0% found this document useful (0 votes)
57 views22 pages

CCNAv2 Chapter 02

The document discusses configuring and verifying IPv4 access control lists on Cisco routers, including how ACLs allow network engineers to filter packets based on values in the packet header, standard ACL syntax and configuration, and examples of creating ACLs to filter packets from certain IP addresses and subnets. ACLs can be used to filter traffic inbound or outbound on an interface based on source or destination IP addresses.

Uploaded by

Linux Hamza
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
57 views22 pages

CCNAv2 Chapter 02

The document discusses configuring and verifying IPv4 access control lists on Cisco routers, including how ACLs allow network engineers to filter packets based on values in the packet header, standard ACL syntax and configuration, and examples of creating ACLs to filter packets from certain IP addresses and subnets. ACLs can be used to filter traffic inbound or outbound on an interface based on source or destination IP addresses.

Uploaded by

Linux Hamza
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 22

CCNA 200-301, Volume 2

Chapter 2
Basic IPv4 Access Control Lists
Objectives
• Configure and verify access control lists
IPv4 Access Control List Basics
• IPv4 access control lists give network engineers
a way to identify different types of packets.
• ACL configurations list values that the router can
see in the IP, ICMP, TCP, and UDP (and other)
headers.
• IPv4 ACLs perform many functions in Cisco
routers, including packet filtering and QoS.
Locations to Filter Packets from Hosts A and
B Going Toward Server S1
Pseudocode to Demonstrate ACL Command-
Matching Logic
Comparisons of IP ACL Types
Backdrop for Discussion of List Process with
IP ACLs
ACL Items Compared for Packets from Hosts
A, B, and C on Previous Slide
Logic for WC Masks 0.0.0.255, 0.0.255.255,
and 0.255.255.255
Syntactically Correct ACL Replaces
Pseudocode
Binary Wildcard Mask Example
• For subnet 172.16.8.0 255.255.252.0, use the subnet
number as the address parameter and do the following
math to find the wildcard mask:
Matching Any/All Addresses
• In some cases, one ACL command can be used to
match any and all packets that reach that point
in the ACL using the any keyword.
• Example: access-list 1 permit any.
• All Cisco IP ACLs end with an implicit deny any.
Implementing Standard IP ACLs
• Step 1: Plan the location and direction on that
interface
• Step 2: Configuration one or more access-list
global configuration commands to create the
ACL
• Step 3: Enable the ACL on the chosen router
interface, in the correct direction, using the ip
access-group number {in | out} interface
subcommand.
Standard Numbered ACL Example 1
Configuration
ACL show Commands on R2
Standard Numbered ACL Example 2
Creating Log Messages for ACL Statistics
Example of Checking the Interface and
Direction for an ACL
Building One-Line Standard ACLs: Practice
Problem Criteria
1 Packets from 172.16.5.4
2 Packets from hosts with 192.168.6 as the first three octets
3 Packets from hosts with 192.168 as the first two octets
4 Packets from any host
5 Packets from subnet 10.1.200.0/21
6 Packets from subnet 10.1.200.0/27
7 Packets from subnet 172.20.112.0/23
8 Packets from subnet 172.20.112.0/26
9 Packets from subnet 192.168.9.64/28
10 Packets from subnet 192.168.9.64/30
Reverse Engineering from ACL to Address
Range
• With the command access-list 1 permit
172.16.200.0 0.0.7.255, the low end of the range is
172.16.200.0.
• To find the high end of the range, add this number to
the WC mask, as shown here:
Finding IP Addresses/Ranges Matching by
Existing ACLs
Problem Criteria

1 access-list 1 permit 10.7.6.5

2 access-list 2 permit 192.168.4.0 0.0.0.127

3 access-list 3 permit 192.168.6.0 0.0.0.31

4 access-list 4 permit 172.30.96.0 0.0.3.255

5 access-list 5 permit 172.30.96.0 0.0.0.63

6 access-list 6 permit 10.1.192.0 0.0.0.31

7 access-list 7 permit 10.1.192.0 0.0.1.255

8 access-list 8 permit 10.1.192.0 0.0.63.255


IOS Changing the Address Field in an
access-list Command

You might also like