Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs

Slides:



Advertisements
Similar presentations
Access Control List (ACL)
Advertisements

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.
CCNA 2 v3.1 Module 11.
Access Lists Lists of conditions that control access.
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.
Network Certification Preparation. Module - 5 Basic troubleshooting of IP addressing issues Basic troubleshooting of RIP and IGRP Basic troubleshooting.
© 2002, Cisco Systems, Inc. All rights reserved..
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Access Control List ACL. Access Control List ACL.
Access Control Lists (ACLs)
Access Control List (ACL) W.lilakiatsakun. ACL Fundamental ► Introduction to ACLs ► How ACLs work ► Creating ACLs ► The function of a wildcard mask.
Sybex CCNA Chapter 12: Security Instructor & Todd Lammle.
1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)
1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)
Access Control List (ACL)
Instructor & Todd Lammle
CCNA – Cisco Certified Network Associates Access Control List (ACL) By Roshan Chaudhary Lecturer Islington College.
Access-Lists Securing Your Router and Protecting Your Network.
ACLs ACLs are hard. Read, read, read. Practice, practice, practice ON TEST4.
Page 1 Access Lists Lecture 7 Hassan Shuja 04/25/2006.
Access Control List ACL’s 5/26/ What Is an ACL? An ACL is a sequential collection of permit or deny statements that apply to addresses or upper-layer.
CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration Access Lists.
1 What Are Access Lists? –Standard –Checks Source address –Generally permits or denies entire protocol suite –Extended –Checks Source and Destination address.
Semester 3 Chapter 6 ACLs. Overview Router can provide basic traffic filtering capability Access Control Lists can prevent packets from passing through.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
Saeed Darvish Pazoki – MCSE, CCNA Abstracted From: Cisco Press – ICND 2 – 6 IP Access Lists 1.
Page 1 Chapter 11 CCNA2 Chapter 11 Access Control Lists : Creating ACLs, using Wildcard Mask Bits, Standard and Extended ACLs.
Sem 3 Access Control Lists. Summary of Access Lists Access lists perform serveral functions within a Cisco router, including: ** Implement security /
Restricting Access in the network
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
ACCESS CONTROL LIST.
Chapter 3 Managing IP Traffic. Objectives Upon completion of this chapter you will be able to perform the following tasks: Configure IP standard access.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
Sybex CCNA Chapter 10: Security Instructor & Todd Lammle.
Access Control Lists Mark Clements. 17 March 2009ITCN 2 This Week – Access Control Lists What are ACLs? What are they for? How do they work? Standard.
Wild Stuff ExtendedACLGeneralACLStandardACL Got the Right Number?
CCNA4 Perrine / Brierley Page 12/20/2016 Chapter 05 Access Control Non e0e1 s server.
Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.
1 Access Control Lists (ACLs). 222 Overview 1.Network administrators must be able to a.deny unwanted access to a network and b.allow authorized users.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
Extended Access Control Lists. Extended ACLs Can Filter on One or Many Data Fields.
Lab 12 – Cisco Firewall.
Instructor & Todd Lammle
Instructor Materials Chapter 7: Access Control Lists
Instructor Materials Chapter 4: Access Control Lists
CCENT Study Guide Chapter 12 Security.
Managing IP Traffic with ACLs
Managing IP Traffic with ACLs
© 2002, Cisco Systems, Inc. All rights reserved.
Introducing ACL Operation
Chapter 4: Access Control Lists (ACLs)
Access Control Lists Last Update
Chapter 4: Access Control Lists
Access Control Lists CCNA 2 v3 – Module 11
ACCESS CONTROL LIST Slides Prepared By Adeel Ahmed,
Presentation transcript:

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs By Carl Marandola CCAI-CCNA

Objectives Define and describe the purpose and operation of ACLs Explain the processes involved in testing packets with ACLs Describe ACL configuration commands, global statements, and interface commands Define and explain the function and operation of wildcard masks bits and the wildcards any and host Describe standard ACLs Describe extended ACLs Describe named ACLs Monitor and verify selected ACL operations on the router

ACL Overview Reasons to Create ACLs Creating an ACL in the Correct Order Using ACLs How ACLs Work

What Are ACLs? Lists of instructions you apply to a router's interface. Tell the router what kinds of packets to accept and what kinds to deny based on criteria defined in the ACL. Cisco ACLs support all routed network protocols (IP, IPX). Each protocol must have its own ACLs.

Reasons to Create ACLs Limit network traffic and increase network performance Provide traffic flow control Provide a basic level of security for network access Decide which types of traffic are forwarded or blocked at the router interfaces

ACL Configuration Tasks Grouping (Applying) ACLs to Interfaces Assigning a Unique Number to Each ACL Using Wildcard Mask Bits

Basic ACL Creation Steps Router#config t Router(config)#access-list 50 permit 192.168.1.10 Router(config)#access-list 50 deny 192.168.1.0 0.0.0.255 Router(config)#access-list 50 permit any Router(config)#interface Ethernet0 Router(config-if)#ip address 192.168.5.1 255.255.255.0 Router(config-if)#ip access-group 50 out (applying the ACL) Create a List of Permit or Deny Statements. Created in global configuration mode. Created in sequential order. Each new item is added to the bottom of the ACL. ACLs are processed in sequential order (top down). Apply the ACL to a Task. Although ACLs can be used in many ways, the CCNA exam covers only filtering interfaces.

Applying ACLs to Interfaces Router#config t Router(config)#access-list 50 permit 192.168.1.10 Router(config)#access-list 50 deny 192.168.1.0 0.0.0.255 Router(config)#access-list 50 permit any Router(config)#interface Ethernet0 Router(config-if)#ip address 192.168.5.1 255.255.255.0 Router(config-if)#ip access-group 50 out Keyword ip access-group applies ACL to an interface. In the above example, the ACL is applied “outbound” meaning: Only outbound traffic is checked by the ACL. Out or in is always viewed from the center of the router. The default direction is out (that is, if no designation is mad). Each interface can have an in and out ACL for each protocol configured on the interface.

ACLs Command-Line Basics Router#config t Router(config)#access-list 50 permit 192.168.1.10 Router(config)#access-list 50 deny 192.168.1.0 0.0.0.255 Router(config)#access-list 50 permit any Router(config)#interface Ethernet0 Router(config-if)#ip address 192.168.5.1 255.255.255.0 Router(config-if)#ip access-group 50 out Keyword access-list required; identifies an ACL item. ACL number (50 above) is the identifier for this particular list. Things to know about ACL numbers: Standard IP ACLs use numbers 1–99. Extended IP ACLs use numbers 100–199. Each item in the list will have the same number. No two ACLs on a router can use the same number. ACLs and ACL numbers are router-specific. Keywords permit / deny allow or prevent passage, respectively. Balance of the ACL is the criteria (rules for filtering).

How an Outbound ACL Works

Flowchart of the ACL Test Matching Process ACL lines are processed sequentially (top-down). When a criteria is matched, the packet is permitted or denied and no other testing occurs on that packet. If no ACL test matches, the packet it is denied by default.

Wildcard Mask Bits #1 Router#config t Router(config)#access-list 50 deny 192.168.1.0 0.0.0.255 Router(config)#access-list 50 permit any Router(config)#interface Ethernet0 Router(config-if)#ip address 192.168.5.1 255.255.255.0 Router(config-if)#ip access-group 50 out Although maybe not a perfect explanation, it is often easiest to see wildcard masks as being just the opposite of subnet masks. The subnet mask 255.255.255.0 identifies the network, the wildcard mask 0.0.0.255 identifies the hosts. A subnet mask is a 32-bit value made up of contiguous 1s and then 0s. A wildcard is a 32-bit value made up of contiguous 0s indicating a “must match” and then 1s. In the above example, the 0s mean the first 3 octets must match exactly. The 255 means any value from 0 to 255 can be here. Both actually occur in binary and can often be understood only in binary.

Wildcard Mask Bits #2

Wildcard Mask Bits #3 It is possible to identify a range of subnets. = 16 This means any value that can be made using 4 bits (0 to 15), so the range is 16+0 to 16+15. It is possible to identify a range of subnets. 172.30.16.0 0.0.15.255 The 255 means the last octet can be 0 to 255. 3rd Octet

Keywords Any and Host Any Host Same as 0.0.0.0 255.255.255.255 Example: access-list 12 permit any Host Same as IP-address 0.0.0.0 Example: 192.168.1.10 0.0.0.0 Example: access-list 12 deny host 192.168.1.10 Can be omitted in standard IP ACLs Router(config)#access-list 75 deny host 192.168.1.10 Router(config)#access-list 75 deny 192.168.17.123 Router(config)#access-list 75 permit any

Implicit Deny Any Statement By default, an interface will allow all traffic in both directions. Once an ACL is applied, the default state switches to deny all traffic in the direction of the ACL (in or out). Many ACLs end with access-list # permit any to avoid the implied deny any. Router(config)#access-list 75 deny host 192.168.1.10 Router(config)#access-list 75 deny 192.168.17.123 Router(config)#access-list 75 permit any

Permit and Deny Statements Except in special circumstances, every ACL must have at least one permit statement. An ACL made up of only deny statements combined with the implicit deny any statement will block all traffic in the direction of the ACL. No similar requirement for deny statements.

