Download pdf - CCNA Access List Workbook With Answers

0.0.0.0

permitE

xtendedA

CL

Standard

access-groupdeny

access-list

ACL

Wildcard Mask

Any

AccessLists

WorkbookVersion 1.0

Instructor’s Edition

Inside Cover

IP StandardIP ExtendedEthernet Type CodeEthernet AddressDECnet and Extended DECnetXNSExtended XNSAppletalk48-bit MAC AddressesIPX StandardIPX ExtendedIPX SAP (service advertisement protocol)

IPX SAP SPXExtended 48-bit MAC AddressesIPX NLSPIP Standard, expanded rangeIP Extended, expanded rangeSS7 (voice)Standard VinesExtended VinesSimple VinesTransparent bridging (protocol type)Transparent bridging (vender type)Extended Transparent bridgingSource-route bridging (protocol type)Source-route bridging (vender type)

Access-List Numbers9919929979939949959969979989999910991099119912991999269929991002003002997991199299799

1100200700300400500600700800900

1000100011001200130020002700

1101201200700

1100200700

totototototototototototototototototototototototototo

Produced by: Robb [email protected]

Frederick County Career & Technology CenterCisco Networking Academy

Frederick County Public SchoolsFrederick, Maryland, USA

Special Thanks to Melvin Baker and Jim Dorschfor taking the time to check this workbook for errors.

Instructors (and anyone else for that matter) please do not post the Instructors version on public websites.When you do this your giving everyone else worldwide the answers. Yes, students look for answers this way.

It also discourages others; myself included, from posting high quality materials.

1

ACLs......are a sequential list of instructions that tell a router which packets to permit or deny.

The router checks to see if the packet is routable. If it is it looks upthe route in its routing table.

The router then checks for an ACL on that outbound interface.

If there is no ACL the router switches the packet out that interface to itsdestination.

If there is an ACL the router checks the packet against the access liststatements sequentially. Then permits or denys each packet as it ismatched.

If the packet does not match any statement written in the ACL it isdenyed because there is an implicit “deny any” statement at the end ofevery ACL.

General Access Lists Information Access Lists...

...are read sequentially.

...are set up so that as soon as the packet matches a statement it stops comparing and permits or denys the packet....need to be written to take care of the most abundant traffic first....must be configured on your router before you can deny packets....can be written for all supported routed protocols; but each routed protocol must have a different ACL for each interface....must be applied to an interface to work.

What are Access Control Lists?

How routers use Access Lists(Outbound Port - Default)

Standard Access ListsStandard Access Lists...

...are numbered from 1 to 99.

...filter (permit or deny) only source addresses.

...do not have any destination information so it must placed as close to the destination as possible....work at layer 3 of the OSI model.

2

Why standard ACLs are placed close to thedestination.

If you want to block traffic from Juan’s computer from reachingJanet’s computer with a standard access list you would place theACL close to the destination on Router D, interface E0. Sinceits using only the source address to permit or deny packets theACL here will not effect packets reaching Routers B, or C.

Router A

Router B

Router C

Router D

If you place the ACL on router A to block traffic to Router Dit will also block all packets going to Routers B, and C;because all the packets will have the same source address.

Juan’sComputer

Janet’sComputer

Jimmy’sComputer

Matt’sComputer

E0

E0 E0

E0

S0

S1 S0

S0S1

S1

3

Lisa’sComputer

Standard Access List PlacementSample Problems

In order to permit packets from Juan’s computer to arrive atJan’s computer you would place the standard access list atrouter interface ______.FA1

Lisa has been sending unnecessary information to Paul. Wherewould you place the standard ACL to deny all traffic from Lisa to Paul?Router Name ______________ Interface ___________

Where would you place the standard ACL to deny traffic from Paul toLisa?Router Name ______________ Interface ___________

Router B E1

Router A E0

Paul’sComputer

FA1FA0

Router A

Juan’sComputer

Jan’sComputer

S0S1

E0 E1

Router BRouter A

S0 S1E0 FA1

S0S1

Router B

Router C

Standard Access List Placement

4

Router A

S0S1

E0 FA1

Sarah’sComputer

Jackie’sComputer

Router FRouter E

Router D

S1

S0

S1

E0

S1

Linda’sComputer

Melvin’sComputer

Jim’sComputer

Jeff’sComputer

George’sComputer

Kathy’sComputer

Carrol’sComputer

Ricky’sComputer

Jenny’sComputer

Amanda’sComputer

5

Router DE0

Standard Access List Placement1. Where would you place a standard access list topermit traffic from Ricky’s computer to reach Jeff’scomputer?

2. Where would you place a standard access list todeny traffic from Melvin’s computer from reachingJenny’s computer?

3. Where would you place a standard access list todeny traffic to Carrol’s computer from Sarah’scomputer?

4. Where would you place a standard access list topermit traffic from Ricky’s computer to reach Jeff’scomputer?

5. Where would you place a standard access list todeny traffic from Amanda’s computer from reachingJeff and Jim’s computer?

6. Where would you place a standard access list topermit traffic from Jackie’s computer to reach Linda’scomputer?

7. Where would you place a standard access list topermit traffic from George’s computer to reach Carroland Amanda’s computer?

8. Where would you place a standard access list todeny traffic to Jenny’s computer from Jackie’scomputer?

9. Where would you place a standard access list topermit traffic from George’s computer to reach Lindaand Sarah’s computer?

10. Where would you place an ACL to deny traffic fromJeff’s computer from reaching George’s computer?

11. Where would you place a standard access list todeny traffic to Sarah’s computer from Ricky’scomputer?

12. Where would you place an ACL to deny traffic fromLinda’s computer from reaching Jackie’s computer?

Router Name_________________Interface ____________________












Router AE0

Router CFA1

Router DE0

Router DE0

Router EE0

Router CFA1

Router AE0

Router EE0

Router CFA1

Router EE0

Router FFA1

Extended Access Lists......are numbered from 100 to 199....filter (permit or deny) based on the: source address

destination addressprotocolport number

... are placed close to the source.

...work at both layer 3 and 4 of the OSI model.

Extended Access Lists

Why extended ACLs are placed close to the source.

If you want to deny traffic from Juan’s computer from reachingJanet’s computer with an extended access list you would placethe ACL close to the source on Router A, interface E0. Since itcan permit or deny based on the destination address it can reducebackbone overhead and not effect traffic to Routers B, or C.

If you place the ACL on Router E to block traffic from RouterA, it will work. However, Routers B, and C will have to routethe packet before it is finally blocked at Router E. Thisincreases the volume of useless network traffic.

6

Router A

Router B

Router C

Router D

Juan’sComputer

Janet’sComputer

Jimmy’sComputer

Matt’sComputer

E0

FA0

E0

E0

S0

S1 S0

S0S1

S1

7

Juan’sComputer

Jan’sComputer

Extended Access List PlacementSample Problems

In order to permit packets from Juan’s computer to arrive atJan’s computer you would place the extended access list atrouter interface ______.E0

Lisa has been sending unnecessary information to Paul. Where wouldyou place the extended ACL to deny all traffic from Lisa to Paul?Router Name ______________ Interface ___________

Where would you place the extended ACL to deny traffic from Paul toLisa?Router Name ______________ Interface ___________

Router A FA0

Router B FA1

E1E0

Router A

S0S1

FA0 FA1

Router BRouter A

Lisa’sComputer

Paul’sComputer

8

S0 S1FA0 E1

S0S1

Router B

Router C

Extended Access List Placement

Router A

S0S1FA0 FA1

Sarah’sComputer

Jackie’sComputer

Router FRouter E

Router D

S1

S0

S1

FA0

S1

Linda’sComputer

Melvin’sComputer

Jim’sComputer

Jeff’sComputer

George’sComputer

Kathy’sComputer

Carrol’sComputer

Ricky’sComputer

Jenny’sComputer Amanda’s

Computer

9

Extended Access List PlacementRouter Name_________________Interface ____________________












1. Where would you place an ACL to deny traffic fromJeff’s computer from reaching George’s computer?

2. Where would you place an extended access list topermit traffic from Jackie’s computer to reach Linda’scomputer?

3. Where would you place an extended access list todeny traffic to Carrol’s computer from Ricky’scomputer?

4. Where would you place an extended access list todeny traffic to Sarah’s computer from Jackie’scomputer?

5. Where would you place an extended access list topermit traffic from Carrol’s computer to reach Jeff’scomputer?

6. Where would you place an extended access list todeny traffic from Melvin’s computer from reaching Jeffand Jim’s computer?

7. Where would you place an extended access list topermit traffic from George’s computer to reach Jeff’scomputer?

8. Where would you place an extended access list topermit traffic from Jim’s computer to reach Carrol andAmanda’s computer?

9. Where would you place an ACL to deny traffic fromLinda’s computer from reaching Kathy’s computer?

10. Where would you place an extended access listto deny traffic to Jenny’s computer from Sarah’scomputer?

11. Where would you place an extended access list topermit traffic from George’s computer to reach Lindaand Sarah’s computer?

12. Where would you place an extended access listto deny traffic from Linda’s computer from reachingJenny’s computer?

Router DFA0

Router FFA1

Router AFA0

Router FFA1

Router CE1

Router FFA1

Router CE1

Router DFA0

Router EFA0

Router EFA0

Router CE1

Router EFA0

Access Lists on your incoming port......requires less CPU processing....filters and denys packets before the router has to make a routing decision.

Access Lists on your outgoing port......are outbound by default unless otherwise specified....increases the CPU processing time because the routing decision is made and the packet switched to the correct outgoing port before it is tested against the ACL.

Choosing to Filter Incoming or Outgoing Packets

Breakdown of a Standard ACL Statement

access-list 1 permit 192.168.90.36 0.0.0.0

permitor

deny

autonomousnumber1 to 99

sourceaddress

wildcardmask

access-list 78 deny host 192.168.90.36 log

permit or deny

autonomousnumber1 to 99

sourceaddress

indicates aspecific host

address

(Optional)generates a logentry on the

router for eachpacket thatmatches thisstatement

10

Breakdown of an Extended ACL Statement

access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0

permit or deny

autonomousnumber

100 to 199

sourcewildcard

mask

destinationaddress

destinationwildcard

mask

access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log

permitor

deny

autonomousnumber

100 to 199

sourceaddress

indicates aspecific

host

protocolicp,

icmp,tcp, udp,

ip,etc.

destinationaddress

operatoreq for =gt for >lt for <neg for =

portnumber

(23 = telnet)

(Optional)generates a logentry on the

router for eachpacket thatmatches thisstatement

protocolicp,

icmp,tcp, udp,

ip,etc.

