Vous êtes sur la page 1sur 67

CCNA2 Routing

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

Perrine modified by Brierley

Module 11

Access Control

04/27/15

server

172.16.4.13

Page 1

CCNA2 Routing

172.16.2.0
Computer

Module 11

Access Control

172.16.4.0
e0

e1

172.16.2.2
172.16.3.1

s0
172.16.3.0

s1

172.16.3.2

Computer

172.16.4.3
Server

172.16.4.2

Perrine modified by Brierley

04/27/15

Page 2

CCNA2 Routing

High Level View

Module 11

A HIGH LEVEL VIEW of ACLs

Perrine modified by Brierley

04/27/15

Page 3

CCNA2 Routing

Module 11

Access Control Lists


Standard
Extended

Perrine modified by Brierley

04/27/15

Page 4

CCNA2 Routing

High Level View

Module 11

Standard:

Interface Fa 0/0/0

ip access-group 1 out

access-list 1 deny 172.16.4.13 0.0.0.0

access-list 1 permit any

________________________________________________________________

Extended:

Interface Fa 0/0/0
ip access-group 101 in

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq www


access-list 101 permit ip any any

Perrine modified by Brierley

04/27/15

Page 5

CCNA2 Routing

Standard Access Control Lists

Module 11

ACLs are instructions that are applied to a router interfaces.


The ACLs describe the kind of packets that are to be permitted or denied.
Permitted or Denial testing can be based on:
source address
destination address
port number
ACLs are configured on the router Interfaces to control access to a network.
ACLs must be defined separately for each protocol; Unique for IP, Unique for
IPX; Unique for AppleTalk, etc.
Some times ACLs are called packet filters.
Perrine modified by Brierley

04/27/15

Page 6

CCNA2 Routing

Perrine modified by Brierley

Standard Access Control Lists

04/27/15

Module 11

Page 7

CCNA2 Routing

Perrine modified by Brierley

Extended ACLs

04/27/15

Module 11

Page 8

CCNA2 Routing

Perrine modified by Brierley

Named ACLs

04/27/15

Module 11

Page 9

CCNA2 Routing

Placing ACLs

Module 11

Standard ACLs should be placed close to the destination.


Extended ACLs should be placed close to the source.
Perrine modified by Brierley

04/27/15

Page 10

CCNA2 Routing

Firewalls

Module 11

A firewall is an architectural structure that


exists between the user and the outside world
to protect the internal network from intruders.
Perrine modified by Brierley

04/27/15

Page 11

CCNA2 Routing

Perrine modified by Brierley

Restricting Virtual Terminal Access

04/27/15

Module 11

Page 12

CCNA2 Routing

Perrine modified by Brierley

Summary

04/27/15

Module 11

Page 13

CCNA2 Routing

ACL - Access Control Lists

Module 11

Reasons to create ACLs:


limit network traffic - hence increase network performance
provide traffic flow - limit traffic through the network
provide for security
ACLs establish
which traffic is blocked
which traffic is not blocked

Perrine modified by Brierley

04/27/15

Page 14

CCNA2 Routing

DETAIL

Module 11

A MORE DETAILED VIEW of ACLs

Perrine modified by Brierley

04/27/15

Page 15

CCNA2 Routing

ACL - Access Control Lists

Module 11

Cisco IOS checks each packet for:


1.

destination address

2.

source address

3.

protocol

4.

port number

access-list 1 deny 192.169.1.0 0.0.255.255


access-list 1 deny 192.168.1.9 0.0.0.0
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any

Each ACL statement is checked in a sequential order (first to last) and when
there is a match, no more statements are checked.
If the results are no matches, then the packet (by default) is discarded.
Adding addition ACL statements to the end of an existing list is just a matter of
adding the new statement. BUT, if
deleting an existing ACL statement causes the entire access list to be deleted.

Perrine modified by Brierley

04/27/15

Page 16

CCNA2 Routing

ACL - Access Control Lists

Module 11

When a packet enters a routers interface:


IN (inbound) checking is required. The packet:
1)

Is checked against the ACL list (if one exists)

2)

Here It can be interrogated to permit or deny.

