deny access for an entire protocol suite, based on the network, subnet, and host addresses. For example, packets coming in Fa0/0 are checked for source address and protocol. If they are permitted, the packets are routed through the router to an output interface. If they are not permitted, they are dropped at the incoming interface.

The standard version of the access-list global configuration command is used to define a standard ACL with a number in the range of 1 to 99 (also from 1300 to 1999 in recent IOS). In the first ACL statement, notice that there is no wildcard mask. In this case, where no mask is shown, the default mask of 0.0.0.0 is used. This means that the entire address must match, or this line in the ACL does not apply and the router must check for a match in the next line in the ACL.

The full syntax of the standard ACL command is:

Router(config)#access-list access-list-number {deny | permit} source [source-wildcard] [log]

The no form of this command is used to remove a standard ACL. This is the syntax:

Router(config)#no access-list access-list-number

The table shows descriptions of the parameters used in this syntax.

Lab Activity Lab Exercise: Configuring Standard Access Lists
In this lab, the student will configure and apply a standard ACL to permit or deny specific traffic.

Lab Activity Lab Exercise: Standard ACLs
In this lab, the student will plan, configure, and apply a standard ACL to permit or deny specific traffic. The student will then test the ACL to determine if the desired results were achieved.

Lab Activity e-Lab Activity: Configuring a Standard Access List
In this lab, the students will plan, configure, and apply a standard ACL to permit or deny specific traffic and test the ACL to determine if the desired results were achieved.

Lab Activity e-Lab Activity: Standard ACL
In this lab, the students will configure a standard access-control list for the local router "Rome".

Lab Activity e-Lab Activity: Standard ACL
In this lab, the students will configure a standard access-control list for the local router "Athens".

Lab Activity e-Lab Activity: Standard ACL
In this lab, the students will configure a standard access-control list for the local router "Bucharest".

Lab Activity e-Lab Activity: Standard ACL
In this lab, the students will configure a standard access-control list for the local router "Sofia".

Web Links
access-list Command
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1072438
Content 11.2 Access Control Lists (ACLs)
11.2.2 Extended ACLs

Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check protocols and port numbers. This gives greater flexibility to describe what the ACL will check. Packets can be permitted or denied access based on where the packet originated and its destination as well as protocol type and port addresses. An extended ACL can allow e-mail traffic from Fa0/0 to specific S0/0 destinations, while denying file transfers and web browsing. When packets are discarded, some protocols send an echo packet to the sender, stating that the destination was unreachable.

For a single ACL, multiple statements may be configured. Each of these statements should contain the same access-list-number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory. Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.

The syntax for the extended ACL statement can get very long and often will wrap in the terminal window. The wildcards also have the option of using the host or any keywords in the command. At the end of the extended ACL statement, additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. The well-known port numbers for TCP/IP are shown in the figure. Logical operations may be specified, such as equal (eq), not equal (neq), greater than (gt), and less than (lt), that the extended ACL will perform on specific protocols. Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS).

The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:

Router(config-if)#ip access-group access-list-number {in | out}

Lab Activity Lab Exercise: Configuring Extended Access Lists
In this lab, the student will configure and apply an extended ACL to permit or deny specific traffic.

Lab Activity Lab Exercise: Simple Extended Access Lists
In this lab, the student will configure and apply extended access lists to filter network-to-network, host-to-network, and network-to-host traffic.

Lab Activity e-Lab Activity: Configuring an Extended Access List
In this lab, the student will plan, configure, and apply an extended ACL to permit or deny specific traffic and test the ACL to determine if the desired results were achieved.

Lab Activity e-Lab Activity: Extended ACL
In this lab, the students will configure an extended access-control list for the local router "Mexico".

Lab Activity e-Lab Activity: Extended ACLs
In this lab, the students will configure an extended access-control list for the local router "Jakarta".

Lab Activity e-Lab Activity: Extended ACL
In this lab, the students will configure an extended access-control list for the local router "Kuwait".

Lab Activity e-Lab Activity: Extended ACL
In this lab, the students will configure an extended access-control list for the local router "Abuja".

Web Links
access-list Command
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1072413
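As an added example (not part of the curriculum and not Cisco's code), the following Python simulator applies the matching rules described in the standard ACL section and in 11.2.2 above: wildcard masks (a 0 bit must match, a 1 bit is ignored), the 0.0.0.0 default when a standard entry omits the mask, the host and any keywords, the eq/neq/gt/lt port operators, top-down first-match processing, and the implicit deny at the end of every list. The ACL statements, packets, and port-name table are constructed for the example; the grammar it accepts is a simplified subset of the real IOS command (no established, remark, or ICMP type options), and the extended entries use the same layout as the curriculum's e-mail/FTP/web example.

```python
"""Simulate how IOS evaluates numbered standard and extended ACL statements.
Added example, not curriculum or Cisco code. Sample ACLs and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the well-known port names the curriculum's figure lists.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}
OPERATORS = {
    "eq": lambda port, n: port == n,
    "neq": lambda port, n: port != n,
    "gt": lambda port, n: port > n,
    "lt": lambda port, n: port < n,
}
ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones: every bit ignored


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"  # "tcp", "udp", "icmp" or "ip"
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    number: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" for standard ACLs (they only look at the source)
    src: Tuple[str, str]        # (address, wildcard)
    dst: Tuple[str, str]
    src_op: Optional[Tuple[str, int]] = None
    dst_op: Optional[Tuple[str, int]] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(t: List[str], i: int, wildcard_optional: bool):
    """Parse 'any', 'host A', or 'A W'. In a standard entry W may be omitted and
    IOS assumes 0.0.0.0 (the whole address must match); extended entries require it."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if wildcard_optional and (i + 1 >= len(t) or t[i + 1] == "log"):
        return (t[i], "0.0.0.0"), i + 1
    return (t[i], t[i + 1]), i + 2


def _parse_port_op(t: List[str], i: int):
    """Optional 'eq|neq|gt|lt <port-or-name>' after an address specification."""
    if i < len(t) and t[i] in OPERATORS:
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return (t[i], port), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N {permit|deny} ...' statement, standard or extended."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:          # standard: source only
        src, _ = _parse_addr(t, 3, wildcard_optional=True)
        return Entry(number, action, "ip", src, ANY)
    if 100 <= number <= 199 or 2000 <= number <= 2699:       # extended
        src, i = _parse_addr(t, 4, wildcard_optional=False)
        src_op, i = _parse_port_op(t, i)
        dst, i = _parse_addr(t, i, wildcard_optional=False)
        dst_op, i = _parse_port_op(t, i)
        return Entry(number, action, t[3], src, dst, src_op, dst_op)
    raise ValueError(f"unsupported access-list number {number}")


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    for op, port in ((e.src_op, p.sport), (e.dst_op, p.dport)):
        if op is not None and not OPERATORS[op[0]](port, op[1]):
            return False
    return True


def evaluate(lines: List[str], p: Packet) -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching entry decides the packet's fate.
    If nothing matches, the implicit 'deny any' at the end of every ACL applies."""
    for line in lines:
        if entry_matches(parse_entry(line), p):
            return parse_entry(line).action, line
    return "deny", "(implicit deny any)"


# Constructed sample lists. The first standard entry has no wildcard, so only that host matches.
STANDARD_ACL = [
    "access-list 1 deny 192.168.1.5",
    "access-list 1 permit 192.168.1.0 0.0.0.255",
]
# Mirrors the 11.2.2 scenario: e-mail to one server allowed, FTP and web denied, the rest permitted.
EXTENDED_ACL = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.25 eq smtp",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq ftp",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq www",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.5", "10.1.1.1"), Packet("192.168.1.77", "10.1.1.1")):
        print(pkt.src, "->", evaluate(STANDARD_ACL, pkt))
    for pkt in (Packet("192.168.1.10", "10.1.1.25", "tcp", 40000, 25),
                Packet("192.168.1.10", "10.9.9.9", "tcp", 40000, 80),
                Packet("172.16.0.1", "10.1.1.25", "tcp", 40000, 25)):
        print(pkt.src, pkt.dst, pkt.dport, "->", evaluate(EXTENDED_ACL, pkt))
```

Note that ordering matters exactly as the curriculum says: swapping the two standard entries would let 192.168.1.5 through, because the network-wide permit would match first, and a packet from 172.16.0.1 is dropped by the implicit deny even though no statement names it.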
Content 11.2 Access Control Lists (ACLs)
11.2.3 Named ACLs

IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers. The advantages that a named access list provides are: