Access Lists Workbook - Student Ed

Extended
ACL
Any
Access
0.0.0.0
Lists
Workbook
Version 1.5
permit
deny
access-list
Standard
access-group
Wildcard Mask
Student Name:
Access-List Numbers
IP Standard
IP Extended
Ethernet Type Code
Ethernet Address
DECnet and Extended DECnet
XNS
Extended XNS
Appletalk
48-bit MAC Addresses
IPX Standard
IPX Extended
IPX SAP (service advertisement protocol)
IPX SAP SPX
Extended 48-bit MAC Addresses
IPX NLSP
IP Standard, expanded range
IP Extended, expanded range
SS7 (voice)
Standard Vines
Extended Vines
Simple Vines
Transparent bridging (protocol type)
Transparent bridging (vendor type)
Extended Transparent bridging
Source-route bridging (protocol type)
Source-route bridging (vendor type)
1
100
200
700
300
400
500
600
700
800
900
1000
1000
1100
1200
1300
2000
2700
1
101
201
200
700
1100
200
700
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
to
99
199
299
799
399
499
599
699
799
899
999
1099
1099
1199
1299
1999
2699
2999
100
200
300
299
799
1199
299
799
Produced by: Robb Jones

jonesr@careertech.net and/or Robert.Jones@fcps.org
Frederick County Career & Technology Center
Cisco Networking Academy
Frederick County Public Schools
Frederick, Maryland, USA
Special Thanks to Melvin Baker, Jim Dorsch, and Brent Sieling
for taking the time to check this workbook for errors, and making suggestions for improvements.
Inside Cover
What are Access Control Lists?

ACLs...
...are a sequential list of instructions that tell a router which packets to
permit or deny.
General Access Lists Information

Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it
stops comparing and permits or denys the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed
protocol must have a different ACL for each interface.
...must be applied to an interface to work.
How routers use Access Lists

(Outbound Port - Default)
The router checks to see if the packet is routable. If it is it looks up
the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL the router switches the packet out that interface to its
destination.
If there is an ACL the router checks the packet against the access list
statements sequentially. Then permits or denys each packet as it is
matched.
If the packet does not match any statement written in the ACL it is
denyed because there is an implicit deny any statement at the end of
every ACL.
Standard Access Lists

Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) only source addresses.
...do not have any destination information so it must placed as close
to the destination as possible.
...work at layer 3 of the OSI model.
Why standard ACLs are placed close to the

destination.
If you want to block traffic from Juans computer from reaching
Janets computer with a standard access list you would place the
ACL close to the destination on Router D, interface E0. Since
its using only the source address to permit or deny packets the
ACL here will not effect packets reaching Routers B, or C.
Router A
Router B
S0
S1
E0
S0
Router C
S1
E0
S0
E0
Janets
Computer
Matts
Computer
Juans
Computer
Jimmys
Computer
If you place the ACL on router A to block traffic to Router D

it will also block all packets going to Routers B, and C;
because all the packets will have the same source address.
Router D
S1
E0
Standard Access List Placement

Sample Problems
FA0
FA1
Router A
Jans
Computer
Juans
Computer
In order to permit packets from Juans computer to arrive at

Jans computer you would place the standard access list at
router interface ______.
FA1
E0
S0
Router A
Lisas
Computer
E1
S1
Router B
Pauls
Computer
Lisa has been sending unnecessary information to Paul. Where

would you place the standard ACL to deny all traffic from Lisa to Paul?
Router Name ______________
Router B Interface ___________
E1
Where would you place the standard ACL to deny traffic from Paul to
Lisa?
Router Name ______________
Router A Interface ___________
E0

Router B
S0
S1
Router A
E0
S0
S1
Rickys
Computer
FA1
S1
Router C
Jennys
Computer
Amandas
Computer
Carrols
Computer
Georges
Computer
Kathys
Computer
S1
Router D
E0
Jeffs
Computer
S0
Jims
Computer
S1
E0
S0
Router E
Lindas
Computer
Sarahs
Computer
FA1
S1
Router F
Jackies
Computer
Melvins
Computer

1. Where would you place a standard access list to
permit traffic from Rickys computer to reach Jeffs
computer?
deny traffic from Melvins computer from reaching
Jennys computer?
Router D
Router Name_________________
Interface ____________________
E0
Router A
Router Name_________________
Interface ____________________
E0

deny traffic to Carrols computer from Sarahs
computer?
Router Name_________________
Interface ____________________

permit traffic to Rickys computer from Jeffs
computer?
Router Name_________________
Interface ____________________

deny traffic from Amandas computer from reaching
Jeff and Jims computer?
Router Name_________________
Interface ____________________

permit traffic from Jackies computer to reach Lindas
computer?
Router Name_________________
Interface ____________________

permit traffic from Rickys computer to reach Carrol
and Amandas computer?
Router Name_________________
Interface ____________________

deny traffic to Jennys computer from Jackies
computer?
Router Name_________________
Interface ____________________

permit traffic from Georges computer to reach Linda
and Sarahs computer?
Router Name_________________
Interface ____________________
10. Where would you place an ACL to deny traffic from

Jeffs computer from reaching Georges computer?
Router Name_________________
Interface ____________________

deny traffic to Sarahs computer from Rickys
computer?
Router Name_________________
Interface ____________________

Lindas computer from reaching Jackies computer?
Router Name_________________
Interface ____________________
5
Extended Access Lists

Extended Access Lists...
...are numbered from 100 to 199.
...filter (permit or deny) based on the:
source address
destination address
protocol
application / port number
... are placed close to the source.

...work at both layer 3 and 4 of the OSI model.
Why extended ACLs are placed close to the source.

