CCNA Training Access List Tutorial

Page 1 of 9

Type text to search here...

Enviar Consulta

Home > Access List Tutorial

Access List Tutorial

February 13th, 2011 Go to comments In this tutorial we will learn about access list. Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just image you come to a fair and see the guardian checking tickets. He only allows people with suitable tickets to enter. Well, an access lists function is same as that guardian. Access lists filter network traffic by controlling whether packets are forwarded or blocked at the routers interfaces based on the criteria you specified within the access list. To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.
Promoo Itil Exam Grtis Itil+Cobit+Pmi+Grtis Exame 1990,00 Itil + Cobit 890,00 Ultimas Vagas www.trainning.com.br/pmi_itil_cobit CCIE Labs Solutions Pass CCIE Lab Exam In First Attempt By Studying Real Labs. ccie.passearly.com

Standard IP Access List Standard IP lists (1-99) only check source addresses of all IP packets. Configuration Syntax access-list access-list-number {permit | deny} source {source-mask} Apply ACL to an interface ip access-group access-list-number {in | out} Example of Standard IP Access List

Configuration: In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface)

http://www.9tut.com/access-list-tutorial

25/07/2011

CCNA Training Access List Tutorial

Page 2 of 9

Define which source is allowed to pass: Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255 (there is always an implicit deny all other traffic at the end of each ACL so we dont need to define forbidden traffic) Apply this ACL to an interface: Router(config)#interface Fa0/1 Router(config-if)#ip access-group 1 out The ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of Fa0/1 interface while deny all other traffic. So can we apply this ACL to other interface, Fa0/2 for example? Well we can but shouldnt do it because users can access to the server from other interface (s0 interface, for example). So we can understand why an standard access list should be applied close to the destination. Note: The 0.255.255.255 is the wildcard mask part of network 10.0.0.0. We will learn how to use wildcard mask later. Extended IP Access List Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports. Configuration Syntax access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port] Example of Extended IP Access List

In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but allow other traffic to go through. Note: FTP uses TCP on port 20 & 21. Define which protocol, source, destination and port are denied: Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21 Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20 Router(config)#access-list 101 permit ip any any

http://www.9tut.com/access-list-tutorial

25/07/2011

CCNA Training Access List Tutorial

Page 3 of 9

Apply this ACL to an interface: Router(config)#interface Fa0/1 Router(config-if)#ip access-group 101 out Notice that we have to explicit allow other traffic (access-list 101 permit ip any any) as there is an deny all command at the end of each ACL. As we can see, the destination of above access list is 187.100.1.6 0.0.0.0 which specifies a host. We can use host 187.100.1.6 instead. We will discuss wildcard mask later. In summary, below is the range of standard and extended access list Access list type Range Standard 1-99, 1300-1999 Extended 100-199, 2000-2699
Moxa Units for Evaluation Wide selection. Order online and receive unit within 2 days. store.moxa.com Complete CCNA Training Instant access to 900+ hours of Cisco training videos. Only $159/mo www.INE.com/CCNA Cursos Governana em TI ITILV3 - ISO20000 - Cobit 4 - PMBOK Condies Imbatveis.Confira ! www.green.com.br

Pages: 1 2 Comments (37) Comments 1. very well March 9th, 2011 thank for shareing document,its very usefull for me 2. Wildcard March 11th, 2011 172.23.16.0 /28 /28 = 11111111.11111111.11111111.11110000 = 255.255.255.240 255.255.255.240 doesnt convert to 0.0.15.255 11111111.11111111.11111111.11110000 = 255.255.255.240 00000000.00000000.00000000.00001111 = 0.0.0.15 not 00000000.00000000.00001111.11111111 = 0.0.15.255 Unless I missed something 3. oiram March 15th, 2011 Roger tat, althought this tut is bit more screwed up than this wildcard. Sentence Therefore 255.255.255.240 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255 should be replaced by

