CCNA
MANAGING TRAFFIC WITH ACCESS LISTS
Standard Access List
Syntax:
Router(Config)# access-list ACL_id deny/permit source_id wildcard_mask
Router(Config)# interface interface_name
Router(Config-if)# ip access-group ACL_id out / in
Example:
Router(Config)# access-list 10 deny 10.0.0.0 0.255.255.255
Router(Config)# access-list 10 permit 0.0.0.0 255.255.255.255
Router(Config)# interface ethernet 0
Router(Config-if)# ip access-group 10 out
The above example denies all traffic sourced from the 10.0.0.0 network
(wildcard 0.255.255.255) from leaving the ethernet 0 interface in the
outbound direction; traffic from any other source is permitted.
Extended Access List
Syntax:
Router(Config)# access-list acl_id deny/permit protocol_name source_id wildcard_mask destination_id wildcard_mask eq port_number
Or
Router(Config)# access-list acl_id deny/permit protocol_name source_id wildcard_mask host destination_ip eq port_number
Router(Config)# interface interface_name
Router(Config-if)# ip access-group acl_id out / in
Example:
Router(Config)# access-list 110 deny tcp 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255 eq 23
Router(Config)# access-list 110 permit ip any any
Router(Config)# interface ethernet 0
Router(Config-if)# ip access-group 110 out
www.askasif.com 1 of 3
The above ACL denies Telnet traffic (TCP port 23) from any IP address to
the 10.0.0.0 network, applied outbound on the ethernet 0 interface; all
other IP traffic is permitted.
Named Access List
Syntax:
Router(Config)# ip access-list standard/extended acl_name
Router(Config-std-nacl)# deny/permit source_id wildcard_mask
Router(Config-std-nacl)# exit
Router(Config)# interface interface_name
Router(Config-if)# ip access-group acl_name out / in
Example:
Router(Config)# ip access-list standard hello
Router(Config-std-nacl)# deny 10.0.0.0 0.255.255.255
Router(Config-std-nacl)# exit
Router(Config)# interface ethernet 0
Router(Config-if)# ip access-group hello out
The above example blocks all traffic from the 10.0.0.0 network leaving
the ethernet 0 interface.
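To make the matching rules behind the standard, extended and named examples above concrete, here is an added Python model of how IOS evaluates an ACL. It is not part of the original cheat sheet; the Ace and Packet classes, the sample addresses and the "hello" ACL list are constructed for illustration. It implements the wildcard-mask rule (a 0 bit in the mask must match, a 1 bit is a don't-care), top-down first-match evaluation, and the implicit deny any that ends every IOS ACL. The last case models the named ACL "hello", which contains only a deny entry and therefore drops traffic from every source once the implicit deny is reached.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set to 0 in the wildcard must match,
    bits set to 1 are ignored (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access-list entry (constructed model of an IOS ACE)."""
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    src: str = "0.0.0.0"             # "any" == 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None      # "eq port_number"; None means any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; if nothing matches, the implicit
    'deny any' at the end of every IOS ACL drops the packet."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# ACL 10 from the standard example (only the source address is examined)
ACL_10 = [
    Ace("deny", src="10.0.0.0", src_wc="0.255.255.255"),
    Ace("permit", src="0.0.0.0", src_wc="255.255.255.255"),
]

# ACL 110 from the extended example: deny Telnet to 10.0.0.0/8, permit the rest
ACL_110 = [
    Ace("deny", proto="tcp", dst="10.0.0.0", dst_wc="0.255.255.255", dport=23),
    Ace("permit", proto="ip"),
]

# Named ACL "hello": a single deny entry and no permit
ACL_HELLO = [
    Ace("deny", src="10.0.0.0", src_wc="0.255.255.255"),
]


def demo() -> dict:
    """Evaluate constructed packets against the three ACLs."""
    return {
        "acl10_from_10net": evaluate(ACL_10, Packet("ip", "10.1.2.3", "192.0.2.9")),
        "acl10_from_other": evaluate(ACL_10, Packet("ip", "172.16.5.5", "192.0.2.9")),
        "acl110_telnet_to_10net": evaluate(ACL_110, Packet("tcp", "198.51.100.7", "10.20.30.40", 23)),
        "acl110_ssh_to_10net": evaluate(ACL_110, Packet("tcp", "198.51.100.7", "10.20.30.40", 22)),
        "acl110_telnet_elsewhere": evaluate(ACL_110, Packet("tcp", "198.51.100.7", "192.0.2.9", 23)),
        "hello_from_other": evaluate(ACL_HELLO, Packet("ip", "172.16.5.5", "192.0.2.9")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "hello_from_other" result is the one to notice: a named or numbered ACL that contains only deny entries blocks every packet, because any source that escapes the deny line falls through to the implicit deny. A practitioner who wants to block only 10.0.0.0/8 adds an explicit permit any (as ACL 10 does) after the deny line.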
Monitoring Access List
show access-lists                To display all access lists
show access-lists ACL-number     To display a specific access list
show ip access-lists             To show only the IP access lists
show ip interface                To show which interfaces have access lists set
Switch Port Access List
S1#config t
S1(config)#mac access-list extended Todd_MAC_List
S1(config-ext-macl)#deny any host 000d.29bd.4b85
S1(config-ext-macl)#permit any any
S1(config-ext-macl)#do show access-list
S1(config-ext-macl)#int f0/6
S1(config-if)#mac access-group Todd_MAC_List in
Time-based ACL
Corp#config t
Corp(config)#time-range no-http
Corp(config-time-range)#periodic weekend 06:00 to 12:00
Corp(config-time-range)#exit
Corp(config)#time-range tcp-yes
Corp(config-time-range)#periodic weekend 06:00 to 12:00
Corp(config-time-range)#exit
Corp(config)#ip access-list extended Time
Corp(config-ext-nacl)#deny tcp any any eq www time-range no-http
Corp(config-ext-nacl)#permit tcp any any time-range tcp-yes
Corp(config-ext-nacl)#interface f0/0
Corp(config-if)#ip access-group Time in
Corp(config-if)#do show time-range
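The following added Python model (not part of the original cheat sheet) shows how the time-ranges above gate the entries of the "Time" ACL. The Periodic and Ace classes and the sample dates are constructed for illustration; "eq www" is modelled as TCP port 80. An entry whose time-range is inactive is skipped as if it were not in the list, so outside the weekend 06:00 to 12:00 window neither entry of "Time" is active and all TCP traffic inbound on f0/0 falls through to the implicit deny.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional

# datetime.weekday(): Monday == 0 ... Sunday == 6
WEEKEND = {5, 6}
WEEKDAYS = {0, 1, 2, 3, 4}


@dataclass
class Periodic:
    """Constructed model of 'periodic <days> hh:mm to hh:mm'."""
    days: set
    start: time
    end: time


def time_range_active(spec: Periodic, now: datetime) -> bool:
    """Active when the weekday is listed and the clock is inside the window."""
    return now.weekday() in spec.days and spec.start <= now.time() <= spec.end


@dataclass
class Ace:
    """Constructed model of an extended ACE that may carry a time-range."""
    action: str
    proto: str
    dport: Optional[int] = None       # None matches any destination port
    time_range: Optional[str] = None  # name of the gating time-range, if any


def evaluate(acl: List[Ace], ranges: Dict[str, Periodic],
             pkt_proto: str, pkt_dport: int, now: datetime) -> str:
    """First match wins; entries with an inactive time-range are ignored;
    the implicit 'deny any' applies when nothing matches."""
    for ace in acl:
        if ace.time_range is not None and not time_range_active(ranges[ace.time_range], now):
            continue
        if ace.proto != pkt_proto:
            continue
        if ace.dport is not None and ace.dport != pkt_dport:
            continue
        return ace.action
    return "deny"


# The two time-ranges from the example (both weekend 06:00 to 12:00)
TIME_RANGES = {
    "no-http": Periodic(WEEKEND, time(6, 0), time(12, 0)),
    "tcp-yes": Periodic(WEEKEND, time(6, 0), time(12, 0)),
}

# ip access-list extended Time
ACL_TIME = [
    Ace("deny", "tcp", dport=80, time_range="no-http"),   # deny tcp any any eq www
    Ace("permit", "tcp", time_range="tcp-yes"),           # permit tcp any any
]


def demo() -> dict:
    """Constructed instants: a Saturday inside the window and a Monday outside it."""
    saturday_morning = datetime(2024, 3, 9, 9, 30)
    monday_morning = datetime(2024, 3, 11, 9, 30)
    return {
        "weekend_http": evaluate(ACL_TIME, TIME_RANGES, "tcp", 80, saturday_morning),
        "weekend_ssh": evaluate(ACL_TIME, TIME_RANGES, "tcp", 22, saturday_morning),
        "weekday_ssh": evaluate(ACL_TIME, TIME_RANGES, "tcp", 22, monday_morning),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "weekday_ssh" verdict is the caveat worth checking with show time-range and show access-lists before applying such a list: because both entries of "Time" share the same active window, the ACL as written permits TCP only on weekend mornings and denies everything else the rest of the week. A permit entry without a time-range after the gated entries is what keeps the interface usable outside the window.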