11

sourceaddress

Protocols Include:IP IGMP IPINIPTCP GRE OSPFUDP IGRP NOSICMP EIGRP Integer 0-255

To match any internet protocol use IP.

indicates aspecific

host

Named ACLs......are standard or extended ACLs which have an alphanumeric name

instead of a number. (ie. 1-99 or 100-199)

Named Access Lists Information Named Access Lists...

...identify ACLs with an intuutive name instead of a number.

...eliminate the limits imposed by using numbered ACLs. (798 for standard and 799 for extended)...provide the ability to modify your ACLs without deleting and reloading the revised access list. It will only allow you to add statements to the end of the exsisting statements....are not compatable with any IOS prior to Release 11.2....can not repeat the same name on multiple ACLs.

What are Named Access Control Lists?

Applying a Standard Named Access Listcalled “George”

Write a named standard access list on Router A, interface E1 to block Melvin’s computerfrom sending information to Kathy’s computer; but will allow all other traffic.

Place the access list at:Router Name: Router AInterface: E1Access-list #: George

[Writing and installing an ACL]

Router# configure terminal (or config t)Router(config)# access-list standard GeorgeRouter(config)# access-list deny host 72.16.70.35Router(config)# access-list permit anyRouter(config)# interface e1Router(config-if)# ip access-group George outRouter(config-if)# exitRouter(config)# exit

12

Creating a Named Access Lists

Ap

ply

ing

an

ext

end

ed N

amed

Acc

ess

Lis

tca

lled

“G

raci

e”

Writ

e a

nam

ed e

xten

ded

acce

ss li

st o

n R

oute

r A, I

nter

face

E0

calle

d “G

raci

e” to

den

y H

TT

P tr

affic

inte

nded

for

web

serv

er 1

92.1

68.2

07.2

7, b

ut w

ill p

erm

it al

l ot

her H

TT

P tr

affic

to re

ach

the

only

the

192.

168.

207.

0 ne

twor

k. D

eny

all o

ther

IP tr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r A

Inte

rfac

e: E

0A

cces

s-lis

t #:

G

raci

e

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)# a

cces

s-list

exte

nded

Graci

eRouter(config)# acc

ess-list

den

y t

cp a

ny h

ost

192

.168.2

07.2

7 e

q w

ww

Router(config)# acc

ess-list

per

mit

tcp

any 1

92

.168.2

07.0

0.0

.0.2

55

eq w

ww

Router(config)# i

nte

rface

e0

Router(config-if)# i

p a

cces

s-gr

oup G

raci

e in

Router(config-if)# e

xit

Router(config)# e

xit

13

14

Choices for Using Wildcard Masks

Wildcard masks are usually set up to do one of four things:1. Match a specific host.2. Match an entire subnet.3. Match a specific range.4. Match all addresses.

1. Matching a specific host.For standard access lists:

Access-List 10 permit 192.168.150.50 0.0.0.0or

Access-List 10 permit 192.168.150.50or

Access-List 10 permit host 192.168.150.50

For extended access lists:Access-list 110 deny ip 192.168.150.50 0.0.0.0 any

orAccess-list 110 deny ip host 192.168.150.50 any

2. Matching an entire subnetExample 1

Address: 192.168.50.0 Subnet Mask: 255.255.255.0

Access-list 25 deny 192.168.50.0 0.0.0.255

Example 2Address: 172.16.0.0 Subnet Mask: 255.255.0.0

Access-list 12 permit 172.16.0.0 0.0.255.255


Access-list 125 deny udp 10.0.0.0 0.255.255.255 any

(standard ACL’sassume a 0.0.0.0 mask)

15


Access-list 125 permit udp 10.250.50.112.0.0.0.31 any

e Example 2Address Range: 192.168.16.0 to 192.168.16.127

Access-list 125 deny ip 192.168.16.0 0.0.0.127 any(This ACL would block the lower half of the subnet.)

Example 3Address: 172.250.16.32 to 172.250.31.63

Access-list 125 permit ip 172.250.16.32 0.0.15.31 any

4. Match everyone.

For standard access lists:Access-List 15 permit any

orAccess-List 15 deny 0.0.0.0 255.255.255.255

For extended access lists:Access-List 175 permit ip any any

orAccess-List 175 deny tcp 0.0.0.0 255.255.255.255 any

3. Match a specific range

192.-192.

Wildcard: 0.

168.168.

0.

16.16.

0.

1270

127

255.-255.

Wildcard: 0.

255.255.

0.

255.255.

0.

255224

31Custom Subnet mask:

172.-172.

0.

250.250.

0.

31.16.15.

633231Wildcard:

16

Just like a subnet mask the wildcard mask tells the router what part of theaddress to check or ignore. Zero (0) must match exactly, one (1) will beignored.

The source address can be a single address, a range of addresses, oran entire subnet.

As a rule of thumb the wildcard mask is the reverse of the subnet mask.

Example #1:IP Address and subnet mask: 204.100.100.0 255.255.255.0IP Address and wildcard mask: 204.100.100.0 0.0.0.255

All zero’s (or 0.0.0.0) means the address must match exactly.

Example #2:10.10.150.95 0.0.0.0 (This address must match exactly.)

One’s will be ignored.

Example #3:10.10.150.95 0.0.0.255 (Any 10.10.150.0 subnet address will match.

10.10.150.0 to 10.10.150.255)

This also works with subnets.


(Subtract the subnet mask from255.255.255.255 to create the wildcard)

Do the math... 255 - 255 = 0 (This is the inverse of the subnet mask.) 255 - 224 = 31


Do the math... (This is the inverse of the subnet mask.)

Creating Wildcard Masks

---

255255255

2551280

0127255

===

17

Wildcard Mask Problems

1. Create a wildcard mask to match this exact address.IP Address: 192.168.25.70Subnet Mask: 255.255.255.0 ___________________________________

2. Create a wildcard mask to match this range.IP Address: 210.150.10.0Subnet Mask: 255.255.255.0 ___________________________________

3. Create a wildcard mask to match this host.IP Address: 195.190.10.35Subnet Mask: 255.255.255.0 __________________________________

4. Create a wildcard mask to match this range.IP Address: 172.16.0.0Subnet Mask: 255.255.0.0 __________________________________


6. Create a wildcard mask to match this exact address.IP Address: 165.100.0.130Subnet Mask: 255.255.255.192 __________________________________



9. Create a wildcard mask to match this host.IP Address: 10.250.30.2Subnet Mask: 255.0.0.0 __________________________________




0 . 0 . 0 . 0

0 . 0 . 0 . 255

0 . 0 . 0 . 0

0 . 0 . 255 . 255

0 . 255 . 255 . 255

0 . 0 . 0 . 0

0 . 0 . 0 . 31

0 . 0 . 0 . 63

0 . 0 . 0 . 0

0 . 0 . 0 . 7

0 . 0 . 31 . 255

0 . 0 . 0 . 7

Wildcard Mask ProblemsBased on the given information list the usable source addresses or range ofusable source addresses that would be permitted or denied for each accesslist statement.

1. access-list 10 permit 192.168.150.50 0.0.0.0

Answer: __________________________________________________________________

2. access-list 5 permit any

Answer: __________________________________________________________________

3. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments

Answer: __________________________________________________________________

4. access-list 11 deny 210.10.10.0 0.0.0.255

Answer: __________________________________________________________________

5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255

Answer: __________________________________________________________________

6. access-list 171 deny any host 175.18.24.10 fragments

Answer: __________________________________________________________________

7. access-list 105 permit 192.168.15.0 0.0.0.255 any

Answer: __________________________________________________________________

8. access-list 109 permit tcp 172.16.10.0 0.0.0.255 host 192.168.10.1 eq 80

Answer: __________________________________________________________________

9. access-list 111 permit ip any any

Answer: __________________________________________________________________

10. access-list 195 permit udp 172.30.12.0 0.0.0.127 172.50.10.0 0.0.0.255

Answer: __________________________________________________________________

Any address

18

192.168.150.50

195.223.50.1 to 195.223.50.63

210.10.10.1 to 210.10.10.254

192.220.10.1 to 192.220.10.15

Any Address

192.168.15.1 to 192.168.15.254

172.16.10.1 to 172.16.10.254

Any Address

172.30.12.1 to 172.30.12.127

19

11. access-list 110 permit ip 192.168.15.0 0.0.0.3 192.168.30.10 0.0.0.0

Answer: _________________________________________________________________


Answer: _________________________________________________________________


Answer: _________________________________________________________________


Answer: _________________________________________________________________


Answer: _________________________________________________________________

16. access-list 101 Permit ip 192.168.15.0 0.0.0.127 192.168.30.10 0.0.0.0

Answer:__________________________________________________________________


Answer: _________________________________________________________________

18. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 gt 22

Answer: _________________________________________________________________

19. access-list 195 permit icmp 172.85.0.0 0.0.15.255 172.50.10.0 0.0.0.255

Answer: _________________________________________________________________

20. access-list 10 permit 175.15.120.0 0.0.0.255

Answer: _________________________________________________________________

21. access-list 190 permit tcp 172.15.0.0 0.0.15.31 any

Answer: _________________________________________________________________


Answer: _________________________________________________________________

192.168.15.1 to 192.168.15.3

192.168.15.1 to 192.168.15.7

192.168.15.1 to 192.168.15.15

192.168.15.1 to 192.168.15.31

192.168.15.1 to 192.168.15.63

192.168.15.1 to 192.168.15.127

192.168.15.1 to 192.168.15.254

172.16.0.1 to 172.16.1.254

172.85.0.1 to 172.85.15.254

175.15.120.1 to 175.15.120.254

172.15.0.1 to 172.15.15.31

10.0.0.1 to 10.255.255.254

20

Wildcard Mask ProblemsBased on the given information list the usable destination addresses or rangeof usable destination addresses that would be permitted or denied for eachaccess list statement.

