Professional Documents
Culture Documents
Access List Tutorial
Access List Tutorial
Access List Tutorial
Page 1 of 9
Enviar Consulta
Standard IP Access List Standard IP lists (1-99) only check source addresses of all IP packets. Configuration Syntax access-list access-list-number {permit | deny} source {source-mask} Apply ACL to an interface ip access-group access-list-number {in | out} Example of Standard IP Access List
Configuration: In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface)
http://www.9tut.com/access-list-tutorial
25/07/2011
Page 2 of 9
Define which source is allowed to pass: Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255 (there is always an implicit deny all other traffic at the end of each ACL so we dont need to define forbidden traffic) Apply this ACL to an interface: Router(config)#interface Fa0/1 Router(config-if)#ip access-group 1 out The ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of Fa0/1 interface while deny all other traffic. So can we apply this ACL to other interface, Fa0/2 for example? Well we can but shouldnt do it because users can access to the server from other interface (s0 interface, for example). So we can understand why an standard access list should be applied close to the destination. Note: The 0.255.255.255 is the wildcard mask part of network 10.0.0.0. We will learn how to use wildcard mask later. Extended IP Access List Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports. Configuration Syntax access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port] Example of Extended IP Access List
In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but allow other traffic to go through. Note: FTP uses TCP on port 20 & 21. Define which protocol, source, destination and port are denied: Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21 Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20 Router(config)#access-list 101 permit ip any any
http://www.9tut.com/access-list-tutorial
25/07/2011
Page 3 of 9
Apply this ACL to an interface: Router(config)#interface Fa0/1 Router(config-if)#ip access-group 101 out Notice that we have to explicit allow other traffic (access-list 101 permit ip any any) as there is an deny all command at the end of each ACL. As we can see, the destination of above access list is 187.100.1.6 0.0.0.0 which specifies a host. We can use host 187.100.1.6 instead. We will discuss wildcard mask later. In summary, below is the range of standard and extended access list Access list type Range Standard 1-99, 1300-1999 Extended 100-199, 2000-2699
Moxa Units for Evaluation Wide selection. Order online and receive unit within 2 days. store.moxa.com Complete CCNA Training Instant access to 900+ hours of Cisco training videos. Only $159/mo www.INE.com/CCNA Cursos Governana em TI ITILV3 - ISO20000 - Cobit 4 - PMBOK Condies Imbatveis.Confira ! www.green.com.br
Pages: 1 2 Comments (37) Comments 1. very well March 9th, 2011 thank for shareing document,its very usefull for me 2. Wildcard March 11th, 2011 172.23.16.0 /28 /28 = 11111111.11111111.11111111.11110000 = 255.255.255.240 255.255.255.240 doesnt convert to 0.0.15.255 11111111.11111111.11111111.11110000 = 255.255.255.240 00000000.00000000.00000000.00001111 = 0.0.0.15 not 00000000.00000000.00001111.11111111 = 0.0.15.255 Unless I missed something 3. oiram March 15th, 2011 Roger tat, althought this tut is bit more screwed up than this wildcard. Sentence Therefore 255.255.255.240 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255 should be replaced by
http://www.9tut.com/access-list-tutorial
25/07/2011
Page 4 of 9
Therefore 255.255.240.0 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255 (decimal mask is jut typo I suppose, since they talk /28, please fix this 9tut Guys) 4. oiram March 15th, 2011 oops, now I screwed ;) CIDR should be set to /20 5. 9tut March 15th, 2011 Yes, it is a typo. I fixed it. Thanks for your detection! 6. extended March 23rd, 2011 Extended IP access lists should be placed close to the source. in this case why we applied it on interface 0/1 ? i think we should apply it on interface 0/0 also the ACL number is wrong !! Router(config)#interface Fa0/0 Router(config-if)#ip access-group 101 in am I right? Explain pls 7. 9tut March 24th, 2011 @extended: Extended IP access lists should be placed close to the source but it is not always the case. We can apply it to either Fa0/0 (inbound) or Fa0/1 (outbound) 8. gassah April 2nd, 2011 hello guys I will be writing my exam next week. Please can somebody send me the latest dumps at iutl87@yahoo.com 9. CCNA Student April 6th, 2011 hello guys I will be writing my exam after 2 weeks. Please can somebody send me the latest dumps at Sulm1986@gmail.com 10. hello friends April 19th, 2011 i will give my exam in 30 th april so plz give me latest dumps for the exam. my mail id is vir_774@yahoo.co.in 11. Otakking April 21st, 2011 In the first example.
