
Access List Tutorial

February 13th, 2011

Named IP Access List

This allows standard and extended ACLs to be given names instead of numbers.


Named IP Access List Configuration Syntax

ip access-list {standard | extended} {name | number}

Example of Named IP Access List

This example uses a named ACL to block all traffic except a Telnet connection from host 10.0.0.1/8 to host 187.100.1.6.

[Figure: Named_ACL_Example1.jpg]

Define the ACL:

Router(config)#ip access-list extended in_to_out

Router(config-ext-nacl)#permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet

(notice that we can use ‘telnet’ instead of port 23; the ip access-list command drops us into named-ACL configuration mode, where each entry is typed on its own line, and every packet not matched by this single permit entry is dropped by the implicit deny at the end of the list)

Apply this ACL to an interface:

Router(config)#interface Fa0/0

Router(config-if)#ip access-group in_to_out in

Where to place an access list?

Standard IP access lists should be placed close to the destination, because they filter on the source address only; placed near the source they would block that source from reaching every destination, not just the one intended.

Extended IP access lists should be placed close to the source, because they can match on source, destination, protocol and port, so unwanted traffic is dropped before it crosses the network.

How many access lists can be used?

You can have one access list per protocol, per direction and per interface. For example, you cannot have two IP access lists in the inbound direction of interface Fa0/0. However, you can have one inbound and one outbound access list applied on Fa0/0.

How to use the wildcard mask?

Wildcard masks are used with access lists to specify a host, network or part of a network.

The zeros and ones in a wildcard mask determine whether the corresponding bits of the IP address are checked or ignored for ACL purposes. For example, suppose we want to create a standard ACL which only allows network 172.23.16.0/20 to pass through. We would like to write an ACL something like this:

access-list 1 permit 172.23.16.0 255.255.240.0

Of course we can’t write a subnet mask in an ACL; we must convert it into a wildcard mask by flipping every 0 bit to 1 and every 1 bit to 0:

255 = 1111 1111 -> convert into 0000 0000

240 = 1111 0000 -> convert into 0000 1111

0 = 0000 0000 -> convert into 1111 1111

Therefore 255.255.240.0 can be written in wildcard mask as 00000000.00000000.00001111.11111111 = 0.0.15.255

Remember, for the wildcard mask, 1’s are I DON’T CARE and 0’s are I CARE. Now let’s analyze our wildcard mask.

The first two octets are all 0’s, meaning that we care about the whole value, so the network must be 172.23.x.x. The third octet, 15 (0000 1111 in binary), means that we care about the first 4 bits but don’t care about the last 4 bits, so we allow the third octet in the form 0001xxxx (minimum: 00010000 = 16; maximum: 00011111 = 31).

[Figure: wildcard_mask.jpg]


The fourth octet is 255 (all 1 bits), which means I don’t care: any value from 0 to 255 matches.

Therefore network 172.23.16.0 0.0.15.255 ranges from 172.23.16.0 to 172.23.31.255.

Some additional examples:

+ Block TCP packets with destination port 30 from any source to any destination (the eq 30 placed after the destination matches the destination port):

Router(config)#access-list 101 deny tcp any any eq 30

+ Permit any IP packets from network 192.23.130.128 with subnet mask 255.255.255.248 (wildcard mask 0.0.0.7) to any network:

Router(config)#access-list 101 permit ip 192.23.130.128 0.0.0.7 any

Apply the access control list to an interface:

Router(config)#interface fastEthernet0/0

Router(config-if)#ip access-group 101 in
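The wildcard arithmetic above and the two-entry ACL 101 can be checked in code. The following Python is an added example, not part of the tutorial or Cisco IOS: it inverts a subnet mask into a wildcard, computes the address range a network/wildcard pair covers, and walks ACL 101 top-down with the implicit deny at the end. The packet tuples and the ACL entry format are constructed for this illustration.

```python
import ipaddress

def wildcard_from_mask(mask: str) -> str:
    """Invert a dotted subnet mask into an ACL wildcard mask (1 bits -> 0, 0 bits -> 1)."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_range(network: str, wildcard: str) -> tuple:
    """Lowest and highest address matched by network/wildcard.
    Wildcard 1 bits are 'don't care', so the block runs from the network
    with those bits cleared up to the network with those bits set."""
    net, wc = _to_int(network), _to_int(wildcard)
    low = net & ~wc & 0xFFFFFFFF
    high = net | wc
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True when every 'I care' bit (wildcard 0) of addr equals the network's bit."""
    wc = _to_int(wildcard)
    return (_to_int(addr) & ~wc) == (_to_int(network) & ~wc)

ANY = ("0.0.0.0", "255.255.255.255")   # what the IOS keyword 'any' expands to

# Extended ACL 101 from the tutorial, in entry order (constructed encoding):
#   access-list 101 deny   tcp any any eq 30
#   access-list 101 permit ip  192.23.130.128 0.0.0.7 any
# Each entry: (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port)
ACL_101 = [
    ("deny", "tcp", *ANY, *ANY, 30),
    ("permit", "ip", "192.23.130.128", "0.0.0.7", *ANY, None),
]

def evaluate(acl, proto: str, src: str, dst: str, dst_port=None) -> str:
    """Walk the ACL top-down; the first matching entry wins.
    As on IOS, a packet matching no entry hits the implicit 'deny' at the end."""
    for action, p, s, s_wc, d, d_wc, port in acl:
        if p != "ip" and p != proto:                  # 'ip' matches every protocol
            continue
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if port is not None and port != dst_port:     # 'eq <port>' after dst = dest port
            continue
        return action
    return "deny"   # implicit deny any any

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.240.0"), wildcard_range("172.23.16.0", "0.0.15.255"))
    print(evaluate(ACL_101, "tcp", "192.23.130.130", "10.1.1.1", 30))
```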

Comments (378)
  1. Ahmed
    January 8th, 2015

    Kindly send me the latest dumps at ahmedelhaw92@gmail.com

  2. Efrem
    February 19th, 2015

    I think the extended one is supposed to be on interface Fa0/0.

  3. Tom
    February 27th, 2015

    Hi, please send me the latest dump. Appreciated, and have a nice day.

  4. Tom
    February 27th, 2015

    please send to libtnt4e@gmail.com “Tom”

  5. Anonymous
    March 2nd, 2015

    Give me an example of where I should use the ip protocol in a standard ACL.

  6. Elias Fotopoulos
    March 4th, 2015

    Hi, could you please send me latest dumps on eliasfotopoulos@yahoo.com thank you

  7. M.Shag
    March 18th, 2015

    This access list should be applied to Fa0/0 to deny only the 10.0.0.0/8 network.
    Currently it denies all networks from accessing FTP on the server.

  8. bashir
    March 19th, 2015

    Please kindly send the latest dump to bashiru56@yahoo.fr

  9. Sean
    April 7th, 2015

    M.Shag,

    You are wrong. You could apply it to Fa0/0 and it would still work, though. The first 2 statements deny the FTP traffic from 10.0.0.0/8. The permit ip any any allows all other traffic no matter what interface you apply it to. If that statement were missing then you would be correct.

  10. Arsalan
    April 17th, 2015

    please send me VCE player 1.3 and 1.2 at arsalanafridi90@gmail.com

  11. Aaliya Shaheen
    April 21st, 2015

    Hi Everyone;
    Actually I have downloaded the latest dumps from http://www.examcollection.com but there is a problem with the VCE simulator. It does not support, and is not compatible with, the latest dumps version. Does anybody have the latest VCE setup? Please share it with me. Your help will be appreciated.

  12. afridi
    April 21st, 2015

    I have the working vce, along with the examtut dumps (278 questions) from examcollection, which work on it. I paid for it, so if u want the vce and the dumps then u have to pay a nominal fee. Contact me…
    email:safridi1993@yahoo.com

  13. shoogn
    April 22nd, 2015

    Is there any explanation of the wildcard?
    The explanation above is not clear.

  14. Anonymous
    April 24th, 2015

    I’m looking at the CCNA exam. Kindly suggest to me which dumps will be better, or whether studying 9tut is enough to complete the exam.

    Please help me, If you have any dumps please send me to my ID- arshada62@gmail.com

  15. Guest
    April 27th, 2015

    Hi 9tut, can I have the latest dups and VCE?

    jovialwhisper@hotmail.com

  16. Guest
    April 27th, 2015

    dumps*

  17. Salman
    April 27th, 2015

    Kindly send the latest dumps of ICND1 to salman.abdullahi@alfalah-technology.com

  18. ahmad
    April 28th, 2015

    Somebody please send dumps to me: ahmed-531@hotmail.com

  19. Ahmad
    April 29th, 2015

    Hello all,

    I hope all is well.

    This is Ahmad. Kindly, can you share with me the latest dumps? I need them for free if possible. I have the exam in 3 days; if somebody reads this, do not hesitate to send it.

    thanks

  20. Shann
    May 2nd, 2015

    Dear all,

    I hope all are good. Kindly, can you share with me the latest dumps? I need them. If somebody reads this, do not hesitate to send it to shann_daw@hotmail.com

    thanks

  21. Coconutdog
    May 8th, 2015

    Technically there are only two types. Named is a subset.

  22. Mohammed Hussain Shareef
    May 8th, 2015

    Dear Sir,

    Kindly send latest dumps on my email id

  23. iftakhar jahan
    May 12th, 2015

    please send me latest dumps on my email ID- iftakharjahan05@gmail.com

  24. Anonymous
    May 13th, 2015

    Hi everyone, please give me the dumps. I am going to take the exam next week; please, I am not ready without your help.

  25. Anonymous
    May 13th, 2015

    this is my email aborwdhi@gmail.com

  26. Mawu
    May 14th, 2015

    Hi everyone,

    Can someone please help with latest version of vce?
    I don’t have money to pay for it.
    Please help. I am writing the CCNA on 30 May.
    mawulikplim-aa@yahoo.com

  27. Felipe
    May 19th, 2015

    Hi everyone,
    Can someone please help with latest version of vce?
    I don’t have money to pay for it.
    Please help. I am writing the CCNA on 26 May.

  28. Peter Peterson
    May 20th, 2015

    Thank you, 9tut, for the wonderful materials! I like it better than the official study guide from Cisco. For example, I have a Wendell Odom book (which is nice too), but to get info from this book I have to read ten times more than here. Your guides are straightforward and clearly explained, without any unimportant ballast.