1.access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments

Answer: __________________________________________________________________

2. access-list 5 permit any any

Answer: __________________________________________________________________


Answer: __________________________________________________________________

4. access-list 120 deny tcp 172.32.4.0 0.0.0.255 192.220.10.0 0.0.0.15

Answer: __________________________________________________________________


Answer: __________________________________________________________________


Answer: __________________________________________________________________

7. access-list 105 permit any 192.168.15.0 0.0.0.255

Answer: __________________________________________________________________


Answer: __________________________________________________________________

9. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 eq 21

Answer: __________________________________________________________________


Answer: __________________________________________________________________

Any address

172.168.10.1

195.168.50.1 to 195.223.50.63

192.168.30.1 to 192.168.30.63

172.18.10.18

192.168.30.1 to 192.168.30.7

192.168.15.1 to 192.168.15.254

Any Address

172.32.4.1 to 172.32.4.254

192.220.10.1 to 192.220.10.15

WritingStandard Access Lists...

Melvin’sComputer

172.16.70.35

Kathy’sComputer

192.168.90.38

E0 E1

Router A

Frank’sComputer

172.16.70.32

Jim’sComputer

192.168.90.36

22

172.16.70.1 192.168.90.2

Write a standard access list to block Melvin’s computer from sending information to Kathy’scomputer; but will allow all other traffic. Keep in mind that there may be multiple ways many ofthe individual statements in an ACL can be written.

Place the access list at:Router Name: Router AInterface: E1Access-list #: 10


Router# configure terminal (or config t)Router(config)# access-list 10 deny 172.16.70.35

or access-list 10 deny 72.16.70.35 0.0.0.0

or access-list 10 deny host 72.16.70.35

Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255or

access-list 10 permit anyRouter(config)# interface e1Router(config-if)# ip access-group 10 outRouter(config-if)# exitRouter(config)# exit

[Viewing information about existing ACL’s]

Router# show configuration (This will show which access groups are associatedwith particular interfaces)

Router# show access list 10 (This will show detailed information about this ACL)

Standard Access List Sample #1

210.30.28.0

S0

23

Write a standard access list to block Jim’s computer from sending information to Frank’scomputer; but will allow all other traffic from the 192.168.90.0 network. Permit all traffic from the210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Keep in mind thatthere may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:Router Name: Router AInterface: E0Access-list #: 28


Router# configure terminalRouter(config)# access-list 28 deny 192.168.90.36

oraccess-list 28 deny 192.168.90.36 0.0.0.0

oraccess-list 28 deny host 192.168.90.36

Router(config)# access-list 28 permit 192.168.90.0 0.0.0.255Router(config)# access-list 28 permit 210.30.28.0 0.0.0.255Router(config)# interface e0Router(config-if)# ip access-group 28 outRouter(config-if)# exitRouter(config)# exitRouter# copy run start

[Disabling ACL’s]

Router# configure terminalRouter(config)# interface e0Router(config-if)# no ip access-group 28 outRouter(config-if)# exitRouter(config)# exit

[Removing an ACL]

Router# configure terminalRouter(config)# interface e0Router(config-if)# no ip access-group 28 outRouter(config-if)# exitRouter(config)# no access-list 28Router(config)# exit

Standard Access List Sample #2

Write a standard access list to block Debbie’s computer from receiving information fromMichael’s computer; but will allow all other traffic from the 224.190.32.0 network. List all thecommand line options for this problem. Keep in mind that there may be multiple ways many ofthe individual statements in an ACL can be written.

Place the access list at:Router Name: ___________________________Interface: _______________________________Access-list #: ____________________________


Router# configure terminal (or config t)

Router(config)# ________________________________________________________or

________________________________________________________or

________________________________________________________

Router(config)# ________________________________________________________or

______________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)Router(config-if)# exitRouter(config)# exit

S0

S1

FA0

E1

Router BRouter A

224.190.32.1

192.16.32.94

172.16.28.36Michael’sComputer

Debbie’sComputer

224.190.32.16 192.16.32.95

24

Standard Access List Problem #1

FA0

Router BFA035 (1-99)

access-list 35 deny 224.190.32.16

access-list 35 deny host 224.190.32.16

access-list 35 deny 224.190.32.16 0.0.0.0

access-list 35 permit any


FA0

35

Write a standard access list to permit Debbie’s computer to receive information fromMichael’s computer; but will deny all other traffic from the 224.190.32.0 network. Block alltraffic from the 172.16.0.0 network. Permit all other traffic. List all the command line optionsfor this problem. Keep in mind that there may be multiple ways many of the individualstatements in an ACL can be written.




Router(config)# ________________________________________________________or

________________________________________________________or

________________________________________________________

Router(config)#_________________________________________________________

Router(config)#_________________________________________________________

Router(config)#_________________________________________________________or

_______________________________________________________



25



access-list 40 permit 224.190.32.16

access-list 40 permit host 224.190.32.16


access-list 40 deny 224.190.32.0 0.0.255.255

access-list 40 deny 172.16.0.0 0.0.255.255



FA0

40

26

S0

S1

E0

FA1

Router B

Router A

204.90.30.124

10.250.30.35

192.168.88.410.250.30.36

Rodney’sComputer

Jim’sComputer

204.90.30.126

192.168.88.5Carol’sComputer

204.90.30.125

Write a standard access list to block Rodney and Carol’s computer from sending informationto Jim’s computer; but will allow all other traffic from the 204.90.30.0 network. Block all othertraffic. Keep in mind that there may be multiple ways many of the individual statements in anACL can be written.




Router(config)#







access-list 45 deny 204.90.30.125 0.0.0.0



access-list 45 deny 204.90.30.126 0.0.0.0


or

or

or

or

FA1

45

27

Using a minimum number of commands write a standard access list named “Ralph” to blockCarol’s computer from sending information to Jim’s computer; but will permit Jim to receivedata from Rodney. Block the upper half of the 204.90.30.0 range from reaching Jim’scomputer while permitting the lower half of the range. Block all other traffic. For help withblocking the upper half of the range review page 13 or the wildcard mask problems on pages16 and 17. For help with named ACLs review pages 12 and 13.

Place the access list at:Router Name: ___________________________Interface: _______________________________Access-list Name: ____________________________



Router(config)# ________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________




Router BFA1Ralph

access-list standard Ralph

access-list permit 204.90.30.0 0.0.0.127

FA1

Ralph

28

Write a standard access list to block 172.30.225.2 and 172.30.225.3 from sendinginformation to the 212.180.10.0 network; but will allow all other traffic. Keep in mind thatthere may be multiple ways many of the individual statements in an ACL can be written.




Router(config)#

________________________________________________________

________________________________________________________



S0 S1E0 E1

S0S1Router B

Router C

Router A

S1172.30.225.1 212.180.10.5

172.30.225.2

172.30.225.3

212.180.10.6

212.180.10.2


Router CE155 (1-99)



access-list 55 deny 172.30.225.2 0.0.0.0



access-list 55 deny 172.30.225.3 0.0.0.0


E1

55

or

or

or

or

29

Write a standard access list to block and log 212.180.10.2 from sending information to the172.30.225.0 network. Permit and log 212.180.10.6 to send data to the 172.30.225.0 network.Deny all other traffic. Keep in mind that there may be multiple ways many of the individualstatements in an ACL can be written. (Check the example on page 10 for help with the loggingoption.)




Router(config)#

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________




Router AE060 (1-99)

access-list 60 deny 212.180.10.2 log

access-list 60 deny host 212.180.10.2 log

access-list 60 deny 212.180.10.2 0.0.0.0 log

access-list 60 permit 212.180.10.6 log

access-list 60 permit host 212.180.10.6 log

access-list 60 permit 212.180.10.6 0.0.0.0 log

E0

60

or

or

or

or

30

Write a standard access list to block the addresses 192.168.15.1 to 192.168.15.31 fromsending information to the 210.140.15.0 network. Do not permit any traffic from 198.32.10.25to reach the 210.140.15.0 network. Permit all other traffic. For help with this problem reviewpage 13 or the wildcard mask problems on pages 16 and 17.




Router(config)# ________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________



S0

S1

FA0

S0

Router B

Router CRouter A

S1

192.168.15.3 198.32.10.25210.140.15.8


FA1

FA0

192.168.15.172

210.140.15.1

198.32.10.25


access-list 65 deny 192.168.15.0 0.0.0.31



access-list 65 deny 198.32.10.25 0.0.0.0


FA1

65

or

or

31

Write a standard named access list called “Cisco_Lab_A” to permit traffic from the lower half ofthe 198.32.10.0 network to reach 192.168.15.0 network; block the upper half of the addresses.Allow host 198.32.10.192 to reach network 192.168.15.0. Permit all other traffic. For help withthis problem review page 13 or the wildcard masks problems on pages 16 and 17. Forassistance with named ACLs review pages 12 and 13.

Place the access list at:Router Name: ___________________________Interface: _______________________________Access-list Name: ____________________________



Router(config)# ________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________


Router(config-if)# ip access-group __________________ in or out (circle one)Router(config-if)# exitRouter(config)# exit


Router AFA0 Cisco_Lab_A

access-list standard Cisco_Lab_A

access-list permit 198.32.10.0 0.0.0.127

access-list deny 198.32.10.0 0.0.0.255

access-list permit any

FA0

Cisco_Lab_A

32

Write a standard access list to block network 192.168.255.0 from receiving information fromthe following addresses: 10.250.1.1, 10.250.2.1, 10.250.4.1, and the entire 10.250.3.0255.255.255.0 network. Allow all other traffic. Keep in mind that there may be multiple waysmany of the individual statements in an ACL can be written.




Router(config)#

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________




Router AFA075 (1-99)



access-list 75 deny 10.250.1.1 0.0.0.0



access-list 75 deny 10.250.2.1 0.0.0.0



access-list 75 deny 10.250.4.1 0.0.0.0

access-list 75 deny 10.250.3.0 0.0.0.255


or

or

or

or

or

or

75

FA0

WritingExtended Access Lists...

