Cisco Access Control Lists (ACL)

The Cisco access control lists are not only used for packet filtering (a type of firewall) but also
for selecting types of traffic to be analyzed, forwarded, or influenced in some way.

Access Control List Types

As you create ACLs you assign a number to each list; each type of list is limited to an assigned
range of numbers.

1 - 99 or 1300 - 1999      Standard Access List (looks only at the source IP of a packet)
100 - 199 or 2000 - 2699   Extended Access List (able to look at the source IP, destination IP,
                           IP protocol, source TCP/UDP port and destination TCP/UDP port)
Name                       Named Access List

Know the principles of where each type should be applied:

Place IP standard access lists as close to the destination as possible.
Place IP extended access lists as close to the source as possible.

When to use a Standard ACL vs an Extended one

Standard ACL: All decisions are based on the source IP address. Standard access lists
permit or deny an entire suite of protocols. They don’t distinguish between the many types of
traffic such as www, Telnet, UDP etc.

You create a standard IP access list by using the access-list numbers 1-99 or 1300-1999
(expanded range). By using numbers 1-99 or 1300-1999, you’re telling the router that you want
to create a standard IP access list so that the router will expect syntax specifying the source IP
address in the conditional.

Extended ACL: Evaluates other fields in the Layer 3 and Layer 4 headers of an IP packet. Because
it can evaluate both source and destination IP addresses, an extended ACL is more granular and
can be configured to filter traffic by criteria such as

• Protocol (Network layer header)
• Port numbers (Transport layer header)
• State of the synchronize sequence number (SYN) bit

Once you create an access list it is inactive until it is applied. You need to apply it to an
interface on the router where the list is to filter traffic, and you also need to specify which
direction of traffic you want the access list applied to.

You can configure different access lists for inbound and outbound traffic on a single interface.

Standard IP Access Lists

A Standard Access List only allows you to permit or deny traffic from specific IP addresses. The
destination of the packet and the ports involved do not matter.

#access-list 10 permit 192.168.3.0 0.0.0.255

This access list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255.

You can see how the last field looks similar to a subnet mask, but Cisco ACLs use inverse
subnet masks (wildcard masks). Also realize that at the bottom of every access list there is an
implicit deny all which is not shown. For this reason you should always have at least one
permit statement in every access list (unless you really do want to stop all traffic passing
through an interface).

router#show access-list 10

Output

access-list 10 permit 192.168.3.0 0.0.0.255
access-list 10 deny any

Another Example

router(config)#interface e1
router(config-if)#ip access-group 1 in
router(config-if)#access-list 1 permit 172.16.1.1 0.0.0.0

This is a standard access list because it has an access list number identifier of 1. This access
list has been applied to the e1 interface in the in direction. The access list is looking for packets
matching a source IP address of 172.16.1.1 and permitting them to pass; all other
packets, which do not match, will be discarded.

We use the ip access-group command to bind the access list to an interface

router(config-if)#ip access-group number <direction in|out>

For example, to deny Host C from sending traffic to the WAN:

router(config)#access-list 10 deny 192.168.23.11
router(config)#access-list 10 permit any
router(config)#interface ethernet 0
router(config-if)#ip access-group 10 in

When traffic is sent to the router’s Ethernet interface the rules in access list 10 are processed;
if the traffic is sent by Host C the router drops the packets and stops processing the rules. The
rule access-list 10 permit any is included because of the implicit deny. There must be at least
one ‘permit’ rule, otherwise the protocol is completely disabled for the interface as soon as you
bind it.

Standard IP Access Lists

Standard IP access lists filter network traffic by examining the source IP address in a packet.

Lab A (config)#access-list 10         This number tells the router it is a standard access list.

Lab A (config)#access-list 10 ?       We then decide on a permit or deny statement.

Lab A (config)#access-list 10 deny ?

Hostname or a.b.c.d - address to match
Any – any source host or range
Host – a specific host

Lab A (config)#access-list 10 deny 172.16.30.2

This tells the list to deny packets from host 172.16.30.2.
The default is host, so the router assumes you mean host 172.16.30.2.

Standard Access List Example 1

How to stop specific users from gaining access to the finance LAN

This router has 3 LAN connections and one WAN connection to the Internet. Users on the
Sales LAN should not have access to the Finance LAN but they should be able to access the
Internet and the marketing department. The Marketing LAN needs to access the Finance LAN
for the applications.

On the Acme router, the following standard IP access list is configured.


Acme#config t
Acme(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Acme(config)#access-list 10 permit any

Remember, for the last line we could have used wildcard masking instead of the any keyword:

Acme(config)#access-list 10 permit 0.0.0.0 255.255.255.255

Because the wildcard mask says that none of the octets are to be evaluated, every address
matches the mask. So this is the same as using the any keyword.

At this point the access list is configured to deny source addresses from the Sales LAN and
allow everyone else. No action is taken until the access list is applied on an interface in a
specific direction. But where to place the access list?

If it is placed on E0 all Sales LAN devices will be denied access to all networks attached to the
router. The best place to apply this list is on the E1 interface as an outbound list, so that the
Sales LAN is denied access to the Finance LAN.
Remember: place standard access lists closest to the destination (target).

Acme(config)#int e1
Acme(config-if)#ip access-group 10 out

This stops traffic from 172.16.40.0 from getting out Ethernet 1. It has no effect on the hosts
from the Sales LAN accessing the Marketing LAN and the Internet, because traffic to those
destinations doesn’t go through interface E1.

So the full configuration is

Acme#config t
Acme(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Acme(config)#access-list 10 permit any
Acme(config)#int e1
Acme(config-if)#ip access-group 10 out

Standard Access List Example 2

You want to stop the Accounting users from accessing the HR server attached to Lab B router
but allow all other users access to the LAN. What standard access list would you create and
where would you place it?

The real answer is that you should use an extended access list and place it closest to the
source, but the question states you should use a standard access list.
Standard access lists are placed closest to the destination, in this example E0 outbound on the
Lab B router.

Here is the access list we should use.


RouterB#config t
RouterB(config)#access-list 10 deny 192.168.10.128 0.0.0.31
RouterB(config)#access-list 10 permit any
RouterB(config)#interface Ethernet 0
RouterB(config-if)#ip access-group 10 out

mask /27 = 11111111.11111111.11111111.11100000
inverse mask = 00000000.00000000.00000000.00011111 = 0.0.0.31

192.168.10.129/27 = /24 + 3 bits = 11100000 = 224, block size = 256 – 224 = 32
Net IDs: 0, 32, 64, 96, 128, 160
Host 192.168.10.129 is in the 128 subnet, so subnet = 192.168.10.128

Standard Access List Example 3

We have a router with 4 LAN connections and one WAN connection to the internet.
Create an access list that will stop access from each of the 4 LANs to the internet; you will need
to determine the subnets and wildcards used in the access list.

For the network on E0, host 172.16.144.17/19:

/16 + 3 bits = /19, 3 network bits = 11100000 = 224
Block size = 256 - 224 = 32
Net IDs: 0, 32, 64, 96, 128, 160; host 172.16.144.17/19 is in the .128 subnet

Subnet 172.16.128.0, wildcard mask = 0.0.31.255

Similarly the other subnets and wildcards are

172.16.48.0 0.0.15.255, 172.16.192.0 0.0.63.255, 172.16.88.0 0.0.7.255

So the access list is

Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#interface serial 0
Router(config-if)#ip access-group 1 out

Controlling VTY (Telnet) Access

To stop users telnetting into your routers you could create extended access lists that limit telnet
access to every IP address on the router, but these would need to be applied to every interface,
which wouldn’t scale well on large routers with hundreds of interfaces. A much better solution is
to use a standard access list to control access to the VTY lines; this means there is no need to
specify the telnet protocol, since access to the VTY implies terminal access.

1. Create a standard IP access list that permits only the host or hosts you want to be able to
telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.

Here we allow only host 172.16.10.3 to telnet into a router:

LabA(config)#access-list 50 permit 172.16.10.3
LabA(config)#line vty 0 4
LabA(config-line)#access-class 50 in

Because of the implied deny any at the end of the list, the access list stops any host from
telnetting into the router except the host 172.16.10.3

Extended Access Lists

In the standard access list example, we had to block all access from the Sales LAN to Finance.
If we needed to gain access to a server on the Finance LAN but not to other network
services, for security reasons we should use extended access lists, as these allow us to
make decisions based on both source and destination addresses. Extended access lists
also allow us to specify the protocol and port number that identify the upper layer protocol
or application.

LabA(config)#access-list ? extended number

LabA(config)#access-list 110 ?

At this point we need to decide the type of list entry:

deny      a specific packet
dynamic   specify a dynamic list of permits or denys
permit    specify packets to forward

LabA(config)#access-list 110 deny ?

To filter by application layer protocol, first choose the appropriate protocol (the IP protocol field):
eigrp, gre, icmp, igmp, igrp, ip, ospf, tcp, etc. Here we are going to filter an application layer
protocol that uses TCP; we will specify the specific TCP port later.

LabA(config)#access-list 110 deny tcp ?

Now choose the source IP address of the host or network; we can use the any keyword to
match any source address.

a.b.c.d   Source address
any       Any source host
host      A single source host

LabA(config)#access-list 110 deny tcp any ?

After selecting the source address, choose the destination address:

a.b.c.d   Destination address
any       Any destination host
eq        Match only packets on a given port number
gt        Match only packets with a greater port number
host      A single destination host
lt        Match only packets with a lower port number
neq       Match only packets not on a given port number
range     Match only packets in the range of port numbers

In the following example any source IP address that has a destination IP address of
172.16.30.2 has been denied.

LabA(config)#access-list 110 deny tcp any 172.16.30.2 ?

eq            Short for 'equal to': match only packets on a given port number
established   Match established connections
fragments     Check fragments
gt            Greater than: match only packets with a greater port number
log           Log matches against this entry
log-input     Log matches against this entry, including input interface
lt            Less than: match only packets with a lower port number
neq           Match only packets not on a given port number
precedence    Match packets with a given precedence value
range         Match only packets in an inclusive range of port numbers: after the keyword
              'range' put the first port in the range, a space, and then the last port

We can press enter here and leave the access list as is; this will stop all TCP traffic to host
172.16.30.2. To be more specific, choose the type of service, i.e. the port number / application or
protocol.

LabA(config)#access-list 110 deny tcp any 172.16.30.2 eq ?

<0-65535>   Port number
bgp         Border Gateway Protocol (179)
cmd         Remote commands (rcmd, 514)
domain      Domain Name Service (53)
ftp         File Transfer Protocol (21)
irc         Internet Relay Chat (194)
telnet      Telnet (23)
www         Internet (HTTP, 80)

Let's block Telnet (port 23) to host 172.16.30.2 only; if the users want to FTP, that is fine. The log
keyword causes a message to be logged every time the entry is matched. This is a handy way to
monitor inappropriate access attempts.

LabA(config)#access-list 110 deny tcp any 172.16.30.2 eq 23 log

You need to keep in mind that the next line is an implicit deny any by default. If you apply this
access list to an interface as it stands you might as well shut the interface down; you’ve got to
follow up the access list with the following command:

LabA(config)#access-list 110 permit ip any any

Remember any any is the same as

(0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

We now apply the access list to an interface:

LabA(config-if)#ip access-group 110 in
or
LabA(config-if)#ip access-group 110 out

Extended Access List 1

Now let's deny access to a host at 172.16.30.5 on the Finance LAN for both Telnet and FTP
services. All other services on this and all other hosts are acceptable for the sales and
marketing departments to access.

Acme#config t
Acme(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21
Acme(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23
Acme(config)#access-list 110 permit ip any any
Acme(config)#interface Ethernet 1
Acme(config-if)#ip access-group 110 out

The access-list 110 tells the router you are creating an extended IP access list. The tcp is the
protocol field in the network layer header. If the list doesn’t say tcp here you cannot filter by port
numbers 21 and 23 (FTP and Telnet; they both use TCP for connection-oriented services). The
any keyword is the source, which means any IP address, and the host is the destination IP
address.

After the list is created it needs to be applied to the Ethernet 1 interface outbound. This applies
the policy we created to all hosts and effectively blocks all FTP and Telnet access to
172.16.30.5 from outside the local LAN. If this list was created only to block access from the
Sales LAN, then you’d have put this list closer to the source, on Ethernet interface 0. Here,
you’d apply the list to inbound traffic.
Applying the list to interface E1 blocks all outside FTP and Telnet access to the host.

Extended Access List Example 2

Stop telnet access to the networks attached to the E1 and E2 interfaces.

Rtr(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Rtr(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Rtr(config)#access-list 110 permit ip any any
Rtr(config)#interface Ethernet 1
Rtr(config-if)#ip access-group 110 out
Rtr(config-if)#interface Ethernet 2
Rtr(config-if)#ip access-group 110 out

Note
1. The access list number used, 110, is in the range 100 – 199, which is correct for extended access lists.
2. The protocol parameter is tcp as telnet uses tcp; if tftp was stated then udp would be used.
3. The destination port number matches the application filtered, here port 23 for telnet.
4. The statement permit ip any any is important to have at the end of the list, to allow all
packets other than telnet packets destined for the LANs connected to E1 and E2.

172.16.50.173/20: /20, so the 3rd octet is the interesting octet, 4 bits borrowed, 11110000 = 240
Block size = 256 - 240 = 16
Net IDs: 0, 16, 32, 48, 64
50 is in the 48 subnet = 172.16.48.0; wildcard mask is 1 less than the block size = 0.0.15.255

172.16.198.94/18: /18, so the 3rd octet is the interesting one, 2 bits borrowed, 11000000 = 192
Block size = 256 – 192 = 64
Net IDs: 0, 64, 128, 192
198 is in the 192 subnet = 172.16.192.0; wildcard mask is 1 less than the block size = 0.0.63.255

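
The block-size arithmetic used in Standard Access List Examples 2 and 3 and in the two derivations just above, as an added Python example that is not part of the original page: it finds the interesting octet, block size, subnet and inverse (wildcard) mask for a host and prefix, and cross-checks the result with Python's ipaddress module. The function names are the example's own.

```python
"""Added example (not from the page): reproduces the wildcard-mask arithmetic
used in the examples above (interesting octet, block size, subnet, inverse mask)
and cross-checks it with the ipaddress module."""
import ipaddress

def block_size(prefix_len):
    """Block size in the interesting octet: 256 minus that octet's mask value."""
    borrowed = prefix_len % 8                 # bits borrowed inside the interesting octet
    if borrowed == 0:                         # /8, /16, /24: the next octet is free, size 256
        return 256
    mask_octet = (0xFF << (8 - borrowed)) & 0xFF   # e.g. 3 bits -> 11100000 = 224
    return 256 - mask_octet

def subnet_and_wildcard(host_cidr):
    """'192.168.10.129/27' -> ('192.168.10.128', '0.0.0.31'), by the page's method."""
    host, prefix = host_cidr.split("/")
    prefix = int(prefix)
    octets = [int(o) for o in host.split(".")]
    if prefix == 32:                          # a single host: nothing is ignored
        return host, "0.0.0.0"
    idx = prefix // 8                         # first octet that is not fully masked
    size = block_size(prefix)
    subnet, wildcard = octets[:], [0, 0, 0, 0]
    subnet[idx] = (octets[idx] // size) * size   # net IDs go 0, size, 2*size, ...
    wildcard[idx] = size - 1                     # "one less than the block size"
    for i in range(idx + 1, 4):                  # octets after it are entirely ignored
        subnet[i], wildcard[i] = 0, 255
    net = ".".join(map(str, subnet))
    wc = ".".join(map(str, wildcard))
    # Cross-check: the library must agree on network address and host mask.
    iface = ipaddress.ip_interface(host_cidr)
    assert (str(iface.network.network_address), str(iface.network.hostmask)) == (net, wc)
    return net, wc

def acl_deny_line(number, host_cidr):
    """Build the 'access-list N deny SUBNET WILDCARD' entry for a host's subnet."""
    net, wc = subnet_and_wildcard(host_cidr)
    return f"access-list {number} deny {net} {wc}"

if __name__ == "__main__":
    for h in ("192.168.10.129/27", "172.16.144.17/19", "172.16.50.173/20", "172.16.198.94/18"):
        print(acl_deny_line(1, h))
```
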
Extended Access List Example 3

You can prevent SMTP traffic originating from the WANs from travelling over link A to an SMTP
server with destination 192.168.115.20 by putting an outbound extended IP access list on the
Serial 0 interface of RouterX and using the following commands on RouterX (or RouterY):

rtr(config)#access-list 105 deny TCP any host 192.168.115.20 eq SMTP
rtr(config)#access-list 105 permit IP any any
rtr(config)#interface serial 0
rtr(config-if)#ip access-group 105 out

Another example using the same diagram, denying the hosts in the ethernet network attached
to RouterY from using ICMP to communicate with hosts on the other side of the router.

RouterY(config)#access-list 102 deny icmp 192.168.115.0 0.0.0.255 any
RouterY(config)#access-list 102 permit IP any any
RouterY(config)#interface serial 1
RouterY(config-if)#ip access-group 102 out

Example 4

Create the ACL to permit http and ssh traffic from one host to another. It should block all other
IP traffic. The ACL will be applied to the fa0/1 interface of the router.

Router#config t
Router(config)#access-list 101 permit tcp host 192.168.1.10 host 192.168.2.10 eq 80
Router(config)#access-list 101 permit tcp host 192.168.1.10 host 192.168.2.10 eq 22
                                         (source)          (destination)
Router(config)#int fa0/1
Router(config-if)#ip access-group 101 out
Router(config-if)#exit

Deny Telnet Traffic (TCP, Port 23)

For security, you might disable Telnet access to your private network from the public network.
This figure shows how Telnet traffic from Network B (public) destined to Network A (private) is
denied, which permits Network A to initiate and establish a Telnet session with Network B while
all other IP traffic is permitted.

Telnet uses TCP, port 23. This configuration shows that all TCP traffic destined to Network A
for port 23 is blocked, and all other IP traffic is permitted.

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 deny tcp any any eq 23
access-list 102 permit ip any any

eq = match only packets on a given port number

Allow Only Internal Networks to Initiate a TCP Session

This figure shows that TCP traffic sourced from NetA destined to NetB is permitted, while TCP
traffic from NetB destined to NetA is denied.

The purpose of the ACL in this example is to allow hosts in Network A to initiate and establish a
TCP session to hosts in Network B, and to deny hosts in Network B from initiating and
establishing a TCP session destined to hosts in Network A.

This configuration allows a datagram to pass through interface Ethernet 0 inbound on R1 when
the datagram has the acknowledge (ACK) or reset (RST) bit set (indicating an established TCP
session) and a destination port value greater than 1023.

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit tcp any any gt 1023 established

Since most of the well-known ports for IP services use values less than 1023, any datagram
with a destination port less than 1023 or without the ACK/RST bit set is denied by ACL 102.
Therefore, when a host from Network B initiates a TCP connection by sending the first TCP
packet (a SYN, which does not have the ACK or RST bit set) to a port number less than 1023, it
is denied and the TCP session fails. The TCP sessions initiated from Network A destined to
Network B are permitted because the returning packets have the ACK/RST bit set and use port
values greater than 1023.

Deny FTP Traffic (TCP, Port 21)

This figure shows that FTP (TCP, port 21) and FTP data (port 20) traffic sourced from Network
B destined to Network A is denied, while all other IP traffic is permitted.

This configuration permits only echo-reply (ping response) packets to come in on interface
Ethernet 0 from Network B toward Network A. However, the configuration blocks all echo-request
ICMP packets when pings are sourced in Network B and destined to Network A.
Therefore, hosts in Network A can ping hosts in Network B, but hosts in Network B cannot ping
hosts in Network A.

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit icmp any any echo-reply

Allow HTTP, Telnet, Mail, POP3, FTP

HTTP, Telnet, Simple Mail Transfer Protocol (SMTP), POP3, and FTP traffic are permitted, and
the rest of the traffic sourced from Network B destined to Network A is denied.

This configuration permits TCP traffic with destination port values matching WWW (port 80),
Telnet (port 23), SMTP (port 25), POP3 (port 110), FTP (port 21), or FTP data (port 20).

Notice that the implicit deny all clause at the end of an ACL denies all other traffic, which
does not match the permit clauses.

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 21
access-list 102 permit tcp any any eq 20

Allow DNS

This figure shows that only Domain Name System (DNS) traffic is permitted, and the rest of the
traffic sourced from Network B destined to Network A is denied.

This configuration permits UDP and TCP traffic to and from port 53 (domain). The implicit deny all
clause at the end of an ACL denies all other traffic, which does not match the permit clauses.

hostname R1
!
interface ethernet0
ip access-group 112 in
!
access-list 112 permit udp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any any eq domain
access-list 112 permit tcp any eq domain any

Extended ACLs allow you to permit or deny traffic from specific IP addresses to a specific
destination IP address and port. It also allows you to specify different types of traffic such as
ICMP, TCP, UDP, etc. Needless to say, it is very granular and allows you to be very specific. If
you intend to create a packet filtering firewall to protect your network use an Extended ACL.

Typically you would allow outgoing traffic and incoming initiated traffic. Allowing users to
connect to the web and blocking anyone from the internet connecting to your machines. This
will require 2 ACLs. One to limit our users on the company network to only use a web browser
(this will block outgoing FTP, e-mail, Kazaa, napster, online gaming, etc.) The other access-list
will only allow incoming traffic from the Internet that has been initiated from a machine on the
inside. This is called an established connection. Let's see what our access lists would look like.

Assumptions: internal network 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)
access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 101 says to permit traffic originating from any address on the 63.36.9.0 network. The any
statement means that the traffic is allowed to have any destination address with the limitation of
going to port 80 (which is the web port for HTTP). This is still only half of the solution. If you
only use this access list you have limited your users to browsing the internet. However, you
have taken no action on the incoming traffic.
The Internet still has full access to all the IPs and all the ports leaving you vulnerable.

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

Since you only want your users to be able to browse the Internet, you must block all incoming
traffic except for the established connections in which the websites are replying to a computer.
Therefore use the established keyword.

ACL 102 simply states to permit established traffic from anywhere to all computers within our
63.36.9.0 network.

You may ask why access-list 102 does not read

access-list 102 permit tcp any any established

In this situation this works just as well, but because it is not as specific, it is considered a hole
or an area of vulnerability (especially if you ever got another block of IP addresses).

Applying Cisco Access Control Lists (ACLs)

Assumptions: internal network 63.36.9.0

access-list 101 - Applied to traffic leaving the office (outgoing)
access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established

We will apply our ACLs to the serial interface to protect our network and to limit our user's
Internet access to just web browsing.

Before we do that, we need to add one more entry to access-list 101 to allow HTTPS for web
browsing. Web browsing (HTTP) is done on port 80 and secure web browsing (HTTPS) is
done on port 443.

access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 443

Now that our ACLs are complete, here is how we apply them to an interface.

In or Out

We must decide whether the traffic we are filtering is going in or out.

Users accessing the internet is a good example of traffic going OUT from our business.
Receiving e-mails from the Internet is an example of traffic coming IN to our business.

Access List Guidelines

You can only assign one access list per interface, per protocol, per direction.
This means when creating IP access lists, you can have only one inbound access list
and one outbound access list per interface.

Note: any time a new entry is added to the access list it is placed at the bottom, so it is best to
organise your access list so that the more specific tests are at the top.
Unfortunately you cannot remove one line from an access list; if you try, you will remove the
entire list. It is best to copy the access list into a text editor to edit it.

Unless your access list ends with a permit any command, all packets will be discarded if they do
not meet any of the list's tests. Every list should have at least one permit statement or it will
deny all traffic.

Applying Access Lists

conf t
int ser0/0
ip access-group 101 out
ip access-group 102 in

Remember that you can only apply ONE ACL in each direction of an Interface.

Inbound access lists


When an access list is applied to inbound packets on an interface those packets are processed
through the access list before being routed to the outbound interface.

Outbound access lists


When an access list is applied to outbound packets on an interface those packets are routed to
the outbound interface and then processed through the access list before they are queued for
transmission.

The IP ACL is a sequential collection of permit and deny conditions that applies to an IP packet.
The router tests packets against the conditions in the ACL one at a time.

The first match determines whether the Cisco IOS accepts or rejects the packet. Because the
Cisco IOS Software stops testing conditions after the first match, the order of the
conditions is critical.

If no conditions match, the router rejects the packet because of an implicit deny all clause.

Standard access list placed close to the destination.

Standard ACLs

This is the command syntax format of a standard ACL.

access-list number {permit|deny} {host|source source-wildcard|any}


In all software releases, the access-list-number can be anything from 1 to 99.
Starting with IOS 12.0.1, standard ACLs may also use 1300 to 1999, referred to as expanded IP ACLs.

After the ACL is defined, it must be applied to the interface (inbound or outbound).

#interface <interface>
#ip access-group number {in|out}

This is a standard ACL blocking all traffic except that from source 10.1.1.x.

#interface Ethernet0/0
#ip address 10.1.1.1 255.255.255.0
#ip access-group 1 in
#access-list 1 permit 10.1.1.0 0.0.0.255

interface <interface>
ip access-group {number|name} {in|out}

Extended access list placed close to the source.

This extended ACL is used to permit traffic on the 10.1.1.x network (inside) and to receive ping
responses from the outside while preventing unsolicited pings from people outside (permitting
all other traffic).

#interface Ethernet0/1
#ip address 172.16.1.2 255.255.255.0
#ip access-group 101 in
#access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
#access-list 101 permit ip any 10.1.1.0 0.0.0.255

A wildcard mask of 0.0.0.0 means the address specified in the ACL line must be matched
exactly! A wildcard mask of 255.255.255.255 means that all addresses will match.

Wildcard masks have the option of using the word host to represent a wildcard mask of 0.0.0.0.
Consider a configuration where only packets from IP source 10.1.1.1 should be allowed and all
other packets denied. The following ACLs both do that.

R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0

R3#conf t
R3(config)#access-list 7 permit host 10.1.1.1

The keyword any can be used to represent a wildcard mask of 255.255.255.255.

R3(config)#access-list 15 permit any

Another often overlooked detail is the order of the lines in an ACL.

Consider a situation where packets sourced from 172.18.18.0 /24 will be denied, but all others
will be permitted. The following ACL would do that.

R3#conf t
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
R3(config)#access-list 15 permit any

The previous example also illustrates the importance of configuring the ACL with the lines in the
correct order to get the desired results. What would be the result if the lines were reversed?

R3#conf t
R3(config)#access-list 15 permit any
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255

If the lines were reversed, traffic from 172.18.18.0 /24 would be matched against the first line of
the ACL. The first line is "permit any", meaning all traffic is permitted. The traffic from
172.18.18.0/24 matches that line, the traffic is permitted, and the ACL stops running. The
statement denying the traffic from 172.18.18.0 is never run.

Once a packet matches an ACL statement no other checks are made.

Would the following access list permit access to the server 192.168.1.18 and
block access to all other hosts on the same network?

#access-list 110 permit ip any host 192.168.1.18

The answer is yes: the access list will allow any source address access to the host address
192.168.1.18, and because of the implicit deny any statement at the end of the access list
(not visible), all other traffic would be denied.
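
The first-match behaviour discussed above (the reversed access-list 15, the established keyword in the inbound lists, and the single-host question just answered), as an added Python example that is not part of the original page and not IOS code: a small simulator that parses the numbered-ACL syntax used on this page and evaluates constructed sample packets against it. Packet, parse_entry and evaluate are the example's own names.

```python
"""Added example (not IOS code): a first-match simulator for the numbered
ACL syntax used on this page, including wildcard masks, host/any, port
operators, the 'established' keyword and the implicit 'deny any'."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110,
              "ftp": 21, "ftp-data": 20, "domain": 53, "bgp": 179}
PORT_OPS = ("eq", "gt", "lt", "neq", "range")

@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: only the fields an ACL can test."""
    src: str
    dst: str
    proto: str = "ip"               # tcp | udp | icmp | ip
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"ACK"})

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco inverse mask: a 0 bit must match, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (means host A)."""
    t = tokens[0]
    if t == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if t == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:   # a wildcard mask follows
        return t, tokens[1], tokens[2:]
    return t, "0.0.0.0", tokens[1:]

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _take_port_op(tokens):
    """Consume an optional eq/gt/lt/neq/range clause; return (predicate, rest)."""
    if not tokens or tokens[0] not in PORT_OPS:
        return (lambda p: True), tokens
    op, a = tokens[0], _port(tokens[1])
    if op == "range":
        b = _port(tokens[2])
        return (lambda p: a <= p <= b), tokens[3:]
    pred = {"eq": lambda p: p == a, "neq": lambda p: p != a,
            "gt": lambda p: p > a, "lt": lambda p: p < a}[op]
    return pred, tokens[2:]

def parse_entry(line):
    """Turn one 'access-list N permit|deny ...' line into (action, matcher)."""
    tok = line.lower().split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if number <= 99 or 1300 <= number <= 1999:      # standard list: source only
        proto, (sbase, swc, rest) = "ip", _take_addr(rest)
        dbase, dwc = "0.0.0.0", "255.255.255.255"
        sport_ok = dport_ok = (lambda p: True)
    else:                                           # extended list
        proto, rest = rest[0], rest[1:]
        sbase, swc, rest = _take_addr(rest)
        sport_ok, rest = _take_port_op(rest)        # source port, e.g. 'any eq domain any'
        dbase, dwc, rest = _take_addr(rest)
        dport_ok, rest = _take_port_op(rest)
    established = "established" in rest             # 'log' and other trailers are ignored

    def matches(pkt):
        if proto != "ip" and pkt.proto != proto:
            return False
        if not (wildcard_match(pkt.src, sbase, swc) and wildcard_match(pkt.dst, dbase, dwc)):
            return False
        if not (sport_ok(pkt.sport) and dport_ok(pkt.dport)):
            return False
        # 'established' needs the ACK or RST bit, i.e. a reply inside an existing session
        return not established or bool(pkt.flags & {"ACK", "RST"})
    return action, matches

def evaluate(acl, pkt):
    """First matching entry decides; no match falls through to the implicit deny."""
    for line in acl:
        action, matches = parse_entry(line)
        if matches(pkt):
            return action
    return "deny"

# Lists quoted from the page, kept here as constructed test inputs.
ORDERED = ["access-list 15 deny 172.18.18.0 0.0.0.255", "access-list 15 permit any"]
REVERSED = ORDERED[::-1]
ESTABLISHED_ONLY = ["access-list 102 permit tcp any any gt 1023 established"]
INBOUND_SPECIFIC = ["access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established"]
INBOUND_LOOSE = ["access-list 102 permit tcp any any established"]
ONE_SERVER = ["access-list 110 permit ip any host 192.168.1.18"]

if __name__ == "__main__":
    pkt = Packet("172.18.18.5", "10.1.1.1")
    print(evaluate(ORDERED, pkt), evaluate(REVERSED, pkt))  # deny permit
```

Running it against INBOUND_SPECIFIC and INBOUND_LOOSE with a reply destined outside 63.36.9.0 shows the "hole" the text describes: only the loose list permits it.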

ACL COMMANDS

Standard ACLs - Used to permit or deny an entire protocol suite.

The following two statements have the same effect:

Router(config)#access-list 1 permit 0.0.0.0 255.255.255.255
Router(config)#access-list 1 permit any

The following two statements also have the same effect:

Router(config)#access-list 1 permit 172.30.16.29 0.0.0.0
Router(config)#access-list 1 permit host 172.30.16.29

Use the following table to permit or deny specific protocols, ports or ranges of port numbers.

lt Less than
gt Greater than
neq Not equal to
eq Equal to

R1(config)#access-list 101 deny tcp 172.16.4.0 0.0.255.255 any eq 23
R1(config)#access-list 101 permit tcp any any established

The established keyword matches only TCP segments that belong to an already established
connection (ACK or RST bit set), so it can be used only with the tcp protocol; it is not valid after ip.

Named ACLs

Named access control lists are another way of creating ACL’s.

Router(config)#ip access-list standard Nik


Router(config-std-nacl)#deny any log (denies all packets and logs each match)

Viewing ACLs

Router#show access-lists (shows all access lists)
Router#show access-list 101 (shows access list 101)
Router#show ip interface (shows the access lists applied to each interface)

The show commands are entered in privileged EXEC mode (Router#), not in configuration mode.

Removal of ACLs

Router(config)#no access-list 1

Allow a Select Host to Access the Network

All traffic sourced from Host B destined to Network A is permitted, and all other traffic sourced
from Network B destined to Network A is denied.

#hostname R1
#interface ethernet0
#ip access-group 1 in
#access-list 1 permit host 192.168.10.1

This allows only the host with the IP address 192.168.10.1 through E0 interface on R1.
This host has access to the IP services of Network A.
No other host in Network B has access to Network A.
By default, there is an implicit deny all clause at the end of every ACL. Anything that is not
explicitly permitted is denied.

Note The ACL filters IP packets from Network B to Network A, except packets sourced from
Host B. Packets destined to Host B from Network A are still permitted.

Note The ACL access-list 1 permit 192.168.10.1 0.0.0.0 is another way to configure the same
rule.

Deny a Select Host to Access the Network

This figure shows that traffic sourced from Host B destined to Network A is denied, while all
other traffic from Network B to Network A is permitted.

Note The order of statements is critical to the operation of an ACL. If the order of the entries is
reversed as these commands show, the first line matches every packet source address.
Therefore, the ACL fails to block host 192.168.10.1/32 from accessing Network A.

access-list 1 permit any
access-list 1 deny host 192.168.10.1

Allow Access to a Range of Contiguous IP Addresses

All hosts in Network B with the network address 192.168.10.0/24 can access network
192.168.200.0/24 in Network A.

This configuration allows the IP packets with an IP header that has a source address in the
network 192.168.10.0/24 and a destination address in the network 192.168.200.0/24 access to
Network A. There is the implicit deny all clause at the end of the ACL which denies all other
traffic through E0 inbound on R1.

#hostname R1
#interface ethernet0
#ip access-group 101 in
#access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255

Note In the command access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255,
the "0.0.0.255" is the inverse mask of network 192.168.10.0 with mask 255.255.255.0. ACLs use
the inverse mask to know how many bits in the network address need to match. In this example,
the ACL permits all hosts with source addresses in the 192.168.10.0/24 network and destination
addresses in the 192.168.200.0/24 network.

ACL Concepts

Inverse (Wildcard) Masks

Inverse Masks are used with IP addresses in ACLs to specify what should be permitted and
denied. Inverse Masks for ACLs look like 0.0.0.255. When the value of the mask is broken
down into binary the results determine which address bits are to be considered in processing
the traffic.

0 indicates that the address bits are considered an exact match.

1 in the mask indicates "any number". The following example, network 10.1.1.0 with inverse
mask 0.0.0.255 written out in binary, further explains the concept.

Network address 10.1.1.0   00001010.00000001.00000001.00000000
Inverse mask    0.0.0.255  00000000.00000000.00000000.11111111

Based on the binary mask, you can see that the first three octets
00001010.00000001.00000001 must match exactly.

The last octet is "any number" (.11111111). Therefore, with this mask the network addresses
10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed.

The ACL inverse mask can also be determined by subtracting the normal mask from
255.255.255.255. In this example, the inverse mask is determined for network address
172.16.1.0 with a normal mask of 255.255.255.0.

255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)

Note these ACL equivalents.

• 0.0.0.0 255.255.255.255 means any.
• 10.1.1.2 0.0.0.0 is the same as host 10.1.1.2.

If you want to deny access to all hosts in the network 172.16.23.0 with subnet mask
255.255.255.0, you would use 172.16.23.0 0.0.0.255 as the source in the access-list
command.

In situations, where you want to specify a range of addresses that does not have the boundary
exactly between octets, convert to binary to determine the inverse mask.

For example, the network 172.18.16.0 with subnet mask 255.255.240.0.

Converting this mask to binary gives 11111111.11111111.11110000.00000000. The first 20 bits are
set to 1, so the inverse mask has the first 20 bits set to zero:
00000000.00000000.00001111.11111111, which is 0.0.15.255 in decimal notation.

172.18.16.0 0.0.15.255 specifies the address range 172.18.16.0 to 172.18.31.255.

Using the block size method, the wildcard is always one less than the block size:
block size = 16, wildcard = 0.0.15.255.

If you want the source or destination to be any host from any network you could use the
address 0.0.0.0 with the inverse mask 255.255.255.255, but for simplicity you can use the
keyword any.

In extended access lists the keyword host can be used to replace the 0.0.0.0 inverse mask
(standard lists accept it as well, as access-list 7 above shows). Instead of specifying a single
address with 192.168.23.12 0.0.0.0, use host 192.168.23.12.

Wildcard Masking (block size)

Wildcard masks are used with access lists to specify a host, a network or a range.
When you specify a range of addresses, use block sizes.

To specify a given range of addresses, you choose the next block size that covers your needs.

Wildcards with the host or network address tell the router the range of addresses to filter, or
specify a single host, e.g. 172.16.30.5 0.0.0.0.

Whenever a zero is present, it means that octet in the address must match exactly!
To specify that an octet can be any value, 255 is used.

A /24 subnet is specified with a wildcard 172.16.30.0 0.0.0.255

This tells the router to match the first three octets exactly but the fourth can be any value.

What if you want to specify only a small range of subnets?

Say we want to block access to part of the network that is in the range
172.16.8.0 to 172.16.15.0 (block size = 8).

172.16.8.0 has a wildcard of 0.0.7.255. This tells the router to start at 172.16.8.0 and go up a
block size of 8 networks to 172.16.15.0.

Remember the wildcard is always one less than the block size, in this example 7.

LabA(config)#access-list 10 deny 172.16.10.0 0.0.0.255

This tells the router to match the first 3 octets exactly but the 4th can be anything.

LabA(config)#access-list 10 deny 172.16.16.0 0.0.3.255

This configuration tells the router to start at 172.16.16.0 and use a block size of 4 (one more
than the wildcard). The range would then be 172.16.16.0 to 172.16.19.0.

LabA(config)#access-list 10 deny 172.16.16.0 0.0.7.255

This access list starts at 172.16.16.0 going up a block size of 8 to 172.16.23.0.

LabA(config)#access-list 10 deny 172.16.32.0 0.0.31.255

This access list starts at 172.16.32.0 going up a block size of 32 to 172.16.63.0.

LabA(config)#access-list 10 deny 172.16.64.0 0.0.63.255

This last example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0.

The any keyword is the same as the wildcard pair 0.0.0.0 255.255.255.255.
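The inverse-mask arithmetic from the Inverse (Wildcard) Masks section and the block-size reasoning above, as an added Python example (this is not code from the original notes). It derives a wildcard from a normal mask or a prefix length, reproduces the notes' own cases (0.0.15.255 for 255.255.240.0, the 172.16.16.0 0.0.3.255 block) and tests whether an address falls inside an address/wildcard pair the way the router does, bit by bit. All function names are this example's own.

```python
# Added example (not from the original notes): inverse/wildcard mask arithmetic and
# the bit-wise comparison a router performs when it tests an address against an
# address/wildcard pair. Uses only the standard library; all names are this example's own.
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer back to dotted-quad notation."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def binary_octets(dotted: str) -> str:
    """Per-octet binary, the way the notes write masks (e.g. 00000000.00000000.00001111.11111111)."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))


def inverse_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the normal mask, done bit by bit (the notes' subtraction rule)."""
    return to_dotted(0xFFFFFFFF ^ to_int(subnet_mask))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard for a /prefix_len network: the low (32 - prefix_len) bits are 1, e.g. /20 -> 0.0.15.255."""
    return to_dotted(0xFFFFFFFF >> prefix_len)


def block_size(wildcard: str) -> int:
    """Block size in the notes' sense: one more than the wildcard value in its first non-zero octet."""
    for octet in wildcard.split("."):
        if int(octet):
            return int(octet) + 1
    return 1  # 0.0.0.0 wildcard = a single host


def matches(address: str, base: str, wildcard: str) -> bool:
    """Router test: every address bit under a 0 wildcard bit must equal the base's bit; 1 bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)


def address_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address covered by base/wildcard."""
    wild = to_int(wildcard)
    low = to_int(base) & ~wild & 0xFFFFFFFF
    return to_dotted(low), to_dotted(low | wild)


if __name__ == "__main__":
    # The notes' own cases: 255.255.240.0 -> 0.0.15.255 and the 172.18.16.0 range.
    print(inverse_mask("255.255.240.0"), binary_octets(inverse_mask("255.255.240.0")))
    print(address_range("172.18.16.0", "0.0.15.255"), block_size("0.0.15.255"))
    for addr in ("172.18.16.0", "172.18.31.255", "172.18.32.0"):
        print(addr, matches(addr, "172.18.16.0", "0.0.15.255"))
```

The matches function is the whole of what the router does with a wildcard: it clears the "don't care" bits on both the packet address and the configured address and compares what is left, which is why a wildcard that is not one less than a power of two still works but rarely means what the author intended.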

ACL Summarization

Note Subnet masks can also be represented as a fixed length notation. For example,
192.168.10.0/24 represents 192.168.10.0 255.255.255.0.

This list describes how to summarize a range of networks into a single network for ACL
optimization. Consider these networks.

192.168.32.0/24
192.168.33.0/24
192.168.34.0/24
192.168.35.0/24
192.168.36.0/24
192.168.37.0/24
192.168.38.0/24
192.168.39.0/24

The first two octets and the last octet are the same for each network (192.168.x.0). The third
octet of each network, written in binary by bit position, shows how to summarize them into a
single network:

192.168.32.0  third octet 32 = 00100000
192.168.33.0  third octet 33 = 00100001
192.168.34.0  third octet 34 = 00100010
192.168.35.0  third octet 35 = 00100011
192.168.36.0  third octet 36 = 00100100
192.168.37.0  third octet 37 = 00100101
192.168.38.0  third octet 38 = 00100110
192.168.39.0  third octet 39 = 00100111

Since the first five bits match, the above eight networks can be summarized into one network
(192.168.32.0/21).

Since the decimal 32 = 00100000 ends in zeros in the three low-order bits, the block covers
32 - 39, or 192.168.32.0 255.255.248.0 (11111000 = 248).

All eight possible combinations of the three low-order bits are relevant for the network ranges in
question. If you subtract 255.255.248.0 (normal mask) from 255.255.255.255, it yields 0.0.7.255.
This command defines a named standard ACL that permits this network.

ip access-list standard acl_permit
 permit 192.168.32.0 0.0.7.255
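The summarization above done programmatically, as an added example (not part of the original notes) using Python's standard ipaddress module. summarize_exact returns the minimal set of prefixes that covers exactly the listed networks, covering_supernet returns the single prefix that contains them all (it over-covers when the list is not a clean power-of-two block, which is the case to check before collapsing several lines into one ACL statement), and acl_entry derives the subnet mask and wildcard for that statement. The inputs are constructed from the eight networks in the notes plus one seven-network edge case; function names are this example's own.

```python
# Added example (not from the original notes): route/ACL summarization with the
# standard ipaddress module. Function names are this example's own.
import ipaddress

# Constructed input: the eight /24s discussed in the notes.
EIGHT_NETS = [f"192.168.{o}.0/24" for o in range(32, 40)]
# Constructed edge case: 192.168.39.0/24 left out, so no single prefix fits exactly.
SEVEN_NETS = EIGHT_NETS[:-1]


def summarize_exact(networks):
    """Minimal set of prefixes that covers exactly the listed networks, nothing more."""
    nets = [ipaddress.IPv4Network(n, strict=False) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_supernet(networks):
    """Smallest single prefix that contains every listed network (may over-cover)."""
    nets = sorted(ipaddress.IPv4Network(n, strict=False) for n in networks)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()   # drop one prefix bit at a time
    return candidate


def over_covers(networks) -> bool:
    """True when one ACL line for the supernet would also admit addresses not in the list."""
    return len(summarize_exact(networks)) > 1


def acl_entry(network: str):
    """(network address, subnet mask, wildcard) for an ACL statement; wildcard = 255.255.255.255 - mask."""
    n = ipaddress.IPv4Network(network, strict=False)
    return str(n.network_address), str(n.netmask), str(n.hostmask)


def third_octet_bits(networks):
    """Third octet of each network in binary, the view the notes use to spot the common prefix."""
    return [(n, f"{int(n.split('.')[2]):08b}") for n in networks]


if __name__ == "__main__":
    for net, bits in third_octet_bits(EIGHT_NETS):
        print(net, bits)
    print(summarize_exact(EIGHT_NETS), acl_entry(str(covering_supernet(EIGHT_NETS))))
    print(summarize_exact(SEVEN_NETS), covering_supernet(SEVEN_NETS), over_covers(SEVEN_NETS))
```

For the seven-network case the single covering prefix is still 192.168.32.0/21, but over_covers reports that one line would also permit 192.168.39.0/24; the exact summary needs three statements (/22, /23 and /24), which is the trade-off between a short ACL and a precise one.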

Processing ACLs

Traffic that comes into the router is compared to ACL entries in the order of statements. New
statements are added to the end of the list. The router continues to look until it has a match. If
no matches are found when the router reaches the end of the list, the traffic is denied.

For this reason, you should have the frequently hit entries at the top of the list. There is an
"implied deny" for traffic that is not permitted. A single-entry ACL with only one "deny" entry has
the effect of denying all traffic. You must have at least one "permit" statement in an ACL or all
traffic is blocked. These two ACLs (101 and 102) have the same effect.

access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255


access-list 102 deny ip any any

In this example, the last entry is sufficient. You do not need the first three entries because TCP
includes Telnet, and IP includes TCP, User Datagram Protocol (UDP), and Internet Control
Message Protocol (ICMP).

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet


access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1
access-list 101 permit udp host 10.1.1.2 host 172.16.1.1
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
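A small first-match evaluator for the numbered statements on this page, as an added example (not code from the original notes). It applies the processing rules described here (statements checked top down, first match wins, implicit deny at the end) to the access-list 15 ordering example earlier, to lists 101 and 102 above, and to the three-line access-list 100 from the ACL SIM section later on. The parser understands only the syntax those statements use (any, host, address/wildcard, an optional eq port); the Packet model and all names are this example's own assumptions.

```python
# Added example (not from the original notes): a first-match evaluator for the numbered
# ACL statements on this page, with the implicit deny at the end. It understands only the
# syntax those statements use; names and the Packet model are this example's own.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "bgp": 179, "rip": 520}
ANY = 0xFFFFFFFF  # wildcard with every bit set: match any address


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: int
    src_wild: int
    dst: int = 0
    dst_wild: int = ANY         # standard lists look only at the source
    port: Optional[int] = None  # destination port from "eq", if present


@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tok, i):
    """any | host A | A W | A (a bare address is an exact host); returns (base, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ANY, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    base = _ip(tok[i])
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return base, _ip(tok[i + 1]), i + 2
    return base, 0, i + 1


def parse(statement: str) -> Entry:
    """Parse 'access-list N permit|deny ...' (numbered standard or extended syntax)."""
    tok = statement.split()
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: source only
        src, wild, _ = _parse_addr(tok, 3)
        return Entry(action, "ip", src, wild)
    proto = tok[3]                                        # extended: protocol, src, dst [eq port]
    src, src_wild, i = _parse_addr(tok, 4)
    dst, dst_wild, i = _parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Entry(action, proto, src, src_wild, dst, dst_wild, port)


def _addr_ok(addr: str, base: int, wild: int) -> bool:
    care = ~wild & ANY                      # bits the router must compare (wildcard bit 0)
    return (_ip(addr) & care) == (base & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.port is not None and e.port != p.dport:
        return False
    return _addr_ok(p.src, e.src, e.src_wild) and _addr_ok(p.dst, e.dst, e.dst_wild)


def evaluate(statements, p: Packet):
    """Walk the list top down; the first match decides. No match = implicit deny (index None)."""
    for idx, stmt in enumerate(statements):
        e = parse(stmt)
        if entry_matches(e, p):
            return e.action, idx
    return "deny", None


# The page's own lists, typed as statements.
ACL15_RIGHT = ["access-list 15 deny 172.18.18.0 0.0.0.255", "access-list 15 permit any"]
ACL15_WRONG = list(reversed(ACL15_RIGHT))
ACL101 = ["access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255"]
ACL102 = ["access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
          "access-list 102 deny ip any any"]
ACL100 = ["access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
          "access-list 100 deny tcp any host 172.22.242.23 eq 80",
          "access-list 100 permit ip any any"]

if __name__ == "__main__":
    blocked = Packet("tcp", "172.18.18.5", "10.1.1.1", 80)
    print("order right:", evaluate(ACL15_RIGHT, blocked), "order wrong:", evaluate(ACL15_WRONG, blocked))
    stray = Packet("udp", "10.2.2.2", "172.16.1.1", 53)
    print("101:", evaluate(ACL101, stray), "102:", evaluate(ACL102, stray))
    for host in ("192.168.33.3", "192.168.33.1"):
        print(host, "-> web server:", evaluate(ACL100, Packet("tcp", host, "172.22.242.23", 80)))
```

The returned index tells you which line took the decision; None means the packet fell off the end of the list, which is the implicit deny the notes keep referring to, and is exactly what the explicit deny ip any any in list 102 makes visible (and countable in show access-lists).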

Applying ACLs

You can define ACLs without applying them. The ACLs have no effect until they are applied to
the router's interface. Apply the ACL on the interface closest to the source of the traffic. When
you try to block traffic from source to destination, apply an inbound ACL to E0 on router A rather
than an outbound list to E1 on router C.

Router traffic meanings

Out - Traffic that has already been through the router and is leaving the interface. The
source is where it has been (on the other side of the router) and the destination is where it
goes.

In - Traffic that arrives on the interface and then goes through the router. The source is
where it has been and the destination is where it goes (on the other side of the router).

Editing ACL’s

Editing an ACL requires special attention. For example, if you intend to delete a specific line
from an existing numbered ACL as shown here, the entire ACL is deleted.

router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#access-list 101 deny icmp any any
router(config)#access-list 101 permit ip any any
router(config)#^Z

router#show access-list
Extended IP access list 101
    deny icmp any any
    permit ip any any
router#
*Mar 9 00:43:12.784: %SYS-5-CONFIG_I: Configured from console by console

router#configure terminal
router(config)#no access-list 101 deny icmp any any
router(config)#^Z

router#show access-list
router#
*Mar 9 00:43:29.832: %SYS-5-CONFIG_I: Configured from console by console

Troubleshooting ACLs

How do I remove an ACL from an interface?

To remove an ACL from an interface, go into configuration mode and enter no in front of the
access-group command, as shown in this example.

interface <interface>
no ip access-group # in|out

What do I do when too much traffic is being denied?

If too much traffic is denied, study the logic of your list or try to define and apply an additional
broader list. The show ip access-lists command provides a packet count that shows which ACL
entry is being hit.

The log keyword at the end of the individual ACL entries shows the ACL number and whether the
packet was permitted or denied, in addition to port-specific information.

Note The log-input keyword does the same and also records the input interface and the source
MAC address, where applicable.
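Both places where the hits described above surface, parsed in one added example (not part of the original notes): the per-entry match counters in show ip access-lists output, and the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP syslog messages that the log keyword produces. The sample output and log lines below are constructed for this example in the format IOS uses; the function names are this example's own.

```python
# Added example (not from the original notes): parsing the two places IOS reports ACL hits,
# the per-entry counters in "show ip access-lists" output and the %SEC-6-IPACCESSLOG*
# syslog messages produced by the "log" keyword. Sample text below is constructed for
# this example; function names are this example's own.
import re
from collections import Counter

# Constructed "show ip access-lists" output (sequence number, rule, hit counter).
SHOW_OUTPUT = """\
Extended IP access list 101
    10 deny tcp 172.16.4.0 0.0.255.255 any eq telnet (27 matches)
    20 permit tcp any any established (15883 matches)
    30 deny ip any any log (4 matches)
Standard IP access list 15
    10 deny 172.18.18.0, wildcard bits 0.0.0.255
    20 permit any (301 matches)
"""

# Constructed syslog lines in the format the log keyword produces (ICMP uses IPACCESSLOGDP).
SYSLOG = """\
*Mar  9 00:51:02.114: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.4.9(41022) -> 10.1.1.1(23), 1 packet
*Mar  9 00:52:10.330: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.4.9(41023) -> 10.1.1.1(23), 3 packets
*Mar  9 00:53:44.901: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.1(23) -> 172.16.4.9(41022), 12 packets
*Mar  9 00:54:01.777: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.16.4.9 -> 10.1.1.1 (8/0), 2 packets
"""

HEAD_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?$")
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)


def parse_counters(text: str) -> dict:
    """{list name: [(seq, action, rule text, matches)]} from show ip access-lists output."""
    lists, current = {}, None
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            current = head.group(2)
            lists[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            seq, action, rule, hits = m.groups()
            lists[current].append((int(seq), action, rule, int(hits or 0)))
    return lists


def hottest_deny(lists: dict, name: str):
    """The deny entry of one list with the most hits, or None; this is the line to study first."""
    denies = [e for e in lists.get(name, []) if e[1] == "deny" and e[3] > 0]
    return max(denies, key=lambda e: e[3]) if denies else None


def parse_log(text: str) -> list:
    """One dict per IPACCESSLOG* line: acl, action, proto, src, sport, dst, dport, count."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events


def denied_by_source(events: list) -> Counter:
    """Denied packets per (source address, destination port), summed over all log lines."""
    totals = Counter()
    for e in events:
        if e["action"] == "denied":
            totals[(e["src"], e["dport"])] += e["count"]
    return totals


if __name__ == "__main__":
    lists = parse_counters(SHOW_OUTPUT)
    print("hottest deny in 101:", hottest_deny(lists, "101"))
    print("denied per source/port:", denied_by_source(parse_log(SYSLOG)).most_common())
```

Counters answer "which line is eating the traffic" without any logging cost; the syslog lines add the source and port, which is what you need when a legitimate user reports being blocked, but the router rate-limits them, so the packet counts in the messages are a sample rather than a total.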

How do I debug at the packet level using a Cisco router?

Before you begin, be certain that there are no currently applied ACLs, that there is an ACL, and
that fast switching is not disabled.

Note Use extreme caution when you debug a system with heavy traffic. You can debug specific
traffic using an ACL. However, be sure of the process and the traffic flow.

1. Capture the desired data using the access-list command. In this example, the data capture is
set for the destination address of 10.2.6.6 or the source address of 10.2.6.6.

access-list 101 permit ip any host 10.2.6.6
access-list 101 permit ip host 10.2.6.6 any

2. Disable fast switching on the interfaces involved. You will only see the first packet if fast
switching is not disabled.

config interface
no ip route-cache

3. To display debug command output and system error messages for the current terminal
and session, use the terminal monitor command in enable mode.

4. Begin the debug process using the debug ip packet 101 or debug ip packet 101
detail command.

5. To stop the debug process, execute the no debug all command in enable mode, and
the interface configuration command.

6. Restart caching.

config interface
ip route-cache

Permit Routing Updates

When you apply an in-bound ACL on to an interface, ensure that routing updates are not
filtered out. Use the relevant ACL from this list to permit routing protocol packets:

Issue this command to permit Routing Information Protocol (RIP)

access-list 102 permit udp any any eq rip

Issue this command to permit Interior Gateway Routing Protocol (IGRP)

access-list 102 permit igrp any any

Issue this command to permit Enhanced IGRP (EIGRP)

access-list 102 permit eigrp any any

Issue this command to permit Open Shortest Path First (OSPF)

access-list 102 permit ospf any any

Issue this command to permit Border Gateway Protocol (BGP)

access-list 102 permit tcp any any eq 179


access-list 102 permit tcp any eq 179 any

Named Access Lists

Using named access lists is just another way to create standard and extended access lists. In
enterprises, managing access lists can become a real hassle. For example, when you need to
make a change to an access list, frequently we copy the access list to a text editor, change the
number, edit the list and then paste the new list back into the router. With this done you can
simply change the access list number on the interface from the old to the new access list. There
is never a time on the network where an access list isn't in place.

Over time, old access lists that are kept but not applied accumulate on a router, and even the
list that is currently in use, say 177, gives no hint of what it does. It is better to have a
description, e.g. Finance LAN.

Named access lists allow you to use names to both create and apply either standard or
extended access lists, but there are some subtle changes to the syntax. Let's re-create the
standard access list from earlier.

Acme#config t

Enter configuration commands, one per line. End with CNTL/Z

Acme(config)#ip access-list ?
Extended Extended Access List
Logging Control access list logging
Standard Standard Access List

Note we type ip access-list, not access-list. This allows us to enter a named access list.

Next, specify that it is to be a standard access list.

Acme(config)#ip access-list standard ?

<1-99> Standard IP access-list number


WORD Access list name

Acme(config)#ip access-list standard BlockSales


Acme(config-std-nacl)#

So we specified a standard access list and then added the name BlockSales. We could have
used a number for a standard access list, but instead we chose a descriptive name. After
pressing Enter the router prompt changed: we are now in named access list mode. Let's go!

Acme(config-std-nacl)# ?

Standard access list commands


default set a command to its defaults
deny specify packets to reject
exit exit from access-list mode
no negate a command or set its defaults
permit specify packets to forward

Acme(config-std-nacl)#deny 172.16.40.0 0.0.0.255


Acme(config-std-nacl)#permit any
Acme(config-std-nacl)#exit
Acme(config)#^Z
Acme#

Here we entered the access list and then exited configuration mode.

Now let's look at the running configuration to verify the access list is in the router.

Acme#show running-config

!
ip access-list standard BlockSales
deny 172.16.40.0 0.0.0.255
permit any
!

This shows that the BlockSales access list is in the running configuration.

Now we need to apply the list to an interface.

Acme#config t
Enter configuration commands, one per line. End with CNTL/Z.

Acme(config)#int e1
Acme(config-if)#ip access-group BlockSales out
Acme(config-if)# ^Z
Acme#

Done, we re-created the previous example but using named access lists.

To create a named access list, use the following command in global configuration mode:

router(config)#ip access-list {standard | extended} name

This command will take you into access-list configuration mode where you can define the deny
and permit rules. For example, to create a named access list with the name wwwfilter that
permits only access from the networks 192.168.132.0, 172.17.0.0 and 10.0.0.0, use the following
commands:

router(config)#ip access-list standard wwwfilter
router(config-std-nacl)#permit 192.168.132.0 0.0.0.255
router(config-std-nacl)#permit 172.17.0.0 0.0.255.255
router(config-std-nacl)#permit 10.0.0.0 0.255.255.255

Use the exit command to exit access-list configuration mode.

A named list is applied to an interface in the same way as with numbered lists:
router(config-if)#ip access-group wwwfilter out

Another Named Example

Configure an extended access list named secure_LAN that allows pings from loopback 0 on
Router B to loopback 0 on Router A, and also allows anyone to telnet into loopback 1 on
Router A only.

RouterA>enable
RouterA#config t
RouterA(config)#ip access-list extended secure_LAN
RouterA(config-ext-nacl)#permit icmp host 172.30.1.1 host 172.16.1.1
RouterA(config-ext-nacl)#permit tcp any host 172.20.1.1 eq telnet
RouterA(config-ext-nacl)#exit
RouterA(config)#int s0
RouterA(config-if)#ip access-group secure_LAN in
RouterA(config-if)#exit
RouterA(config)#exit

Confirm with the show ip access-lists command:

RouterA#show ip access-lists
Extended IP access list secure_LAN
    permit icmp host 172.30.1.1 host 172.16.1.1
    permit tcp any host 172.20.1.1 eq telnet


ACL SIM

A network associate is adding security to the configuration of the Corp1 router. The user on
host C should be able to use a web browser to access financial information from the Finance
Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to
access this server. Since there are multiple resources at this location including on the Finance
Web Server all other traffic should be allowed.

The task is to create and apply an access-list with no more than three statements that will allow
ONLY host C web access to the Finance Web Server. No other hosts will have web access to
the Finance Web Server. All other traffic is permitted.

Access to the router CLI can be gained by clicking on the appropriate host.

All passwords are set to “Cisco”


The Core connection uses an ip address of 198.18.196.65
The computers in the hosts LAN have been assigned addresses of 192.168.33.1 –
192.168.33.254

Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4

The servers in the Server LAN have been assigned addresses of 172.22.242.17 –
172.22.242.30

The Finance Web Server is assigned an ip address of 172.22.242.23


Answer

Select the console on Corp1 router

Corp1>enable
Corp1#configure terminal

To permit only Host C (192.168.33.3) {source addr} to access the finance server address
(172.22.242.23) {destination addr} on port number 80 (web):

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

To deny any source access to the finance server address (172.22.242.23) {destination addr} on
port number 80 (web):

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

To permit the ip protocol from any source to any destination, which is needed because of the
implicit deny any any statement at the end of the ACL:

Corp1(config)#access-list 100 permit ip any any

Note the difference between access-list 100 permit any any and access-list 100 permit ip any
any. The difference is that if you do not specify the protocol type (e.g. ip), the entry
access-list 100 permit any any applies to all protocols.

So far we have:
the 3rd line allows just Host C to get to the HTTP server;
the 4th line blocks all hosts from that LAN to the HTTP server (Host C was already permitted
by the line above it).

Now use the show ip interface brief command to find the interface on which to apply the
access list.

Corp1(config)#interface fa 0/1

If the IP address and subnet mask already configured on the interface are incorrect, you need
to correct them in order for the ACL to work.

Type this command in interface mode to remove the incorrect IP address and subnet mask:

Corp1(config-if)#no ip address 192.x.x.x 255.x.x.x

Now configure the correct IP address and subnet mask.

The range of addresses given for the server LAN is 172.22.242.17 - 172.22.242.30.

Block size = 16, so the mask on the 4th octet is 256 – 16 = 240.

Corp1(config-if)#ip address 172.22.242.30 255.255.255.240

Place the ACL to check for packets going outside the interface towards the finance web server.
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end

Save the running config to the startup config before exiting:

Corp1#copy running-config startup-config

Verifying the Configuration

Step 1: The show ip interface brief command identifies the interface on which to apply the
access list.

Step 2: Click on each host A, B, C and D. The host opens a web browser page; select the
address box of the web browser and type the IP address of the finance web server
(172.22.242.23) to test whether access to the finance web server is permitted or denied.

Step 3: Only Host C (192.168.33.3) has access to the server. If another host can also access it,
something went wrong in your configuration; check whether you configured the statements
correctly and in order.

Step 4: If only Host C (192.168.33.3) can access the Finance Web Server, you can click on the
NEXT button to successfully submit the ACL SIM.

Creating ACLs with SDM (Cisco Security Device Manager)

Open SDM click Configure > Firewall and ACL

Click on the Edit Firewall Policy/ACL tab


Here we have chosen s0/0/0 as the From interface and s0/2/0 as the To interface.
In the middle of the page click +Add.
In the screen that appears we have configured the list that denies telnet (23) to Wireless
Host C (WHC) from any host coming in the s0/0/0 interface, and log matches. Click OK and
then create a permit statement so we don't shut the router's interface down.

A useful thing about creating lists with the SDM is that the +Add menu asks if you want to
create a new statement and place it before or after the line already in the list.
Next, create the permit statement.

Now the main screen shows the list, enabling easy access to edit and manage the ACL.

Exam Questions

Question
Access-list 122 permit ip 131.107.30.0 0.0.0.255 any
You apply the access-list above. What is the effect?

A. Permit all packets matching the first three octets of the source address to all destinations.
B. Permit all packets matching the last of the destination address and accept all source
addresses.
C. Permit all packets from the third subnet of the network address to all destinations.
D. Permit all packets matching the host bits in the source address to all destinations.
E. Permit all packets to destinations matching the first three octets in the destination address.

Answer A

Explanation
This is an extended access list that permits source packets matching the first three octets of the
131.107.30.0 address. Furthermore, the any keyword specifies that all destinations will be
accepted.

Note
Syntax for an extended access list: access-list access-list-number {deny | permit} protocol
source source-wildcard destination destination-wildcard [precedence precedence] [tos tos]

Incorrect Answers
B. The source-wildcard is specified first before the destination wildcard.
C. All source addresses matching the first three octets of 131.107.30.0 will be permitted.
D. The mask used in access-list does not work as a subnet mask.
E. The first three octets in the source, not destination, address must match. All destination
addresses are allowed with the any keyword.

Question
Given the following criteria for granting access from a remote site to your LAN.
Restrict access on interface E1, E1=207.87.81.173
Deny access to telnet, FTP, SNMP
Allow all other types of operations.

Which line should come last in configuring your access list?

A. Access-List 101
B. Access-List 101 deny E0 telnet FTP
C. Access list 101 allow all except FTP telnet
D. Access list 101 permit IP 0.0.0.0 255.255.255.255 any
E. Access List 101 deny IP 207.87.81.173 TCP EQ 20 21 23

Answer D

Explanation
D is correct; it will permit all other traffic and protocols to pass. This question seems to lack
some information. Usually you want to deny access to functions on an IP address and allow
other data to pass. One thing to remember is that when using an access list, anything that is
not matched is denied. That means that if we restrict this one entry, and do NOTHING else, all
other data will NOT pass through the router. So, does ALL other types of operations in the
question imply allow all other operations and traffic? Assuming so, we need an entry that allows
all other operations and traffic.

Incorrect Answers
A. This is an incomplete command.
B. The interface is not used in the access list; the access list will be bound later.
C. The command is not even in the correct format. And it is permit or deny, not allow.
E. We are doing the last line and want remaining traffic to pass.

Question
Management has reported that they cannot access the corporate files on the company's ftp
server from home. They were able to do this in the past. You feel that somebody has changed
an access list that is preventing those managers from accessing the corporate data. The
access list number is 131. Which command displays access list 131?

A. Show access-list 131
B. Show IP access list 131
C. Display IP address list 131
D. Display access-list 131 details

Answer A

Explanation
To display the contents of access list 131 the show access-list 131 command would need to be
used.

Incorrect Answers
B. To show the contents of all ip access lists the show ip access-lists command is required.
There is no need to specify the specific access list.
C and D. With a Cisco device, whenever you want to display something, a show command is
used.

Question
To configure and apply a standard access list on an interface which two of the following are
required? (Choose two)

A. Define an access list number and its parameter.
B. Enable an interface to become part of the access list group.
C. Define the number of access list to be supported on an interface.
D. Copy the access list definition to each interface that will support it.

Answer A, B

Explanation
Adding an access list to a router, as a packet filter is a two-step process. First, you create the
list. Then, you apply that list to any interface that you want to filter the selected traffic.

Incorrect Answers
C. An existing access list is bound to the interface.
D. There is no need to copy an access list; an access list can be bound to multiple interfaces.

Question
Your access list has one statement;
access-list 131 permit ip any 131.107.7.0 0.0.0.255 eq tcp
What does the word "any" mean in the following extended access list statement?

A. Check any of the bits in the source address.
B. Permit any wildcard mask for the address.
C. Accept any source address.
D. Check any bit in the destination address.
E. Permit 255.255.255 0.0.0.0.
F. Accept any destination address.

Answer C

Explanation
The permit keyword permits traffic. The any keyword implies that any address is allowed. Here
any is used as the source and source-wildcard parameter (see note below). Therefore the
access-list permits any source address.
Note: Syntax for an extended access list: access-list access-list-number {deny | permit} protocol
source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] The
access-list-number must be in the 100 to 199 or the 2000 to 2699 range.

Question
You have been called in to fix a router that is having security issues. The router has an access
list configured on it but the list does not seem to be working. What command can you use to
see if the access list has been applied to an interface?

A. Show access-list.
B. Show ip route.
C. Show ip interface.
D. Show interface.
E. Show interface list.

Answer C

Explanation
The show ip interface command displays IP interface information and indicates whether any
access lists are set for a specific interface; it also indicates whether each access list is inbound or
outbound.

Incorrect Answers
A. This is not a valid command.
B. The show ip route command displays the contents of the ip routing table.
D. The show interface command displays the serial interface configuration.
E. This is not a valid command.

Question
You have just created an IP extended access list and now wish to apply this to an interface.
Which command will allow you to apply the list to an interface?

A. Permit access-list 101 out
B. Ip access-group 101 out
C. Apply access-list 101 out
D. Access-class 101 out
E. Ip access-list e0 out

Answer B

Explanation
In order for an access list to be activated, the ip access-group command must be used. This
command activates the IP access list on an interface. Before you use the ip access-group
command you must take care to ensure that you have configured an access list. If you do not,
the result will be permit any.

Incorrect Answers
A, C-E. Are not valid commands.

Question
TestK#show access-list
Extended IP access list 135
    deny tcp any 131.107.0.0 0.0.255.255 eq 53
    deny tcp any any eq telnet

TestK#show ip interface e0
Ethernet0 is up, line protocol is up
Internet address is 172.17.9.60/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Outgoing access list is 135
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled

Rest of configuration omitted.

You have created an Extended IP access list. Now you apply the access list to Ethernet 0.
What is the result of this action?

A. Only e-mail and telnet access will be permitted out of Ethernet 0.
B. All hosts on the 172.30.24.64 network will be permitted e-mail and telnet access.
C. All TCP protocols will be permitted out of Ethernet 0 except e-mail and telnet.
D. All IP traffic out of Ethernet 0 will be denied.
E. The access-list is numbered incorrectly and will fail.

Answer D

Explanation
The exhibit is showing an extended IP access-list configuration. For this access list to have the
desired effect it will require a permit statement at the end as there is an implicit deny statement
otherwise. The statement should be: access-list 135 permit ip any any.
Incorrect Answers
A, B and C. All traffic out will be denied without a permit statement.
E. The access-list is correctly numbered.

Question
Which of the following ranges are used for IPX standard access lists?

A. 100 - 199
B. 600 - 699
C. 800 - 899
D. 1000 - 1099

Answer C

Explanation
Access lists exist for IPX traffic, just as they do for IP traffic. Like IP, there are number ranges for
IPX access lists.
The IPX access list ranges are:
800 to 899 - standard access lists
900 to 999 - extended access lists
1000 to 1099 - SAP filter access lists.

Incorrect Answers.
A. 100-199 is the range for an extended IP access list.
B. This is not a defined access list range.
D. The range 1000-1099 is for SAP filter access lists.

Question
You want to make sure that access-list you just created does not conflict with an existing
access-list. Which router command allows you to view all of the access-lists created and the
contents of all access lists?

A. Router# show interface.
B. Router> show IP interface.
C. Router# show access-lists.
D. Router> show all access list.

Answer C

Explanation
The show access-lists command will display the contents of all access lists.

Incorrect Answers
A. Only access lists bound to that interface would be displayed
B. The show ip interface command must be given in privileged EXEC mode.
D. This is not a valid command.

Question
AJ has just created an IP access-list and you will like to see if he has applied this access-list to
an interface. Which one of following commands will allow you to see if an access-list has been
applied to an interface?

A. Router# show ip interface
B. Router> show access-list
C. Router# show ip access-list
D. Router> show interface ip access-list

Answer A

Explanation: The show ip interface command displays IP interface information and indicates
whether any access lists are set for a specific interface.

Incorrect Answers
B. The show access-lists command must be given in the privileged EXEC mode.
C. Even if the proper command was used the end result would the displaying of all IP access
lists running in the router, not for a particular interface.
D. This is not a valid command.

Question
One of the security mechanisms used in securing a router is access-lists. You have decided to
use Standard IP access lists in your company which of the following is an example of a
Standard IP access lists?

A. Access-list standard 172.16.4.13
B. Access-list 2 deny 172.16.4.13 0.0.0.0
C. Access-list 101 deny 172.16.4.13 0.0.0.0
D. Access-list 199 deny 172.16.4.13 255.255.255.255

Answer B
Explanation
A standard access list is in the range of 1-99 and the proper command syntax is:
access-list {access-list number} {permit or deny} {test conditions}
In this case the test condition is an ip address.

Incorrect Answers
A. The access command must contain a number and whether the action is to be permitted or
denied.
C. Is an extended access-list number and not a standard number.
D. 199 is also an extended access-list number and not a standard number.

Question
You are concerned about security on your network. You have a router that is connected to the
Internet and do not want your RIP updates being sent out this interface that is connected to the
Internet. Which command will prevent these updates from going out the interface without using
access-lists?

A. Passive route.
B. Default routes.
C. Passive interface.
D. Route update filtering.

Answer C

Explanation: The passive interface command will prevent the sending of RIP updates.

Incorrect Answers
A. Passive routes are used with IGRP and not RIP.
B. Default/static routes will not prevent RIP updates.
D. Filtering is most often achieved on a router with an access list.

Question
Which statement should you use to deny telnet access only from Network 210.93.105.0 to
Network 223.8.151.0?

A. Access-list one deny 210.93.105.0.0.0.0.0.0 any eq 23 access-list one permit any.
B. Access-list 100 deny tcp 210.93.105.0 0.0.0.255 223.8.151.0 0.0.0.255 eq 23
C. Access-list 100 deny ip 223.8.151.0 0.0.0.255 any eq 23
Access-list 100 permit ip any any
D. Access-list 100 deny tcp 210.93.105.0 0.0.0.255 223.8.151.0 0.0.0.255 eq telnet
Access-list 100 permit ip any any

Answer D

Explanation: Great care must be taken whenever an access list is configured, as everything that
does not match the access list is denied by the implicit deny at its end. The proper command for
configuring an extended access list to deny telnet traffic is: access-list 100 deny tcp source
address destination address eq telnet. When configured this way, followed by the permit ip any
any statement, the access list will deny telnet traffic and permit all other traffic.

Incorrect Answers
A. The entire statement has syntax problems. You use a number, not a word (one), for the
access list, and the access list for this problem needs to be an extended access list in the
range of 100-199.
B. This access list will deny access, but then any non-match falls through and will be denied.
C. This access list denies access from 223.8.151.0 to anywhere else this is not what the
problem asked. 223.8.151.0 is supposed to be the destination, not the source.

Question
Given the configuration example
interface ethernet0
ipx network 100
ipx access-group 800 out
interface ethernet1
ipx network 200
interface ethernet2
ipx network 300

access-list 800 permit 200 100

Which two actions result from implementing this configuration? (Choose two.)

A. IPX network 400 will not receive any traffic.
B. Traffic from network 200 for network 100 will be forwarded out e0.
C. Traffic from network 200 for network 200 will be forwarded out e0.
D. Traffic from network 200, destined for network 100, will be forwarded out e2.
E. The access list is applied to an outgoing interface and filters outbound traffic.

Answer B, E

Explanation
The key commands for this question are "ipx access-group 800 out" and "access-list 800 permit
200 100".
The first command identifies the access list as an outbound access list. In the command
"access-list 800 permit 200 100", the first network, 200, is the source network number and the
second network, 100, is the destination network.

Incorrect Answers
A. There is no reference to network 400 in this question.
C. Network 200 would not need the access list to send traffic within itself.
D. This traffic will be forwarded to interface e0, not interface e2.

Question
What are two commands that you can use to view your access lists? (Choose two)

A. Show filters.
B. Show access-lists.
C. Show IP access-list.
D. Show running-Config.

Answer B, D

Explanation
B. The show access-lists command displays the contents of all access lists. If you only want to
display IP access lists, issue the show ip access-lists command.
D. The show running-config command shows which access lists are configured and on which
interfaces they are applied.

Incorrect Answers
A. There is no show filters command.
C. The show IP access-list command only shows the IP access lists.

Question
If you issued the command show access-list 101 list what would be displayed?

A. All extended access lists.
B. All access lists within the router.
C. The contents of standard access list 101
D. The contents of extended access list 101

Answer D

Explanation
As the command is directing that the contents of access list 101 be displayed and as 101 is a
number for an extended IP access list D is correct.
Incorrect Answers
A and B. Only access list 101 will be displayed.
C. Standard IP access lists are in the range of 1-99; IP extended access lists are in the range
of 100-199.
Question

A network administrator in London has been instructed to prevent all traffic originating on the
Paris LAN from entering the London router.
Which statement would accomplish this filtering?

A. access-list 101 deny ip 192.168.45.0 0.0.0.255 any
B. access-list 101 deny ip 192.168.45.0 0.0.0.0 any
C. access list 101 deny ip 192.168.46.0 0.0.0.0.255 198.168.45.0 0.0.0.255
D. access-list 101 deny ip 192.168.46.0 0.0.0.255 any

Answer A

Explanation
The access list is configured to deny all traffic from the Paris router's network 192.168.45.0 to
any network in London. The wildcard mask is also correctly defined for a Class C network.

Incorrect Answers
B. The wildcard mask for the 192.168.45.0 network is wrong. It should be 0.0.0.255 instead of
0.0.0.0.
C. This access list denies all traffic from the 192.168.46.0 network to the 192.168.45.0 network
(there is a typo in this answer: 192 is printed as 198). It could be defined on the Paris router if
we wanted to deny traffic from the London network (192.168.46.0) to the Paris network
(192.168.45.0).
D. This access list denies traffic from network 192.168.46.0 to any network.

Question
The following access list was applied outbound on the E0 interface connected to the
192.168.1.8/29 LAN
access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 20 any
access-list 123 deny tcp 192.168.1.9 0.0.0.7 eq 21 any
What effect will this access list have?

A. All traffic will be allowed to exit E0 except FTP traffic.
B. FTP traffic from 192.168.1.22 to any host will be denied.
C. FTP traffic from 192.168.1.9 to any host will be denied.
D. All traffic exiting E0 will be denied.
E. All FTP traffic to network 192.168.1.8/29 from any host will be denied.

Answer D

Explanation
By default an access list has an implicit deny statement at the end. In this example there is no
permit statement, so it will deny all traffic exiting the E0 interface.

Incorrect answers
A. It will deny FTP and Telnet Traffic
B, C, E. It will deny all traffic in addition to the condition mentioned in the answer. Because
there is no permit statement at the end.
Question
A network administrator has been instructed to prevent all traffic originating on the Dallas1 LAN
from entering the Dallas2 router. Which command would implement the access list on the
interface of the Dallas2 router?

A. access-list 101 in
B. access-list 101 out
C. ip access-group 101 in
D. ip access-group 101 out

Answer C

Explanation
To use an access list on an interface, the ip access-group command must be configured on that
interface. Before defining ip access-group on an interface you should configure the access list.
If ip access-group is not defined, all traffic is permitted.

Incorrect answers
A, B. There are no such commands.
D. This will apply on an interface for outgoing packets from the interface. Our question requires
access-list to be applied for incoming packets to a particular interface on Dallas2.

Question

The network administrator of the TestKing1 router adds the following command to the router
configuration
ip route 192.168.12.0 255.255.255.0 172.16.12.1
What are the results of adding this command? (Choose two)

A. The command establishes a static route.
B. The command invokes a dynamic routing protocol for 192.168.12.0.
C. Traffic for network 192.168.12.0 is forwarded to 172.16.12.1.
D. Traffic for all networks is forwarded to 172.16.12.1.
E. This route is automatically propagated throughout the entire network.

Answer A, C

Explanation
The ip route command defines a static route on a particular router. Traffic for the 192.168.12.0
network is forwarded to 172.16.12.1 (the IP address of the next-hop interface).

Incorrect Answers
B. It does not invoke any routing protocol; it defines a static route.
D. Only traffic for the 192.168.12.0 network is forwarded to 172.16.12.1.
E. The ip route command does not propagate the route automatically. The route is propagated
only if a routing protocol is configured and the network is included in it.
Question
Which command is used to display the placement and direction of an IP access control list on a
router?

A. show access-list
B. show ip route
C. show ip interface
D. show interface
E. show interface list
F. show ip interface brief

Answer C

Explanation: "The show ip interface command displays IP interface information and indicates
whether any access lists are set for a specific interface."

Incorrect Answers
A. show access-list will display all configured access lists but not the placement or direction.
B. show ip route will show the contents of the ip routing table
D. show interface will display the status of an interface, including the encapsulation method, but
not the access control list.
E. show interface list is not a valid command
F. show ip interface brief is not a valid command

Question
You are configuring a E0 interface connected to the 192.168.1.8/29 LAN on a Cisco router.
You apply the following access list to the interface.

access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 20 any
access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 21 any
What consequence will this access list have?

A. All traffic will be allowed to exit E0 except FTP traffic.
B. FTP traffic from 192.168.1.22 to any host will be denied.
C. FTP traffic from 192.168.1.9 to any host will be denied.
D. All traffic exiting E0 will be denied.
E. All FTP traffic to network 192.168.1.8/29 from any host will be denied.

Answer D

Explanation
By default an access list has an implicit deny statement at the end. In this example there is no
permit statement, so it will deny all traffic exiting the E0 interface.

Incorrect answers
A. It will deny FTP and Telnet Traffic
B,C,E. It will deny all traffic in addition to the condition mentioned in the answer. Because there
is no permit statement at the end.
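The two access-list 123 questions above both turn on the implicit deny. As an added example (not part of the original question bank), here is a small Python simulation of extended-ACL evaluation: it parses only the subset of the access-list syntax that appears on this page (any, host, address/wildcard, eq port), applies first-match semantics, and falls through to the implicit deny. The sample packets are constructed values, not from any real capture.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known port names used in ACL statements on this page.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    protocol: str            # "ip", "tcp" or "udp"
    src: str
    src_wild: str
    src_port: Optional[int]  # 'eq' on the source side, None = any port
    dst: str
    dst_wild: str
    dst_port: Optional[int]  # 'eq' on the destination side


def parse_ace(line: str) -> Ace:
    """Parse: access-list N {permit|deny} PROTO SRC [eq PORT] DST [eq PORT],
    where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line}")
    pos = 4  # tok[1] = list number, tok[2] = action, tok[3] = protocol

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    def take_port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            p = tok[pos - 1]
            return int(p) if p.isdigit() else PORT_NAMES[p]
        return None

    src, src_wild = take_addr()
    src_port = take_port()
    dst, dst_wild = take_addr()
    dst_port = take_port()
    return Ace(tok[2], tok[3], src, src_wild, src_port, dst, dst_wild, dst_port)


def evaluate(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wild):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wild):
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "implicit deny"


# The two statements from the question, exactly as written there.
ACL_123_AS_WRITTEN = [parse_ace(l) for l in (
    "access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 20 any",
    "access-list 123 deny tcp 192.168.1.8 0.0.0.7 eq 21 any",
)]
# The same list with the permit statement the explanation says is missing.
ACL_123_FIXED = ACL_123_AS_WRITTEN + [parse_ace("access-list 123 permit ip any any")]


def compare(acl: List[Ace]) -> dict:
    """Evaluate a few constructed sample packets against an ACL."""
    return {
        # FTP control traffic sourced from a host inside 192.168.1.8/29
        "ftp_from_.9": evaluate(acl, "tcp", "192.168.1.9", 21, "203.0.113.10", 40000),
        # ordinary web traffic from the same LAN: matches neither deny line
        "web_from_.10": evaluate(acl, "tcp", "192.168.1.10", 50000, "203.0.113.10", 80),
        # 192.168.1.22 lies outside the /29, so the deny lines never match it
        "ftp_from_.22": evaluate(acl, "tcp", "192.168.1.22", 21, "203.0.113.10", 40000),
    }


if __name__ == "__main__":
    print("as written: ", compare(ACL_123_AS_WRITTEN))
    print("with permit:", compare(ACL_123_FIXED))
```

Run as written, every sample packet that is not FTP from the /29 ends in "implicit deny", which is the behaviour answer D describes; appending the permit ip any any line is what turns the list into the "deny FTP, allow the rest" filter the question writer presumably intended.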

Question
As a network technician you are configuring access lists on an interface of a Cisco router.
You use multiple access lists.
Which of the following statements are valid? (Select one)

A. There is no limit to the number of access lists that can be applied to an interface, as long as
they are applied in order from most specific to most general.
B. Cisco IOS allows only one access list to be applied to an interface.
C. One access list may be configured per direction for each Layer 3 protocol configured on an
interface.
D. Up to three access lists per protocol can be applied to a single interface.
E. No more than two access lists can be applied to a single interface.
F. The maximum number allowed varies depending on the amount of RAM installed in the
router.
Answer C

Question
Your trainee Jose is interested in ACLs (access control lists).
He asks you want they can be used for. What should you tell him? (Choose three)

A. Protect hosts from viruses.
B. Classify network traffic.
C. Provide high network availability.
D. Identify interesting traffic for DDR.
E. IP route filtering.
F. Monitor the number of bytes and packets.

Answer C, D, E

Explanation
IP access control lists (ACLs) cause a router to discard some packets based on criteria defined
by the network engineer. The goal of these filters is to prevent unwanted traffic in the network –
whether to prevent hackers from penetrating the network or just to prevent employees from
using systems they should not be using. IP access lists can also be used to filter routing
updates, to match packets for prioritization, to match packets for VPN tunneling, and to match
packets for implementing quality of service features.

Question
An administrator creates an access list prohibiting Telnet on his router. He then successfully
initiates a Telnet session from the router. What is the most likely reason the access list failed?

A. The access list should be changed to stop UDP traffic.
B. The access list should be changed to stop TCP traffic.
C. The access list should be changed to block port 23 traffic.
D. The access list cannot stop the administrator's action.

Answer D
Access lists stop traffic going through the router—not traffic originating from the router, as in
this scenario. Therefore, the administrator's Telnet session is able to connect. A is incorrect
because Telnet uses TCP. B is incorrect. Telnet does use TCP traffic, but this is not the most
likely cause of the problem. C is incorrect. Telnet connects to remote port 23 by default;
however, the issue here is that the session initiated from the router, and access lists filter only
traffic going through the router.

Question

You need to place an access list on the Fa0 interface of the Home router; that will deny access
to all hosts that lie within the range 192.168.160.0 - 192.168.191.0. Hosts in the 192.168.195.0
network should be granted full access. Which one of the following answer choices fulfills your
needs?

A. access-list 1 deny 192.168.163.0 0.0.0.255
B. access-list 1 deny 192.168.128.0 0.0.127.255
C. access-list 1 deny 192.168.160.0 0.0.255.255
D. access-list 1 deny 192.168.160.0 0.0.31.255

Range 192.168.160.0/24 to 192.168.191.0/24 (note: 160 + 31 = 191)

Answer D

Explanation: This question is really more of an inverse subnet masking question than a
security question. Your goal is to block access to the host range 192.168.160.0-192.168.191.0
while allowing everything else (including hosts from 192.168.195.0) full access. Answer D is
correct because the address and mask are numbered correctly.

Question
Which of the following access list statements would deny traffic from a specific host?

A. Router(config)# access-list 1 deny 172.31.212.74 any
B. Router(config)# access-list 1 deny 10.6.111.48 host
C. Router(config)# access-list 1 deny 172.16.4.13 0.0.0.0
D. Router(config)# access-list 1 deny 192.168.14.132 255.255.255.0
E. Router(config)# access-list 1 deny 192.168.166.127 255.255.255.255

Answer C

Explanation: Only choice C is the correct syntax for a specific host. The access list is denying
all traffic from the host with IP address 172.16.4.13. It is important to note that in an access list,
the subnet mask is the inverse. Normally, a host subnet mask is 255.255.255.255, but in an
access list it is 0.0.0.0.

Incorrect Answers
A. The syntax is incorrect here, as there is no subnet mask at all specified.
B. This would be an acceptable choice, if the "host" keyword were placed in front of the IP
address, not after.
D. The subnet mask here includes the entire class C network here, not an individual host.
E. In an access list, the subnet mask is an inverse mask. The mask specified here would be
equivalent to all 0's in a subnet mask, meaning that the don't care bits apply to the entire
address.

Question
Which IP address and wildcard mask would you use in your ACL to block all the hosts in the
subnet 192.168.16.43/28?

A. 192.168.16.32 0.0.0.16
B. 192.168.16.43 0.0.0.212
C. 192.168.16.0 0.0.0.15
D. 192.168.16.32 0.0.0.15
E. 192.168.16.0 0.0.0.31
F. 192.168.16.16 0.0.0.31

Answer D

Explanation: Since there are 28 bits in the subnet mask, we can find the inverse mask by
reversing the 1's and 0's.
/28 = 11111111.11111111.11111111.11110000
/28 Inverse = 00000000.00000000.00000000.00001111 = 0.0.0.15, giving 192.168.16.32 0.0.0.15
The address 192.168.16.32 and the wildcard mask 0.0.0.15 is the correct answer as shown.
This will match all addresses in the 192.168.16.32-192.168.16.47 range.
Question
Two routers are connected together as shown

In order to control access on the network, the following access list is created.
access-list 101 permit tcp 192.168.1.16 0.0.0.15 192.168.2.16 0.0.0.15 eq 23

What would happen if you applied the following ACL to any one of the routers in the above
exhibit? On what interface and what direction should you apply it? Once applied, what will this
access list accomplish? (Select all valid answer choices)

A. Telnet traffic from 192.168.1.16 0.0.0.15 to 168.2.16 0.0.0.15 is allowed.
B. SMTP traffic from 192.168.1.16 0.0.0.15 to 168.2.16 0.0.0.15 is allowed.
C. The ACL is configured to allow traffic from one specific host to another.
D. The ACL should be applied inbound to the e0 interface of Router CertKing1.
E. The ACL should be applied outbound to the e0 interface of Router CertKing1.

Answer A, D

Explanation: This is a two part question. The first part is the type of traffic that will match this
specific access list entry. Since telnet uses TCP port 23, choice B is correct. Next, to determine
which interface and which direction to apply the access list, we see that the source of the traffic
is the 192.168.1.16/28 network, while the destination is the 192.168.2.16/28 network.
Therefore, only choice D makes sense.

Incorrect Answers
B. SMTP uses TCP port 25.
C. There is a /15 network mask for both the source and destination in this access list, which
translates to a /28 network.
E. This would not be useful if applied to the outbound, as no traffic would match then. Note that
if this answer had stated that the access list be placed on the outbound serial (WAN) interface,
then this would have been an acceptable choice.

Question
A standard IP access list is applied to an Ethernet interface of a router. What does this standard
access list filter on?

A. The source and destination addresses
B. The destination port number
C. The destination address
D. The source address
E. All of the above

Answer D

Explanation: The standard IP access-list will only filter on the source address contained in the
packet. Extended access lists can filter on the source and destination address and port
information.

Question
The network is subnetted using 29 bits for the subnet mask. Which wild card mask should be
used to configure an extended access list to permit or deny access to an entire subnetwork?
A. 255.255.255.224
B. 255.255.255.248
C. 0.0.0.224
D. 0.0.0.8
E. 0.0.0.7
F. 0.0.0.3

Answer E

Explanation
Class C wildcard masks start with 0.0.0.x. The subnet used in this example is 29 bits, or
subnet mask 255.255.255.248. Therefore we are left with 7 for the final octet (255 - 248), so
the answer is 0.0.0.7.

Question
Part of the network is shown

The network administrator wants to prevent computers on the 192.168.23.64/26 subnet from
accessing the 192.168.23.128/26 subnet via FTP. All other hosts should be allowed to access.
What commands should be entered on the router to accomplish this task?

A. Router(config)#access-list 101 deny tcp 192.168.23.64 0.0.0.63 192.168.23.128 0.0.0.63 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/0
Router(config-if)#ip access-group 101 in

B. Router(config)#access-list 101 deny tcp 192.168.23.64 0.0.0.255 192.168.23.128 0.0.0.255 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/0
Router(config-if)#ip access-group 101 in

C. Router(config)#access-list 101 deny tcp 192.168.23.64 0.0.0.63 192.168.23.128 0.0.0.63 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/0
Router(config-if)#access-list 101 out

D. Router(config)#access-list 101 deny tcp 192.168.23.64 0.0.0.255 192.168.23.128 0.0.0.255 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/1
Router(config-if)#ip access-group 101 in

E. Router(config)#access-list 101 deny tcp 192.168.23.128 0.0.0.63 192.168.23.64 0.0.0.63 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/1
Router(config-if)#ip access-group 101 in

F. Router(config)#access-list 101 deny tcp 192.168.23.128 0.0.0.255 192.168.23.128 0.0.0.255 eq ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interface fa0/1
Router(config-if)#ip access-group 101 out

Answer A

Explanation
Only choice A specifies the correct wildcard mask and direction. If we apply the access list to
interface FA0/0, we need to specify incoming FTP traffic from the 192.168.23.64/26 network to
the 192.168.23.128/26 network.

/26 = 11111111.11111111.11111111.11000000
    = 255.255.255.192 (255 - 192 = 63)
wildcard = 0.0.0.63

Incorrect Answers
B, D, F. The wildcard mask for a /26 network is 0.0.0.63, not 0.0.0.255.
C. This access list statement is correct, but when it is applied to the FA0/0 interface it needs to
be in the incoming direction.
E. This access list needs to be applied to interface FA0/0, not FA0/1. Alternatively, it could have
been applied to interface FA0/1, but in the outbound direction, not the inbound direction.

Question

The network administrator would like to permit only hosts on the 172.30.16.0/24 network to
access the Internet. Which wild card mask and address combination will only match addresses
on this network?

A. 172.30.0.0 0.0.0.0
B. 172.30.16.0 0.0.0.255
C. 172.30.0.0 0.0.15.255
D. 172.30.16.0 0.0.31.255
E. 172.30.16.0 0.0.255.255

Answer B

Explanation: Only hosts on the 172.30.16.0/24 network are allowed to access the Internet, so
the wildcard mask must match exactly that network: 172.30.16.0 0.0.0.255, where an octet of 0
means "must match exactly" and 255 means "any value in the 0-255 range". For a single host
the wildcard is 0.0.0.0, for example 192.168.0.1 0.0.0.0; for a range, 192.168.0.1 0.0.0.3 covers
four hosts in total.
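Several of the preceding questions (the 192.168.160.0-192.168.191.0 range, 192.168.16.43/28, the /29 subnet, the /26 FTP filter and the 172.30.16.0/24 match) are the same wildcard-mask calculation in different clothing. The Python below is an added example, not part of the original question bank: it derives the wildcard from a prefix length, turns an address range into a single address/wildcard pair only when that is actually possible, and checks the range question's over-broad option against the 192.168.195.0 hosts that must stay permitted. All addresses are the ones the questions use.

```python
import ipaddress


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask for a /n prefix: the bitwise inverse of the subnet mask.
    /28 -> 0.0.0.15, /26 -> 0.0.0.63, /29 -> 0.0.0.7."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def subnet_entry(addr_with_prefix: str):
    """Address/wildcard pair matching exactly the subnet that contains the
    given address, e.g. 192.168.16.43/28 -> ('192.168.16.32', '0.0.0.15')."""
    net = ipaddress.IPv4Network(addr_with_prefix, strict=False)
    return str(net.network_address), prefix_to_wildcard(net.prefixlen)


def range_to_entry(first: str, last: str):
    """Single address/wildcard pair covering first..last inclusive. Only an
    aligned power-of-two block fits one entry; anything else raises rather
    than silently matching too much or too little."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        raise ValueError("range is not an aligned power-of-two block")
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(size - 1))


def covered_range(base: str, wildcard: str):
    """First and last address an address/wildcard pair matches (contiguous
    wildcard assumed); 'don't care' bits of the base are zeroed first."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    first = b & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True when addr agrees with base on every bit the wildcard marks 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def check_range_question() -> dict:
    """The 192.168.160.0-192.168.191.0 question: the block of 32 Class C
    networks needs 0.0.31.255, while the over-broad 0.0.255.255 option would
    also catch 192.168.195.x, which that question says must stay permitted."""
    base, wild = range_to_entry("192.168.160.0", "192.168.191.255")
    return {
        "entry": (base, wild),
        "blocks_191": matches("192.168.191.200", base, wild),
        "spares_195": not matches("192.168.195.7", base, wild),
        "broad_mask_hits_195": matches("192.168.195.7", "192.168.160.0", "0.0.255.255"),
    }


if __name__ == "__main__":
    for p in (24, 26, 28, 29):
        print(f"/{p} -> wildcard {prefix_to_wildcard(p)}")
    print(subnet_entry("192.168.16.43/28"), covered_range("192.168.16.32", "0.0.0.15"))
    print(subnet_entry("192.168.23.64/26"))
    print(check_range_question())
```

The ValueError in range_to_entry is the point worth remembering: a range such as 192.168.160.0-192.168.190.255 cannot be expressed by one wildcard entry, and a practitioner who forces it into one either blocks an extra network or leaves one open.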

Question
What are two reasons that a network administrator would use access lists? (Choose two.)

A. To filter traffic as it passes through a router
B. To filter traffic that originates from the router
C. To replace passwords as a line of defense against security incursions
D. To control vty access into a router
E. To control broadcast traffic through a router

Answer A, D

Explanation
Access lists are used to process data received by a router, which falls into two broad
categories:
1. traffic that passes through the router via the forwarding path (choice A);
2. traffic destined for the router itself via the receive path for route-processor handling, such as
SSH/Telnet vty access (choice D).
In normal operation the vast majority of traffic simply flows through a router en route to its
ultimate destination.
Incorrect Answers
B. Traffic originated by the router will bypass the access list.
C. Access lists can be used to permit or deny access, but they cannot replace the need for
passwords to authorize users into the system.
E. Routers do not forward broadcast traffic by default, and this is true regardless if access lists
are configured or are not.

Question
Which command sequence will allow only traffic from network 185.64.0.0 to enter interface s0?

A. access-list 25 permit 185.64.0.0 255.255.0.0
   int s0; ip access-list 25 out

B. access-list 25 permit 185.64.0.0 255.255.0.0
   int s0; ip access-group 25 out

C. access-list 25 permit 185.64.0.0 0.0.255.255
   int s0; ip access-list 25 in

D. access-list 25 permit 185.64.0.0 0.0.255.255
   int s0; ip access-group 25 in

Answer D

Explanation

The correct sequence of commands is:

1. access-list 25 permit 185.64.0.0 0.0.255.255
2. int s0
3. ip access-group 25 in
