Access List Tutorial
In this tutorial we will learn about access lists.
Access control lists (ACLs) provide a means to filter packets by allowing an administrator to permit or deny IP packets crossing specified interfaces. Imagine you come to a fair and see the guard checking tickets. He only allows people with suitable tickets to enter. An access list's function is the same as that guard's.
Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router’s interfaces based on the criteria you specified within the access list.
To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.
Standard IP Access List
Standard IP lists (1-99) only check the source address of IP packets.
Configuration Syntax
access-list access-list-number {permit | deny} source [source-wildcard]
Apply ACL to an interface
ip access-group access-list-number {in | out}
Example of Standard IP Access List
Configuration:
In this example we will define a standard access list that only allows network 10.0.0.0/8 to reach the server (located behind the Fa0/1 interface).
Define which source is allowed to pass:
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
(there is always an implicit deny all other traffic at the end of each ACL so we don’t need to define forbidden traffic)
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
ACL 1 is applied so that only packets sourced from 10.0.0.0/8 can leave Fa0/1; everything else is dropped by the implicit deny. Could we apply this ACL to another interface, Fa0/2 for example? We could, but we should not: the ACL would then filter traffic leaving Fa0/2, while the server on Fa0/1 would still be reachable through any other interface (s0, for example). This is why a standard access list, which can only match on the source address, should be applied as close to the destination as possible.
Note: "0.255.255.255" is the wildcard mask for network "10.0.0.0" (it is the bitwise inverse of the 255.0.0.0 subnet mask). We will learn how to use wildcard masks later.
Extended IP Access List
Extended IP lists (100-199) check both source and destination addresses, the protocol (IP, TCP, UDP and others), and TCP/UDP destination ports.
Configuration Syntax
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [eq destination-port]
Example of Extended IP Access List
In this example we will create an extended ACL that denies FTP traffic from network 10.0.0.0/8 to the server but allows all other traffic to go through.
Note: FTP uses TCP port 21 for the control connection and port 20 for active-mode data; passive-mode data connections use a dynamic port on the server, so it is the port 21 entry that actually prevents a session from being set up.
Define which protocol, source, destination and port are denied:
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any) because of the implicit "deny all" at the end of every ACL: without that line, ACL 101 would block all traffic leaving Fa0/1, not just FTP from 10.0.0.0/8.
As we can see, the destination of the access list above is "187.100.1.6 0.0.0.0", which specifies a single host. We can write "host 187.100.1.6" instead. Wildcard masks are discussed later.
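To make the two configurations above (standard ACL 1 and extended ACL 101) testable without a router, here is an added example, not code from the 9tut page: a small Python evaluator that mimics how IOS applies a numbered ACL, including wildcard-mask matching, first-match order, the implicit deny, and the fact that an outbound ACL only filters packets leaving the interface it is bound to. The packets and the interface names Fa0/1 and Fa0/2 are constructed for the demonstration.

```python
# Added example (not from the original page): simulate Cisco IOS ACL evaluation
# for the standard and extended lists in the tutorial. Packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # "any" = base 0.0.0.0 with an all-ones wildcard


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix, e.g. 8 -> '0.255.255.255' (inverse of the subnet mask)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must equal the base address; a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class ACE:
    """One access-list entry. A standard ACL only sets action, src and src_wc."""
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    protocol: str = "ip"              # "ip" matches every protocol
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    eq_port: Optional[int] = None     # destination port, tcp/udp only


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dport: Optional[int] = None


def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if ace.eq_port is not None and pkt.dport != ace.eq_port:
        return False
    return (wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc))


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def forwarded(pkt: Packet, egress: str, out_bindings: Dict[str, List[ACE]]) -> bool:
    """'ip access-group <n> out': only packets leaving a bound interface are filtered."""
    acl = out_bindings.get(egress)
    return acl is None or evaluate(acl, pkt) == "permit"


SERVER = "187.100.1.6"

# access-list 1 permit 10.0.0.0 0.255.255.255
ACL1 = [ACE("permit", "10.0.0.0", wildcard_from_prefix(8))]

# access-list 101 deny tcp 10.0.0.0 0.255.255.255 host 187.100.1.6 eq 21
# access-list 101 deny tcp 10.0.0.0 0.255.255.255 host 187.100.1.6 eq 20
# access-list 101 permit ip any any
ACL101 = [
    ACE("deny", "10.0.0.0", "0.255.255.255", "tcp", SERVER, "0.0.0.0", 21),
    ACE("deny", "10.0.0.0", "0.255.255.255", "tcp", SERVER, "0.0.0.0", 20),
    ACE("permit", *ANY),
]


if __name__ == "__main__":
    print("ACL 1, 10.1.2.3  ->", evaluate(ACL1, Packet("10.1.2.3", SERVER)))      # permit
    print("ACL 1, 192.168.1.5 ->", evaluate(ACL1, Packet("192.168.1.5", SERVER)))  # deny (implicit)
    print("ACL 101, FTP from 10/8 ->", evaluate(ACL101, Packet("10.5.5.5", SERVER, "tcp", 21)))
    print("ACL 101, HTTP from 10/8 ->", evaluate(ACL101, Packet("10.5.5.5", SERVER, "tcp", 80)))
    # Misplaced standard ACL: bound out Fa0/2, the server behind Fa0/1 is still reachable.
    print("ACL 1 on Fa0/2, packet out Fa0/1 forwarded:",
          forwarded(Packet("192.168.1.5", SERVER), "Fa0/1", {"Fa0/2": ACL1}))
```

The `forwarded()` check is the point made in the standard ACL section: binding ACL 1 outbound on Fa0/2 leaves every other egress interface unfiltered, so the server behind Fa0/1 is still reachable from any source. Dropping the final `permit ip any any` from `ACL101` makes every non-matching packet fall through to the implicit deny, which is the mistake the extended ACL note warns about.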
In summary, the number ranges of standard and extended access lists are:
Access list type | Range
Standard         | 1-99, 1300-1999
Extended         | 100-199, 2000-2699
kindly send me latest dumps on ahmedelhaw92@gmail.com
I think the extended ACL is supposed to be on interface Fa0/0.
Hi, please send me latest dump. Appreciated and have a nice day
please send to libtnt4e@gmail.com “Tom”
Give me an example of where I should use the ip protocol in a standard ACL.
Hi, could you please send me latest dumps on eliasfotopoulos@yahoo.com thank you
This access list should be applied to Fa0/0 to deny only the 10.0.0.0/8 network.
Currently it denies all networks from accessing FTP on the server.
please kind send the latest dump on bashiru56@yahoo.fr
M.Shag,
You are wrong. You could apply it to Fa0/0 and it would still work, though. The first 2 statements deny the FTP traffic from 10.0.0.0/8. The permit ip any any allows all other traffic no matter what interface you apply it to. If that statement were missing then you would be correct.
please send me VCE player 1.3 and 1.2 at arsalanafridi90@gmail.com
Hi Everyone;
Actually I have downloaded the latest dumps from http://www.examcollection.com but there is a problem with the VCE simulator. It does not support and is not compatible with the latest dumps version. Does anybody have the latest VCE setup? Please share it with me. Your help will be appreciated.
I have the working VCE, along with the examtut dumps (278 questions) from examcollection, which work on it. I paid for it, so if you want the VCE and the dumps then you have to pay a nominal fee. Contact me.
email:safridi1993@yahoo.com
Is there any explanation of wildcards?
The explanation above is not clear.
I'm preparing for the CCNA exam. Kindly suggest to me which dumps would be better, or whether studying 9tut is enough to pass the exam.
Please help me. If you have any dumps, please send them to my ID: arshada62@gmail.com
Hi 9tut can i have latest dups and VCE
jovialwhisper@hotmail.com
dumps*
Kindly send the latest dumps of ICND1 to salman.abdullahi@alfalah-technology.com
somebody please send dumps to me ahmed-531@hotmail.com
hello all,
I hope all is well.
This is Ahmad. Kindly, can you share with me the latest dumps? I need them for free if possible. I have the exam in 3 days, so if somebody reads this, do not hesitate to send them.
thanks
Dear all,
I hope all are well. Kindly, can you share with me the latest dumps? I need them, so if somebody reads this, do not hesitate to send them to shann_daw@hotmail.com
thanks
Technically there are only two types. Named is a subset.
Dear Sir,
Kindly send latest dumps on my email id
please send me latest dumps on my email ID- iftakharjahan05@gmail.com
Hi everyone, please give me the dumps. I am going to take the exam next week and I am not ready without your help.
this is my email aborwdhi@gmail.com
Hi everyone,
Can someone please help with latest version of vce?
I don’t have money to pay for it.
Please help. Am writing CCNA on 30 May.
mawulikplim-aa@yahoo.com
Hi everyone,
Can someone please help with latest version of vce?
I don’t have money to pay for it.
Please help. Am writing CCNA on 26 May
Thank you 9tut for wonderful materials! I like it better than official study guide from Cisco. For example I have a Wendell Odom book /which is nice too/, but to get info from this book I have to read ten times more than here. Your guides are straightforward, clearly explained without any unimportant ballast.