Ext

end

ed A

cces

s L

ist

Sam

ple

#1

Den

y/P

erm

it S

pec

ific

Ad

dre

sses

Joh

n’s

Co

mp

ute

r

17

2.1

6.7

0.3

5

Ce

lest

e’s

Co

mp

ute

r

19

2.1

68

.90

.38

FA

0F

A1

Rou

ter

A

Ga

il’s

Co

mp

ute

r

17

2.1

6.7

0.3

2

Mik

e’s

Co

mp

ute

r

192.

168.

90.3

6

17

2.1

6.7

0.1

19

2.1

68

.90

.2

Writ

e an

ext

ende

d ac

cess

list

to p

reve

nt J

ohn’

s co

mpu

ter f

rom

sen

ding

info

rmat

ion

to M

ike’

s co

mpu

ter;

but

will

allo

w a

ll ot

her

traf

fic.

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of th

e in

divi

dual

sta

tem

ents

in a

n A

CL

can

be w

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r A

Inte

rfac

e: F

A0

Acc

ess-

list #

:110

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)# acc

ess-list

110 d

eny i

p 1

72

.16.7

0.3

5 0

.0.0

.0 1

92

.168.9

0.3

6 0

.0.0

.0or

acc

ess-list

110 d

eny i

p h

ost

172

.16.7

0.3

5 h

ost

192

.168.9

0.3

6Router(config)# acc

ess-list

110 p

erm

it ip a

ny a

ny

or

acc

ess-

list

110 p

erm

it i

p 0.0

.0.0

25

5.2

55

.25

5.2

55

0.0

.0.0

25

5.2

55

.25

5.2

55

Router(config)# in

terfa

ce f

a0

Router(config-if)# ip

acc

ess-gr

oup 1

10 i

nRouter(config-if)# ex

itRouter(config)# ex

it

34

[Vie

win

g in

form

atio

n a

bo

ut e

xist

ing

AC

L’s]

Router# s

how c

onfi

gurati

on

(Thi

s w

ill s

how

whi

ch a

cces

s gr

oups

are

asso

ciat

ed w

ith p

artic

ular

inte

rfac

es)

Router# sho

w a

cces

s lis

t 110

(Thi

s w

ill s

how

det

aile

d in

form

atio

nab

out t

his

AC

L)

Writ

e an

ext

ende

d ac

cess

list

to b

lock

the

172.

16.7

0.0

netw

ork

from

rece

ivin

g in

form

atio

n fr

om M

ike’

s co

mpu

ter a

t 192

.168

.90.

36.

Blo

ck th

e lo

wer

hal

f of t

he ip

add

ress

es fr

om 1

92.1

68.9

0.0

netw

ork

from

reac

hing

Gai

l’s c

ompu

ter a

t 172

.16.

70.3

2. P

erm

it al

l oth

ertr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r A

Inte

rfac

e: F

A1

Acc

ess-

list #

:

1

35

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)# acc

ess-list

135

den

y ip 1

92

.168.9

0.3

6 0

.0.0

.0 1

72

.16.7

0.0

0.0

.0.2

55

or

acc

ess-list

135

den

y i

p h

ost

192

.168.9

0.3

6 1

72

.16.7

0.0

0.0

.0.2

55

Router(config)# acc

ess-list

135

den

y ip 1

92

.168.9

0.0

0.0

.0.1

27 1

72

.16.7

0.3

2 0

.0.0

.0or

acc

ess-list

135

den

y i

p 1

92

.168.9

0.0

0.0

.0.1

27 h

ost

172

.16.7

0.3

2Router(config)# a

cces

s-list

135

per

mit

ip a

ny a

ny

or

ac

cess

-lis

t 13

5 p

erm

it i

p 0.0

.0.0

25

5.2

55

.25

5.2

55

0.0

.0.0

25

5.2

55

.25

5.2

55

Router(config)# inte

rface

fa1


p a

cces

s-gr

oup 1

35

in


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Sam

ple

#2

Den

y/P

erm

it S

pec

ific

Ad

dre

sses

35

[Dis

ablin

g A

CL’

s]

Router# c

onfi

gure

term

inal

Router(config)# i

nte

rfa

ce e

1Router(config-if)# n

o ip a

cces

s-gr

oup 1

35

out

Router(config-if)# ex

itRouter(config)# e

xit

[Rem

ovi

ng

an

AC

L]

Router# c

onfi

gure

term

inal

Router(config)# in

terfa

ce e


o ip a

cces

s-gr

oup 1

35

out


itRouter(config)# n

o a

cces

s-list

135

Router(config)# e

xit

36

Bo

b’s

Co

mp

ute

r

17

2.2

0.7

0.8

0

Jack

ie’s

Co

mp

ute

r

192.

168.

122.

129

FA

0F

A1

Rou

ter

A

Cin

dy’

sC

om

pu

ter

17

2.2

0.7

0.8

9

Jay’

sC

om

pu

ter

192.

168.

122.

128

172.

20.7

0.15

19

2.1

68

.12

2.5

2

Writ

e an

ext

ende

d ac

cess

list

to p

reve

nt J

ay’s

com

pute

r fro

m re

ceiv

ing

info

rmat

ion

from

Cin

dy’s

com

pute

r. P

erm

it al

l oth

er tr

affic

.K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

Router(config)# i

nte

rfa

ce

____

____

__Router(config-if)# i

p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

1D

eny/

Per

mit

Sp

ecif

ic A

dd

ress

es

Rou

ter

BS

0S

1

Route

r A

FA0

105

(100-199)

acc

ess-list

105

den

y i

p h

ost

172

.20.7

0.8

9 h

ost

192

.168.1

22

.12

8

acc

ess-list

105

den

y i

p 1

72

.30.2

25

.2 0

.0.0

.0 1

92

.168.1

22

.12

8 0

.0.0

.0

acc

ess-list

105

per

mit

ip a

ny a

ny

or

10

5F

A0

37

Writ

e an

ext

ende

d ac

cess

list

to b

lock

the

172.

20.7

0.0

255.

255.

255.

0 ne

twor

k fr

om re

ceiv

ing

info

rmat

ion

from

Jac

kie’

s co

mpu

ter a

t19

2.16

8.12

2.12

9. B

lock

the

low

er h

alf o

f the

ip a

ddre

sses

from

192

.168

.122

.0 n

etw

ork

from

reac

hing

Cin

dy’s

com

pute

r at

172.

20.7

0.89

. P

erm

it al

l oth

er tr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

nbe

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

2D

eny/

Per

mit

Sp

ecif

ic A

dd

ress

es

Route

r B

FA1

110

(100-199)

acc

ess-list

110 d

eny i

p h

ost

192

.168.1

22

.12

9 1

72

.20.7

0.0

0.0

.0.2

55

acc

ess-list

110 d

eny i

p 1

92

.168.1

22

.12

9 0

.0.0

.0 1

72

.20.7

0.0

0.0

.0.2

55

acc

ess-list

110 d

eny i

p 1

92

.168.1

22

.0 0

.0.0

.12

7 h

ost

172

.20.7

0.8

9

acc

ess-list

110 d

eny i

p 1

92

.168.1

22

.0 0

.0.0

.12

7 1

72

.20.7

0.8

9 0

.0.0

.0

acc

ess-list

110 p

erm

it ip a

ny a

ny

or

10

5

E1

or

Jan

’sC

om

pu

ter

21

8.3

5.5

0.1

0

Ra

cha

el’s

Co

mp

ute

r

17

2.5

9.2

.18

E0

FA

1

Rou

ter

A

Jua

n’s

Co

mp

ute

r

21

8.3

5.5

0.1

2R

eb

ecc

a’s

Co

mp

ute

r

17

2.5

9.2

.15

21

8.3

5.5

0.1

17

2.5

9.2

.1

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

3D

eny/

Per

mit

Sp

ecif

ic A

dd

ress

es

Rou

ter

B

S0

S1

38

Route

r B

FA1

L

ab_

166

acc

ess-list

exte

nded

Lab_

166

acc

ess-list

per

mit

ip h

ost

172

.59.2

.18 h

ost

218.3

5.5

0.1

0

acc

ess-list

per

mit

ip 1

72

.59.2

.18 0

.0.0

.0 2

18.3

5.5

0.1

0 0

.0.0

.0or

Lab

_16

6F

A1

Writ

e a

nam

ed e

xten

ded

acce

ss li

st c

alle

d “L

ab_1

66” t

o pe

rmit

Jan’

s co

mpu

ter a

t 218

.35.

50.1

0 to

rece

ive

pack

ets

from

Rac

hael

’sco

mpu

ter a

t 172

.59.

2.18

; but

not

Reb

ecca

’s c

ompu

ter a

t 172

.59.

2.15

. D

eny

all o

ther

pac

kets

. K

eep

in m

ind

that

ther

e m

ay b

em

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

Nam

e: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

___

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

___

Router(config)# in

terfa

ce _

____

____

___


acc

ess-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


itRouter(config)# ex

it

Writ

e an

ext

ende

d ac

cess

list

to a

llow

Jua

n’s

com

pute

r at 2

18.3

5.50

.12

to s

end

info

rmat

ion

to R

ebec

ca’s

com

pute

r at 1

72.5

9.2.

15;

but n

ot R

acha

el’s

com

pute

r at 1

72.5

9.2.

18.

Per

mit

all o

ther

traf

fic.

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of th

ein

divi

dual

sta

tem

ents

in a

n A

CL

can

be w

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)

Router((config-if)# e

xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

4D

eny/

Per

mit

Sp

ecif

ic A

dd

ress

es

39

Route

r A

E0

12

0(100-199)

acc

ess-list

12

0 d

eny i

p h

ost

218.3

5.5

0.1

2 h

ost

172

.59.2

.18

acc

ess-list

12

0 d

eny i

p 2

18.3

5.5

0.1

2 0

.0.0

.0 1

72

.59.2

.18 0

.0.0

.0

acc

ess-list

12

0 p

erm

it ip a

ny a

ny

115

FA1

or

Cin

dy’

sC

om

pu

ter

19

2.1

6.2

0.6

Ba

rbra

’sC

om

pu

ter

19

2.1

8.5

0.1

2

E0

Rou

ter

A

Ra

lph

’sC

om

pu

ter

19

2.1

6.2

0.7

Bo

b’s

Co

mp

ute

r

19

2.1

8.5

0.1

1

Writ

e an

ext

ende

d ac

cess

list

to p

erm

it th

e 19

2.16

.20.