Standard ACLs Criteria is limited to source network address only. Can identify a host, subnet, or network Denies or permits all traffic from the target address for the protocol Necessary to place close to the destination

Standard ACLs Example #1 This one-line ACL will allow into each LAN only packets from the other LAN, not from the cloud. The implicit deny any blocks any other traffic.

Standard ACLs Example #2 Network X This two-line ACL will deny traffic from a single host A from getting to the X network. The second line could and should have been access-list 1 permit any. The implicit deny any is negated by the previous line, which allowed every thing through.

Standard ACLs Example #3 This two-line ACL will deny traffic from the entire 172.16.4.0 network. The second line allows any traffic from the cloud. The implicit deny any is negated by the permit any line, which allowed everything else through.

Extended ACLs Can Filter on One or Many Data Fields

Extended ACLs – Creating an Extended Access List As with standard lists, the access-list command is used to create each condition of the list – using one condition per line. The syntax for each line in the list is: access-list access-list-number {permit | deny} {protocol | protocol keyword} {source | any} [source-wildcard] [source port] {destination | any} [destination-wildcard] [destination port] [options] Example: Lab-X#config t Lab-X(config)#Access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq www Lab-X(config)#Access-list 101 deny tcp any eq ftp 192.168.1.25 Lab-X(config)#Access-list 101 permit ip any any Lab-X(config)#interface Fastethernet 0/0 Lab-X(config-if)#ip access-group 101 out The access list-number range for IP extended access lists is 100 to 199. The protocol entry defines the protocol to be filtered, such as IP, TCP, UDP, or ICMP for example. Because IP headers transport TCP, UDP, and ICMP, it is important to specify the protocol or you could end up inadvertently filtering more than you want to. Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

Extended ACLs – TCP Relational Operators The access list TCP protocol option supports both source and destination ports. You can access each by using either the port number or a mnemonic or acronym. Keyword relational operators such as those shown in the following code output precede these: Lab-X(config)#access-list 101 deny tcp any ? A.B.C.D Destination address. any Any destination host. eq Match only packets on a given port number. gt Match only packets with a greater port number. host A single destination host. lt Match only packets with a lower port number. neq Match only packets not on a given port number. range Match only packets in the range of port numbers. Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

Extended ACLs – Protocol Identifiers After choosing a relational operator, specify a mnemonic (or acronym) or port number, such as the following code output for the TCP port names: Lab-X(config)#access-list 101 deny tcp any eq ? <0-65535> Port number bgp Border Gateway Protocol (179) chargen Character generator (19) cmd Remote commands (rcmd, 514) daytime Daytime (13) discard Discard (9) domain Domain Name Service (53) echo Echo (7) exec Exec (rsh, 512) finger Finger (79) ftp File Transfer Protocol (21) --Some output omitted— uucp Unix-to-Unix Copy Program (540) whois Nicname (43) www World Wide Web (HTTP, 80) Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

UDP and TCP Port Numbers

Extended ACLs – TCP Example The first statement could have used the mnemonic “telnet” in place of 23 with exactly the same result. The one advantage to using the mnemonic is that it is more intuitive to anyone having to support the device. Lab-X#config t Lab-X(config)#access-list 101 deny tcp 192.168.5.0 0.0.0.255 any eq 23 Lab-X(config)#access-list 101 permit ip any any Lab-X(config)#interface fastethernet 0/1 Lab-X(config-if)#ip access-group 101 in If you want to block network 192.168.5.0 from being able to surf the Web while still allowing other services such as FTP, use this code: Lab-X(config)#access-list 106 deny tcp 192.168.5.0 0.0.0.255 any eq www Lab-X(config)#access-list 106 permit ip any any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 106 in Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

Extended ACLs – Blocking RIP Routing Updates One example of using ACLs with UDP packets would be to block RIP routing updates from passing out a particular interface using an ACL such as the following: Lab-X#config t Lab-X(config)#access-list 150 deny udp any any eq rip Lab-X(config)#access-list 150 permit ip any any Lab-X(config)#int e0 Lab-X(config-if)#ip access-group 150 out Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

