ACL Workbook - Student


8/3/2019 ACL Workbook - Student

Access Lists Workbook

Version 1.2

(Cover keywords: access-list, access-group, permit, deny, Standard, Extended, Wildcard Mask, Any, 0.0.0.0)

Inside Cover

Access-List Numbers

Type of access list                          Number range
IP Standard                                     1 to   99
IP Extended                                   100 to  199
Ethernet Type Code                            200 to  299
Ethernet Address                              700 to  799
DECnet and Extended DECnet                    300 to  399
XNS                                           400 to  499
Extended XNS                                  500 to  599
Appletalk                                     600 to  699
48-bit MAC Addresses                          700 to  799
IPX Standard                                  800 to  899
IPX Extended                                  900 to  999
IPX SAP (service advertisement protocol)     1000 to 1099
IPX SAP SPX                                  1000 to 1099
Extended 48-bit MAC Addresses                1100 to 1199
IPX NLSP                                     1200 to 1299
IP Standard, expanded range                  1300 to 1999
IP Extended, expanded range                  2000 to 2699
SS7 (voice)                                  2700 to 2999
Standard Vines                                  1 to  100
Extended Vines                                101 to  200
Simple Vines                                  201 to  300
Transparent bridging (protocol type)          200 to  299
Transparent bridging (vendor type)            700 to  799
Extended Transparent bridging                1100 to 1199
Source-route bridging (protocol type)         200 to  299
Source-route bridging (vendor type)           700 to  799

Produced by: Robb [email protected]
Frederick County Career & Technology Center
Cisco Networking Academy
Frederick County Public Schools
Frederick, Maryland, USA

Special thanks to Melvin Baker and Jim Dorsch for taking the time to check this workbook for errors.

What are Access Control Lists?

ACLs...
...are a sequential list of instructions that tell a router which packets to permit or deny.

How routers use Access Lists (Outbound Port - Default)

The router checks to see if the packet is routable. If it is, it looks up the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL, the router switches the packet out that interface to its destination.
If there is an ACL, the router checks the packet against the access list statements sequentially, and permits or denies each packet as it is matched.
If the packet does not match any statement written in the ACL it is denied, because there is an implicit deny any statement at the end of every ACL.

General Access Lists Information

Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement, the router stops comparing and permits or denies the packet.
...need to be written to take care of the most abundant traffic first, so that most packets are decided after as few comparisons as possible.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed protocol needs its own ACL on an interface, and only one ACL per protocol can be applied in each direction on an interface.
...must be applied to an interface to work.
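The evaluation rules above (statements read top to bottom, first match wins, implicit deny any at the end, order matters) as an added example that is not code from the workbook. The access list, the addresses and the function names (wildcard_match, evaluate, demo) are constructed for illustration; evaluate() also returns how many statements were compared, so the cost of putting abundant traffic first and the effect of a wrongly ordered list are both visible:

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask.

    A 0 bit in the mask means that bit of addr must equal the bit in base;
    a 1 bit means 'don't care'. 0.0.0.0 therefore matches exactly one host
    and 255.255.255.255 matches any address.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

def evaluate(acl, src):
    """Apply one standard ACL to a packet with source address src.

    acl is the ordered list of (action, address, wildcard) statements, in the
    order they were entered on the router. Returns (action, statements_compared)
    so the cost of the lookup is visible next to its result.
    """
    for compared, (action, base, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src, base, wildcard):
            return action, compared          # first match wins; stop comparing
    return "deny", len(acl)                  # implicit deny any at the end of every ACL

# Constructed sample ACL (hypothetical addresses): block one host, then allow
# the rest of its /24. The order is what makes it work.
ACL_1 = [
    ("deny",   "192.168.90.36", "0.0.0.0"),    # same as 'deny host 192.168.90.36'
    ("permit", "192.168.90.0",  "0.0.0.255"),  # everything else in 192.168.90.0/24
]

# The same two statements entered in the other order: the permit now matches
# 192.168.90.36 first, so the deny is shadowed and can never fire.
ACL_1_WRONG_ORDER = list(reversed(ACL_1))

def demo():
    """Return the outcome for a few constructed source addresses."""
    return {
        "blocked host":  evaluate(ACL_1, "192.168.90.36"),
        "neighbour":     evaluate(ACL_1, "192.168.90.77"),
        "other subnet":  evaluate(ACL_1, "10.0.0.5"),       # matches nothing
        "shadowed deny": evaluate(ACL_1_WRONG_ORDER, "192.168.90.36"),
    }

if __name__ == "__main__":
    for name, (action, compared) in demo().items():
        print(f"{name:14s} -> {action:6s} after {compared} statement(s)")
```

The "other subnet" packet falls off the end of the list and is denied without any deny statement naming it; that is the implicit deny any. The "shadowed deny" case is the mistake the ordering rule guards against: the router never gets past the first matching statement, so a more specific deny placed after a broader permit is dead configuration.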

Standard Access Lists

Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) only on source addresses.
...do not carry any destination information, so they must be placed as close to the destination as possible.
...work at layer 3 of the OSI model.

Why standard ACLs are placed close to the destination.

If you want to block traffic from Juan's computer from reaching Janet's computer with a standard access list, you would place the ACL close to the destination, on Router D, interface E0. Since it uses only the source address to permit or deny packets, the ACL here will not affect packets reaching Routers B or C.

If you place the ACL on Router A to block traffic to Router D, it will also block all packets going to Routers B and C, because all the packets will have the same source address.

[Diagram: Routers A, B, C and D (interfaces E0, S0 and S1); Juan's, Janet's, Jimmy's and Matt's computers.]

Standard Access List Placement Sample Problems

[Diagram: Router A and Router B (interfaces E0, E1, FA0, FA1, S0 and S1); Juan's, Jan's, Lisa's and Paul's computers. Other labels on the page: Router B E1, Router A E0.]

In order to permit packets from Juan's computer to arrive at Jan's computer you would place the standard access list at router interface ______. FA1

Lisa has been sending unnecessary information to Paul. Where would you place the standard ACL to deny all traffic from Lisa to Paul?
Router Name ______________ Interface ___________

Where would you place the standard ACL to deny traffic from Paul to Lisa?
Router Name ______________ Interface ___________

Standard Access List Placement

[Diagram: Routers A, B, C, D, E and F (interfaces E0, FA1, S0 and S1); computers belonging to Sarah, Jackie, Linda, Melvin, Jim, Jeff, George, Kathy, Carrol, Ricky, Jenny and Amanda. Other labels on the page: Router D E0, Router A E0.]

1. Where would you place a standard access list to permit traffic from Ricky's computer to reach Jeff's computer?
Router Name _________________ Interface ____________________

2. Where would you place a standard access list to deny traffic from Melvin's computer from reaching Jenny's computer?
Router Name _________________ Interface ____________________

3. Where would you place a standard access list to deny traffic to Carrol's computer from Sarah's computer?
Router Name _________________ Interface ____________________

4. Where would you place a standard access list to permit traffic from Ricky's computer to reach Jeff's computer?
Router Name _________________ Interface ____________________

5. Where would you place a standard access list to deny traffic from Amanda's computer from reaching Jeff's and Jim's computers?
Router Name _________________ Interface ____________________

6. Where would you place a standard access list to permit traffic from Jackie's computer to reach Linda's computer?
Router Name _________________ Interface ____________________

7. Where would you place a standard access list to permit traffic from Ricky's computer to reach Carrol's and Amanda's computers?
Router Name _________________ Interface ____________________

8. Where would you place a standard access list to deny traffic to Jenny's computer from Jackie's computer?
Router Name _________________ Interface ____________________

9. Where would you place a standard access list to permit traffic from George's computer to reach Linda's and Sarah's computers?
Router Name _________________ Interface ____________________

10. Where would you place an ACL to deny traffic from Jeff's computer from reaching George's computer?
Router Name _________________ Interface ____________________

11. Where would you place a standard access list to deny traffic to Sarah's computer from Ricky's computer?
Router Name _________________ Interface ____________________

12. Where would you place an ACL to deny traffic from Linda's computer from reaching Jackie's computer?
Router Name _________________ Interface ____________________

Extended Access Lists

Extended Access Lists...
...are numbered from 100 to 199.
...filter (permit or deny) based on the: source address, destination address, protocol, port number.
...are placed close to the source.
...work at both layer 3 and layer 4 of the OSI model.

Why extended ACLs are placed close to the source.

If you want to deny traffic from Juan's computer from reaching Janet's computer with an extended access list, you would place the ACL close to the source, on Router A, interface E0. Since it can permit or deny based on the destination address, it can reduce backbone overhead and not affect traffic to Routers B or C.

If you place the ACL on Router D to block traffic from Router A, it will work. However, Routers B and C will have to route the packet before it is finally blocked at Router D. This increases the volume of useless network traffic.

[Diagram: Routers A, B, C and D (interfaces E0, FA0, S0 and S1); Juan's, Janet's, Jimmy's and Matt's computers.]
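The two placement arguments (a standard list belongs near the destination, as on the standard-list page; an extended list belongs near the source, as above) as an added simulation that is not from the workbook. The chain Router A - B - C - D, Juan behind Router A and Janet behind Router D follow the text; putting Jimmy behind Router B and Matt behind Router C is an assumption, and the function names (forward, blocked_destinations, routers_before_drop) are hypothetical:

```python
from dataclasses import dataclass

# Constructed topology. The chain and Juan-behind-A / Janet-behind-D follow the
# workbook text; Jimmy behind Router B and Matt behind Router C is assumed.
CHAIN = ["Router A", "Router B", "Router C", "Router D"]
LOCATION = {"Juan": "Router A", "Jimmy": "Router B",
            "Matt": "Router C", "Janet": "Router D"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def matches(entry, pkt):
    """entry is ('standard', src) or ('extended', src, dst)."""
    if entry[0] == "standard":
        return pkt.src == entry[1]                       # source address only
    return pkt.src == entry[1] and pkt.dst == entry[2]   # source and destination

def forward(pkt, acl_at, entry):
    """Walk the chain from the sender's router to the receiver's router.

    acl_at names the router on which the deny statement is applied. Returns
    (outcome, routed_by), where routed_by lists the routers that routed the
    packet before the ACL dropped it (the whole path if it was delivered).
    """
    start, end = CHAIN.index(LOCATION[pkt.src]), CHAIN.index(LOCATION[pkt.dst])
    step = 1 if end >= start else -1
    routed_by = []
    for idx in range(start, end + step, step):
        router = CHAIN[idx]
        if router == acl_at and matches(entry, pkt):
            return "dropped", routed_by
        routed_by.append(router)
    return "delivered", routed_by

def blocked_destinations(acl_at, entry):
    """Which hosts stop receiving Juan's packets with this ACL placement."""
    return sorted(dst for dst in LOCATION if dst != "Juan"
                  and forward(Packet("Juan", dst), acl_at, entry)[0] == "dropped")

def routers_before_drop(acl_at, entry, dst="Janet"):
    """Routers that had to route the Juan->dst packet before it was dropped."""
    return forward(Packet("Juan", dst), acl_at, entry)[1]

STANDARD_DENY_JUAN = ("standard", "Juan")
EXTENDED_DENY_JUAN_TO_JANET = ("extended", "Juan", "Janet")

if __name__ == "__main__":
    for label, acl_at, entry in [
        ("standard at Router D (destination)", "Router D", STANDARD_DENY_JUAN),
        ("standard at Router A (source)",      "Router A", STANDARD_DENY_JUAN),
        ("extended at Router A (source)",      "Router A", EXTENDED_DENY_JUAN_TO_JANET),
        ("extended at Router D (destination)", "Router D", EXTENDED_DENY_JUAN_TO_JANET),
    ]:
        print(f"{label}: blocks {blocked_destinations(acl_at, entry)}, "
              f"Juan->Janet routed by {routers_before_drop(acl_at, entry)} before drop")
```

The standard list at Router A blocks Jimmy and Matt as collateral damage, because the only thing it can see is Juan's source address; moved to Router D it blocks Janet alone, which is the workbook's rule. The extended list can name Janet, so at Router A it blocks only her and no router wastes work; at Router D the same statement still works, but Routers A, B and C have each routed the packet first.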

Extended Access List Placement Sample Problems

[Diagram: Router A and Router B (interfaces E0, E1, FA0, FA1, S0 and S1); Juan's, Jan's, Lisa's and Paul's computers. Other labels on the page: Router A FA0, Router B FA1.]

In order to permit packets from Juan's computer to arrive at Jan's computer you would place the extended access list at router interface ______. E0

Lisa has been sending unnecessary information to Paul. Where would you place the extended ACL to deny all traffic from Lisa to Paul?
Router Name ______________ Interface ___________

Where would you place the extended ACL to deny traffic from Paul to Lisa?
Router Name ______________ Interface ___________

Extended Access List Placement

[Diagram: Routers A, B, C, D, E and F (interfaces E1, FA0, FA1, S0 and S1); computers belonging to Sarah, Jackie, Linda, Melvin, Jim, Jeff, George, Kathy, Carrol, Ricky, Jenny and Amanda. Other labels on the page: Router D FA0, Router F FA1.]

1. Where would you place an ACL to deny traffic from Jeff's computer from reaching George's computer?
Router Name _________________ Interface ____________________

2. Where would you place an extended access list to permit traffic from Jackie's computer to reach Linda's computer?
Router Name _________________ Interface ____________________

3. Where would you place an extended access list to deny traffic to Carrol's computer from Ricky's computer?
Router Name _________________ Interface ____________________

4. Where would you place an extended access list to deny traffic to Sarah's computer from Jackie's computer?
Router Name _________________ Interface ____________________

5. Where would you place an extended access list to permit traffic from Carrol's computer to reach Jeff's computer?
Router Name _________________ Interface ____________________

6. Where would you place an extended access list to deny traffic from Melvin's computer from reaching Jeff's and Jim's computers?
Router Name _________________ Interface ____________________

7. Where would you place an extended access list to permit traffic from George's computer to reach Jeff's computer?
Router Name _________________ Interface ____________________

8. Where would you place an extended access list to permit traffic from Jim's computer to reach Carrol's and Amanda's computers?
Router Name _________________ Interface ____________________

9. Where would you place an ACL to deny traffic from Linda's computer from reaching Kathy's computer?
Router Name _________________ Interface ____________________

10. Where would you place an extended access list to deny traffic to Jenny's computer from Sarah's computer?
Router Name _________________ Interface ____________________

11. Where would you place an extended access list to permit traffic from George's computer to reach Linda's and Sarah's computers?
Router Name _________________ Interface ____________________

12. Where would you place an extended access list to deny traffic from Linda's computer from reaching Jenny's computer?
Router Name _________________ Interface ____________________

Choosing to Filter Incoming or Outgoing Packets

Access Lists on your incoming port...
...require less CPU processing.
...filter and deny packets before the router has to make a routing decision.

Access Lists on your outgoing port...
...are the default direction: an access list applied to an interface is outbound unless otherwise specified.
...increase the CPU processing time, because the routing decision is made and the packet is switched to the correct outgoing port before it is tested against the ACL.

Breakdown of a Standard ACL Statement

access-list 1 permit 192.168.90.36 0.0.0.0

  access-list     keyword that starts every numbered ACL statement
  1               access-list number, 1 to 99 for a standard IP list
  permit          permit or deny
  192.168.90.36   source address
  0.0.0.0         wildcard mask (0.0.0.0 means every bit must match, i.e. this one host)

access-list 78 deny host 192.168.90.36 log

  78              access-list number, 1 to 99
  deny            permit or deny
  host            indicates a specific host address (the same as a wildcard mask of 0.0.0.0)
  192.168.90.36   source address
  log             (optional) generates a log entry on the router for each packet that matches this statement

Breakdown of an Extended ACL Statement

access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0

  125             access-list number, 100 to 199 for an extended IP list
  permit          permit or deny
  ip              protocol
  192.168.90.36   source address
  0.0.0.0         source wildcard mask
  192.175.63.12   destination address
  0.0.0.0         destination wildcard mask

access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log

  178             access-list number, 100 to 199
  deny            permit or deny
  tcp             protocol (ip, icmp, tcp, udp, etc.)
  host            indicates a specific host
  192.168.90.36   source address
  host            indicates a specific host
  192.175.63.12   destination address
  eq              operator: eq for =, gt for >, lt for
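The statement forms broken down on this page and the previous one (standard with a wildcard mask or the host keyword, extended with protocol, source, destination, a port operator and the optional log keyword) parsed and applied to a packet, as an added example that is not code from the workbook. The number ranges come from the inside-cover table; the packets are constructed, and the function names (parse_statement, statement_matches) are hypothetical. Only a single statement is matched here; walking a whole list top to bottom with the implicit deny is the same loop as on the general-information page:

```python
import ipaddress

PROTOCOLS = {"ip", "icmp", "tcp", "udp"}
OPERATORS = {
    "eq":  lambda port, value: port == value,
    "gt":  lambda port, value: port > value,
    "lt":  lambda port, value: port < value,
    "neq": lambda port, value: port != value,
}
STANDARD_RANGES = ((1, 99), (1300, 1999))      # IP standard, from the inside-cover table
EXTENDED_RANGES = ((100, 199), (2000, 2699))   # IP extended

def _in_ranges(number, ranges):
    return any(lo <= number <= hi for lo, hi in ranges)

def _address(tokens):
    """Consume 'host A', 'any' or 'A WILDCARD' and return (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"                 # one host
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"             # every address
    return tok, tokens.pop(0)

def parse_statement(line):
    """Parse one 'access-list N permit|deny ...' line into a dict."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 4:
        raise ValueError("not an access-list statement: " + line)
    number, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny, got " + action)
    entry = {"number": number, "action": action, "log": False}
    rest = tokens[3:]
    if _in_ranges(number, STANDARD_RANGES):
        entry["kind"] = "standard"
        # IOS lets a standard statement omit the wildcard; that means one host.
        if rest[0] not in ("host", "any") and (len(rest) == 1 or rest[1] == "log"):
            rest.insert(1, "0.0.0.0")
        entry["src"] = _address(rest)
    elif _in_ranges(number, EXTENDED_RANGES):
        entry["kind"] = "extended"
        entry["protocol"] = rest.pop(0)
        if entry["protocol"] not in PROTOCOLS:
            raise ValueError("unsupported protocol " + entry["protocol"])
        entry["src"] = _address(rest)
        entry["dst"] = _address(rest)
        if rest and rest[0] in OPERATORS:
            if entry["protocol"] not in ("tcp", "udp"):
                raise ValueError("port operators only apply to tcp or udp")
            entry["port"] = (rest.pop(0), int(rest.pop(0)))
    else:
        raise ValueError(f"{number} is not an IP standard or extended list number")
    if rest and rest[0] == "log":
        entry["log"] = True
        rest.pop(0)
    if rest:
        raise ValueError("unparsed tokens: " + " ".join(rest))
    return entry

def _wild(addr, base_and_wildcard):
    base, wildcard = base_and_wildcard
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)            # 1 bits in the wildcard are 'don't care'

def statement_matches(entry, pkt):
    """pkt: dict with src, dst, protocol and, for tcp/udp, dst_port."""
    if not _wild(pkt["src"], entry["src"]):
        return False
    if entry["kind"] == "standard":
        return True                                      # source address only
    if entry["protocol"] != "ip" and entry["protocol"] != pkt["protocol"]:
        return False                                     # 'ip' covers every protocol
    if not _wild(pkt["dst"], entry["dst"]):
        return False
    if "port" in entry:
        operator, value = entry["port"]
        return OPERATORS[operator](pkt["dst_port"], value)
    return True

# The four statements broken down on these two pages, plus constructed packets.
PAGE_STATEMENTS = [
    "access-list 1 permit 192.168.90.36 0.0.0.0",
    "access-list 78 deny host 192.168.90.36 log",
    "access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0",
    "access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log",
]
TELNET = {"src": "192.168.90.36", "dst": "192.175.63.12", "protocol": "tcp", "dst_port": 23}
WEB    = {"src": "192.168.90.36", "dst": "192.175.63.12", "protocol": "tcp", "dst_port": 80}

if __name__ == "__main__":
    for line in PAGE_STATEMENTS:
        entry = parse_statement(line)
        print(entry["number"], entry["kind"], "telnet:", statement_matches(entry, TELNET),
              "web:", statement_matches(entry, WEB))
```

Statement 178 matches the telnet packet and not the web packet, because the port operator is part of the match; statement 78 matches both, because a standard list never looks past the source address. The parser refuses a number outside the IP standard and extended ranges, which is the same check the router makes when you type the statement.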