a sequential list of instructions that tell a router which packets to
permit or deny.
General Access Lists Information

Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it
stops comparing and permits or denys the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed
protocol must have a different ACL for each interface.
...must be applied to an interface to work.
How routers use Access Lists

(Outbound Port - Default)
The router checks to see if the packet is routable. If it is it looks up
the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL the router switches the packet out that interface to its
destination.
If there is an ACL the router checks the packet against the access list
statements sequentially. Then permits or denys each packet as it is
matched.
If the packet does not match any statement written in the ACL it is
denyed because there is an implicit “deny any” statement at the end of
every ACL.
1
Standard Access Lists
Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) only source addresses.
...do not have any destination information so it must placed as close
to the destination as possible.
...work at layer 3 of the OSI model.
Why standard ACLs are placed close to the

destination.
If you want to block traffic from Juan’s computer from reaching
Janet’s computer with a standard access list you would place the
ACL close to the destination on Router D, interface E0. Since
its using only the source address to permit or deny packets the
ACL here will not effect packets reaching Routers B, or C.
Router B Router D
S1 S0 S1
Router A Router C E0
E0
S0 S1 S0
E0 E0
Janet’s
Matt’s
Computer
Computer
Juan’s Jimmy’s
Computer Computer
If you place the ACL on router A to block traffic to Router D

it will also block all packets going to Routers B, and C;
because all the packets will have the same source address.
2
Standard Access List Placement
Sample Problems
FA0 FA1
Router A
Juan’s Jan’s
Computer Computer
In order to permit packets from Juan’s computer to arrive at

Jan’s computer you would place the standard access list at
!"#
router interface ______.
E0 S0 E1
S1
Router A Router B
Lisa’s
Computer Paul’s
Computer
Lisa has been sending unnecessary information to Paul. Where

would you place the standard ACL to deny all traffic from Lisa to Paul?
$%&'()* + Interface ___________
Router Name ______________ ,#
Where would you place the standard ACL to deny traffic from Paul to
Lisa?
$%&'()*" Interface ___________
Router Name ______________ ,-
3
Router B
S1 S0
Router A
E0 FA1
S0 S1
S1 Router C
Ricky’s Jenny’s
Computer Computer
Amanda’s
Computer
Carrol’s Kathy’s
George’s
Computer Computer
Computer
S1
Router D E0 Jeff’s
S0 Computer
Jim’s
Computer
S1
E0 S0 FA1
S1
Router E Router F
Linda’s Jackie’s Melvin’s

Sarah’s
Computer Computer Computer
Computer
4
1. Where would you place a standard access list to $%&'()* .
Router Name_________________
permit traffic from Ricky’s computer to reach Jeff’s ,-
Interface ____________________
computer?
2. Where would you place a standard access list to $%&'()*"

Router Name_________________
deny traffic from Melvin’s computer from reaching ,-
Interface ____________________
Jenny’s computer?
3. Where would you place a standard access list to Router Name_________________

deny traffic to Carrol’s computer from Sarah’s Interface ____________________
computer?

permit traffic to Ricky’s computer from Jeff’s Interface ____________________
computer?

deny traffic from Amanda’s computer from reaching Interface ____________________
Jeff and Jim’s computer?

permit traffic from Jackie’s computer to reach Linda’s Interface ____________________
computer?

permit traffic from Ricky’s computer to reach Carrol Interface ____________________
and Amanda’s computer?

deny traffic to Jenny’s computer from Jackie’s Interface ____________________
computer?

permit traffic from George’s computer to reach Linda Interface ____________________
and Sarah’s computer?
10. Where would you place an ACL to deny traffic from Router Name_________________
Jeff’s computer from reaching George’s computer? Interface ____________________
deny traffic to Sarah’s computer from Ricky’s Interface ____________________
computer?
Linda’s computer from reaching Jackie’s computer? Interface ____________________
5
Extended Access Lists
Extended Access Lists...
...are numbered from 100 to 199.
...filter (permit or deny) based on the: source address
destination address
protocol
application / port number
... are placed close to the source.
...work at both layer 3 and 4 of the OSI model.
Why extended ACLs are placed close to the source.
If you want to deny traffic from Juan’s computer from reaching

Janet’s computer with an extended access list you would place
the ACL close to the source on Router A, interface E0. Since it
can permit or deny based on the destination address it can reduce
backbone overhead and not effect traffic to Routers B, or C.
Router B Router D
S1 S0 S1
Router A Router C E0
FA0
S0 S1 S0
E0 E0
Matt’s Janet’s
Computer Computer
Juan’s Jimmy’s
Computer Computer
If you place the ACL on Router E to block traffic from Router

A, it will work. However, Routers B, and C will have to route
the packet before it is finally blocked at Router E. This
increases the volume of useless network traffic.
6
Extended Access List Placement
Sample Problems
E0 E1
Router A
Jan’s
Juan’s
Computer
Computer
In order to permit packets from Juan’s computer to arrive at

Jan’s computer you would place the extended access list at
,-
router interface ______.
FA0 S0 FA1
S1
Router A Router B
Lisa’s Paul’s
Computer Computer
Lisa has been sending unnecessary information to Paul. Where would

you place the extended ACL to deny all traffic from Lisa to Paul?
$%&'()*" Interface ___________
Router Name ______________ !"-
Where would you place the extended ACL to deny traffic from Paul to
Lisa?
$%&'()* + Interface ___________
Router Name ______________ !"#
7
Router B
S1 S0
Router A
FA0 E1
S0 S1
S1 Router C
Ricky’s Jenny’s
Computer Computer Amanda’s
Computer
Carrol’s Kathy’s
George’s
Computer Computer
Computer
S1
Router D FA0 Jeff’s
S0 Computer
Jim’s
Computer
S1
FA0 S0 FA1
S1
Router E Router F
Linda’s Jackie’s Melvin’s

Sarah’s
Computer Computer Computer
Computer
8
1. Where would you place an ACL to deny traffic from $%&'()* .
Router Name_________________
Jeff’s computer from reaching George’s computer? !"-
Interface ____________________
2. Where would you place an extended access list to $%&'()* !

Router Name_________________
permit traffic from Jackie’s computer to reach Linda’s !"#
Interface ____________________
computer?
3. Where would you place an extended access list to Router Name_________________

deny traffic to Carrol’s computer from Ricky’s Interface ____________________
computer?

deny traffic to Sarah’s computer from Jackie’s Interface ____________________
computer?

permit traffic from Carrol’s computer to reach Jeff’s Interface ____________________
computer?

deny traffic from Melvin’s computer from reaching Jeff Interface ____________________
and Jim’s computer?

permit traffic from George’s computer to reach Jeff’s Interface ____________________
computer?

permit traffic from Jim’s computer to reach Carrol and Interface ____________________
Amanda’s computer?
Linda’s computer from reaching Kathy’s computer? Interface ____________________
10. Where would you place an extended access list Router Name_________________
to deny traffic to Jenny’s computer from Sarah’s Interface ____________________
computer?
permit traffic from George’s computer to reach Linda Interface ____________________
and Sarah’s computer?
12. Where would you place an extended access list Router Name_________________
to deny traffic from Linda’s computer from reaching Interface ____________________
Jenny’s computer?
9
Choosing to Filter Incoming or Outgoing Packets
Access Lists on your incoming port...
...requires less CPU processing.
...filters and denys packets before the router has to make a
routing decision.
Access Lists on your outgoing port...