If you want to deny traffic from Juans computer from reaching
Janets computer with an extended access list you would place
the ACL close to the source on Router A, interface E0. Since it
can permit or deny based on the destination address it can reduce
backbone overhead and not effect traffic to Routers B, or C.
Router B
S0
S1
Router A
E0
FA0
S0
Router C
S1
S0
E0
Janets
Computer
Matts
Computer
Juans
Computer
Router D
S1
E0
Jimmys
Computer
If you place the ACL on Router E to block traffic from Router

A, it will work. However, Routers B, and C will have to route
the packet before it is finally blocked at Router E. This
increases the volume of useless network traffic.
Extended Access List Placement

Sample Problems
E0
E1
Router A
Jans
Computer
Juans
Computer
In order to permit packets from Juans computer to arrive at

Jans computer you would place the extended access list at
router interface ______.
E0
FA0
S0
Router A
Lisas
Computer
FA1
S1
Router B
Pauls
Computer
Lisa has been sending unnecessary information to Paul. Where would

you place the extended ACL to deny all traffic from Lisa to Paul?
Router A Interface ___________
Router Name ______________
FA0
Where would you place the extended ACL to deny traffic from Paul to
Lisa?
Router Name ______________
Router B Interface ___________
FA1

Router B
S0
S1
Router A
FA0
S0
S1
Rickys
Computer
E1
S1
Router C
Jennys
Computer
Amandas
Computer
Carrols
Computer
Georges
Computer
Kathys
Computer
S1
Router D
FA0
Jeffs
Computer
S0
Jims
Computer
S1
FA0
S0
Router E
Lindas
Computer
Sarahs
Computer
FA1
S1
Router F
Jackies
Computer
Melvins
Computer

Jeffs computer from reaching Georges computer?
2. Where would you place an extended access list to
permit traffic from Jackies computer to reach Lindas
computer?
Router D
Router Name_________________
Interface ____________________
FA0
Router F
Router Name_________________
Interface ____________________
FA1

deny traffic to Carrols computer from Rickys
computer?
Router Name_________________
Interface ____________________

deny traffic to Sarahs computer from Jackies
computer?
Router Name_________________
Interface ____________________

permit traffic from Carrols computer to reach Jeffs
computer?
Router Name_________________
Interface ____________________

deny traffic from Melvins computer from reaching Jeff
and Jims computer?
Router Name_________________
Interface ____________________

permit traffic from Georges computer to reach Jeffs
computer?
Router Name_________________
Interface ____________________

permit traffic from Jims computer to reach Carrol and
Amandas computer?
Router Name_________________
Interface ____________________

Lindas computer from reaching Kathys computer?
Router Name_________________
Interface ____________________
10. Where would you place an extended access list

to deny traffic to Jennys computer from Sarahs
computer?
Router Name_________________
Interface ____________________

permit traffic from Georges computer to reach Linda
and Sarahs computer?
Router Name_________________
Interface ____________________
12. Where would you place an extended access list

to deny traffic from Lindas computer from reaching
Jennys computer?
Router Name_________________
Interface ____________________
9
Choosing to Filter Incoming or Outgoing Packets

Access Lists on your incoming port...
...requires less CPU processing.
...filters and denys packets before the router has to make a
routing decision.
Access Lists on your outgoing port...
...are outbound by default unless otherwise specified.
...increases the CPU processing time because the routing decision
is made and the packet switched to the correct outgoing port
before it is tested against the ACL.
Breakdown of a Standard ACL Statement

permit
or
deny
wildcard
mask
access-list 1 permit 192.168.90.36 0.0.0.0

autonomous
number
1 to 99
source
address
permit or deny
source
address
access-list 78 deny host 192.168.90.36 log

autonomous
number
1 to 99
10
indicates a
specific host
address
(Optional)
generates a log
entry on the
router for each
packet that
matches this
statement
Breakdown of an Extended ACL Statement
autonomous
number
100 to 199
protocol
icp,
icmp,
tcp, udp,
ip,
etc.
source
wildcard
mask
destination
wildcard
mask
access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0

permit or deny
autonomous
number
100 to 199
protocol
icp,
icmp,
tcp, udp,
ip,
etc.
source
address
destination
address
port
number
(23 = telnet)
indicates a
specific
host
destination
address
access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log

permit
or
deny
source
address
indicates a
specific
host
Protocols Include: (Layers 3 and 4)

IP
IGMP
IPINIP
TCP
GRE
OSPF
UDP
IGRP
NOS
ICMP
EIGRP
Integer 0-255
To match any internet protocol use IP.
operator
eq for =
gt for >
lt for <
neg for =
(Optional)
generates a log
entry on the
router for each
packet that
matches this
statement
11
What are Named Access Control Lists?

Named ACLs...
...are standard or extended ACLs which have an alphanumeric name
instead of a number. (ie. 1-99 or 100-199)
Named Access Lists Information

Named Access Lists...
...identify ACLs with an intuutive name instead of a number.
...eliminate the limits imposed by using numbered ACLs.
(798 for standard and 799 for extended)
...provide the ability to modify your ACLs without deleting and
reloading the revised access list. It will only allow you to add
statements to the end of the exsisting statements.
...are not compatable with any IOS prior to Release 11.2.
...can not repeat the same name on multiple ACLs.
Applying a Standard Named Access List

called George
Write a named standard access list called George on Router A, interface E1 to block Melvins
computer from sending information to Kathys computer; but will allow all other traffic.
Place the access list at:
Router Name:
Router A
Interface:
E1
Access-list Name:
George
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)#ip access-list standard George
Router(config-std-nacl)# deny host 72.16.70.35
Router(config-std-nacl)# permit any
Router(config-std-nacl)# interface e1
Router(config-if)# ip access-group George out
Router(config-if)# exit
Router(config)# exit
12
13

Router(config)#ip access-list extended Gracie
Router(config-ext-nacl)# deny tcp any host 192.168.207.27 eq www
Router(config-ext-nacl)# permit tcp any 192.168.207.0 0.0.0.255 eq www
Router(config-ext-nacl)# interface e0
Router(config-if)# ip access-group Gracie in

Router Name:
Router A
Interface:
E0
Access-list Mail:
Gracie
Write a named extended access list called Gracie on Router A, Interface E0 called Gracie to deny HTTP traffic intended for web
server 192.168.207.27, but will permit all other HTTP traffic to reach the only the 192.168.207.0 network. Deny all other IP traffic.
Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Applying an extended Named Access List

called Gracie
Choices for Using Wildcard Masks

Wildcard masks are usually set up to do one of four things:
1. Match a specific host.
2. Match an entire subnet.
3. Match a specific range.
4. Match all addresses.
1. Matching a specific host.