0 ne

twor

k to

rece

ive

pack

ets

from

the

192.

18.5

0.0

netw

ork.

Den

y al

l oth

ertr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r B

Inte

rfac

e: E

1A

cces

s-lis

t #:

111

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)# acc

ess-list

111 p

erm

it ip 1

92

.18.5

0.0

0.0

.0.2

55

192

.168.2

0.0

0.0

.0.2

55

Router(config)# a

cces

s-list

111 d

eny ip a

ny a

ny

or

acc

ess-

list

111 d

eny i

p 0.0

.0.0

25

5.2

55

.25

5.2

55

0.0

.0.0

25

5.2

55

.25

5.2

55


rface

e1


p a

cces

s-gr

oup 1

11 in


xit

Router(config)# e

xit

19

2.1

6.2

0.5

S0

S1

192.

18.5

0.10

E1

Rou

ter

B

[Vie

win

g in

form

atio

n a

bo

ut e

xist

ing

AC

L’s]

Router# s

how c

onfi

gurati

on

(Thi

s w

ill s

how

whi

ch a

cces

s gr

oups

are

ass

ocia

ted

with

par

ticul

ar in

terf

aces

)

Router# sho

w a

cces

s lis

t 111

(Thi

s w

ill s

how

det

aile

d in

form

atio

n ab

out t

his

AC

L)

40

Ext

end

ed A

cces

s L

ist

Sam

ple

#3

Den

y/P

erm

it E

nti

re R

ang

es

Writ

e an

ext

ende

d ac

cess

list

to b

lock

the

192.

18.5

0.0

netw

ork

from

rece

ivin

g in

form

atio

n fr

om th

e 19

2.16

.20.

0 ne

twor

k. P

erm

it al

lot

her t

raffi

c. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r A

Inte

rfac

e: E

0A

cces

s-lis

t #:

188

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)# acc

ess-list

188 d

eny ip 1

92

.16.2

0.0

0.0

.0.2

55

192

.18.5

0.0

0.0

.0.2

55

Router(config)# a

cces

s-list

188 p

erm

it ip a

ny a

ny

or

a

cces

s-list

188

per

mit

ip

0.0

.0.0

25

5.2

55

.25

5.2

55

0.0

.0.0

25

5.2

55

.25

5.2

55

Router(config)# i

nte

rface

e0


p a

cces

s-gr

oup 1

88 in


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Sam

ple

#4

Den

y/P

erm

it E

nti

re R

ang

es

[Dis

ablin

g A

CL’

s]

Router# c

onfi

gure

term

inal

Router(config)# i

nte

rfa

ce e


o ip a

cces

s-gr

oup 1

88 o

ut


itRouter(config)# e

xit

[Rem

ovi

ng

an

AC

L]

Router# c

onfi

gure

term

inal

Router(config)# i

nte

rfa

ce e


o ip a

cces

s-gr

oup 1

88 o

ut


itRouter(config)# n

o a

cces

s-list

188

Router(config)# e

xit

41

Writ

e an

ext

ende

d ac

cess

list

to p

erm

it ne

twor

k 20

4.95

.150

.0 to

sen

d pa

cket

s to

net

wor

k 17

2.59

.0.0

, but

not

the

210.

250.

10.0

netw

ork.

Per

mit

all o

ther

traf

fic.

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of th

e in

divi

dual

sta

tem

ents

in a

n A

CL

can

bew

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____


rfa

ce _

____

____

___


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Ra

che

l’sC

om

pu

ter

204.

95.1

50.1

0

Da

vid

’sC

om

pu

ter

17

2.5

9.2

.18

FA

0

FA

1

Rou

ter

A

Tod

d’s

Co

mp

ute

r

204.

95.1

50.1

2

Re

be

cca

’sC

om

pu

ter

17

2.5

9.2

.15

204.

95.1

50.1

1

17

2.5

9.2

.1

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

5

D

eny/

Per

mit

En

tire

Ran

ges

Rou

ter

B

S0

S1

42

21

0.2

50

.10

.0

S0

Route

r B

FA1

125

(100-199)

acc

ess-list

12

5 d

eny i

p 2

04.9

5.1

50.0

0.0

.0.2

55

210.2

50.1

0.0

0.0

.0.2

55

acc

ess-list

12

5 p

erm

it ip a

ny a

ny

125

FA0

Writ

e an

ext

ende

d ac

cess

list

to a

llow

Rac

hel’s

com

pute

r at 2

04.9

5.15

0.10

to re

ceiv

e in

form

atio

n fr

om th

e 17

2.59

.0.0

net

wor

k.D

eny

all o

ther

hos

ts o

n th

e 20

4.95

.150

.0 n

etw

ork

acce

ss fr

om th

e 17

2.59

.2.0

net

wor

k. P

erm

it al

l oth

er tr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

6

D

eny/

Per

mit

En

tire

Ran

ges

43

Route

r B

FA1

130

(100-199)

acc

ess-list

130 p

erm

it i

p 1

72

.59.0

.0 0

.0.2

55

.25

5 h

ost

204.9

5.1

50.1

0

acc

ess-list

130 p

erm

it i

p 1

72

.59.0

.0 0

.0.2

55

.25

5 2

04.9

5.1

50.1

0 0

.0.0

.0

acc

ess-list

130 d

eny i

p 1

72

.59.0

.0 0

.0.2

55

.25

5 2

04.9

5.1

50.0

0.0

.02

55

acc

ess-list

130 p

erm

it a

ny a

ny

130

FA1

or

44

Ph

yllis

’sC

om

pu

ter

17

2.1

20

.17

0.4

5

De

nis

e’s

Co

mp

ute

r

19

2.1

68

.50

.4

E0

E1

Rou

ter

A

Tom

my’

sC

om

pu

ter

172.

120.

170.

45T

im’s

Co

mp

ute

r

19

2.1

68

.50

.3

172.

120.

170.

451

92

.16

8.5

0.2

Writ

e a

nam

ed e

xten

ded

acce

ss li

st c

alle

d “G

odzi

lla” t

o pr

even

t the

172

.120

.0.0

net

wor

k fr

om s

endi

ng in

form

atio

n to

the

210.

168.

70.0

, an

d 10

.250

.1.0

255

.255

.255

.0 n

etw

orks

; but

will

per

mit

traf

fic to

the

192.

168.

50.0

net

wor

k. P

erm

it al

l oth

er tr

affic

.K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

Nam

e: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

___

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce _

____

____

___


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

7D

eny/

Per

mit

En

tire

Ran

ges

Rou

ter

BS

0S

1

10

.25

0.1

.02

10

.16

8.7

0.0

E1

S0

Route

r A

E

0 G

odzi

lla

acc

ess-list

exte

nded

Godzi

lla

acc

ess-list

den

y i

p 1

72

12

0.0

.0 0

.0.2

55

.25

5 2

10.1

68.7

0.0

0.0

.0.2

55

acc

ess-list

den

y i

p 1

72

.12

0.0

.0 0

.0.2

55

.25

5 1

0.2

50.1

.0 0

.0.0

.25

5

acc

ess-list

per

mit

ip a

ny a

ny

Godzilla

E0

45

Ass

umin

g de

faul

t sub

net m

asks

writ

e an

ext

ende

d ac

cess

list

to p

erm

it T

im a

t 192

.168

.50.

3 to

rece

ive

data

from

the

172.

120.

0.0

netw

ork.

A

llow

the

192.

168.

50.0

net

wor

k to

rece

ive

info

rmat

ion

from

Phy

llis’

s co

mpu

ter a

t 172

.120

.170

.45.

Den

y al

l oth

er tr

affic

.K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

8D

eny/

Per

mit

En

tire

Ran

ges

Route

r A

E0

140

(100-199)

acc

ess-list

140 p

erm

it i

p 1

72

.12

0.0

.0 0

.0.2

55

.25

5 h

ost

192

.168.5

0.3

acc

ess-list

140 p

erm

it i

p 1

72

.12

0.0

.0 0

.0.2

55

.25

5 1

92

.168.5

0.3

0.0

.0.0

acc

ess-list

140 p

erm

it i

p h

ost

172

.12

0.1

70.4

5 1

92

.168.5

0.0

0.0

.0.2

55

acc

ess-list

140 p

erm

it i

p 1

72

.12

0.1

70.4

5 0

.0.0

.0 1

92

.168.5

0.0

0.0

.0.2

55

140

E0

or

or

Ro

dn

ey’

sC

om

pu

ter

192.

168.

15.4

4

Fra

nk’

sC

om

pu

ter

17

2.2

1.5

0.9

7

FA

0Rou

ter

A

Jim

’sC

om

pu

ter

192.

168.

15.4

3

Ca

rol’s

Co

mp

ute

r

17

2.2

1.5

0.9

6

Writ

e an

ext

ende

d ac

cess

list

to d

eny

the

first

15

usab

le a

ddre

sses

of t

he 1

92.1

68.1

5.0

netw

ork

from

reac

hing

the

172.

21.0

.0ne

twor

k. P

erm

it a

ll ot

her t

raffi

c. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r A

Inte

rfac

e: F

A0

Acc

ess-

list #

:

1

85

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)# acc

ess-list

185

den

y ip 1

92

.168.1

5.0

0.0

.0.1

5 1

72

.21.5

0.0

0.0

.25

5.2

55

Router(config)# a

cces

s-list

185

per

mit

ip a

ny a

ny

or

acc

ess-

list

185

per

mit

ip

0.0

.0.0

25

5.2

55

.25

5.2

55

0.0

.0.0

25

5.2

55

.25

5.2

55


rface

fa1


p a

cces

s-gr

oup 1

85

in


xit

Router(config)# e

xit

Ext

end

ed A

cces

s L

ist

Sam

ple

#5

Den

y/P

erm

it a

Ran

ge

of A

dd

ress

es

192.

168.

15.2

0

S0

S1

172.