...are outbound by default unless otherwise specified.
...increases the CPU processing time because the routing decision
is made and the packet switched to the correct outgoing port
before it is tested against the ACL.
Breakdown of a Standard ACL Statement

/()01'
%) :1;295)2
2(34 056<
access-list 1 permit 192.168.90.36 0.0.0.0
5&'%3%0%&6 6%&)9(
3&07() 522)(66
#*'%*88
6%&)9(
/()01'*%)*2(34 522)(66
access-list 78 deny host 192.168.90.36 log
5&'%3%0%&6 132195'(6*5 ?@/'1%35;A

3&07() 6/(91=19*>%6' B(3()5'(6*5*;%B
#*'%*88 522)(66 (3')4*%3*'>(
)%&'()*=%)*(59>
/59<('*'>5'
05'9>(6*'>16
6'5'(0(3'
10
Breakdown of an Extended ACL Statement
/)%'%9%;
19/C
190/C
'9/C*&2/C 6%&)9( 2(6'135'1%3
1/C :1;295)2 :1;295)2
5&'%3%0%&6
('9D 056< 056<
3&07()
#--*'%*#88
access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0
/()01'*%)*2(34 6%&)9( 2(6'135'1%3

522)(66 522)(66
/%)'
/)%'%9%;
3&07()
19/C
190/C ?IJ*F*'(;3(')
'9/C*&2/C
5&'%3%0%&6 1/C 132195'(6*5 2(6'135'1%3
3&07() ('9D 6/(91=19 522)(66
#--*'%*#88 >%6'
access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log
/()01' 6%&)9( 132195'(6*5 %/()5'%)

%) 522)(66 6/(91=19 (E*=%)*F
2(34 >%6' B'*=%)*G
;'*=%)*H
3(B*=%)*F
Protocols Include: (Layers 3 and 4)
IP IGMP IPINIP ?@/'1%35;A
B(3()5'(6*5*;%B
TCP GRE OSPF (3')4*%3*'>(
UDP IGRP NOS )%&'()*=%)*(59>
ICMP EIGRP Integer 0-255 /59<('*'>5'
05'9>(6*'>16
To match any internet protocol use IP. 6'5'(0(3'
11
What are Named Access Control Lists?
Named ACLs...
...are standard or extended ACLs which have an alphanumeric name
instead of a number. (ie. 1-99 or 100-199)
Named Access Lists Information

Named Access Lists...
...identify ACLs with an intuutive name instead of a number.
...eliminate the limits imposed by using numbered ACLs.
(798 for standard and 799 for extended)
...provide the ability to modify your ACLs without deleting and
reloading the revised access list. It will only allow you to add
statements to the end of the exsisting statements.
...are not compatable with any IOS prior to Release 11.2.
...can not repeat the same name on multiple ACLs.
Applying a Standard Named Access List

called “George”
Write a named standard access list called “George” on Router A, interface E1 to block Melvin’s
computer from sending information to Kathy’s computer; but will allow all other traffic.
Place the access list at:

Router Name: *******$%&'()*"
Interface: ****************,#
Access-list Name: K(%)B(
[Writing and installing an ACL]
Router#*9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#1/*599(66L;16'*6'5325)2*K(%)B(
Router(config-std-nacl)#*2(34*>%6'*MID#NDM-DJO
Router(config-std-nacl)#*/()01'*534
Router(config-std-nacl)#*13'()=59(*(#
Router(config-if)#*1/*599(66LB)%&/*K(%)B(*%&'
Router(config-if)#*(P1'
Router(config)#*(P1'
12
Applying an extended Named Access List
called “Gracie”
Write a named extended access list called “Gracie” on Router A, Interface E0 called “Gracie” to deny HTTP traffic intended for web
server 192.168.207.27, but will permit all other HTTP traffic to reach the only the 192.168.207.0 network. Deny all other IP traffic.
Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: *******$%&'()*"
Interface: ****************,-
Access-list Mail: K)591(
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#1/*599(66L;16'*(P'(32(2*K)591(
Router(config-ext-nacl)# 2(34*'9/*534*>%6'*#8ID#NQDI-MDIM*(E*:::
Router(config-ext-nacl)# /()01'*'9/*534*#8ID#NQDI-MD-*-D-D-DIOO*(E*:::
Router(config-ext-nacl)# 13'()=59(*(-
Router(config-if)# 1/*599(66LB)%&/*K)591(*13
Router(config-if)# (P1'
Router(config)# (P1'
13
Choices for Using Wildcard Masks
Wildcard masks are usually set up to do one of four things:
1. Match a specific host.
2. Match an entire subnet.
3. Match a specific range.
4. Match all addresses.
1. Matching a specific host.

For standard access lists:
Access-List 10 permit 192.168.150.50 0.0.0.0
or
Access-List 10 permit 192.168.150.50 (standard ACL’s
assume a 0.0.0.0 mask)
or
Access-List 10 permit host 192.168.150.50
For extended access lists:

Access-list 110 deny ip 192.168.150.50 0.0.0.0 any
or
Access-list 110 deny ip host 192.168.150.50 any
2. Matching an entire subnet

Example 1
Address: 192.168.50.0 Subnet Mask: 255.255.255.0
Access-list 25 deny 192.168.50.0 0.0.0.255
Example 2
Access-list 12 permit 172.16.0.0 0.0.255.255
Example 3
Access-list 125 deny udp 10.0.0.0 0.255.255.255 any
14
3. Match a specific range
Example 1
255. 255. 255. 255
Custom Subnet mask: -255. 255. 255. 224
Wildcard: 0. 0. 0. 31
Access-list 125 permit udp 10.250.50.112 0.0.0.31 any
e Example 2
Address Range: 192.168.16.0 to 192.168.16.127
192. 168. 16.127
-192. 168. 16. 0
Wildcard: 0. 0. 0.127
Access-list 125 deny ip 192.168.16.0 0.0.0.127 any

(This ACL would block the lower half of the subnet.)
Example 3
Address: 172.250.16.32 to 172.250.31.63
172. 250. 31. 63
-172. 250. 16. 32
Wildcard: 0. 0. 15. 31
Access-list 125 permit ip 172.250.16.32 0.0.15.31 any
4. Match everyone.
For standard access lists:

Access-List 15 permit any
or
Access-List 15 deny 0.0.0.0 255.255.255.255
For extended access lists:

Access-List 175 permit ip any any
or
Access-List 175 deny tcp 0.0.0.0 255.255.255.255 any
15
Creating Wildcard Masks
Just like a subnet mask the wildcard mask tells the router what part of the
address to check or ignore. Zero (0) must match exactly, one (1) will be
ignored.
The source address can be a single address, a range of addresses, or

an entire subnet.
As a rule of thumb the wildcard mask is the reverse of the subnet mask.
Example #1:
IP Address and subnet mask: 204.100.100.0 255.255.255.0
IP Address and wildcard mask: 204.100.100.0 0.0.0.255
All zero’s (or 0.0.0.0) means the address must match exactly.
Example #2:
10.10.150.95 0.0.0.0 (This address must match exactly.)
One’s will be ignored.
Example #3:
10.10.150.95 0.0.0.255 (Any 10.10.150.0 subnet address will match.
10.10.150.0 to 10.10.150.255)
This also works with subnets.
Example #4:
(Subtract the subnet mask from
255.255.255.255 to create the wildcard)
Do the math... 255 - 255 = 0 (This is the inverse of the subnet mask.)
255 - 224 = 31
Example #5:
Do the math... 255 - 255 = 0 (This is the inverse of the subnet mask.)
255 - 128 = 127
255 - 0 = 255
16
Wildcard Mask Problems
1. Create a wildcard mask to match this exact address.
IP Address: 192.168.25.70
Subnet Mask: 255.255.255.0 -*D*-*D*-*D*-
___________________________________
2. Create a wildcard mask to match this range.

IP Address: 210.150.10.0
Subnet Mask: 255.255.255.0 -*D*-*D*-*D*IOO
___________________________________
3. Create a wildcard mask to match this host.

IP Address: 195.190.10.35
Subnet Mask: 255.255.255.0 __________________________________

IP Address: 172.16.0.0
Subnet Mask: 255.255.0.0 __________________________________

Subnet Mask: 255.0.0.0 __________________________________
6. Create a wildcard mask to match this exact address.