For standard access lists:
Access-List 10 permit 192.168.150.50 0.0.0.0
or
ACLs
Access-List 10 permit 192.168.150.50 (standard
assume a 0.0.0.0 mask)
or
Access-List 10 permit host 192.168.150.50
For extended access lists:
Access-list 110 deny ip 192.168.150.50 0.0.0.0 any
or
Access-list 110 deny ip host 192.168.150.50 any
2. Matching an entire subnet
Example 1
Address: 192.168.50.0 Subnet Mask: 255.255.255.0
Access-list 25 deny 192.168.50.0 0.0.0.255
Example 2
Access-list 12 permit 172.16.0.0 0.0.255.255
Example 3
Access-list 125 deny udp 10.0.0.0 0.255.255.255 any
14
3. Match a specific range

Example 1
255. 255. 255. 255
Custom Subnet mask: -255. 255. 255. 224
Wildcard:
0. 0. 0. 31
Access-list 125 permit udp 10.250.50.112 0.0.0.31 any
e
Example 2
Address Range: 192.168.16.0 to 192.168.16.127
Wildcard:
192. 168. 16.127

-192. 168. 16. 0
0. 0. 0.127
Access-list 125 deny ip 192.168.16.0 0.0.0.127 any

(This ACL would block the lower half of the subnet.)
Example 3
Address: 172.250.16.32 to 172.250.31.63
Wildcard:
172. 250. 31. 63

-172. 250. 16. 32
0. 0. 15. 31
Access-list 125 permit ip 172.250.16.32 0.0.15.31 any

4. Match everyone.
For standard access lists:
Access-List 15 permit any
or
Access-List 15 deny 0.0.0.0 255.255.255.255
For extended access lists:
Access-List 175 permit ip any any
or
Access-List 175 deny tcp 0.0.0.0 255.255.255.255 any
15
Creating Wildcard Masks

Just like a subnet mask the wildcard mask tells the router what part of the
address to check or ignore. Zero (0) must match exactly, one (1) will be
ignored.
The source address can be a single address, a range of addresses, or
an entire subnet.
As a rule of thumb the wildcard mask is the reverse of the subnet mask.
Example #1:
IP Address and subnet mask:
IP Address and wildcard mask:
204.100.100.0 255.255.255.0
204.100.100.0 0.0.0.255
All zeros (or 0.0.0.0) means the address must match exactly.
Example #2:
10.10.150.95 0.0.0.0
(This address must match exactly.)
Ones will be ignored.

Example #3:
10.10.150.95 0.0.0.255
(Any 10.10.150.0 subnet address will match.

10.10.150.0 to 10.10.150.255)
This also works with subnets.

Example #4:
Do the math... 255 - 255 = 0

255 - 224 = 31
Example #5:
192.170.25.30 255.255.255.224
192.170.25.30 0.0.0.31
(Subtract the subnet mask from
255.255.255.255 to create the wildcard)
(This is the inverse of the subnet mask.)
172.24.128.0 255.255.128.0
172.24.128.0 0.0.127.255
Do the math... 255 - 255 = 0

(This is the inverse of the subnet mask.)
255 - 128 = 127
255 - 0 = 255
16
Wildcard Mask Problems

1.
Create a wildcard mask to match this exact address.

IP Address: 192.168.25.70
0 . 0 . 0 . 0
Subnet Mask: 255.255.255.0
___________________________________
2.
Create a wildcard mask to match this range.

IP Address: 210.150.10.0
0 . 0 . 0 . 255
Subnet Mask: 255.255.255.0
___________________________________
3.
Create a wildcard mask to match this host.

IP Address: 195.190.10.35
Subnet Mask: 255.255.255.0
__________________________________
4.

IP Address: 172.16.0.0
Subnet Mask: 255.255.0.0
__________________________________
5.

__________________________________
6.
Create a wildcard mask to match this exact address.

IP Address: 165.100.0.130
Subnet Mask: 255.255.255.192
__________________________________
7.

IP Address: 192.10.10.16
Subnet Mask: 255.255.255.224
__________________________________
8.

IP Address: 171.50.75.128
Subnet Mask: 255.255.255.192
__________________________________
9.
Create a wildcard mask to match this host.

IP Address: 10.250.30.2
__________________________________
10.

IP Address: 210.150.28.16
Subnet Mask: 255.255.255.240
__________________________________
11.

Subnet Mask: 255.255.224.0
__________________________________
12.

IP Address: 135.35.230.32
Subnet Mask: 255.255.255.248
__________________________________
17

Based on the given information list the total number of source addresses for
each access list statement.
1. access-list 10 permit 192.168.150.50 0.0.0.0
192.168.150.50
Answer: __________________________________________________________________
2. access-list 5 permit any
Any address
Answer: __________________________________________________________________
3. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
195.223.50.0 to 195.223.50.63
Answer: __________________________________________________________________
4. access-list 11 deny 210.10.10.0 0.0.0.255
Answer: __________________________________________________________________
5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
Answer: __________________________________________________________________
6. access-list 171 deny any host 175.18.24.10 fragments
Answer: __________________________________________________________________
7. access-list 105 permit 192.168.15.0 0.0.0.255 any
Answer: __________________________________________________________________
8. access-list 109 permit tcp 172.16.10.0 0.0.0.255 host 192.168.10.1 eq 80
Answer: __________________________________________________________________
9. access-list 111 permit ip any any
Answer: __________________________________________________________________
10. access-list 195 permit udp 172.30.12.0 0.0.0.127 172.50.10.0 0.0.0.255
Answer: __________________________________________________________________
18
11. access-list 110 permit ip 192.168.15.0 0.0.0.3 192.168.30.10 0.0.0.0

Answer: _________________________________________________________________
Answer: _________________________________________________________________
Answer: _________________________________________________________________
Answer: _________________________________________________________________
Answer: _________________________________________________________________
16. access-list 101 Permit ip 192.168.15.0 0.0.0.127 192.168.30.10 0.0.0.0
Answer:__________________________________________________________________
Answer: _________________________________________________________________
18. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 gt 22
Answer: _________________________________________________________________
19. access-list 195 permit icmp 172.85.0.0 0.0.15.255 172.50.10.0 0.0.0.255
Answer: _________________________________________________________________
20. access-list 10 permit 175.15.120.0 0.0.0.255
Answer: _________________________________________________________________
21. access-list 190 permit tcp 192.15.10.0 0.0.0.31 any
Answer: _________________________________________________________________
Answer: _________________________________________________________________
19