Important Concept for Extended ACLs Both ACLs below implicitly deny all other IP traffic, not just all other TCP traffic. A common mistake many people make is assuming that because they specified only TCP in the main statement(s), they need only to refer to TCP in the final permit any statement (102 below). The unplanned result would be that all ICMP and UDP traffic matching the address/protocol criteria would be blocked (102 below). ACL 101’s permit IP any any statement will allow all other traffic. Lab-X#config t Lab-X(config)#Access-list 101 deny tcp any 192.168.1.25 eq ftp Lab-X(config)#Access-list 101 permit IP any any Lab-X(config)#Access-list 102 deny tcp 10.0.0.0 0.255.255.255 192.168.1.1 eq ftp Lab-X(config)#Access-list 102 permit TCP any any Lab-X(config)#interface Fastethernet 0/0 Lab-X(config-if)#ip access-group 101 out Lab-X(config-if)#ip access-group 102 in Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

Extended Access List Processing

Named ACLs – Basics The Cisco IOS release supports using named access lists rather than the traditional number designations. This ability to name a list makes them easier to recognize and can make them easier to debug. Another advantage is that it is possible to delete individual entries from a specific ACL instead of erasing the entire list. A couple things to consider when implementing named ACLs: 1. Names, like numbers, must be unique on each router. 2. Named ACLs do not work with IOS releases prior to 11.2. The first step is to create the ACL using the following syntax: Router(config)#ip access-list {standard | extended} name Example: Lab-X(config)#ip access-list extended BlockInternet Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

Named ACLs – Example Lab-X#conf t Lab-X(config)#ip access-list ? (to see the options) extended Extended Access List log-update Control access list log updates logging Control access list logging standard Standard Access List Lab-X(config)#ip access-list standard ProtectLAN Lab-X(config-std-nacl)#deny 192.168.20.0 0.0.0.255 Lab-X(config-std-nacl)#deny 192.168.30.0 0.0.0.255 Lab-X(config-std-nacl)#permit any Lab-X(config-std-nacl)#exit Lab-X(config)#ip access-list extended FilterOutside Lab-X(config-ext-nacl)#permit tcp any 192.168.5.0 0.0.0.255 established Lab-X(config-ext-nacl)#deny icmp any 192.168.5.0 0.0.0.255 Lab-X(config-ext-nacl)#permit ip any any Lab-X(config-ext-nacl)#^Z Lab-X# Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface Named ACLs are applied to interfaces the same as other ACLs.

ACL Placement Standard ACLs must be placed close to the destination. Extended ACLs should be placed close to the source.

ACLs and Firewall Routers Border routers are charged with providing network security from potential attacks from outside the network. The figure shows the simplest situation where the border router becomes the clear demarcation between the network and the rest of the world. Typically intruders come from the global Internet and the thousands of networks connected to it. Border routers, those on the edge of a network, are often charged with the responsibility of providing network security from potential attacks from outside the network. Even the simplest routers between the internal network and the outside world will provide some level of security such as network address translation (NAT). NAT is implemented to conceal the internal IP addresses. Some systems offer varying degrees of filtering for additional security. These measures are considerably better than nothing at all but would generally present very little challenge to a serious hacker.

ACLs and Firewall Routers Another type of firewall implementation uses two or more routers to provide the security. The border router, A, is ultimately responsible for securing the LAN(s). The firewall router, F, is responsible for protecting both the shared servers and the internal networks from attack from outside. In an optimal solution, this would be a specialty device like Cisco’s PIX box, which combines hardware and software to secure the connection. Whether a specialty device or a router with the firewall feature set, ACLs will be a part of the solution. Border routers, those on the edge of a network, are often charged with the responsibility of providing network security from potential attacks from outside the network. Even the simplest routers between the internal network and the outside world will provide some level of security such as network address translation (NAT). NAT is implemented to conceal the internal IP addresses. Some systems offer varying degrees of filtering for additional security. These measures are considerably better than nothing at all but would generally present very little challenge to a serious hacker.

Verifying ACLs Lab-X#show ip interface Ethernet0 is up, line protocol is up Internet address is 192.168.5.1/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is 50 Inbound access list is 70 Proxy ARP is enabled The show ip interface command will tell whether an inbound or outbound access list has been applied to an interface. Rows 9 and 10 above contain the information. The rest of the lines do not pertain to ACLs, so they have been omitted.