IP Address: 165.100.0.130
Subnet Mask: 255.255.255.192 __________________________________

IP Address: 192.10.10.16
Subnet Mask: 255.255.255.224 __________________________________

IP Address: 171.50.75.128
Subnet Mask: 255.255.255.192 __________________________________
9. Create a wildcard mask to match this host.

IP Address: 10.250.30.2
Subnet Mask: 255.0.0.0 __________________________________

IP Address: 210.150.28.16
Subnet Mask: 255.255.255.240 __________________________________

Subnet Mask: 255.255.224.0 __________________________________

IP Address: 135.35.230.32
Subnet Mask: 255.255.255.248 __________________________________
17
Based on the given information list the total number of source addresses for
each access list statement.
1. access-list 10 permit 192.168.150.50 0.0.0.0
#8ID#NQD#O-DO-
Answer: __________________________________________________________________
2. access-list 5 permit any
"34*522)(66
Answer: __________________________________________________________________
3. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
#8ODIIJDO-D-* '%* #8ODIIJDO-DNJ

Answer: __________________________________________________________________
4. access-list 11 deny 210.10.10.0 0.0.0.255
Answer: __________________________________________________________________
5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
Answer: __________________________________________________________________
6. access-list 171 deny any host 175.18.24.10 fragments
Answer: __________________________________________________________________
7. access-list 105 permit 192.168.15.0 0.0.0.255 any
Answer: __________________________________________________________________
8. access-list 109 permit tcp 172.16.10.0 0.0.0.255 host 192.168.10.1 eq 80
Answer: __________________________________________________________________
9. access-list 111 permit ip any any
Answer: __________________________________________________________________
10. access-list 195 permit udp 172.30.12.0 0.0.0.127 172.50.10.0 0.0.0.255
Answer: __________________________________________________________________
18
11. access-list 110 permit ip 192.168.15.0 0.0.0.3 192.168.30.10 0.0.0.0
Answer: _________________________________________________________________
Answer: _________________________________________________________________
Answer: _________________________________________________________________
Answer: _________________________________________________________________
Answer: _________________________________________________________________
16. access-list 101 Permit ip 192.168.15.0 0.0.0.127 192.168.30.10 0.0.0.0
Answer:__________________________________________________________________
Answer: _________________________________________________________________
18. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 gt 22
Answer: _________________________________________________________________
19. access-list 195 permit icmp 172.85.0.0 0.0.15.255 172.50.10.0 0.0.0.255
Answer: _________________________________________________________________
20. access-list 10 permit 175.15.120.0 0.0.0.255
Answer: _________________________________________________________________
21. access-list 190 permit tcp 192.15.10.0 0.0.0.31 any
Answer: _________________________________________________________________
Answer: _________________________________________________________________
19
Based on the given information list the total number of destination addresses
for each access list statement.
1.access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
#MID#NQD#-D#
Answer: __________________________________________________________________
2. access-list 115 permit any any
"34*522)(66
Answer: __________________________________________________________________
#8ID#NQD#OD-* '%* #8ID#NQD#ODNJ

Answer: __________________________________________________________________
4. access-list 120 deny tcp 172.32.4.0 0.0.0.255 192.220.10.0 0.0.0.15
Answer: __________________________________________________________________
Answer: __________________________________________________________________
Answer: __________________________________________________________________
7. access-list 105 permit any 192.168.15.0 0.0.0.255
Answer: __________________________________________________________________
Answer: __________________________________________________________________
9. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 eq 21
Answer: __________________________________________________________________
Answer: __________________________________________________________________
20
Writing
Standard Access Lists...
Router A
172.16.70.1 192.168.90.2
E1
E0
S0
210.30.28.0
Frank’s Jim’s
Computer
Network Computer
Kathy’s
172.16.70.32 192.168.90.36 Computer
Melvin’s 192.168.90.38
Computer
172.16.70.35
Standard Access List Sample #1

Write a standard access list to block Melvin’s computer from sending information to Kathy’s
computer; but will allow all other traffic. Keep in mind that there may be multiple ways many of
the individual statements in an ACL can be written.

Router Name: *******$%&'()*"
Interface: ****************,#
Access-list #: #-
Router#*9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#*599(66L;16'*#-*2(34*#MID#NDM-DJO
%)
*******599(66L;16'*#-*2(34*#MID#NDM-DJO*-D-D-D-
%)
*******599(66L;16'*#-*2(34*>%6'*#MID#NDM-DJO
Router(config)#*599(66L;16'*#-*/()01'*-D-D-D-*IOODIOODIOODIOO
%)
*******599(66L;16'*#-*/()01'*534
Router(config)#*13'()=59(*(#
Router(config-if)#*1/*599(66LB)%&/*#-*%&'
[Viewing information about existing ACL’s]
Router# 6>%:*9%3=1B&)5'1%3 (This will show which access groups are associated
with particular interfaces)
Router# 6>%:*599(66*;16'*#- (This will show detailed information about this ACL)
22
Standard Access List Sample #2
Write a standard access list to block Jim’s computer from sending information to Frank’s
computer; but will allow all other traffic from the 192.168.90.0 network. Permit all traffic from the
210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Include a remark
with each statement of your ACL. Keep in mind that there may be multiple ways many of the
individual statements in an ACL can be written.

Router Name: *******$%&'()*"
Interface: ****************,-
Access-list #: IQ
Router# 9%3=1B&)(*'()0135;
Router(config)# 599(66L;16'*IQ*)(05)<*+;%9<*R10*=)%0*)(59>13B*!)53<
Router(config)# 599(66L;16'*IQ*2(34*#8ID#NQD8-DJN
%)
*599(66L;16'*IQ*2(34*#8ID#NQD8-DJN*-D-D-D-
%)
*599(66L;16'*IQ*2(34*>%6'*#8ID#NQD8-DJN
Router(config)# 599(66L;16'*IQ*)(05)<*";;%:*5;;*%'>()*')5==19
Router(config)# 599(66L;16'*IQ*/()01'*#8ID#NQD8-D-*-D-D-DIOO
Router(config)# 599(66L;16'*IQ*)(05)<*";;%:*5;;*')5==19
Router(config)# 599(66L;16'*IQ*/()01'*I#-DJ-DIQD-*-D-D-DIOO
Router(config)# 13'()=59(*(-
Router(config-if)# 1/*599(66LB)%&/*IQ*%&'
Router#*9%/4*)&3*6'5)'
[Remark Command]
The remark command allows you to place text within the ACL so it can be viewed after it is
inserted on the router. It can be viewed using the show run or any command that lists the ACL.
[Disabling ACL’s]
Router# 9%3=1B&)(*'()0135;
Router(config-if)# 3%*1/*599(66LB)%&/*IQ*%&'
[Removing an ACL]
Router# 9%3=1B&)(*'()0135;
Router(config-if)# 3%*1/*599(66LB)%&/*IQ*%&'
Router(config)# 3%*599(66L;16'*IQ
23
FA0 S0
223.190.32.1
Router A
Router B
FA1 192.16.32.94
S1
FA0
Michael’s 172.16.0.0 Debbie’s

Computer Computer
Network
223.190.32.16 192.16.32.95
Standard Access List Problem #1

Write a standard access list to block Debbie’s computer from receiving information from
Michael’s computer; but will allow all other traffic. List all the command line options for this
problem. Keep in mind that there may be multiple ways many of the individual statements in
an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
%)
________________________________________________________
%)
________________________________________________________
Router(config)# ________________________________________________________
%)
* * ______________________________________________________
Router(config)# 13'()=59(*________
Router(config-if)# 1/*599(66LB)%&/*________ i3*%)*%&'*(circle one)