Based on the given information list the total number of destination addresses
for each access list statement.
1.access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
172.168.10.1
Answer: __________________________________________________________________
2. access-list 115 permit any any
Any address
Answer: __________________________________________________________________
192.168.15.0 to 192.168.15.63
Answer: __________________________________________________________________
4. access-list 120 deny tcp 172.32.4.0 0.0.0.255 192.220.10.0 0.0.0.15
Answer: __________________________________________________________________
Answer: __________________________________________________________________
Answer: __________________________________________________________________
7. access-list 105 permit any 192.168.15.0 0.0.0.255
Answer: __________________________________________________________________
Answer: __________________________________________________________________
9. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 eq 21
Answer: __________________________________________________________________
Answer: __________________________________________________________________
20
Writing
Standard Access Lists...
Router A
192.168.90.2
172.16.70.1
E1
E0
S0
210.30.28.0
Jims
Network
Computer
192.168.90.36
172.16.70.32
Franks
Computer
Melvins
Computer
Kathys
Computer
192.168.90.38
172.16.70.35
Standard Access List Sample #1

Write a standard access list to block Melvins computer from sending information to Kathys
computer; but will allow all other traffic. Keep in mind that there may be multiple ways many of
the individual statements in an ACL can be written.
Router Name:
Router A
Interface:
E1
Access-list #:
10
Router(config)# access-list 10 deny 172.16.70.35
or
access-list 10 deny 172.16.70.35 0.0.0.0
or
access-list 10 deny host 172.16.70.35
Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255
or
access-list 10 permit any
Router(config)# interface e1
Router(config-if)# ip access-group 10 out
[Viewing information about existing ACLs]
Router# show configuration
Router# show access list 10
22
(This will show which access groups are associated

with particular interfaces)
(This will show detailed information about this ACL)

Write a standard access list to block Jims computer from sending information to Franks
computer; but will allow all other traffic from the 192.168.90.0 network. Permit all traffic from the
210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Include a remark
with each statement of your ACL. Keep in mind that there may be multiple ways many of the
individual statements in an ACL can be written.
Router Name:
Router A
Interface:
E0
Access-list #:
28
Router# configure terminal
Router(config)# access-list 28 remark Block Jim from reaching Frank
Router(config)# access-list 28 deny 192.168.90.36
or
access-list 28 deny 192.168.90.36 0.0.0.0
or
access-list 28 deny host 192.168.90.36
Router(config)# access-list 28 remark Allow all other traffic
Router(config)# access-list 28 remark Allow all traffic
Router(config-if)# ip access-group 28 out
Router# copy run start
[Remark Command]
The remark command allows you to place text within the ACL so it can be viewed after it is
inserted on the router. It can be viewed using the show run or any command that lists the ACL.
[Disabling ACLs]
Router(config-if)# no ip access-group 28 out
[Removing an ACL]
Router(config)# no access-list 28
23
FA0
S0
223.190.32.1
Router A
S1
Router B
FA1 192.16.32.94
FA0
172.16.0.0
Network
Michaels
Computer
223.190.32.16
Debbies
Computer
192.16.32.95
Standard Access List Problem #1

Write a standard access list to block Debbies computer from receiving information from
Michaels computer; but will allow all other traffic. List all the command line options for this
problem. Keep in mind that there may be multiple ways many of the individual statements in
an ACL can be written.
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router(config)# ________________________________________________________
or
________________________________________________________
or
________________________________________________________
Router(config)# ________________________________________________________
or
______________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
24

Write a standard access list to permit Debbies computer to receive information from
Michaels computer; but will deny all other traffic from the 223.190.32.0 network. Block all
traffic from the 172.16.0.0 network. Permit all other traffic. List all the command line options
for this problem. Keep in mind that there may be multiple ways many of the individual
statements in an ACL can be written.
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router(config)# ________________________________________________________
or
________________________________________________________
or
________________________________________________________
Router(config)#_________________________________________________________
Router(config)#_________________________________________________________
Router(config)#_________________________________________________________
or
_______________________________________________________
25
Router A
204.90.30.124 E0
S0
10.250.30.35
Carols
Computer
Rodneys
Computer
Router B
S1
10.250.30.36
Jims
Computer
FA1
192.168.88.4
192.168.88.5
204.90.30.130
204.90.30.126

Write a standard access list to block Rodney and Carols computer from sending information
to Jims computer; but will allow all other traffic from the 204.90.30.0 network. Block all other
traffic. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
26

Using a minimum number of commands write a standard access list named Ralph to block
Carols computer from sending information to Jims computer; but will permit Jim to receive
data from Rodney. Block the upper half of the 204.90.30.0 range from reaching Jims
computer while permitting the lower half of the range. Block all other traffic. Include a remark
with each statement of your ACL. For help with blocking the upper half of the range review
page 13 or the wildcard mask problems on pages 16 and 17. For help with named ACLs
review pages 12 and 13. For help with the remark command review page 23.
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Router(config)# ________________________________________________________
Router(config-std-nacl)# _______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
Router(config-std-nacl)# interface ________
27
Router B
S0
S1
Router A
172.30.225.1 E0
S0
S1
E1 212.180.10.5
S1
Router C
212.180.10.6
172.30.225.2
172.30.225.3
212.180.10.2

Write a standard access list to block 172.30.225.2 and 172.30.225.3 from sending
information to the 212.180.10.0 network; but will allow all other traffic. Keep in mind that
there may be multiple ways many of the individual statements in an ACL can be written.
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
28

Write a standard access list to block and log 212.180.10.2 from sending information to the
172.30.225.0 network. Permit and log 212.180.10.6 to send data to the 172.30.225.0 network.
Deny all other traffic. Add a remark to each statement explaining its purpose. Keep in mind
that there may be multiple ways many of the individual statements in an ACL can be written.
Check the example on page 10 for help with the logging option. For help with the remark
command review page 23.
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
29
Router C
Router A
S0
S1
FA0
S1
198.32.10.25
Router B
S0
192.168.15.172
210.140.15.1
FA0
FA1
192.168.15.3
210.140.15.8
198.32.10.25

Write a standard access list to block the addresses 192.168.15.1 to 192.168.15.31 from
sending information to the 210.140.15.0 network. Do not permit any traffic from 198.32.10.25
to reach the 210.140.15.0 network. Permit all other traffic. For help with this problem review
page 13 or the wildcard mask problems on pages 16 and 17.
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
30