21.5

0.95

E1

Rou

ter

B

46

[Vie

win

g in

form

atio

n a

bo

ut e

xist

ing

AC

L’s]

Router# s

how c

onfi

gurati

on

(Thi

s w

ill s

how

whi

ch a

cces

s gr

oups

are

ass

ocia

ted

with

par

ticul

ar in

terf

aces

)

Router# s

how a

cces

s lis

t 185

(Thi

s w

ill s

how

det

aile

d in

form

atio

n ab

out t

his

AC

L)

Writ

e an

ext

ende

d ac

cess

list

whi

ch w

ill a

llow

the

low

er h

alf o

f 192

.168

.15.

0 ne

twor

k ac

cess

to th

e 17

2.21

.50.

0 ne

twor

k. D

eny

all

othe

r tra

ffic.

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of t

he in

divi

dual

sta

tem

ents

in a

n A

CL

can

be w

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r A

Inte

rfac

e: F

A0

Acc

ess-

list #

:

1

21

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)# acc

ess-list

12

1 p

erm

it ip 1

92

.168.1

5.0

0.0

.0.1

27 1

72

.21.5

0.0

0.0

.0.2

55

Router(config)# a

cces

s-list

12

1 d

eny ip a

ny a

ny

or

ac

cess

-lis

t 12

1 den

y ip

0.0

.0.0

25

5.2

55

.25

5.2

55

0.0

.0.0

25

5.2

55

.25

5.2

55


rface

fa0

Router(config-if)# ip a

cces

s-gr

oup 1

21 in


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Sam

ple

#6

Den

y/P

erm

it a

Ran

ge

of A

dd

ress

es

[Dis

ablin

g A

CL’

s]

Router# c

onfi

gure

term

inal

Router(config)# i

nte

rfa

ce f

a0

Router(config-if)# no ip a

cces

s-gr

oup 1

21 in


itRouter(config)# e

xit

[Rem

ovi

ng

an

AC

L]

Router# c

onfi

gure

term

inal

Router(config)# i

nte

rfa

ce f

a0

Router(config-if)# no ip a

cces

s-gr

oup 1

21 in


itRouter(config)# n

o a

cces

s-list

121

Router(config)# e

xit

47

Writ

e an

ext

ende

d ac

cess

list

to p

reve

nt th

e fir

st 3

1 us

able

add

ress

es in

the

192

.168

.125

.0 n

etw

ork

from

reac

hing

the

192.

168.

195.

0 ne

twor

k. P

erm

it al

l oth

er tr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

Router(config)# i

nte

rfa

ce _

____

____

___


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

9D

eny/

Per

mit

a R

ang

e o

f Ad

dre

sses

Joh

n’s

Co

mp

ute

r

192.

168.

195.

88

Ce

lest

e’s

Co

mp

ute

r

192.

168.

125.

108

E0

E1

Rou

ter

A

Ga

il’s

Co

mp

ute

r

192.

168.

195.

145

Mik

e’s

Co

mp

ute

r

192.

168.

125.

17

192.

168.

195.

9019

2.16

8.12

5.25

4

48

172.

31.1

95.0

S0

Route

r A

E1

145

(100-199)

acc

ess-list

145

den

y i

p 1

92

.168.1

25

.0 0

.0.0

.31 1

92

.168.1

95

.0 0

.0.0

.25

5

acc

ess-list

145

per

mit

ip a

ny a

ny

145

E1

49

Writ

e a

nam

ed e

xten

ded

acce

ss li

st c

alle

d “M

edia

_Cen

ter”

to p

erm

it th

e ra

nge

of a

ddre

sses

from

172

.31.

195.

1 th

roug

h17

2.31

.195

.7 t

o se

nd d

ate

to th

e 19

2.16

8.12

5.0

netw

ork.

Den

y al

l oth

er tr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

yof

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

Nam

e: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

____

___

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

10D

eny/

Per

mit

a R

ang

e o

f Ad

dre

sses

Route

r A

S

0

M

edia

_C

ente

r

acc

ess-list

exte

nded

Med

ia_

Cen

ter

acc

ess-list

per

mit

ip 1

72

.31.1

95

.0 0

.0.0

.7 1

92

.168.1

25

.0 0

.0.0

.25

5

Med

ia_

Cen

ter

S0

Cin

dy’

sC

om

pu

ter

19

2.1

6.2

0.6

Ba

rbra

’sC

om

pu

ter

17

2.1

8.5

0.1

2

FA

0R

oute

r A

Ra

lph

’sC

om

pu

ter

19

2.1

6.2

0.7

Bo

b’s

Co

mp

ute

r

17

2.1

8.5

0.1

1B

rad

’sC

om

pu

ter

17

2.2

2.7

5.1

0Jill’

sC

om

pu

ter

17

2.2

2.7

5.9

19

2.1

6.2

0.5

E1

S0

17

2.2

2.7

5.8

S1

S0

S1

172.

18.5

0.10

FA

1

Rou

ter

B

Rou

ter

C

Writ

e an

ext

ende

d ac

cess

list

to p

erm

it th

e fir

st 3

usa

ble

addr

esse

s in

the

192

.16.

20.0

net

wor

k to

reac

h th

e 17

2.22

.75.

0 ne

twor

k.D

eny

the

addr

esse

s fr

om 1

92.1

6.20

.4 th

roug

h 19

2.16

.20.

31 fr

om re

achi

ng th

e 17

2.22

.75.

0 ne

twor

k. P

erm

it al

l oth

er tr

affic

. K

eep

inm

ind

that

ther

e ar

e m

ultip

le w

ays

this

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

Router(config)# in

terfa

ce _

____

____

___


acc

ess-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


it

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

11D

eny/

Per

mit

a R

ang

e o

f Ad

dre

sses

50

Route

r A

FA0

15

5(100-199)

acc

ess-list

15

5 p

erm

it i

p 1

92

.16.2

0.0

0.0

.0.3

172

.22

.75

.0 0

.0.0

.25

5

acc

ess-list

15

5 d

eny i

p 1

92

.16.2

.0 0

.0.0

.31 1

72

.22

.75

.0 0

.0.0

.25

5

acc

ess-list

15

5 p

erm

it ip a

ny a

ny

15

5F

A0

51

Writ

e an

ext

ende

d ac

cess

list

to d

eny

the

addr

esse

s fr

om 1

72.2

2.75

.8 th

roug

h 17

2.22

.75.

127

from

sen

ding

dat

a to

the

172.

18.5

0.0

netw

ork.

Den

y th

e fir

st h

alf o

f the

add

ress

es fr

om th

e 17

2.22

.75.

0 ne

twor

k fr

om re

achi

ng th

e 19

2.16

.20.

0 ne

twor

k. P

erm

it al

l oth

ertr

affic

. K

eep

in m

ind

that

ther

e ar

e m

ultip

le w

ays

this

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

12D

eny/

Per

mit

a R

ang

e o

f Ad

dre

sses

Route

r B

E1

160

(100-199)

acc

ess-list

160 p

erm

it i

p 1

72

.22

.75

.0 0

.0.0

.7 1

72

.18.5

0.0

0.0

.0.2

55

acc

ess-list

160 d

eny i

p 1

72

.22

.75

.0 0

.0.0

.12

7 1

72

.18.5

0.0

0.0

.0.2

55

acc

ess-list

160 p

erm

it ip a

ny a

ny

160

E1

52

Ce

lest

e’s

Co

mp

ute

r

17

2.1

6.7

0.1

45

De

nis

e’s

Co

mp

ute

r

19

2.1

68

.88

.20

4

FA

0F

A1

Rou

ter

A

Bo

b’s

Co

mp

ute

r

17

2.1

6.7

0.1

55

Peg

gy’s

Co

mp

ute

r

19

2.1

68

.88

.20

0

17

2.1

6.7

0.1

19

2.1

68

.88

.1

Rou

ter

BS

0S

1

10

.25

0.4

.01

0.2

50

.1.0

FA

1F

A0

Writ

e an

ext

ende

d ac

cess

list

to p

erm

it th

e fir

st 6

3 us

able

add

ress

es in

the

192.

168.

88.0

net

wor

k to

reac

h th

e lo

wer

hal

f of t

head

dres

ses

in th

e 17

2.16

.70.

0 ne

twor

k; b

ut n

ot th

e up

per h

alf.

Den

y al

l oth

er tr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

Router(config)# in

terfa

ce _

____

____

___


acc

ess-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


it

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

13D

eny/

Per

mit

a R

ang

e o

f Ad

dre

sses

Route

r B

FA1

165

(100-199)

acc

ess-list

165

per

mit

ip 1

92

.168.8

8.0

0.0

.0.6

3 1

72

.16.7

0.0

0.0

.0.1

27

165

FA1

53

Writ

e an

ext

ende

d ac

cess

list

to d

eny

the

addr

esse

s fr

om 1

0.25

0.1.

0 th

roug

h 10

.250

.1.6

3 fr

om s

endi

ng d

ata

to D

enis

e’s

com

pute

r.P

erm

it al

l oth

er tr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

14D

eny/

Per

mit

a R

ang

e o

f Ad

dre

sses

Route

r A

FA1

170

(100-199)

acc

ess-list

170 d

eny i

p 1

0.2

50.1

.0 0

.0.0

.63 h

ost

192

.168.8

8.2

04

acc

ess-list

170 d

eny i

p 1

0.2

50.1

.0 0

.0.0

.63 1

92

.168.8

8.2

04 0

.0.0

.0

acc

ess-list

170 p

erm

it ip a

ny a

ny

170

FA1

or

19

2.1

68

.20

7.2

6

E0R

oute

r A

Web

Ser

ver

19

2.1

68

.20

7.2

7W

eb S

erve

r

210.

128.

50.1

1

Writ

e an

ext

ende

d ac

cess

list

to d

eny

HT

TP

traf

fic in

tend

ed fo

r w

eb s

erve

r 19

2.16

8.20

7.27

, but

will

per

mit

all

othe

r HT

TP

traf

fic to

reac

h th

e on

ly th

e 19

2.16

8.20

7.0

netw

ork.

Den

y al

l oth

er IP

traf

fic.