24
Write a standard access list to permit Debbie’s computer to receive information from
Michael’s computer; but will deny all other traffic from the 223.190.32.0 network. Block all
traffic from the 172.16.0.0 network. Permit all other traffic. List all the command line options
for this problem. Keep in mind that there may be multiple ways many of the individual
statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
%)
________________________________________________________
%)
________________________________________________________
Router(config)#_________________________________________________________
Router(config)#_________________________________________________________
Router(config)#_________________________________________________________
%)
* _______________________________________________________
Router(config)# 13'()=59(*________

25
Router A
204.90.30.124 E0
S0
10.250.30.35 Router B
Jim’s
S1 FA1 Computer
Carol’s 10.250.30.36 192.168.88.4 192.168.88.5

Computer
Rodney’s 204.90.30.130
Computer
204.90.30.126

Write a standard access list to block Rodney and Carol’s computer from sending information
to Jim’s computer; but will allow all other traffic from the 204.90.30.0 network. Block all other
traffic. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# 13'()=59(*________

26
Using a minimum number of commands write a standard access list named “Ralph” to block
Carol’s computer from sending information to Jim’s computer; but will permit Jim to receive
data from Rodney. Block the upper half of the 204.90.30.0 range from reaching Jim’s
computer while permitting the lower half of the range. Block all other traffic. Include a remark
with each statement of your ACL. For help with blocking the upper half of the range review
page 13 or the wildcard mask problems on pages 16 and 17. For help with named ACLs
review pages 12 and 13. For help with the remark command review page 23.

Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
Router(config-std-nacl)# _______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
Router(config-std-nacl)# 13'()=59(*________

27
Router B
S1 S0
Router A
172.30.225.1 E0 S0 S1
E1 212.180.10.5
S1 Router C
172.30.225.2 212.180.10.6
172.30.225.3 212.180.10.2

Write a standard access list to block 172.30.225.2 and 172.30.225.3 from sending
information to the 212.180.10.0 network; but will allow all other traffic. Keep in mind that
there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# 13'()=59(*________

28
Write a standard access list to block and log 212.180.10.2 from sending information to the
172.30.225.0 network. Permit and log 212.180.10.6 to send data to the 172.30.225.0 network.
Deny all other traffic. Add a remark to each statement explaining its purpose. Keep in mind
that there may be multiple ways many of the individual statements in an ACL can be written.
Check the example on page 10 for help with the logging option. For help with the remark
command review page 23.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# 13'()=59(*________

29
Router C
Router A
S0 S1
FA0
FA0 S1 Router B 198.32.10.25
192.168.15.172 S0
FA1
210.140.15.1
192.168.15.3 198.32.10.25
210.140.15.8

Write a standard access list to block the addresses 192.168.15.1 to 192.168.15.31 from
sending information to the 210.140.15.0 network. Do not permit any traffic from 198.32.10.25
to reach the 210.140.15.0 network. Permit all other traffic. For help with this problem review
page 13 or the wildcard mask problems on pages 16 and 17.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# 13'()=59(*________

30
Write a standard named access list called “Cisco_Lab_A” to permit traffic from the lower half of
the 198.32.10.0 network to reach 192.168.15.0 network; block the upper half of the addresses.
Allow host 198.32.10.192 to reach network 192.168.15.0. Permit all other traffic. For help with
this problem review page 13 or the wildcard masks problems on pages 16 and 17. For
assistance with named ACLs review pages 12 and 13.

Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
Router(config-std-nacl)#*_______________________________________________
****_______________________________________________
****_______________________________________________
****_______________________________________________
****_______________________________________________
****_______________________________________________
****_______________________________________________
****_______________________________________________
****_______________________________________________
****_______________________________________________
****_______________________________________________
Router(config-std-nacl)# 13'()=59(*________
Router(config-if)# 1/*599(66LB)%&/*__________________ i3*%)*%&'*(circle one)

31
Write a standard access list to block network 192.168.255.0 from receiving information from
the following addresses: 10.250.1.1, 10.250.2.1, 10.250.4.1, and the entire 10.250.3.0
255.255.255.0 network. Allow all other traffic. Keep in mind that there may be multiple ways
many of the individual statements in an ACL can be written.

$%&'()* "
Router Name: ___________________________
!"-
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
!"-
Router(config)# 13'()=59(*________

32
Writing
Extended Access Lists...
Router A
34
172.16.70.1 192.168.90.2
FA1
FA0
Gail’s Mike’s
Computer Computer
John’s Celeste’s
Computer 172.16.70.32 192.168.90.36 Computer
172.16.70.35 192.168.90.38
Extended Access List Sample #1 Deny/Permit Specific Addresses

Write an extended access list to prevent John’s computer from sending information to Mike’s computer; but will allow all other
traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: *******$%&'()*"
Interface: ****************!"-
Access-list #: ##-
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# 599(66L;16'*##-*2(34*1/*#MID#NDM-DJO*-D-D-D-*#8ID#NQD8-DJN*-D-D-D-
%)
*****599(66L;16'*##-*2(34*1/*>%6'*#MID#NDM-DJO*>%6'*#8ID#NQD8-DJN
Router(config)# 599(66L;16'*##-*/()01'*1/*534*534
%)
* * * **599(66L;16'*##-*/()01'*1/*-D-D-D-*IOODIOODIOODIOO*-D-D-D-*IOODIOODIOODIOO
Router(config)# 13'()=59(*=5-
Router(config-if)# 1/*599(66LB)%&/*##-*13 [Viewing information about existing ACL’s]
Router(config-if)# (P1' Router# 6>%:*9%3=1B&)5'1%3 (This will show which access groups
Router(config)# (P1' are associated with particular interfaces)
Router# 6>%:*599(66*;16'*##- (This will show detailed information
about this ACL)
Extended Access List Sample #2 Deny/Permit Specific Addresses
Write an extended access list to block the 172.16.70.0 network from receiving information from Mike’s computer at 192.168.90.36.
Block the lower half of the ip addresses from 192.168.90.0 network from reaching Gail’s computer at 172.16.70.32. Permit all other

Router Name: *******$%&'()*"
Interface: ****************!"#
Access-list #: #JO
Router# 9%3=1B&)(*'()0135;
Router(config)# 599(66L;16'*#JO*2(34*1/*#8ID#NQD8-DJN*-D-D-D-*#MID#NDM-D-*-D-D-DIOO
%)
********599(66L;16'*#JO*2(34*1/*>%6'*#8ID#NQD8-DJN*#MID#NDM-D-*-D-D-DIOO
Router(config)# 599(66L;16'*#JO*2(34*1/*#8ID#NQD8-D-*-D-D-D#IM*#MID#NDM-DJI*-D-D-D-
%)
*599(66L;16'*#JO*2(34*1/*#8ID#NQD8-D-*-D-D-D#IM*>%6'*#MID#NDM-DJI
Router(config)# 599(66L;16'*#JO*/()01'*1/*534*534
%)
* * * * * 599(66L;16'* #JO* /()01'* 1/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO
Router(config)# 13'()=59(*=5#
Router(config-if)# 1/*599(66LB)%&/*#JO*13
Router#*9%/4*)&3*6'5)'
[Disabling ACL’s] [Removing an ACL]
Router# 9%3=1B&)(*'()0135; Router# 9%3=1B&)(*'()0135;

Router(config)# 13'()=59(*(# Router(config)# 13'()=59(*(#
Router(config-if)# 3%*1/*599(66LB)%&/*#JO*%&' Router(config-if)# 3%*1/*599(66LB)%&/*#JO*%&'
Router(config-if)# (P1' Router(config-if)# (P1'
Router(config)# 3%*599(66L;16'*#JO
35
Router A Router B
36
FA0 S0 FA1
S1 192.168.122.52
172.20.70.15
Cindy’s Jay’s
Computer Computer
Bob’s Jackie’s
Computer
172.20.70.89 192.168.122.128 Computer
172.20.70.80 192.168.122.129
Extended Access List Problem #1 Deny/Permit Specific Addresses

