10 Acl

The document provides an overview of Access Control Lists (ACLs) used in routers for filtering network traffic based on packet header information. It explains the types of ACLs (standard and extended), their configuration, operation, and best practices for implementation. Additionally, it covers wildcard masks and their role in defining which parts of IP addresses should be matched in ACLs.

Access Control List (ACL)

Dr. Kashif Ishaq


What is a Router and What Does it Do?
▪ Routers make routing decisions based on information in the
packet header.
▪ Traffic entering a router interface is routed solely based on
information within the routing table.
▪ The router compares the destination IP address with routes in
the routing table to find the best match and then forwards the
packet.
▪ That same process can be used to filter traffic using an access
control list (ACL).
What is a Router and What Does it Do?
▪ An ACL is a series of IOS commands used to filter packets
based on information found in the packet header.
▪ By default, a router does not have any ACLs configured.
▪ However, when an ACL is applied to an interface, the router
performs the additional task of evaluating all network packets as
they pass through the interface to determine if the packet can be
forwarded.
▪ An ACL uses a sequential list of permit or deny statements,
known as access control entries (ACEs).
What is a Router and What Does it Do?
▪ Packet Filtering
When an interface is configured with an ACL, the router compares the
information within the packet against each ACE, in sequential
order, to determine if the packet matches one of the ACEs.
Packet Header
Router Tasks
Several tasks performed by routers require the use of ACLs to identify
traffic. The table lists some of these tasks with examples.

Task: Limit network traffic to increase network performance
Example:
▪ A corporate policy prohibits video traffic on the network to reduce the
network load.
▪ A policy can be enforced using ACLs to block video traffic.

Task: Provide traffic flow control
Example:
▪ A corporate policy requires that routing protocol traffic be limited to
certain links only.
▪ A policy can be implemented using ACLs to restrict the delivery of routing
updates to only those that come from a known source.

Task: Provide a basic level of security for network access
Example:
▪ Corporate policy demands that access to the Human Resources network be
restricted to authorized users only.
▪ A policy can be enforced using ACLs to limit access to specified networks.

Task: Filter traffic based on traffic type
Example:
▪ Corporate policy requires that email traffic be permitted into a network,
but that Telnet access be denied.
▪ A policy can be implemented using ACLs to filter traffic by type.

Task: Screen hosts to permit or deny access to network services
Example:
▪ Corporate policy requires that access to some file types (e.g., FTP or
HTTP) be limited to user groups.
▪ A policy can be implemented using ACLs to filter user access to services.

Task: Provide priority to certain classes of network traffic
Example:
▪ Corporate policy specifies that voice traffic be forwarded as fast as
possible to avoid any interruption.
▪ A policy can be implemented using ACLs and QoS services to identify voice
traffic and process it immediately.
Packet Filtering
Packet filtering controls access to a network by analyzing the incoming
and/or outgoing packets and forwarding them or discarding them
based on given criteria.
Types of ACLs
Cisco routers support two types of ACLs:

Standard ACLs:
Standard ACLs filter at Layer 3 using the source IPv4 address only.

Extended ACLs:
Extended ACLs filter at Layer 3 using the source and/or destination IPv4
address. They can also filter at Layer 4 using TCP or UDP ports and
optional protocol type information for finer control.
Numbered and Named ACLs
Numbered ACLs:
R1(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<700-799> 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<1100-1199> Extended 48-bit MAC address access list
<2000-2699> IP extended access list (expanded range)
rate-limit Simple rate-limit specific access list
template Enable IP template acls
Numbered and Named ACLs
Numbered ACLs:
The access-list global configuration command is used to create a
numbered ACL, as shown in the following examples.

R1(config)#access-list 1 deny 10.0.0.1 0.0.0.0
OR
R1(config)#access-list 1 deny host 10.0.0.1
R1(config)#access-list 1 permit any

R1(config)#access-list 100 deny tcp 10.0.0.1 0.0.0.0 host 200.0.0.1 eq 80
R1(config)#access-list 100 permit tcp any any
Numbered and Named ACLs
Named ACLs:
Named ACLs are the preferred method to use when configuring ACLs.
Specifically, standard and extended ACLs can be named to provide
information about the purpose of the ACL.
For example, naming an extended ACL FTP-FILTER is far better than
having a numbered ACL 100.
The ip access-list global configuration command is used to create a
named ACL, as shown in the following example.

R1(config)# ip access-list extended FTP-FILTER
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
Numbered and Named ACLs
Rules for Named ACLs:

1. Assign a name to identify the purpose of the ACL.
2. Names can contain alphanumeric characters.
3. Names cannot contain spaces or punctuation.
4. It is suggested that the name be written in CAPITAL LETTERS.
5. Entries can be added or deleted within the ACL.
ACL Operation
ACLs define the set of rules that give added control for packets that enter
inbound interfaces, packets that relay through the router, and packets
that exit outbound interfaces of the router.

ACLs can be configured to apply to inbound traffic and outbound traffic,
as shown in the figure.
ACL Operation

Note:
ACLs do not have to be configured in both directions. The number of
ACLs and their direction applied to the interface will depend on the
security policy of the organization.
ACL Operation

To write ACL statements, decide:

1. On which router to implement the ACL
2. Which source and destination to identify
3. Whether to apply it inbound or outbound (in/out)
ACL Operation
Standard ACL Placement Example
Following the basic placement guidelines, the administrator would place a
standard ACL on router R3. There are two possible interfaces on R3 to apply
the standard ACL:

R3 S0/1/1 interface (inbound) – The standard ACL can be applied
inbound on the R3 S0/1/1 interface to deny traffic from the .10 network.
However, it would also filter .10 traffic to the 192.168.31.0/24 (.31 in this
example) network. Therefore, the standard ACL should not be applied to
this interface.

R3 G0/0 interface (outbound) – The standard ACL can be applied
outbound on the R3 G0/0/0 interface. This will not affect other networks
that are reachable by R3. Packets from the .10 network will still be able to reach
the .31 network. This is the best interface to place the standard ACL to
meet the traffic requirements.
Extended ACL Placement Example
There are two possible interfaces on R1 to apply the extended ACL:

R1 S0/1/0 interface (outbound) – The extended ACL can be applied
outbound on the S0/1/0 interface. However, this solution will process all
packets leaving R1, including packets from 192.168.10.0/24.

R1 G0/0/1 interface (inbound) – The extended ACL can be applied
inbound on the G0/0/1 interface, and only packets from the 192.168.11.0/24
network are subject to ACL processing on R1. Because the filter is to be
limited to only those packets leaving the 192.168.11.0/24 network,
applying the extended ACL to G0/1 is the best solution.
ACL Operation

▪ Using ACLs requires attention to detail and great care.
▪ Mistakes can be costly in terms of downtime, troubleshooting
efforts, and poor network service.
▪ Basic planning is required before configuring an ACL.
ACL Operation
Best Practices

Guideline: Base ACLs on the organizational security policies.
Benefit: This will ensure you implement organizational security guidelines.

Guideline: Write out what you want the ACL to do.
Benefit: This will help you avoid inadvertently creating potential access
problems.

Guideline: Use a text editor to create, edit, and save all of your ACLs.
Benefit: This will help you create a library of reusable ACLs.

Guideline: Document the ACLs using the remark command.
Benefit: This will help you (and others) understand the purpose of an ACE.

Guideline: Test the ACLs on a development network before implementing them
on a production network.
Benefit: This will help you avoid costly errors.
Wildcard Mask
A wildcard mask is used in access control lists (ACLs) and routing to
define which portions of an IP address should be considered when
matching traffic.

In a subnet mask, binary 1 is equal to a match and binary 0 is
not a match; in a wildcard mask, the reverse is true.

▪ Wildcard masks use the following rules to match binary 1s and 0s:

Wildcard mask bit 0 – Match the corresponding bit value in the address
Wildcard mask bit 1 – Ignore the corresponding bit value in the address
Quick Comparison

Subnet Mask:
▪ Used for subnetting and dividing an IP address into network and host
portions.
▪ Consists of consecutive '1' bits followed by consecutive '0' bits.
▪ Defines the structure of the subnet, including network and host bits.

Wildcard Mask:
▪ Used in access control lists (ACLs) and routing to match specific criteria.
▪ Is the inverse of the subnet mask, where '0' bits in the subnet mask
become '1' bits in the wildcard mask.
▪ Defines which parts of an IP address should be considered when
matching traffic.
Wildcard Mask
The table lists some examples of wildcard masks and what they would identify.

Wildcard Mask   Last Octet (in Binary)   Meaning (0 – match, 1 – ignore)
0.0.0.0         00000000                 Match all octets.
0.0.0.63        00111111                 Match the first three octets.
                                         Match the two leftmost bits of the last octet.
                                         Ignore the last 6 bits.
0.0.0.15        00001111                 Match the first three octets.
                                         Match the four leftmost bits of the last octet.
                                         Ignore the last 4 bits of the last octet.
0.0.0.252       11111100                 Match the first three octets.
                                         Ignore the six leftmost bits of the last octet.
                                         Match the last two bits.
0.0.0.255       11111111                 Match the first three octets.
                                         Ignore the last octet.
Wildcard Mask - Match a host
In this example, the wildcard mask is used to match a specific host IPv4 address.
Assume ACL 10 needs an ACE that only permits the host with IPv4 address
192.168.1.1.

Recall that “0” equals a match and “1” equals ignore. To match a specific host
IPv4 address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required.

The table lists in binary, the host IPv4 address, the wildcard mask, and the
permitted IPv4 address.

The 0.0.0.0 wildcard mask stipulates that every bit must match exactly. Therefore,
when the ACE is processed, the wildcard mask will permit only the 192.168.1.1
address.

The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0.


Wildcard Mask - Match a host

                        Decimal        Binary
IPv4 address            192.168.1.1    11000000.10101000.00000001.00000001
Wildcard Mask           0.0.0.0        00000000.00000000.00000000.00000000
Permitted IPv4 Address  192.168.1.1    11000000.10101000.00000001.00000001


Wildcard Mask - Match a subnet
In this example, ACL 10 needs an ACE that permits all hosts in the
192.168.1.0/24 network. The wildcard mask 0.0.0.255 stipulates that the very
first three octets must match exactly but the fourth octet does not.

The table lists in binary, the host IPv4 address, the wildcard mask, and the
permitted IPv4 addresses.

When processed, the wildcard mask 0.0.0.255 permits all hosts in the
192.168.1.0/24 network.

The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0 0.0.0.255.
Wildcard Mask - Match a subnet

                        Decimal         Binary
IPv4 address            192.168.1.1     11000000.10101000.00000001.00000001
Wildcard Mask           0.0.0.255       00000000.00000000.00000000.11111111
Permitted IPv4 Address  192.168.1.0/24  11000000.10101000.00000001.00000000


Wildcard Mask - Match an Address Range
In this example, ACL 10 needs an ACE that permits all hosts in the
192.168.16.0/24, 192.168.17.0/24, …, 192.168.31.0/24 networks.

The wildcard mask 0.0.15.255 would correctly filter that range of addresses.

The table lists in binary the host IPv4 address, the wildcard mask, and the
permitted IPv4 addresses.

The highlighted wildcard mask bits identify which bits of the IPv4 address must
match. When processed, the wildcard mask 0.0.15.255 permits all hosts in the
192.168.16.0/24 to 192.168.31.0/24 networks.

The resulting ACE in ACL 10 would be access-list 10 permit 192.168.16.0 0.0.15.255.
Wildcard Mask - Match an Address Range

                        Decimal           Binary
IPv4 address            192.168.16.0      11000000.10101000.00010000.00000000
Wildcard Mask           0.0.15.255        00000000.00000000.00001111.11111111
Permitted IPv4 Address  192.168.16.0/24   11000000.10101000.00010000.00000000
                        to
                        192.168.31.0/24   11000000.10101000.00011111.00000000
Wildcard Mask Calculation - 1
Assume you wanted an ACE in ACL 10 to permit access to all users in the
192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet
mask (i.e., 255.255.255.0) from 255.255.255.255, as shown in the table.

The solution produces the wildcard mask 0.0.0.255. Therefore, the ACE would be
access-list 10 permit 192.168.3.0 0.0.0.255.

Starting value               255.255.255.255
Subtract the subnet mask   - 255.255.255.0
Resulting wildcard mask      0.0.0.255


Wildcard Mask Calculation - 2
In this example, assume you wanted an ACE in ACL 10 to permit network access
for the 14 users in the subnet 192.168.3.32/28. Subtract the subnet (i.e.,
255.255.255.240) from 255.255.255.255, as shown in the table.

This solution produces the wildcard mask 0.0.0.15. Therefore, the ACE would be
access-list 10 permit 192.168.3.32 0.0.0.15.

Starting value               255.255.255.255
Subtract the subnet mask   - 255.255.255.240
Resulting wildcard mask      0.0.0.15


Wildcard Mask Calculation - 3
In this example, assume you needed an ACE in ACL 10 to permit only networks
192.168.10.0 and 192.168.11.0. These two networks could be summarized as
192.168.10.0/23 which is a subnet mask of 255.255.254.0. Again, you subtract
255.255.254.0 subnet mask from 255.255.255.255, as shown in the table.

This solution produces the wildcard mask 0.0.1.255. Therefore, the ACE would be
access-list 10 permit 192.168.10.0 0.0.1.255.

Starting value               255.255.255.255
Subtract the subnet mask   - 255.255.254.0
Resulting wildcard mask      0.0.1.255


Wildcard Mask Calculation - 4
Consider an example in which you need an ACL number 10 to match networks in
the range between 192.168.16.0/24 to 192.168.31.0/24. This network range
could be summarized as 192.168.16.0/20 which is a subnet mask of
255.255.240.0. Therefore, subtract 255.255.240.0 subnet mask from
255.255.255.255, as shown in the table.

This solution produces the wildcard mask 0.0.15.255. Therefore, the ACE would be
access-list 10 permit 192.168.16.0 0.0.15.255.

Starting value               255.255.255.255
Subtract the subnet mask   - 255.255.240.0
Resulting wildcard mask      0.0.15.255
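The four calculations above, together with the bit rules from the Wildcard Mask slides, as an added Python example that is not part of the slides: it derives a wildcard mask from a subnet mask or prefix length, tests whether a packet address is covered by an ACE address/wildcard pair, and reports the address range such a pair covers. The function names are my own.

```python
# Added example (not from the slides): wildcard-mask arithmetic in Python.
# Rules from the slides: wildcard bit 0 = the address bit must match,
# wildcard bit 1 = the address bit is ignored; and a wildcard mask is
# 255.255.255.255 minus the subnet mask, octet by octet.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, one octet at a time."""
    octets = [255 - int(o) for o in subnet_mask.split(".")]
    return ".".join(str(o) for o in octets)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same calculation starting from a /prefix length, e.g. /28 -> 0.0.0.15."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_subnet_mask(str(netmask))


def wildcard_matches(ace_address: str, wildcard: str, packet_address: str) -> bool:
    """True if packet_address is covered by the ACE's address/wildcard pair."""
    ace = int(ipaddress.IPv4Address(ace_address))
    wc = int(ipaddress.IPv4Address(wildcard))
    pkt = int(ipaddress.IPv4Address(packet_address))
    differing = ace ^ pkt                  # bits where ACE and packet disagree
    must_match = ~wc & ALL_ONES            # wildcard 0 bits: these must agree
    return (differing & must_match) == 0


def matched_range(ace_address: str, wildcard: str) -> tuple:
    """Lowest and highest address covered by the pair. The covered set is one
    contiguous block only when the wildcard is contiguous (all the slides'
    masks are); for a non-contiguous mask these are just the extremes."""
    ace = int(ipaddress.IPv4Address(ace_address))
    wc = int(ipaddress.IPv4Address(wildcard))
    low = ace & ~wc & ALL_ONES             # ignored bits cleared
    high = ace | wc                        # ignored bits set
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


if __name__ == "__main__":
    # The four worked calculations from the slides.
    for mask in ("255.255.255.0", "255.255.255.240", "255.255.254.0", "255.255.240.0"):
        print(f"255.255.255.255 - {mask} = {wildcard_from_subnet_mask(mask)}")
    # The 192.168.16.0/24 .. 192.168.31.0/24 range example.
    print(matched_range("192.168.16.0", "0.0.15.255"))   # ('192.168.16.0', '192.168.31.255')
    print(wildcard_matches("192.168.16.0", "0.0.15.255", "192.168.31.7"))   # True
    print(wildcard_matches("192.168.16.0", "0.0.15.255", "192.168.32.1"))   # False
```

The range check is the one worth running before an ACE goes live: it shows exactly which addresses a mask admits, which is where an off-by-one mask (0.0.0.255 instead of 0.0.0.15) silently widens access.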


Wildcard Mask Keywords
Working with decimal representations of binary wildcard mask bits can be tedious.
To simplify this task, the Cisco IOS provides two keywords to identify the most
common uses of wildcard masking.

The two keywords are:

host – This keyword substitutes for the 0.0.0.0 mask. This mask states
that all IPv4 address bits must match to filter just one host address.

any – This keyword substitutes for the 255.255.255.255 mask. This mask
says to ignore the entire IPv4 address or to accept any addresses.
Wildcard Mask Keywords - Example
Host:
R1(config)# access-list 10 permit 192.168.10.10 0.0.0.0

OR

R1(config)# access-list 10 permit host 192.168.10.10

Any:
R1(config)# access-list 11 permit 0.0.0.0 255.255.255.255

OR

R1(config)# access-list 11 permit any


Standard ACL
R1(config)# access-list ACL_NUMBER permit|deny IP_ADDRESS WILDCARD_MASK

We want to allow traffic from the management LAN to the server S1. First, we need to write an ACL to
permit traffic from LAN 10.0.0.0/24 to S1. We can use the following command on R1:

R1(config)#access-list 1 permit 10.0.0.0 0.0.0.255

Next, we will deny traffic from the Users LAN (11.0.0.0/24):

R1(config)#access-list 1 deny 11.0.0.0 0.0.0.255

Next, we need to apply the access list to an interface (in interface configuration mode, on the interface facing S1):

R1(config-if)#ip access-group 1 out

Deleting a standard ACL (a numbered ACL is removed with the no form of the access-list command):

Router(config)#no access-list 1
Named Access List

▪ Access-lists are identified using names rather than numbers
▪ Names are case-sensitive
▪ No limitation of numbers here
▪ Editing of the ACL is possible, i.e., removing a specific
statement from the ACL is possible
▪ IOS version 11.2 or later allows named ACLs

Creation of Standard Named Access List

Router(config)#ip access-list standard <name>
Router(config-std-nacl)#<permit/deny> <source address> <source wildcard mask>

Implementation of Standard Named Access List

Router(config)#interface <interface type><interface no>
Router(config-if)#ip access-group <name> <out/in>
Standard ACL - Named
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list standard Management
Router(config-std-nacl)#deny 11.0.0.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip access-group Management out
Router(config-if)#exit
Router(config)#exit
Router#show access-list

Deleting a standard ACL

Router(config)#no ip access-list standard Management
TASK

The ACL is designed to block traffic from the 192.168.11.0/24
network from accessing any local networks on R3.
Protocols
Port Numbers/Names
To keep each application's data separate from other applications, TCP and
UDP assign a unique numeric value to each application. This value is
known as the port number. We use the port number of an application to
match the traffic of that application.

Application   Protocol   Port number   Keyword
FTP           TCP        21            ftp
Telnet        TCP        23            telnet
SMTP          TCP        25            smtp
HTTP          TCP        80            www
POP3          TCP        110           pop3
DNS           UDP        53            dns
TFTP          UDP        69            tftp
SNMP          UDP        161           snmp
IP RIP        UDP        520           rip
Extended ACL
An extended access list is mainly used to filter two types of traffic.
These types are host-level and application-level. Host-level traffic
includes all traffic originating from a specific host.
There are two commands to create an extended access list. These
commands are 'access-list' and 'ip access-list'.
To filter all traffic from a host, the 'access-list' command uses the
following syntax (the eq <application/port> part is optional and only
applies when the protocol is tcp or udp):
Router(config)# access-list <100-199|2000-2699> <permit|deny>
<protocol> <source_address> <source_wildcard_mask>
<destination_address> <destination_wildcard_mask> [eq
<application/port>]
Extended ACL
Example: create two extended ACLs, ACL 101 on Router 0 and ACL 102 on Router 1.
Router 0
Router0>enable
Router0#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#access-list 101 permit ip 10.0.0.0 0.255.255.255 host 50.0.0.10
Router0(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router0(config)#access-list 101 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router0(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any
Router0(config)#interface gigabitethernet 0/0
Router0(config-if)#ip access-group 101 in
Router0(config-if)#exit
Router 1
Router1(config)#access-list 102 permit ip 20.0.0.0 0.255.255.255 host 50.0.0.20
Router1(config)#access-list 102 deny ip 20.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router1(config)#access-list 102 permit ip 20.0.0.0 0.255.255.255 any
Router1(config)#interface gigabitethernet 0/1
Router1(config-if)#ip access-group 102 in
Router1(config-if)#exit
Extended ACL
The ACL 101 contains four statements. The following table lists these
statements and their meanings.

Statement: permit ip 10.0.0.0 0.255.255.255 host 50.0.0.10
Description/Action: Allow a packet if its source address is from the
network 10.0.0.0/8 and the destination address is 50.0.0.10.

Statement: deny ip 10.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Description/Action: Deny a packet if its source address is from the
network 10.0.0.0/8 and the destination address is from the network 50.0.0.0/8.

Statement: permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Description/Action: Allow a packet if its source address is from the
network 10.0.0.0/8 and the destination address is from the network 20.0.0.0/8.

Statement: deny ip 10.0.0.0 0.255.255.255 any
Description/Action: Deny a packet if its source address is from the
network 10.0.0.0/8 and the destination address is from any network.
Extended ACL
For every packet, ACL statements are checked from top to bottom in
sequential order until a match is found. Once a match is found, no further
statements are checked for the packet.
The ACL 102 contains three statements. The following table lists their
meanings.

Statement: permit ip 20.0.0.0 0.255.255.255 host 50.0.0.20
Description/Action: Allow a packet if its source address is from the
network 20.0.0.0/8 and the destination address is the host 50.0.0.20.

Statement: deny ip 20.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Description/Action: Deny a packet if its source address is from the
network 20.0.0.0/8 and the destination address is from the network 50.0.0.0/8.

Statement: permit ip 20.0.0.0 0.255.255.255 any
Description/Action: Allow a packet if its source address is from the
network 20.0.0.0/8 and the destination address is from any network.
Extended ACL
Requirements
Create an extended access list that allows the Marketing section to access only the web
service and DNS service from the Server. The Marketing section should not be allowed to
access any other services running on the Server.

Understanding Requirements
To fulfill the above requirements, we have to add the following statements to
the extended access list.

▪ A statement that allows access to the web service.
▪ A statement that allows access to the DNS service.
▪ A statement that blocks access to all other services.
▪ A statement that allows access to the Management section.
▪ A statement that blocks all other traffic.
Extended ACL
Access the command line interface of the Router and run the following commands.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended UMT
Router(config-ext-nacl)#permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80
Router(config-ext-nacl)#permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53
Router(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group UMT in
Router(config-if)#exit
Router(config)#exit
Extended ACL
The above commands create an extended access list UMT and apply it to the GigabitEthernet 0/0
interface in the inbound direction. The access list contains five statements. The following table lists the
meaning of these statements.

Statement: permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80
Description/Action: Allow a packet if its source address is from the
network 10.0.0.0/8, the destination address is 30.0.0.10 and the destination
application is HTTP.

Statement: permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53
Description/Action: Allow a packet if its source address is from the
network 10.0.0.0/8, the destination address is 30.0.0.10 and the destination
application is DNS.

Statement: deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
Description/Action: Block a packet if its source address is from the
network 10.0.0.0/8 and the destination address is 30.0.0.10.

Statement: permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Description/Action: Allow a packet if its source address is from the
network 10.0.0.0/8 and the destination address is from the network 20.0.0.0/8.

Statement: deny ip 10.0.0.0 0.255.255.255 any
Description/Action: Block a packet if its source address is from the
network 10.0.0.0/8 and the destination address is from any network.
TASK

1. Configure the network to deny all access from the ISP
(Internet) to the File Server (192.168.20.210). Allow
access from any other device.
2. Configure only Mail access for all devices to the Mail
Server (192.168.20.200).
3. Configure only Web access for all devices to the Web
Server (192.168.20.201).
Updating the extended ACL
To view the sequence number of current statements, we can use the 'show ip access-lists' command.

Router>enable
Router#show ip access-lists
Extended IP access list University
10 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq www
20 permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq domain
30 deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
40 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
50 deny ip 10.0.0.0 0.255.255.255 any

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended University
Router(config-ext-nacl)#21 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 21
Router(config-ext-nacl)#exit
Router(config)#exit
Updating the extended ACL
Router#show ip access-lists
Extended IP access list University
10 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq www
20 permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq domain
21 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq ftp
30 deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
40 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
50 deny ip 10.0.0.0 0.255.255.255 any
Router#
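The top-to-bottom, first-match evaluation described for ACL 102, the UMT access list, and the sequence-21 insert shown above, as an added Python simulator that is not part of the slides. It also accepts the standard-ACL statements from the Standard ACL slides; Packet, evaluate, parse_ace and the sample packets are my own names and constructed values.

```python
# Added example (not from the slides): simulator of Cisco ACL evaluation.
# Statements are checked top to bottom, the first match decides, and a packet
# matching no statement hits the implicit deny at the end of every ACL.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF
# Port keywords from the slides' Port Numbers/Names table, plus IOS's "domain".
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110,
                 "dns": 53, "domain": 53, "tftp": 69, "snmp": 161, "rip": 520}

@dataclass
class Packet:
    protocol: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, if any

def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_address(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2

def parse_ace(line: str):
    """Return (action, protocol, src, src_wc, dst, dst_wc, port) for one ACE."""
    t = line.split()
    if t[1] in ("ip", "tcp", "udp", "icmp"):  # extended ACE
        proto = t[1]
        src, src_wc, i = _parse_address(t, 2)
        dst, dst_wc, i = _parse_address(t, i)
    else:                                     # standard ACE: source only
        proto = "ip"
        src, src_wc, i = _parse_address(t, 1)
        dst, dst_wc = 0, ALL_ONES
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_KEYWORDS.get(t[i + 1]) or int(t[i + 1])
    return t[0], proto, src, src_wc, dst, dst_wc, port

def _covers(address: int, wildcard: int, packet_address: int) -> bool:
    # Wildcard bit 0 = must match, bit 1 = ignore (see the wildcard mask slides).
    return ((address ^ packet_address) & ~wildcard & ALL_ONES) == 0

def evaluate(acl, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, position): 1-based index of the first matching
    statement, or None when the implicit deny applies."""
    src, dst = _addr(pkt.src), _addr(pkt.dst)
    for position, line in enumerate(acl, start=1):
        action, proto, a_src, a_swc, a_dst, a_dwc, port = parse_ace(line)
        if proto != "ip" and proto != pkt.protocol:
            continue
        if not (_covers(a_src, a_swc, src) and _covers(a_dst, a_dwc, dst)):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action, position               # first match wins
    return "deny", None                       # implicit deny at the end

# The extended ACL UMT from the slides, in the order it was entered.
UMT = ["permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80",
       "permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53",
       "deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10",
       "permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255",
       "deny ip 10.0.0.0 0.255.255.255 any"]
FTP_ACE = "permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq ftp"

if __name__ == "__main__":
    ftp = Packet("tcp", "10.1.2.3", "30.0.0.10", 21)    # constructed sample packet
    print(evaluate(UMT, ftp))                            # ('deny', 3): no FTP statement
    print(evaluate(UMT[:2] + [FTP_ACE] + UMT[2:], ftp))  # ('permit', 3): inserted before the deny
    print(evaluate(UMT + [FTP_ACE], ftp))                # ('deny', 3): appended after it, never reached
```

The last two calls are the point of the sequence-number insert: the same FTP statement permits or is dead depending only on whether it sits above or below the deny for host 30.0.0.10.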
THANK YOU