Cisco CCNA Standard Access List
There are two kinds of ACL:
1) Standard ACL: matches on the source address only.
2) Extended ACL: matches on the source and the destination, and most of the time you also match a protocol and a port number, for example:
HTTP = 80
FTP = 21
TELNET = 23
SMTP = 25 (to send e-mail)
POP3 = 110 (to retrieve e-mail)
Hint:
An ACL is a two-step process:
step 1) write all your ACL statements
step 2) go to the interface and apply the list in one direction (in or out); a list that is written but not applied to an interface filters nothing
int s0/0
ip access-group ?
——Now I will do a LAB—- Goal: the Sales LAN = 10.10.10.0/24 will not be able to access the
EGR LAN = 30.30.30.0/24
Pre step 1) What kind of ACL?
Standard ACL, since the requirement only talks about the source. If instead it said "the Sales LAN must not access the web server = 30.30.30.200 (port 80)",
that would be an extended ACL. Why? Because then I am talking about both the source and the destination (and the port).
————-Step 1) I go to R1 and write my ACL —-
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#acc
R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R1(config)#access-list 3 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R1(config)#access-list 3 den
R1(config)#access-list 3 deny ?
A.B.C.D Address to match
any Any source host
host A single host address
R1(config)#access-list 3 deny 10.10.10.0 ?
A.B.C.D Wildcard bits
<cr>
R1(config)#access-list 3 deny 10.10.10.0 0.0.0.255
———–HINT: make sure you have a permit statement at the end. Why? Because every ACL ends with an implicit "deny any": with only the deny line, traffic from the EGR LAN and everyone else would be dropped too. The implicit deny is not displayed in show run or show access-lists and does not increment a match counter, so you have to remember it is there.
R1(config)#access-list 3 per
R1(config)#access-list 3 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
R1(config)#access-list 3 permit any ?
<cr>
R1(config)#access-list 3 permit any
R1(config)#
——-Let’s look at show run —–
access-list 3 deny 10.10.10.0 0.0.0.255
access-list 3 permit any
———-NOW step 2) is to apply it outbound on int s0/0, the serial link the EGR LAN is reached through. Since a standard ACL only looks at the source, this list drops everything sourced from 10.10.10.0/24 that leaves s0/0, not only packets for 30.30.30.0/24; that is why a standard ACL is normally placed as close to the destination as possible.
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int s0/0
R1(config-if)#ip acc
R1(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
WORD Access-list name
R1(config-if)#ip access-group 3 ?
in inbound packets
out outbound packets
R1(config-if)#ip access-group 3 out ?
<cr>
R1(config-if)#ip access-group 3 out
R1(config-if)#
——–Here is my show run so far—
R1#show run
!
interface Serial0/0
ip address 20.20.20.9 255.255.255.252
ip access-group 3 out
clock rate 64000
access-list 3 deny 10.10.10.0 0.0.0.255
access-list 3 permit any
——-As we see, the Sales PC can no longer ping the other LAN—
PC>ping 30.30.30.4
Pinging 30.30.30.4 with 32 bytes of data:
Reply from 10.10.10.100: Destination host unreachable.
Reply from 10.10.10.100: Destination host unreachable.
Reply from 10.10.10.100: Destination host unreachable.
Reply from 10.10.10.100: Destination host unreachable.
Ping statistics for 30.30.30.4:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
———————————————
After the ping fails, show access-lists confirms which entry dropped it: the deny line's counter goes up by 4 for each ping command (4 matches after the first, 8 after the second), while the permit any line shows no matches—
R1#show access-lists
Standard IP access list 3
deny 10.10.10.0 0.0.0.255 (4 match(es))
permit any
R1#show access-lists
Standard IP access list 3
deny 10.10.10.0 0.0.0.255 (8 match(es))
permit any
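To see the matching logic behind those counters (entries checked in order, first match wins, wildcard bits, and the invisible implicit deny), here is an added Python model of numbered IOS ACL evaluation. It is example code written for this page, not Cisco IOS and not from the original post; it parses only the syntax shown above, and the extended list 100 for the web-server variant, the packets it evaluates and the telnet test traffic are constructed here as assumptions.

```python
import ipaddress

# IOS keywords for the port numbers the page lists (IOS spells HTTP as "www")
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "pop3": 110}
ANY = ("0.0.0.0", "255.255.255.255")   # "any" is 0.0.0.0 with an all-ones wildcard


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _parse_addr(tokens, wildcard_required):
    """Consume one spec (any | host A.B.C.D | A.B.C.D [wildcard]); return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if wildcard_required or (len(tokens) > 1 and tokens[1].count(".") == 3):
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]     # standard list: no wildcard means a single host


class AccessList:
    """A numbered IOS list: entries in order, first match wins, implicit deny any at the end."""

    def __init__(self):
        self.entries = []
        self.matches = []   # per-entry hit counters, like "(N match(es))" in show access-lists

    def add(self, line):
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[2] == "remark":
            return
        number, action = int(tokens[1]), tokens[2]
        if 1 <= number <= 99:                       # standard: source only
            src, src_wc, _ = _parse_addr(tokens[3:], wildcard_required=False)
            proto, (dst, dst_wc), port = "ip", ANY, None
        elif 100 <= number <= 199:                  # extended: protocol, source, destination, port
            proto = tokens[3]
            src, src_wc, rest = _parse_addr(tokens[4:], wildcard_required=True)
            dst, dst_wc, rest = _parse_addr(rest, wildcard_required=True)
            port = None
            if rest[:1] == ["eq"]:
                port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        else:
            raise ValueError("only numbered lists 1-99 and 100-199 are modelled")
        self.entries.append((action, proto, src, src_wc, dst, dst_wc, port))
        self.matches.append(0)

    def evaluate(self, src, dst, proto="ip", dport=None):
        """Return 'permit' or 'deny' for one packet and count the entry that decided it."""
        for i, (action, e_proto, s, s_wc, d, d_wc, port) in enumerate(self.entries):
            if e_proto != "ip" and e_proto != proto:   # "ip" entries match every protocol
                continue
            if port is not None and port != dport:
                continue
            if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
                self.matches[i] += 1
                return action
        return "deny"   # the implicit deny: not listed and not counted by IOS


def build(lines):
    acl = AccessList()
    for line in lines:
        acl.add(line)
    return acl


def lab():
    """Replay the page's lab and the variants its hints describe; returns the verdicts."""
    acl3 = build(["access-list 3 deny 10.10.10.0 0.0.0.255",
                  "access-list 3 permit any"])
    # the four pings from the Sales PC (10.10.10.100) to 30.30.30.4
    pings = [acl3.evaluate("10.10.10.100", "30.30.30.4", "icmp") for _ in range(4)]
    from_egr = acl3.evaluate("30.30.30.4", "10.10.10.100", "icmp")   # hits "permit any"
    # same list without the trailing permit: everything else meets the implicit deny
    no_permit = build(["access-list 3 deny 10.10.10.0 0.0.0.255"])
    # extended list for the web-server variant (constructed here, not on the page)
    acl100 = build(["access-list 100 deny tcp 10.10.10.0 0.0.0.255 host 30.30.30.200 eq www",
                    "access-list 100 permit ip any any"])
    return {
        "pings": pings,                                  # ['deny', 'deny', 'deny', 'deny']
        "acl3_counters": list(acl3.matches),             # [4, 1], like show access-lists
        "from_egr": from_egr,
        "implicit_deny": no_permit.evaluate("30.30.30.4", "10.10.10.100", "icmp"),
        "web_from_sales": acl100.evaluate("10.10.10.100", "30.30.30.200", "tcp", 80),
        "telnet_from_sales": acl100.evaluate("10.10.10.100", "30.30.30.200", "tcp", 23),
        "ping_from_sales": acl100.evaluate("10.10.10.100", "30.30.30.4", "icmp"),
    }


if __name__ == "__main__":
    for name, verdict in lab().items():
        print(f"{name}: {verdict}")
```

The counters come out as [4, 1] for list 3 because the four pings hit the deny line and only the EGR-side packet reaches permit any, which is the pattern show access-lists printed above; the list without permit any returns deny for the EGR packet even though no entry matched and no counter moved, which is the implicit deny the hint warns about.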
Also published on Medium.