Write an extended access list to prevent Jay’s computer from receiving information from Cindy’s computer. Permit all other traffic.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# 13'()=59(**__________
Router(config-if)# 1/*599(66LB)%&/*_________*13*%)*%&'*(circle one)
Router#*9%/4*)&3*6'5)'
Write an extended access list to block the 172.20.70.0 255.255.255.0 network from receiving information from Jackie’s computer at
192.168.122.129. Block the lower half of the ip addresses from 192.168.122.0 network from reaching Cindy’s computer at
172.20.70.89. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can
be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;
Router(config)#
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Router(config)# 13'()=59(**__________
37
Router#*9%/4*)&3*6'5)'
Router A
38
E0 S0
218.35.50.1
Juan’s
Computer
218.35.50.12 S1 Rebecca’s
Computer
Jan’s Rachael’s
Computer Router B FA1 172.59.2.15 Computer
218.35.50.10 172.59.2.1 172.59.2.18

Write a named extended access list called “Lab_166” to permit Jan’s computer at 218.35.50.10 to receive packets from Rachael’s
computer at 172.59.2.18; but not Rebecca’s computer at 172.59.2.15. Deny all other packets. Keep in mind that there may be
multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#_____________________________________________________________________________________
Router(config-ext-nacl) ___________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
Router(config-ext-nacl)# 13'()=59(*____________
Write an extended access list to allow Juan’s computer at 218.35.50.12 to send information to Rebecca’s computer at 172.59.2.15;
but not Rachael’s computer at 172.59.2.18. Permit all other traffic. Keep in mind that there may be multiple ways many of the
individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;
Router(config)# _____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Router(config)# 13'()=59(**__________
Router((config-if)# (P1'
Router#*9%/4*)&3*6'5)'
39
Router A
40
S0 Router B
S1
E0
Ralph’s Bob’s
Computer E1 Computer
Cindy’s 192.16.20.0 Barbra’s
Network 192.17.40.0
192.16.20.6 192.18.50.12
Network
Extended Access List Sample #3 Deny/Permit Entire Ranges

Write an extended access list to permit the 192.16.20.0 network to receive packets from the 192.18.50.0 network. Deny all other

Router Name: *******$%&'()*+
Interface: ****************,#
Access-list #: ###
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# 599(66L;16'*###*/()01'*1/*#8ID#QDO-D-*-D-D-DIOO*#8ID#NQDI-D-*-D-D-DIOO
Router(config)# 599(66L;16'*###*2(34*1/*534*534
%)
*****599(66L;16'*###*2(34*1/*-D-D-D-*IOODIOODIOODIOO-D-D-D-*IOODIOODIOODIOO
Router(config)# 13'()=59(*(#
Router(config-if)# 1/*599(66LB)%&/*###*13
Router# 6>%:*599(66*;16'*### (This will show detailed information about this ACL)
Extended Access List Sample #4 Deny/Permit Entire Ranges
Write an extended access list to block the 192.18.50.0 network from receiving information from the 192.16.20.0 network. Permit all
other traffic. Add a remark to each statement. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.

Router Name: *******$%&'()*" [Remark Command]
Interface: ****************,- The remark command allows you to place text within the ACL so it
Access-list #: #QQ can be viewed after it is inserted on the router. It can be viewed
using the show run or any command that lists the ACL.
Router# 9%3=1B&)(*'()0135;
Router(config)# 599(66L;16'*#QQ*)(05)<*7;%9<*5;;*')5==19*=)%0*'>(*S91(39(*;57
Router(config)# 599(66L;16'*#QQ*2(34*1/*#8ID#NDI-D-*-D-D-DIOO*#8ID#QDO-D-*-D-D-DIOO
Router(config)# 599(66L;16'*#QQ*)(05)<*5;;%:*(T()4%3(*(;6(*&3)(6')19'(2*599(66
Router(config)# 599(66L;16'*#QQ*/()01'*1/*534*534
%)
* * * 599(66L;16'* #QQ* /()01'* 1/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO
Router(config-if)# 1/*599(66LB)%&/*#QQ*13
Router#*9%/4*)&3*6'5)'
Router# 9%3=1B&)(*'()0135; Router# 9%3=1B&)(*'()0135;

Router(config)# 13'()=59(*(- Router(config)# 13'()=59(*(-
Router(config-if)# 3%*1/*599(66LB)%&/*#QQ*%&' Router(config-if)# 3%*1/*599(66LB)%&/*#QQ*%&'
Router(config)# 3%*599(66L;16'*#QQ
41
Router A
210.250.10.0
42
FA0 S0 Network
204.95.150.11
Todd’s S0 Rebecca’s
Computer S1 Computer
Rachel’s 172.59.2.15 David’s
Computer 204.95.150.12 FA1 Computer
204.95.150.10 Router B 172.59.2.1 172.59.2.18
Extended Access List Problem #5 Deny/Permit Entire Ranges

Write an extended access list to permit network 204.95.150.0 to send packets to network 172.59.0.0, but not to the 210.250.10.0
network. Permit all other traffic. Include a remark with each statement of your ACL. For help with the remark command review
page 41. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# 13'()=59(*____________
Write an extended access list to allow Rachel’s computer at 204.95.150.10 to receive information from the 172.59.2.0 network.
Deny all other hosts on the 204.95.150.0 network access from the 172.59.2.0 network. Permit all other traffic. Keep in mind that
there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;
Router(config)#______________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Router(config)# 13'()=59(**__________
Router#*9%/4*)&3*6'5)'
43
Router A Router B
44
E0 S0 E1
172.120.170.47 S1 192.168.50.2
E1 S0
Tommy’s
Computer
Phyllis’s 10.250.1.0 Tim’s Denise’s
Computer 172.120.170.46 210.168.70.0 Computer Computer
Network
172.120.170.45 Network 192.168.50.3 192.168.50.4

Write a named extended access list called “Godzilla” to prevent the 172.120.0.0 network from sending information to the
210.168.70.0 , and 10.250.1.0 255.255.255.0 networks; but will permit traffic to the 192.168.50.0 network. Permit all other traffic.

Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# _____________________________________________________________________________________
Router(config-ext-nacl)#_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Router(config-ext-nacl)# 13'()=59(*____________
Assuming default subnet masks write an extended access list to permit Tim at 192.168.50.3 to receive data from the 172.120.0.0
network. Allow the 192.168.50.0 network to receive information from Phyllis’s computer at 172.120.170.45. Deny all other traffic.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;
Router(config)#
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Router(config)# 13'()=59(**__________
Router#*9%/4*)&3*6'5)'
45
Router A
46
S0 Router B
FA0 S1
192.168.15.20 E1
Jim’s Carol’s
Computer 172.21.50.95 Computer
Rodney’s Frank’s
192.168.15.44 172.21.50.97
Extended Access List Sample #5 Deny/Permit a Range of Addresses

Write an extended access list to deny the first 15 usable addresses of the 192.168.15.0 network from reaching the 172.21.0.0
network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be
written.