3)

If denied the packet is dropped else,

4)

It is matched against the routing table and passed to an


OUT (outbound interface)

1)

OUT (outbound) checking is required.


Here It can be interrogated to permit or deny.
2) If denied the packet is dropped
3) If permitted then packet is allowed OUT (outbound).

The Outbound interfaces ACL is a different list from the inbound)


Perrine modified by Brierley

04/27/15

Page 17

CCNA2 Routing

ACL - Access Control Lists

Module 11

ACL statements operate in a logical, sequential order. When a match is made


the rest of the statements are not checked.
If none the ACL statements match, then there is an implicit deny any rule.
access-list 10 { permit | deny } { test conditions }

access-list 10 { permit | deny } { test conditions }


access-list 10 { permit | deny } { test conditions }
access-list 10 { permit | deny } { test conditions }

access-list 10 deny any

access-list 1 deny 192.169.1.0 0.0.255.255


access-list 1 deny 192.168.1.9 0.0.0.0
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any

Perrine modified by Brierley

04/27/15

Page 18

CCNA2 Routing

ACL - Access Control Lists

Module 11

Two types of IP ACL :


standard - has access list value of 1- 99
extended - has access list value of 100 - 199
Must be configured in global configuration mode. Router (config) #
Steps in creating ACLs:
1) create the ACL (in config mode)
2) apply the ACL to an interface
ACLs are used to filter:
inbound traffic, or
outbound traffic

Perrine modified by Brierley

04/27/15

Page 19

CCNA2 Routing

Where to place ACLs

Module 11

Standard ACLs are place as close as possible to the destination.

Extended ACLs are place as close as possible to the source.

Perrine modified by Brierley

04/27/15

Page 20

CCNA2 Routing

Where to place ACLs

Module 11

Configuring an Access List:


Router(config)# access-list <ACL number> { permit | deny } { test conditions }
Router(config)# access-list 1 permit { test conditions }
Router(config)# access-list 50 deny { test conditions }
To delete all ACL statements of an access-list
Router(config)# no access-list <ACL number>

Applying the Access List:


At an interface:
Router(config)# int E0
Router(config-if)# { protocol } access-group <ACL number> [IN | OUT]
Out is the default if not mentioned
Router(config-if)# ip access-group 1
Router(config-if)# ip access-group 50
To delete an ACL group statement (this will not delete the associated list):
Router(config)# no access-group <ACL number>
Perrine modified by Brierley

04/27/15

Page 21

CCNA2 Routing

Wildcard

Module 11

A wildcard is matched with an IP address or protocol address.


It is a 32 bit mask divided into 4 octet, each containing 8 bits.
A 0 in the wildcard means to check the bit in the IP you are testing.
A 1 in the wildcard means ignore the bit in the IP you are testing.

NOTE!!!
Do NOT think subnet mask that is a totally different
meaning not related to the WILDCARD

Perrine modified by Brierley

04/27/15

Page 22

CCNA2 Routing

Module 11

Abbreviations

To permit or deny any address:


0.0.0.0

255.255.255.255

Address

Wildcard

Use the abbreviation any


Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)# access-list 1 permit any
Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255
Router(config)# access-list 1 deny any
Perrine modified by Brierley

04/27/15

Page 23

CCNA2 Routing

Abbreviations

Module 11

To match all the bits of IP address use host:


EX: 172. 30.16. 29 0. 0. 0. 0
Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 1 permit host 172.30.16.29

Perrine modified by Brierley

04/27/15

Page 24

CCNA2 Routing

Standard ACLs

Module 11

Criteria:
block all traffic from a network
allow all traffic from a network
deny entire protocol suits
Standard ACLs only check the source address.
Router(config)# access-list <ACL number> { deny | permit } source [ source wildcard] [log]

Perrine modified by Brierley

04/27/15

Page 25

CCNA2 Routing

Standard ACLs

Module 11

What does this statement accomplish?


Access-list 33 permit 172.16.0.0 0.0.255.255 log

Permits all traffic from 172.16.0.0 and sends messages to the console every
time the access list is executed.