Write a standard named access list called Cisco_Lab_A to permit traffic from the lower half of
the 198.32.10.0 network to reach 192.168.15.0 network; block the upper half of the addresses.
Allow host 198.32.10.192 to reach network 192.168.15.0. Permit all other traffic. For help with
this problem review page 13 or the wildcard masks problems on pages 16 and 17. For
assistance with named ACLs review pages 12 and 13.
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Router(config)# ________________________________________________________
Router(config-std-nacl)# _______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
Router(config-std-nacl)# interface ________
Router(config-if)# ip access-group __________________ in or out (circle one)
31

Write a standard access list to block network 192.168.255.0 from receiving information from
the following addresses: 10.250.1.1, 10.250.2.1, 10.250.4.1, and the entire 10.250.3.0
255.255.255.0 network. Allow all other traffic. Keep in mind that there may be multiple ways
many of the individual statements in an ACL can be written.
Router A
Router Name: ___________________________
FA0
Interface: _______________________________
Access-list #: ____________________________
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
FA0
32
Writing
Extended Access Lists...
34
172.16.70.32
192.168.90.38
Celestes
Computer
Deny/Permit Specific Addresses
192.168.90.36
Mikes
Computer
(This will show detailed information

about this ACL)
or
access-list 110 deny ip host 172.16.70.35 host 192.168.90.36
Router(config)# access-list 110 permit ip any any
or
Router(config)# interface fa0
Router(config-if)# ip access-group 110 in [Viewing information about existing ACLs]
(This will show which access groups
are associated with particular interfaces)

Router(config)# access-list 110 deny ip 172.16.70.35 0.0.0.0 192.168.90.36 0.0.0.0

Router Name:
Router A
Interface:
FA0
Access-list #:
110
Write an extended access list to prevent Johns computer from sending information to Mikes computer; but will allow all other
traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Extended Access List Sample #1
172.16.70.35
Johns
Computer
Gails
Computer
Router A
192.168.90.2
172.16.70.1
FA1
FA0
35
[Removing an ACL]
[Disabling ACLs]


or
access-list 135 deny ip host 192.168.90.36 172.16.70.0 0.0.0.255
or
access-list 135 deny ip 192.168.90.0 0.0.0.127 host 172.16.70.32
or
Router(config-if)# ip access-group 135 in

Router Name:
Router A
Interface:
FA1
Access-list #:
135
Write an extended access list to block the 172.16.70.0 network from receiving information from Mikes computer at 192.168.90.36.
Block the lower half of the ip addresses from 192.168.90.0 network from reaching Gails computer at 172.16.70.32. Permit all other
172.20.70.89
Extended Access List Problem #1
172.20.70.80
Bobs
Computer
Cindys
Computer
172.20.70.15
Router A
S0
FA0
192.168.122.129
Jackies
Computer
192.168.122.128
Jays
Computer
Router B
FA1
S1
192.168.122.52
Router(config)# interface __________

Router(config-if)# ip access-group _________ in or out (circle one)
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to prevent Jays computer from receiving information from Cindys computer. Permit all other traffic.
36
37

____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Router(config)#

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to block the 172.20.70.0 255.255.255.0 network from receiving information from Jackies computer at
192.168.122.129. Block the lower half of the ip addresses from 192.168.122.0 network from reaching Cindys computer at
172.20.70.89. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can
be written.
38
Router B
S0
FA1
172.59.2.1
172.59.2.15
Rebeccas
Computer
172.59.2.18
Rachaels
Computer
S1
__________________________________________________________________________
__________________________________________________________________________
___________________________________________________________________________
Router(config-ext-nacl)# interface ____________

Router(config-ext-nacl)
Router(config)#_____________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Write a named extended access list called Lab_166 to permit Jans computer at 218.35.50.10 to receive packets from Rachaels
computer at 172.59.2.18; but not Rebeccas computer at 172.59.2.15. Deny all other packets. Keep in mind that there may be
multiple ways many of the individual statements in an ACL can be written.
218.35.50.10
Jans
Computer
218.35.50.12
Juans
Computer
E0
218.35.50.1
Router A
39

Router((config-if)# exit
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Router(config)# _____________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to allow Juans computer at 218.35.50.12 to send information to Rebeccas computer at 172.59.2.15;
but not Rachaels computer at 172.59.2.18. Permit all other traffic. Keep in mind that there may be multiple ways many of the
individual statements in an ACL can be written.
40
192.16.20.7
192.16.20.0
Network
E0
192.18.50.11
Bobs
Computer
Deny/Permit Entire Ranges
192.17.40.0
Network
E1
Router B
S1
192.18.50.12
Barbras
Computer


Router(config)# access-list 111 permit ip 192.18.50.0 0.0.0.255 192.168.20.0 0.0.0.255
Router(config)# access-list 111 deny ip any any
or
access-list 111 deny ip 0.0.0.0 255.255.255.2550.0.0.0 255.255.255.255

Router Name:
Router B
Interface:
E1
Access-list #:
111
Write an extended access list to permit the 192.16.20.0 network to receive packets from the 192.18.50.0 network. Deny all other
192.16.20.6
Cindys
Computer
Ralphs
Computer
Router A
S0
41
The remark command allows you to place text within the ACL so it
can be viewed after it is inserted on the router. It can be viewed
using the show run or any command that lists the ACL.
[Remark Command]
[Removing an ACL]
[Disabling ACLs]


Router(config)# access-list 188 remark block all traffic from the Science lab
Router(config)# access-list 188 remark allow everyone else unrestricted access
or

Router Name:
Router A
Interface:
E0
Access-list #:
188
Write an extended access list to block the 192.18.50.0 network from receiving information from the 192.16.20.0 network. Permit all
other traffic. Add a remark to each statement. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.
42
204.95.150.12
S1
FA1
172.59.2.1
S0
210.250.10.0
Network
172.59.2.15
Rebeccas
Computer
172.59.2.18
Davids
Computer
Router(config)# interface ____________

______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to permit network 204.95.150.0 to send packets to network 172.59.0.0, but not to the 210.250.10.0
network. Permit all other traffic. Include a remark with each statement of your ACL. For help with the remark command review
page 41. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Router B
204.95.150.10
Rachels
Computer
Todds
Computer
204.95.150.11
Router A
S0
FA0
43