Router Name: *******$%&'()*"
Interface: ****************!"-
Access-list #: #QO
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# 599(66L;16'*#QO*2(34*1/*#8ID#NQD#OD-*-D-D-D#O*#MIDI#DO-D-*-D-DIOODIOO
Router(config)# 599(66L;16'*#QO*/()01'*1/*534*534
%)
* 599(66L;16'* #QO* /()01'* 1/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO
Router(config)# 13'()=59(*=5#
Router(config-if)# 1/*599(66LB)%&/*#QO*13
Router(config)# (P1' [Viewing information about existing ACL’s]
Router# 6>%:*599(66*;16'*#QO (This will show detailed information about this ACL)
Extended Access List Sample #6 Deny/Permit a Range of Addresses
Write an extended access list which will allow the lower half of 192.168.15.0 network access to the 172.21.50.0 network. Deny all
other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: *******$%&'()*"
Interface: ****************!"-
Access-list #: #I#
Router# 9%3=1B&)(*'()0135;
Router(config)# 599(66L;16'*#I#*/()01'*1/*#8ID#NQD#OD-*-D-D-D#IM*#MIDI#DO-D-*-D-D-DIOO
Router(config)# 599(66L;16'*#I#*2(34*1/*534*534
%)
* 599(66L;16'* #I#* 2(34* 1/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO
Router(config)# 13'()=59(*=5-
Router(config-if)# 1/*599(66LB)%&/*#I#*13
Router#*9%/4*)&3*6'5)'
Router# 9%3=1B&)(*'()0135; Router# 9%3=1B&)(*'()0135;

Router(config)# 13'()=59(*=5- Router(config)# 13'()=59(*=5-
Router(config-if)# 3%*1/*599(66LB)%&/*#I#*13 Router(config-if)# 3%*1/*599(66LB)%&/*#I#*13
Router(config)# 3%*599(66L;16'*#I#
47
Router A
48
192.168.195.90 192.168.125.254
E0 E1
S0
Gail’s Mike’s
Computer 172.31.195.0 Computer
John’s Celeste’s
Computer 192.168.195.145 Network 192.168.125.17 Computer
192.168.195.88 192.168.125.108
Extended Access List Problem #9 Deny/Permit a Range of Addresses

Write an extended access list to prevent the first 31 usable addresses in the 192.168.125.0 network from reaching the
192.168.195.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# 13'()=59(*____________
Write a named extended access list called “Media_Center” to permit the range of addresses from 172.31.195.1 through
172.31.195.7 to send data to the 192.168.125.0 network. Deny all other traffic. Include a remark with each statement of your ACL.
For help with the remark command review page 41. Keep in mind that there may be multiple ways many of the individual statements
in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Router# 9%3=1B&)(*'()0135;
Router(config)#______________________________________________________________________________________
Router(config-ext-nacl)#_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Router(config-ext-nacl)# 13'()=59(**__________
Router(config-if)# 1/*599(66LB)%&/*________________*13*%)*%&'*(circle one)
Router#*9%/4*)&3*6'5)'
49
192.16.20.5 Router A Router C
50
FA0
S0 S1
FA1
S1 172.18.50.10
Jill’s
Computer
Ralph’s Router B Bob’s
Computer S0 172.22.75.9 Computer
Cindy’s Barbra’s
Computer
192.16.20.7 Brad’s 172.18.50.11 Computer
E1
Computer 172.18.50.12
192.16.20.6 172.22.75.8 172.22.75.10
Write an extended access list to permit the first 3 usable addresses in the 192.16.20.0 network to reach the 172.22.75.0 network.
Deny the addresses from 192.16.20.4 through 192.16.20.31 from reaching the 172.22.75.0 network. Permit all other traffic. Keep in
mind that there are multiple ways this ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# 13'()=59(*____________
Write an extended access list to deny the addresses from 172.22.75.8 through 172.22.75.127 from sending data to the 172.18.50.0
network. Deny the first half of the addresses from the 172.22.75.0 network from reaching the 192.16.20.0 network. Permit all other
traffic. Keep in mind that there are multiple ways this ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;
Router(config)#______________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Router(config)# 13'()=59(**__________
Router#*9%/4*)&3*6'5)'
51
Router A Router B
52
FA0 S0 FA1
172.16.70.1 S1 192.168.88.1
FA1 FA0
Bob’s Peggy’s
Computer Computer
Celeste’s Denise’s
Computer
172.16.70.155 10.250.4.0 192.168.88.200 Computer
10.250.1.0
172.16.70.145 Network Network 192.168.88.204

Write an extended access list to permit the first 63 usable addresses in the 192.168.88.0 network to reach the lower half of the
addresses in the 172.16.70.0 network; but not the upper half. Deny all other traffic. Include a remark with each statement of your
ACL. For help with the remark command review page 41. Keep in mind that there may be multiple ways many of the individual

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# 13'()=59(*____________
Write an extended access list to deny the addresses from 10.250.1.0 through 10.250.1.63 from sending data to Denise’s computer.
Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;
Router(config)#______________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Router(config)# 13'()=59(**__________
Router#*9%/4*)&3*6'5)'
53
Router A
54
S0 Router B
E0 S1
Web Server 192.168.207.25 E1 Web Server
192.168.207.27 210.128.50.10 210.128.50.11
192.168.207.26 210.128.50.12
Extended Access List Sample #7 Deny/Permit Port Numbers

Write an extended access list to deny HTTP traffic intended for web server 192.168.207.27 from all other networks, but will permit all
other HTTP traffic to reach the 192.168.207.0 network. Deny all other IP traffic. Keep in mind that there may be multiple ways many
of the individual statements in an ACL can be written.

Router Name: *******$%&'()*"
Interface: ****************,-
Access-list #: #8Q
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# 599(66L;16'*#8Q*2(34*'9/*534*#8ID#NQDI-MDIM*-D-D-D-*(E*:::
%)
*599(66L;16'*#8Q*2(34*'9/*534*>%6'*#8ID#NQDI-MDIM*(E*:::
Router(config)# 599(66L;16'*#8Q*/()01'*'9/*534*#8ID#NQDI-MD-*-D-D-DIOO*(E*:::
Router(config)# 13'()=59(*(*-
Router(config-if)# 1/*599(66LB)%&/*#8Q*13
Router(config)# (P1' [Viewing information about existing ACL’s]
Router# 6>%:*599(66*;16'*#8Q (This will show detailed information about this ACL)
Write an extended access list to deny pings from hosts on the 210.128.50.0 network from reaching the 192.168.207.0 network.

Router Name: *******$%&'()*+
Interface: ****************,#
Access-list #: #JU
Router# 9%3=1B&)(*'()0135;
Router(config)# 599(66L;16'*#JU*2(34*190/*I#-D#IQDO-D-*-D-D-DIOO*#8ID#NQDI-MD-*-D-D-DIOO
Router(config)# 599(66L;16'*#JU*/()01'*190/*534*534
Router(config)# 13'()=59(*(#
Router(config-if)# 1/*599(66LB)%&/*#JU*13
Router#*9%/4*)&3*6'5)'
Router# 9%3=1B&)(*'()0135; Router# 9%3=1B&)(*'()0135;

Router(config-if)# 3%*1/*599(66LB)%&/*#JU*%&' Router(config-if)# 3%*1/*599(66LB)%&/*#JU*%&'
Router(config)# 3%*599(66L;16'*#JU
55
10.250.4.0 Router B
56
Network S1 E1
192.168.33.1
172.20.70.1 E0
E0 E1
Bob’s Peggy’s
Computer S0 Computer
Celeste’s Denise’s
Computer
192.30.76.155 Computer
Router A 172.16.16.0 192.168.33.210
192.30.76.145 Network 192.168.33.214

Write an Extended access list to permit Denise’s computer to use TFTP with Bob’s computer. Deny all other traffic from the 192.168.33.0
network to the 192.30.76.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be
written.

Router Name: *******$%&'()*+
Interface: ****,#
Access-list #: #UO
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# 599(66L;16'*#UO*/()01'*&2/#8ID#NQDJJDI#U*-D-D-D-*#8IDJ-DMND#OO*-D-D-D-*(E*'='/
%)
********599(66L;16'*#UO*/()01'*&2/*>%6'*#8ID#NQDJJDI#U*>%6'*#8IDJ-DMND#OO*(E*'='/
Router(config)# 13'()=59( **,#
Router(config-if)# 1/*599(66LB)%&/*#UO*13
Router# 6>%:*599(66*;16'*UO (This will show detailed information about this ACL)
Write an extended access list to deny FTP traffic from ip addresses 192.30.76.0 through 192.30.76.13.

