Page 1: ACL Instructor Workbook

Access Lists Workbook, Version 1.2, Instructor’s Edition

(Cover: a word cloud of terms used in the workbook: 0.0.0.0, permit, Extended, ACL, Standard, access-group, deny, access-list, Wildcard Mask, Any.)

Page 2: ACL Instructor Workbook

Inside Cover

Access-List Numbers

IP Standard                                   1 to 99
IP Extended                                 100 to 199
Ethernet Type Code                          200 to 299
Ethernet Address                            700 to 799
DECnet and Extended DECnet                  300 to 399
XNS                                         400 to 499
Extended XNS                                500 to 599
Appletalk                                   600 to 699
48-bit MAC Addresses                        700 to 799
IPX Standard                                800 to 899
IPX Extended                                900 to 999
IPX SAP (service advertisement protocol)   1000 to 1099
IPX SAP SPX                                1000 to 1099
Extended 48-bit MAC Addresses              1100 to 1199
IPX NLSP                                   1200 to 1299
IP Standard, expanded range                1300 to 1999
IP Extended, expanded range                2000 to 2699
SS7 (voice)                                2700 to 2999
Standard Vines                                1 to 100
Extended Vines                              101 to 200
Simple Vines                                201 to 300
Transparent bridging (protocol type)        200 to 299
Transparent bridging (vendor type)          700 to 799
Extended Transparent bridging              1100 to 1199
Source-route bridging (protocol type)       200 to 299
Source-route bridging (vendor type)         700 to 799

Produced by: Robb [email protected]

Frederick County Career & Technology CenterCisco Networking Academy

Frederick County Public SchoolsFrederick, Maryland, USA

Special thanks to Melvin Baker and Jim Dorsch for taking the time to check this workbook for errors.

Instructors (and anyone else for that matter), please do not post the Instructor’s version on public websites. When you do this you are giving everyone else worldwide the answers. Yes, students look for answers this way.

It also discourages others, myself included, from posting high quality materials.

Page 3: ACL Instructor Workbook

What are Access Control Lists?

ACLs... are a sequential list of instructions that tell a router which packets to permit or deny.

How routers use Access Lists (Outbound Port - Default)

The router checks to see if the packet is routable. If it is, it looks up the route in its routing table.

The router then checks for an ACL on that outbound interface.

If there is no ACL, the router switches the packet out that interface to its destination.

If there is an ACL, the router checks the packet against the access list statements sequentially, then permits or denies each packet as it is matched.

If the packet does not match any statement written in the ACL it is denied, because there is an implicit “deny any” statement at the end of every ACL.

General Access Lists Information

Access Lists...

...are read sequentially.

...are set up so that as soon as the packet matches a statement it stops comparing and permits or denies the packet.

...need to be written to take care of the most abundant traffic first.

...must be configured on your router before you can deny packets.

...can be written for all supported routed protocols; but each routed protocol must have a different ACL for each interface.

...must be applied to an interface to work.

Page 4: ACL Instructor Workbook

Standard Access Lists

Standard Access Lists...

...are numbered from 1 to 99.

...filter (permit or deny) only source addresses.

...do not have any destination information, so they must be placed as close to the destination as possible.

...work at layer 3 of the OSI model.

Why standard ACLs are placed close to the destination.

If you want to block traffic from Juan’s computer from reaching Janet’s computer with a standard access list you would place the ACL close to the destination on Router D, interface E0. Since it uses only the source address to permit or deny packets, the ACL here will not affect packets reaching Routers B or C.

If you place the ACL on Router A to block traffic to Router D it will also block all packets going to Routers B and C, because all the packets will have the same source address.

(Figure: Routers A, B, C and D, each with an E0 Ethernet interface and S0/S1 serial interfaces; Juan’s, Janet’s, Jimmy’s and Matt’s computers.)

Page 5: ACL Instructor Workbook

Standard Access List Placement: Sample Problems

(Figure: Router A and Router B, interfaces S0, S1, E0, E1, FA0 and FA1; Juan’s, Jan’s, Lisa’s and Paul’s computers.)

In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the standard access list at router interface ______.

Lisa has been sending unnecessary information to Paul. Where would you place the standard ACL to deny all traffic from Lisa to Paul? Router Name ______________ Interface ___________

Where would you place the standard ACL to deny traffic from Paul to Lisa? Router Name ______________ Interface ___________

Answer key (as printed, in order): FA1; Router B E1; Router A E0

Page 6: ACL Instructor Workbook

Standard Access List Placement

(Figure: Routers A, B, C, D, E and F, with E0, FA1, S0 and S1 interfaces; computers belonging to Sarah, Jackie, Linda, Melvin, Jim, Jeff, George, Kathy, Carrol, Ricky, Jenny and Amanda.)

Page 7: ACL Instructor Workbook

Standard Access List Placement

For each problem give: Router Name _________________ Interface ____________________

1. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer?

2. Where would you place a standard access list to deny traffic from Melvin’s computer from reaching Jenny’s computer?

3. Where would you place a standard access list to deny traffic to Carrol’s computer from Sarah’s computer?

4. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer?

5. Where would you place a standard access list to deny traffic from Amanda’s computer from reaching Jeff and Jim’s computer?

6. Where would you place a standard access list to permit traffic from Jackie’s computer to reach Linda’s computer?

7. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Carrol and Amanda’s computer?

8. Where would you place a standard access list to deny traffic to Jenny’s computer from Jackie’s computer?

9. Where would you place a standard access list to permit traffic from George’s computer to reach Linda and Sarah’s computer?

10. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer?

11. Where would you place a standard access list to deny traffic to Sarah’s computer from Ricky’s computer?

12. Where would you place an ACL to deny traffic from Linda’s computer from reaching Jackie’s computer?

Answer key (in the order printed): Router D E0; Router A E0; Router C FA1; Router D E0; Router D E0; Router E E0; Router C FA1; Router A E0; Router E E0; Router C FA1; Router E E0; Router F FA1

Page 8: ACL Instructor Workbook

Extended Access Lists

Extended Access Lists...

...are numbered from 100 to 199.

...filter (permit or deny) based on the: source address, destination address, protocol, port number.

...are placed close to the source.

...work at both layer 3 and 4 of the OSI model.

Why extended ACLs are placed close to the source.

If you want to deny traffic from Juan’s computer from reaching Janet’s computer with an extended access list you would place the ACL close to the source on Router A, interface E0. Since it can permit or deny based on the destination address it can reduce backbone overhead and not affect traffic to Routers B or C.

If you place the ACL on Router E to block traffic from Router A, it will work. However, Routers B and C will have to route the packet before it is finally blocked at Router E. This increases the volume of useless network traffic.

(Figure: Routers A, B, C and D, with E0, FA0, S0 and S1 interfaces; Juan’s, Janet’s, Jimmy’s and Matt’s computers.)

Page 9: ACL Instructor Workbook

Extended Access List Placement: Sample Problems

(Figure: Router A and Router B, interfaces S0, S1, E0, E1, FA0 and FA1; Juan’s, Jan’s, Lisa’s and Paul’s computers.)

In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the extended access list at router interface ______.

Lisa has been sending unnecessary information to Paul. Where would you place the extended ACL to deny all traffic from Lisa to Paul? Router Name ______________ Interface ___________

Where would you place the extended ACL to deny traffic from Paul to Lisa? Router Name ______________ Interface ___________

Answer key (as printed, in order): E0; Router A FA0; Router B FA1

Page 10: ACL Instructor Workbook

Extended Access List Placement

(Figure: Routers A, B, C, D, E and F, with FA0, FA1, E1, S0 and S1 interfaces; computers belonging to Sarah, Jackie, Linda, Melvin, Jim, Jeff, George, Kathy, Carrol, Ricky, Jenny and Amanda.)

Page 11: ACL Instructor Workbook

Extended Access List Placement

For each problem give: Router Name _________________ Interface ____________________

1. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer?

2. Where would you place an extended access list to permit traffic from Jackie’s computer to reach Linda’s computer?

3. Where would you place an extended access list to deny traffic to Carrol’s computer from Ricky’s computer?

4. Where would you place an extended access list to deny traffic to Sarah’s computer from Jackie’s computer?

5. Where would you place an extended access list to permit traffic from Carrol’s computer to reach Jeff’s computer?

6. Where would you place an extended access list to deny traffic from Melvin’s computer from reaching Jeff and Jim’s computer?

7. Where would you place an extended access list to permit traffic from George’s computer to reach Jeff’s computer?

8. Where would you place an extended access list to permit traffic from Jim’s computer to reach Carrol and Amanda’s computer?

9. Where would you place an ACL to deny traffic from Linda’s computer from reaching Kathy’s computer?

10. Where would you place an extended access list to deny traffic to Jenny’s computer from Sarah’s computer?

11. Where would you place an extended access list to permit traffic from George’s computer to reach Linda and Sarah’s computer?

12. Where would you place an extended access list to deny traffic from Linda’s computer from reaching Jenny’s computer?

Answer key (in the order printed): Router D FA0; Router F FA1; Router A FA0; Router F FA1; Router C E1; Router F FA1; Router C E1; Router D FA0; Router E FA0; Router E FA0; Router C E1; Router E FA0

Page 12: ACL Instructor Workbook

Choosing to Filter Incoming or Outgoing Packets

Access Lists on your incoming port...

...require less CPU processing.

...filter and deny packets before the router has to make a routing decision.

Access Lists on your outgoing port...

...are the default: an ACL is applied outbound unless otherwise specified.

...increase the CPU processing time, because the routing decision is made and the packet is switched to the correct outgoing port before it is tested against the ACL.

Breakdown of a Standard ACL Statement

access-list 1 permit 192.168.90.36 0.0.0.0

  1               access-list number (1 to 99)
  permit          permit or deny
  192.168.90.36   source address
  0.0.0.0         wildcard mask

access-list 78 deny host 192.168.90.36 log

  78              access-list number (1 to 99)
  deny            permit or deny
  host            indicates a specific host address
  192.168.90.36   source address
  log             (Optional) generates a log entry on the router for each packet that matches this statement

Page 13: ACL Instructor Workbook

Breakdown of an Extended ACL Statement

access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0

  125             access-list number (100 to 199)
  permit          permit or deny
  ip              protocol (icmp, tcp, udp, ip, etc.)
  192.168.90.36   source address
  0.0.0.0         source wildcard mask
  192.175.63.12   destination address
  0.0.0.0         destination wildcard mask

access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log

  178             access-list number (100 to 199)
  deny            permit or deny
  tcp             protocol (icmp, tcp, udp, ip, etc.)
  host            indicates a specific host
  192.168.90.36   source address
  host            indicates a specific host
  192.175.63.12   destination address
  eq              operator: eq for =, gt for >, lt for <, neq for ≠
  23              port number (23 = telnet)
  log             (Optional) generates a log entry on the router for each packet that matches this statement

Protocols include: IP, IGMP, IPINIP, TCP, GRE, OSPF, UDP, IGRP, NOS, ICMP, EIGRP, or an integer from 0 to 255.

To match any internet protocol use IP.

Page 14: ACL Instructor Workbook

What are Named Access Control Lists?

Named ACLs... are standard or extended ACLs which have an alphanumeric name instead of a number (i.e. 1-99 or 100-199).

Named Access Lists Information

Named Access Lists...

...identify ACLs with an intuitive name instead of a number.

...eliminate the limits imposed by using numbered ACLs (798 for standard and 799 for extended).

...provide the ability to modify your ACLs without deleting and reloading the revised access list. It will only allow you to add statements to the end of the existing statements.

...are not compatible with any IOS prior to Release 11.2.

...cannot repeat the same name on multiple ACLs.

Applying a Standard Named Access List called “George”

Write a named standard access list called “George” on Router A, interface E1 to block Melvin’s computer from sending information to Kathy’s computer; but will allow all other traffic.

Place the access list at:
Router Name: Router A
Interface: E1
Access-list Name: George

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list standard George
Router(config-std-nacl)# deny host 172.16.70.35
Router(config-std-nacl)# permit any
Router(config-std-nacl)# interface e1
Router(config-if)# ip access-group George out
Router(config-if)# exit
Router(config)# exit

Page 15: ACL Instructor Workbook

Applying an Extended Named Access List called “Gracie”

Write a named extended access list called “Gracie” on Router A, interface E0 to deny HTTP traffic intended for web server 192.168.207.27, but will permit all other HTTP traffic to reach only the 192.168.207.0 network. Deny all other IP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list Name: Gracie

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ip access-list extended Gracie
Router(config-ext-nacl)# deny tcp any host 192.168.207.27 eq www
Router(config-ext-nacl)# permit tcp any 192.168.207.0 0.0.0.255 eq www
Router(config-ext-nacl)# interface e0
Router(config-if)# ip access-group Gracie in
Router(config-if)# exit
Router(config)# exit

Page 16: ACL Instructor Workbook

Choices for Using Wildcard Masks

Wildcard masks are usually set up to do one of four things:
1. Match a specific host.
2. Match an entire subnet.
3. Match a specific range.
4. Match all addresses.

1. Matching a specific host.

For standard access lists:
Access-List 10 permit 192.168.150.50 0.0.0.0
or
Access-List 10 permit 192.168.150.50
or
Access-List 10 permit host 192.168.150.50
(standard ACLs assume a 0.0.0.0 mask)

For extended access lists:
Access-list 110 deny ip 192.168.150.50 0.0.0.0 any
or
Access-list 110 deny ip host 192.168.150.50 any

2. Matching an entire subnet

Example 1
Address: 192.168.50.0 Subnet Mask: 255.255.255.0
Access-list 25 deny 192.168.50.0 0.0.0.255

Example 2
Address: 172.16.0.0 Subnet Mask: 255.255.0.0
Access-list 12 permit 172.16.0.0 0.0.255.255

Example 3
Address: 10.0.0.0 Subnet Mask: 255.0.0.0
Access-list 125 deny udp 10.0.0.0 0.255.255.255 any

Page 17: ACL Instructor Workbook

3. Match a specific range

Example 1
Address: 10.250.50.112 Subnet Mask: 255.255.255.224
Access-list 125 permit udp 10.250.50.112 0.0.0.31 any

Example 2
Address Range: 192.168.16.0 to 192.168.16.127
Access-list 125 deny ip 192.168.16.0 0.0.0.127 any
(This ACL would block the lower half of the subnet.)

Example 3
Address: 172.250.16.32 to 172.250.31.63
Access-list 125 permit ip 172.250.16.32 0.0.15.31 any

How the wildcards above were worked out, octet by octet:

Example 1 (custom subnet mask):
  255.255.255.255
- 255.255.255.224
  ---------------
  Wildcard: 0.0.0.31

Example 2:
  Range:     192.168.16.0 to 192.168.16.127
  Octets:    192-192   168-168   16-16   0-127
  Wildcard:     0         0        0      127    ->  0.0.0.127

Example 3:
  Range:     172.250.16.32 to 172.250.31.63
  Octets:    172-172   250-250   16-31   32-63
  Wildcard:     0         0       15      31     ->  0.0.15.31

4. Match everyone.

For standard access lists:
Access-List 15 permit any
or
Access-List 15 deny 0.0.0.0 255.255.255.255

For extended access lists:
Access-List 175 permit ip any any
or
Access-List 175 deny tcp 0.0.0.0 255.255.255.255 any

Page 18: ACL Instructor Workbook

Creating Wildcard Masks

Just like a subnet mask, the wildcard mask tells the router what part of the address to check or ignore. A zero (0) bit must match exactly; a one (1) bit will be ignored.

The source address can be a single address, a range of addresses, or an entire subnet.

As a rule of thumb the wildcard mask is the reverse of the subnet mask.

Example #1:
IP Address and subnet mask: 204.100.100.0 255.255.255.0
IP Address and wildcard mask: 204.100.100.0 0.0.0.255

All zeros (or 0.0.0.0) means the address must match exactly.

Example #2:
10.10.150.95 0.0.0.0 (This address must match exactly.)

Ones will be ignored.

Example #3:
10.10.150.95 0.0.0.255 (Any 10.10.150.0 subnet address will match: 10.10.150.0 to 10.10.150.255)

This also works with subnets.

Example #4:
IP Address and subnet mask: 192.170.25.30 255.255.255.224
IP Address and wildcard mask: 192.170.25.30 0.0.0.31

(Subtract the subnet mask from 255.255.255.255 to create the wildcard.)

Do the math... (This is the inverse of the subnet mask.)
255 - 255 = 0
255 - 255 = 0
255 - 255 = 0
255 - 224 = 31

Example #5:
IP Address and subnet mask: 172.24.128.0 255.255.128.0
IP Address and wildcard mask: 172.24.128.0 0.0.127.255

Do the math... (This is the inverse of the subnet mask.)
  255.255.255.255
- 255.255.128.0
  ===============
    0.0.127.255
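The wildcard arithmetic above, worked in Python as an added example (this code is not part of the workbook; the function names are mine). It derives a wildcard by subtracting the subnet mask from 255.255.255.255, tests an address against an ACL "address wildcard" pair bit by bit, and shows why a discontiguous wildcard such as the 0.0.15.31 in the range examples matches only part of the span between its lowest and highest address.

```python
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard = 255.255.255.255 minus the subnet mask, one octet at a time."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def matches(address: str, base: str, wildcard: str) -> bool:
    """Check one address against an ACL 'base wildcard' pair.

    Bits that are 0 in the wildcard must equal the base; bits that are 1 are ignored.
    """
    check_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & check_bits) == (_to_int(base) & check_bits)


def matched_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address the pair can match (ignored bits all 0, then all 1)."""
    check_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    low = _to_int(base) & check_bits
    high = low | _to_int(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def matched_count(wildcard: str) -> int:
    """Number of addresses the pair matches: 2 to the power of the ignored (1) bits."""
    return 1 << bin(_to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Workbook examples #4 and #5 from "Creating Wildcard Masks"
    print(wildcard_from_mask("255.255.255.224"))  # 0.0.0.31
    print(wildcard_from_mask("255.255.128.0"))    # 0.0.127.255

    # Range example 3: 172.250.16.32 0.0.15.31
    print(matched_range("172.250.16.32", "0.0.15.31"))  # ('172.250.16.32', '172.250.31.63')
    # 4096 addresses lie between those two ends, but only 512 of them match,
    # because the wildcard ignores 4 bits of the third octet and 5 of the fourth.
    print(matched_count("0.0.15.31"))  # 512
    print(matches("172.250.20.40", "172.250.16.32", "0.0.15.31"))  # True
    print(matches("172.250.16.64", "172.250.16.32", "0.0.15.31"))  # False: bit 64 must be 0

    # Range example 1 uses 10.250.50.112 as the base with wildcard 0.0.0.31; the
    # router drops the ignored bits of the base, so the pair really matches .96 to .127.
    print(matched_range("10.250.50.112", "0.0.0.31"))  # ('10.250.50.96', '10.250.50.127')
```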

Page 19: ACL Instructor Workbook

Wildcard Mask Problems

1. Create a wildcard mask to match this exact address.
IP Address: 192.168.25.70 Subnet Mask: 255.255.255.0    Answer: 0.0.0.0

2. Create a wildcard mask to match this range.
IP Address: 210.150.10.0 Subnet Mask: 255.255.255.0    Answer: 0.0.0.255

3. Create a wildcard mask to match this host.
IP Address: 195.190.10.35 Subnet Mask: 255.255.255.0    Answer: 0.0.0.0

4. Create a wildcard mask to match this range.
IP Address: 172.16.0.0 Subnet Mask: 255.255.0.0    Answer: 0.0.255.255

5. Create a wildcard mask to match this range.
IP Address: 10.0.0.0 Subnet Mask: 255.0.0.0    Answer: 0.255.255.255

6. Create a wildcard mask to match this exact address.
IP Address: 165.100.0.130 Subnet Mask: 255.255.255.192    Answer: 0.0.0.0

7. Create a wildcard mask to match this range.
IP Address: 192.10.10.16 Subnet Mask: 255.255.255.224    Answer: 0.0.0.31

8. Create a wildcard mask to match this range.
IP Address: 171.50.75.128 Subnet Mask: 255.255.255.192    Answer: 0.0.0.63

9. Create a wildcard mask to match this host.
IP Address: 10.250.30.2 Subnet Mask: 255.0.0.0    Answer: 0.0.0.0

10. Create a wildcard mask to match this range.
IP Address: 210.150.28.16 Subnet Mask: 255.255.255.248    Answer: 0.0.0.7

11. Create a wildcard mask to match this range.
IP Address: 172.18.0.0 Subnet Mask: 255.255.224.0    Answer: 0.0.31.255

12. Create a wildcard mask to match this range.
IP Address: 135.35.230.32 Subnet Mask: 255.255.255.248    Answer: 0.0.0.7

Page 20: ACL Instructor Workbook

Wildcard Mask Problems

Based on the given information list the usable source addresses or range of usable source addresses that would be permitted or denied for each access list statement.

1. access-list 10 permit 192.168.150.50 0.0.0.0
Answer: 192.168.150.50

2. access-list 5 permit any
Answer: Any address

3. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
Answer: 195.223.50.1 to 195.223.50.63

4. access-list 11 deny 210.10.10.0 0.0.0.255
Answer: 210.10.10.1 to 210.10.10.254

5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
Answer: 192.220.10.1 to 192.220.10.15

6. access-list 171 deny any host 175.18.24.10 fragments
Answer: Any address

7. access-list 105 permit 192.168.15.0 0.0.0.255 any
Answer: 192.168.15.1 to 192.168.15.254

8. access-list 109 permit tcp 172.16.10.0 0.0.0.255 host 192.168.10.1 eq 80
Answer: 172.16.10.1 to 172.16.10.254

9. access-list 111 permit ip any any
Answer: Any address

10. access-list 195 permit udp 172.30.12.0 0.0.0.127 172.50.10.0 0.0.0.255
Answer: 172.30.12.1 to 172.30.12.127

Page 21: ACL Instructor Workbook

11. access-list 110 permit ip 192.168.15.0 0.0.0.3 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.3

12. access-list 120 permit ip 192.168.15.0 0.0.0.7 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.7

13. access-list 130 permit ip 192.168.15.0 0.0.0.15 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.15

14. access-list 140 permit ip 192.168.15.0 0.0.0.31 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.31

15. access-list 150 permit ip 192.168.15.0 0.0.0.63 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.63

16. access-list 101 permit ip 192.168.15.0 0.0.0.127 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.127

17. access-list 185 permit ip 192.168.15.0 0.0.0.255 192.168.30.0 0.0.0.255
Answer: 192.168.15.1 to 192.168.15.254

18. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 gt 22
Answer: 172.16.0.1 to 172.16.1.254

19. access-list 195 permit icmp 172.85.0.0 0.0.15.255 172.50.10.0 0.0.0.255
Answer: 172.85.0.1 to 172.85.15.254

20. access-list 10 permit 175.15.120.0 0.0.0.255
Answer: 175.15.120.1 to 175.15.120.254

21. access-list 190 permit tcp 172.15.0.0 0.0.15.31 any
Answer: 172.15.0.1 to 172.15.15.31

22. access-list 100 permit ip 10.0.0.0 0.255.255.255 172.50.10.0 0.0.0.255
Answer: 10.0.0.1 to 10.255.255.254

Page 22: ACL Instructor Workbook

Wildcard Mask Problems

Based on the given information list the usable destination addresses or range of usable destination addresses that would be permitted or denied for each access list statement.

1. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
Answer: 172.168.10.1

2. access-list 115 permit any any
Answer: Any address

3. access-list 150 permit ip 192.168.30.10 0.0.0.0 192.168.15.0 0.0.0.63
Answer: 192.168.15.1 to 192.168.15.63

4. access-list 120 deny tcp 172.32.4.0 0.0.0.255 192.220.10.0 0.0.0.15
Answer: 192.220.10.1 to 192.220.10.15

5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
Answer: 172.32.4.1 to 172.32.4.254

6. access-list 101 deny ip 140.130.110.100 0.0.0.0 0.0.0.0 255.255.255.255
Answer: Any address

7. access-list 105 permit any 192.168.15.0 0.0.0.255
Answer: 192.168.15.1 to 192.168.15.254

8. access-list 120 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.7
Answer: 192.168.30.1 to 192.168.30.7

9. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 eq 21
Answer: 172.18.10.18

10. access-list 150 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.63
Answer: 192.168.30.1 to 192.168.30.63

Page 23: ACL Instructor Workbook

Writing Standard Access Lists...

Page 24: ACL Instructor Workbook

Standard Access List Sample #1

(Figure: Router A with interfaces E0 (172.16.70.1), E1 (192.168.90.2) and S0 toward the 210.30.28.0 network. Melvin’s computer 172.16.70.35 and Frank’s computer 172.16.70.32 are on the 172.16.70.0 side; Kathy’s computer 192.168.90.38 and Jim’s computer 192.168.90.36 are on the 192.168.90.0 side.)

Write a standard access list to block Melvin’s computer from sending information to Kathy’s computer; but will allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E1
Access-list #: 10

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 10 deny 172.16.70.35
   or access-list 10 deny 172.16.70.35 0.0.0.0
   or access-list 10 deny host 172.16.70.35
Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255
   or access-list 10 permit any
Router(config)# interface e1
Router(config-if)# ip access-group 10 out
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACLs]

Router# show configuration (This will show which access groups are associated with particular interfaces)
Router# show access-lists 10 (This will show detailed information about this ACL)

Page 25: ACL Instructor Workbook

Standard Access List Sample #2

Write a standard access list to block Jim’s computer from sending information to Frank’s computer; but will allow all other traffic from the 192.168.90.0 network. Permit all traffic from the 210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 28

[Writing and installing an ACL]

Router# configure terminal
Router(config)# access-list 28 deny 192.168.90.36
   or access-list 28 deny 192.168.90.36 0.0.0.0
   or access-list 28 deny host 192.168.90.36
Router(config)# access-list 28 permit 192.168.90.0 0.0.0.255
Router(config)# access-list 28 permit 210.30.28.0 0.0.0.255
Router(config)# interface e0
Router(config-if)# ip access-group 28 out
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACLs]

Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]

Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# no access-list 28
Router(config)# exit
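The sequential, first-match evaluation and the implicit “deny any” described at the start of the workbook, run over the workbook’s own lists: an added example, not workbook material, that parses the statements of access-list 28 above and of the named extended list “Gracie”, then evaluates packets against them in order. The parser covers only the statement forms the workbook uses (host, any, address plus wildcard, bare address, eq/gt/lt/neq port operators); the function names and the outside address 10.1.1.5 are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MASK = 0xFFFFFFFF
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}
PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n,
            "lt": lambda p, n: p < n, "neq": lambda p, n: p != n}


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _is_dotted(token: str) -> bool:
    return token.count(".") == 3 and token.replace(".", "").isdigit()


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every IP protocol
    src: tuple               # (base, wildcard) as integers
    dst: Optional[tuple]     # None for a standard (source-only) entry
    port: Optional[tuple]    # (operator, port number) or None


def _parse_address(tokens: list) -> tuple:
    """Consume 'any', 'host A', 'A W' or a bare 'A' (standard ACLs assume 0.0.0.0)."""
    token = tokens.pop(0)
    if token == "any":
        return (0, MASK)
    if token == "host":
        return (_ip(tokens.pop(0)), 0)
    base = _ip(token)
    wildcard = _ip(tokens.pop(0)) if tokens and _is_dotted(tokens[0]) else 0
    return (base, wildcard)


def parse_entry(line: str) -> Entry:
    """Parse one statement in either the numbered or the named-ACL form."""
    tokens = line.split()
    if tokens[0] == "access-list":      # numbered form: drop "access-list N"
        tokens = tokens[2:]
    action = tokens.pop(0)
    if tokens[0] not in PROTOCOLS:      # standard entry: only a source
        return Entry(action, "ip", _parse_address(tokens), None, None)
    proto = tokens.pop(0)
    src = _parse_address(tokens)
    dst = _parse_address(tokens)
    port = None
    if tokens and tokens[0] in PORT_OPS:
        op, value = tokens.pop(0), tokens.pop(0)
        port = (op, PORT_NAMES.get(value) or int(value))
    return Entry(action, proto, src, dst, port)   # a trailing "log" is ignored


def _match(spec: tuple, address: int) -> bool:
    base, wildcard = spec
    check_bits = ~wildcard & MASK
    return (address & check_bits) == (base & check_bits)


def evaluate(acl: list, src: str, dst: str = "0.0.0.0",
             proto: str = "ip", dport: Optional[int] = None) -> str:
    """Return the action of the first matching entry, else the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _match(e.src, s):
            continue
        if e.dst is not None and not _match(e.dst, d):
            continue
        if e.port is not None and (dport is None or not PORT_OPS[e.port[0]](dport, e.port[1])):
            continue
        return e.action
    return "deny"   # the implicit "deny any" at the end of every ACL


# Standard Access List Sample #2, exactly as the workbook writes it
ACL_28 = [parse_entry(s) for s in (
    "access-list 28 deny host 192.168.90.36",
    "access-list 28 permit 192.168.90.0 0.0.0.255",
    "access-list 28 permit 210.30.28.0 0.0.0.255",
)]
# The same statements with the subnet permit moved ahead of the host deny
ACL_28_WRONG_ORDER = [ACL_28[1], ACL_28[0], ACL_28[2]]

# The named extended list "Gracie"
GRACIE = [parse_entry(s) for s in (
    "deny tcp any host 192.168.207.27 eq www",
    "permit tcp any 192.168.207.0 0.0.0.255 eq www",
)]

if __name__ == "__main__":
    print(evaluate(ACL_28, "192.168.90.36"))              # deny   (Jim's computer)
    print(evaluate(ACL_28, "192.168.90.38"))              # permit (rest of 192.168.90.0)
    print(evaluate(ACL_28, "172.16.70.35"))               # deny   (no statement matches)
    print(evaluate(ACL_28_WRONG_ORDER, "192.168.90.36"))  # permit (first match wins)
    # 10.1.1.5 is a constructed outside address, not one from the workbook
    print(evaluate(GRACIE, "10.1.1.5", "192.168.207.27", "tcp", 80))  # deny
    print(evaluate(GRACIE, "10.1.1.5", "192.168.207.40", "tcp", 80))  # permit
    print(evaluate(GRACIE, "10.1.1.5", "192.168.207.40", "tcp", 22))  # deny (not HTTP)
```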

Page 26: ACL Instructor Workbook

Standard Access List Problem #1

(Figure: Router A (223.190.32.1) and Router B (192.16.32.94) connected over S0/S1, each with FA0 and FA1 interfaces; Michael’s computer 223.190.32.16, Debbie’s computer 192.16.32.95, and the address 172.16.28.36.)

Write a standard access list to block Debbie’s computer from receiving information from Michael’s computer; but will allow all other traffic. List all the command line options for this problem. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 35 (1-99)

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# access-list 35 deny 223.190.32.16
   or access-list 35 deny host 223.190.32.16
   or access-list 35 deny 223.190.32.16 0.0.0.0
Router(config)# access-list 35 permit any
   or access-list 35 permit 0.0.0.0 255.255.255.255
Router(config)# interface FA1
Router(config-if)# ip access-group 35 in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Page 27: ACL Instructor Workbook

Write a standard access list to permit Debbie’s computer to receive information fromMichael’s computer; but will deny all other traffic from the 224.190.32.0 network. Block alltraffic from the 172.16.0.0 network. Permit all other traffic. List all the command line optionsfor this problem. Keep in mind that there may be multiple ways many of the individualstatements in an ACL can be written.

Place the access list at:Router Name: ___________________________Interface: _______________________________Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# ________________________________________________________or

________________________________________________________or

________________________________________________________

Router(config)#_________________________________________________________

Router(config)#_________________________________________________________

Router(config)#_________________________________________________________or

_______________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Standard Access List Problem #2

Router Name: Router B
Interface: FA0
Access-list #: 40 (1-99)

access-list 40 permit 223.190.32.16
or access-list 40 permit host 223.190.32.16
or access-list 40 permit 223.190.32.16 0.0.0.0

access-list 40 deny 223.190.32.0 0.0.0.255

access-list 40 deny 172.16.0.0 0.0.255.255

access-list 40 permit any
or access-list 40 permit 0.0.0.0 255.255.255.255

interface FA0
ip access-group 40

[Network diagram: Router A and Router B (interfaces S0, S1, E0, FA1); Rodney's Computer, Carol's Computer and Jim's Computer; addresses shown: 204.90.30.124, 204.90.30.125, 204.90.30.126, 192.168.88.4, 192.168.88.5, 10.250.30.35, 10.250.30.36]

Write a standard access list to block Rodney and Carol's computer from sending information to Jim's computer; but will allow all other traffic from the 204.90.30.0 network. Block all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)#

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Standard Access List Problem #3

Router Name: Router B
Interface: FA1
Access-list #: 45 (1-99)

access-list 45 deny 204.90.30.125
or access-list 45 deny host 204.90.30.125
or access-list 45 deny 204.90.30.125 0.0.0.0

access-list 45 deny 204.90.30.126
or access-list 45 deny host 204.90.30.126
or access-list 45 deny 204.90.30.126 0.0.0.0

access-list 45 permit 204.90.30.0 0.0.0.255

interface FA1
ip access-group 45

Using a minimum number of commands write a standard access list named "Ralph" to block Carol's computer from sending information to Jim's computer; but will permit Jim to receive data from Rodney. Block the upper half of the 204.90.30.0 range from reaching Jim's computer while permitting the lower half of the range. Block all other traffic. For help with blocking the upper half of the range review page 13 or the wildcard mask problems on pages 16 and 17. For help with named ACLs review pages 12 and 13.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# ________________________________________________________

Router(config-std-nacl)# _______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

Router(config-std-nacl)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Standard Access List Problem #4

Router Name: Router B
Interface: FA1
Access-list Name: Ralph

ip access-list standard Ralph

permit 204.90.30.0 0.0.0.127

interface FA1
ip access-group Ralph

Write a standard access list to block 172.30.225.2 and 172.30.225.3 from sending information to the 212.180.10.0 network; but will allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)#

________________________________________________________

________________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

[Network diagram: Router A, Router B and Router C (interfaces S0, S1, E0, E1); hosts 172.30.225.2, 172.30.225.3, 212.180.10.2, 212.180.10.6; other addresses shown: 172.30.225.1, 212.180.10.5]

Standard Access List Problem #5

Router Name: Router C
Interface: E1
Access-list #: 55 (1-99)

access-list 55 deny 172.30.225.2
or access-list 55 deny host 172.30.225.2
or access-list 55 deny 172.30.225.2 0.0.0.0

access-list 55 deny 172.30.225.3
or access-list 55 deny host 172.30.225.3
or access-list 55 deny 172.30.225.3 0.0.0.0

access-list 55 permit any

interface E1
ip access-group 55

Write a standard access list to block and log 212.180.10.2 from sending information to the 172.30.225.0 network. Permit and log 212.180.10.6 to send data to the 172.30.225.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. (Check the example on page 10 for help with the logging option.)

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)#

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Standard Access List Problem #6

Router Name: Router A
Interface: E0
Access-list #: 60 (1-99)

access-list 60 deny 212.180.10.2 log
or access-list 60 deny host 212.180.10.2 log
or access-list 60 deny 212.180.10.2 0.0.0.0 log

access-list 60 permit 212.180.10.6 log
or access-list 60 permit host 212.180.10.6 log
or access-list 60 permit 212.180.10.6 0.0.0.0 log

interface E0
ip access-group 60

Write a standard access list to block the addresses 192.168.15.1 to 192.168.15.31 from sending information to the 210.140.15.0 network. Do not permit any traffic from 198.32.10.25 to reach the 210.140.15.0 network. Permit all other traffic. For help with this problem review page 13 or the wildcard mask problems on pages 16 and 17.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# ________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

[Network diagram: Router A, Router B and Router C (interfaces S0, S1, FA0, FA1); addresses shown: 192.168.15.3, 192.168.15.172, 198.32.10.25, 210.140.15.1, 210.140.15.8]

Standard Access List Problem #7

Router Name: Router B
Interface: FA1
Access-list #: 65 (1-99)

access-list 65 deny 192.168.15.0 0.0.0.31

access-list 65 deny 198.32.10.25
or access-list 65 deny host 198.32.10.25
or access-list 65 deny 198.32.10.25 0.0.0.0

access-list 65 permit any

interface FA1
ip access-group 65

Write a standard named access list called "Cisco_Lab_A" to permit traffic from the lower half of the 198.32.10.0 network to reach 192.168.15.0 network; block the upper half of the addresses. Allow host 198.32.10.192 to reach network 192.168.15.0. Permit all other traffic. For help with this problem review page 13 or the wildcard masks problems on pages 16 and 17. For assistance with named ACLs review pages 12 and 13.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# ________________________________________________________

Router(config-std-nacl)# _______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

_______________________________________________

Router(config-std-nacl)# interface ________

Router(config-if)# ip access-group __________________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Standard Access List Problem #8

Router Name: Router A
Interface: FA0
Access-list Name: Cisco_Lab_A

ip access-list standard Cisco_Lab_A

permit 198.32.10.0 0.0.0.127

deny 198.32.10.0 0.0.0.255

permit any

interface FA0
ip access-group Cisco_Lab_A

Write a standard access list to block network 192.168.255.0 from receiving information from the following addresses: 10.250.1.1, 10.250.2.1, 10.250.4.1, and the entire 10.250.3.0 255.255.255.0 network. Allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)#

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Standard Access List Problem #9

Router Name: Router A
Interface: FA0
Access-list #: 75 (1-99)

access-list 75 deny 10.250.1.1
or access-list 75 deny host 10.250.1.1
or access-list 75 deny 10.250.1.1 0.0.0.0

access-list 75 deny 10.250.2.1
or access-list 75 deny host 10.250.2.1
or access-list 75 deny 10.250.2.1 0.0.0.0

access-list 75 deny 10.250.4.1
or access-list 75 deny host 10.250.4.1
or access-list 75 deny 10.250.4.1 0.0.0.0

access-list 75 deny 10.250.3.0 0.0.0.255

access-list 75 permit any

interface FA0
ip access-group 75
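The standard-list statements in the answer keys above can be checked mechanically. The following Python evaluator is an added example, not part of the workbook: it parses the statement forms the keys use (the three equivalent host spellings, any, base plus wildcard, the optional log keyword, and the body of an ip access-list standard block) and applies IOS standard-ACL semantics to a packet's source address, that is, top-down first match with an implicit deny at the end of the list. The sample lists it embeds are copied from the Problem #1, #4, #7 and #8 keys; the probe addresses are constructed. Evaluating the Cisco_Lab_A key exactly as printed shows that host 198.32.10.192 falls in the denied upper half, so a permit host 198.32.10.192 line would have to precede the deny line for that part of the problem statement to hold.

```python
"""Standard ACL evaluator: an added example, not part of the workbook.

Parses the statement forms the answer keys use and applies IOS standard-ACL
semantics to a packet's SOURCE address: top-down, first match wins, and an
implicit "deny any" sits at the end of every list.
"""
import ipaddress


def to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def parse_address(tokens):
    """Address operand of a standard entry -> (base, wildcard, log).

    Accepts the three equivalent host spellings the workbook lists
    (X | host X | X 0.0.0.0), "any", and base plus wildcard.
    """
    log = tokens[-1] == "log"
    if log:
        tokens = tokens[:-1]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", log
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", log
    if len(tokens) == 1:
        return tokens[0], "0.0.0.0", log
    return tokens[0], tokens[1], log


def parse_acl(config_text: str):
    """Workbook-style ACL text -> list of (action, base, wildcard, log).

    Handles numbered lines ("access-list N permit ...") and the body of a
    named list ("ip access-list standard NAME" followed by permit/deny lines).
    """
    entries = []
    for raw in config_text.splitlines():
        toks = raw.split()
        if not toks or toks[0] == "ip":       # blank line or the named-list header
            continue
        if toks[0] == "access-list":          # numbered form: drop "access-list N"
            toks = toks[2:]
        action, rest = toks[0], toks[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unrecognised statement: {raw!r}")
        base, wildcard, log = parse_address(rest)
        entries.append((action, base, wildcard, log))
    return entries


def evaluate(entries, source: str) -> str:
    """'permit' or 'deny' for a packet from `source`; implicit deny if nothing matches."""
    for action, base, wildcard, _log in entries:
        if wildcard_match(source, base, wildcard):
            return action
    return "deny"


# Constructed inputs, copied from the workbook answer keys.
ACL_35 = """
access-list 35 deny host 223.190.32.16
access-list 35 permit any
"""
ACL_RALPH = """
ip access-list standard Ralph
 permit 204.90.30.0 0.0.0.127
"""
ACL_65 = """
access-list 65 deny 192.168.15.0 0.0.0.31
access-list 65 deny 198.32.10.25
access-list 65 permit any
"""
ACL_CISCO_LAB_A = """
ip access-list standard Cisco_Lab_A
 permit 198.32.10.0 0.0.0.127
 deny 198.32.10.0 0.0.0.255
 permit any
"""


def forms_are_equivalent() -> bool:
    """The three host spellings must decide identically for every probe address."""
    spellings = ("223.190.32.16", "host 223.190.32.16", "223.190.32.16 0.0.0.0")
    lists = [parse_acl(f"access-list 35 deny {s}\naccess-list 35 permit any") for s in spellings]
    probes = ("223.190.32.16", "223.190.32.17", "192.16.32.95")   # constructed
    return all(len({evaluate(acl, p) for acl in lists}) == 1 for p in probes)


if __name__ == "__main__":
    print(evaluate(parse_acl(ACL_35), "223.190.32.16"))           # deny
    print(evaluate(parse_acl(ACL_RALPH), "204.90.30.200"))        # deny: upper half, implicit deny
    print(evaluate(parse_acl(ACL_CISCO_LAB_A), "198.32.10.192"))  # deny: the key as printed
    print(forms_are_equivalent())                                  # True
```

The evaluator only looks at the source address, which is exactly why a standard list has to be placed close to the destination: it cannot tell which destination a packet is heading for, so placing it near the source would also cut off traffic the problem statements want permitted.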

Writing Extended Access Lists...

Extended Access List Sample #1
Deny/Permit Specific Addresses

[Network diagram: Router A (FA0, FA1); John's Computer 172.16.70.35; Gail's Computer 172.16.70.32; Celeste's Computer 192.168.90.38; Mike's Computer 192.168.90.36; router addresses shown: 172.16.70.1, 192.168.90.2]

Write an extended access list to prevent John's computer from sending information to Mike's computer; but will allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 110

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# access-list 110 deny ip 172.16.70.35 0.0.0.0 192.168.90.36 0.0.0.0
or access-list 110 deny ip host 172.16.70.35 host 192.168.90.36

Router(config)# access-list 110 permit ip any any
or access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Router(config)# interface fa0

Router(config-if)# ip access-group 110 in

Router(config-if)# exit

Router(config)# exit

[Viewing information about existing ACL's]

Router# show configuration (This will show which access groups are associated with particular interfaces)

Router# show access-lists 110 (This will show detailed information about this ACL)

Extended Access List Sample #2
Deny/Permit Specific Addresses

Write an extended access list to block the 172.16.70.0 network from receiving information from Mike's computer at 192.168.90.36. Block the lower half of the ip addresses from 192.168.90.0 network from reaching Gail's computer at 172.16.70.32. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA1
Access-list #: 135

[Writing and installing an ACL]

Router# configure terminal

Router(config)# access-list 135 deny ip 192.168.90.36 0.0.0.0 172.16.70.0 0.0.0.255
or access-list 135 deny ip host 192.168.90.36 172.16.70.0 0.0.0.255

Router(config)# access-list 135 deny ip 192.168.90.0 0.0.0.127 172.16.70.32 0.0.0.0
or access-list 135 deny ip 192.168.90.0 0.0.0.127 host 172.16.70.32

Router(config)# access-list 135 permit ip any any
or access-list 135 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Router(config)# interface fa1

Router(config-if)# ip access-group 135 in

Router(config-if)# exit

Router(config)# exit

Router# copy run start

[Disabling ACL's]

Router# configure terminal

Router(config)# interface e1

Router(config-if)# no ip access-group 135 out

Router(config-if)# exit

Router(config)# exit

[Removing an ACL]

Router# configure terminal

Router(config)# interface e1

Router(config-if)# no ip access-group 135 out

Router(config-if)# exit

Router(config)# no access-list 135

Router(config)# exit

Extended Access List Problem #1
Deny/Permit Specific Addresses

[Network diagram: Router A (FA0, FA1) and Router B (S0, S1); Bob's Computer 172.20.70.80; Cindy's Computer 172.20.70.89; Jackie's Computer 192.168.122.129; Jay's Computer 192.168.122.128; router addresses shown: 172.20.70.15, 192.168.122.52]

Write an extended access list to prevent Jay's computer from receiving information from Cindy's computer. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# ________________________________________________________

________________________________________________________

________________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Router# copy run start

Router Name: Router A
Interface: FA0
Access-list #: 105 (100-199)

access-list 105 deny ip host 172.20.70.89 host 192.168.122.128
or access-list 105 deny ip 172.20.70.89 0.0.0.0 192.168.122.128 0.0.0.0

access-list 105 permit ip any any

interface FA0
ip access-group 105

Extended Access List Problem #2
Deny/Permit Specific Addresses

Write an extended access list to block the 172.20.70.0 255.255.255.0 network from receiving information from Jackie's computer at 192.168.122.129. Block the lower half of the ip addresses from 192.168.122.0 network from reaching Cindy's computer at 172.20.70.89. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal

Router(config)# ________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Router# copy run start

Router Name: Router B
Interface: FA1
Access-list #: 110 (100-199)

access-list 110 deny ip host 192.168.122.129 172.20.70.0 0.0.0.255
or access-list 110 deny ip 192.168.122.129 0.0.0.0 172.20.70.0 0.0.0.255

access-list 110 deny ip 192.168.122.0 0.0.0.127 host 172.20.70.89
or access-list 110 deny ip 192.168.122.0 0.0.0.127 172.20.70.89 0.0.0.0

access-list 110 permit ip any any

interface FA1
ip access-group 110
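Several problems above (standard Problems #4, #7 and #8, extended Sample #2 and Problem #2) turn on choosing a wildcard mask for a block of addresses such as "the lower half" of a network or 192.168.15.1 to 192.168.15.31. The following Python is an added example, not workbook code: range_to_wildcard derives base and wildcard for an aligned power-of-two block and refuses ranges that a single entry cannot express, half_of_network produces the lower-half and upper-half entries, split_range decomposes an arbitrary range into the minimum set of entries (a generalisation the workbook does not cover), and covered brute-forces an entry to list exactly the addresses it matches. All inputs are constructed from the addresses used in those problems.

```python
"""Wildcard masks from address ranges: an added example, not workbook code.

An ACL entry "base wildcard" matches every address that agrees with base on
each bit where the wildcard has a 0; wildcard 1 bits are "don't care". One
entry can therefore express a contiguous range only when the range is an
aligned power-of-two block: 2^k addresses starting at a multiple of 2^k.
"""
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def is_aligned_block(first: str, last: str) -> bool:
    """True when first..last is 2^k addresses long and starts on a multiple of 2^k."""
    lo, hi = to_int(first), to_int(last)
    size = hi - lo + 1
    return size > 0 and size & (size - 1) == 0 and lo % size == 0


def range_to_wildcard(first: str, last: str):
    """(base, wildcard) for an aligned block; ValueError otherwise."""
    if not is_aligned_block(first, last):
        raise ValueError("not an aligned power-of-two block; use split_range()")
    lo, hi = to_int(first), to_int(last)
    return to_str(lo), to_str(hi - lo)           # wildcard = size - 1: all low bits set


def half_of_network(network: str, upper: bool):
    """The workbook's "lower/upper half" of a network, e.g. 192.168.90.0/24 -> 0.0.0.127."""
    net = ipaddress.IPv4Network(network, strict=True)
    half = net.num_addresses // 2
    start = int(net.network_address) + (half if upper else 0)
    return to_str(start), to_str(half - 1)


def split_range(first: str, last: str):
    """Any range -> minimum list of (base, wildcard) entries, greedy by alignment.

    Generalises the workbook: .1 to .31 is not aligned, so it cannot be one
    entry; the workbook's key for Problem #7 instead uses the aligned block
    .0 to .31, which also covers the network address .0.
    """
    lo, hi = to_int(first), to_int(last)
    entries = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((to_str(lo), to_str(size - 1)))
        lo += size
    return entries


def covered(base: str, wildcard: str):
    """Brute-force the exact set of addresses an entry matches (keep wildcards small)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    fixed = to_int(base) & care
    return {to_str(n) for n in range(fixed, (fixed | to_int(wildcard)) + 1)
            if (n & care) == fixed}


if __name__ == "__main__":
    print(range_to_wildcard("192.168.15.0", "192.168.15.31"))    # ('192.168.15.0', '0.0.0.31')
    print(half_of_network("192.168.90.0/24", upper=False))         # ('192.168.90.0', '0.0.0.127')
    print(split_range("192.168.15.1", "192.168.15.31"))            # five entries
    print(len(covered("198.32.10.0", "0.0.0.127")))                # 128
```

A wildcard is not a subnet mask: 0.0.0.127 is "ignore the low seven bits", so the same entry that permits the lower half of a /24 would, with base 192.168.90.128, permit the upper half instead. covered is the check to run whenever an entry is meant to match a precise set of hosts.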

Extended Access List Problem #3
Deny/Permit Specific Addresses

[Network diagram: Router A (E0, FA1) and Router B (S0, S1); Jan's Computer 218.35.50.10; Juan's Computer 218.35.50.12; Rachael's Computer 172.59.2.18; Rebecca's Computer 172.59.2.15; router addresses shown: 218.35.50.1, 172.59.2.1]

Write a named extended access list called "Lab_166" to permit Jan's computer at 218.35.50.10 to receive packets from Rachael's computer at 172.59.2.18; but not Rebecca's computer at 172.59.2.15. Deny all other packets. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# ________________________________________________________

Router(config-ext-nacl)# _______________________________________________

_______________________________________________

Router(config-ext-nacl)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Router Name: Router B
Interface: FA1
Access-list Name: Lab_166

ip access-list extended Lab_166

permit ip host 172.59.2.18 host 218.35.50.10
or permit ip 172.59.2.18 0.0.0.0 218.35.50.10 0.0.0.0

interface FA1
ip access-group Lab_166

Extended Access List Problem #4
Deny/Permit Specific Addresses

Write an extended access list to allow Juan's computer at 218.35.50.12 to send information to Rebecca's computer at 172.59.2.15; but not Rachael's computer at 172.59.2.18. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal

Router(config)# ________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Router# copy run start

Router Name: Router A
Interface: E0
Access-list #: 120 (100-199)

access-list 120 deny ip host 218.35.50.12 host 172.59.2.18
or access-list 120 deny ip 218.35.50.12 0.0.0.0 172.59.2.18 0.0.0.0

access-list 120 permit ip any any

interface E0
ip access-group 120

Extended Access List Sample #3
Deny/Permit Entire Ranges

[Network diagram: Router A (E0, S0) and Router B (S1, E1); Cindy's Computer 192.16.20.6; Ralph's Computer 192.16.20.7; Barbra's Computer 192.18.50.12; Bob's Computer 192.18.50.11; router addresses shown: 192.16.20.5, 192.18.50.10]

Write an extended access list to permit the 192.16.20.0 network to receive packets from the 192.18.50.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: E1
Access-list #: 111

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# access-list 111 permit ip 192.18.50.0 0.0.0.255 192.16.20.0 0.0.0.255

Router(config)# access-list 111 deny ip any any
or access-list 111 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Router(config)# interface e1

Router(config-if)# ip access-group 111 in

Router(config-if)# exit

Router(config)# exit

[Viewing information about existing ACL's]

Router# show configuration (This will show which access groups are associated with particular interfaces)

Router# show access-lists 111 (This will show detailed information about this ACL)

Extended Access List Sample #4
Deny/Permit Entire Ranges

Write an extended access list to block the 192.18.50.0 network from receiving information from the 192.16.20.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 188

[Writing and installing an ACL]

Router# configure terminal

Router(config)# access-list 188 deny ip 192.16.20.0 0.0.0.255 192.18.50.0 0.0.0.255

Router(config)# access-list 188 permit ip any any
or access-list 188 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Router(config)# interface e0

Router(config-if)# ip access-group 188 in

Router(config-if)# exit

Router(config)# exit

Router# copy run start

[Disabling ACL's]

Router# configure terminal

Router(config)# interface e0

Router(config-if)# no ip access-group 188 out

Router(config-if)# exit

Router(config)# exit

[Removing an ACL]

Router# configure terminal

Router(config)# interface e0

Router(config-if)# no ip access-group 188 out

Router(config-if)# exit

Router(config)# no access-list 188

Router(config)# exit

Extended Access List Problem #5
Deny/Permit Entire Ranges

[Network diagram: Router A (FA0, FA1) and Router B (S0, S1); Rachel's Computer 204.95.150.10; Todd's Computer 204.95.150.12; David's Computer 172.59.2.18; Rebecca's Computer 172.59.2.15; network 210.250.10.0 behind S0; router addresses shown: 204.95.150.11, 172.59.2.1]

Write an extended access list to permit network 204.95.150.0 to send packets to network 172.59.0.0, but not the 210.250.10.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# ________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Router Name: Router B
Interface: FA1
Access-list #: 125 (100-199)

access-list 125 deny ip 204.95.150.0 0.0.0.255 210.250.10.0 0.0.0.255

access-list 125 permit ip any any

interface FA1
ip access-group 125

Extended Access List Problem #6
Deny/Permit Entire Ranges

Write an extended access list to allow Rachel's computer at 204.95.150.10 to receive information from the 172.59.0.0 network. Deny all other hosts on the 204.95.150.0 network access from the 172.59.2.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]

Router# configure terminal

Router(config)# ________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

________________________________________________________

Router(config)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Router# copy run start

Router Name: Router B
Interface: FA1
Access-list #: 130 (100-199)

access-list 130 permit ip 172.59.0.0 0.0.255.255 host 204.95.150.10
or access-list 130 permit ip 172.59.0.0 0.0.255.255 204.95.150.10 0.0.0.0

access-list 130 deny ip 172.59.0.0 0.0.255.255 204.95.150.0 0.0.0.255

access-list 130 permit ip any any

interface FA1
ip access-group 130
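Extended entries are matched on source and destination together, and the list 130 key above works only because the specific permit for Rachel's host precedes the broader deny for the whole 204.95.150.0 network. The following Python evaluator is an added example, not workbook code: it parses the access-list N permit|deny ip SRC DST form the keys use (each operand being host X, any, or base plus wildcard, with the ip access-list extended header accepted for named lists), evaluates a packet by source and destination with first-match and implicit-deny semantics, and compares the key's order with a constructed misordered copy of the same three lines. The list 130 and list 135 texts are copied from the Problem #6 and Sample #2 keys; the probe addresses are constructed.

```python
"""Extended ACL evaluator: an added example, not workbook code.

Parses the "access-list N {permit|deny} ip SRC DST" statements the answer
keys use, where each operand is "host X", "any", or "base wildcard", and
evaluates a packet by SOURCE and DESTINATION with first-match and
implicit-deny semantics. Because the first matching line decides, a specific
permit must precede a broader deny that would also match the same packet.
"""
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def take_operand(toks):
    """Consume one address operand; return ((base, wildcard), remaining tokens)."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def parse_extended(config_text: str):
    """-> list of (action, protocol, (src_base, src_wc), (dst_base, dst_wc))."""
    entries = []
    for raw in config_text.splitlines():
        toks = raw.split()
        if not toks or toks[0] == "ip":      # blank line or "ip access-list extended NAME"
            continue
        if toks[0] == "access-list":         # numbered form: drop "access-list N"
            toks = toks[2:]
        action, proto, rest = toks[0], toks[1], toks[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unrecognised statement: {raw!r}")
        src, rest = take_operand(rest)
        dst, _ = take_operand(rest)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, src: str, dst: str, proto: str = "ip") -> str:
    """First matching line decides; no match means the implicit deny."""
    for action, p, (sb, sw), (db, dw) in entries:
        if p != "ip" and p != proto:          # "ip" entries match every IP protocol
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# Constructed inputs: list 130 as printed in the Problem #6 key, a deliberately
# misordered copy of it, and list 135 from Sample #2.
ACL_130 = """
access-list 130 permit ip 172.59.0.0 0.0.255.255 host 204.95.150.10
access-list 130 deny ip 172.59.0.0 0.0.255.255 204.95.150.0 0.0.0.255
access-list 130 permit ip any any
"""
ACL_130_MISORDERED = """
access-list 130 deny ip 172.59.0.0 0.0.255.255 204.95.150.0 0.0.0.255
access-list 130 permit ip 172.59.0.0 0.0.255.255 host 204.95.150.10
access-list 130 permit ip any any
"""
ACL_135 = """
access-list 135 deny ip host 192.168.90.36 172.16.70.0 0.0.0.255
access-list 135 deny ip 192.168.90.0 0.0.0.127 host 172.16.70.32
access-list 135 permit ip any any
"""


def ordering_matters() -> bool:
    """Same three lines, different order: Rachel's host is permitted only in the key's order."""
    keyed = evaluate(parse_extended(ACL_130), "172.59.2.18", "204.95.150.10")
    swapped = evaluate(parse_extended(ACL_130_MISORDERED), "172.59.2.18", "204.95.150.10")
    return keyed == "permit" and swapped == "deny"


if __name__ == "__main__":
    print(evaluate(parse_extended(ACL_130), "172.59.2.18", "204.95.150.12"))   # deny
    print(evaluate(parse_extended(ACL_135), "192.168.90.100", "172.16.70.32"))  # deny
    print(ordering_matters())                                                   # True
```

Running the key's lines through this evaluator before applying them is a cheap way to catch the two classic extended-list mistakes: a broad deny shadowing a later specific permit, and source and destination operands written in the wrong order.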

Extended Access List Problem #7
Deny/Permit Entire Ranges

[Network diagram: Router A (E0, E1, S0) and Router B (S0, S1); Phyllis's Computer 172.120.170.45; Tommy's Computer (labelled 172.120.170.45 in the diagram); Denise's Computer 192.168.50.4; Tim's Computer 192.168.50.3; networks 10.250.1.0 and 210.168.70.0 behind Router B; other addresses shown: 172.120.170.45, 192.168.50.2]

Write a named extended access list called "Godzilla" to prevent the 172.120.0.0 network from sending information to the 210.168.70.0, and 10.250.1.0 255.255.255.0 networks; but will permit traffic to the 192.168.50.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

[Writing and installing an ACL]

Router# configure terminal (or config t)

Router(config)# ________________________________________________________

Router(config-ext-nacl)# _______________________________________________

_______________________________________________

_______________________________________________

Router(config-ext-nacl)# interface ________

Router(config-if)# ip access-group ________ in or out (circle one)

Router(config-if)# exit

Router(config)# exit

Router Name: Router A
Interface: E0
Access-list Name: Godzilla

ip access-list extended Godzilla

deny ip 172.120.0.0 0.0.255.255 210.168.70.0 0.0.0.255

deny ip 172.120.0.0 0.0.255.255 10.250.1.0 0.0.0.255

permit ip any any

interface E0
ip access-group Godzilla

Page 47: ACL Instructor Workbook

Extended Access List Problem #8 Deny/Permit Entire Ranges

Assuming default subnet masks, write an extended access list to permit Tim at 192.168.50.3 to receive data from the 172.120.0.0 network. Allow the 192.168.50.0 network to receive information from Phyllis's computer at 172.120.170.45. Deny all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 140 (100-199)

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 140 permit ip 172.120.0.0 0.0.255.255 host 192.168.50.3
   or Router(config)# access-list 140 permit ip 172.120.0.0 0.0.255.255 192.168.50.3 0.0.0.0
Router(config)# access-list 140 permit ip host 172.120.170.45 192.168.50.0 0.0.0.255
   or Router(config)# access-list 140 permit ip 172.120.170.45 0.0.0.0 192.168.50.0 0.0.0.255
Router(config)# interface E0
Router(config-if)# ip access-group 140 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

No deny entry is written: "deny all other traffic" is supplied by the implicit deny that ends every access list. host A and A 0.0.0.0 are the same match.
Page 48: ACL Instructor Workbook

Extended Access List Sample #5 Deny/Permit a Range of Addresses

[Diagram] Labels as printed: Rodney's Computer 192.168.15.44; Frank's Computer 172.21.50.97; FA0 Router A; Jim's Computer 192.168.15.43; Carol's Computer 172.21.50.96; 192.168.15.20; S0; S1; 172.21.50.95; E1 Router B.

Write an extended access list to deny the first 15 usable addresses of the 192.168.15.0 network from reaching the 172.21.0.0 network. Permit all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 185

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 185 deny ip 192.168.15.0 0.0.0.15 172.21.0.0 0.0.255.255
Router(config)# access-list 185 permit ip any any
   or Router(config)# access-list 185 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface fa0
Router(config-if)# ip access-group 185 in
Router(config-if)# exit
Router(config)# exit

The wildcard 0.0.0.15 matches 192.168.15.0 through 192.168.15.15, the network address plus the first 15 usable hosts; the extra match on .0 is harmless because that address is never a packet source. The destination is written as 172.21.0.0 0.0.255.255; IOS zeroes the "don't care" bits when it stores an entry, so 172.21.50.0 with the same wildcard would be saved as the same entry.

[Viewing information about existing ACL's]
Router# show configuration (This will show which access groups are associated with particular interfaces. It displays the saved startup configuration; use show running-config to see what is active before copy run start.)
Router# show access-lists 185 (This will show detailed information about this ACL, including a match counter for each entry.)
Page 49: ACL Instructor Workbook

Extended Access List Sample #6 Deny/Permit a Range of Addresses

Write an extended access list which will allow the lower half of the 192.168.15.0 network access to the 172.21.50.0 network. Deny all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 121

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 121 permit ip 192.168.15.0 0.0.0.127 172.21.50.0 0.0.0.255
Router(config)# access-list 121 deny ip any any
   or Router(config)# access-list 121 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface fa0
Router(config-if)# ip access-group 121 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

The explicit deny ip any any repeats what the implicit deny already does, but it gives the dropped packets a counter in show access-lists; the implicit deny keeps no count, so without the entry there is no visible evidence of what the list is blocking.

[Disabling ACL's]
Router# configure terminal
Router(config)# interface fa0
Router(config-if)# no ip access-group 121 in
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface fa0
Router(config-if)# no ip access-group 121 in
Router(config-if)# exit
Router(config)# no access-list 121
Router(config)# exit
Page 50: ACL Instructor Workbook

Extended Access List Problem #9 Deny/Permit a Range of Addresses

[Diagram] Labels as printed: John's Computer 192.168.195.88; Celeste's Computer 192.168.125.108; E0 E1 Router A; Gail's Computer 192.168.195.145; Mike's Computer 192.168.125.17; 192.168.195.90; 192.168.125.254; 172.31.195.0 S0 Router A.

Write an extended access list to prevent the first 31 usable addresses in the 192.168.125.0 network from reaching the 192.168.195.0 network. Permit all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router A
Interface: E1
Access-list #: 145 (100-199)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 145 deny ip 192.168.125.0 0.0.0.31 192.168.195.0 0.0.0.255
Router(config)# access-list 145 permit ip any any
Router(config)# interface E1
Router(config-if)# ip access-group 145 in or out (circle one)
Router(config-if)# exit
Page 51: ACL Instructor Workbook

Extended Access List Problem #10 Deny/Permit a Range of Addresses

Write a named extended access list called "Media_Center" to permit the range of addresses from 172.31.195.1 through 172.31.195.7 to send data to the 192.168.125.0 network. Deny all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router A
Interface: S0
Access-list Name: Media_Center

[Writing and installing an ACL]
Router# configure terminal
Router(config)# ip access-list extended Media_Center
Router(config-ext-nacl)# permit ip 172.31.195.0 0.0.0.7 192.168.125.0 0.0.0.255
Router(config-ext-nacl)# interface S0
Router(config-if)# ip access-group Media_Center in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

The single permit is enough: everything else, including the same hosts sending to any other destination, is dropped by the implicit deny.
Page 52: ACL Instructor Workbook

Extended Access List Problem #11 Deny/Permit a Range of Addresses

[Diagram] Labels as printed: Cindy's Computer 192.16.20.6; Barbra's Computer 172.18.50.12; FA0 Router A; Ralph's Computer 192.16.20.7; Bob's Computer 172.18.50.11; Brad's Computer 172.22.75.10; Jill's Computer 172.22.75.9; 192.16.20.5; E1; S0; 172.22.75.8; S1; S0; S1; 172.18.50.10; FA1; Router B; Router C.

Write an extended access list to permit the first 3 usable addresses in the 192.16.20.0 network to reach the 172.22.75.0 network. Deny the addresses from 192.16.20.4 through 192.16.20.31 from reaching the 172.22.75.0 network. Permit all other traffic. Keep in mind that there are multiple ways this ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 155 (100-199)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 155 permit ip 192.16.20.0 0.0.0.3 172.22.75.0 0.0.0.255
Router(config)# access-list 155 deny ip 192.16.20.0 0.0.0.31 172.22.75.0 0.0.0.255
Router(config)# access-list 155 permit ip any any
Router(config)# interface FA0
Router(config-if)# ip access-group 155 in or out (circle one)
Router(config-if)# exit

The range .4 through .31 is not one aligned block, so the deny is written for .0 through .31 (wildcard 0.0.0.31) and placed after the permit for .0 through .3; first-match ordering leaves .1 through .3 permitted and .4 through .31 denied. Swapping the two entries would deny all of them.
Page 53: ACL Instructor Workbook

Extended Access List Problem #12 Deny/Permit a Range of Addresses

Write an extended access list to deny the addresses from 172.22.75.8 through 172.22.75.127 from sending data to the 172.18.50.0 network. Deny the first half of the addresses from the 172.22.75.0 network from reaching the 192.16.20.0 network. Permit all other traffic. Keep in mind that there are multiple ways this ACL can be written.

Place the access list at:
Router Name: Router B
Interface: E1
Access-list #: 160 (100-199)

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 160 permit ip 172.22.75.0 0.0.0.7 172.18.50.0 0.0.0.255
Router(config)# access-list 160 deny ip 172.22.75.0 0.0.0.127 172.18.50.0 0.0.0.255
Router(config)# access-list 160 deny ip 172.22.75.0 0.0.0.127 192.16.20.0 0.0.0.255
Router(config)# access-list 160 permit ip any any
Router(config)# interface E1
Router(config-if)# ip access-group 160 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

As in Problem #11, .8 through .127 is not a single aligned block, so it is expressed as a permit for .0 through .7 followed by a deny for .0 through .127 toward 172.18.50.0. The third entry is what satisfies the second sentence of the problem (the lower half of 172.22.75.0 toward 192.16.20.0); without it that traffic would be carried by the closing permit.
Page 54: ACL Instructor Workbook

Extended Access List Problem #13 Deny/Permit a Range of Addresses

[Diagram] Labels as printed: Celeste's Computer 172.16.70.145; Denise's Computer 192.168.88.204; FA0 FA1 Router A; Bob's Computer 172.16.70.155; Peggy's Computer 192.168.88.200; 172.16.70.1; 192.168.88.1; Router B S0 S1; 10.250.4.0; 10.250.1.0; FA1 FA0.

Write an extended access list to permit the first 63 usable addresses in the 192.168.88.0 network to reach the lower half of the addresses in the 172.16.70.0 network, but not the upper half. Deny all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 165 (100-199)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 165 permit ip 192.168.88.0 0.0.0.63 172.16.70.0 0.0.0.127
Router(config)# interface FA1
Router(config-if)# ip access-group 165 in or out (circle one)
Router(config-if)# exit

The upper half of 172.16.70.0 (.128 through .255) and all other traffic are covered by the implicit deny, so one entry is the whole list.
Page 55: ACL Instructor Workbook

Extended Access List Problem #14 Deny/Permit a Range of Addresses

Write an extended access list to deny the addresses from 10.250.1.0 through 10.250.1.63 from sending data to Denise's computer. Permit all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router A
Interface: FA1
Access-list #: 170 (100-199)

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 170 deny ip 10.250.1.0 0.0.0.63 host 192.168.88.204
   or Router(config)# access-list 170 deny ip 10.250.1.0 0.0.0.63 192.168.88.204 0.0.0.0
Router(config)# access-list 170 permit ip any any
Router(config)# interface FA1
Router(config-if)# ip access-group 170 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start
Page 56: ACL Instructor Workbook

Extended Access List Sample #7 Deny/Permit Port Numbers

[Diagram] Labels as printed: 192.168.207.26 E0 Router A; Web Server 192.168.207.27; Web Server 210.128.50.11; 192.168.207.25 S0; S1 210.128.50.10; E1 Router B; 210.128.50.12.

Write an extended access list to deny HTTP traffic intended for web server 192.168.207.27, but permit all other HTTP traffic to reach only the 192.168.207.0 network. Deny all other IP traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 198

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 198 deny tcp any 192.168.207.27 0.0.0.0 eq www
   or Router(config)# access-list 198 deny tcp any host 192.168.207.27 eq www
Router(config)# access-list 198 permit tcp any 192.168.207.0 0.0.0.255 eq www
Router(config)# interface e0
Router(config-if)# ip access-group 198 out
Router(config-if)# exit
Router(config)# exit

The web servers sit on the 192.168.207.0 network behind E0, so requests for them leave the router through E0; the list takes effect outbound on E0 (inbound on S0 would work as well). Applied inbound on E0 it would only see packets sourced by that LAN and would never match a request for the server. The last entry permits only TCP port 80 (eq www is eq 80), so every other protocol and port toward 192.168.207.0 falls to the implicit deny, which is what "deny all other IP traffic" asks for; the deny for the single host must stay above the permit for the whole network.

[Viewing information about existing ACL's]
Router# show configuration (This will show which access groups are associated with particular interfaces. It displays the saved startup configuration; show running-config shows what is active.)
Router# show access-lists 198 (This will show detailed information about this ACL, including a match counter for each entry.)
Page 57: ACL Instructor Workbook

Extended Access List Sample #8 Deny/Permit Port Numbers

Write an extended access list to permit pings in either direction between hosts on the 210.128.50.0 and 192.168.207.0 networks. Deny all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 134

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 134 permit icmp 210.128.50.0 0.0.0.255 192.168.207.0 0.0.0.255 echo
Router(config)# access-list 134 permit icmp 210.128.50.0 0.0.0.255 192.168.207.0 0.0.0.255 echo-reply
Router(config)# interface e0
Router(config-if)# ip access-group 134 out
Router(config-if)# exit
Router(config)# exit
Router# copy run start

A ping is an ICMP echo answered by an ICMP echo-reply. An entry that permits only echo-reply lets hosts on 192.168.207.0 receive answers to pings they started but drops pings started from 210.128.50.0, so both message types are needed for "either direction". Packets sourced from 210.128.50.0 cross E0 outbound, toward the 192.168.207.0 network, which is the direction in which this list is applied; packets sourced from 192.168.207.0 enter E0 inbound and are not examined by an outbound list, so pings in that direction need no entry here.

[Disabling ACL's]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 134 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 134 out
Router(config-if)# exit
Router(config)# no access-list 134
Router(config)# exit
Page 58: ACL Instructor Workbook

Standard Access List Sample #9 Deny/Permit Telnet

[Diagram] Labels as printed: Celeste's Computer 192.30.76.145; Denise's Computer 192.168.33.214; E0 E1 Router A; Bob's Computer 192.30.76.155; Peggy's Computer 192.168.33.210; 172.20.70.1; 192.168.33.1; Router B S0 S1; 172.16.16.0; 10.250.4.0; E1 E0.

Write an access list to permit Denise's and Bob's computers to telnet into Router B. Deny all other telnet traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router B
Interface: line VTY 0 4
Access-list #: 45

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 45 permit 192.168.33.214 0.0.0.0
   or Router(config)# access-list 45 permit host 192.168.33.214
Router(config)# access-list 45 permit 192.30.76.155 0.0.0.0
   or Router(config)# access-list 45 permit host 192.30.76.155
Router(config)# line vty 0 4
Router(config-line)# access-class 45 in
Router(config-line)# exit
Router(config)# exit

(Using line VTY 0 4 instead of an interface like E1 allows you to apply this access list to all VTY lines with one statement.) A standard list matches on source address only, which is all that is needed here: access-class on the VTY lines filters sessions to the router itself no matter which interface they arrive on, and the implicit deny refuses every other source. The command under line configuration is access-class, not ip access-group.

[Viewing information about existing ACL's]
Router# show configuration (This will show which access groups and access classes are associated with particular interfaces and lines; show running-config shows the active configuration.)
Router# show access-lists 45 (This will show detailed information about this ACL.)
Page 59: ACL Instructor Workbook

Extended Access List Sample #10 Deny/Permit Port Numbers

Write an extended access list to deny FTP to IP addresses 192.30.76.0 through 192.30.76.13. Permit all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 155

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 155 deny tcp any 192.30.76.0 0.0.0.7 eq ftp
Router(config)# access-list 155 deny tcp any 192.30.76.8 0.0.0.3 eq ftp
Router(config)# access-list 155 deny tcp any 192.30.76.12 0.0.0.1 eq ftp
Router(config)# access-list 155 permit ip any any
   or Router(config)# access-list 155 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface e0
Router(config-if)# ip access-group 155 out
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Check the wildcard before trusting one entry for a range whose size is not a power of two. 192.30.76.0 0.0.0.13 reads like "0 through 13", but a wildcard is a bit mask, not a count: 13 is 00001101, so that entry ignores bits 0, 2 and 3 of the last octet and matches only .0, .1, .4, .5, .8, .9, .12 and .13, leaving .2, .3, .6, .7, .10 and .11 open. IOS accepts such a non-contiguous wildcard without complaint. Fourteen consecutive addresses need three aligned blocks: .0 through .7 (0.0.0.7), .8 through .11 (0.0.0.3) and .12 through .13 (0.0.0.1). The closing entry must be permit ip any any; permit tcp any any would send every non-TCP packet to the implicit deny, which contradicts "permit all other traffic". eq ftp matches only the control connection on port 21; the data connection uses other ports (20 in active mode, a negotiated port in passive mode), but blocking the control channel is enough to stop a session from being set up.

[Disabling ACL's]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 155 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 155 out
Router(config-if)# exit
Router(config)# no access-list 155
Router(config)# exit

Page 60: ACL Instructor Workbook

Extended Access List Problem #15 Deny/Permit Port Numbers

[Diagram] Labels as printed: Jackie's Computer 172.16.125.1; Jennifer's Computer 192.128.45.35; E0 FA1 Router A; Bill's Computer 192.128.45.33; 172.16.70.1; 192.128.45.8; Router B S0 S1; 10.250.8.0; 10.250.2.0; E1 FA0.

Write an extended access list to permit ICMP traffic from the 192.128.45.0 network to reach the 172.16.125.0 255.255.255.0 and 10.250.2.0 255.255.255.0 networks. Deny all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 175 (100-199)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 175 permit icmp 192.128.45.0 0.0.0.255 172.16.125.0 0.0.0.255
Router(config)# access-list 175 permit icmp 192.128.45.0 0.0.0.255 10.250.2.0 0.0.0.255
Router(config)# interface FA1
Router(config-if)# ip access-group 175 in or out (circle one)
Router(config-if)# exit

Without an ICMP type keyword an icmp entry matches every ICMP message, which is what "ICMP traffic" asks for here.
Page 61: ACL Instructor Workbook

Extended Access List Problem #16 Deny/Permit Port Numbers

Write a named extended access list called "Peggys_Lab" to deny telnet from 10.250.8.0 through 10.250.8.127 from reaching the 192.128.45.0 network. Permit all other traffic. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router B
Interface: FA0
Access-list Name: Peggys_Lab

[Writing and installing an ACL]
Router# configure terminal
Router(config)# ip access-list extended Peggys_Lab
Router(config-ext-nacl)# deny tcp 10.250.8.0 0.0.0.127 192.128.45.0 0.0.0.255 eq 23
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# interface FA0
Router(config-if)# ip access-group Peggys_Lab in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

eq 23 and eq telnet are the same match. The closing entry is permit ip any any rather than permit tcp any any: with only TCP permitted, ICMP, UDP and every other protocol would hit the implicit deny, which is not "permit all other traffic".
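The wildcard arithmetic behind Sample #10, the closing-entry question in Problem #16, and the port and ICMP-type matching in Samples #7 and #8 can be checked offline with the following Python model. It is an added example, not code from the workbook or from Cisco; it implements only the subset of numbered extended-ACL syntax used on these pages (any, host, address plus wildcard, eq port, an ICMP type name), and every ACL line, address and packet in it is constructed for the illustration. The helper names (parse_entry, evaluate, range_to_wildcards, hosts_denied) are assumptions of this example.

```python
# Added example, not part of the workbook: a small model of how IOS evaluates
# numbered extended ACL entries (wildcard masks, first match wins, implicit
# deny) so the answers on these pages can be checked offline.  All ACL lines,
# addresses and packets below are constructed for the illustration.
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23, "www": 80}


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


def _parse_addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((base, wc), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_entry(line):
    """Parse one 'access-list N action proto src dst [eq port | icmp-type]' line."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = icmp_type = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    elif i < len(tok) and proto == "icmp":
        icmp_type = tok[i]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "icmp_type": icmp_type}


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt; unmatched packets hit the implicit deny."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        if e["icmp_type"] is not None and pkt.get("icmp_type") != e["icmp_type"]:
            continue
        return e["action"]
    return "deny"


def range_to_wildcards(first, last):
    """Split an inclusive address range into aligned blocks, each expressible as one
    contiguous 'base wildcard' pair: take the largest aligned block that starts at the
    current address and still fits, then continue after it."""
    out = []
    s, e = _int(first), _int(last)
    while s <= e:
        size = 1
        while s % (size * 2) == 0 and s + size * 2 - 1 <= e:
            size *= 2
        out.append((str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(size - 1))))
        s += size
    return out


def hosts_denied(acl, proto, dport, net="192.30.76."):
    """Last octets in net/24 for which a packet from 10.0.0.1 (constructed) is denied."""
    return [h for h in range(256)
            if evaluate(acl, {"proto": proto, "src": "10.0.0.1",
                              "dst": net + str(h), "dport": dport}) == "deny"]


# Sample #10: one non-contiguous wildcard versus the aligned blocks for .0 through .13.
ACL_155_ONE_ENTRY = [parse_entry("access-list 155 deny tcp any 192.30.76.0 0.0.0.13 eq ftp"),
                     parse_entry("access-list 155 permit ip any any")]
ACL_155_BLOCKS = [parse_entry(f"access-list 155 deny tcp any {b} {w} eq ftp")
                  for b, w in range_to_wildcards("192.30.76.0", "192.30.76.13")]
ACL_155_BLOCKS.append(parse_entry("access-list 155 permit ip any any"))

# Problem #16 closing entry: 'permit tcp any any' silently drops a UDP packet.
ACL_TCP_ONLY = [parse_entry("access-list 101 permit tcp any any")]
DNS_QUERY = {"proto": "udp", "src": "10.250.8.5", "dst": "192.128.45.9", "dport": 53}

if __name__ == "__main__":
    print(hosts_denied(ACL_155_ONE_ENTRY, "tcp", 21))  # [0, 1, 4, 5, 8, 9, 12, 13]
    print(hosts_denied(ACL_155_BLOCKS, "tcp", 21))     # [0, 1, 2, ..., 13]
    print(evaluate(ACL_TCP_ONLY, DNS_QUERY))           # deny
```

range_to_wildcards is the step to run before writing an entry for any range whose size is not a power of two; comparing hosts_denied for the single 0.0.0.13 entry against the three entries it produces shows the six addresses the single entry misses. The same evaluate function, fed an ICMP packet with icmp_type "echo" against a list that permits only echo-reply, returns "deny", which is the Sample #8 point.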

Page 62: ACL Instructor Workbook

Access List Problem #17 Deny/Permit Port Numbers

[Diagram] Labels as printed: Web Server #2 203.194.100.101; Mary's Computer 172.60.18.142; FA0 FA1 Router A; Web Server #1 203.194.100.102; Becky's Computer 172.60.18.140; 203.194.100.1; 172.60.18.1; Router B S0 S1; 204.250.10.0 S0.

Write an access list to permit Becky's and Mary's computers to telnet into Router B. Deny all other telnet traffic from the 172.60.18.0 network. Keep in mind that many of the individual statements in an ACL can be written in more than one way.

Place the access list at:
Router Name: Router B
Interface: line vty 0 4
Access-list #: 50 (1-99)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 50 permit 172.60.18.140
   or Router(config)# access-list 50 permit host 172.60.18.140
   or Router(config)# access-list 50 permit 172.60.18.140 0.0.0.0
Router(config)# access-list 50 permit 172.60.18.142
   or Router(config)# access-list 50 permit host 172.60.18.142
   or Router(config)# access-list 50 permit 172.60.18.142 0.0.0.0
Router(config)# line vty 0 4
Router(config-line)# access-class 50 in
Router(config-line)# exit
Router(config)# exit

A standard list cannot name the telnet port, but applied with access-class on the VTY lines it governs only sessions to the router itself, so the two permits plus the implicit deny do what the problem asks. Note that the implicit deny also refuses telnet to Router B from every other network, not only from 172.60.18.0; in a standard list a bare address is the same as host ADDRESS or ADDRESS 0.0.0.0.
Page 63: ACL Instructor Workbook

Write an extended access list to deny all HTTP traffic intended for the web server at 203.194.100.102. Permit HTTP traffic to any other web servers. Deny all other IP traffic to the 203.194.100.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ________________
Interface: ________________
Access-list #: ________________

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# interface ________________
Router(config-if)# ip access-group ________________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Extended Access List Problem #18: Deny/Permit Port Numbers (answer key; the 203.194.100.0 network is the one in the Problem #17 diagram)

Router Name: Router A
Interface: FA0
Access-list #: 185 (extended, 100-199)

access-list 185 deny tcp any host 203.194.100.102 eq 80
  or access-list 185 deny tcp any 203.194.100.102 0.0.0.0 eq 80
access-list 185 permit tcp any any eq 80

interface FA0
 ip access-group 185 (in or out, as the problem requires)

Order matters: the deny for the single host has to come before the permit for port 80, because the first matching entry decides and the permit would otherwise let the blocked server's traffic through. "Deny all other IP traffic" is supplied by the implicit deny at the end of the list; no explicit deny ip any any is needed (adding one is harmless and makes the intent visible in show access-lists).

Page 64: ACL Instructor Workbook

Write an access list to permit TFTP traffic to all hosts on the 192.168.15.0 network. Deny all other TFTP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ________________
Interface: ________________
Access-list #: ________________

[Writing and installing an ACL]

Router# configure terminal (or config t)
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# interface ________________
Router(config-if)# ip access-group ________________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

[Network diagram for Problems #19 and #20]
Router A: Ethernet interfaces E0 and E1 (addresses 192.168.15.25 and 172.23.50.195), S0 to Router B.
  192.168.15.0 network: Web Server #1 192.168.15.125, Bobbie's computer 192.168.15.82
  172.23.50.0 network: Gail's computer 172.23.50.197, Web Server #2 172.23.50.196
Router B: S1 to Router A; E1 on the 192.172.10.0 network

Access List Problem #19: Deny/Permit Port Numbers (answer key)

Router Name: Router A
Interface: E0
Access-list #: 190 (extended, 100-199)

access-list 190 permit udp any 192.168.15.0 0.0.0.255 eq tftp
  or access-list 190 permit udp any 192.168.15.0 0.0.0.255 eq 69

interface E0
 ip access-group 190 (in or out, as the problem requires)

TFTP runs over UDP port 69 (see the port table at the back of this workbook), so the entry must match udp with eq tftp or eq 69. An entry written as tcp ... eq ftp matches FTP control connections on TCP port 21 and would never see a TFTP transfer. Because of the implicit deny, this single entry also drops every non-TFTP packet crossing E0 in the filtered direction; if only TFTP is meant to be restricted, follow it with deny udp any any eq tftp and then permit ip any any.

Page 65: ACL Instructor Workbook

Write an extended access list that permits web traffic from web server #2 at 172.23.50.196 to reach everyone on the 192.168.15.0 network. Deny all other IP traffic going to the 192.172.10.0 and 192.168.15.0 networks. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: ________________
Interface: ________________
Access-list #: ________________

[Writing and installing an ACL]

Router# configure terminal
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# ______________________________________________
Router(config)# interface ________________
Router(config-if)# ip access-group ________________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Extended Access List Problem #20: Deny/Permit Port Numbers (answer key; network diagram as for Problem #19)

Router Name: Router B
Interface: E1
Access-list #: 195 (extended, 100-199)

access-list 195 permit tcp host 172.23.50.196 192.168.15.0 0.0.0.255 eq 80
  or access-list 195 permit tcp 172.23.50.196 0.0.0.0 192.168.15.0 0.0.0.255 eq 80

interface E1
 ip access-group 195 (in or out, as the problem requires)

The explicit entry has to be a permit. "Deny all other IP traffic" is already supplied by the implicit deny any that ends every list, and a list whose only entries are denies passes nothing at all. Strictly speaking, packets a web server sends back to its clients carry source port 80, so the exact match for "traffic from the web server" is permit tcp host 172.23.50.196 eq 80 192.168.15.0 0.0.0.255; the answer above matches the destination port, as the other problems in this section do.

Page 66: ACL Instructor Workbook

Optional ACL Commands & Other Network Security Ideas

In order to reduce the chance of spoofing from outside your network, consider adding the following statements to the inbound access list on your external interface. Each deny line drops a packet that arrives from outside claiming a source address that cannot legitimately come from there: the three RFC 1918 private blocks, the loopback block, the multicast and reserved range (224.0.0.0/3), and your own subnet. Note that the wildcard for 172.16.0.0/12 is 0.15.255.255; 0.0.255.255 would cover only 172.16.0.0/16 and let sources in 172.17.0.0 through 172.31.255.255 pass.

router# config t
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
router(config)# access-list 100 deny ip 224.0.0.0 31.255.255.255 any
router(config)# access-list 100 deny ip your-subnet-# your-subnet-wildcard-# any
router(config)# access-list 100 deny igmp any any
router(config)# access-list 100 deny icmp any any redirect
router(config)# access-list 100 permit ip any any
router(config)# interface e0 (or whatever your inbound port is)
router(config-if)# ip access-group 100 in
router(config-if)# exit
router(config)# exit

An extended list entry must name a protocol, so the closing line is permit ip any any; without a closing permit, the implicit deny would drop all remaining traffic. The deny igmp line also stops legitimate multicast group joins from outside, so leave it out if you carry multicast. On current IOS releases, ip verify unicast source reachable-via rx (unicast RPF) on the external interface performs the same source-address check against the routing table without a hand-maintained list.

Another handy security tool is egress filtering: only allow IP packets out of your network whose source address belongs to your network, so that a compromised host inside cannot spoof someone else's addresses. Use a separate list number; adding the line to access-list 100 would simply append it to the inbound list above.

router# config t
router(config)# access-list 101 permit ip your-subnet-# your-subnet-wildcard-# any
router(config)# interface e0 (or whatever your outbound port is)
router(config-if)# ip access-group 101 out
router(config-if)# exit
router(config)# exit
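To check any of the lists on this page without a router, the following is an added example (not from the workbook and not Cisco code) that parses numbered extended access-list statements and evaluates packets against them the way IOS does: wildcard-mask matching, first match wins, implicit deny at the end. It loads the inbound anti-spoofing list above, with the your-subnet placeholder filled in with a hypothetical 203.194.100.0/24 and the 172.16.0.0 entry written with wildcard 0.15.255.255 so that it covers the whole 172.16.0.0/12 private block, beside a copy using 0.0.255.255 to show what the narrower mask lets through, and the answer key of Problem #18. The packets it evaluates are constructed, not captured.

```python
"""Evaluate Cisco-style numbered extended ACLs the way this workbook describes.

Added example for this page; not Cisco code and not part of the original workbook.
It models wildcard-mask matching, first-match evaluation in list order, and the
implicit "deny any" that ends every list. It parses only the syntax used on this
page: protocol ip/tcp/udp/icmp, addresses as any / host A.B.C.D / A.B.C.D WILDCARD,
and an optional "eq <port>" on the destination.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Port keywords IOS accepts in place of numbers (subset; "www" is the IOS name for 80).
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "ftp-data": 20, "tftp": 69, "smtp": 25}


class Packet(NamedTuple):
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


class Entry(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int]        # None = any destination port


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list statement: %r" % line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _addr(rest)
    dst = _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return Entry(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def wildcard_match(spec: Tuple[int, int], address: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; every 0 bit must match exactly."""
    net, wild = spec
    return ((_ip(address) ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the entry that matched). The first match wins; a
    packet matching no entry hits the implicit deny, reported with index None."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(e.src, pkt.src) and wildcard_match(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, i
    return "deny", None


# The inbound anti-spoofing list from this page. "your-subnet" is filled in with a
# hypothetical 203.194.100.0/24; the 172.16.0.0/12 entry uses wildcard 0.15.255.255.
INGRESS = parse_acl("""
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 203.194.100.0 0.0.0.255 any
access-list 100 permit ip any any
""")

# Same list with wildcard 0.0.255.255 on the 172.16 entry: it then covers only
# 172.16.0.0/16, and a spoofed source such as 172.20.5.5 falls through to the permit.
INGRESS_NARROW = list(INGRESS)
INGRESS_NARROW[1] = parse_entry("access-list 100 deny ip 172.16.0.0 0.0.255.255 any")

# Answer key for Problem #18: HTTP to 203.194.100.102 denied, all other HTTP permitted.
PROBLEM_18 = parse_acl("""
access-list 185 deny tcp any host 203.194.100.102 eq 80
access-list 185 permit tcp any any eq www
""")

if __name__ == "__main__":
    samples = [  # constructed packets, not captured traffic
        (INGRESS, Packet("tcp", "10.1.2.3", "203.194.100.102", 80)),
        (INGRESS, Packet("tcp", "172.20.5.5", "203.194.100.1", 80)),
        (INGRESS_NARROW, Packet("tcp", "172.20.5.5", "203.194.100.1", 80)),
        (PROBLEM_18, Packet("tcp", "172.60.18.140", "203.194.100.102", 80)),
        (PROBLEM_18, Packet("udp", "172.60.18.140", "203.194.100.101", 69)),
    ]
    for acl, pkt in samples:
        print(pkt, "->", evaluate(acl, pkt))
```

The returned index is the useful part when debugging a list: it tells you which entry took the packet, which is the same question show access-lists answers on the router with its per-entry match counters. The UDP packet against the Problem #18 list returns index None, showing that "permit tcp any any eq www" does nothing for non-TCP traffic and the implicit deny takes it.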

To keep packets with unreachable destinations from being forwarded into your network, add a static default route to the null interface. IOS never installs a static route whose administrative distance is 255, so use 254: the null route then sits below every learned default route and only catches traffic that nothing else can forward.

ip route 0.0.0.0 0.0.0.0 Null0 254

To protect against smurf and other attacks, disable directed broadcasts on every external interface (this has been the default since IOS 12.0) and enable fair queueing there; source routing and the scheduler interval are global settings, not interface ones:

interface e0
 no ip directed-broadcast
 fair-queue
!
no ip source-route
scheduler interval 500


Page 67: ACL Instructor Workbook

Index / Table of Contents

Access-List Numbers ......................................... Inside Cover
What are Access Control Lists? ......................................... 1
General Access Lists Information ....................................... 1
How routers use Access Lists ........................................... 1
Standard Access Lists .................................................. 2
Why Standard ACLs must be placed close to the destination .............. 2
Standard Access List Placement Sample Problems ......................... 3
Standard Access List Placement Problems .............................. 4-5
Extended Access Lists .................................................. 6
Why Extended ACLs must be placed close to the destination .............. 6
Extended Access List Placement Sample Problems ......................... 7
Extended Access List Placement Problems .............................. 8-9
Choosing to Filter Incoming or Outgoing Packets ....................... 10
Breakdown of a Standard ACL Statement ................................. 10
Breakdown of an Extended ACL Statement ................................ 11
What are Named Access Control Lists? .................................. 12
Named Access Lists Information ........................................ 12
Applying a Standard Named Access List called "George" ................. 12
Applying an Extended Named Access List called "Gracie" ................ 13
Choices for Using Wildcard Masks ................................... 14-15
Creating Wildcard Masks ............................................... 16
Wildcard Mask Problems ............................................. 18-20
Writing Standard Access Lists ...................................... 21-32
Writing Extended Access Lists ...................................... 33-63
    Deny/Permit Specific Addresses ................................. 33-39
    Deny/Permit Entire Ranges ...................................... 40-45
    Deny/Permit a Range of Addresses ............................... 46-53
    Deny/Permit Port Numbers ....................................... 54-63
Optional ACL Commands ................................................. 64
Index / Table of Contents ............................................. 65
Port Numbers .............................................. 66-Inside Cover


Page 68: ACL Instructor Workbook

Port Numbers

Port numbers are assigned by IANA (the Internet Assigned Numbers Authority, which operates under ICANN). Commonly used TCP and UDP applications are assigned a port number, such as HTTP - 80, POP3 - 110, FTP - 21 (the control connection; the FTP data channel uses 20). When an application communicates with another application on another node on the internet, it identifies that application in each data transmission by its port number. In an IOS access list you can also type the name (e.g. telnet) instead of the port number (e.g. 23). Port numbers range from 0 to 65,535 and are divided into three ranges:

0 to 1,023           Well Known Ports
1,024 to 49,151      Registered Ports
49,152 to 65,535     Dynamic and/or Private Ports

Below is a short list of some commonly used ports. For a complete list of port numbers go to http://www.iana.org/assignments/port-numbers.

Some commonly used port numbers:

0 Reserved
1 TCPMUX (TCP Port Service Multiplexer)
5 RJE (Remote Job Entry)
7 ECHO
9 DISCARD
11 SYSTAT (Active users)
13 DAYTIME
17 QUOTE (Quote of the day)
18 MSP (Message Send Protocol)
19 CHARGEN (Character generator)
20 FTP-DATA (File Transfer Protocol - Data)
21 FTP (File Transfer Protocol - Control)
22 SSH (Secure Shell)
23 Telnet (Terminal Connection)
25 SMTP (Simple Mail Transfer Protocol)
29 MSG ICP
37 TIME
39 RLP (Resource Location Protocol)
42 NAMESERV (Host Name Server)


Page 69: ACL Instructor Workbook

Inside Cover

43 NICNAME (Who Is)
49 LOGIN (Login Host Protocol)
53 DNS (Domain Name Server)
67 BOOTPS (Bootstrap Protocol Server; also the DHCP server port)
68 BOOTPC (Bootstrap Protocol Client; also the DHCP client port)
69 TFTP (Trivial File Transfer Protocol, UDP)
70 GOPHER (Gopher Services)
75 (Any Private Dial-out Service)
79 FINGER
80 HTTP (Hypertext Transfer Protocol)
95 SUPDUP (SUPDUP Protocol)
101 HOSTNAME (NIC Host Name Server)
108 SNAGAS (SNA Gateway Access Server)
109 POP2 (Post Office Protocol - Version 2)
110 POP3 (Post Office Protocol - Version 3)
113 AUTH (Authentication Service)
115 SFTP (Simple File Transfer Protocol; not the SSH file transfer, which runs over port 22)
117 UUCP-PATH (UUCP Path Service)
118 SQLSERV (SQL Services)
119 NNTP (Newsgroup)
123 NTP (Network Time Protocol)
137 NetBIOS-NS (NetBIOS Name Service)
139 NetBIOS-SSN (NetBIOS Session Service)
143 IMAP (Internet Message Access Protocol)
150 SQL-NET
156 SQLSRV (SQL Service)
161 SNMP (Simple Network Management Protocol)
179 BGP (Border Gateway Protocol)
190 GACP (Gateway Access Control Protocol)
194 IRC (Internet Relay Chat)
197 DLS (Directory Location Service)
389 LDAP (Lightweight Directory Access Protocol)
396 NETWARE-IP (Novell Netware over IP)
443 HTTPS (HTTP over TLS/SSL)
444 SNPP (Simple Network Paging Protocol)
445 Microsoft-DS (SMB over TCP)
458 Apple QuickTime
546 DHCPv6 Client
547 DHCPv6 Server
563 SNEWS (NNTP over TLS/SSL)
569 MSN