CCNAv2 Chapter 02
Chapter 2
Basic IPv4 Access Control Lists
Objectives
• Configure and verify access control lists
IPv4 Access Control List Basics
• IPv4 access control lists give network engineers a way to identify different types of packets.
• ACL configurations list values that the router can see in the IP, ICMP, TCP, and UDP (and other) headers.
• IPv4 ACLs perform many functions in Cisco routers, including packet filtering and QoS.
Locations to Filter Packets from Hosts A and B Going Toward Server S1
Pseudocode to Demonstrate ACL Command-Matching Logic
Comparisons of IP ACL Types
Backdrop for Discussion of List Process with IP ACLs
ACL Items Compared for Packets from Hosts A, B, and C on Previous Slide
Logic for WC Masks 0.0.0.255, 0.0.255.255, and 0.255.255.255
Syntactically Correct ACL Replaces Pseudocode
Binary Wildcard Mask Example
• For subnet 172.16.8.0 255.255.252.0, use the subnet number as the address parameter and do the following math to find the wildcard mask:
Matching Any/All Addresses
• In some cases, one ACL command can be used to match any and all packets that reach that point in the ACL, using the any keyword.
• Example: access-list 1 permit any.
• All Cisco IP ACLs end with an implicit deny any.
Implementing Standard IP ACLs
• Step 1: Plan the location (router and interface) and the direction (in or out) on that interface.
• Step 2: Configure one or more access-list global configuration commands to create the ACL.
• Step 3: Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.
Standard Numbered ACL Example 1
Configuration
ACL show Commands on R2
Standard Numbered ACL Example 2
Creating Log Messages for ACL Statistics
Example of Checking the Interface and Direction for an ACL
Building One-Line Standard ACLs: Practice
Problem Criteria
1 Packets from 172.16.5.4
2 Packets from hosts with 192.168.6 as the first three octets
3 Packets from hosts with 192.168 as the first two octets
4 Packets from any host
5 Packets from subnet 10.1.200.0/21
6 Packets from subnet 10.1.200.0/27
7 Packets from subnet 172.20.112.0/23
8 Packets from subnet 172.20.112.0/26
9 Packets from subnet 192.168.9.64/28
10 Packets from subnet 192.168.9.64/30
Reverse Engineering from ACL to Address Range
• With the command access-list 1 permit 172.16.200.0 0.0.7.255, the low end of the range is 172.16.200.0.
• To find the high end of the range, add this number to the WC mask, as shown here:
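The wildcard-mask math, the first-match ACL logic with the implicit deny, the one-line practice criteria above, and the reverse-engineering step are all carried out below in an added Python example (not part of the course slides). The sample ACL at the bottom is constructed for illustration; only the standard library ipaddress module is used.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))

def wildcard_from_netmask(netmask: str) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask (255.255.252.0 -> 0.0.3.255)."""
    return to_dotted(to_int(netmask) ^ ALL_ONES)

def standard_acl_entry(number: int, action: str, cidr: str) -> str:
    """Build one standard access-list command for a host, a subnet, or any."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"access-list {number} {action} host {net.network_address}"
    if net.prefixlen == 0:
        return f"access-list {number} {action} any"
    wc = wildcard_from_netmask(str(net.netmask))
    return f"access-list {number} {action} {net.network_address} {wc}"

def matches(address: str, wildcard: str, src_ip: str) -> bool:
    """Cisco matching logic: wildcard bits set to 1 are 'don't care'; 0 bits must match."""
    care = to_int(wildcard) ^ ALL_ONES
    return (to_int(address) & care) == (to_int(src_ip) & care)

def address_range(address: str, wildcard: str) -> tuple:
    """Reverse engineer an ACL line: low end is the address, high end is address + wildcard."""
    care = to_int(wildcard) ^ ALL_ONES
    low = to_int(address) & care  # equals the address itself when it is a subnet number
    return to_dotted(low), to_dotted(low + to_int(wildcard))

def evaluate_acl(entries: list, src_ip: str) -> str:
    """Top-down, first match wins; every ACL ends with an implicit 'deny any'."""
    for action, address, wildcard in entries:
        if matches(address, wildcard, src_ip):
            return action
    return "deny"

# Constructed sample ACL (hypothetical, not from the slides): block one /21, permit the rest.
ACL_1 = [("deny", "172.16.200.0", "0.0.7.255"),
         ("permit", "0.0.0.0", "255.255.255.255")]  # same as 'permit any'
```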
Finding IP Addresses/Ranges Matching by Existing ACLs
Problem Criteria