http://www.9tut.com/access-list-tutorial
25/07/2011
Page 5 of 9
access-list 1 permit 10.0.0.0 0.0.0.255 should be access-list 1 permit 10.0.0.0 0.255.255.255 as the example says 10.0.0.0/8 network. Please fix it to avoid further confusion. 12. abraham April 25th, 2011 hey guys i will be writing my exam after 2 weeks. Please can somebody send me the latest dumps my email is ermela4u2004@yahoo.com 13. 9tut April 27th, 2011 @Otakking: Yes, I fixed it. Thanks for your detection! 14. CiscoCisco April 30th, 2011 blog.ine.com/2008/09/15/binary-math-part-i/ blog.ine.com/2008/09/16/binary-math-part-i-answers/ blog.ine.com/2008/11/03/binary-math-part-ii/ blog.ine.com/2008/11/05/binary-math-part-ii-answers/ 15. hadezproj May 3rd, 2011 Hi 9tut, for Extended ACL example, kindly edit the wildcard mask to 0.255.255.255 and also to apply ACL, it should be ip access-group 101 out . hope this is helpful. thanks for the great tutorials. 16. sinesio May 3rd, 2011 Yes, @hadezproj is right.. 17. 9tut May 7th, 2011 Yes, I updated it. Thanks for your detection! 18. ppower May 15th, 2011 Thanks for excellent tutorial, im sitting the CCNA in 2 weeks, if anyone has the latest dumps could you send them to paddypower365@gmail.com thanks
http://www.9tut.com/access-list-tutorial
25/07/2011
Page 6 of 9
19. Tee May 18th, 2011 Hi 9tut, Thanks for the tutorials. Can you please provide a situation where an IN statement is use. Both examples only used the OUT statements 20. Tee May 18th, 2011 just realize there is an inbound example on the next page. 21. liv May 20th, 2011 Can u pls send me the new dumps, Im trying to sit for the ccna exams. Thanks..my email is oanim7@gmail.com 22. David May 25th, 2011 Very handy! 23. David May 25th, 2011 What are dumps? 24. Jose May 26th, 2011 Hi beautiful pple. I am sitting for my exam this weekend on 28 th of may. Can sam1 send me the most valid dumps at chegeh_07@yahoo.com. ASAP. Thanx in advance. 25. dhana June 7th, 2011 hi some 1 plz send me dumps 2011 bcoz i wnna workout plz send to vs.dhananjay89 @gmail.com 26. nikhil June 13th, 2011 i think subnet mask of /28 will be 255.255.255.240 and so wild card mask should be 0.0.0.15.is it right????plzzz explain reply.. 27. Rick29 June 15th, 2011 planning on taking the exam tomorrow, any new dumps avalible please send to philroger10@gmail.com thanks. 28. 9tut June 17th, 2011 @nikhil: Yes, first convert subnet mask 255.255.255.240 into binary form, then replace all 1 with 0 and all 0 with 1 and convert back to decimal you will get 0.0.0.15. 29. fidel
http://www.9tut.com/access-list-tutorial
25/07/2011
Page 7 of 9
June 27th, 2011 I will be sitting for CCNA exam next week. Please can somebody send me the latest dumps at buleonfi@yahoo.com .thanks 30. A. Moiz July 2nd, 2011 Easy way to find a wild card mask from given network address is to do minus last or interested octet of subnet mask from 256 remaing will be the block size and 1 minus from it Ull have a wild card mask Eg 192.168.5.1 /28 Its means that the subnet mask will be 255.255.255.240 256-240=16(16 will be the block size means that netowrk will be 192.168.5.0 OR 192.165.5.16 or .32 OR .48 muliple of 16s) do 1 minus from it 15.. this means that ull have 15 inyour last octet of the MCM 0.0.0.15 Do inform me if i m wrong 31. A. Moiz July 2nd, 2011 Can any one send me the latest Dumbs plz plz plz Amoiz.nu@hotmail.com 32. Michael July 13th, 2011 Hi Moiz, Yes that is correct and is the easiest way to figure out VLSM for me anyway!!! 33. Ephraim July 20th, 2011 Can someone send me the latest CCNA dump for appearing in exam 34. Ephraim July 20th, 2011 my id ephraimmani@gmail.com 35. bright July 20th, 2011 Could someone kindly send me the latest CCNA dump please my mail is unslush2008@yahoo.com I wish to take the examination soon but this forum as really help build my moralsThanks guys 36. Brad July 20th, 2011 hi everyone i am sitting for CCNA exam next week can someone send me the latest dump my id
http://www.9tut.com/access-list-tutorial
25/07/2011
Page 8 of 9
braddycm@yahoo.fr thanks 37. vhick July 21st, 2011 Hello All, I love whats goin on here, my exam comes up tomorrow friday 22-07-2011. can you all please send the latest dumps that you have to me, plz i need you help urgently. send to keziemi@gmail.com. i also need any advice and clues Vhick Add a Comment Name
Submit Comment
CCNA 640-802
CCNA Lab Sim CCNA Access List Questions CCNA WAN CCNA RIP Questions CCNA OSPF Questions CCNA EIGRP Questions DHCP Group of Four Questions CCNA Drag and Drop 1 CCNA Drag and Drop 2 CCNA Drag and Drop 3 CCNA Drag and Drop 4 CCNA Drag and Drop 5 CCNA VTP Questions CCNA Hotspot CCNA STP Questions CCNA IPv6 Questions CCNA Subnetting CCNA Operations 1 CCNA Operations 2 CCNA Operations 3 CCNA Troubleshooting 1 CCNA Troubleshooting 2 CCNA Wireless CCNA FAQs & Tips Share your CCNA Experience
CCNA Self-Study
Practice CCNA GNS3 Labs
http://www.9tut.com/access-list-tutorial
25/07/2011
Page 9 of 9
CCNA Knowledge
Network Resources
Free Router Simulators ICND1/ICND2 Website CCNP - ROUTE Website CCNP - SWITCH Website CCNP - TSHOOT Website CCNA Voice Website CCNA Wireless Website CCNA Security Website CCDA Website CCIP Website CCIE Written Website Support 9tut
Top Copyright 2010-2011 CCNA Training Privacy Policy. Valid XHTML 1.1 and CSS 3.
http://www.9tut.com/access-list-tutorial
25/07/2011