Perrine modified by Brierley

04/27/15

Page 26

CCNA2 Routing

Standard ACLs

Module 11

What does this statement accomplish?

Access-list 44 deny 172.16.13.7 0.0.0.0 log


Denies traffic from host 172.16.13.7 and sends message to the console every
time the access list is hit.

Perrine modified by Brierley

04/27/15

Page 27

CCNA2 Routing

Standard ACLs

Module 11

What does this statement accomplish?


Access-list 55 deny 172.16.64.3 0.0.0.255

Denies all traffic from network 172.16.64.0

Perrine modified by Brierley

04/27/15

Page 28

CCNA2 Routing

Standard ACLs

Module 11

The log command:


Prints messages to the console which includes the ACL number, whether
the packet was permitted or denied, the source address, and the number
of packets.
The message is generated for the first packet that matches, and then at
five-minute intervals, including the number of packets permitted or
denied in the prior five-minute interval.
Log is used for debugging only not to be left active on live networks.

Perrine modified by Brierley

04/27/15

Page 29

CCNA2 Routing

Standard ACLs

Module 11

Example of applying the access-list:


Router(config-if)# ip access-group 33 in
Router(config-if)# ip access-group 44 out

Perrine modified by Brierley

04/27/15

Page 30

CCNA2 Routing

Standard ACLs

Module 11

To monitor IP access list: (in EXEC mode)


show access-list
Displays all access lists & their parameters configured on the router.
(Does not show you which interface the list is set on.)

show access-list <ACL number>


Shows only the parameters for the access list <ACL number>. (Does not
show you the interface the list is set on.)

show ip access-list
Shows only the IP access lists configured on the router
show ip interface
Shows which interfaces have access lists set (containing an accessgroup).
show running-config
Shows the routers entire configuration
Perrine modified by Brierley

04/27/15

Page 31

CCNA2 Routing

Module 11

Standard ACLs

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

server

172.16.4.13

R(config)# Interface e0
R(config-if)# ip access-group 1 out
R(config)# Interface e1
R(config-if)# ip access-group 1 out
R(config)# access-list 1 permit 172.16.0.0 0.0.255.255

What does it do?


Perrine modified by Brierley

04/27/15

Page 32

CCNA2 Routing

Module 11

Standard ACLs

One Access list used by multiple Interfaces


172.16.3.0

172.16.4.0

e0

e1
s0

R(config)# Interface e0

Non-172.16.0.0

server

172.16.4.13

R(config-if)# ip access-group 1 out


R(config)# Interface e1
R(config-if)# ip access-group 1 out
R(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Allows only traffic from source network 172.16.0.0 to be forwarded & and
172.16.0.0 traffic is blocked.
Perrine modified by Brierley

04/27/15

nonPage 33

CCNA2 Routing

Module 11

Standard ACLs

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

server

172.16.4.13

R(config)# Interface e0
R(config-if)# ip access-group 1 out
R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
R(config)# access-list 1 permit any

What does this do?

Perrine modified by Brierley

04/27/15

Page 34

CCNA2 Routing

Module 11

Standard ACLs

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

server

172.16.4.13

R(config)# Interface e0
R(config-if)# ip access-group 1 out
R(config)# access-list 1 deny 172.16.4.13 0.0.0.0
R(config)# access-list 1 permit any
Denies traffic from a specific device, 172.16.4.13 & allows all other traffic thru e0 to
network 172.16.3.0.
Perrine modified by Brierley

04/27/15

Page 35

CCNA2 Routing

Module 11

Standard ACLs

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

server

172.16.4.13

Interface e0
ip access-group 1 out
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any

What does this do?