Router Name: *******$%&'()*"
Interface: ****************,-
Access-list #: #OO
Router# 9%3=1B&)(*'()0135;
Router(config)# 599(66L;16'*#OO*2(34*'9/*#8IDJ-DMND-*-D-D-DQ*534*(E*='/**(Covers 0 to 7)
Router(config)# 599(66L;16'*#OO*2(34*'9/*#8IDJ-DMNDQ*-D-D-DU*534*(E*='/**(Covers 8 to 11)
Router(config)# 599(66L;16'*#OO*2(34*'9/*#8IDJ-DMND#I*-D-D-D#*534*(E*='/*(Covers 12 to 13)
Router(config)# 599(66L;16'*#OO*/()01'*'9/*534*534
%)
* 599(66L;16'* #OO* 2(34* '9/* -D-D-D-* IOODIOODIOODIOO* -D-D-D-* IOODIOODIOODIOO
Router(config-if)# 1/*599(66LB)%&/*#OO*13
Router#*9%/4*)&3*6'5)'
Router# 9%3=1B&)(*'()0135; Router# 9%3=1B&)(*'()0135;

Router(config-if)# 3%*1/*599(66LB)%&/*#OO*%&' Router(config-if)# 3%*1/*599(66LB)%&/*#OO*%&'
Router(config)# 3%*599(66L;16'*#OO
57
10.250.2.0 Router B
58
Network FA1
S1 192.128.45.8
FA0
E1 Bill’s
Computer
Jackie’s
S0 Jennifer’s
Computer
E0 192.128.45.33 Computer
172.16.70.1 10.250.8.0
172.16.125.1 Router A Network 192.128.45.35
Extended Access List Problem #15 Deny/Permit a Port Numbers

Write an extended access list to permit ICMP traffic from the 192.128.45.0 network to reach the 172.16.125.0 255.255.255.0 and
10.250.2.0 255.255.255.0 networks. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# 13'()=59(*____________
Extended Access List Problem #16 Deny/Permit a Port Numbers
Write a named extended access list called “Peggys_Lab” to deny telnet from 10.250.8.0 through 10.250.8.127 from reaching the
192.128.45.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
Router(config-std-nacl)#*____________________________________________________________________________
Router(config-std-nacl)#*____________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
Router(config-ext-nacl)# 13'()=59(**__________
Router(config-if)# 1/*599(66LB)%&/*_________________*13*%)*%&'*(circle one)
Router#*9%/4*)&3*6'5)'
Router#*9%/4*)&3*6'5)'
59
Router A 204.250.10.0
60
FA0 S0 Network
203.194.100.1
Web Server #1 S0 Jimmy’s

S1 Computer
Web Server #2 203.194.100.102 172.60.18.140 Jo’s
203.194.100.101 FA1 Computer
Router B 172.60.18.1 172.60.18.142
Extended Access List Problem #17 Deny/Permit Port Numbers

Write an access list to deny Jimmy’s computer from sending ftp packets to Web Server 1, but permit ftp to Web Server #2. Permit all
other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Router(config)# 13'()=59(*____________
Write an extended access list to deny all HTTP traffic intended for the web server at 203.194.100.102 from the 172.66.0.0 network.
Permit all other HTTP traffic from the 204.250.10.0 and 172.60.0.0 networks to any other web servers. Deny all other IP traffic to the
203.194.100.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# _____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Router(config)# 13'()=59(**__________
Router#*9%/4*)&3*6'5)'
61
62
Router A
S0 Router B
E0 S1
E1
192.168.15.25 E1
Bobbie’s Web Server #2
Computer 172.23.50.195 172.23.50.196
Web Server #1 Gail’s
192.168.15.82 192.172.10.0 Computer
192.168.15.125
Network 172.23.50.197

Write an extended access list to permit TFTP traffic from all hosts on the 192.168.15.0 network. Deny all other traffic. Include a
remark with each statement of your ACL. For help with the remark command review page 41.Keep in mind that there may be
multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# 13'()=59(*____________
Write an extended access list that permits web traffic from web server #2 at 172.23.50.196 to reach everyone on the 192.168.15.0
network. Deny all other IP traffic going to the 192.172.10.0, and 192.168.15.0 networks from the 172.25.50.0 network. Keep in
mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;
Router(config)#______________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Router(config)# 13'()=59(**__________
Router#*9%/4*)&3*6'5)'
63
Writing Access Lists
to Restrict Telnet Access...
Restricting access to telnet can be a very usefull option. Telnet is
considered a very insecure protocol because it sends passwords
through the network in clear-text. By switching from the access-group
command to the access-class command you can increase your
security by allowing only those users through that you want to use
telnet. The access-class command also allows you to apply this
access list to the vty connections.
Router A Router B
E0 S0 E1
172.20.70.1 S1 192.168.33.1
E1 E0
Bob’s Peggy’s
Computer Computer
Celeste’s 172.16.16.0 Denise’s
Computer
192.30.76.155 10.250.4.0 192.168.33.210 Computer
Network
192.30.76.145 Network 192.168.33.214
Standard Access List Sample #11 Deny/Permit Telnet

Write a standard access list to permit Denise’s and Bob’s computers to telnet into Router B. Deny all other telnet traffic Keep in
mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: *******$%&'()*+
Interface: *********;13(*VWX*-*U ?&613B*;13(*VWX*-*U*136'(52*%=*53*13'()=59(*;1<(*,#*5;;%:6*4%&
Access-list #: UO '%*5//;4*'>16*599(66*;16'*'%*5;;*VWX*;13(6*:1'>*%3(*6'5'(0(3'A
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)# 599(66L;16'*UO*/()01'*#8ID#NQDJJDI#U*-D-D-D-
%)
*599(66L;16'*UO*/()01'*>%6'*#8ID#NQDJJDI#U
Router(config)# 599(66L;16'*UO*/()01'*#8IDJ-DMND#OO*-D-D-D-
%)
*599(66L;16'*UO*/()01'*>%6'*#8IDJ-DMND#OO
Router(config)# ;13(*T'4*-*U
Router(config-line)#599(66L9;566*UO*13
Router(config-line)# (P1'
Router# 6>%:*599(66*;16'*UO (This will show detailed information about this ACL)
65
Router A Router B
66
FA0 S0 S1
FA1
203.194.100.1 S0 172.60.18.1
Web Server #1 Becky’s
Computer
Web Server #2 203.194.100.102 172.60.18.140 Mary’s
203.194.100.101 204.250.10.0 Computer
Network 172.60.18.142
Access List Problem #21 Deny/Permit Telnet

Write a standard access list to permit Becky and Mary’s computer to telnet into Router B. Deny all other telnet traffic from the

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# *___________________
Router(config-line)# *599(66L9;566*_________*13*%)*%&'*(circle one)
Write a standard access list to permit which will permit Web Server #1 to telnet into Router A. Log the telnet attempts. Deny all other
telnet access. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# *___________________
Router(config-line)# 599(66L9;566*_________*13*%)*%&'*(circle one)
67
Router A
68
FA0
S0/0
FA1 Brent’s
172.32.0.0 Computer
204.250.10.0 Network 192.60.18.61 Bob’s
Network Computer
192.60.18.62

Write a standard access list to deny Brent and Bob’s computer telnet access to into Router A. Permit all other telnet traffic from the