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of th

ein

divi

dual

sta

tem

ents

in a

n A

CL

can

be w

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r A

Inte

rfac

e: E

0A

cces

s-lis

t #:

198

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)# acc

ess-list

198 d

eny t

cp a

ny 1

92

.168.2

07.2

7 0

.0.0

.0 e

q w

ww

or

a

cces

s-list

198 d

eny t

cp a

ny h

ost

192

.168.2

07.2

7 e

q w

ww

Router(config)# acc

ess-list

198 p

erm

it t

cp a

ny 1

92

.168.2

07.0

0.0

.0.2

55

eq w

ww

Router(config)# i

nte

rface

e0


p a

cces

s-gr

oup 1

98 in


xit

Router(config)# e

xit

19

2.1

68

.20

7.2

5

S0

S1 21

0.12

8.50

.10

E1

Rou

ter

B

[Vie

win

g in

form

atio

n a

bo

ut e

xist

ing

AC

L’s]

Router# s

how c

onfi

gurati

on

(Thi

s w

ill s

how

whi

ch a

cces

s gr

oups

are

ass

ocia

ted

with

par

ticul

ar in

terf

aces

)

Router# s

how a

cces

s lis

t 198

(Thi

s w

ill s

how

det

aile

d in

form

atio

n ab

out t

his

AC

L)

54

Ext

end

ed A

cces

s L

ist

Sam

ple

#7

Den

y/P

erm

it P

ort

Nu

mb

ers

210.

128.

50.1

2

Writ

e an

ext

ende

d ac

cess

list

to p

erm

it pi

ngs

in e

ither

dire

ctio

n be

twee

n ho

sts

on th

e 21

0.12

8.50

.0 a

nd 1

92.1

68.2

07.0

net

wor

ks.

Den

y al

l oth

er tr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r A

Inte

rfac

e: E

0A

cces

s-lis

t #:

134

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)# acc

ess-

list

134 p

erm

it i

cmp

210.1

28.5

0.0

0.0

.0.2

55

192

.168.2

07.0

0.0

.0.2

55

ech

o-re

ply


rface

e0


p a

cces

s-gr

oup 1

34 in


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Sam

ple

#8

Den

y/P

erm

it P

ort

Nu

mb

ers

[Dis

ablin

g A

CL’

s]

Router# c

onfi

gure

term

inal

Router(config)# i

nte

rfa

ce e


o ip a

cces

s-gr

oup 1

34 o

ut


itRouter(config)# e

xit

[Rem

ovi

ng

an

AC

L]

Router# c

onfi

gure

term

inal

Router(config)# i

nte

rfa

ce e


o ip a

cces

s-gr

oup 1

34 o

ut


itRouter(config)# n

o a

cces

s-list

134

Router(config)# e

xit

55

Writ

e an

ext

ende

d ac

cess

list

to p

erm

it D

enis

e’s

and

Bob

’s c

ompu

ters

to te

lnet

into

Rou

ter B

. D

eny

all o

ther

teln

et tr

affic

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of th

e in

divi

dual

sta

tem

ents

in a

n A

CL

can

be w

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r B

Inte

rfac

e: line

VTY

0 4

Acc

ess-

list #

:

4

5

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)# a

cces

s-list

45

per

mit

192

.168.3

3.2

14 0

.0.0

.0or

a

cces

s-list

45

per

mit

host

192

.168.3

3.2

14

Router(config)# a

cces

s-list

45

per

mit

192

.30.7

6.1

55

0.0

.0.0

or

a

cces

s-list

45

per

mit

host

92

.30.7

6.1

55

Router(config)# lin

e vty

0 4


p a

cces

s-cl

ass 4

5 in


xit

Router(config)# e

xit

[Vie

win

g in

form

atio

n a

bo

ut e

xist

ing

AC

L’s]

Router# s

how c

onfi

gurati

on

(Thi

s w

ill s

how

whi

ch a

cces

s gr

oups

are

ass

ocia

ted

with

par

ticul

ar in

terf

aces

)

Router# s

how a

cces

s lis

t 45

(Thi

s w

ill s

how

det

aile

d in

form

atio

n ab

out t

his

AC

L)

Sta

nd

ard

Acc

ess

Lis

t S

amp

le #

9D

eny/

Per

mit

Tel

net

56

Ce

lest

e’s

Co

mp

ute

r

19

2.3

0.7

6.1

45

De

nis

e’s

Co

mp

ute

r

19

2.1

68

.33

.21

4

E0

E1

Rou

ter

A

Bo

b’s

Co

mp

ute

r

19

2.3

0.7

6.1

55

Peg

gy’s

Co

mp

ute

r

19

2.1

68

.33

.21

0

17

2.2

0.7

0.1

19

2.1

68

.33

.1

Rou

ter

BS

0S

1

17

2.1

6.1

6.0

10

.25

0.4

.0

E1

E0

(usin

g line

VTY

0 4

inste

ad o

f an inte

rfa

ce lik

e E

1 a

llows y

ou

to a

pply

thi

s a

cces

s lis

t to

all V

TY

lin

es w

ith

one

sta

tem

ent)

Writ

e an

ext

ende

d ac

cess

list

to d

eny

FT

P to

ip a

ddre

sses

192

.30.

76.0

thro

ugh

192.

30.7

6.13

.P

erm

it al

l oth

er tr

affic

. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: R

oute

r A

Inte

rfac

e: E

0A

cces

s-lis

t #:

15

5

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)# acc

ess-

list

15

5 d

eny t

cp a

ny 1

92

.30.7

6.0

0.0

.0.1

3 e

q f

tpRouter(config)# a

cces

s-list

15

5 p

erm

it t

cp a

ny a

ny

or

a

cces

s-list

15

5 d

eny

tcp

0.0

.0.0

25

5.2

55

.25

5.2

55

0.0

.0.0

25

5.2

55

.25

5.2

55


rface

e0


p a

cces

s-gr

oup 1

55

in


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Sam

ple

#10

Den

y/P

erm

it P

ort

Nu

mb

ers

[Dis

ablin

g A

CL’

s]

Router# c

onfi

gure

term

inal

Router(config)# i

nte

rfa

ce e


o ip a

cces

s-gr

oup 1

55

out


itRouter(config)# e

xit

[Rem

ovi

ng

an

AC

L]

Router# c

onfi

gure

term

inal

Router(config)# i

nte

rfa

ce e


o ip a

cces

s-gr

oup 1

55

out


itRouter(config)# n

o a

cces

s-list

15

5Router(config)# e

xit

57

58

Jack

ie’s

Co

mp

ute

r

17

2.1

6.1

25

.1

Jen

nife

r’s

Co

mp

ute

r

19

2.1

28

.45

.35

E0

FA

1

Rou

ter

A

Bill

’sC

om

pu

ter

19

2.1

28

.45

.33

17

2.1

6.7

0.1

19

2.1

28

.45

.8

Rou

ter

B

S0S

1

10

.25

0.8

.0

10

.25

0.2

.0

E1

FA

0

Writ

e an

ext

ende

d ac

cess

list

to p

erm

it IC

MP

traf

fic fr

om th

e 19

2.12

8.45

.0 n

etw

ork

to re

ach

the

172.

16.1

25.0

255

.255

.255

.0 a

nd10

.250

.2.0

255

.255

.255

.0 n

etw

orks

. D

eny

all o

ther

traf

fic.

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of th

e in

divi

dual

stat

emen

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

Router(config)# in

terfa

ce _

____

____

___


acc

ess-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


it

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

15D

eny/

Per

mit

a P

ort

Nu

mb

ers

Route

r B

FA1

175

(100-199)

acc

ess-list

175

per

mit

icm

p 1

92

.12

8.4

5.0

0.0

.0.2

55

172

.16.1

25

.0 0

.0.0

.25

5

acc

ess-list

175

per

mit

icm

p 1

92

.12

8.4

5.0

0.0

.0.2

55

10.2

50.2

.0 0

.0.0

.25

5

175

FA1

59

Writ

e a

nam

ed e

xten

ded

acce

ss li

st c

alle

d “P

eggy

s_La

b” to

den

y te

lnet

fro

m 1

0.25

0.8.

0 th

roug

h 10

.250

.8.1

27 f

rom

reac

hing

the

192.

128.

45.0

net

wor

k.

Per

mit

all o

ther

traf

fic.

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of t

he in

divi

dual

sta

tem

ents

in a

nA

CL

can

be w

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

Nam

e: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

16D

eny/

Per

mit

a P

ort

Nu

mb

ers

Route

r B

FA0

Peg

gys_

Lab

acc

ess-list

exte

nded

Peg

gys_

Lab

acc

ess-list

den

y t

cp 1

0.2

50.8

.0 0

.0.0

.12

7 1

92

.12

8.4

5.0

0.0

.0.2

55

eq 2

3

acc

ess-list

per

mit

tcp

any a

ny

FA0

Peg

gys_

Lab

Writ

e an

acc

ess

list t

o pe

rmit

Bec

ky a

nd M

ary’

s co

mpu

ter t

o te

lnet

into

Rou

ter B

. Den

y al

l oth

er te

lnet

traf

fic fr

om th

e 17

2.60

.18.

0ne

twor

k. K

eep

in m

ind

that

ther

e m

ay b

e m

ultip

le w

ays

man

y of

the

indi

vidu

al s

tate

men

ts in

an

AC

L ca

n be

writ

ten.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#


rfa

ce _

____

____

___


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Web

Ser

ver

#2

203.

194.

100.

101

Mar

y’s

Co

mp

ute

r

17

2.6

0.1

8.1

42

FA

0

FA

1

Rou

ter

A

Web

Ser

ver

#1

203.

194.

100.

102

Bec

ky’s

Co

mp

ute

r

172.

60.1

8.14

0

203.

194.

100.

1

17

2.6

0.1

8.1

Acc

ess

Lis

t P

rob

lem

#17

Den

y/P

erm

it P

ort

Nu

mb

ers

Rou

ter

B

S0

S1

60

20

4.2

50

.10

.0

S0

Route

r B

line

vty

04

50

(1-99)

acc

ess-list

50 p

erm

it 1

72

.60.1

8.1

40

acc

ess-list

50 p

erm

it h

ost

172

.60.1

8.1

40

acc

ess-list

50 p

erm

it 1

72

.60.1

8.1

40 0

.0.0

.0acc

ess-list

50 p

erm

it 1

72

.60.1

8.1

42

acc

ess-list

50 p

erm

it h

ost

172

.60.1

8.1

42

acc

ess-list

50 p

erm

it 1

72

.60.1

8.1

42

0.0

.0.0

50

line

vty

04

or

or

or

or

Writ

e an

ext

ende

d ac

cess

list

to d

eny

all H

TT

P tr

affic

inte

nded

for t

he w

eb s

erve

r at 2

03.1

94.1

00.1

02.