http://www.9tut.com/access-list-tutorial

25/07/2011

CCNA Training Access List Tutorial

Page 4 of 9

Therefore 255.255.240.0 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255 (decimal mask is jut typo I suppose, since they talk /28, please fix this 9tut Guys) 4. oiram March 15th, 2011 oops, now I screwed ;) CIDR should be set to /20 5. 9tut March 15th, 2011 Yes, it is a typo. I fixed it. Thanks for your detection! 6. extended March 23rd, 2011 Extended IP access lists should be placed close to the source. in this case why we applied it on interface 0/1 ? i think we should apply it on interface 0/0 also the ACL number is wrong !! Router(config)#interface Fa0/0 Router(config-if)#ip access-group 101 in am I right? Explain pls 7. 9tut March 24th, 2011 @extended: Extended IP access lists should be placed close to the source but it is not always the case. We can apply it to either Fa0/0 (inbound) or Fa0/1 (outbound) 8. gassah April 2nd, 2011 hello guys I will be writing my exam next week. Please can somebody send me the latest dumps at iutl87@yahoo.com 9. CCNA Student April 6th, 2011 hello guys I will be writing my exam after 2 weeks. Please can somebody send me the latest dumps at Sulm1986@gmail.com 10. hello friends April 19th, 2011 i will give my exam in 30 th april so plz give me latest dumps for the exam. my mail id is vir_774@yahoo.co.in 11. Otakking April 21st, 2011 In the first example.

http://www.9tut.com/access-list-tutorial

25/07/2011

CCNA Training Access List Tutorial

Page 5 of 9

access-list 1 permit 10.0.0.0 0.0.0.255 should be access-list 1 permit 10.0.0.0 0.255.255.255 as the example says 10.0.0.0/8 network. Please fix it to avoid further confusion. 12. abraham April 25th, 2011 hey guys i will be writing my exam after 2 weeks. Please can somebody send me the latest dumps my email is ermela4u2004@yahoo.com 13. 9tut April 27th, 2011 @Otakking: Yes, I fixed it. Thanks for your detection! 14. CiscoCisco April 30th, 2011 blog.ine.com/2008/09/15/binary-math-part-i/ blog.ine.com/2008/09/16/binary-math-part-i-answers/ blog.ine.com/2008/11/03/binary-math-part-ii/ blog.ine.com/2008/11/05/binary-math-part-ii-answers/ 15. hadezproj May 3rd, 2011 Hi 9tut, for Extended ACL example, kindly edit the wildcard mask to 0.255.255.255 and also to apply ACL, it should be ip access-group 101 out . hope this is helpful. thanks for the great tutorials. 16. sinesio May 3rd, 2011 Yes, @hadezproj is right.. 17. 9tut May 7th, 2011 Yes, I updated it. Thanks for your detection! 18. ppower May 15th, 2011 Thanks for excellent tutorial, im sitting the CCNA in 2 weeks, if anyone has the latest dumps could you send them to paddypower365@gmail.com thanks

http://www.9tut.com/access-list-tutorial

25/07/2011

CCNA Training Access List Tutorial

Page 6 of 9

19. Tee May 18th, 2011 Hi 9tut, Thanks for the tutorials. Can you please provide a situation where an IN statement is use. Both examples only used the OUT statements 20. Tee May 18th, 2011 just realize there is an inbound example on the next page. 21. liv May 20th, 2011 Can u pls send me the new dumps, Im trying to sit for the ccna exams. Thanks..my email is oanim7@gmail.com 22. David May 25th, 2011 Very handy! 23. David May 25th, 2011 What are dumps? 24. Jose May 26th, 2011 Hi beautiful pple. I am sitting for my exam this weekend on 28 th of may. Can sam1 send me the most valid dumps at chegeh_07@yahoo.com. ASAP. Thanx in advance. 25. dhana June 7th, 2011 hi some 1 plz send me dumps 2011 bcoz i wnna workout plz send to vs.dhananjay89 @gmail.com 26. nikhil June 13th, 2011 i think subnet mask of /28 will be 255.255.255.240 and so wild card mask should be 0.0.0.15.is it right????plzzz explain reply.. 27. Rick29 June 15th, 2011 planning on taking the exam tomorrow, any new dumps avalible please send to philroger10@gmail.com thanks. 28. 9tut June 17th, 2011 @nikhil: Yes, first convert subnet mask 255.255.255.240 into binary form, then replace all 1 with 0 and all 0 with 1 and convert back to decimal you will get 0.0.0.15. 29. fidel