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router# 9%3=1B&)(*'()0135;*?%)*9%3=1B*'A
Router(config)#______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
* * * * * * ______________________________________________________________________________________
Router(config)# *___________________
Router(config-line)# 599(66L9;566*_________*13*%)*%&'*(circle one)
Optional ACL Commands
& Other Network Security Ideas
In order to reduce the chance of spoofing from outside your network consider adding the following
statements to your network’s inbound access list.
router# config t
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)# access-list 100 deny ip your-subnet-# your-subnet-mask-# any
router(config)# access-list 100 deny igmp any any
router(config)# access-list 100 deny icmp any any redirect
router(config)# access-list 100 permit any any
router(config)# interface e0 *?%)*:>5'(T()*4%&)*137%&32*/%)'*16A
router(config-if)# ip access-group in
router(config-if)# exit
router(config)# exit
Another handy security tool is to only allow ip packets out of your network with your source
address.
router# config t
router(config)# access-list 100 permit ip your-subnet-# your-subnet-mask-# any
router(config)# interface e0 *?%)*:>5'(T()*4%&)*%&'7%&32*/%)'*16A
router(config-if)# ip access-group out
router(config-if)# exit
router(config)# exit
To keep packets with unreachable destinations from entering your network add this command:
ip route 0.0.0.0 0.0.0.0 null 0 255
To protect against smurf and other attacks add the following commands to every external
interface:
no ip directed-broadcast
no ip source-route
fair-queue
scheduler interval 500
69
Port Numbers
Port numbers are now assigned by the ICANN (Internet Corporation for
Assigned Names and Numbers). Commonly used TCP and UDP
applications are assigned a port number; such as: HTTP - 80, POP3 - 110,
FTP - 20. When an application communicates with another application on
another node on the internet, it specifies that application in each data
transmission by using its port number. You can also type the name (ie. Telnet)
instead of the port number (ie. 23). Port numbers range from 0 to 65536 and
are divided into three ranges:
Well Known Ports 0 to 1,023

Registered Ports 1,024 to 49,151
Dynamic and/or Private Ports 49,152 to 65,535
Below is a short list of some commonly used ports. For a complete list of
port numbers go to http://www.iana.org/assignments/port-numbers.
Some commonly used port numbers:
0 Reserved
1 TCPMUX (TCP Port Service Multiplexer)
5 RJE (Remote Job Entry)
7 ECHO
9 DISCARD
11 SYSTAT (Active users)
13 DAYTIME
17 QUOTE (Quote of the day)
18 MSP (Message Send Protocol)
19 CHARGEN (Character generator)
20 FTP-DATA (File Transfer Protocol - Data)
21 FTP (File Transfer Protocol - Control)
22 SSH (Remote Login Protocol)
23 Telnet (Terminal Connection)
25 SMTP (Simple Mail Transfer Protocol)
29 MSG ICP
37 TIME
39 RLP (Resource Location Protocol
42 NAMESERV (Host Name Server)
70
43 NICNAME (Who Is)
49 LOGIN (Login Host Protocol)
53 DNS (Domain Name Server)
67 BOOTP (Bootstrap Protocol Server)
68 BOOTPS (Bootstrap Protocol Client)
69 TFTP (Trivial File Transfer Protocol)
70 GOPHER (Gopher Services )
75 (Any Privite Dial-out Service)
79 FINGER
80 HTTP (Hypertext Transfer Protocol)
95 SUPDUP (SUPDUP Protocol)
101 HOSTNAME (NIC Host Name Server)
108 SNAGAS (SNA Gateway Access Server)
109 POP2 (Post Office Protocol - Version 2)
110 POP3 (Post Office Protocol - Version 3)
113 AUTH (Authentication Service)
115 SFTP (Simple File Transfer Protocol)
117 UUCP-PATH (UUCP Path Service)
118 SQLSERV (SQL Services)
119 NNTP (Newsgroup)
123 NTP (Network Tim Protocol)
137 NetBIOS-NS (NetBIOS Name Service)
139 NetBIOS-SSN (NetBIOS Session Service )
143 IMAP (Interim Mail Access Protocol)
150 SQL-NET (NetBIOS Session Service)
156 SQLSRV (SQL Service)
161 SNMP (Simple Network Management Protocol)
179 BGP (Border Gateway Protocol)
190 GACP (Gateway Access Control Protocol)
194 IRC (Internet Relay Chat)
197 DLS (Directory Location Service)
389 LDAP (Lightweight Directory Access Protocol)
396 NETWARE-IP (Novell Netware over IP )
443 HTTPS (HTTP MCom)
444 SNPP (Simple Network Paging Protocol)
445 Microsoft-DS
458 Apple QuickTime
546 DHCP Client
547 DHCP Server
563 SNEWS
569 MSN
Inside Cover

Access Lists Workbook Student Edition v1 5

Uploaded by

Copyright:

Available Formats

Access Lists Workbook Student Edition v1 5

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Access Lists Workbook Student Edition v1 5

Uploaded by

Copyright:

Available Formats

ACL

Produced by: Robb Jones

Special Thanks to Melvin Baker, Jim Dorsch, and Brent Sieling

General Access Lists Information

How routers use Access Lists

The router then checks for an ACL on that outbound interface.

Why standard ACLs are placed close to the

If you place the ACL on router A to block traffic to Router D

In order to permit packets from Juan’s computer to arrive at

Lisa has been sending unnecessary information to Paul. Where

Linda’s Jackie’s Melvin’s

2. Where would you place a standard access list to $%&'()*"

3. Where would you place a standard access list to Router Name_________________

4. Where would you place a standard access list to Router Name_________________

5. Where would you place a standard access list to Router Name_________________

6. Where would you place a standard access list to Router Name_________________

7. Where would you place a standard access list to Router Name_________________

8. Where would you place a standard access list to Router Name_________________

9. Where would you place a standard access list to Router Name_________________

Why extended ACLs are placed close to the source.

If you want to deny traffic from Juan’s computer from reaching

If you place the ACL on Router E to block traffic from Router

In order to permit packets from Juan’s computer to arrive at

Lisa has been sending unnecessary information to Paul. Where would

Linda’s Jackie’s Melvin’s

2. Where would you place an extended access list to $%&'()* !

3. Where would you place an extended access list to Router Name_________________

4. Where would you place an extended access list to Router Name_________________

5. Where would you place an extended access list to Router Name_________________

6. Where would you place an extended access list to Router Name_________________

7. Where would you place an extended access list to Router Name_________________

8. Where would you place an extended access list to Router Name_________________

Access Lists on your outgoing port...

Breakdown of a Standard ACL Statement

access-list 1 permit 192.168.90.36 0.0.0.0

access-list 78 deny host 192.168.90.36 log

5&'%3%0%&6 132195'(6*5 ?@/'1%35;A

access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0

/()01'*%)*2(34 6%&)9( 2(6'135'1%3

access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log

/()01' 6%&)9( 132195'(6*5 %/()5'%)

Named Access Lists Information

Applying a Standard Named Access List

Place the access list at:

[Writing and installing an ACL]

Place the access list at:

[Writing and installing an ACL]

1. Matching a specific host.

For extended access lists:

2. Matching an entire subnet

Access-list 25 deny 192.168.50.0 0.0.0.255

Access-list 12 permit 172.16.0.0 0.0.255.255

Access-list 125 deny udp 10.0.0.0 0.255.255.255 any

Access-list 125 deny ip 192.168.16.0 0.0.0.127 any

Access-list 125 permit ip 172.250.16.32 0.0.15.31 any

For standard access lists:

For extended access lists:

The source address can be a single address, a range of addresses, or

One’s will be ignored.

This also works with subnets.

/()01'%)2(34 6%&)9( 2(6'135'1%3

Router(config-if)# 1/599(66LB)%&/________ i3%)%&'*(circle one)

Router(config-if)# 1/599(66LB)%&/________ i3%)%&'*(circle one)

Router(config-if)# 1/599(66LB)%&/________ i3%)%&'*(circle one)

Router(config-if)# 1/599(66LB)%&/________ i3%)%&'*(circle one)

Router(config-if)# 1/599(66LB)%&/________ i3%)%&'*(circle one)