Per

mit

HT

TP

traf

fic to

any

othe

r web

ser

vers

. D

eny

all o

ther

IP tr

affic

to th

e 20

3.19

4.10

0.0

netw

ork.

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of th

ein

divi

dual

sta

tem

ents

in a

n A

CL

can

be w

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

18

D

eny/

Per

mit

Po

rt N

um

ber

s

61

Route

r A

FA0

185

(100-199)

acc

ess-list

185

den

y t

cp a

ny h

ost

203.1

94.1

00.1

02

eq 8

0

acc

ess-list

185

den

y t

cp a

ny 2

03.1

94.1

00.1

02

0.0

.0.0

eq 8

0

acc

ess-list

185

per

mit

tcp

any a

ny e

q 8

0

185

FA0

or

Writ

e an

acc

ess

list t

o pe

rmit

TF

TP

traf

fic to

all

host

s on

the

192.

168.

15.0

net

wor

k. D

eny

all o

ther

TF

TP

traf

fic.

Kee

p in

min

d th

atth

ere

may

be

mul

tiple

way

s m

any

of th

e in

divi

dual

sta

tem

ents

in a

n A

CL

can

be w

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# co

nfi

gure

term

inal (or c

onfi

g t)

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____


rfa

ce _

____

____

___


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

62

Acc

ess

Lis

t P

rob

lem

#19

Den

y/P

erm

it P

ort

Nu

mb

ers

Web

Ser

ver

#1

192.

168.

15.1

25G

ail’

sC

om

pu

ter

17

2.2

3.5

0.1

97

E0R

oute

r A

Bo

bb

ie’s

Co

mp

ute

r

192.

168.

15.8

2

Web

Ser

ver

#2

172.

23.5

0.19

6

192.

168.

15.2

5

S0

S1 17

2.23

.50.

195

E1

Rou

ter

B

E1

19

2.1

72

.10

.0

Route

r A

E0

190

(100-199)

acc

ess-list

175

per

mit

tcp

any 1

92

.168.1

5.0

0.0

.0.2

55

eq f

tp

190

E0

Writ

e an

ext

ende

d ac

cess

list

that

per

mits

web

traf

fic fr

om w

eb s

erve

r #2

at 1

72.2

3.50

.196

to re

ach

ever

yone

on

the

192.

168.

15.0

netw

ork.

Den

y a

ll ot

her I

P tr

affic

goi

ng to

the

192.

172.

10.0

, and

192

.168

.15.

0 ne

twor

ks.

Kee

p in

min

d th

at th

ere

may

be

mul

tiple

way

s m

any

of th

e in

divi

dual

sta

tem

ents

in a

n A

CL

can

be w

ritte

n.

Pla

ce th

e ac

cess

list

at:

Rou

ter

Nam

e: _

____

____

____

____

____

____

__In

terf

ace:

___

____

____

____

____

____

____

____

Acc

ess-

list

#: _

____

____

____

____

____

____

___

[Wri

tin

g a

nd

inst

allin

g a

n A

CL

]

Router# c

onfi

gure

term

inal

Router(config)#

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_

Router(config)# i

nte

rfa

ce

____

____


p a

cces

s-gr

oup _

____

____

in o

r o

ut

(circ

le o

ne)


xit

Router(config)# e

xit

Router# c

opy r

un s

tart

63

Ext

end

ed A

cces

s L

ist

Pro

ble

m #

20

D

eny/

Per

mit

Po

rt N

um

ber

s

Route

r B

E1

195

(100-199)

acc

ess-list

195

den

y t

cp h

ost

172

.23.5

0.1

96 1

92

.168.1

5.0

0.0

.0.2

55

eq 8

0

acc

ess-list

195

den

y t

cp 1

72

.23.5

0.1

96 0

.0.0

.0 1

92

.168.1

5.0

0.0

.0.2

55

eq 8

0

195

E1

or

Optional ACL Commands& Other Network Security Ideas

In order to reduce the chance of spoofing from outside your network consider adding thefollowing statements to your network’s inbound access list.

router# config trouter(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 anyrouter(config)# access-list 100 deny ip 172.16.0.0 0.0.255.255 anyrouter(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 anyrouter(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 anyrouter(config)# access-list 100 deny ip 224.0.0.0 31.255.255.255 anyrouter(config)# access-list 100 deny ip your-subnet-# your-subnet-mask-# anyrouter(config)# access-list 100 deny igmp any anyrouter(config)# access-list 100 deny icmp any any redirectrouter(config)# access-list 100 permit any anyrouter(config)# interface e0 (or whatever your inbound port is)router(config-if)# ip access-group inrouter(config-if)# exitrouter(config)# exit

Another handy security tool is to only allow ip packets out of your network with your sourceaddress.

router# config trouter(config)# access-list 100 permit ip your-subnet-# your-subnet-mask-# anyrouter(config)# interface e0 (or whatever your outbound port is)router(config-if)# ip access-group outrouter(config-if)# exitrouter(config)# exit

To keep packets with unreachable destinations from entering your network add this command:

ip route 0.0.0.0 0.0.0.0 null 0 255

To protect against smurf and other attacks add the following commands to every externalinterface:

no ip directed-broadcastno ip source-routefair-queuescheduler interval 500

64

Index / Table of Contents

Access-List Numbers.......................................................................Inside CoverWhat are Access Control Lists?..........................................................................1General Access Lists Information.......................................................................1How routers use Access Lists.............................................................................1Standard Access Lists.........................................................................................2Why Standard ACLs must be placed close to the destination..........................2Standard Access List Placement Sample Problems.........................................3Standard Access List Placement Problems....................................................4-5Extended Access Lists........................................................................................6Why Extended ACLs must be placed close to the destination.........................6Extended Access List Placement Sample Problems........................................7Extended Access List Placement Problems..................................................8-9Choosing to Filter Incoming or Outgoing Packets...........................................10Breakdown of a Standard ACL Statement........................................................10Breakdown of a Extended ACL Statement.......................................................11What are Named Access Control Lists..................................................................12Named Access Lists Information..........................................................................12Applying a Standard Named Access List called “George”...............................12Applying an Extended Named Access List called “Gracie”.............................13Choices for Using Wildcard Masks..............................................................14-15Creating Wildcard Masks...................................................................................16Wildcard Mask Problems.............................................................................18-20Writing Standard Access Lists.....................................................................21-32Writing Extended Access Lists.....................................................................33-63

Deny/Permit Specific Addresses.......................................................33-39Deny/Permit Entire Ranges................................................................40-45Deny/Permit a Range of Addresses..................................................46-53Deny/Permit Port Numbers.................................................................54-63

Optional ACL Commands...................................................................................64Index / Table of Contents...................................................................................65Port Numbers...............................................................................66-Inside Cover

65

Port Numbers

Some commonly used port numbers:

0 Reserved1 TCPMUX (TCP Port Service Multiplexer)5 RJE (Remote Job Entry)7 ECHO9 DISCARD11 SYSTAT (Active users)13 DAYTIME17 QUOTE (Quote of the day)18 MSP (Message Send Protocol)19 CHARGEN (Character generator)20 FTP-DATA (File Transfer Protocol - Data)21 FTP (File Transfer Protocol - Control)22 SSH (Remote Login Protocol)23 Telnet (Terminal Connection)25 SMTP (Simple Mail Transfer Protocol)29 MSG ICP37 TIME39 RLP (Resource Location Protocol42 NAMESERV (Host Name Server)

Port numbers are now assigned by the ICANN (Internet Corporation forAssigned Names and Numbers). Commonly used TCP and UDPapplications are assigned a port number; such as: HTTP - 80, POP3 - 110,FTP - 20. When an application communicates with another application onanother node on the internet, it specifies that application in each datatransmission by using its port number. You can also type the name (ie. Telnet)instead of the port number (ie. 23). Port numbers range from 0 to 65536 andare divided into three ranges:

Below is a short list of some commonly used ports. For a complete list ofport numbers go to http://www.iana.org/assignments/port-numbers.

01,024

49,152

tototo

1,02349,15165,535

Well Known PortsRegistered PortsDynamic and/or Private Ports

66

Inside Cover

43 NICNAME (Who Is)49 LOGIN (Login Host Protocol)53 DNS (Domain Name Server)67 BOOTP (Bootstrap Protocol Server)68 BOOTPS (Bootstrap Protocol Client)69 TFTP (Trivial File Transfer Protocol)70 GOPHER (Gopher Services )75 (Any Privite Dial-out Service)79 FINGER80 HTTP (Hypertext Transfer Protocol)95 SUPDUP (SUPDUP Protocol)101 HOSTNAME (NIC Host Name Server)108 SNAGAS (SNA Gateway Access Server)109 POP2 (Post Office Protocol - Version 2)110 POP3 (Post Office Protocol - Version 3)113 AUTH (Authentication Service)115 SFTP (Simple File Transfer Protocol)117 UUCP-PATH (UUCP Path Service)118 SQLSERV (SQL Services)119 NNTP (Newsgroup)123 NTP (Network Tim Protocol)137 NetBIOS-NS (NetBIOS Name Service)139 NetBIOS-SSN (NetBIOS Session Service )143 IMAP (Interim Mail Access Protocol)150 SQL-NET (NetBIOS Session Service)156 SQLSRV (SQL Service)161 SNMP (Simple Network Management Protocol)179 BGP (Border Gateway Protocol)190 GACP (Gateway Access Control Protocol)194 IRC (Internet Relay Chat)197 DLS (Directory Location Service)389 LDAP (Lightweight Directory Access Protocol)396 NETWARE-IP (Novell Netware over IP )443 HTTPS (HTTP MCom)444 SNPP (Simple Network Paging Protocol)445 Microsoft-DS458 Apple QuickTime546 DHCP Client547 DHCP Server563 SNEWS569 MSN