

Access List Tutorial

February 13th, 2011

In this tutorial we will learn about access lists.

Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just imagine you come to a fair and see a guard checking tickets. He only allows people with suitable tickets to enter. Well, an access list's function is the same as that guard's.

Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router's interfaces, based on the criteria you specify within the access list.

To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.

Standard IP Access List

Standard IP lists (1-99) check only the source address of IP packets.

Configuration Syntax

access-list access-list-number {permit | deny} source {source-mask}

Apply ACL to an interface

ip access-group access-list-number {in | out}

Example of Standard IP Access List

In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface).

Configuration:


Page 1 of 9 CCNA Training » Access List Tutorial

25/07/2011 http://www.9tut.com/access-list-tutorial


Define which source is allowed to pass:

Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255

(there is always an implicit deny of all other traffic at the end of each ACL, so we don't need to define the forbidden traffic)

Apply this ACL to an interface:

Router(config)#interface Fa0/1

Router(config-if)#ip access-group 1 out

ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of the Fa0/1 interface while denying all other traffic. So can we apply this ACL to another interface, Fa0/2 for example? Well, we can but shouldn't, because users could still reach the server from another interface (the s0 interface, for example). So we can understand why a standard access list should be applied close to the destination.

Note: The "0.255.255.255" is the wildcard mask part of network "10.0.0.0". We will learn how to use wildcard masks later.

Extended IP Access List

Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.

Configuration Syntax

access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]

Example of Extended IP Access List

In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but allow other traffic to go through.

Note: FTP uses TCP on ports 20 & 21.

Define which protocol, source, destination and port are denied:

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20

Router(config)#access-list 101 permit ip any any


Apply this ACL to an interface:

Router(config)#interface Fa0/1

Router(config-if)#ip access-group 101 out

Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any), as there is a "deny all" at the end of each ACL.

As we can see, the destination of the above access list is "187.100.1.6 0.0.0.0", which specifies a single host. We can use "host 187.100.1.6" instead. We will discuss wildcard masks later.
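To make the matching rules above concrete, here is an added Python example (not code from the 9tut page or from Cisco) that evaluates the two ACLs of this tutorial the way a router does: entries are checked top-down, a wildcard-mask bit of 1 means "don't care", and a packet matching no entry hits the implicit deny. It also derives a wildcard mask from a prefix length, which is the inverse-of-the-subnet-mask rule discussed in the comments; the list-number ranges and the sample ACLs are taken from the page.

```python
import ipaddress

def wildcard_from_prefix(prefix_len):
    """Wildcard mask is the bitwise inverse of the subnet mask (/28 -> 0.0.0.15)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr(toks):  # consume one address spec: 'any', 'host X', or 'X wildcard'
    t = toks.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return toks.pop(0), "0.0.0.0"
    return t, toks.pop(0)

def parse_ace(line):
    """Parse one 'access-list N ...' line; the list number decides standard vs extended."""
    toks = line.split()
    number, action, rest = int(toks[1]), toks[2], toks[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard: source address only
        return {"action": action, "proto": "ip", "src": _addr(rest),
                "dst": ("0.0.0.0", "255.255.255.255"), "port": None}
    proto = rest.pop(0)  # extended: protocol, source, destination, optional 'eq port'
    src, dst = _addr(rest), _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Entries are checked top-down and the first match wins; no match = implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])
                and (ace["port"] is None or ace["port"] == dport)):
            return ace["action"]
    return "deny"

# The two ACLs from the tutorial, typed in here as constructed sample input.
ACL_1 = ["access-list 1 permit 10.0.0.0 0.255.255.255"]
ACL_101 = [
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21",
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20",
    "access-list 101 permit ip any any"]
```

Running evaluate(ACL_101, "tcp", "10.1.1.1", "187.100.1.6", 21) returns "deny" while port 80 returns "permit"; one caveat worth knowing is that in active-mode FTP the server opens the data connection itself from source port 20, so the entry on destination port 20 does not see that traffic and it is the port 21 entry that actually stops the session.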

In summary, below is the range of standard and extended access lists:

Access list type    Range
Standard            1-99, 1300-1999
Extended            100-199, 2000-2699

Comments (37)

1. very well March 9th, 2011

Thanks for sharing the document, it's very useful for me

2. Wildcard March 11th, 2011

172.23.16.0 /28

/28 = 11111111.11111111.11111111.11110000 = 255.255.255.240

255.255.255.240 doesn't convert to 0.0.15.255

11111111.11111111.11111111.11110000 = 255.255.255.240

00000000.00000000.00000000.00001111 = 0.0.0.15

not 00000000.00000000.00001111.11111111 = 0.0.15.255

Unless I missed something…

3. oiram March 15th, 2011

Roger that, although this tut is a bit more screwed up than this wildcard.

Sentence

Therefore 255.255.255.240 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255

should be replaced by

Therefore 255.255.240.0 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255

(decimal mask is just a typo I suppose, since they talk /28, please fix this 9tut guys)

4. oiram March 15th, 2011

oops, now I screwed up ;) CIDR should be set to /20

5. 9tut March 15th, 2011

Yes, it is a typo. I fixed it. Thanks for your detection!

6. extended March 23rd, 2011

Extended IP access lists should be placed close to the source. In this case why did we apply it on interface 0/1? I think we should apply it on interface 0/0. Also the ACL number is wrong!!

Router(config)#interface Fa0/0

Router(config-if)#ip access-group 101 in

Am I right? Explain please

7. 9tut March 24th, 2011

@extended: “Extended IP access lists should be placed close to the source” but it is not always the case. We can apply it to either Fa0/0 (inbound) or Fa0/1 (outbound)

8. gassah April 2nd, 2011

Hello guys, I will be writing my exam next week. Please can somebody send me the latest dumps at [email protected]

9. CCNA Student April 6th, 2011

Hello guys, I will be writing my exam after 2 weeks. Please can somebody send me the latest dumps at [email protected]

10. hello friends April 19th, 2011

I will give my exam on 30th April so please give me the latest dumps for the exam…

My mail id is [email protected]

11. Otakking April 21st, 2011

In the first example,

access-list 1 permit 10.0.0.0 0.0.0.255

should be

access-list 1 permit 10.0.0.0 0.255.255.255

as the example says 10.0.0.0/8 network.

Please fix it to avoid further confusion.

12. abraham April 25th, 2011

Hey guys, I will be writing my exam after 2 weeks. Please can somebody send me the latest dumps, my email is [email protected]

13. 9tut April 27th, 2011

@Otakking: Yes, I fixed it. Thanks for your detection!

14. CiscoCisco April 30th, 2011

blog.ine.com/2008/09/15/binary-math-part-i/

blog.ine.com/2008/09/16/binary-math-part-i-answers/

blog.ine.com/2008/11/03/binary-math-part-ii/

blog.ine.com/2008/11/05/binary-math-part-ii-answers/

15. hadezproj May 3rd, 2011

Hi 9tut,

For the Extended ACL example, kindly edit the wildcard mask to 0.255.255.255 and also, to apply the ACL, it should be "ip access-group 101 out". Hope this is helpful.

thanks for the great tutorials.

16. sinesio May 3rd, 2011

Yes, @hadezproj is right..

17. 9tut May 7th, 2011

Yes, I updated it. Thanks for your detection!

18. ppower May 15th, 2011

Thanks for the excellent tutorial, I'm sitting the CCNA in 2 weeks, if anyone has the latest dumps could you send them to [email protected]

thanks


19. Tee May 18th, 2011

Hi 9tut, thanks for the tutorials. Can you please provide a situation where an 'IN' statement is used? Both examples only used the 'OUT' statements

20. Tee May 18th, 2011

Just realized there is an "inbound" example on the next page.

21. liv May 20th, 2011

Can you please send me the new dumps, I'm trying to sit for the CCNA exams. Thanks… my email is [email protected]

22. David May 25th, 2011

Very handy!

23. David May 25th, 2011

What are dumps?

24. Jose May 26th, 2011

Hi beautiful people. I am sitting for my exam this weekend on the 28th of May. Can someone send me the most valid dumps at [email protected] ASAP. Thanks in advance.

25. dhana June 7th, 2011

Hi, someone please send me dumps 2011 because I wanna work out, please send to vs.dhananjay89 @gmail.com

26. nikhil June 13th, 2011

I think the subnet mask of /28 will be 255.255.255.240 and so the wildcard mask should be 0.0.0.15… is it right? Please explain, reply…

27. Rick29 June 15th, 2011

Planning on taking the exam tomorrow, any new dumps available please send to [email protected] thanks…

28. 9tut June 17th, 2011

@nikhil: Yes, first convert subnet mask 255.255.255.240 into binary form, then replace all "1" with "0" and all "0" with "1" and convert back to decimal; you will get 0.0.0.15.

29. fidel June 27th, 2011

I will be sitting for the CCNA exam next week. Please can somebody send me the latest dumps at [email protected]. Thanks

30. A. Moiz July 2nd, 2011

The easy way to find a wildcard mask from a given network address is to subtract the last or interested octet of the subnet mask from 256; the remainder will be the block size, and subtracting 1 from it you'll have the wildcard mask

Eg

192.168.5.1 /28 means that the subnet mask will be 255.255.255.240

256-240=16 (16 will be the block size, meaning that the network will be 192.168.5.0 OR 192.165.5.16 or .32 OR .48, multiples of 16s)

subtract 1 from it

15

this means that you'll have 15 in your last octet of the MCM 0.0.0.15

Do inform me if I'm wrong

31. A. Moiz July 2nd, 2011

Can anyone send me the latest dumps please please please

[email protected]

32. Michael July 13th, 2011

Hi Moiz, Yes that is correct and is the easiest way to figure out VLSM for me anyway!!!

33. Ephraim July 20th, 2011

Can someone send me the latest CCNA dump for appearing in exam

34. Ephraim July 20th, 2011

my id [email protected]

35. bright July 20th, 2011

Could someone kindly send me the latest CCNA dump please, my mail is [email protected]. I wish to take the examination soon but this forum has really helped build my morale… Thanks guys

36. Brad July 20th, 2011

Hi everyone, I am sitting for the CCNA exam next week, can someone send me the latest dump, my id [email protected] thanks

37. vhick July 21st, 2011

Hello All, I love what's going on here, my exam comes up tomorrow Friday 22-07-2011. Can you all please send the latest dumps that you have to me, please I need your help urgently. Send to [email protected]. I also need any advice and clues

Vhick


Copyright © 2010-2011 CCNA Training
