deny access for an entire protocol suite, based on the network, subnet, and host addresses. For example, packets coming in Fa0/0 are checked for source address and protocol. If they are permitted, the packets are routed through the router to an output interface. If they are not permitted, they are dropped at the incoming interface.

The standard version of the access-list global configuration command is used to define a standard ACL with a number in the range of 1 to 99 (also from 1300 to 1999 in recent IOS). In the first ACL statement, notice that there is no wildcard mask. In this case, where no mask is shown, the default mask of 0.0.0.0 is used. This means that the entire address must match, or this line in the ACL does not apply and the router must check for a match in the next line in the ACL.

The full syntax of the standard ACL command is:

    Router(config)#access-list access-list-number {deny | permit} source [source-wildcard] [log]

The no form of this command is used to remove a standard ACL. This is the syntax:

    Router(config)#no access-list access-list-number

The table shows descriptions of the parameters used in this syntax.
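The behaviour described above, worked through in a small evaluator: the wildcard mask (a 0 bit must match, a 1 bit is ignored), the default mask of 0.0.0.0 when none is given, first-match evaluation, and the implicit deny at the end of the list. This is an added example, not code from the curriculum or from Cisco IOS; the ACL lines, addresses and function names are constructed for illustration.

```python
# Standard ACL evaluator: added example, not code from the Cisco
# curriculum page. It models a wildcard mask in which a 0 bit must match
# and a 1 bit is ignored, the default mask of 0.0.0.0 when none is given,
# first-match evaluation, and the implicit "deny any" at the end of every
# ACL. The ACL lines and addresses below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class StandardAce:
    action: str                # "permit" or "deny"
    source: str                # dotted-decimal base address
    wildcard: str = "0.0.0.0"  # default when omitted: whole address must match

    def matches(self, src: str) -> bool:
        # Bits set to 1 in the wildcard are "don't care": clear them on both
        # sides, then compare. A mask of 0.0.0.0 therefore needs an exact match.
        care = ~ip_to_int(self.wildcard) & 0xFFFFFFFF
        return (ip_to_int(src) & care) == (ip_to_int(self.source) & care)


def parse_standard_acl(config: str) -> Dict[int, List[StandardAce]]:
    """Parse lines of the form
       access-list <1-99|1300-1999> {permit|deny} source [wildcard] [log]
    'host A' is shorthand for 'A 0.0.0.0'; 'any' for '0.0.0.0 255.255.255.255'.
    Lines sharing a number form one ACL, kept in configuration order."""
    acls: Dict[int, List[StandardAce]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number = int(t[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not in the standard ACL range")
        action = t[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if t[3] == "host":
            ace = StandardAce(action, t[4])
        elif t[3] == "any":
            ace = StandardAce(action, "0.0.0.0", "255.255.255.255")
        elif len(t) > 4 and t[4] != "log":
            ace = StandardAce(action, t[3], t[4])
        else:
            ace = StandardAce(action, t[3])   # no mask given: 0.0.0.0 applies
        acls.setdefault(number, []).append(ace)
    return acls


def evaluate(acl: List[StandardAce], src: str) -> str:
    """Return the action of the first matching line. The router stops at the
    first match; a packet that matches no line is dropped."""
    for ace in acl:
        if ace.matches(src):
            return ace.action
    return "deny"  # implicit deny any


# Constructed sample: block one host, allow the rest of its subnet, allow
# one host elsewhere, and let the implicit deny drop everything else.
SAMPLE_CONFIG = """
access-list 1 deny 192.168.10.5
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit host 10.0.0.7 log
"""
ACL_1 = parse_standard_acl(SAMPLE_CONFIG)[1]

if __name__ == "__main__":
    for src in ("192.168.10.5", "192.168.10.77", "10.0.0.7", "10.0.0.8"):
        print(f"{src:>14} -> {evaluate(ACL_1, src)}")
```

Order matters: if the permit line for 192.168.10.0 0.0.0.255 came first, the deny for 192.168.10.5 would never be reached, because evaluation stops at the first match.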
Lab Activity (Lab Exercise): Configuring Standard Access Lists
In this lab, the student will configure and apply a standard ACL to permit or deny specific traffic.

Lab Activity (Lab Exercise): Standard ACLs
In this lab, the student will plan, configure, and apply a standard ACL to permit or deny specific traffic. The student will then test the ACL to determine if the desired results were achieved.

Lab Activity (e-Lab Activity): Configuring a Standard Access List
In this lab, the students will plan, configure, and apply a standard ACL to permit or deny specific traffic and test the ACL to determine if the desired results were achieved.

Lab Activity (e-Lab Activity): Standard ACL
In this lab, the students will configure a standard access-control list for the local router "Rome".

Lab Activity (e-Lab Activity): Standard ACL
In this lab, the students will configure a standard access-control list for the local router "Athens".

Lab Activity (e-Lab Activity): Standard ACL
In this lab, the students will configure a standard access-control list for the local router "Bucharest".

Lab Activity (e-Lab Activity): Standard ACL
In this lab, the students will configure a standard access-control list for the local router "Sofia".

Web Links
access-list Command
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1072438
11.2.2 Extended ACLs

Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers. This gives greater flexibility in describing what the ACL will check. Packets can be permitted or denied based on where the packet originated and its destination, as well as on protocol type and port addresses. An extended ACL can allow e-mail traffic from Fa0/0 to specific S0/0 destinations while denying file transfers and web browsing. When packets are discarded, some protocols send an echo packet to the sender, stating that the destination was unreachable.

For a single ACL, multiple statements may be configured. Each of these statements should contain the same access-list-number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory. Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.

The syntax for the extended ACL statement can get very long and often will wrap in the terminal window. The wildcards also have the option of using the host or any keywords in the command. At the end of the extended ACL statement, additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. The well-known port numbers for TCP/IP are shown in the figure. Logical operations such as equal (eq), not equal (neq), greater than (gt), and less than (lt) may be specified, which the extended ACL will apply to the port numbers of specific protocols. Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS).

The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:

    Router(config-if)#ip access-group access-list-number {in | out}
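The extended ACL fields and the ip access-group binding described above, worked through in a small evaluator: protocol, source and destination with wildcards (including the host and any keywords), a destination-port condition using eq, neq, gt or lt, and the one-ACL-per-interface-per-direction binding. This is an added example, not code from the curriculum or from Cisco IOS; it covers destination-port conditions only, and the ACL lines, addresses, interface names and function names are constructed for illustration.

```python
# Extended ACL evaluator with port operators and interface binding: added
# example, not code from the curriculum page or from Cisco. It models the
# fields the text lists (protocol, source, destination, a destination port
# tested with eq/neq/gt/lt) and the 'ip access-group' rule of one ACL per
# interface, per direction. Source-port conditions and other IOS keywords
# are omitted; ACL lines, addresses and interface names are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OPERATORS = {"eq": lambda p, r: p == r, "neq": lambda p, r: p != r,
             "gt": lambda p, r: p > r, "lt": lambda p, r: p < r}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # 1 bits in the wildcard are ignored; 0 bits must match exactly
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
        (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class Packet:
    protocol: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class ExtendedAce:
    action: str
    protocol: str                  # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port_op: Optional[str] = None  # eq / neq / gt / lt on the destination port
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc)):
            return False
        if self.port_op is None:
            return True
        # A port condition can only match a packet that carries a port
        return pkt.dst_port is not None and OPERATORS[self.port_op](pkt.dst_port, self.port)


def parse_address(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A' or 'A W' at t[i]; return (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_extended_acl(config: str) -> Dict[int, List[ExtendedAce]]:
    """Parse 'access-list <100-199|2000-2699> {permit|deny} proto src dst [op port]'."""
    acls: Dict[int, List[ExtendedAce]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        number = int(t[1])
        if not (100 <= number <= 199 or 2000 <= number <= 2699):
            raise ValueError(f"{number} is not in the extended ACL range")
        src, src_wc, i = parse_address(t, 4)
        dst, dst_wc, i = parse_address(t, i)
        op = port = None
        if i < len(t) and t[i] in OPERATORS:
            op, port = t[i], int(t[i + 1])
        acls.setdefault(number, []).append(
            ExtendedAce(t[2], t[3], src, src_wc, dst, dst_wc, op, port))
    return acls


def filter_packet(acls: Dict[int, List[ExtendedAce]], bindings: Dict[Tuple[str, str], int],
                  interface: str, direction: str, pkt: Packet) -> str:
    """Apply the ACL bound to (interface, direction), if any; first match wins."""
    number = bindings.get((interface, direction))
    if number is None:
        return "permit"        # no ACL applied on this interface and direction
    for ace in acls[number]:
        if ace.matches(pkt):
            return ace.action
    return "deny"              # implicit deny any


# Constructed sample modelled on the text: mail from the Fa0/0 subnet to one
# server is allowed, web (80) and FTP (ports below 22) are dropped, other
# traffic from that subnet passes; anything from another source is denied.
SAMPLE_CONFIG = """
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.25 eq 25
access-list 101 deny tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 101 deny tcp 192.168.10.0 0.0.0.255 any lt 22
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
"""
ACLS = parse_extended_acl(SAMPLE_CONFIG)
# 'ip access-group 101 in' entered under interface Fa0/0: one ACL per
# interface, per direction, per protocol, so a later entry would replace it.
BINDINGS = {("Fa0/0", "in"): 101}
```

Note that the same packet that is denied inbound on Fa0/0 passes unfiltered in the outbound direction, because nothing is bound there; each interface and direction must be considered separately when placing ACLs.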
Lab Activity (Lab Exercise): Configuring Extended Access Lists
In this lab, the student will configure and apply an extended ACL to permit or deny specific traffic.

Lab Activity (Lab Exercise): Simple Extended Access Lists
In this lab, the student will configure and apply extended access lists to filter network-to-network, host-to-network, and network-to-host traffic.

Lab Activity (e-Lab Activity): Configuring an Extended Access List
In this lab, the student will plan, configure, and apply an extended ACL to permit or deny specific traffic and test the ACL to determine if the desired results were achieved.

Lab Activity (e-Lab Activity): Extended ACL
In this lab, the students will configure an extended access-control list for the local router "Mexico".

Lab Activity (e-Lab Activity): Extended ACLs
In this lab, the students will configure an extended access-control list for the local router "Jakarta".

Lab Activity (e-Lab Activity): Extended ACL
In this lab, the students will configure an extended access-control list for the local router "Kuwait".

Lab Activity (e-Lab Activity): Extended ACL
In this lab, the students will configure an extended access-control list for the local router "Abuja".

Web Links
access-list Command
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#1072413
11.2.3 Named ACLs

IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers. The advantages that a named access list provides are:
- Intuitively identify an ACL using an alphanumeric name.
- Eliminate the limit of 798 simple and 799 extended ACLs.
- Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them.

It is important to note that a named access list will allow the deletion of statements but will only allow for statements to be inserted at the end of a list. Even with named ACLs it is a