Access Lists Exercises
ACLs...
...are a sequential list of instructions that tell a router which packets to
permit or deny.
General Access Lists Information
Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it
stops comparing and permits or denies the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed
protocol must have a different ACL for each interface.
...must be applied to an interface to work.
Standard Access List Placement
Sample Problems
In order to permit packets from Juan's computer to arrive at
Jan's computer you would place the standard access list at
router interface __FA1__.
Lisa has been sending unnecessary information to Paul. Where
would you place the standard ACL to deny all traffic from Lisa to Paul?
Router Name: Router B    Interface: E1
Where would you place the standard ACL to deny traffic from Paul to
Lisa?
Router Name: Router A    Interface: E0
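[Figure: two sample networks. Router A (interfaces FA0 and FA1) with Juan's computer and Jan's computer; Router A and Router B (interfaces E0, S0, S1 and E1) with Lisa's computer and Paul's computer.]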
Router D
E0
Standard Access List Placement
1. Where would you place a standard access list to
permit traffic from Ricky's computer to reach Jeff's
computer?
2. Where would you place a standard access list to
deny traffic from Melvin's computer from reaching
Jenny's computer?
3. Where would you place a standard access list to
deny traffic to Carrol's computer from Sarah's
computer?
4. Where would you place a standard access list to
permit traffic from Ricky's computer to reach Jeff's
computer?
5. Where would you place a standard access list to
deny traffic from Amanda's computer from reaching
Jeff and Jim's computer?
6. Where would you place a standard access list to
permit traffic from Jackie's computer to reach Linda's
computer?
7. Where would you place a standard access list to
permit traffic from Ricky's computer to reach Carrol
and Amanda's computer?
8. Where would you place a standard access list to
deny traffic to Jenny's computer from Jackie's
computer?
9. Where would you place a standard access list to
permit traffic from George's computer to reach Linda
and Sarah's computer?
10. Where would you place an ACL to deny traffic from
Jeff's computer from reaching George's computer?
11. Where would you place a standard access list to
deny traffic to Sarah's computer from Ricky's
computer?
12. Where would you place an ACL to deny traffic from
Linda's computer from reaching Jackie's computer?
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router A
E0
Extended Access List Placement
Sample Problems
In order to permit packets from Juan's computer to arrive at
Jan's computer you would place the extended access list at
router interface __E0__.
Lisa has been sending unnecessary information to Paul. Where would
you place the extended ACL to deny all traffic from Lisa to Paul?
Router Name: Router A    Interface: FA0
Where would you place the extended ACL to deny traffic from Paul to
Lisa?
Router Name: Router B    Interface: FA1
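[Figure: two sample networks. Router A (interfaces E0 and E1) with Juan's computer and Jan's computer; Router A and Router B (interfaces FA0, S0, S1 and FA1) with Lisa's computer and Paul's computer.]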
Extended Access List Placement
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
Router Name_________________
Interface ____________________
1. Where would you place an ACL to deny traffic from
Jeff's computer from reaching George's computer?
2. Where would you place an extended access list to
permit traffic from Jackie's computer to reach Linda's
computer?
3. Where would you place an extended access list to
deny traffic to Carrol's computer from Ricky's
computer?
4. Where would you place an extended access list to
deny traffic to Sarah's computer from Jackie's
computer?
5. Where would you place an extended access list to
permit traffic from Carrol's computer to reach Jeff's
computer?
6. Where would you place an extended access list to
deny traffic from Melvin's computer from reaching Jeff
and Jim's computer?
7. Where would you place an extended access list to
permit traffic from George's computer to reach Jeff's
computer?
8. Where would you place an extended access list to
permit traffic from Jim's computer to reach Carrol and
Amanda's computer?
9. Where would you place an ACL to deny traffic from
Linda's computer from reaching Kathy's computer?
10. Where would you place an extended access list
to deny traffic to Jenny's computer from Sarah's
computer?
11. Where would you place an extended access list to
permit traffic from George's computer to reach Linda
and Sarah's computer?
12. Where would you place an extended access list
to deny traffic from Linda's computer from reaching
Jenny's computer?
Router D
FA0
Router F
FA1
IP IGMP IPINIP
TCP GRE OSPF
UDP IGRP NOS
ICMP EIGRP Integer 0-255
To match any internet protocol use IP.
indicates a specific host
Named ACLs...
...are standard or extended ACLs which have an alphanumeric name
instead of a number. (i.e. 1-99 or 100-199)
Named Access Lists Information
Named Access Lists...
...identify ACLs with an intuitive name instead of a number.
...eliminate the limits imposed by using numbered ACLs.
(798 for standard and 799 for extended)
...provide the ability to modify your ACLs without deleting and
reloading the revised access list. It will only allow you to add
statements to the end of the existing statements.
...are not compatible with any IOS prior to Release 11.2.
...cannot repeat the same name on multiple ACLs.
What are Named Access Control Lists?
Applying a Standard Named Access List called George
Write a named standard access list called George on Router A, interface E1 to
block Melvin's computer from sending information to Kathy's computer; but will
allow all other traffic.
Place the access list at:
Router Name: Router A
Interface: E1
Access-list Name: George
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ip access-list standard George
Router(config-std-nacl)# deny host 172.16.70.35
Router(config-std-nacl)# permit any
Router(config-std-nacl)# interface e1
Router(config-if)# ip access-group George out
Router(config-if)# exit
Router(config)# exit
Example 1
Address: 10.250.50.112 Subnet Mask: 255.255.255.224
Access-list 125 permit udp 10.250.50.112 0.0.0.31 any
Example 2
Address Range: 192.168.16.0 to 192.168.16.127
Access-list 125 deny ip 192.168.16.0 0.0.0.127 any
(This ACL would block the lower half of the subnet.)
Example 3
Address: 172.250.16.32 to 172.250.31.63
Access-list 125 permit ip 172.250.16.32 0.0.15.31 any
4. Match everyone.
For standard access lists:
Access-List 15 permit any
or
Access-List 15 deny 0.0.0.0 255.255.255.255
For extended access lists:
Access-List 175 permit ip any any
or
Access-List 175 deny tcp 0.0.0.0 255.255.255.255 any
3. Match a specific range
   192.168.16.127
 - 192.168.16.0
Wildcard: 0.0.0.127

   255.255.255.255
 - 255.255.255.224   (Custom Subnet mask)
Wildcard: 0.0.0.31

   172.250.31.63
 - 172.250.16.32
Wildcard: 0.0.15.31
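The subtraction method above, as an added example in Python that is not part of the workbook; the function names are illustrative. It derives a wildcard from a subnet mask or from a first/last address pair, then checks which addresses the resulting entry matches, because a wildcard is compared bit by bit and covers exactly first..last only when it is a power of two minus one and the first address is aligned on that block.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_mask(subnet_mask):
    """255.255.255.255 minus the subnet mask, i.e. its bitwise inverse."""
    return to_str(ALL_ONES ^ to_int(subnet_mask))

def wildcard_from_range(first, last):
    """Octet-by-octet subtraction, last address minus first address."""
    diffs = [int(hi) - int(lo)
             for lo, hi in zip(first.split("."), last.split("."))]
    if any(d < 0 for d in diffs):
        raise ValueError("octet subtraction went negative for this pair")
    return ".".join(str(d) for d in diffs)

def matches(addr, base, wildcard):
    """Wildcard bit 0 = must equal the base bit, wildcard bit 1 = ignored."""
    care = ALL_ONES ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(base) & care)

def match_count(wildcard):
    """Each ignored bit doubles the number of addresses the entry matches."""
    return 2 ** bin(to_int(wildcard)).count("1")

def range_size(first, last):
    return to_int(last) - to_int(first) + 1

def covers_exact_range(first, last):
    """True only if 'first wildcard' matches first..last and nothing else:
    the wildcard must be 2**n - 1 and first must be aligned on that block."""
    w = to_int(wildcard_from_range(first, last))
    return (w & (w + 1)) == 0 and (to_int(first) & w) == 0

def report(first, last):
    """Summarise what the subtraction-derived entry really matches."""
    wc = wildcard_from_range(first, last)
    return {
        "wildcard": wc,
        "matched": match_count(wc),
        "in_range": range_size(first, last),
        "exact": covers_exact_range(first, last),
    }

if __name__ == "__main__":
    # Address pairs and the subnet mask are the ones worked on this page.
    print(wildcard_from_mask("255.255.255.224"))
    print(report("192.168.16.0", "192.168.16.127"))
    print(report("172.250.16.32", "172.250.31.63"))
    print(matches("172.250.17.0", "172.250.16.32", "0.0.15.31"))
```

For the 172.250.16.32 to 172.250.31.63 pair the derived mask 0.0.15.31 matches 512 addresses (third octet 16-31 combined with fourth octet 32-63), not all 3872 addresses between the two endpoints.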
Wildcard Mask Problems
1. Create a wildcard mask to match this exact address.
IP Address: 192.168.25.70
Subnet Mask: 255.255.255.0 ___________________________________
2. Create a wildcard mask to match this range.
IP Address: 210.150.10.0
Subnet Mask: 255.255.255.0 ___________________________________
3. Create a wildcard mask to match this host.
IP Address: 195.190.10.35
Subnet Mask: 255.255.255.0 __________________________________
4. Create a wildcard mask to match this range.
IP Address: 172.16.0.0
Subnet Mask: 255.255.0.0 __________________________________
5. Create a wildcard mask to match this range.
IP Address: 10.0.0.0
Subnet Mask: 255.0.0.0 __________________________________
6. Create a wildcard mask to match this exact address.
IP Address: 165.100.0.130
Subnet Mask: 255.255.255.192 __________________________________
7. Create a wildcard mask to match this range.
IP Address: 192.10.10.16
Subnet Mask: 255.255.255.224 __________________________________
8. Create a wildcard mask to match this range.
IP Address: 171.50.75.128
Subnet Mask: 255.255.255.192 __________________________________
9. Create a wildcard mask to match this host.
IP Address: 10.250.30.2
Subnet Mask: 255.0.0.0 __________________________________
10. Create a wildcard mask to match this range.
IP Address: 210.150.28.16
Subnet Mask: 255.255.255.248 __________________________________
11. Create a wildcard mask to match this range.
IP Address: 172.18.0.0
Subnet Mask: 255.255.224.0 __________________________________
12. Create a wildcard mask to match this range.
IP Address: 135.35.230.32
Subnet Mask: 255.255.255.248 __________________________________
Answers to problems 1 and 2: 0.0.0.0 and 0.0.0.255
Wildcard Mask Problems
Based on the given information list the usable destination addresses or range
of usable destination addresses that would be permitted or denied for each
access list statement.
1. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
Answer: __________________________________________________________________
2. access-list 115 permit any any
Answer: __________________________________________________________________
3. access-list 150 permit ip 192.168.30.10 0.0.0.0 192.168.15.0 0.0.0.63
Answer: __________________________________________________________________
4. access-list 120 deny tcp 172.32.4.0 0.0.0.255 192.220.10.0 0.0.0.15
Answer: __________________________________________________________________
5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
Answer: __________________________________________________________________
6. access-list 101 deny ip 140.130.110.100 0.0.0.0 0.0.0.0 255.255.255.255
Answer: __________________________________________________________________
7. access-list 105 permit any 192.168.15.0 0.0.0.255
Answer: __________________________________________________________________
8. access-list 120 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.7
Answer: __________________________________________________________________
9. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 eq 21
Answer: __________________________________________________________________
10. access-list 150 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.63
Answer: __________________________________________________________________
Answers to problems 1 to 3:
1. 172.168.10.1
2. Any address
3. 192.168.15.1 to 192.168.15.63
Writing Standard Access Lists...
[Figure: Router A with interfaces E0 and E1 (addresses shown: 172.16.70.1 and 192.168.90.2). Melvin's computer 172.16.70.35, Frank's computer 172.16.70.32, Kathy's computer 192.168.90.38, Jim's computer 192.168.90.36.]
Write a standard access list to block Melvin's computer from sending information
to Kathy's computer; but will allow all other traffic. Keep in mind that there
may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: E1
Access-list #: 10
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 10 deny 172.16.70.35
or
access-list 10 deny 172.16.70.35 0.0.0.0
or
access-list 10 deny host 172.16.70.35
Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255
or
access-list 10 permit any
Router(config)# interface e1
Router(config-if)# ip access-group 10 out
Router(config-if)# exit
Router(config)# exit
[Viewing information about existing ACLs]
Router# show configuration (This will show which access groups are associated
with particular interfaces)
Router# show access-lists 10 (This will show detailed information about this ACL)
Standard Access List Sample #1
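How Sample #1 is evaluated, as an added Python example that is not part of the workbook: entries are read top to bottom, the first match decides, and a packet that matches nothing falls to the implicit deny at the end of every IOS access list. The function names are illustrative; the addresses are Melvin's and Frank's from the sample diagram.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard(line):
    """Parse 'access-list N permit|deny SOURCE [WILDCARD] [log]'
    (or the bare named-ACL form) into (action, base, wildcard)."""
    tokens = [t for t in line.split() if t.lower() != "log"]
    if tokens[0].lower() == "access-list":
        tokens = tokens[2:]                    # drop keyword and list number
    action, rest = tokens[0].lower(), tokens[1:]
    if action not in ("permit", "deny") or not rest:
        raise ValueError("not a standard ACL entry: %r" % line)
    if rest[0] == "any":
        return action, 0, ALL_ONES             # same as 0.0.0.0 255.255.255.255
    if rest[0] == "host":
        return action, _ip(rest[1]), 0         # same as wildcard 0.0.0.0
    wildcard = _ip(rest[1]) if len(rest) > 1 else 0
    return action, _ip(rest[0]), wildcard

def evaluate(acl_lines, source):
    """Return (action, number of the entry that matched, or None)."""
    src = _ip(source)
    for number, line in enumerate(acl_lines, 1):
        action, base, wildcard = parse_standard(line)
        care = ALL_ONES ^ wildcard
        if (src & care) == (base & care):
            return action, number              # first match wins, stop here
    return "deny", None                        # implicit deny

def shadowed_entries(acl_lines):
    """List (entry, earlier entry) pairs where the later entry can never
    match because the earlier one already covers all of its addresses."""
    parsed = [parse_standard(line) for line in acl_lines]
    hits = []
    for j, (_, base_j, w_j) in enumerate(parsed):
        for i, (_, base_i, w_i) in enumerate(parsed[:j]):
            care_i = ALL_ONES ^ w_i
            if (w_j & care_i) == 0 and (base_i & care_i) == (base_j & care_i):
                hits.append((j + 1, i + 1))
                break
    return hits

SAMPLE_1 = ["access-list 10 deny host 172.16.70.35",
            "access-list 10 permit any"]
REVERSED = list(reversed(SAMPLE_1))            # same entries, wrong order

if __name__ == "__main__":
    print(evaluate(SAMPLE_1, "172.16.70.35"))      # Melvin
    print(evaluate(SAMPLE_1, "172.16.70.32"))      # Frank
    print(evaluate(REVERSED, "172.16.70.35"), shadowed_entries(REVERSED))
    print(evaluate(SAMPLE_1[:1], "172.16.70.32"))  # no permit entry at all
```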
210.30.28.0
S0
Write a standard access list
rank s
computer; but will allow all
all traffic from the
210.30.28.0 network to reach
ep in mind that there
may be multiple ways many of
Write a standard access list to block Debbie's computer from receiving
information from Michael's computer; but will allow all other traffic. List all
the command line options for this problem. Keep in mind that there may be
multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
or
________________________________________________________
or
________________________________________________________
Router(config)# ________________________________________________________
or
______________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
[Figure: Router A and Router B, interface labels S0, S1, FA0 and FA1; Michael's computer and Debbie's computer; addresses shown: 223.190.32.1, 192.16.32.94, 172.16.28.36, 223.190.32.16, 192.16.32.95.]
Standard Access List Problem #1
[Figure: Router A and Router B, interface labels FA0, S0, S1, E0 and FA1; Rodney's computer, Carol's computer and Jim's computer; addresses shown: 204.90.30.124, 204.90.30.125, 204.90.30.126, 10.250.30.35, 10.250.30.36, 192.168.88.4, 192.168.88.5.]
Write a standard access list to block Rodney and Carol's computer from sending
information to Jim's computer; but will allow all other traffic from the
204.90.30.0 network. Block all other traffic. Keep in mind that there may be
multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Standard Access List Problem #3
Using a minimum number of commands write a standard access list named Ralph to
block Carol's computer from sending information to Jim's computer; but will
permit Jim to receive data from Rodney. Block the upper half of the 204.90.30.0
range from reaching Jim's computer while permitting the lower half of the range.
Block all other traffic. For help with blocking the upper half of the range
review page 13 or the wildcard mask problems on pages 16 and 17. For help with
named ACLs review pages 12 and 13.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
Router(config-std-nacl)# _______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
Router(config-std-nacl)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Standard Access List Problem #4
Write a standard access list to block 172.30.225.2 and 172.30.225.3 from sending
information to the 212.180.10.0 network; but will allow all other traffic. Keep
in mind that there may be multiple ways many of the individual statements in an
ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
[Figure: Router A, Router B and Router C, interface labels E0, S0, S1 and E1; addresses shown: 172.30.225.1, 172.30.225.2, 172.30.225.3, 212.180.10.2, 212.180.10.5, 212.180.10.6.]
Standard Access List Problem #5
Write a standard access list to block and log 212.180.10.2 from sending
information to the 172.30.225.0 network. Permit and log 212.180.10.6 to send
data to the 172.30.225.0 network. Deny all other traffic. Keep in mind that
there may be multiple ways many of the individual statements in an ACL can be
written. (Check the example on page 10 for help with the logging option.)
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Standard Access List Problem #6
Write a standard access list to block the addresses 192.168.15.1 to
192.168.15.31 from sending information to the 210.140.15.0 network. Do not
permit any traffic from 198.32.10.25 to reach the 210.140.15.0 network. Permit
all other traffic. For help with this problem review page 13 or the wildcard
mask problems on pages 16 and 17.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
[Figure: Router A, Router B and Router C, interface labels S0, S1 and FA0; addresses shown: 192.168.15.3, 210.140.15.8, 198.32.10.25.]
Standard Access List Problem #7
[Figure: interface labels FA1 and FA0; addresses shown: 192.168.15.172, 210.140.15.1, 198.32.10.25.]
Write a standard named access list called Cisco_Lab_A to permit traffic from the
lower half of the 198.32.10.0 network to reach 192.168.15.0 network; block the
upper half of the addresses. Allow host 198.32.10.192 to reach network
192.168.15.0. Permit all other traffic. For help with this problem review page
13 or the wildcard masks problems on pages 16 and 17. For assistance with named
ACLs review pages 12 and 13.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
Router(config-std-nacl)# _______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
_______________________________________________
Router(config-std-nacl)# interface ________
Router(config-if)# ip access-group __________________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Standard Access List Problem #8
Write a standard access list to block network 192.168.255.0 from receiving
information from the following addresses: 10.250.1.1, 10.250.2.1, 10.250.4.1,
and the entire 10.250.3.0 255.255.255.0 network. Allow all other traffic. Keep
in mind that there may be multiple ways many of the individual statements in an
ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________
[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Standard Access List Problem #9
Router A
FA0
FA0