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to allow Rachels computer at 204.95.150.10 to receive information from the 172.59.2.0 network.
Deny all other hosts on the 204.95.150.0 network access from the 172.59.2.0 network. Permit all other traffic. Keep in mind that
there may be multiple ways many of the individual statements in an ACL can be written.
44
172.120.170.46
210.168.70.0
Network
E1
192.168.50.3
Tims
Computer
10.250.1.0
Network
S1
E1
192.168.50.2
S0
Router B
192.168.50.4
Denises
Computer
Router(config-ext-nacl)# interface ____________

_____________________________________________________________________________
_____________________________________________________________________________
Router(config-ext-nacl)#_____________________________________________________________________________
Router(config)# _____________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Write a named extended access list called Godzilla to prevent the 172.120.0.0 network from sending information to the
210.168.70.0 , and 10.250.1.0 255.255.255.0 networks; but will permit traffic to the 192.168.50.0 network. Permit all other traffic.
172.120.170.45
Phylliss
Computer
Tommys
Computer
172.120.170.47
Router A
S0
E0
45

____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Router(config)#

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Assuming default subnet masks write an extended access list to permit Tim at 192.168.50.3 to receive data from the 172.120.0.0
network. Allow the 192.168.50.0 network to receive information from Phylliss computer at 172.120.170.45. Deny all other traffic.
46
192.168.15.43
E1
172.21.50.95
Router B
172.21.50.96
Carols
Computer
172.21.50.97
Franks
Computer
Deny/Permit a Range of Addresses
S1


or

Router Name:
Router A
Interface:
FA0
Access-list #:
185
Write an extended access list to deny the first 15 usable addresses of the 192.168.15.0 network from reaching the 172.21.0.0
network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be
written.
192.168.15.44
Rodneys
Computer
Jims
Computer
Router A
S0
FA0
192.168.15.20
47
[Removing an ACL]
Router(config-if)# no ip access-group 121 in
[Disabling ACLs]

Router(config-if)# no ip access-group 121 in

Router(config)# access-list 121 permit ip 192.168.15.0 0.0.0.127 172.21.50.0 0.0.0.255
Router(config)# access-list 121 deny ip any any
or
access-list 121 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Router Name:
Router A
Interface:
FA0
Access-list #:
121
Write an extended access list which will allow the lower half of 192.168.15.0 network access to the 172.21.50.0 network. Deny all
other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
192.168.195.145
S0
Mikes
Computer
192.168.125.108
Celestes
Computer
192.168.125.17
192.168.125.254
E1
172.31.195.0
Network
192.168.195.88
Johns
Computer
Gails
Computer
192.168.195.90
E0
Router A

______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to prevent the first 31 usable addresses in the 192.168.125.0 network from reaching the
192.168.195.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.
48
49
Router(config-ext-nacl)# interface __________

Router(config-if)# ip access-group ________________ in or out (circle one)
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Router(config-ext-nacl)#_____________________________________________________________________________

Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Write a named extended access list called Media_Center to permit the range of addresses from 172.31.195.1 through
172.31.195.7 to send data to the 192.168.125.0 network. Deny all other traffic. Include a remark with each statement of your ACL.
For help with the remark command review page 41. Keep in mind that there may be multiple ways many of the individual statements
in an ACL can be written.
50
192.16.20.7
S1
S0
S0
E1
172.22.75.8
Router B
Router A
Barbras
Computer
172.18.50.12
172.22.75.10
Brads
Computer
FA1
172.18.50.10
Bobs
172.22.75.9
Computer
172.18.50.11
Jills
Computer
S1
Router C

______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to permit the first 3 usable addresses in the 192.16.20.0 network to reach the 172.22.75.0 network.
Deny the addresses from 192.16.20.4 through 192.16.20.31 from reaching the 172.22.75.0 network. Permit all other traffic. Keep in
mind that there are multiple ways this ACL can be written.
192.16.20.6
Cindys
Computer
Ralphs
Computer
192.16.20.5
FA0
51

____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to deny the addresses from 172.22.75.8 through 172.22.75.127 from sending data to the 172.18.50.0
network. Deny the first half of the addresses from the 172.22.75.0 network from reaching the 192.16.20.0 network. Permit all other
traffic. Keep in mind that there are multiple ways this ACL can be written.
52
172.16.70.155
10.250.1.0
Network
FA1
Peggys
Computer
Denises
Computer
192.168.88.204
10.250.4.0 192.168.88.200
Network
Router B
FA1
S1
192.168.88.1
FA0

______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to permit the first 63 usable addresses in the 192.168.88.0 network to reach the lower half of the
addresses in the 172.16.70.0 network; but not the upper half. Deny all other traffic. Include a remark with each statement of your
ACL. For help with the remark command review page 41. Keep in mind that there may be multiple ways many of the individual
172.16.70.145
Celestes
Computer
Bobs
Computer
172.16.70.1
Router A
S0
FA0
53

____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to deny the addresses from 10.250.1.0 through 10.250.1.63 from sending data to Denises computer.
Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
54
210.128.50.12
210.128.50.11
Web Server
Deny/Permit Port Numbers
Router B
S1
E1
210.128.50.10


Router(config)# access-list 198 deny tcp any 192.168.207.27 0.0.0.0 eq www
or
access-list 198 deny tcp any host 192.168.207.27 eq www
Router(config)# access-list 198 permit tcp any 192.168.207.0 0.0.0.255 eq www
Router(config)# interface e 0

Router Name:
Router A
Interface:
E0
Access-list #:
198
Write an extended access list to deny HTTP traffic intended for web server 192.168.207.27 from all other networks, but will permit all
other HTTP traffic to reach the 192.168.207.0 network. Deny all other IP traffic. Keep in mind that there may be multiple ways many
of the individual statements in an ACL can be written.
192.168.207.26
Router A
S0
E0
192.168.207.25
Web Server
192.168.207.27
[Removing an ACL]
[Disabling ACLs]


Router(config)# access-list 134 deny icmp 210.128.50.0 0.0.0.255 192.168.207.0 0.0.0.255
Router(config)# access-list 134 permit icmp any any

Router Name:
Router B
Interface:
E1
Access-list #:
134
Write an extended access list to deny pings from hosts on the 210.128.50.0 network from reaching the 192.168.207.0 network.
55
56
192.30.76.155
Router A
E1
S0
Peggys
Computer
Denises
Computer
192.168.33.214
172.16.16.0 192.168.33.210
Network
Router B
E1
S1
192.168.33.1
E0


