Standard access-list example on Cisco Router 

Let’s configure some access-lists so I can demonstrate how this is done on Cisco IOS routers. In this lesson we’ll cover the standard access-list. Here’s the topology:

Two routers, R1 and R2, connected on 192.168.12.0/24 (R1 is 192.168.12.1, R2 is 192.168.12.2), and each router has a loopback interface (1.1.1.1 on R1, 2.2.2.2 on R2). I will use two static routes so that the routers can reach each other’s loopback interface:

R1(config)#ip route 2.2.2.0 255.255.255.0 192.168.12.2

R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1

If you choose to use a routing protocol to advertise networks instead, be careful that your access-list doesn’t block your RIP, EIGRP or OSPF traffic. An inbound access-list filters everything that arrives on the interface, including the hellos and updates addressed to the router itself, so the neighbor’s source address has to be covered by a permit statement.

Now let’s start with a standard access-list! I’ll create something on R2 that only permits traffic from network 192.168.12.0 /24:

R2(config)#access-list 1 permit 192.168.12.0 0.0.0.255

This single permit entry will be enough. Keep in mind that at the bottom of every access-list there is an implicit “deny any”. We don’t see it in the configuration, but it’s there. Let’s apply this access-list inbound on R2:

R2(config)#interface fastEthernet 0/0


R2(config-if)#ip access-group 1 in

Use the ip access-group command to apply it to an interface. I applied it inbound with the in keyword.

R2#show ip interface fastEthernet 0/0


FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.12.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1

You can verify that the access-list has been applied with the show ip interface command. Above you see
that access-list 1 has been applied inbound.

Now let’s generate some traffic…

R1#ping 192.168.12.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Our ping is successful; let’s check the access-list:

R2#show access-lists
Standard IP access list 1
10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)

As you can see the access-list shows the number of matches per statement. We can use this to verify our
access-list. Let me show you something useful when you are playing with access-lists:

R1#ping 192.168.12.2 source loopback 0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)

When you send a ping you can use the source keyword to select the interface. The source IP address of
this IP packet is now 1.1.1.1 and you can see these pings are failing because the access-list drops them.

R2#show access-lists
Standard IP access list 1
10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)

You won’t see these drops with the show access-lists command: the implicit “deny any” is not a configured statement, so it has no match counter. If you want to see how many packets the deny catches, add an explicit deny any as the last statement of the access-list; it then gets its own counter.

What if I wanted something different? Let’s say I want to deny traffic from network 192.168.12.0 /24 but
permit all other networks. I can do something like this:

R2(config)#access-list 2 deny 192.168.12.0 0.0.0.255


R2(config)#access-list 2 permit any

I’ll create a new access-list and the first statement will deny network 192.168.12.0 /24. The second
statement is a permit any. Because of this permit any nothing will ever hit the invisible “deny any”, with the
exception of 192.168.12.0 /24, which is already dropped by the first statement. Let’s apply the new access-list:

R2(config-if)#no ip access-group 1 in
R2(config-if)#ip access-group 2 in

Now it’s active, let’s give it a test run:

R1#ping 2.2.2.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R2#show access-lists 2
Standard IP access list 2
10 deny 192.168.12.0, wildcard bits 0.0.0.255 (11 matches)
20 permit any

These pings are hitting the first statement and are dropped….

R1#ping 2.2.2.2 source loopback 0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R2#show access-lists 2
Standard IP access list 2
10 deny 192.168.12.0, wildcard bits 0.0.0.255 (11 matches)
20 permit any (15 matches)

And pings from the loopback0 interface of R1 are hitting the second statement and are allowed.
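The two tests above (access-list 1 and access-list 2 on R2) follow from three rules: a wildcard bit set to 1 means “don’t care”, statements are evaluated top-down and the first match wins, and whatever matches nothing falls through to an implicit “deny any” that has no counter. The following Python model is an added example written for this page, not IOS code and not part of the original lesson; it uses the lesson’s own addresses (192.168.12.1 for R1’s FastEthernet0/0, 1.1.1.1 for R1’s loopback 0) and reproduces the match counters you saw in show access-lists. It also goes slightly beyond the lesson by checking a non-contiguous wildcard such as 0.255.0.255, which a subnet mask could not express.

```python
"""Model of Cisco IOS standard access-list semantics.

Added example for this lesson, not IOS code: it reproduces the behaviour
shown above (access-list 1 and access-list 2 applied inbound on R2) so the
rules can be checked offline. Addresses are the lesson's own: 192.168.12.1
(R1 Fa0/0), 192.168.12.2 (R2 Fa0/0), 1.1.1.1 (R1 loopback 0).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(src: str, network: str, wildcard: str) -> bool:
    """Wildcard bits are "don't care" bits: a 1 in the wildcard means the
    corresponding bit of src is ignored. Unlike a subnet mask, the care bits
    need not be contiguous (0.255.0.255 is a valid wildcard)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(src) & care) == (to_int(network) & care)


@dataclass
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    network: str           # dotted network, or "any"
    wildcard: str = "0.0.0.0"
    matches: int = 0       # the counter printed by "show access-lists"

    def covers(self, src: str) -> bool:
        return self.network == "any" or wildcard_match(src, self.network, self.wildcard)


@dataclass
class StandardACL:
    number: int
    entries: list = field(default_factory=list)

    def add(self, action: str, network: str, wildcard: str = "0.0.0.0") -> "StandardACL":
        # IOS numbers appended statements 10, 20, 30, ... in the order entered.
        self.entries.append(Entry(10 * (len(self.entries) + 1), action, network, wildcard))
        return self

    def evaluate(self, src: str) -> str:
        """Top-down, first match wins. A packet that matches no statement hits
        the implicit "deny any", which is not a configured entry and therefore
        has no counter: those drops leave no trace in "show access-lists"."""
        for entry in self.entries:
            if entry.covers(src):
                entry.matches += 1
                return entry.action
        return "deny"

    def show(self) -> str:
        """Rendering in the style of "show access-lists"."""
        lines = [f"Standard IP access list {self.number}"]
        for e in self.entries:
            text = (f"{e.seq} {e.action} any" if e.network == "any"
                    else f"{e.seq} {e.action} {e.network}, wildcard bits {e.wildcard}")
            if e.matches:
                text += f" ({e.matches} matches)"
            lines.append(text)
        return "\n".join(lines)


def ping(acl: StandardACL, src: str, count: int = 5) -> list:
    """Five echo requests with the given source address through the inbound ACL."""
    return [acl.evaluate(src) for _ in range(count)]


def demo() -> dict:
    # access-list 1 permit 192.168.12.0 0.0.0.255   (inbound on R2 Fa0/0)
    acl1 = StandardACL(1).add("permit", "192.168.12.0", "0.0.0.255")
    acl1_link = ping(acl1, "192.168.12.1")   # R1#ping 192.168.12.2
    acl1_loop = ping(acl1, "1.1.1.1")        # R1#ping 192.168.12.2 source loopback 0

    # access-list 2 deny 192.168.12.0 0.0.0.255 / access-list 2 permit any
    acl2 = (StandardACL(2)
            .add("deny", "192.168.12.0", "0.0.0.255")
            .add("permit", "any"))
    acl2_link = ping(acl2, "192.168.12.1")   # R1#ping 2.2.2.2
    acl2_loop = ping(acl2, "1.1.1.1")        # R1#ping 2.2.2.2 source loopback 0

    return {
        "acl1_link": acl1_link, "acl1_loopback": acl1_loop,
        "acl1_counters": [e.matches for e in acl1.entries],
        "acl2_link": acl2_link, "acl2_loopback": acl2_loop,
        "acl2_counters": [e.matches for e in acl2.entries],
        "acl1_show": acl1.show(), "acl2_show": acl2.show(),
    }


if __name__ == "__main__":
    result = demo()
    print(result["acl1_show"])
    print(result["acl2_show"])
```

Running the script prints both access-lists in show access-lists style. For access-list 1 the permit statement counts the five pings from 192.168.12.1 while the five from 1.1.1.1 are dropped without touching any counter; for access-list 2 the deny statement counts the link pings and the permit any counts the loopback pings, exactly as on R2 above.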

If you want to remove a single statement from a numbered access-list, a nasty surprise awaits:

R2(config)#no access-list 2 deny 192.168.12.0 0.0.0.255

Let’s say I want to remove the statement above. I’ll type no access-list and this is what you’ll discover:

R2#show access-lists 2

The whole access-list is gone…ouch! You can’t use no access-list to remove a single statement. Your router
only acts on “no access-list 2”, ignores the rest of the line and removes the whole access-list. Fun to discover in
a lab, not so much fun on a production network. I’ll show you how to deal with this in a bit.

Besides applying an access-list inbound or outbound on an interface, you can also apply one to the VTY lines. This is
useful if you want to restrict telnet or SSH access to your router. Let’s configure R1 so telnet access is only
allowed from network 192.168.12.0 /24:

R1(config)#access-list 3 permit 192.168.12.0 0.0.0.255


R1(config)#line vty 0 4
R1(config-line)#access-class 3 in

Above you can see that I created access-list 3 but I used the access-class command on the VTY lines. On
interfaces we use the access-group command, but on VTY lines you need to use access-class to apply an
access-list. Note that access-class only filters on the source address of the connection; it complements, but does
not replace, a password or login authentication on the VTY lines.

Let’s try to use telnet:

R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open

Password required, but none set

[Connection to 192.168.12.1 closed by foreign host]

It says “Open”, which means that the TCP connection was accepted. The connection is then closed because I didn’t configure a
password for telnet, but the access-list did its job:

R1#show access-lists
Standard IP access list 3
10 permit 192.168.12.0, wildcard bits 0.0.0.255 (2 matches)

You can see that the packets have matched the statement in access-list 3.

Configurations R1 R2

Want to take a look for yourself? Here you will find the final configuration of each device.

That’s all for now. You have now learned how to configure standard access-lists and how to apply them to
your interfaces or VTY lines. I hope you learned something from this lesson; if you have any questions,
please leave a comment!


Forum Replies

system

Good work. I have a question.


I am using Packet Tracer 6.0.1.
I have a network with 2 routers, and 2 PC’s, one on each router. They are on three different networks: 15.x.x.x, 17.x.x.x, and 20.x.x.x. PC1 is on the 15.x.x.x network, and PC2 is on the
17.x.x.x network. They can ping each other before I put in the access-list. (I’m using RIP.)
Then I put in the access list on Router 2

access-list 5 deny 15.0.0.0 0.255.255.255


access-list 5 permit any

interface FastEthernet0/1
ip access-group 5 in

When I ping PC2 from PC1 I get "Reply from 20.1.1.2: Destination ho

... Continue reading in our forum

hussien.samer

Thank you very much Rene,

I tried this policy and it works:

!
access-list 100 permit icmp host 192.168.45.4 host 192.168.45.5
!
!
class-map match-all 1
match access-group 100
!
policy-map 1
class 1
drop
!
control-plane
service-policy output 1
!

Thanks again Rene

rodriarz

Hello Scott! Thanks for answering! What do you mean by “the right image”? Are there images on switches that cannot analyze the access list before the switching process?

wellerk.scott

I try to answer as many questions as I can to expand my knowledge, and to help others, and maybe one day they can return the favor when I need help. Anywho, there are different
images that can be used on a switch, for example LAN Lite and LAN Base. The differences between the two are their features. For example, LAN Lite can do ACLs but only for virtual
interfaces, not physical ones. Below is a link to a Cisco article explaining ACLs on a switch and what features the different images support.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalys

... Continue reading in our forum

rodriarz

Thank you so much scott!! I really appreciate it! Now I have a better understanding about acl on switches

© 2013 - 2021 NetworkLessons.com