Perrine modified by Brierley

04/27/15

Page 36

CCNA2 Routing

Module 11

Standard ACLs

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

server

172.16.4.13

Interface e0
ip access-group 1 out
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
Denies traffic from the subnet, 172.16.4.0 & allows all other traffic thru e0 to
network 172.16.3.0.
Perrine modified by Brierley

04/27/15

Page 37

CCNA2 Routing

Extended ACLs

Module 11

Criteria:
checks both the packets source & destination addresses
check for specific protocol
check for specific port numbers
permit or denied applications pings, telnets, FTP, etc.
ACL values range between 100 199 (for IP)

Perrine modified by Brierley

04/27/15

Page 38

CCNA2 Routing

Extended ACLs

Port Numbers (decimal)

Module 11

IP Protocol

20

FTP data [TCP]

21

FTP program (control) [TCP]

23

Telnet [TCP]

25

Simple Mail Transport Protocol


[TCP] (SMTP)

53

DNS [TCP, UDP]

69

TFTP [UDP]

80

HTTP [TCP]

Perrine modified by Brierley

04/27/15

Page 39

CCNA2 Routing

Module 11

Extended ACLs

Router(config)# access-list <ACL number> { permit | deny } protocol source source-mask


destination destination-mask operator operand {established}

ACL number
100 199

permit | deny
Packet is allowed or blocked

protocol
IP, TCP, UDP, ICMP, GRE or IGRP

source -- Source address source-wildcard mask


destination -- Destination address destination-wildcard mask
Continued
Perrine modified by Brierley

04/27/15

Page 40

CCNA2 Routing

Extended ACLs

Module 11

Router(config)# access-list <ACL number> { permit | deny } protocol source source-mask


destination destination-mask operator
operand {established}

operator
lt, gt, eq, neq

Operand
Port number

established
Allows TCP traffic to pass if the packet uses an established connection ( for example, has
ACK bits set ).

access-list 101 permit tcp 172.16.4.0 0.0.0.255 any eq 25

Perrine modified by Brierley

04/27/15

Page 41

CCNA2 Routing

Extended ACLs

Module 11

Configuring an extended ACL to an interface:


Router(config-if)# ip access-group <ACL number> { in | out }
Router(config)# int E0
Router(config-if)# ip access-group 101 in

Perrine modified by Brierley

04/27/15

Page 42

CCNA2 Routing

Module 11

Extended ACLs

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

server

172.16.4.13

Interface e0
ip access-group 101
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any

What does this do?


Perrine modified by Brierley

04/27/15

Page 43

CCNA2 Routing

Module 11

Extended ACLs

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

server

172.16.4.13

Interface e0
ip access-group 101
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any
Blocks FTP traffic from all hosts on 172.16.4.0 to any device on 172.16.3.0 & allows
all other traffic.
Perrine modified by Brierley

04/27/15

Page 44

CCNA2 Routing

Module 11

Extended ACLs

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

server

172.16.4.13

Interface e0
ip access-group 101
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any

What does this do?


Perrine modified by Brierley

04/27/15

Page 45

CCNA2 Routing

Module 11

Extended ACLs

172.16.3.0

172.16.4.0

e0

e1
s0

Non-172.16.0.0

server

172.16.4.13

Interface e0
ip access-group 101
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
Denies only telnet traffic from 172.16.4.0 to 172.16.3.0 network, and permits all
other traffic thru e0 to any address.
Perrine modified by Brierley

04/27/15

Page 46

CCNA2 Routing

Extended/Standard ACL numbers for IP

Module 11

NOTE:
Standard ACL numbers: 1-99;

1300-1999

Extended ACL numbers: 100-199;

Perrine modified by Brierley

04/27/15

2000-2699

Page 47

CCNA2 Routing

Standard/Extended ACL

Module 11

You can not add ACL statements into the body of the access-list
(ONLY at the end of the list).
Otherwise the access list must be deleted first, and then rewritten.
Therefore it is prudent to write your access-list in text format using
notepad, and then transfer it to your router.

Perrine modified by Brierley

04/27/15

Page 48

CCNA2 Routing

Configuring Named ACLs

Module 11

NOTE:
A NAMED ACL is an alphanumeric string instead of the ACL
number (1 - 199 )
NAMED ACLs are not compatible with Cisco IOS release prior to
Release 11.2
Named ACLs can be used for either standard & extended
You cannot configure the same name for multiple ACLs.
use Name ACL when you want to intuitively identify ACLs
use Name ACL when you have more than 99 standard & 100
extended ACLs have been configured on a router for a given protocol

