http://www.9tut.com/access-list-tutorial
12/15/2015
Configuration:
In this example we will define a standard access list that will only allow network 10.0.0.0/8 to access the
server (located on the Fa0/1 interface)
Define which source is allowed to pass:
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
(There is always an implicit "deny all other traffic" at the end of each ACL, so we don't need to define
forbidden traffic.)
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of the Fa0/1 interface while denying all
other traffic. So can we apply this ACL to another interface, Fa0/2 for example? Well, we can, but we shouldn't,
because users can still access the server from another interface (the s0 interface, for example). This is
why a standard access list should be applied close to the destination.
Note: The 0.255.255.255 is the wildcard mask part of network 10.0.0.0. We will learn how to use
wildcard mask later.
Extended IP Access List
Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP
protocols, and destination ports.
Configuration Syntax
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
In this example we will create an extended ACL that will deny FTP traffic from network 10.0.0.0/8 but
allow other traffic to go through.
Note: FTP uses TCP on port 20 & 21.
Define which protocol, source, destination and port are denied:
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any) as there is a "deny
all" command at the end of each ACL.
As we can see, the destination in the above access list is 187.100.1.6 0.0.0.0, which specifies a single host. We
can use host 187.100.1.6 instead. We will discuss wildcard masks later.
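The first-match evaluation of ACL 101 above, modelled in Python as an added example (not code from the original tutorial or from Cisco). The parse and evaluate helpers are hypothetical, handle only the syntax subset shown on this page, and ignore interface and direction.

```python
import ipaddress

# ACL 101 exactly as configured in the tutorial above.
ACL_101 = """\
access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
access-list 101 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def parse(text):
    """Hypothetical helper: parse the extended ACL subset shown on this page."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(addr, base, wildcard):
    # Wildcard bit 0 = this bit must match, 1 = don't care.
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule number). First match wins; no match is the implicit deny."""
    for n, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules, 1):
        if r_proto not in ("ip", proto):
            continue
        if not (_match(src, *r_src) and _match(dst, *r_dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, n
    return "deny", None
```

Dropping the final permit line (rules[:2]) shows the implicit deny: a packet that matches neither FTP entry is then denied with no matching rule number.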
In summary, below are the number ranges of standard and extended access lists:
Access list type    Range
Standard            1-99, 1300-1999
Extended            100-199, 2000-2699
Please can someone please send me the latest dumps for CCNA 200-120
sayedahmed25@gmail.com
Many great thanks for anyone helping me
10. Anonymus
December 7th, 2015
the latest dumps 200-120
ggithinji80@gmail.com
11. the latest dumps 200-120
December 10th, 2015
snpier86@yahoo.com
12. Omar Saeed
December 12th, 2015
plz send me the latest ccna dump 200-120 to pic-1@msn.com plzzz
13. Anonymous
December 13th, 2015
Remember these rules for ACLs:
AN ACL IS A SET OF CONDITIONS
TYPES: STANDARD AND EXTENDED, NAMED (STANDARD/EXTENDED)
AN ACL IS READ IN ORDER 1,2,3
AN ACL HAS AN IMPLICIT DENY (INVISIBLE, RUNS IN THE BACKGROUND)
IF YOU RUN AN ACL WITH A DENY STATEMENT, YOU MUST END THE STATEMENT WITH PERMIT ANY
YOU CAN ONLY HAVE ONE ACL PER INTERFACE PER PROTOCOL PER DIRECTION: ONE ACL/PROTOCOL/DIRECTION
YOU CANNOT REMOVE A NUMBERED ACL THAT LIES WITHIN THE GROUP: YOU HAVE MORE FLEXIBILITY WITH NAMED ACLS THAN WITH NUMBERED ACLS
ON THE TOP MORE SPECIFIC PERMIT/DENY, ON THE BOTTOM MOST GENERAL PERMIT/DENY
USE WILDCARD MASKING W/ACLS
14. Carllton
December 13th, 2015
EXAMPLE, HOW TO APPLY AN ACL:
* ONE ACL / ONE PROTOCOL / ONE DIRECTION
#CONFIG T
#INT F0/0.10
#IP ACCESS-GROUP 10 IN
15. Anonymous
December 15th, 2015
My exam is very soon. Could someone please send the latest dump to networknows@gmail.com
Thank you