The show access-lists Command Lab-X#show access-lists Standard IP access list 50 deny 192.168.1.10 log permit any Standard IP access list 75 deny 192.168.17.123 deny 192.168.1.10 Lab-X# The show access-lists command will display all access lists on the router but does not show whether or where they are applied. Another command, show ip access-lists, would include only IP access lists. Both commands enable you to specify an ACL number or name after the command to display just that ACL. Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

The show run Command Lab-X#show run hostname Lab-X ! ! (output abbreviated) access-list 50 deny 192.168.1.10 log access-list 50 permit any access-list 75 deny 192.168.17.123 access-list 75 deny 192.168.1.10 access-list 75 permit any One way to see your access lists and how they are applied is to use the show run command to see the active configuration. The above lines show the output of a show run command with some of the unrelated lines removed. Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

Verifying Named ACLs Lab-X#show run ! (output edited and omitted) ip access-list standard ProtectLAN deny 192.168.20.0 0.0.0.255 deny 192.168.30.0 0.0.0.255 permit any ! ip access-list extended FilterOutside permit tcp any 192.168.5.0 0.0.0.255 established deny icmp any 192.168.5.0 0.0.0.255 permit ip any any Lab-X#show access-list Standard IP access list ProtectLAN deny 192.168.20.0, wildcard bits 0.0.0.255 deny 192.168.30.0, wildcard bits 0.0.0.255 Extended IP access list FilterOutside deny icmp any 192.168.5.0 0.0.0.255 Lab-X# Simplest to create because the only criterion is the source address specified in each access-list statement. A standard ACL is similar to a security guard at a gate – if you don’t have the correct pass (source address) you don't get through – your purpose and ultimate destination address are irrelevant 1. The Log Option – Causes message to be printed to the console screen (or log file) the first time that the ACL is activated and then every five minutes while the ACL is still being used. The 5-minute reports summarize the number of occurrences the ACL was used 2. Denying a Specific Host – Following example shows how use a standard ACL to block inbound traffic from a single specific host Lab-X(config)#access-list 50 deny host 192.168.1.10 Lab-X(config)#access-list 50 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 50 in 3. Denying a Network – Following example shows how use a standard ACL to block inbound traffic from a class C network: Lab-X(config)#access-list 60 deny 192.168.1.0 0.0.0.255 Lab-X(config)access-list 60 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 60 in 4. Denying a Subnet– Following example shows how use a standard ACL to block inbound traffic from the subnet 192.168.1.64 255.255.255.192: Lab-X(config)#access-list 70 deny 192.168.1.64 0.0.0.63 Lab-X(config)access-list 70 permit any Lab-X(config)#interface ethernet 0 Lab-X(config-if)#ip access-group 70 in 5. Filtering Telnet Access – It is possible to limit telnet access to a router using ACLs. Similar to filtering the physical interfaces, you can use access lists to filter the virtual ports – limiting telnet access to our routers. a) There are five virtual ports, or vty lines (vty 0 through vty 4). Since you cannot control which virtual port will be accessed (first available), you will set identical restrictions on all vty lines at one time. Lab-X(config)#access-list 15 permit 192.168.1.128 0.0.0.63 Lab-X(config)#line vty 0 4 Lab-X(config-line)#access-class 15 in Lab-X(config-line)#password cisco Lab-X(config-line)#login b) The “access-class” is used in place of access-group when applying an ACL to a virtual terminal. While this command is not a requirement of the CCNA exam, but it is included here to show how ACLs can be used for more than filtering physical interfaces. As you continue your Cisco training you will learn about other implementations. 6. show line vty command – Lists the ACLs applied to the virtual terminals. 7. Placing an Standard Access List – Because standard ACLs can only use source address as the criteria, there is no choice but to place the ACLs as close to the destination as possible 8. show run Command – The IOS show run command displays the ACL and the implementation 9. show access-list Command - Displays all access lists on the router but does not show if or where they are applied. a) show ip access-list command – Includes only IP access lists b) Both commands allow you to specify an ACL number o to display. Example: show access-list 15 or show ip access-list 15 10. show ip interfaces Command – Tells if an inbound or outbound access list has been applied to an interface

ACL Labs and exercises Complete the e-labs below: (6/09 and 6/11) 6.3.2 6.3.3 6.3.6.1 6.3.6.2 6.4.2.1 6.4.2.2 6.4.2.3 6.5.1 6.8.1.1 6.8.1.2 Regular lab—Handouts