http://www.9tut.com/access-list-tutorial

25/07/2011

CCNA Training Access List Tutorial

Page 7 of 9

June 27th, 2011 I will be sitting for CCNA exam next week. Please can somebody send me the latest dumps at buleonfi@yahoo.com .thanks 30. A. Moiz July 2nd, 2011 Easy way to find a wild card mask from given network address is to do minus last or interested octet of subnet mask from 256 remaing will be the block size and 1 minus from it Ull have a wild card mask Eg 192.168.5.1 /28 Its means that the subnet mask will be 255.255.255.240 256-240=16(16 will be the block size means that netowrk will be 192.168.5.0 OR 192.165.5.16 or .32 OR .48 muliple of 16s) do 1 minus from it 15.. this means that ull have 15 inyour last octet of the MCM 0.0.0.15 Do inform me if i m wrong 31. A. Moiz July 2nd, 2011 Can any one send me the latest Dumbs plz plz plz Amoiz.nu@hotmail.com 32. Michael July 13th, 2011 Hi Moiz, Yes that is correct and is the easiest way to figure out VLSM for me anyway!!! 33. Ephraim July 20th, 2011 Can someone send me the latest CCNA dump for appearing in exam 34. Ephraim July 20th, 2011 my id ephraimmani@gmail.com 35. bright July 20th, 2011 Could someone kindly send me the latest CCNA dump please my mail is unslush2008@yahoo.com I wish to take the examination soon but this forum as really help build my moralsThanks guys 36. Brad July 20th, 2011 hi everyone i am sitting for CCNA exam next week can someone send me the latest dump my id

http://www.9tut.com/access-list-tutorial

25/07/2011

CCNA Training Access List Tutorial

Page 8 of 9

braddycm@yahoo.fr thanks 37. vhick July 21st, 2011 Hello All, I love whats goin on here, my exam comes up tomorrow friday 22-07-2011. can you all please send the latest dumps that you have to me, plz i need you help urgently. send to keziemi@gmail.com. i also need any advice and clues Vhick Add a Comment Name

Submit Comment

Subscribe to comments feed CCNA VTP Questions CCNA Hotspot

CCNA 640-802
CCNA Lab Sim CCNA Access List Questions CCNA WAN CCNA RIP Questions CCNA OSPF Questions CCNA EIGRP Questions DHCP Group of Four Questions CCNA Drag and Drop 1 CCNA Drag and Drop 2 CCNA Drag and Drop 3 CCNA Drag and Drop 4 CCNA Drag and Drop 5 CCNA VTP Questions CCNA Hotspot CCNA STP Questions CCNA IPv6 Questions CCNA Subnetting CCNA Operations 1 CCNA Operations 2 CCNA Operations 3 CCNA Troubleshooting 1 CCNA Troubleshooting 2 CCNA Wireless CCNA FAQs & Tips Share your CCNA Experience

CCNA Self-Study
Practice CCNA GNS3 Labs

http://www.9tut.com/access-list-tutorial

25/07/2011

CCNA Training Access List Tutorial

Page 9 of 9

CCNA Knowledge

Network Resources
Free Router Simulators ICND1/ICND2 Website CCNP - ROUTE Website CCNP - SWITCH Website CCNP - TSHOOT Website CCNA Voice Website CCNA Wireless Website CCNA Security Website CCDA Website CCIP Website CCIE Written Website Support 9tut

Your contribution will help keep this site updated!

Ads by Google Tutorial CCNA Exam Download CCNA Certification CCNA Practice Tests

Top Copyright 2010-2011 CCNA Training Privacy Policy. Valid XHTML 1.1 and CSS 3.

http://www.9tut.com/access-list-tutorial

25/07/2011