Router(config)# access-list 145 permit udp192.168.33.214 0.0.0.0 192.30.76.155 0.0.0.0 eq tftp
or
access-list 145 permit udp host 192.168.33.214 host 192.30.76.155 eq tftp
Router(config)# interface E1

Router Name:
Router B
Interface:
E1
Access-list #:
145
Write an Extended access list to permit Denises computer to use TFTP with Bobs computer. Deny all other traffic from the 192.168.33.0
network to the 192.30.76.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be
written.
192.30.76.145
Celestes
Computer
Bobs
Computer
172.20.70.1
E0
10.250.4.0
Network
57
[Removing an ACL]
[Disabling ACLs]


Router(config)# access-list 155 deny tcp 192.30.76.0 0.0.0.8 any eq ftp (Covers 0 to 7)
Router(config)# access-list 155 permit tcp any any
or
access-list 155 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Router Name:
Router A
Interface:
E0
Access-list #:
155
Write an extended access list to deny FTP traffic from ip addresses 192.30.76.0 through 192.30.76.13.
E0
172.16.70.1
192.128.45.33
Bills
Computer
Deny/Permit a Port Numbers
10.250.8.0
Network
Router B
FA1
S1
192.128.45.8
FA0
S0
Router A
172.16.125.1
Jackies
Computer
E1
10.250.2.0
Network
192.128.45.35
Jennifers
Computer

______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to permit ICMP traffic from the 192.128.45.0 network to reach the 172.16.125.0 255.255.255.0 and
10.250.2.0 255.255.255.0 networks. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual
58
59
Deny/Permit a Port Numbers
Router(config-ext-nacl)# interface __________

Router(config-if)# ip access-group _________________ in or out (circle one)
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
Router(config-std-nacl)# ____________________________________________________________________________
Router(config-std-nacl)# ____________________________________________________________________________
Router(config)#______________________________________________________________________________________


Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
Write a named extended access list called Peggys_Lab to deny telnet from 10.250.8.0 through 10.250.8.127 from reaching the
192.128.45.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an
ACL can be written.
60
203.194.100.102
S1
Router B
Jimmys
Computer
Jos
Computer
172.60.18.142
172.60.18.140
FA1
172.60.18.1
S0
204.250.10.0
Network

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an access list to deny Jimmys computer from sending ftp packets to Web Server 1, but permit ftp to Web Server #2. Permit all
other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
203.194.100.101
Web Server #2
Web Server #1
203.194.100.1
Router A
S0
FA0
61

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Router(config)# _____________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to deny all HTTP traffic intended for the web server at 203.194.100.102 from the 172.66.0.0 network.
Permit all other HTTP traffic from the 204.250.10.0 and 172.60.0.0 networks to any other web servers. Deny all other IP traffic to the
203.194.100.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
62
192.168.15.82
192.172.10.0
Network
Router B
E1
Web Server #2
172.23.50.195 172.23.50.196
S1
172.23.50.197
Gails
Computer

______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list to permit TFTP traffic from all hosts on the 192.168.15.0 network. Deny all other traffic. Include a
remark with each statement of your ACL. For help with the remark command review page 41.Keep in mind that there may be
multiple ways many of the individual statements in an ACL can be written.
192.168.15.125
Web Server #1
Bobbies
Computer
Router A
S0
E0
E1
192.168.15.25
63

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write an extended access list that permits web traffic from web server #2 at 172.23.50.196 to reach everyone on the 192.168.15.0
network. Deny all other IP traffic going to the 192.172.10.0, and 192.168.15.0 networks from the 172.25.50.0 network. Keep in
mind that there may be multiple ways many of the individual statements in an ACL can be written.
Writing Access Lists

to Restrict Telnet Access...
Restricting access to telnet can be a very usefull option. Telnet is
considered a very insecure protocol because it sends passwords
through the network in clear-text. By switching from the access-group
command to the access-class command you can increase your
security by allowing only those users through that you want to use
telnet. The access-class command also allows you to apply this
access list to the vty connections.
65
192.30.76.155
10.250.4.0
Network
E1
Peggys
Computer
Deny/Permit Telnet
172.16.16.0
192.168.33.210
Network
Router B
E1
S1
192.168.33.1
E0
192.168.33.214
Denises
Computer

(using line VTY 0 4 instead of an interface like E1 allows you

to apply this access list to all VTY lines with one statement)

or
access-list 45 permit host 192.168.33.214
or
access-list 45 permit host 192.30.76.155
Router(config)# line vty 0 4
Router(config-line)#access-class 45 in
Router(config-line)# exit

Router Name:
Router B
Interface:
line VTY 0 4
Access-list #:
45
Write a standard access list to permit Denises and Bobs computers to telnet into Router B. Deny all other telnet traffic Keep in
mind that there may be multiple ways many of the individual statements in an ACL can be written.
192.30.76.145
Celestes
Computer
Bobs
Computer
172.20.70.1
Router A
S0
E0
66
203.194.100.102
Deny/Permit Telnet
204.250.10.0
Network
S0
172.60.18.140
Beckys
Computer
FA1
172.60.18.1
Router B
S1
172.60.18.142
Marys
Computer
Router(config)# ___________________
Router(config-line)# access-class _________ in or out (circle one)
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write a standard access list to permit Becky and Marys computer to telnet into Router B. Deny all other telnet traffic from the
Access List Problem #21
203.194.100.101
Web Server #2
Web Server #1
203.194.100.1
Router A
S0
FA0
67
Deny/Permit Telnet
Router(config)# ___________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write a standard access list to permit which will permit Web Server #1 to telnet into Router A. Log the telnet attempts. Deny all other
telnet access. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
68
FA1
FA0
192.60.18.61
Brents
Computer
192.60.18.62
Bobs
Computer
Router(config)# ___________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
Router(config)#______________________________________________________________________________________

Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
Write a standard access list to deny Brent and Bobs computer telnet access to into Router A. Permit all other telnet traffic from the
Deny/Permit Telnet
172.32.0.0
Network
204.250.10.0
Network
S0/0
Router A
Optional ACL Commands