Perrine modified by Brierley

04/27/15

Page 49

CCNA2 Routing

Configuring Named ACLs

Module 11

Router(config)# ip access-list { standard | extended } name { deny | permit } { commands }

ip access-list standard internetfilter


deny 172.10.15.0 0.0.0.255
permit 128.88.0.0 0.0.255.255
permit 36.0.0.0 0.0.255.255
ip access-list extended marketing-group
permit tcp any 171.69.0.0 0.255.255.255 eq telnet
deny udp any 171.69.0.0 0.255.255.255 lt 1024

Perrine modified by Brierley

04/27/15

Page 50

CCNA2 Routing

Named ACL

Module 11

A named ACL will allow the deletion of statements, but will only allow
for the statements to be inserted a the end of the list.

Perrine modified by Brierley

04/27/15

Page 51

CCNA2 Routing

Module 11

More Details

access-list 1 permit 172.16.0.0 0.0.255.255


10101100.00010000.00000000.00000000
00000000.00000000.xxxxxxxx. xxxxxxxx
10101100.00010000.xxxxxxxx. xxxxxxxx

Matched value

Incoming packet with address of 172.18.4.2. Will it be permitted?


Source :

10101100.00010010.00000100.00000010

Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxxx


10101100.00010010.xxxxxxxx. xxxxxxxx Result

Perrine modified by Brierley

04/27/15

Page 52

CCNA2 Routing

Module 11

access-list 1 permit 172.16.0.0 0.0.255.255


10101100.00010000.00000000.00000000
00000000.00000000.xxxxxxxx. xxxxxxxx
10101100.00010000.xxxxxxxx. xxxxxxxx

Match value

Incoming packet with address of 172.18.4.2. Will it be permitted?


Source :

10101100.00010010.00000100.00000010

Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxxx


10101100.00010010.xxxxxxxx. xxxxxxxx Result
Does the result equal the match value?
No! Hence the incoming packet will not be permitted.
Perrine modified by Brierley

04/27/15

Page 53

CCNA2 Routing

Module 11

access-list 1 permit 172.16.0.0 0.0.255.255


10101100.00010000.00000000.00000000
00000000.00000000.xxxxxxxx. xxxxxxxx
10101100.00010000.xxxxxxxx. xxxxxxxx

Match value

Incoming packet with address of 172.16.4.2. Will it be permitted?


Source :

10101100.00010000.00000100.00000010

Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxxx


10101100.00010000.xxxxxxxx. xxxxxxxx Result
Does the result equal the match value?
Yes! Hence the incoming packet will be permitted.
Perrine modified by Brierley

04/27/15

Page 54

CCNA2 Routing

Module 11

access-list 1 permit 172.16.0.0 0.0.255.254


10101100.00010000.00000000.00000000
00000000.00000000.xxxxxxxx. xxxxxxx0
10101100.00010000.xxxxxxxx. xxxxxxx0

Matched value

Incoming packet with address of 172.16.4.1. Will it be permitted?


Source :

10101100.00010000.00000100.00000001

Wildcard mask: 00000000.00000000. xxxxxxxx. xxxxxxx0


10101100.00010000.xxxxxxxx. xxxxxxx1 Result
Incoming packet with address of 172.16.4.4. Will it be permitted?
Source :

10101100.00010000.00000100.00000100

Wildcard mask: 00000000.00000000. xxxxxxxx. xxxxxxx0


10101100.00010000. xxxxxxxx. xxxxxxx0 Result
Perrine modified by Brierley

04/27/15

Page 55

CCNA2 Routing

Module 11

access-list 1 permit 172.16.0.0 0.0.255.254


10101100.00010000.00000000.00000000
00000000.00000000.xxxxxxxx. xxxxxxx0
10101100.00010000.xxxxxxxx. xxxxxxx0

Matched value

Incoming packet with address of 172.16.4.5. Will it be permitted?


