Monday, April 11, 2016

CCNAv2 Custom Notes - How to Access your Control Lists

Greetings, and welcome to Seeseenayy.
I was thinking that some people may not understand the layout of ACLs. While simple, ACLs can be complex if you don't really understand them, so even though I've done the PTs required for this topic, I suggest the following.

For a quick understanding of ACLs via Cisco's definitions, you can do this packet tracer. 
Introductory Packet Tracer, use Cisco's side-window progress box from the PT.
Secondary Packet Tracer, same as above.

Below is a document from 9tuts, credits to them for the tutorial. Some parts have been edited by me.
It's a sufficient tutorial.

Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Just imagine you come to a fair and see the guardian checking tickets. He only allows people with suitable tickets to enter. Well, an access list's function is the same as that guardian's.
Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router’s interfaces based on the criteria you specified within the access list.
To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.
Standard IP Access List
Standard IP lists (1-99) only check source addresses of all IP packets.
Configuration Syntax
access-list access-list-number {permit | deny} source {source-mask}
Apply ACL to an interface
ip access-group access-list-number {in | out}
Example of Standard IP Access List
In this example we will define a standard access list that will only allow network to access the server (located on the Fa0/1 interface)
Define which source is allowed to pass:
Router(config)#access-list 1 permit
(there is always an implicit deny all other traffic at the end of each ACL so we don’t need to define forbidden traffic)
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
ACL 1 is applied to permit only packets from to go out of the Fa0/1 interface while denying all other traffic. So can we apply this ACL to another interface, Fa0/2 for example? Well, we can, but we shouldn't, because users could still reach the server through another interface (the s0 interface, for example). This is why a standard access list should be applied close to the destination.
Note: The “” is the wildcard mask part of network “”. We will learn how to use wildcard mask later.
Extended IP Access List
Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.
Configuration Syntax
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
Example of Extended IP Access List
In this example we will create an extended ACL that will deny FTP traffic from network but allow other traffic to go through.
Note: FTP uses TCP on port 20 & 21.
Define which protocol, source, destination and port are denied:
Router(config)#access-list 101 deny tcp eq 21
Router(config)#access-list 101 deny tcp eq 20
Router(config)#access-list 101 permit ip any any
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any) because there is an implicit "deny all" at the end of each ACL.
As we can see, the destination of the above access list is "", which specifies a single host. We can use "host" instead. We will discuss wildcard masks later.
In summary, below are the number ranges of standard and extended access lists:
Access list type    Range
Standard            1-99, 1300-1999
Extended            100-199, 2000-2699
Named IP Access List Configuration Syntax
ip access-list {standard | extended} {name | number}
Example of Named IP Access List
This is an example of the use of a named ACL in order to block all traffic except the Telnet connection from host to host
Define the ACL:
Router(config)#ip access-list extended in_to_out
Router(config-ext-nacl)#permit tcp host host eq telnet
(notice that we can use ‘telnet’ instead of port 23)
Apply this ACL to an interface:
Router(config)#interface Fa0/0
Router(config-if)#ip access-group in_to_out in
Where to place access list?
Standard IP access list should be placed close to destination.
Extended IP access lists should be placed close to the source.
How many access lists can be used?
You can have one access list per protocol, per direction and per interface. For example, you cannot have two access lists in the inbound direction of the Fa0/0 interface. However, you can have one inbound and one outbound access list applied on Fa0/0.
How to use the wildcard mask?
Wildcard masks are used with access lists to specify a host, network or part of a network.
The zeros and ones in a wildcard determine whether the corresponding bits in the IP address should be checked or ignored for ACL purposes. For example, we want to create a standard ACL which will only allow network to pass through. We need to write an ACL, something like this:
access-list 1 permit
Of course we can’t write subnet mask in an ACL, we must convert it into wildcard mask by converting all bits 0 to 1 & all bits 1 to 0.
255 = 1111 1111 -> convert into 0000 0000
240 = 1111 0000 -> convert into 0000 1111
0 = 0000 0000 -> convert into 1111 1111
Therefore can be written in wildcard mask as 00000000.00000000.00001111.11111111 =
Remember, for the wildcard mask, 1s are I DON'T CARE, and 0s are I CARE. Now let's analyze our wildcard mask.
The first two octets are all 0s, meaning that we care about the network 172.23.x.x. The third octet, 15 (0000 1111 in binary), means that we care about the first 4 bits but don't care about the last 4 bits, so we allow the third octet in the form 0001xxxx (minimum: 00010000 = 16; maximum: 00011111 = 31).

The fourth octet is 255 (all 1 bits) that means I don’t care.
Therefore network ranges from to
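As an added, runnable illustration of the mask inversion and range calculation above (this code is not part of the original notes or of 9tut's tutorial), the following Python functions invert a subnet mask into a wildcard mask, compute the lowest and highest address an "address wildcard" pair matches, and test a candidate address against that pair. The 172.23.16.0 with mask 255.255.240.0 sample is built from the octet walk-through above; the function names are my own.

```python
import ipaddress
from typing import Tuple

# Added example (not part of the original notes): convert a normal subnet
# mask to a wildcard (inverse) mask and work out which addresses an
# "address wildcard" pair in an ACL actually matches.

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(mask: str) -> str:
    """Invert every bit of a dotted-decimal subnet mask (255.255.240.0 -> 0.0.15.255)."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ ALL_ONES
    return str(ipaddress.IPv4Address(inverted))


def mask_from_wildcard(wildcard: str) -> str:
    """The inversion is symmetric, so the same XOR recovers the subnet mask."""
    return wildcard_from_mask(wildcard)


def matched_range(address: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address matched by 'address wildcard' in an ACL entry.

    Wildcard bits set to 1 are "don't care": the low end clears them and the
    high end sets them. Bits set to 0 must equal the given address exactly.
    """
    addr = int(ipaddress.IPv4Address(address))
    wc = int(ipaddress.IPv4Address(wildcard))
    low = addr & ~wc & ALL_ONES
    high = addr | wc
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def matches(candidate: str, address: str, wildcard: str) -> bool:
    """True if 'candidate' would be matched by the ACL pair 'address wildcard'."""
    c = int(ipaddress.IPv4Address(candidate))
    a = int(ipaddress.IPv4Address(address))
    wc = int(ipaddress.IPv4Address(wildcard))
    care = ~wc & ALL_ONES          # the 0 bits of the wildcard are "I care"
    return (c & care) == (a & care)


def octet_bits(value: int) -> str:
    """Show one octet as the 8-bit string used in the notes (e.g. 15 -> '00001111')."""
    return format(value, "08b")


if __name__ == "__main__":
    # Constructed sample: the 172.23.16.0 network with mask 255.255.240.0
    # from the wildcard discussion in the notes.
    wc = wildcard_from_mask("255.255.240.0")
    print("wildcard mask:", wc)
    print("third octet bits:", octet_bits(15))
    print("matched range:", matched_range("172.23.16.0", wc))
    for host in ("172.23.16.1", "172.23.31.254", "172.23.32.1"):
        verdict = "matches" if matches(host, "172.23.16.0", wc) else "does not match"
        print(host, verdict)
```

Running the block prints the wildcard 0.0.15.255 and the range 172.23.16.0 through 172.23.31.255, which is exactly the 16 to 31 span of the third octet worked out by hand above; 172.23.32.1 falls outside it because bit 5 of the third octet is an "I care" bit.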
Some additional examples:
+ Block TCP packets on port 30 from any source to any destination:
Router(config)#access-list 101 deny tcp any any eq 30
+ Permit any IP packets in network with subnet mask to any network:
Router(config)#access-list 101 permit ip any
Apply the access control list to an interface:
Router(config)#interface fastEthernet0/0
Router(config-if)#ip access-group 101 in

Second Source Credit:
Standard/Extended Access List Fundamentals

Cisco has defined two types of IP access lists: standard and extended. However, only one type can be applied to an interface in a given direction at a time. This means that you cannot have an inbound standard access list and an inbound extended access list applied to the same interface. Each type has its own number range and its own uses in securing the network.

Standard Access Lists
Standard access lists match packets by examining the source IP address field in the packet's IP header. Any bit positions in the 32-bit source IP address can be compared to the access list statements. However, the matching is flexible and does not consider the subnet mask in use.

Access lists use the inverse mask, sometimes called the wildcard mask or I-mask. This mask is named because it inverts the meaning of the bits. In a normal mask, ones mean "must match," while zeroes mean "may vary." For example, for two hosts to be on the same Class C network, the first 24 bits of their address must match, while the last 8 may vary. Inverse masks swap the rules so that zeroes mean "must match" and ones mean "may vary."

The easy way to calculate the inverse mask when you already know the normal mask is to subtract from all ones. The table that follows shows an example. The normal mask is subtracted, column by column, from the all-ones mask to determine the inverse mask.

All Ones

Normal Mask

Inverse Mask

The command for configuring a standard access list is as follows:
Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]

As you can see from the command syntax, the first option is to specify the access list number. The number range for standard access lists is 1 to 99. The second value that you must specify is to permit or deny the configured source IP address. The third value is the source IP address that you want to match. The fourth value is the wildcard mask that you want to apply to the IP address previously configured.

All access lists have an implicit deny, meaning that if a packet does not match any of the criteria that you have specified in your access list, it will be denied. If you have deny statements in your access lists, be sure to create permit statements to allow valid traffic.

When the access list has been created, you need to apply it to the appropriate interface. The command to apply the access list is as follows:
Router(config-if)# ip access-group {number | name} {in | out}

The access list is applied under the interface configuration mode. You must specify only the number or name and whether it is an incoming or an outgoing access list.

Extended Access Lists
Extended IP access lists are almost identical to standard IP access lists in their use. The key difference between the two types is the variety of fields in the packet that can be compared for matching by extended access lists. As with standard lists, extended access lists are enabled for packets entering or exiting an interface. The list is searched sequentially; the first statement matched stops the search through the list and defines the action to be taken. All these features are true of standard access lists as well. The matching logic, however, is different than that used with standard access lists and makes extended access lists much more complex. Extended access lists can match source and destination addresses as well as different TCP and UDP ports. This gives greater flexibility and control over network access.

To configure extended access lists, the command is similar to that for a standard access list, but with more options. The command is this:

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand]

The first value that you must configure is the access list number. Extended access lists range from 100 to 199. Then you need to permit or deny the criteria that you will specify next. The next value is the protocol type. Here, you could specify IP, TCP, UDP, or other specific IP sub-protocols. The next value is the source IP address and its wildcard mask. Next is the destination IP address and its wildcard mask. When the destination IP address and mask are configured, you can specify the port number that you want to match, by number or by a well-known port name.
As with standard access lists, after the extended access list is created, you need to apply it to an interface with the ip access-group command. Review the lab objectives associated with the chapter before beginning to configure the access lists.
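To make the matching rules on this page concrete (an entry matches only when every field it specifies matches, the list is searched top to bottom, the first match decides, and anything left over hits the implicit deny, which is why the FTP example earlier needs its explicit permit ip any any), here is an added Python simulator that is not part of the original notes, of 9tut's tutorial, or of Cisco IOS. It parses numbered standard and extended entries written in the same text form as the examples on this page and evaluates constructed packets against them. The sample ACL is modelled on the "deny FTP, permit everything else" example but uses a made-up 10.0.1.0/24 source network and a made-up 192.0.2.10 server; names such as parse_entry and evaluate are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the original notes or from Cisco): a small
# simulator of IOS ACL matching. It parses numbered entries in the text
# form used on this page, evaluates packets top to bottom, stops at the
# first matching entry, and applies the implicit "deny any" when nothing
# matches.

ALL_ONES = 0xFFFFFFFF
WELL_KNOWN_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}


@dataclass
class Packet:
    proto: str              # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # standard entries are recorded as "ip" (source only)
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # default "any" destination for standard entries
    dport: Optional[int] = None


def _addr_pair(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
    if nxt[:1].isdigit() and "." in nxt:
        return tokens[i], nxt, i + 2
    # A bare address with no wildcard (standard ACL shorthand) means one host.
    return tokens[i], "0.0.0.0", i + 1


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} ...' in standard or extended form."""
    t = line.replace("Router(config)#", "").split()
    if t[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard ranges
        src, src_wc, _ = _addr_pair(t, 3)
        return Entry(action, "ip", src, src_wc)
    proto = t[3]
    src, src_wc, i = _addr_pair(t, 4)
    dst, dst_wc, i = _addr_pair(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = WELL_KNOWN_PORTS.get(t[i + 1]) or int(t[i + 1])
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport)


def _wc_match(candidate: str, address: str, wildcard: str) -> bool:
    c = int(ipaddress.IPv4Address(candidate))
    a = int(ipaddress.IPv4Address(address))
    care = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES   # 0 bits = "I care"
    return (c & care) == (a & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    """Every field the entry specifies must match; 'ip' matches any protocol."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not _wc_match(p.src, e.src, e.src_wc) or not _wc_match(p.dst, e.dst, e.dst_wc):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> str:
    """The first matching entry decides; an unmatched packet hits the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# Constructed sample ACL modelled on the notes' "deny FTP, permit the rest"
# example. 10.0.1.0/24 and 192.0.2.10 are made-up placeholder addresses.
ACL_101 = [parse_entry(l) for l in (
    "access-list 101 deny tcp 10.0.1.0 0.0.0.255 host 192.0.2.10 eq 21",
    "access-list 101 deny tcp 10.0.1.0 0.0.0.255 host 192.0.2.10 eq 20",
    "access-list 101 permit ip any any",
)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.1.7", "192.0.2.10", 21),
                Packet("tcp", "10.0.1.7", "192.0.2.10", 80),
                Packet("tcp", "10.0.2.7", "192.0.2.10", 21)):
        print(pkt, "->", evaluate(ACL_101, pkt))
```

Dropping the final permit ip any any entry from ACL_101 and re-running shows every non-FTP packet falling through to the implicit deny, which is the behaviour the notes warn about; the parser also accepts the standard-list shorthand (a bare address without a wildcard means a single host) and well-known port names such as telnet.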

Article Source:

Cisco ACLs are available for several types of routed protocols including IP, IPX, AppleTalk, XNS, DECnet, and others. However, we will be discussing ACLs pertaining to TCP/IP protocol only. 

ACLs for TCP/IP traffic filtering are primarily divided into two types:
Standard Access Lists, and
Extended Access Lists

Standard Access Control Lists: Standard IP ACLs range from 1 to 99. A Standard Access List allows you to permit or deny traffic FROM specific IP addresses. The destination of the packet and the ports involved can be anything.

This is the command syntax format of a standard ACL.
access-list access-list-number {permit|deny}
{host|source source-wildcard|any}

Standard ACL example:
access-list 10 permit

This list allows traffic from all addresses in the range to
Note that when configuring access lists on a router, you must identify each access list uniquely by assigning either a name or a number to the protocol's access list.
There is an implicit deny added to every access list. If you entered the command:

show access-list 10

The output looks like:
access-list 10 permit
access-list 10 deny any

Extended Access Control Lists: Extended IP ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. They also allow granular control by specifying rules for different protocols such as ICMP, TCP, UDP, etc. within the ACL statements. Extended IP ACLs range from 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs began to use additional numbers (2000 to 2699).

The syntax for IP Extended ACL is given below:
access-list access-list-number {deny | permit} protocol source source-wildcard
destination destination-wildcard [precedence precedence]

Note that the above syntax is simplified, and given for general understanding only.

Extended ACL example:
access-list 110 - Applied to traffic leaving the office (outgoing)
access-list 110 permit tcp any eq 80

ACL 110 permits traffic originating from any address on the network. The 'any' statement means that the traffic is allowed to have any destination address with the limitation of going to port 80. The value of can be specified as 'any'.

Applying an ACL to a router interface:
After the ACL is defined, it must be applied to the interface (inbound or outbound). The syntax for applying an ACL to a router interface is given below:
interface <interface>
ip access-group {number|name} {in|out}

An Access List may be specified by a name or a number. "in" applies the ACL to the inbound traffic, and "out" applies the ACL on the outbound traffic.

To apply the standard ACL created in the previous example, use the following commands:
Router(config)#interface serial 0
Router(config-if)#ip access-group 10 out

Example Question:
Which command sequence will allow only traffic from network to enter interface s0?
A. access-list 25 permit
int s0 ; ip access-list 25 out
B. access-list 25 permit
int s0 ; ip access-group 25 out
C. access-list 25 permit
int s0 ; ip access-list 25 in
D. access-list 25 permit
int s0 ; ip access-group 25 in

The correct sequence of commands is:

1. access-list 25 permit
2. int s0
3. ip access-group 25 in
