Date posted: 03-Jan-2016 | Category: Documents | Uploaded by: ffbugbugger
[Cover: word cloud of ACL terms (0.0.0.0, permit, Extended ACL, Standard, access-group, deny, access-list, ACL, Wildcard Mask, Any)]

Access Lists Workbook
Version 1.0
Instructor’s Edition
Inside Cover

Access-List Numbers

IP Standard: 1 to 99
IP Extended: 100 to 199
Ethernet Type Code: 200 to 299
Ethernet Address: 700 to 799
DECnet and Extended DECnet: 300 to 399
XNS: 400 to 499
Extended XNS: 500 to 599
Appletalk: 600 to 699
48-bit MAC Addresses: 700 to 799
IPX Standard: 800 to 899
IPX Extended: 900 to 999
IPX SAP (service advertisement protocol): 1000 to 1099
IPX SAP SPX: 1000 to 1099
Extended 48-bit MAC Addresses: 1100 to 1199
IPX NLSP: 1200 to 1299
IP Standard, expanded range: 1300 to 1999
IP Extended, expanded range: 2000 to 2699
SS7 (voice): 2700 to 2999
Standard Vines: 1 to 100
Extended Vines: 101 to 200
Simple Vines: 201 to 300
Transparent bridging (protocol type): 200 to 299
Transparent bridging (vendor type): 700 to 799
Extended Transparent bridging: 1100 to 1199
Source-route bridging (protocol type): 200 to 299
Source-route bridging (vendor type): 700 to 799
Produced by: Robb [email protected]
Frederick County Career & Technology Center, Cisco Networking Academy
Frederick County Public Schools, Frederick, Maryland, USA
Special thanks to Melvin Baker and Jim Dorsch for taking the time to check this workbook for errors.
Instructors (and anyone else for that matter), please do not post the Instructor’s version on public websites. When you do this you’re giving everyone else worldwide the answers. Yes, students look for answers this way.
It also discourages others, myself included, from posting high quality materials.
What are Access Control Lists?

ACLs... are a sequential list of instructions that tell a router which packets to permit or deny.

How routers use Access Lists (Outbound Port - Default)

The router checks to see if the packet is routable. If it is, it looks up the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL, the router switches the packet out that interface to its destination.
If there is an ACL, the router checks the packet against the access list statements sequentially, then permits or denies each packet as it is matched.
If the packet does not match any statement written in the ACL it is denied, because there is an implicit “deny any” statement at the end of every ACL.

General Access Lists Information

Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it stops comparing and permits or denies the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed protocol must have a different ACL for each interface.
...must be applied to an interface to work.
Standard Access Lists

Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) only source addresses.
...do not have any destination information, so they must be placed as close to the destination as possible.
...work at layer 3 of the OSI model.
Why standard ACLs are placed close to the destination.

If you want to block traffic from Juan’s computer from reaching Janet’s computer with a standard access list, you would place the ACL close to the destination on Router D, interface E0. Since it is using only the source address to permit or deny packets, the ACL here will not affect packets reaching Routers B or C.

If you place the ACL on Router A to block traffic to Router D, it will also block all packets going to Routers B and C, because all the packets will have the same source address.

[Figure: Routers A, B, C and D connected by serial links (S0/S1); Juan’s, Janet’s, Jimmy’s and Matt’s computers are attached to the Ethernet (E0) interfaces.]
Standard Access List Placement - Sample Problems

1. In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the standard access list at router interface ______.
Answer: FA1

2. Lisa has been sending unnecessary information to Paul. Where would you place the standard ACL to deny all traffic from Lisa to Paul?
Router Name: Router B    Interface: E1

3. Where would you place the standard ACL to deny traffic from Paul to Lisa?
Router Name: Router A    Interface: E0

[Figure: Routers A, B and C linked by serial interfaces (S0/S1), with Ethernet (E0/E1) and FastEthernet (FA0/FA1) LAN interfaces; Juan’s, Jan’s, Lisa’s and Paul’s computers are attached to the LAN interfaces.]
Standard Access List Placement

[Figure: Routers A through F linked by serial interfaces (S0/S1), with Ethernet (E0) and FastEthernet (FA0/FA1) LAN interfaces; Sarah’s, Jackie’s, Linda’s, Melvin’s, Jim’s, Jeff’s, George’s, Kathy’s, Carrol’s, Ricky’s, Jenny’s and Amanda’s computers are attached to the LAN interfaces.]

1. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer?
Router Name: Router D    Interface: E0

2. Where would you place a standard access list to deny traffic from Melvin’s computer from reaching Jenny’s computer?
Router Name: Router A    Interface: E0

3. Where would you place a standard access list to deny traffic to Carrol’s computer from Sarah’s computer?
Router Name: Router C    Interface: FA1

4. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer?
Router Name: Router D    Interface: E0

5. Where would you place a standard access list to deny traffic from Amanda’s computer from reaching Jeff and Jim’s computer?
Router Name: Router D    Interface: E0

6. Where would you place a standard access list to permit traffic from Jackie’s computer to reach Linda’s computer?
Router Name: Router E    Interface: E0

7. Where would you place a standard access list to permit traffic from George’s computer to reach Carrol and Amanda’s computer?
Router Name: Router C    Interface: FA1

8. Where would you place a standard access list to deny traffic to Jenny’s computer from Jackie’s computer?
Router Name: Router A    Interface: E0

9. Where would you place a standard access list to permit traffic from George’s computer to reach Linda and Sarah’s computer?
Router Name: Router E    Interface: E0

10. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer?
Router Name: Router C    Interface: FA1

11. Where would you place a standard access list to deny traffic to Sarah’s computer from Ricky’s computer?
Router Name: Router E    Interface: E0

12. Where would you place an ACL to deny traffic from Linda’s computer from reaching Jackie’s computer?
Router Name: Router F    Interface: FA1
Extended Access Lists

Extended Access Lists...
...are numbered from 100 to 199.
...filter (permit or deny) based on the source address, destination address, protocol and port number.
...are placed close to the source.
...work at both layer 3 and 4 of the OSI model.

Why extended ACLs are placed close to the source.

If you want to deny traffic from Juan’s computer from reaching Janet’s computer with an extended access list, you would place the ACL close to the source on Router A, interface E0. Since it can permit or deny based on the destination address, it can reduce backbone overhead and not affect traffic to Routers B or C.

If you place the ACL on Router E to block traffic from Router A, it will work. However, Routers B and C will have to route the packet before it is finally blocked at Router E. This increases the volume of useless network traffic.
[Figure: Routers A, B, C and D connected by serial links (S0/S1); Juan’s, Janet’s, Jimmy’s and Matt’s computers are attached to the Ethernet (E0) and FastEthernet (FA0) interfaces.]
Extended Access List Placement - Sample Problems

1. In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the extended access list at router interface ______.
Answer: E0

2. Lisa has been sending unnecessary information to Paul. Where would you place the extended ACL to deny all traffic from Lisa to Paul?
Router Name: Router A    Interface: FA0

3. Where would you place the extended ACL to deny traffic from Paul to Lisa?
Router Name: Router B    Interface: FA1

[Figure: Routers A, B and C linked by serial interfaces (S0/S1), with Ethernet (E0/E1) and FastEthernet (FA0/FA1) LAN interfaces; Juan’s, Jan’s, Lisa’s and Paul’s computers are attached to the LAN interfaces.]
Extended Access List Placement

[Figure: Routers A through F linked by serial interfaces (S0/S1), with Ethernet (E1) and FastEthernet (FA0/FA1) LAN interfaces; Sarah’s, Jackie’s, Linda’s, Melvin’s, Jim’s, Jeff’s, George’s, Kathy’s, Carrol’s, Ricky’s, Jenny’s and Amanda’s computers are attached to the LAN interfaces.]

1. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer?
Router Name: Router D    Interface: FA0

2. Where would you place an extended access list to permit traffic from Jackie’s computer to reach Linda’s computer?
Router Name: Router F    Interface: FA1

3. Where would you place an extended access list to deny traffic to Carrol’s computer from Ricky’s computer?
Router Name: Router A    Interface: FA0

4. Where would you place an extended access list to deny traffic to Sarah’s computer from Jackie’s computer?
Router Name: Router F    Interface: FA1

5. Where would you place an extended access list to permit traffic from Carrol’s computer to reach Jeff’s computer?
Router Name: Router C    Interface: E1

6. Where would you place an extended access list to deny traffic from Melvin’s computer from reaching Jeff and Jim’s computer?
Router Name: Router F    Interface: FA1

7. Where would you place an extended access list to permit traffic from George’s computer to reach Jeff’s computer?
Router Name: Router C    Interface: E1

8. Where would you place an extended access list to permit traffic from Jim’s computer to reach Carrol and Amanda’s computer?
Router Name: Router D    Interface: FA0

9. Where would you place an ACL to deny traffic from Linda’s computer from reaching Kathy’s computer?
Router Name: Router E    Interface: FA0

10. Where would you place an extended access list to deny traffic to Jenny’s computer from Sarah’s computer?
Router Name: Router E    Interface: FA0

11. Where would you place an extended access list to permit traffic from George’s computer to reach Linda and Sarah’s computer?
Router Name: Router C    Interface: E1

12. Where would you place an extended access list to deny traffic from Linda’s computer from reaching Jenny’s computer?
Router Name: Router E    Interface: FA0
Choosing to Filter Incoming or Outgoing Packets

Access Lists on your incoming port...
...require less CPU processing.
...filter and deny packets before the router has to make a routing decision.

Access Lists on your outgoing port...
...are the default direction unless otherwise specified (an ACL is applied outbound by default).
...increase the CPU processing time, because the routing decision is made and the packet is switched to the correct outgoing port before it is tested against the ACL.
Breakdown of a Standard ACL Statement

access-list 1 permit 192.168.90.36 0.0.0.0

  1 = autonomous number (1 to 99)
  permit = permit or deny
  192.168.90.36 = source address
  0.0.0.0 = wildcard mask

access-list 78 deny host 192.168.90.36 log

  78 = autonomous number (1 to 99)
  deny = permit or deny
  host = indicates a specific host address
  192.168.90.36 = source address
  log = (optional) generates a log entry on the router for each packet that matches this statement
Breakdown of an Extended ACL Statement

access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0

  125 = autonomous number (100 to 199)
  permit = permit or deny
  ip = protocol (ip, icmp, tcp, udp, etc.)
  192.168.90.36 = source address
  0.0.0.0 = source wildcard mask
  192.175.63.12 = destination address
  0.0.0.0 = destination wildcard mask

access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log

  178 = autonomous number (100 to 199)
  deny = permit or deny
  tcp = protocol (ip, icmp, tcp, udp, etc.)
  host = indicates a specific host
  192.168.90.36 = source address
  host = indicates a specific host
  192.175.63.12 = destination address
  eq = operator (eq for =, gt for >, lt for <, neq for not equal)
  23 = port number (23 = telnet)
  log = (optional) generates a log entry on the router for each packet that matches this statement

Protocols include: IP, IGMP, IPINIP, TCP, GRE, OSPF, UDP, IGRP, NOS, ICMP, EIGRP, or an integer 0-255.
To match any internet protocol use IP.
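The first-match and implicit-deny rules from “How routers use Access Lists”, together with the standard and extended statement forms broken down above, as an added Python example (not code from the workbook): it parses the statements, checks a packet against them in order, and falls through to the implicit deny. Assumptions: the port operator is only recognised after the destination address, as shown here, and the port-name table is a small constructed subset.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")        # "any" is 0.0.0.0 255.255.255.255
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "http": 80}   # constructed subset


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 must match the base address, wildcard bit 1 is ignored."""
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(base) & keep)


def _is_ip(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _take_addr(toks: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address: any | host A | A W | A (a bare A means wildcard 0.0.0.0)."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(toks) and _is_ip(toks[i + 1]):
        return (toks[i], toks[i + 1]), i + 2
    return (toks[i], "0.0.0.0"), i + 1


@dataclass
class Statement:
    number: int
    action: str                  # permit or deny
    protocol: str                # "ip" for a standard list, which has no protocol field
    src: Tuple[str, str]         # (address, wildcard)
    dst: Tuple[str, str]         # always "any" for a standard list
    op: Optional[str] = None     # eq / gt / lt / neq applied to the destination port
    port: Optional[int] = None
    log: bool = False


def parse_statement(line: str) -> Statement:
    toks = line.split()
    if len(toks) < 4 or toks[0].lower() != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(toks[1]), toks[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny in {line!r}")
    if 1 <= number <= 99:                       # standard: source address only
        src, i = _take_addr(toks, 3)
        st = Statement(number, action, "ip", src, ANY)
    elif 100 <= number <= 199:                  # extended: protocol src dst [op port]
        src, i = _take_addr(toks, 4)
        dst, i = _take_addr(toks, i)
        st = Statement(number, action, toks[3].lower(), src, dst)
        if i < len(toks) and toks[i].lower() in ("eq", "gt", "lt", "neq"):
            name = toks[i + 1].lower()
            st.op = toks[i].lower()
            st.port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            i += 2
    else:
        raise ValueError(f"only list numbers 1-99 and 100-199 are handled: {number}")
    st.log = any(t.lower() == "log" for t in toks[i:])   # optional trailing keyword
    return st


def _port_ok(st: Statement, dport: Optional[int]) -> bool:
    if st.op is None:
        return True
    if dport is None:
        return False
    return {"eq": dport == st.port, "neq": dport != st.port,
            "gt": dport > st.port, "lt": dport < st.port}[st.op]


def matches(st: Statement, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    if st.protocol != "ip" and st.protocol != proto:    # "ip" matches every IP protocol
        return False
    return (wildcard_match(src, *st.src) and wildcard_match(dst, *st.dst)
            and _port_ok(st, dport))


def evaluate(acl: List[str], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Check statements in order; the first match decides; no match is the implicit deny."""
    for line in acl:
        st = parse_statement(line)
        if matches(st, src, dst, proto, dport):
            return st.action, line
    return "deny", "implicit deny any"


# Constructed sample lists: Sample #2's standard list and the extended breakdown statement.
STANDARD_28 = [
    "access-list 28 deny host 192.168.90.36",
    "access-list 28 permit 192.168.90.0 0.0.0.255",
    "access-list 28 permit 210.30.28.0 0.0.0.255",
]
EXTENDED_178 = [
    "access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log",
    "access-list 178 permit ip any any",
]
```

Reversing EXTENDED_178 makes the permit line match first and the deny line unreachable, which is why the text says the order of statements matters.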
What are Named Access Control Lists?

Named ACLs... are standard or extended ACLs which have an alphanumeric name instead of a number (i.e. 1-99 or 100-199).

Named Access Lists Information

Named Access Lists...
...identify ACLs with an intuitive name instead of a number.
...eliminate the limits imposed by using numbered ACLs. (798 for standard and 799 for extended)
...provide the ability to modify your ACLs without deleting and reloading the revised access list. It will only allow you to add statements to the end of the existing statements.
...are not compatible with any IOS prior to Release 11.2.
...cannot repeat the same name on multiple ACLs.
Applying a Standard Named Access List called “George”

Write a named standard access list on Router A, interface E1 to block Melvin’s computer from sending information to Kathy’s computer; but will allow all other traffic.

Place the access list at:
Router Name: Router A
Interface: E1
Access-list #: George

A named list is created with ip access-list standard <name>; its permit and deny statements are then entered in the named-ACL sub-mode without the access-list keyword.

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ip access-list standard George
Router(config-std-nacl)# deny host 172.16.70.35
Router(config-std-nacl)# permit any
Router(config-std-nacl)# exit
Router(config)# interface e1
Router(config-if)# ip access-group George out
Router(config-if)# exit
Router(config)# exit
Creating Named Access Lists

Applying an extended Named Access List called “Gracie”

Write a named extended access list on Router A, interface E0 called “Gracie” to deny HTTP traffic intended for web server 192.168.207.27, but will permit all other HTTP traffic to reach only the 192.168.207.0 network. Deny all other IP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: Gracie

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ip access-list extended Gracie
Router(config-ext-nacl)# deny tcp any host 192.168.207.27 eq www
Router(config-ext-nacl)# permit tcp any 192.168.207.0 0.0.0.255 eq www
Router(config-ext-nacl)# exit
Router(config)# interface e0
Router(config-if)# ip access-group Gracie in
Router(config-if)# exit
Router(config)# exit

The implicit deny at the end of the list drops all other IP traffic.
Choices for Using Wildcard Masks

Wildcard masks are usually set up to do one of four things:
1. Match a specific host.
2. Match an entire subnet.
3. Match a specific range.
4. Match all addresses.

1. Matching a specific host.

For standard access lists:
Access-List 10 permit 192.168.150.50 0.0.0.0
or
Access-List 10 permit 192.168.150.50
or
Access-List 10 permit host 192.168.150.50
(Standard ACLs assume a 0.0.0.0 mask.)

For extended access lists:
Access-list 110 deny ip 192.168.150.50 0.0.0.0 any
or
Access-list 110 deny ip host 192.168.150.50 any

2. Matching an entire subnet.

Example 1
Address: 192.168.50.0  Subnet Mask: 255.255.255.0
Access-list 25 deny 192.168.50.0 0.0.0.255

Example 2
Address: 172.16.0.0  Subnet Mask: 255.255.0.0
Access-list 12 permit 172.16.0.0 0.0.255.255

Example 3
Address: 10.0.0.0  Subnet Mask: 255.0.0.0
Access-list 125 deny udp 10.0.0.0 0.255.255.255 any

3. Match a specific range.

Example 1
Address: 10.250.50.112  Subnet Mask: 255.255.255.224
Access-list 125 permit udp 10.250.50.112 0.0.0.31 any
Custom subnet mask: 255.255.255.224  Wildcard: 0.0.0.31

Example 2
Address Range: 192.168.16.0 to 192.168.16.127
Access-list 125 deny ip 192.168.16.0 0.0.0.127 any
(This ACL would block the lower half of the subnet.)
192.168.16.0 - 192.168.16.127  Wildcard: 0.0.0.127

Example 3
Address: 172.250.16.32 to 172.250.31.63
Access-list 125 permit ip 172.250.16.32 0.0.15.31 any
172.250.16.32 - 172.250.31.63  Wildcard: 0.0.15.31

4. Match everyone.

For standard access lists:
Access-List 15 permit any
or
Access-List 15 deny 0.0.0.0 255.255.255.255

For extended access lists:
Access-List 175 permit ip any any
or
Access-List 175 deny tcp 0.0.0.0 255.255.255.255 any
Creating Wildcard Masks

Just like a subnet mask, the wildcard mask tells the router what part of the address to check or ignore. A zero (0) bit must match exactly; a one (1) bit will be ignored.

The source address can be a single address, a range of addresses, or an entire subnet.

As a rule of thumb the wildcard mask is the reverse of the subnet mask.

Example #1:
IP Address and subnet mask: 204.100.100.0 255.255.255.0
IP Address and wildcard mask: 204.100.100.0 0.0.0.255

All zeros (or 0.0.0.0) means the address must match exactly.

Example #2:
10.10.150.95 0.0.0.0 (This address must match exactly.)

Ones will be ignored.

Example #3:
10.10.150.95 0.0.0.255 (Any 10.10.150.0 subnet address will match: 10.10.150.0 to 10.10.150.255.)

This also works with subnets.

Example #4:
IP Address and subnet mask: 192.170.25.30 255.255.255.224
IP Address and wildcard mask: 192.170.25.30 0.0.0.31
(Subtract the subnet mask from 255.255.255.255 to create the wildcard.)
Do the math... 255 - 255 = 0, 255 - 224 = 31 (This is the inverse of the subnet mask.)

Example #5:
IP Address and subnet mask: 172.24.128.0 255.255.128.0
IP Address and wildcard mask: 172.24.128.0 0.0.127.255
Do the math... (This is the inverse of the subnet mask.)
   255.255.255.255
 - 255.255.128.0
   ---------------
 =   0.0.127.255
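The subtraction rule above and the range examples under “Choices for Using Wildcard Masks” in code, as an added Python example (not from the workbook): it derives a wildcard from a subnet mask, finds the wildcard for an aligned range, and lists exactly which addresses an address/wildcard pair matches, including the caveat that a wildcard such as 0.0.15.31 (range example 3) matches a scattered set rather than one continuous block of addresses. The function names are my own.

```python
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet (its inverse)."""
    return _dotted(ALL_ONES - _ip(mask))


def subnet_mask_from_wildcard(wildcard: str) -> str:
    return _dotted(ALL_ONES - _ip(wildcard))


def is_contiguous(wildcard: str) -> bool:
    """True when the one-bits form a single low-order block (w + 1 is a power of two)."""
    w = _ip(wildcard)
    return (w + 1) & w == 0


def match_bounds(address: str, wildcard: str) -> Tuple[str, str, int]:
    """Lowest and highest matching address, and how many addresses match in total."""
    w = _ip(wildcard)
    low = _ip(address) & ~w & ALL_ONES          # ignored bits cleared
    return _dotted(low), _dotted(low | w), 1 << bin(w).count("1")


def list_matches(address: str, wildcard: str, limit: int = 65536) -> List[str]:
    """Every address the pair matches, produced by toggling each wildcard one-bit."""
    w = _ip(wildcard)
    low = _ip(address) & ~w & ALL_ONES
    bits = [1 << b for b in range(32) if (w >> b) & 1]
    count = 1 << len(bits)
    if count > limit:
        raise ValueError(f"{count} addresses match; raise limit to enumerate them")
    out = []
    for k in range(count):                      # k's bits select which wildcard bits are set
        value = low
        for j, bit in enumerate(bits):
            if (k >> j) & 1:
                value |= bit
        out.append(_dotted(value))
    return out


def wildcard_for_range(first: str, last: str) -> Optional[str]:
    """Wildcard covering exactly first..last, or None if that is not an aligned power-of-two block."""
    lo, hi = _ip(first), _ip(last)
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        return None
    return _dotted(size - 1)


def describe(address: str, wildcard: str) -> str:
    """Human-readable summary; warns when the matched set is not one continuous range."""
    low, high, count = match_bounds(address, wildcard)
    if is_contiguous(wildcard):
        return f"{address} {wildcard} matches {low} to {high} ({count} addresses)"
    gap = _ip(high) - _ip(low) + 1 - count
    return (f"{address} {wildcard} matches {count} addresses scattered between {low} "
            f"and {high} ({gap} addresses in that span do NOT match)")


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.224"))          # example #4: 0.0.0.31
    print(wildcard_from_subnet_mask("255.255.128.0"))            # example #5: 0.0.127.255
    print(describe("192.168.16.0", "0.0.0.127"))                 # lower half of the subnet
    print(describe("172.250.16.32", "0.0.15.31"))                # scattered, not a range
    print(wildcard_for_range("204.90.30.128", "204.90.30.255"))  # upper half: 0.0.0.127
```

Note that match_bounds("10.250.50.112", "0.0.0.31") starts at 10.250.50.96, because the router clears the ignored bits of the configured address before comparing.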
Wildcard Mask Problems

1. Create a wildcard mask to match this exact address.
IP Address: 192.168.25.70  Subnet Mask: 255.255.255.0
Answer: 0.0.0.0

2. Create a wildcard mask to match this range.
IP Address: 210.150.10.0  Subnet Mask: 255.255.255.0
Answer: 0.0.0.255

3. Create a wildcard mask to match this host.
IP Address: 195.190.10.35  Subnet Mask: 255.255.255.0
Answer: 0.0.0.0

4. Create a wildcard mask to match this range.
IP Address: 172.16.0.0  Subnet Mask: 255.255.0.0
Answer: 0.0.255.255

5. Create a wildcard mask to match this range.
IP Address: 10.0.0.0  Subnet Mask: 255.0.0.0
Answer: 0.255.255.255

6. Create a wildcard mask to match this exact address.
IP Address: 165.100.0.130  Subnet Mask: 255.255.255.192
Answer: 0.0.0.0

7. Create a wildcard mask to match this range.
IP Address: 192.10.10.16  Subnet Mask: 255.255.255.224
Answer: 0.0.0.31

8. Create a wildcard mask to match this range.
IP Address: 171.50.75.128  Subnet Mask: 255.255.255.192
Answer: 0.0.0.63

9. Create a wildcard mask to match this host.
IP Address: 10.250.30.2  Subnet Mask: 255.0.0.0
Answer: 0.0.0.0

10. Create a wildcard mask to match this range.
IP Address: 210.150.28.16  Subnet Mask: 255.255.255.248
Answer: 0.0.0.7

11. Create a wildcard mask to match this range.
IP Address: 172.18.0.0  Subnet Mask: 255.255.224.0
Answer: 0.0.31.255

12. Create a wildcard mask to match this range.
IP Address: 135.35.230.32  Subnet Mask: 255.255.255.248
Answer: 0.0.0.7
Wildcard Mask Problems

Based on the given information list the usable source addresses or range of usable source addresses that would be permitted or denied for each access list statement.

1. access-list 10 permit 192.168.150.50 0.0.0.0
Answer: 192.168.150.50

2. access-list 5 permit any
Answer: Any address

3. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
Answer: 195.223.50.1 to 195.223.50.63

4. access-list 11 deny 210.10.10.0 0.0.0.255
Answer: 210.10.10.1 to 210.10.10.254

5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
Answer: 192.220.10.1 to 192.220.10.15

6. access-list 171 deny any host 175.18.24.10 fragments
Answer: Any address

7. access-list 105 permit 192.168.15.0 0.0.0.255 any
Answer: 192.168.15.1 to 192.168.15.254

8. access-list 109 permit tcp 172.16.10.0 0.0.0.255 host 192.168.10.1 eq 80
Answer: 172.16.10.1 to 172.16.10.254

9. access-list 111 permit ip any any
Answer: Any address

10. access-list 195 permit udp 172.30.12.0 0.0.0.127 172.50.10.0 0.0.0.255
Answer: 172.30.12.1 to 172.30.12.127
11. access-list 110 permit ip 192.168.15.0 0.0.0.3 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.3

12. access-list 120 permit ip 192.168.15.0 0.0.0.7 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.7

13. access-list 130 permit ip 192.168.15.0 0.0.0.15 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.15

14. access-list 140 permit ip 192.168.15.0 0.0.0.31 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.31

15. access-list 150 permit ip 192.168.15.0 0.0.0.63 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.63

16. access-list 101 permit ip 192.168.15.0 0.0.0.127 192.168.30.10 0.0.0.0
Answer: 192.168.15.1 to 192.168.15.127

17. access-list 185 permit ip 192.168.15.0 0.0.0.255 192.168.30.0 0.0.0.255
Answer: 192.168.15.1 to 192.168.15.254

18. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 gt 22
Answer: 172.16.0.1 to 172.16.1.254

19. access-list 195 permit icmp 172.85.0.0 0.0.15.255 172.50.10.0 0.0.0.255
Answer: 172.85.0.1 to 172.85.15.254

20. access-list 10 permit 175.15.120.0 0.0.0.255
Answer: 175.15.120.1 to 175.15.120.254

21. access-list 190 permit tcp 172.15.0.0 0.0.15.31 any
Answer: 172.15.0.1 to 172.15.15.31

22. access-list 100 permit ip 10.0.0.0 0.255.255.255 172.50.10.0 0.0.0.255
Answer: 10.0.0.1 to 10.255.255.254
Wildcard Mask Problems

Based on the given information list the usable destination addresses or range of usable destination addresses that would be permitted or denied for each access list statement.

1. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
Answer: 172.168.10.1

2. access-list 5 permit any any
Answer: Any address

3. access-list 150 permit ip 192.168.30.10 0.0.0.0 192.168.15.0 0.0.0.63
Answer (as printed): 195.168.50.1 to 195.223.50.63

4. access-list 120 deny tcp 172.32.4.0 0.0.0.255 192.220.10.0 0.0.0.15
Answer: 192.220.10.1 to 192.220.10.15

5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
Answer: 172.32.4.1 to 172.32.4.254

6. access-list 101 deny ip 140.130.110.100 0.0.0.0 0.0.0.0 255.255.255.255
Answer: Any address

7. access-list 105 permit any 192.168.15.0 0.0.0.255
Answer: 192.168.15.1 to 192.168.15.254

8. access-list 120 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.7
Answer: 192.168.30.1 to 192.168.30.7

9. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 eq 21
Answer: 172.18.10.18

10. access-list 150 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.63
Answer: 192.168.30.1 to 192.168.30.63
Writing Standard Access Lists...

Standard Access List Sample #1

[Figure: Router A with interfaces E0 (172.16.70.1) and E1 (192.168.90.2). Hosts shown: Melvin’s computer 172.16.70.35, Frank’s computer 172.16.70.32, Kathy’s computer 192.168.90.38, Jim’s computer 192.168.90.36.]

Write a standard access list to block Melvin’s computer from sending information to Kathy’s computer; but will allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E1
Access-list #: 10

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 10 deny 172.16.70.35
   or access-list 10 deny 172.16.70.35 0.0.0.0
   or access-list 10 deny host 172.16.70.35
Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255
   or access-list 10 permit any
Router(config)# interface e1
Router(config-if)# ip access-group 10 out
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACLs]
Router# show configuration (This will show which access groups are associated with particular interfaces)
Router# show access-lists 10 (This will show detailed information about this ACL)
Standard Access List Sample #2

[Figure: the same network as Sample #1, with the 210.30.28.0 network reached through Router A’s S0 interface.]

Write a standard access list to block Jim’s computer from sending information to Frank’s computer; but will allow all other traffic from the 192.168.90.0 network. Permit all traffic from the 210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 28

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 28 deny 192.168.90.36
   or access-list 28 deny 192.168.90.36 0.0.0.0
   or access-list 28 deny host 192.168.90.36
Router(config)# access-list 28 permit 192.168.90.0 0.0.0.255
Router(config)# access-list 28 permit 210.30.28.0 0.0.0.255
Router(config)# interface e0
Router(config-if)# ip access-group 28 out
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACLs]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# no access-list 28
Router(config)# exit
Standard Access List Problem #1

[Figure: Router A (S0, E1) and Router B (S1, FA0) joined by a serial link. Addresses shown: 224.190.32.1, 224.190.32.16, 192.16.32.94, 192.16.32.95, 172.16.28.36; Michael’s and Debbie’s computers.]

Write a standard access list to block Debbie’s computer from receiving information from Michael’s computer; but will allow all other traffic from the 224.190.32.0 network. List all the command line options for this problem. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA0
Access-list #: 35 (1-99)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 35 deny 224.190.32.16
   or access-list 35 deny host 224.190.32.16
   or access-list 35 deny 224.190.32.16 0.0.0.0
Router(config)# access-list 35 permit any
   or access-list 35 permit 0.0.0.0 255.255.255.255
Router(config)# interface FA0
Router(config-if)# ip access-group 35 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Standard Access List Problem #2

Write a standard access list to permit Debbie’s computer to receive information from Michael’s computer; but will deny all other traffic from the 224.190.32.0 network. Block all traffic from the 172.16.0.0 network. Permit all other traffic. List all the command line options for this problem. Ke
ep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA0
Access-list #: 40 (1-99)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 40 permit 224.190.32.16
   or access-list 40 permit host 224.190.32.16
   or access-list 40 permit 224.190.32.16 0.0.0.0
Router(config)# access-list 40 deny 224.190.32.0 0.0.255.255
Router(config)# access-list 40 deny 172.16.0.0 0.0.255.255
Router(config)# access-list 40 permit any
   or access-list 40 permit 0.0.0.0 255.255.255.255
Router(config)# interface FA0
Router(config-if)# ip access-group 40 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Standard Access List Problem #3

[Figure: Router A (S0, E0) and Router B (S1, FA1) joined by a serial link. Addresses shown: 204.90.30.124, 204.90.30.125, 204.90.30.126, 10.250.30.35, 10.250.30.36, 192.168.88.4, 192.168.88.5; Rodney’s, Jim’s and Carol’s computers.]

Write a standard access list to block Rodney and Carol’s computer from sending information to Jim’s computer; but will allow all other traffic from the 204.90.30.0 network. Block all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 45 (1-99)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 45 deny 204.90.30.125
   or access-list 45 deny host 204.90.30.125
   or access-list 45 deny 204.90.30.125 0.0.0.0
Router(config)# access-list 45 deny 204.90.30.126
   or access-list 45 deny host 204.90.30.126
   or access-list 45 deny 204.90.30.126 0.0.0.0
Router(config)# access-list 45 permit 204.90.30.0 0.0.0.255
Router(config)# interface FA1
Router(config-if)# ip access-group 45 in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Standard Access List Problem #4

Using a minimum number of commands, write a standard access list named "Ralph" to block Carol's computer from sending information to Jim's computer; but will permit Jim to receive data from Rodney. Block the upper half of the 204.90.30.0 range from reaching Jim's computer while permitting the lower half of the range. Block all other traffic. For help with blocking the upper half of the range review page 13 or the wildcard mask problems on pages 16 and 17. For help with named ACLs review pages 12 and 13.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list Name: Ralph

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ip access-list standard Ralph
Router(config-std-nacl)# deny host 204.90.30.125
Router(config-std-nacl)# permit 204.90.30.0 0.0.0.127
Router(config-std-nacl)# exit
Router(config)# interface fa1
Router(config-if)# ip access-group Ralph out
Router(config-if)# exit
Router(config)# exit

Two statements are the minimum. The wildcard 0.0.0.127 permits 204.90.30.0 through 204.90.30.127, the lower half, which includes Rodney's 204.90.30.126; the upper half and every other source fall to the implicit deny. Carol's 204.90.30.125 is also in the lower half, so the deny for her host has to come before the permit or it is never reached. The printed key shows only the permit line and writes the named-list commands as "access-list standard Ralph" and "access-list permit ..."; a named list is created with ip access-list standard <name>, and the statements inside it start directly with permit or deny.
Standard Access List Problem #5

[Topology diagram: Router A, Router B and Router C in a row, joined by serial links (S0, S1). Router A's E0 is 172.30.225.1 on the 172.30.225.0 segment, with hosts 172.30.225.2 and 172.30.225.3. Router C's E1 is 212.180.10.5 on the 212.180.10.0 segment, with hosts 212.180.10.6 and 212.180.10.2.]

Write a standard access list to block 172.30.225.2 and 172.30.225.3 from sending information to the 212.180.10.0 network; but will allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router C
Interface: E1
Access-list #: 55 (standard range 1-99)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 55 deny 172.30.225.2
   (or access-list 55 deny host 172.30.225.2, or access-list 55 deny 172.30.225.2 0.0.0.0)
Router(config)# access-list 55 deny 172.30.225.3
   (or access-list 55 deny host 172.30.225.3, or access-list 55 deny 172.30.225.3 0.0.0.0)
Router(config)# access-list 55 permit any
Router(config)# interface e1
Router(config-if)# ip access-group 55 out
Router(config-if)# exit
Router(config)# exit

Without the final permit any, the implicit deny would block every other source as well.
Standard Access List Problem #6

Write a standard access list to block and log 212.180.10.2 from sending information to the 172.30.225.0 network. Permit and log 212.180.10.6 to send data to the 172.30.225.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. (Check the example on page 10 for help with the logging option.)

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 60 (standard range 1-99)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 60 deny 212.180.10.2 log
   (or access-list 60 deny host 212.180.10.2 log, or access-list 60 deny 212.180.10.2 0.0.0.0 log)
Router(config)# access-list 60 permit 212.180.10.6 log
   (or access-list 60 permit host 212.180.10.6 log, or access-list 60 permit 212.180.10.6 0.0.0.0 log)
Router(config)# interface e0
Router(config-if)# ip access-group 60 out
Router(config-if)# exit
Router(config)# exit

"Deny all other traffic" is the implicit deny. Note that the implicit deny does not log; if denied traffic from other sources should appear in the log as well, add an explicit access-list 60 deny any log as the last statement.
Standard Access List Problem #7

[Topology diagram: Router A, Router B and Router C joined by serial links (S0, S1), with LAN interfaces FA0 and FA1. Addresses shown: 192.168.15.3 and 192.168.15.172 on the 192.168.15.0 segment, 210.140.15.1 (Router B FA1) and 210.140.15.8 on the 210.140.15.0 segment, and 198.32.10.25 on the 198.32.10.0 segment.]

Write a standard access list to block the addresses 192.168.15.1 to 192.168.15.31 from sending information to the 210.140.15.0 network. Do not permit any traffic from 198.32.10.25 to reach the 210.140.15.0 network. Permit all other traffic. For help with this problem review page 13 or the wildcard mask problems on pages 16 and 17.

Place the access list at:
Router Name: Router B
Interface: FA1
Access-list #: 65 (standard range 1-99)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 65 deny 192.168.15.0 0.0.0.31
Router(config)# access-list 65 deny 198.32.10.25
   (or access-list 65 deny host 198.32.10.25, or access-list 65 deny 198.32.10.25 0.0.0.0)
Router(config)# access-list 65 permit any
Router(config)# interface fa1
Router(config-if)# ip access-group 65 out
Router(config-if)# exit
Router(config)# exit

The wildcard 0.0.0.31 matches 192.168.15.0 through 192.168.15.31 (the low five bits are "don't care"). That range includes the network address 192.168.15.0, which is not a usable host address, so the single statement blocks exactly the 31 hosts asked for.
Standard Access List Problem #8

Write a standard named access list called "Cisco_Lab_A" to permit traffic from the lower half of the 198.32.10.0 network to reach the 192.168.15.0 network; block the upper half of the addresses. Allow host 198.32.10.192 to reach network 192.168.15.0. Permit all other traffic. For help with this problem review page 13 or the wildcard mask problems on pages 16 and 17. For assistance with named ACLs review pages 12 and 13.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list Name: Cisco_Lab_A

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ip access-list standard Cisco_Lab_A
Router(config-std-nacl)# permit 198.32.10.0 0.0.0.127
Router(config-std-nacl)# permit host 198.32.10.192
Router(config-std-nacl)# deny 198.32.10.128 0.0.0.127
Router(config-std-nacl)# permit any
Router(config-std-nacl)# exit
Router(config)# interface fa0
Router(config-if)# ip access-group Cisco_Lab_A out
Router(config-if)# exit
Router(config)# exit

198.32.10.192 is in the upper half, so its permit has to come before the deny for that half; the printed key leaves this line out, which would block the host. The key also writes the deny as deny 198.32.10.0 0.0.0.255. That works too, because the lower half has already been permitted by the first line, but 198.32.10.128 0.0.0.127 says what is meant. As in Problem #4, the named-list commands are ip access-list standard <name> followed by bare permit/deny statements, not "access-list standard ..." and "access-list permit ...".
Standard Access List Problem #9

Write a standard access list to block network 192.168.255.0 from receiving information from the following addresses: 10.250.1.1, 10.250.2.1, 10.250.4.1, and the entire 10.250.3.0 255.255.255.0 network. Allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 75 (standard range 1-99)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 75 deny 10.250.1.1
   (or access-list 75 deny host 10.250.1.1, or access-list 75 deny 10.250.1.1 0.0.0.0)
Router(config)# access-list 75 deny 10.250.2.1
   (or access-list 75 deny host 10.250.2.1, or access-list 75 deny 10.250.2.1 0.0.0.0)
Router(config)# access-list 75 deny 10.250.4.1
   (or access-list 75 deny host 10.250.4.1, or access-list 75 deny 10.250.4.1 0.0.0.0)
Router(config)# access-list 75 deny 10.250.3.0 0.0.0.255
Router(config)# access-list 75 permit any
Router(config)# interface fa0
Router(config-if)# ip access-group 75 out
Router(config-if)# exit
Router(config)# exit

The subnet mask 255.255.255.0 inverts to the wildcard 0.0.0.255, which is how the whole 10.250.3.0 network is matched in one statement.
Writing Extended Access Lists...

Extended Access List Sample #1: Deny/Permit Specific Addresses

[Topology diagram: Router A with interfaces FA0 (172.16.70.1) and FA1 (192.168.90.2). On the 172.16.70.0 segment: John's computer 172.16.70.35 and Gail's computer 172.16.70.32. On the 192.168.90.0 segment: Celeste's computer 192.168.90.38 and Mike's computer 192.168.90.36.]

Write an extended access list to prevent John's computer from sending information to Mike's computer; but will allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 110

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 110 deny ip 172.16.70.35 0.0.0.0 192.168.90.36 0.0.0.0
   (or access-list 110 deny ip host 172.16.70.35 host 192.168.90.36)
Router(config)# access-list 110 permit ip any any
   (or access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Router(config)# interface fa0
Router(config-if)# ip access-group 110 in
Router(config-if)# exit
Router(config)# exit

An extended list matches on both source and destination, so it can be placed close to the source: inbound on FA0, where John's packets enter Router A. Each extended statement names the protocol (ip here) and then a source and a destination, each written as address plus wildcard, as host <address> (wildcard 0.0.0.0), or as any (wildcard 255.255.255.255).

[Viewing information about existing ACLs]
Router# show running-config (shows the access-list statements and which access group is applied to each interface; the workbook prints "show configuration", which displays the saved startup configuration and will not show a list until it has been saved with copy run start)
Router# show access-lists 110 (shows the statements of this ACL with a match counter on each line)
Router# show ip interface fa0 (reports the inbound and outbound access lists applied to the interface)
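As an added example (not part of the workbook, and not Cisco IOS code), the following Python models the matching rules the samples above rely on: top-down evaluation, first match wins, an implicit deny at the end, and logging only on explicit lines. It parses the statement forms used in this workbook (numbered and named lists, host, any, address plus wildcard, and the bare address of a standard list), loads the Problem #3 and Sample #2 answer keys, and adds a shadowed() check that flags a statement an earlier line makes unreachable, the mistake to avoid in Problem #4 where a deny for one host must precede the permit for its network. Only the ip protocol keyword is modelled; the names AccessList, evaluate and shadowed are this example's own.

```python
# Added example (not from the workbook or Cisco IOS): a model of IOS ACL
# matching - top-down, first match wins, implicit deny at the end, `log`
# only on explicit lines. Only the ip protocol keyword is modelled.
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]                      # (base address, wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")  # what the keyword "any" expands to


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def _is_ip(tok: str) -> bool:
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", tok) is not None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """1 bits in the wildcard are 'don't care'; every 0 bit must match exactly."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def covers(outer: AddrSpec, inner: AddrSpec) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    ob, ow = _ip(outer[0]), _ip(outer[1])
    ib, iw = _ip(inner[0]), _ip(inner[1])
    return (iw & ~ow) == 0 and ((ob ^ ib) & ~ow) == 0


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    src: AddrSpec
    dst: Optional[AddrSpec]  # None for a standard list (source only)
    log: bool


def _addr_spec(tok: List[str], i: int, extended: bool) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A' | 'A W' | (standard lists only) a bare 'A' at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and _is_ip(tok[i + 1]):
        return (tok[i], tok[i + 1]), i + 2
    if extended:
        raise ValueError("extended entries need host/any or a wildcard mask")
    return (tok[i], "0.0.0.0"), i + 1  # bare address in a standard list = one host


def parse_entry(line: str) -> Entry:
    """Accepts numbered ('access-list N permit ...') and named ('permit ...') forms."""
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]
    if tok[0] not in ("permit", "deny"):
        raise ValueError(f"bad statement: {line}")
    extended = len(tok) > 1 and tok[1] == "ip"
    src, i = _addr_spec(tok, 2 if extended else 1, extended)
    dst = None
    if extended:
        dst, i = _addr_spec(tok, i, True)
    return Entry(tok[0], src, dst, "log" in tok[i:])


class AccessList:
    def __init__(self, statements: List[str]):
        self.entries = [parse_entry(s) for s in statements]

    def evaluate(self, src: str, dst: Optional[str] = None):
        """Return (action, matching line number or None, logged?) for one packet."""
        for n, e in enumerate(self.entries, start=1):
            if not wildcard_match(src, *e.src):
                continue
            if e.dst is not None:
                if dst is None:
                    raise ValueError("an extended list needs a destination address")
                if not wildcard_match(dst, *e.dst):
                    continue
            return e.action, n, e.log
        return "deny", None, False  # implicit deny: nothing matched, nothing logged

    def shadowed(self) -> List[int]:
        """Line numbers that can never match because an earlier line covers them."""
        hits = []
        for i, e in enumerate(self.entries):
            for f in self.entries[:i]:
                if covers(f.src, e.src) and (f.dst is None or covers(f.dst, e.dst or ANY)):
                    hits.append(i + 1)
                    break
        return hits


# Problem #3 key: standard list 45, applied out on Router B FA1 (source only).
ACL_45 = AccessList([
    "access-list 45 deny host 204.90.30.125",
    "access-list 45 deny 204.90.30.126 0.0.0.0",
    "access-list 45 permit 204.90.30.0 0.0.0.255",
])
# Sample #2 key: extended list 135, applied in on Router A FA1 (source and destination).
ACL_135 = AccessList([
    "access-list 135 deny ip host 192.168.90.36 172.16.70.0 0.0.0.255",
    "access-list 135 deny ip 192.168.90.0 0.0.0.127 host 172.16.70.32",
    "access-list 135 permit ip any any",
])
# The Problem #4 trap: permitting the lower half before denying Carol's host
# makes line 2 unreachable.
ACL_BAD_RALPH = AccessList(["permit 204.90.30.0 0.0.0.127", "deny host 204.90.30.125"])
```

ACL_45.evaluate("204.90.30.7") returns ('permit', 3, False), ACL_45.evaluate("10.250.30.35") falls through to ('deny', None, False), and ACL_BAD_RALPH.shadowed() returns [2]. The covers() test is the one to remember when ordering statements: a line is dead if an earlier line agrees on every bit the earlier line cares about and leaves at least as many bits as "don't care".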
Extended Access List Sample #2: Deny/Permit Specific Addresses

Write an extended access list to block the 172.16.70.0 network from receiving information from Mike's computer at 192.168.90.36. Block the lower half of the IP addresses from the 192.168.90.0 network from reaching Gail's computer at 172.16.70.32. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA1
Access-list #: 135

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 135 deny ip 192.168.90.36 0.0.0.0 172.16.70.0 0.0.0.255
   (or access-list 135 deny ip host 192.168.90.36 172.16.70.0 0.0.0.255)
Router(config)# access-list 135 deny ip 192.168.90.0 0.0.0.127 172.16.70.32 0.0.0.0
   (or access-list 135 deny ip 192.168.90.0 0.0.0.127 host 172.16.70.32)
Router(config)# access-list 135 permit ip any any
   (or access-list 135 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Router(config)# interface fa1
Router(config-if)# ip access-group 135 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

The wildcard 0.0.0.127 covers 192.168.90.0 through 192.168.90.127, the lower half of the network. Mike's computer (.36) and Celeste's (.38) are both in that half; Mike's traffic to the whole 172.16.70.0 network is already denied by the first line, and the second line adds the rest of the lower half for Gail's computer only.

[Disabling ACLs]
Router# configure terminal
Router(config)# interface fa1
Router(config-if)# no ip access-group 135 in
Router(config-if)# exit
Router(config)# exit

The interface and direction must be the same ones used when the list was applied; the workbook printed "interface e1" and "out" here, which would not remove a list applied inbound on fa1. The list itself stays in the configuration and can be applied again later.

[Removing an ACL]
Router# configure terminal
Router(config)# interface fa1
Router(config-if)# no ip access-group 135 in
Router(config-if)# exit
Router(config)# no access-list 135
Router(config)# exit

Unbind the list from the interface before deleting it. While an interface's ip access-group refers to a numbered list that does not exist, IOS passes all traffic on that interface, so deleting a list with no access-list in order to retype it leaves the interface unfiltered until the new statements are entered.
Extended Access List Problem #1: Deny/Permit Specific Addresses

[Topology diagram: Router A with interfaces FA0 (172.20.70.15) and FA1 (192.168.122.52), connected to Router B (S0, S1). On the 172.20.70.0 segment: Bob's computer 172.20.70.80 and Cindy's computer 172.20.70.89. On the 192.168.122.0 segment: Jackie's computer 192.168.122.129 and Jay's computer 192.168.122.128.]

Write an extended access list to prevent Jay's computer from receiving information from Cindy's computer. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0 (in)
Access-list #: 105 (extended range 100-199)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 105 deny ip host 172.20.70.89 host 192.168.122.128
   (or access-list 105 deny ip 172.20.70.89 0.0.0.0 192.168.122.128 0.0.0.0)
Router(config)# access-list 105 permit ip any any
Router(config)# interface fa0
Router(config-if)# ip access-group 105 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

The printed key gives the second form of the deny as "172.30.225.2 0.0.0.0", an address left over from the standard-list problems; Cindy's computer is 172.20.70.89. The list goes inbound on FA0, where Cindy's packets enter Router A.
Extended Access List Problem #2: Deny/Permit Specific Addresses

Write an extended access list to block the 172.20.70.0 255.255.255.0 network from receiving information from Jackie's computer at 192.168.122.129. Block the lower half of the IP addresses from the 192.168.122.0 network from reaching Cindy's computer at 172.20.70.89. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A (the printed key says Router B, but FA1 is Router A's interface on the 192.168.122.0 segment, where both sources are)
Interface: FA1 (in)
Access-list #: 110 (extended range 100-199)

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 110 deny ip host 192.168.122.129 172.20.70.0 0.0.0.255
   (or access-list 110 deny ip 192.168.122.129 0.0.0.0 172.20.70.0 0.0.0.255)
Router(config)# access-list 110 deny ip 192.168.122.0 0.0.0.127 host 172.20.70.89
   (or access-list 110 deny ip 192.168.122.0 0.0.0.127 172.20.70.89 0.0.0.0)
Router(config)# access-list 110 permit ip any any
Router(config)# interface fa1
Router(config-if)# ip access-group 110 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Jackie (.129) and Jay (.128) are both in the upper half, so the second statement does not touch them: Jackie is blocked from the whole network by the first statement, and Jay can still reach Cindy through the final permit.
Extended Access List Problem #3: Deny/Permit Specific Addresses

[Topology diagram: Router A with interfaces E0 (218.35.50.1) and FA1 (172.59.2.1), connected to Router B (S0, S1). On the 218.35.50.0 segment: Jan's computer 218.35.50.10 and Juan's computer 218.35.50.12. On the 172.59.2.0 segment: Rachael's computer 172.59.2.18 and Rebecca's computer 172.59.2.15.]

Write a named extended access list called "Lab_166" to permit Jan's computer at 218.35.50.10 to receive packets from Rachael's computer at 172.59.2.18; but not Rebecca's computer at 172.59.2.15. Deny all other packets. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A (the printed key says Router B, but FA1 is Router A's interface on the 172.59.2.0 segment, where Rachael's and Rebecca's computers are)
Interface: FA1 (in)
Access-list Name: Lab_166

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ip access-list extended Lab_166
Router(config-ext-nacl)# permit ip host 172.59.2.18 host 218.35.50.10
   (or permit ip 172.59.2.18 0.0.0.0 218.35.50.10 0.0.0.0)
Router(config-ext-nacl)# exit
Router(config)# interface fa1
Router(config-if)# ip access-group Lab_166 in
Router(config-if)# exit
Router(config)# exit

One permit is enough: Rebecca's packets, and everything else entering on FA1, fall to the implicit deny, which is what "Deny all other packets" asks for. The printed key writes "access-list extended Lab_166" and "access-list permit ..."; a named list is created with ip access-list extended <name>, and the statements inside it carry no access-list prefix.
Extended Access List Problem #4: Deny/Permit Specific Addresses

Write an extended access list to allow Juan's computer at 218.35.50.12 to send information to Rebecca's computer at 172.59.2.15; but not Rachael's computer at 172.59.2.18. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0 (in)
Access-list #: 120 (extended range 100-199)

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 120 deny ip host 218.35.50.12 host 172.59.2.18
   (or access-list 120 deny ip 218.35.50.12 0.0.0.0 172.59.2.18 0.0.0.0)
Router(config)# access-list 120 permit ip any any
Router(config)# interface e0
Router(config-if)# ip access-group 120 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Juan's traffic to Rebecca needs no statement of its own; it is covered by permit ip any any. The list goes inbound on E0, where Juan's packets enter Router A.
Extended Access List Sample #3: Deny/Permit Entire Ranges

[Topology diagram: Router A (E0, 192.16.20.5) joined by a serial link (S0, S1) to Router B (E1, 192.18.50.10). On the 192.16.20.0 segment: Cindy's computer 192.16.20.6 and Ralph's computer 192.16.20.7. On the 192.18.50.0 segment: Barbra's computer 192.18.50.12 and Bob's computer 192.18.50.11.]

Write an extended access list to permit the 192.16.20.0 network to receive packets from the 192.18.50.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router B
Interface: E1
Access-list #: 111

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 111 permit ip 192.18.50.0 0.0.0.255 192.16.20.0 0.0.0.255
Router(config)# access-list 111 deny ip any any
   (or access-list 111 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Router(config)# interface e1
Router(config-if)# ip access-group 111 in
Router(config-if)# exit
Router(config)# exit

The workbook printed the destination as 192.168.20.0; the network in the problem and in the diagram is 192.16.20.0. The explicit deny ip any any duplicates the implicit deny, but it is worth keeping: show access-lists then displays a match counter for the denied traffic, which the implicit deny never reports.

[Viewing information about existing ACLs]
Router# show running-config (shows the access-list statements and which access group is applied to each interface; "show configuration" displays the saved startup configuration instead)
Router# show access-lists 111 (shows the statements of this ACL with a match counter on each line)
Extended Access List Sample #4: Deny/Permit Entire Ranges

Write an extended access list to block the 192.18.50.0 network from receiving information from the 192.16.20.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 188

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 188 deny ip 192.16.20.0 0.0.0.255 192.18.50.0 0.0.0.255
Router(config)# access-list 188 permit ip any any
   (or access-list 188 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Router(config)# interface e0
Router(config-if)# ip access-group 188 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACLs]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 188 in
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 188 in
Router(config-if)# exit
Router(config)# no access-list 188
Router(config)# exit

The workbook printed "no ip access-group 188 out" in both blocks; the list was applied inbound, and the no form must name the same direction. Unbind the list from the interface before removing it with no access-list 188, for the reason given under Sample #2.
Extended Access List Problem #5: Deny/Permit Entire Ranges

[Topology diagram: Router A with interfaces FA0 (204.95.150.11) and FA1 (172.59.2.1), connected through Router B (S0, S1) to the 210.250.10.0 network. On the 204.95.150.0 segment: Rachel's computer 204.95.150.10 and Todd's computer 204.95.150.12. On the 172.59.2.0 segment: David's computer 172.59.2.18 and Rebecca's computer 172.59.2.15.]

Write an extended access list to permit network 204.95.150.0 to send packets to network 172.59.0.0, but not the 210.250.10.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A (the printed key names Router B and prints both FA1 and FA0; the 204.95.150.0 sources enter Router A on FA0)
Interface: FA0 (in)
Access-list #: 125 (extended range 100-199)

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 125 deny ip 204.95.150.0 0.0.0.255 210.250.10.0 0.0.0.255
Router(config)# access-list 125 permit ip any any
Router(config)# interface fa0
Router(config-if)# ip access-group 125 in
Router(config-if)# exit
Router(config)# exit

Traffic from 204.95.150.0 to 172.59.0.0 needs no statement of its own; only the one destination network is denied, and everything else is covered by permit ip any any.
Extended Access List Problem #6: Deny/Permit Entire Ranges

Write an extended access list to allow Rachel's computer at 204.95.150.10 to receive information from the 172.59.0.0 network. Deny all other hosts on the 204.95.150.0 network access from the 172.59.2.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A (the printed key says Router B; FA1 is Router A's interface on the 172.59.2.0 segment, where the sources are)
Interface: FA1 (in)
Access-list #: 130 (extended range 100-199)

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 130 permit ip 172.59.0.0 0.0.255.255 host 204.95.150.10
   (or access-list 130 permit ip 172.59.0.0 0.0.255.255 204.95.150.10 0.0.0.0)
Router(config)# access-list 130 deny ip 172.59.2.0 0.0.0.255 204.95.150.0 0.0.0.255
Router(config)# access-list 130 permit ip any any
Router(config)# interface fa1
Router(config-if)# ip access-group 130 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Rachel's permit must come first; once the deny for the whole 204.95.150.0 network is matched, her address would never be reached. The printed key writes the deny's source as 172.59.0.0 0.0.255.255, the whole class B, whereas the problem names the 172.59.2.0 network; with the diagram's single 172.59.2.0 segment both match the same traffic, but 172.59.2.0 0.0.0.255 says what the problem asks. The key's last line, "permit any any", is missing the protocol: every extended statement needs it (permit ip any any).
Extended Access List Problem #7: Deny/Permit Entire Ranges

[Topology diagram: Router A with interfaces E0 (on the 172.120.0.0 network) and E1 (192.168.50.2, on the 192.168.50.0 network), connected through Router B (S0, S1, E1) to the 210.168.70.0 and 10.250.1.0 networks. On the 172.120.0.0 side: Phyllis's computer 172.120.170.45 and Tommy's computer (the drawing prints 172.120.170.45 for Tommy and for Router A's E0 as well, evidently a copy error). On the 192.168.50.0 side: Denise's computer 192.168.50.4 and Tim's computer 192.168.50.3.]

Write a named extended access list called "Godzilla" to prevent the 172.120.0.0 network from sending information to the 210.168.70.0, and 10.250.1.0 255.255.255.0 networks; but will permit traffic to the 192.168.50.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0 (in)
Access-list Name: Godzilla

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ip access-list extended Godzilla
Router(config-ext-nacl)# deny ip 172.120.0.0 0.0.255.255 210.168.70.0 0.0.0.255
Router(config-ext-nacl)# deny ip 172.120.0.0 0.0.255.255 10.250.1.0 0.0.0.255
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface e0
Router(config-if)# ip access-group Godzilla in
Router(config-if)# exit
Router(config)# exit

The permitted traffic to 192.168.50.0 needs no statement of its own; it is covered by permit ip any any. As in Problem #3, the printed key uses "access-list extended Godzilla" and "access-list deny ..." (and drops the dot in "172 120.0.0"); the named-list form is ip access-list extended <name> with bare deny/permit statements inside.
Extended Access List Problem #8: Deny/Permit Entire Ranges

Assuming default subnet masks, write an extended access list to permit Tim at 192.168.50.3 to receive data from the 172.120.0.0 network. Allow the 192.168.50.0 network to receive information from Phyllis's computer at 172.120.170.45. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0 (in)
Access-list #: 140 (extended range 100-199)

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 140 permit ip 172.120.0.0 0.0.255.255 host 192.168.50.3
   (or access-list 140 permit ip 172.120.0.0 0.0.255.255 192.168.50.3 0.0.0.0)
Router(config)# access-list 140 permit ip host 172.120.170.45 192.168.50.0 0.0.0.255
   (or access-list 140 permit ip 172.120.170.45 0.0.0.0 192.168.50.0 0.0.0.255)
Router(config)# interface e0
Router(config-if)# ip access-group 140 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

The default (class B) mask for 172.120.0.0 is 255.255.0.0, which inverts to the wildcard 0.0.255.255; the default (class C) mask for 192.168.50.0 gives 0.0.0.255. "Deny all other traffic" is the implicit deny, so no further statement is needed.
Extended Access List Sample #5: Deny/Permit a Range of Addresses

[Topology diagram: Router A (FA0, 192.168.15.20) joined by a serial link (S0, S1) to Router B (E1, 172.21.50.95). On the 192.168.15.0 segment: Rodney's computer 192.168.15.44 and Jim's computer 192.168.15.43. On the 172.21.50.0 segment: Frank's computer 172.21.50.97 and Carol's computer 172.21.50.96.]

Write an extended access list to deny the first 15 usable addresses of the 192.168.15.0 network from reaching the 172.21.0.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 185

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 185 deny ip 192.168.15.0 0.0.0.15 172.21.0.0 0.0.255.255
Router(config)# access-list 185 permit ip any any
   (or access-list 185 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Router(config)# interface fa0
Router(config-if)# ip access-group 185 in
Router(config-if)# exit
Router(config)# exit

The wildcard 0.0.0.15 matches 192.168.15.0 through 192.168.15.15; the network address .0 is included but is not a usable host, so the single statement is exact for the 15 hosts. The workbook printed the destination as 172.21.50.0 0.0.255.255 and applied the list to fa1: IOS would store that destination as 172.21.0.0 anyway (the last two octets are "don't care"), and the placement line names FA0, the interface where the 192.168.15.0 sources enter Router A.

[Viewing information about existing ACLs]
Router# show running-config (shows the access-list statements and which access group is applied to each interface; "show configuration" displays the saved startup configuration instead)
Router# show access-lists 185 (shows the statements of this ACL with a match counter on each line)
Extended Access List Sample #6: Deny/Permit a Range of Addresses

Write an extended access list which will allow the lower half of the 192.168.15.0 network access to the 172.21.50.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 121

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 121 permit ip 192.168.15.0 0.0.0.127 172.21.50.0 0.0.0.255
Router(config)# access-list 121 deny ip any any
   (or access-list 121 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Router(config)# interface fa0
Router(config-if)# ip access-group 121 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

Applied inbound on FA0, this list also stops the lower half from reaching anything other than 172.21.50.0, and the upper half from reaching anything at all; that is what "Deny all other traffic" means for a list on this interface.

[Disabling ACLs]
Router# configure terminal
Router(config)# interface fa0
Router(config-if)# no ip access-group 121 in
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface fa0
Router(config-if)# no ip access-group 121 in
Router(config-if)# exit
Router(config)# no access-list 121
Router(config)# exit
47
Write an extended access list to prevent the first 31 usable addresses in the 192.168.125.0 network from reaching the 192.168.195.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Extended Access List Problem #9 Deny/Permit a Range of Addresses
[Diagram labels: John's Computer 192.168.195.88; Celeste's Computer 192.168.125.108; E0; E1; Router A; Gail's Computer 192.168.195.145; Mike's Computer 192.168.125.17; 192.168.195.90; 192.168.125.254]
48
[Diagram labels: 172.31.195.0; S0]
Router Name: Router A; Interface: E1; Access-list #: 145 (100-199)
access-list 145 deny ip 192.168.125.0 0.0.0.31 192.168.195.0 0.0.0.255
access-list 145 permit ip any any
49
Write a named extended access list called "Media_Center" to permit the range of addresses from 172.31.195.1 through 172.31.195.7 to send data to the 192.168.125.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list Name: ________________________
[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start
Extended Access List Problem #10 Deny/Permit a Range of Addresses
Router Name: Router A; Interface: S0; Access-list Name: Media_Center
ip access-list extended Media_Center
permit ip 172.31.195.0 0.0.0.7 192.168.125.0 0.0.0.255
[Diagram labels: Cindy's Computer 192.16.20.6; Barbra's Computer 172.18.50.12; FA0; Router A; Ralph's Computer 192.16.20.7; Bob's Computer 172.18.50.11; Brad's Computer 172.22.75.10; Jill's Computer 172.22.75.9; 192.16.20.5; E1; S0; 172.22.75.8; S1; S0; S1; 172.18.50.10; FA1; Router B; Router C]
Write an extended access list to permit the first 3 usable addresses in the 192.16.20.0 network to reach the 172.22.75.0 network. Deny the addresses from 192.16.20.4 through 192.16.20.31 from reaching the 172.22.75.0 network. Permit all other traffic. Keep in mind that there are multiple ways this ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Extended Access List Problem #11 Deny/Permit a Range of Addresses
50
Router Name: Router A; Interface: FA0; Access-list #: 155 (100-199)
access-list 155 permit ip 192.16.20.0 0.0.0.3 172.22.75.0 0.0.0.255
access-list 155 deny ip 192.16.20.0 0.0.0.31 172.22.75.0 0.0.0.255
access-list 155 permit ip any any
51
Write an extended access list to deny the addresses from 172.22.75.8 through 172.22.75.127 from sending data to the 172.18.50.0 network. Deny the first half of the addresses from the 172.22.75.0 network from reaching the 192.16.20.0 network. Permit all other traffic. Keep in mind that there are multiple ways this ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start
Extended Access List Problem #12 Deny/Permit a Range of Addresses
Router Name: Router B; Interface: E1; Access-list #: 160 (100-199)
access-list 160 permit ip 172.22.75.0 0.0.0.7 172.18.50.0 0.0.0.255
access-list 160 deny ip 172.22.75.0 0.0.0.127 172.18.50.0 0.0.0.255
access-list 160 permit ip any any
52
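As an added example (not from the workbook), the function below turns an address range into the network/wildcard pairs these "Range of Addresses" problems ask for, and generalizes the single-block cases above to ranges that do not line up with one wildcard, such as .8 through .127 in Problem #12, which the answer key handles instead with a permit for .0-.7 followed by a deny for .0-.127. The function names and the way the sample ranges are fed in are assumptions; the ranges themselves come from Problems #9 and #12.

```python
"""Split an address range into Cisco network/wildcard pairs.

Added example for the "Deny/Permit a Range of Addresses" problems; it is not
part of the workbook. Function names are constructed here; the sample ranges
are the ones used in Problems #9 and #12.
"""
from __future__ import annotations

from ipaddress import IPv4Address


def matches(addr: str, network: str, wildcard: str) -> bool:
    """True if addr falls inside network/wildcard (1 bits in the wildcard are 'don't care')."""
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


def wildcard_blocks(first: str, last: str) -> list[tuple[str, str]]:
    """Return the fewest (network, wildcard) pairs that cover exactly first..last.

    One wildcard can only express a block whose size is a power of two and whose
    first address is a multiple of that size. A range that is not such a block is
    split, from the bottom up, into the largest aligned blocks that still fit.
    """
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    blocks: list[tuple[str, str]] = []
    while lo <= hi:
        size = lo & -lo if lo else 1 << 32   # largest power of two lo is aligned to
        while lo + size - 1 > hi:            # shrink until the block fits the range
            size >>= 1
        blocks.append((str(IPv4Address(lo)), str(IPv4Address(size - 1))))
        lo += size
    return blocks


def range_statements(acl: int, action: str, first: str, last: str,
                     dst_network: str, dst_wildcard: str) -> list[str]:
    """Emit one numbered extended-ACL statement per block for the source range."""
    return [f"access-list {acl} {action} ip {net} {wild} {dst_network} {dst_wildcard}"
            for net, wild in wildcard_blocks(first, last)]


if __name__ == "__main__":
    # Problem #9: the .0-.31 block of 192.168.125.0 is aligned, so one statement
    for line in range_statements(145, "deny", "192.168.125.0", "192.168.125.31",
                                 "192.168.195.0", "0.0.0.255"):
        print(line)
    # Problem #12: .8 through .127 is not aligned, so it takes four statements
    # (the answer key reaches the same effect with permit .0-.7 then deny .0-.127)
    for line in range_statements(160, "deny", "172.22.75.8", "172.22.75.127",
                                 "172.18.50.0", "0.0.0.255"):
        print(line)
```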
[Diagram labels: Celeste's Computer 172.16.70.145; Denise's Computer 192.168.88.204; FA0; FA1; Router A; Bob's Computer 172.16.70.155; Peggy's Computer 192.168.88.200; 172.16.70.1; 192.168.88.1; Router B; S0; S1; 10.250.4.0; 10.250.1.0; FA1; FA0]
Write an extended access list to permit the first 63 usable addresses in the 192.168.88.0 network to reach the lower half of the addresses in the 172.16.70.0 network; but not the upper half. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Extended Access List Problem #13 Deny/Permit a Range of Addresses
Router Name: Router B; Interface: FA1; Access-list #: 165 (100-199)
access-list 165 permit ip 192.168.88.0 0.0.0.63 172.16.70.0 0.0.0.127
53
Write an extended access list to deny the addresses from 10.250.1.0 through 10.250.1.63 from sending data to Denise's computer. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start
Extended Access List Problem #14 Deny/Permit a Range of Addresses
Router Name: Router A; Interface: FA1; Access-list #: 170 (100-199)
access-list 170 deny ip 10.250.1.0 0.0.0.63 host 192.168.88.204
or access-list 170 deny ip 10.250.1.0 0.0.0.63 192.168.88.204 0.0.0.0
access-list 170 permit ip any any
[Diagram labels: 192.168.207.26; E0; Router A; Web Server 192.168.207.27; Web Server 210.128.50.11]
Write an extended access list to deny HTTP traffic intended for web server 192.168.207.27, but will permit all other HTTP traffic to reach only the 192.168.207.0 network. Deny all other IP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 198
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 198 deny tcp any 192.168.207.27 0.0.0.0 eq www
or access-list 198 deny tcp any host 192.168.207.27 eq www
Router(config)# access-list 198 permit tcp any 192.168.207.0 0.0.0.255 eq www
Router(config)# interface e0
Router(config-if)# ip access-group 198 in
Router(config-if)# exit
Router(config)# exit
[Diagram labels: 192.168.207.25; S0; S1; 210.128.50.10; E1; Router B]
[Viewing information about existing ACL's]
Router# show configuration (This will show which access groups are associated with particular interfaces)
Router# show access list 198 (This will show detailed information about this ACL)
54
Extended Access List Sample #7 Deny/Permit Port Numbers
[Diagram label: 210.128.50.12]
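As an added example that is not part of the workbook, the code below parses the two ACL 198 statements from Sample #7 and checks constructed packets against them in order, showing the first-match rule, the implicit deny at the end of every list, and that "host A.B.C.D" and "A.B.C.D 0.0.0.0" parse to the same thing. The parser, the PORT_NAMES table and the sample packets (including the source port 40000) are constructed here; the statements and host addresses come from the page.

```python
"""Walk an extended ACL top to bottom the way a router does.

Added example for Sample #7; not part of the workbook. The parser, PORT_NAMES,
the sample packets and source port 40000 are constructed here; the two ACL 198
statements and the 192.168.207.x / 210.128.50.11 addresses come from the page.
"""
from __future__ import annotations

from ipaddress import IPv4Address

# Port keywords used on this page and the numbers IOS substitutes for them
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "tftp": 69}


def _ip(text: str) -> int:
    return int(IPv4Address(text))


def _parse_endpoint(tokens: list[str]) -> tuple[int, int]:
    """Consume one address specifier and return (network, wildcard) as ints.

    The spellings shown on the page are equivalent:
    'any' == '0.0.0.0 255.255.255.255' and 'host A.B.C.D' == 'A.B.C.D 0.0.0.0'.
    """
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(word), _ip(tokens.pop(0))


def _parse_port(tokens: list[str]) -> int | None:
    """Consume an optional 'eq <number|name>' and return the port, else None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return int(port) if port.isdigit() else PORT_NAMES[port]
    return None


def parse_statement(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
    src, sport = _parse_endpoint(rest), _parse_port(rest)
    dst, dport = _parse_endpoint(rest), _parse_port(rest)
    return {"acl": number, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _wild_match(addr: int, network: int, wildcard: int) -> bool:
    care = wildcard ^ 0xFFFFFFFF          # 1 bits in the wildcard are ignored
    return (addr & care) == (network & care)


def evaluate(acl: list[dict], packet: tuple) -> tuple[str, int | None]:
    """Return (verdict, index of the matching statement) for one packet.

    packet = (proto, src_ip, src_port, dst_ip, dst_port). The first matching
    statement wins; a packet matching nothing hits the implicit deny (index None).
    """
    proto, src, sport, dst, dport = packet
    for i, st in enumerate(acl):
        if st["proto"] not in ("ip", proto):
            continue
        if not _wild_match(_ip(src), *st["src"]) or not _wild_match(_ip(dst), *st["dst"]):
            continue
        if st["sport"] is not None and st["sport"] != sport:
            continue
        if st["dport"] is not None and st["dport"] != dport:
            continue
        return st["action"], i
    return "deny", None


# ACL 198 exactly as written in Sample #7
ACL_198 = [parse_statement(line) for line in (
    "access-list 198 deny tcp any host 192.168.207.27 eq www",
    "access-list 198 permit tcp any 192.168.207.0 0.0.0.255 eq www",
)]

# Constructed packets from the 210.128.50.11 server toward the 192.168.207.0 network
SAMPLE_PACKETS = [
    ("tcp", "210.128.50.11", 40000, "192.168.207.27", 80),    # statement 0: deny
    ("tcp", "210.128.50.11", 40000, "192.168.207.26", 80),    # statement 1: permit
    ("tcp", "210.128.50.11", 40000, "192.168.207.26", 22),    # no match: implicit deny
    ("icmp", "210.128.50.11", None, "192.168.207.26", None),  # no match: implicit deny
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", evaluate(ACL_198, pkt))
```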
Write an extended access list to permit pings in either direction between hosts on the 210.128.50.0 and 192.168.207.0 networks. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 134
[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 134 permit icmp 210.128.50.0 0.0.0.255 192.168.207.0 0.0.0.255 echo-reply
Router(config)# interface e0
Router(config-if)# ip access-group 134 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start
Extended Access List Sample #8 Deny/Permit Port Numbers
[Disabling ACL's]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 134 out
Router(config-if)# exit
Router(config)# exit
[Removing an ACL]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 134 out
Router(config-if)# exit
Router(config)# no access-list 134
Router(config)# exit
55
Write an extended access list to permit Denise's and Bob's computers to telnet into Router B. Deny all other telnet traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router B
Interface: line VTY 0 4
Access-list #: 45
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 45 permit 192.168.33.214 0.0.0.0
or access-list 45 permit host 192.168.33.214
Router(config)# access-list 45 permit 192.30.76.155 0.0.0.0
or access-list 45 permit host 192.30.76.155
Router(config)# line vty 0 4
Router(config-line)# ip access-class 45 in
Router(config-line)# exit
Router(config)# exit
[Viewing information about existing ACL's]
Router# show configuration (This will show which access groups are associated with particular interfaces)
Router# show access list 45 (This will show detailed information about this ACL)
Standard Access List Sample #9 Deny/Permit Telnet
56
[Diagram labels: Celeste's Computer 192.30.76.145; Denise's Computer 192.168.33.214; E0; E1; Router A; Bob's Computer 192.30.76.155; Peggy's Computer 192.168.33.210; 172.20.70.1; 192.168.33.1; Router B; S0; S1; 172.16.16.0; 10.250.4.0; E1; E0]
(Using line VTY 0 4 instead of an interface like E1 allows you to apply this access list to all VTY lines with one statement.)
Write an extended access list to deny FTP to IP addresses 192.30.76.0 through 192.30.76.13. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 155
[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 155 deny tcp any 192.30.76.0 0.0.0.13 eq ftp
Router(config)# access-list 155 permit tcp any any
or access-list 155 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface e0
Router(config-if)# ip access-group 155 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start
Extended Access List Sample #10 Deny/Permit Port Numbers
[Disabling ACL's]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 155 out
Router(config-if)# exit
Router(config)# exit
[Removing an ACL]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 155 out
Router(config-if)# exit
Router(config)# no access-list 155
Router(config)# exit
57
58
[Diagram labels: Jackie's Computer 172.16.125.1; Jennifer's Computer 192.128.45.35; E0; FA1; Router A; Bill's Computer 192.128.45.33; 172.16.70.1; 192.128.45.8; Router B; S0; S1; 10.250.8.0; 10.250.2.0; E1; FA0]
Write an extended access list to permit ICMP traffic from the 192.128.45.0 network to reach the 172.16.125.0 255.255.255.0 and 10.250.2.0 255.255.255.0 networks. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Extended Access List Problem #15 Deny/Permit Port Numbers
Router Name: Router B; Interface: FA1; Access-list #: 175 (100-199)
access-list 175 permit icmp 192.128.45.0 0.0.0.255 172.16.125.0 0.0.0.255
access-list 175 permit icmp 192.128.45.0 0.0.0.255 10.250.2.0 0.0.0.255
59
Write a named extended access list called "Peggys_Lab" to deny telnet from 10.250.8.0 through 10.250.8.127 from reaching the 192.128.45.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list Name: ________________________
[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start
Extended Access List Problem #16 Deny/Permit Port Numbers
Router Name: Router B; Interface: FA0; Access-list Name: Peggys_Lab
ip access-list extended Peggys_Lab
deny tcp 10.250.8.0 0.0.0.127 192.128.45.0 0.0.0.255 eq 23
permit tcp any any
Write an access list to permit Becky's and Mary's computers to telnet into Router B. Deny all other telnet traffic from the 172.60.18.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
[Diagram labels: Web Server #2 203.194.100.101; Mary's Computer 172.60.18.142; FA0; FA1; Router A; Web Server #1 203.194.100.102; Becky's Computer 172.60.18.140; 203.194.100.1; 172.60.18.1]
Access List Problem #17 Deny/Permit Port Numbers
[Diagram labels: Router B; S0; S1]
60
[Diagram labels: 204.250.10.0; S0]
Router Name: Router B; Interface: line vty 0 4; Access-list #: 50 (1-99)
access-list 50 permit 172.60.18.140
or access-list 50 permit host 172.60.18.140
or access-list 50 permit 172.60.18.140 0.0.0.0
access-list 50 permit 172.60.18.142
or access-list 50 permit host 172.60.18.142
or access-list 50 permit 172.60.18.142 0.0.0.0
Write an extended access list to deny all HTTP traffic intended for the web server at 203.194.100.102. Permit HTTP traffic to any other web servers. Deny all other IP traffic to the 203.194.100.0 network. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start
Extended Access List Problem #18 Deny/Permit Port Numbers
61
Router Name: Router A; Interface: FA0; Access-list #: 185 (100-199)
access-list 185 deny tcp any host 203.194.100.102 eq 80
or access-list 185 deny tcp any 203.194.100.102 0.0.0.0 eq 80
access-list 185 permit tcp any any eq 80
Write an access list to permit TFTP traffic to all hosts on the 192.168.15.0 network. Deny all other TFTP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
62
Access List Problem #19 Deny/Permit Port Numbers
[Diagram labels: Web Server #1 192.168.15.125; Gail's Computer 172.23.50.197; E0; Router A; Bobbie's Computer 192.168.15.82; Web Server #2 172.23.50.196; 192.168.15.25; S0; S1; 172.23.50.195; E1; Router B; E1; 192.172.10.0]
Router Name: Router A; Interface: E0; Access-list #: 190 (100-199)
access-list 190 permit udp any 192.168.15.0 0.0.0.255 eq tftp
Write an extended access list that permits web traffic from web server #2 at 172.23.50.196 to reach everyone on the 192.168.15.0 network. Deny all other IP traffic going to the 192.172.10.0 and 192.168.15.0 networks. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ________________________
Interface: ________________________
Access-list #: ________________________
[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group ____________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start
63
Extended Access List Problem #20 Deny/Permit Port Numbers
Router Name: Router B; Interface: E1; Access-list #: 195 (100-199)
access-list 195 permit tcp host 172.23.50.196 192.168.15.0 0.0.0.255 eq 80
or access-list 195 permit tcp 172.23.50.196 0.0.0.0 192.168.15.0 0.0.0.255 eq 80
Optional ACL Commands & Other Network Security Ideas
In order to reduce the chance of spoofing from outside your network, consider adding the following statements to your network's inbound access list.
router# config t
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
router(config)# access-list 100 deny ip 172.16.0.0 0.0.255.255 any
router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
router(config)# access-list 100 deny ip 224.0.0.0 31.255.255.255 any
router(config)# access-list 100 deny ip your-subnet-# your-subnet-mask-# any
router(config)# access-list 100 deny igmp any any
router(config)# access-list 100 deny icmp any any redirect
router(config)# access-list 100 permit ip any any
router(config)# interface e0 (or whatever your inbound port is)
router(config-if)# ip access-group 100 in
router(config-if)# exit
router(config)# exit
Another handy security tool is to only allow IP packets out of your network that carry your own source address.
router# config t
router(config)# access-list 100 permit ip your-subnet-# your-subnet-mask-# any
router(config)# interface e0 (or whatever your outbound port is)
router(config-if)# ip access-group 100 out
router(config-if)# exit
router(config)# exit
To keep packets with unreachable destinations from entering your network, add this command:
ip route 0.0.0.0 0.0.0.0 Null0 255
To protect against smurf and other attacks, add the following commands to every external interface:
no ip directed-broadcast
no ip source-route
fair-queue
scheduler interval 500
64
Index / Table of Contents
Access-List Numbers ... Inside Cover
What are Access Control Lists? ... 1
General Access Lists Information ... 1
How routers use Access Lists ... 1
Standard Access Lists ... 2
Why Standard ACLs must be placed close to the destination ... 2
Standard Access List Placement Sample Problems ... 3
Standard Access List Placement Problems ... 4-5
Extended Access Lists ... 6
Why Extended ACLs must be placed close to the destination ... 6
Extended Access List Placement Sample Problems ... 7
Extended Access List Placement Problems ... 8-9
Choosing to Filter Incoming or Outgoing Packets ... 10
Breakdown of a Standard ACL Statement ... 10
Breakdown of an Extended ACL Statement ... 11
What are Named Access Control Lists ... 12
Named Access Lists Information ... 12
Applying a Standard Named Access List called "George" ... 12
Applying an Extended Named Access List called "Gracie" ... 13
Choices for Using Wildcard Masks ... 14-15
Creating Wildcard Masks ... 16
Wildcard Mask Problems ... 18-20
Writing Standard Access Lists ... 21-32
Writing Extended Access Lists ... 33-63
    Deny/Permit Specific Addresses ... 33-39
    Deny/Permit Entire Ranges ... 40-45
    Deny/Permit a Range of Addresses ... 46-53
    Deny/Permit Port Numbers ... 54-63
Optional ACL Commands ... 64
Index / Table of Contents ... 65
Port Numbers ... 66-Inside Cover
65
Port Numbers
Some commonly used port numbers:
0 Reserved
1 TCPMUX (TCP Port Service Multiplexer)
5 RJE (Remote Job Entry)
7 ECHO
9 DISCARD
11 SYSTAT (Active users)
13 DAYTIME
17 QUOTE (Quote of the day)
18 MSP (Message Send Protocol)
19 CHARGEN (Character generator)
20 FTP-DATA (File Transfer Protocol - Data)
21 FTP (File Transfer Protocol - Control)
22 SSH (Remote Login Protocol)
23 Telnet (Terminal Connection)
25 SMTP (Simple Mail Transfer Protocol)
29 MSG ICP
37 TIME
39 RLP (Resource Location Protocol)
42 NAMESERV (Host Name Server)
Port numbers are now assigned by the ICANN (Internet Corporation for Assigned Names and Numbers). Commonly used TCP and UDP applications are assigned a port number, such as HTTP - 80, POP3 - 110, FTP - 20. When an application communicates with another application on another node on the internet, it specifies that application in each data transmission by using its port number. You can also type the name (i.e., Telnet) instead of the port number (i.e., 23). Port numbers range from 0 to 65536 and are divided into three ranges:
Below is a short list of some commonly used ports. For a complete list of port numbers go to http://www.iana.org/assignments/port-numbers.
0 to 1,023: Well Known Ports
1,024 to 49,151: Registered Ports
49,152 to 65,535: Dynamic and/or Private Ports
66
Inside Cover
43 NICNAME (Who Is)
49 LOGIN (Login Host Protocol)
53 DNS (Domain Name Server)
67 BOOTP (Bootstrap Protocol Server)
68 BOOTPS (Bootstrap Protocol Client)
69 TFTP (Trivial File Transfer Protocol)
70 GOPHER (Gopher Services)
75 (Any Private Dial-out Service)
79 FINGER
80 HTTP (Hypertext Transfer Protocol)
95 SUPDUP (SUPDUP Protocol)
101 HOSTNAME (NIC Host Name Server)
108 SNAGAS (SNA Gateway Access Server)
109 POP2 (Post Office Protocol - Version 2)
110 POP3 (Post Office Protocol - Version 3)
113 AUTH (Authentication Service)
115 SFTP (Simple File Transfer Protocol)
117 UUCP-PATH (UUCP Path Service)
118 SQLSERV (SQL Services)
119 NNTP (Newsgroup)
123 NTP (Network Time Protocol)
137 NetBIOS-NS (NetBIOS Name Service)
139 NetBIOS-SSN (NetBIOS Session Service)
143 IMAP (Interim Mail Access Protocol)
150 SQL-NET (NetBIOS Session Service)
156 SQLSRV (SQL Service)
161 SNMP (Simple Network Management Protocol)
179 BGP (Border Gateway Protocol)
190 GACP (Gateway Access Control Protocol)
194 IRC (Internet Relay Chat)
197 DLS (Directory Location Service)
389 LDAP (Lightweight Directory Access Protocol)
396 NETWARE-IP (Novell Netware over IP)
443 HTTPS (HTTP MCom)
444 SNPP (Simple Network Paging Protocol)
445 Microsoft-DS
458 Apple QuickTime
546 DHCP Client
547 DHCP Server
563 SNEWS
569 MSN