& Other Network Security Ideas
In order to reduce the chance of spoofing from outside your network consider adding the following
statements to your networks inbound access list.
router# config t
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)# access-list 100 deny ip your-subnet-# your-subnet-mask-# any
router(config)# access-list 100 deny igmp any any
router(config)# access-list 100 deny icmp any any redirect
router(config)# access-list 100 permit any any
router(config)# interface e0 (or whatever your inbound port is)
router(config-if)# ip access-group in
router(config-if)# exit
router(config)# exit
Another handy security tool is to only allow ip packets out of your network with your source
address.
router# config t
router(config)# access-list 100 permit ip your-subnet-# your-subnet-mask-# any
router(config)# interface e0 (or whatever your outbound port is)
router(config-if)# ip access-group out
router(config-if)# exit
router(config)# exit
To keep packets with unreachable destinations from entering your network add this command:
ip route 0.0.0.0 0.0.0.0 null 0 255
To protect against smurf and other attacks add the following commands to every external
interface:
no ip directed-broadcast
no ip source-route
fair-queue
scheduler interval 500
69
Port Numbers
Port numbers are now assigned by the ICANN (Internet Corporation for
Assigned Names and Numbers). Commonly used TCP and UDP
applications are assigned a port number; such as: HTTP - 80, POP3 - 110,
FTP - 20. When an application communicates with another application on
another node on the internet, it specifies that application in each data
transmission by using its port number. You can also type the name (ie. Telnet)
instead of the port number (ie. 23). Port numbers range from 0 to 65536 and
are divided into three ranges:
Well Known Ports
Registered Ports
Dynamic and/or Private Ports
0 to 1,023
1,024 to 49,151
49,152 to 65,535
Below is a short list of some commonly used ports. For a complete list of
port numbers go to http://www.iana.org/assignments/port-numbers.
Some commonly used port numbers:

0
1
5
7
9
11
13
17
18
19
20
21
22
23
25
29
37
39
42
70
Reserved
TCPMUX
RJE
ECHO
DISCARD
SYSTAT
DAYTIME
QUOTE
MSP
CHARGEN
FTP-DATA
FTP
SSH
Telnet
SMTP
MSG ICP
TIME
RLP
NAMESERV
(TCP Port Service Multiplexer)

(Remote Job Entry)
(Active users)
(Quote of the day)
(Message Send Protocol)
(Character generator)
(File Transfer Protocol - Data)
(File Transfer Protocol - Control)
(Remote Login Protocol)
(Terminal Connection)
(Simple Mail Transfer Protocol)
(Resource Location Protocol

(Host Name Server)
43
49
53
67
68
69
70
75
79
80
95
101
108
109
110
113
115
117
118
119
123
137
139
143
150
156
161
179
190
194
197
389
396
443
444
445
458
546
547
563
569
NICNAME
LOGIN
DNS
BOOTP
BOOTPS
TFTP
GOPHER
(Who Is)
(Login Host Protocol)
(Domain Name Server)
(Bootstrap Protocol Server)
(Bootstrap Protocol Client)
(Trivial File Transfer Protocol)
(Gopher Services )
(Any Privite Dial-out Service)
FINGER
HTTP
(Hypertext Transfer Protocol)
SUPDUP
(SUPDUP Protocol)
HOSTNAME
(NIC Host Name Server)
SNAGAS
(SNA Gateway Access Server)
POP2
(Post Office Protocol - Version 2)
POP3
(Post Office Protocol - Version 3)
AUTH
(Authentication Service)
SFTP
(Simple File Transfer Protocol)
UUCP-PATH
(UUCP Path Service)
SQLSERV
(SQL Services)
NNTP
(Newsgroup)
NTP
(Network Tim Protocol)
NetBIOS-NS
(NetBIOS Name Service)
NetBIOS-SSN (NetBIOS Session Service )
IMAP
(Interim Mail Access Protocol)
SQL-NET
(NetBIOS Session Service)
SQLSRV
(SQL Service)
SNMP
(Simple Network Management Protocol)
BGP
(Border Gateway Protocol)
GACP
(Gateway Access Control Protocol)
IRC
(Internet Relay Chat)
DLS
(Directory Location Service)
LDAP
(Lightweight Directory Access Protocol)
NETWARE-IP (Novell Netware over IP )
HTTPS
(HTTP MCom)
SNPP
(Simple Network Paging Protocol)
Microsoft-DS
Apple QuickTime
DHCP Client
DHCP Server
SNEWS
MSN
Inside Cover

Access Lists Workbook - Student Ed

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

Access Lists Workbook - Student Ed

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Access Lists Workbook - Student Ed

Uploaded by

Copyright:

Available Formats

Extended

Produced by: Robb Jones

What are Access Control Lists?

General Access Lists Information

How routers use Access Lists

Standard Access Lists

Why standard ACLs are placed close to the

If you place the ACL on router A to block traffic to Router D

Standard Access List Placement

In order to permit packets from Juans computer to arrive at

Lisa has been sending unnecessary information to Paul. Where

Standard Access List Placement

Standard Access List Placement

3. Where would you place a standard access list to

4. Where would you place a standard access list to

5. Where would you place a standard access list to

6. Where would you place a standard access list to

7. Where would you place a standard access list to

8. Where would you place a standard access list to

9. Where would you place a standard access list to

10. Where would you place an ACL to deny traffic from

11. Where would you place a standard access list to

12. Where would you place an ACL to deny traffic from

Extended Access Lists

... are placed close to the source.

Why extended ACLs are placed close to the source.

If you place the ACL on Router E to block traffic from Router

Extended Access List Placement

In order to permit packets from Juans computer to arrive at

Lisa has been sending unnecessary information to Paul. Where would

Extended Access List Placement

Extended Access List Placement

3. Where would you place an extended access list to

4. Where would you place an extended access list to

5. Where would you place an extended access list to

6. Where would you place an extended access list to

7. Where would you place an extended access list to

8. Where would you place an extended access list to

9. Where would you place an ACL to deny traffic from

10. Where would you place an extended access list

11. Where would you place an extended access list to

12. Where would you place an extended access list

Choosing to Filter Incoming or Outgoing Packets

Breakdown of a Standard ACL Statement

access-list 1 permit 192.168.90.36 0.0.0.0

access-list 78 deny host 192.168.90.36 log

Breakdown of an Extended ACL Statement

access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0

access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log

Protocols Include: (Layers 3 and 4)

What are Named Access Control Lists?

Named Access Lists Information

Applying a Standard Named Access List

Router# configure terminal (or config t)

[Writing and installing an ACL]

Place the access list at:

Applying an extended Named Access List

Choices for Using Wildcard Masks

1. Matching a specific host.