
6/1/2016

CCNA Training - Access List Tutorial

Access List Tutorial


February 13th, 2011


In this tutorial we will learn about access lists.

Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just imagine you come to a fair and see the guard checking tickets. He only allows people with suitable tickets to enter. Well, an access list's function is the same as that guard's.

Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router's interfaces, based on the criteria you specified within the access list.

To use ACLs, the system administrator must first configure the ACLs and then apply them to specific interfaces, in the inbound or outbound direction.

There are 3 popular types of ACL: Standard, Extended and Named ACLs.
Standard IP Access List

Standard IP lists (1-99) only check the source addresses of IP packets.

Configuration Syntax

access-list access-list-number {permit | deny} source [source-wildcard]

(the second operand is a wildcard mask, not a subnet mask; see the note further down)

Apply ACL to an interface (in interface configuration mode)

ip access-group access-list-number {in | out}
Example of Standard IP Access List

Configuration:

In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the server (located on the Fa0/1 interface).

Define which source is allowed to pass:

Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255

(there is always an implicit deny of all other traffic at the end of each ACL, so we don't need to define the forbidden traffic)
Apply this ACL to an interface:

Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
ACL 1 is applied so that only packets from 10.0.0.0/8 may go out of the Fa0/1 interface, while all other traffic is denied. So can we apply this ACL to another interface, Fa0/2 for example? Well, we can, but we shouldn't, because a standard list matches only the source address: applied anywhere else it would also block traffic from other networks that was never meant for the server, and users could still reach the server from other interfaces (the S0 interface, for example). That is why a standard access list should be applied close to the destination.

Note: 0.255.255.255 is the wildcard mask part of network 10.0.0.0 (a 0 bit means "must match", a 1 bit means "don't care", so 10.0.0.0 0.255.255.255 matches every address whose first octet is 10). We will learn how to use wildcard masks later.
Extended IP Access List

Extended IP lists (100-199) check both source and destination addresses, the specific IP protocol (TCP, UDP, ICMP, ...) and, for TCP or UDP, the source and destination ports.

Configuration Syntax

access-list access-list-number {permit | deny} protocol source {source-wildcard} destination {destination-wildcard} [eq destination-port]
Example of Extended IP Access List

In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 to the server 187.100.1.6 but allow all other traffic to go through.

Note: FTP uses TCP ports 21 (control) and 20 (data). Blocking port 21 is what actually stops FTP sessions, because the control connection must be set up first; the port 20 entry only covers active-mode data transfers, since passive-mode data connections use a negotiated high port instead.

Define which protocol, source, destination and port are denied:

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any

Apply this ACL to an interface:

Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out

Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any) as there is a deny-all at the end of each ACL. Entries are checked in order and the first match wins, so the permit line must come after the two deny lines.

As we can see, the destination of the above access list is 187.100.1.6 0.0.0.0, which specifies a single host. We can use host 187.100.1.6 instead (and any in place of 0.0.0.0 255.255.255.255). We will discuss wildcard masks later.
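To make the evaluation rules used in both examples concrete (wildcard-mask matching, first-match ordering, the implicit deny, and the fact that a standard list ignores the destination), here is an added Python model written for this tutorial; it is not code from 9tut or from Cisco IOS. It parses the exact access-list lines from the two examples above and evaluates constructed packets against them. The Entry fields, the evaluate/parse_entry/build function names and the sample packets are this example's own, and the parser only covers the syntax the page uses (permit/deny, any, host, address plus wildcard, eq port), not named ACLs, port ranges or established.

```python
"""Minimal model of how Cisco IOS evaluates numbered IP access lists.

Added example for this tutorial, not 9tut or Cisco code.  Field and function
names are this example's own; only the syntax used on the page is parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STANDARD_RANGES = [(1, 99), (1300, 1999)]
EXTENDED_RANGES = [(100, 199), (2000, 2699)]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp", ... ("ip" matches any protocol)
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard ACLs never look at the destination,
    dst_wc: str = "255.255.255.255"  # so they are stored with destination "any"
    dst_port: Optional[int] = None   # from "eq <port>"; None means any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if not wildcard_match(dst, self.dst, self.dst_wc):
            return False
        return self.dst_port is None or self.dst_port == dport


def _address(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    # IOS treats a missing wildcard as 0.0.0.0 (a single host)
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit() and "." in tokens[i + 1]:
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse one 'access-list N {permit|deny} ...' line in the tutorial's syntax."""
    t = line.split()
    assert t[0] == "access-list", line
    number, action = int(t[1]), t[2]
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        src, src_wc, _ = _address(t, 3)          # standard: source only
        return number, Entry(action, "ip", src, src_wc)
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        proto = t[3]
        src, src_wc, i = _address(t, 4)
        dst, dst_wc, i = _address(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return number, Entry(action, proto, src, src_wc, dst, dst_wc, port)
    raise ValueError(f"{number} is not a standard or extended IP ACL number")


def build(config: str) -> Dict[int, List[Entry]]:
    """Group entries by ACL number, keeping the order they were entered in."""
    acls: Dict[int, List[Entry]] = {}
    for line in config.strip().splitlines():
        number, entry = parse_entry(line.strip())
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if e.matches(proto, src, dst, dport):
            return e.action
    return "deny"  # the implicit 'deny any' at the end of every IOS ACL


# Constructed from the two examples in this tutorial.
CONFIG = """
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
access-list 101 permit ip any any
"""
ACLS = build(CONFIG)

if __name__ == "__main__":
    # Standard ACL 1: only the source matters; anything else hits the implicit deny.
    print(evaluate(ACLS[1], "tcp", "10.1.2.3", "187.100.1.6", 80))    # permit
    print(evaluate(ACLS[1], "tcp", "172.16.5.5", "187.100.1.6", 80))  # deny
    # Extended ACL 101: FTP control from 10/8 to the server is denied, the rest permitted.
    print(evaluate(ACLS[101], "tcp", "10.1.2.3", "187.100.1.6", 21))  # deny
    print(evaluate(ACLS[101], "tcp", "10.1.2.3", "187.100.1.6", 80))  # permit
    print(evaluate(ACLS[101], "tcp", "10.1.2.3", "187.100.1.7", 21))  # permit
```

Evaluating ACL 101 with the final permit line removed (ACLS[101][:2]) returns "deny" for a port 80 packet, which is the implicit-deny behaviour the tutorial warns about; and because the entries are tried in order, moving the permit ip any any line to the top would make both deny lines unreachable.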
In summary, below are the number ranges of standard and extended access lists:

Access list type    Range
Standard            1-99, 1300-1999
Extended            100-199, 2000-2699

http://www.9tut.com/access-list-tutorial#more-458