Source :

10101100.00010000.00000100.00000101

Wildcard mask: 00000000.00000000.xxxxxxxx. xxxxxxx0


10101100.00010000.xxxxxxxx. xxxxxxx1 Result
So the access list perform what operation? Permits 172.16.4.4, and denies
172.16.4.1 and 172.16.4.5
Permits all even addresses from the network 172.16.0.0
Perrine modified by Brierley

04/27/15

Page 56

CCNA2 Routing

Permit/Deny BLOCKS of addresses

Module 11

One can permit or deny a block of addresses. However, the blocks must be
a power of 2! (Example, 2, 4, 8, 16, 32, 64, 128, etc.)
When you need to specify a range of addresses, you choose the closet
block size for your needs.
You want to block access to part of network that is in the range from
198.16.99.0 through 198.16.99.7. This is a block size of 8. Hence:
198.16.99.0 0.0.0.7
Also in this case for a block of 8, the beginning address must either start at
0, 8, 16, etc.

Perrine modified by Brierley

04/27/15

Page 57

CCNA2 Routing

Permit/Deny BLOCKS of addresses

Module 11

One has a subnet whose addresses range from 200.17.2.128 to 200.17.2.191.


One wants to divide this network so the top half are permitted and the
bottom half is denied to any other network. What is the access lists?
The block range
is:

64
What is the access-list for the bottom?

access-list 101 deny ip 200.17.2.128 0.0.0.31 any


What is the access-list for the top?
access-list 101 permit ip 200.17.2.160 0.0.0.31 any

Perrine modified by Brierley

04/27/15

Page 58

CCNA2 Routing

Permit/Deny BLOCKS of addresses

Module 11

What does this do?


access-list 10 deny 200.16.88.64 0.0.0.63

Denies a block of 64 address starting at 200.16.88.64

Perrine modified by Brierley

04/27/15

Page 59

CCNA2 Routing

Virtual Terminal ACL

Module 11

You can control access via the VTY ports controlling telnet sessions
coming into the router.
You write the ACL as usual, but use access-class to apply it.
As an example:
Router(config t)# access-list 1 permit 172.16.1.0 0.0.0.255
Router(config t)# line vty 0 4
Router(config-line)# login
Router(config-line)# password cisco
Router(config-line)# access-class 1 in

Note: only numbered access lists can be applied to VTY virtual lines!
Perrine modified by Brierley

04/27/15

Page 60

CCNA2 Routing

Module 11

Established option

The establish option in an access-list used only with TCP datagrams.


There are cases when you want to stop host B from initiating a
connection with a host A while permitting A to initiate connections with
B.
establish
MacintoshSE
MacintoshSE

response

establish

Perrine modified by Brierley

04/27/15

Page 61

CCNA2 Routing

Established option

Module 11

As a practical example:

172.16.3.0

e1

e0

INTERNET

172.16.4.0

172.16.3.13

Allow host 172.16.3.13 with Internet connection, but dont allow the
internet to initialize any sessions.

Perrine modified by Brierley

04/27/15

Page 62

CCNA2 Routing

Established option

Module 11

172.16.3.0

e1

e0

INTERNET

172.16.4.0

172.16.3.13

Router(config)# int e1
Router(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.255.255
established

Perrine modified by Brierley

04/27/15

Page 63

CCNA2 Routing

Established option

Module 11

172.16.3.0

e1

e0

INTERNET

172.16.4.0

172.16.3.13

Router(config)# int e1
Router(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit tcp any host 172.16.3.13 eq www established

Perrine modified by Brierley

04/27/15

Page 64

CCNA2 Routing

Established option

Module 11

172.16.3.0

e1

e0

INTERNET

172.16.4.0

172.16.3.13

Note: established argument is limited to tcp which means UDP, ICMP and all
other IP protocols will not match, and will be denied, unless specifically
allowed. Hence
Router(config)# int e1
Router(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit tcp any 172.16.3.0 0.0.0.255 eq www established
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 permit udp any any eq 53
Perrine modified by Brierley

04/27/15

Page 65

CCNA2 Routing

Where to Place ACLs?

Module 11

ACL Rules:
Standard ACL
Place the ACL as near the destination as possible.
Extended ACL
Put the ACL as close as possible to the source

Perrine modified by Brierley

04/27/15

Page 66

CCNA2 Routing

Module 11

Access Lists
Standard
Extended
End of Session
Perrine modified by Brierley

04/27/15

Page 67