Access control lists (ACLs) are one of the toughest areas for any new Cisco engineer to master. You must have a strong grasp of all common network protocols, services, and port numbers before you create your ACL. After that, you need to learn all the available syntax, rules and exceptions involved in creating your ACL. You then must learn how to edit, check and troubleshoot them.
We cover access control lists in detail in our CCNA course and Cisco CCNP ENCOR.
Access Control Lists
The most fundamental method to protect your network (after passwords) is to decide which traffic can enter and leave your router. Access control lists (ACLs) are a set of filters that the traffic is checked against. If the traffic matches the ACL, it can be either permitted or denied, depending on what you have configured.
Although ACLs are relatively straightforward to configure, they can cause problems for many junior network engineers. This is because there are some commands at the bottom of any access list that exist but cannot be seen (these are known as implicit commands). Also, ACLs operate by a certain set of special rules, and if you are not aware of these rules, your access list will not work or will work only part of the time.
Cisco has made changes to ACL rules and features as IOS versions have been released, so you will find that what applies to 12.3, for example, may not apply to 12.4. I’ll explain the main upgrades as we progress in this lesson. You will be tested on IOS version 15.X in the exam.
As with any skill, the more you configure commands, the better you will understand them. I strongly advise you to type all of the commands discussed onto a router (not all of them will work on Packet Tracer). You will make mistakes and get frustrated, but eventually it will become second nature to you.
As traffic reaches the router interface, it’s checked against the ACL. If it is permitted, it is routed and then sent to the outbound interface. To see the full list of the order in which the router processes incoming and outgoing traffic, please Google “Cisco router order of operations”; however, for the purposes of the CCNA exam, you don’t need to know it.
FIG 22.1 – ACL order of operations
IP access control lists come in two main varieties—standard and extended. Standard access lists are very simple to configure but do not allow any granularity (they only match based on source IP addresses). Extended access control lists are far more flexible but they are more complex to configure. Both standard and extended ACLs can be configured with names instead of numbers to make them easier to manage.
Access Control List Numbers
There are many ranges of ACL numbers based on protocol type. In order for the router to understand which one you want to configure, you have to use the correct range. For example, to configure IP standard ACLs, use any number from 1 to 99 (or 1300 to 1999). For the sake of brevity, I’ve only included the IP ranges (leaving out AppleTalk, IPX, etc., which are now defunct).
Table 22-1: Access control list ranges
| Protocol | Range |
| --- | --- |
| Standard IP | 1 to 99 |
| Standard IP (expanded range) | 1300 to 1999 |
| Extended IP | 100 to 199 |
| Extended IP (expanded range) | 2000 to 2699 |
Standard IP Access Control Lists
Standard IP access control lists filter traffic based on the IP source address of the traffic only. They do not filter web, e-mail, or any other variety of traffic or filter based on destination.
The ACL is given a number to identify the type of list it is (see the access control list ranges above), configured to permit or deny traffic and then configured with the parameters of which traffic to permit or deny. Many people then think that this is all they need to do. You actually have to apply this ACL to an interface; otherwise, it will just sit there doing nothing in particular and all traffic will be allowed through the router.
All traffic not included in the ACL is denied. Even if you do not enter a deny any command at the end of the list, it will do this automatically (unless you configure it to permit everything). The rationale is that if you are permitting certain traffic, surely you want to deny everything else! This is known as the implicit deny statement, and you need to remember this ALWAYS!
The command syntax for a standard ACL is:
access-list number [deny | permit] source-prefix source-wildcard [log]
Wildcard Masks
The wildcard mask can cause confusion for anybody new to ACLs. Just remember that the router is working in binary instead of decimal. The wildcard mask is there to tell the ACL which parts of the address to look at. A 1 in binary means that part of the address can be ignored, while a 0 means that it must match.
Example
If you want to match all traffic from 172.16.2.x, then you would add the wildcard mask 0.0.0.255, or in binary:
10101100.00010000.00000010.00000000 = 172.16.2.0
00000000.00000000.00000000.11111111 = 0.0.0.255
Match Match Match Ignore
In action, this would mean that any host from the network starting with 172.16.2.x would match the ACL, but 172.16.3.x would not match the list.
Example
The output below shows an ACL permitting any traffic from the 10.x.x.x network:
access-list 9 permit 10.0.0.0 0.255.255.255
Remember that there is an implicit deny any at the end of the ACL, meaning that when you apply this to an interface the only permitted network will be 10.x.x.x.
access-list 9 permit 10.0.0.0 0.255.255.255
access-list 9 deny 0.0.0.0 255.255.255.255 – This is present, but you will not see it. This is the implicit deny any.
Example
access-list 12 permit 172.16.2.0 0.0.0.255 – 172.16.2.x allowed
access-list 12 permit 192.168.1.0 0.0.0.255 – 192.168.1.x allowed
access-list 12 permit 10.4.0.0 0.0.255.255 – 10.4.x.x allowed
The ACL above permits three networks and implicitly denies traffic from any other network.
Example
access-list 15 deny 172.16.0.0 0.0.255.255
access-list 15 deny 192.168.2.1 – You can specify a host address
access-list 15 permit any
When you want to deny a few networks, subnets, or hosts and permit the rest, use the logic shown above. You are denying anything from the 172.16.x.x network, but you can also specify a single host without using a wildcard mask. Just enter the host number, and the router will add an automatic 0.0.0.0 to it. In the example above, you can see that host 192.168.2.1 is denied.
Finally, you can add permit any to the end of the list to prevent the implicit deny rule from denying any other traffic. If you forget this line, all traffic will be denied anyway.
You can break down wildcard masks from the default subnet boundaries just as you can use VLSM to change the default subnet mask for an IP address.
Example
If you wanted to deny the 192.168.100.96 255.255.255.224 subnet, you would use the following wildcard mask:
0.0.0.31
This makes more sense when written out in binary:
11111111.11111111.11111111.11100000 = 255.255.255.224
00000000.00000000.00000000.00011111 = 0.0.0.31
As you can see, the ACL matches the first 27 bits, and the last five can be any bits. The simplest way to look at it is to swap each “on” bit to an “off” bit when you are writing out the wildcard mask.
Example
10.1.64.0 255.255.192.0
If you wanted to permit or deny this subnet, you would need to create a specific wildcard mask to match that subnet. The wildcard mask needs to be the reverse of the subnet mask to permit or deny this subnet.
11111111.11111111.11000000.00000000 = 255.255.192.0
00000000.00000000.00111111.11111111 = 0.0.63.255
If you add the two columns together below and get 255, you know that the wildcard mask is correct (as also shown in the examples above).
| | Octet 1 | Octet 2 | Octet 3 | Octet 4 |
| --- | --- | --- | --- | --- |
| Subnet mask | 255 | 255 | 192 | 0 |
| Wildcard mask | 0 | 0 | 63 | 255 |
| Equals | 255 | 255 | 255 | 255 |
Example
Which wildcard mask would deny the subnet 172.16.32.0 255.255.240.0?
| | Octet 1 | Octet 2 | Octet 3 | Octet 4 |
| --- | --- | --- | --- | --- |
| Subnet mask | 255 | 255 | 240 | 0 |
| Wildcard mask | 0 | 0 | 15 | 255 |
| Equals | 255 | 255 | 255 | 255 |
As you can see above, the wildcard mask 0.0.15.255 would deny subnet 172.16.32.0.
Example
I actually came across one very tricky example during my CCIE lab exam attempt back in 2002 that threw me off at the time. In this example, you have to match both 10.0.0.0/24 and 10.0.1.0/24. The last octet won’t matter, so you can use 255 for the wildcard mask; however, the third octet has two subnets to contend with.
You need to use the wildcard mask 0.0.1.255. In order for this to make any sense, write down all three addresses in binary:
00001010.00000000.00000000.00000000 = 10.0.0.0
00001010.00000000.00000001.00000000 = 10.0.1.0
00000000.00000000.00000001.11111111 = 0.0.1.255
From the output above, you can see that only the first 23 bits have to match. This means that all addresses in the range of 10.0.0.0 to 10.0.1.255 will match, which matches both subnets 10.0.0.0 and 10.0.1.0. This was achieved simply by adding the “don’t care” bit to the end of the third octet.
Wildcard masks are commonly used with OSPF to advertise specific subnets. For the exam, it would be time well spent to practice your wildcard masks for various subnets, such as 192, 224, 240, etc.
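The wildcard arithmetic above can be checked in a few lines of code. The block below is an added example, not from this book or from Cisco: it inverts a subnet mask into a wildcard mask, applies the "each octet pair sums to 255" check, and tests whether a given address would match an ACL entry, using the 0.0.1.255 case from the CCIE example. Function names are my own.

```python
# Added example (not from the book): wildcard-mask arithmetic in plain Python.
from ipaddress import IPv4Address


def wildcard_from_mask(subnet_mask):
    """Invert a dotted subnet mask, e.g. 255.255.192.0 -> 0.0.63.255."""
    inverted = int(IPv4Address(subnet_mask)) ^ 0xFFFFFFFF
    return str(IPv4Address(inverted))


def wildcard_is_valid(subnet_mask, wildcard):
    """The book's check: every subnet-mask octet plus its wildcard octet equals 255."""
    mask_octets = [int(o) for o in subnet_mask.split(".")]
    wild_octets = [int(o) for o in wildcard.split(".")]
    return all(m + w == 255 for m, w in zip(mask_octets, wild_octets))


def to_binary(dotted):
    """Write a dotted address or mask as four 8-bit groups, as the text does."""
    return ".".join(format(int(o), "08b") for o in dotted.split("."))


def acl_entry_matches(address, entry_network, wildcard):
    """A 0 bit in the wildcard must match; a 1 bit is a 'don't care' bit."""
    addr = int(IPv4Address(address))
    net = int(IPv4Address(entry_network))
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF   # bits the router compares
    return (addr & care) == (net & care)


def matched_range(entry_network, wildcard):
    """Lowest and highest address an entry can match (handy when reviewing an ACL)."""
    net = int(IPv4Address(entry_network))
    wild = int(IPv4Address(wildcard))
    low = net & (wild ^ 0xFFFFFFFF)
    return str(IPv4Address(low)), str(IPv4Address(low | wild))


if __name__ == "__main__":
    for mask in ("255.255.255.224", "255.255.192.0", "255.255.240.0"):
        wc = wildcard_from_mask(mask)
        print(f"{mask:>16} -> {wc:<12} valid={wildcard_is_valid(mask, wc)}")
        print(f"  {to_binary(mask)} = {mask}")
        print(f"  {to_binary(wc)} = {wc}")
    # The two-subnet case: 0.0.1.255 covers 10.0.0.0/24 and 10.0.1.0/24 only
    for host in ("10.0.0.7", "10.0.1.200", "10.0.2.1"):
        print(host, acl_entry_matches(host, "10.0.0.0", "0.0.1.255"))
    print(matched_range("10.0.0.0", "0.0.1.255"))
```

matched_range is the check to run on any entry you inherit: it prints the first and last address the line can match, which is the quickest way to spot a wildcard that is wider than intended.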
Access Control List Logging
There is an optional log command that you can add to the end of an ACL. This allows any matches to the access list to be logged to the console session or router memory in case you want to check for hacking attacks or configuration problems.
access-list 15 deny 172.16.0.0 0.0.255.255 log
If you added the logging buffered command to the configuration, the output would be added to the router’s memory buffer. This could be interrogated later to investigate ACL violations.
Note: Logging ACLs consumes CPU cycles, so use the command with caution.
Extended IP Access Control Lists
Many administrators find that they need a lot more flexibility when locking down their networks. Filtering based on only traffic source addresses is very limited. Extended ACLs can filter based on source addresses, destination addresses, protocols, port numbers, and other features (see the explanation of port numbers in the following section).
Please do type out these commands on a router as you see them. Your output and options may differ slightly due to IOS versions but the core function will remain the same.
The syntax for a TCP access control list is shown below. As you will see, there are also IP, UDP, and ICMP access control lists and the syntax is slightly different for each.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] [deny | permit] tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input]
- number – extended ACLs use 100 to 199 (or the expanded range 2000 to 2699)
- dynamic – creates temporary entries in the ACL
- timeout – how long the dynamic list is activated for
- deny/permit – the list denying or permitting traffic
- tcp – you can deny a TCP port or all TCP traffic
- source – source host or network
- destination – destination host or network
- operator – can be greater than, less than, equal to
- port – port number
- established – matches only TCP segments with the ACK or RST bit set, i.e., replies to sessions started from inside the network
- precedence – filters based on the precedence levels 0 to 7
- tos – filters based on service levels 0 to 5 or by name
- log – logs the ACL violations
The ACL looks at the source address going to the destination address (i.e., the first address is “from” and the second address is “to”).
It is worth mentioning the established keyword in more detail. Perhaps you want to allow certain types of traffic into your network but only if your internal users started the session or requested the service. The established keyword checks the TCP flag bits in the packet. If the ACK (acknowledgement) or RST (reset) bit is set, the packet is treated as a reply to a TCP session opened from your network and is therefore permitted. Note that this is a check of the flag bits only, not of session state, and it works only with TCP packets. Figure 22.2 below shows a capture revealing the ACK and RST fields:
FIG 22.2 – ACK and RST fields
It would probably help to have some examples now.
access-list 101 permit tcp any any
The command above permits TCP traffic from any network to any network.
access-list 102 permit udp host 20.0.2.1 any eq 53
The command above permits UDP traffic from host 20.0.2.1 to anywhere, provided that the port is equal to 53 (DNS).
access-list 101 permit tcp host 11.1.2.1 host 172.16.1.1 eq telnet
access-list 101 permit tcp host 11.1.1.2 host 172.16.1.1
access-list 101 permit udp host 15.2.1.5 host 172.16.1.1
access-list 101 permit ip 15.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
The commands above permit Telnet traffic from host 11.1.2.1 to host 172.16.1.1 (you could have put 23 at the end instead of telnet), any TCP traffic from host 11.1.1.2 to host 172.16.1.1, any UDP traffic from host 15.2.1.5 to host 172.16.1.1, and any IP traffic from network 15.1.1.x to network 172.16.1.x. The implicit deny any at the end of the ACL will deny any other traffic.
Port Numbers
Traffic flowing from network to network uses IP addressing to access information or a certain service, or to carry out a certain task. In order for the network to understand what type of traffic is contained within the packet, a port number is used.
A port number identifies whether the service is web, e-mail, Telnet, name resolution, etc. There are literally thousands of port numbers available. The port numbers 0 to 1023 are called well-known numbers, and they are reserved. There are 65,535 available port numbers in total.
Table 22-2: Common port numbers
| Port Number | Service | Protocol |
| --- | --- | --- |
| 20 | File Transfer Protocol-Data (FTP-Data) | TCP |
| 21 | File Transfer Protocol (FTP) | TCP |
| 22 | Secure Shell (SSH) | TCP |
| 23 | Telnet | TCP |
| 25 | Simple Mail Transfer Protocol (SMTP) | TCP |
| 53 | Domain Name System (DNS) | TCP/UDP |
| 69 | Trivial File Transfer Protocol (TFTP) | UDP |
| 80 | HyperText Transfer Protocol (HTTP) | TCP/UDP |
| 110 | Post Office Protocol (POP3) | TCP |
| 119 | Network News Transfer Protocol (NNTP) | TCP |
| 123 | Network Time Protocol (NTP) | UDP |
| 161, 162 | Simple Network Management Protocol (SNMP) | UDP |
| 443 | HTTP Secure (HTTPS) | TCP |
You need to be aware that some ports are exclusive to TCP, some to UDP, and some are shared (such as DNS). You can either type in the port number or (depending on your IOS release) use the service name. I’ve removed most of the output to save space.
Router(config)#access-list 100 permit tcp any any eq ?
[0-65535] Port number
bgp Border Gateway Protocol (179)
domain Domain Name Service (53)
echo Echo (7)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (used infrequently, 20)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
Router(config)#access-list 100 permit udp any any eq ?
[0-65535] Port number
biff Biff (mail notification, comsat, 512)
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
domain Domain Name Service (DNS, 53)
pim-auto-rp PIM Auto-RP (496)
rip Routing Information Protocol (router, in.routed, 520)
snmp Simple Network Management Protocol (161)
tftp Trivial File Transfer Protocol (69)
time Time (37)
You can find all the port numbers listed at:
http://www.iana.org/assignments/port-numbers
Access control lists can also filter ICMP traffic (output truncated):
Router(config)#access-list 100 permit icmp any any ?
[0-255] ICMP message type
echo Echo (ping)
echo-reply Echo reply
log Log matches against this entry
log-input Log matches against this entry,
no-room-for-option Parameter required but no room
port-unreachable Port unreachable
precedence Match packets with given precedence
source-quench Source quenches
source-route-failed Source route failed
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
You will only need to remember ICMP echo and echo-reply, which are the ping request and response carried in ICMP.
Access Control Lists and Routing Protocols
Access control lists will permit the traffic you specify. It is vital to remember that if you are using routing protocols and ACLs on your router, you must permit the routing protocol as well.
To permit IGRP, specify:
access-list 101 permit igrp any any
To permit RIP, specify:
access-list 101 permit udp any any eq rip
To permit OSPF, specify:
access-list 101 permit ospf any any
To permit EIGRP, specify:
access-list 101 permit eigrp any any
Access Control List Rules
There are a few ACL rules that you need to be aware of for the exam and the real world. If you aren’t aware of them, then you will quickly run into configuration and troubleshooting issues.
ACL Rule 1 – Use Only One ACL Per Interface, Per Direction, and Per Protocol.
The Cisco IOS will not let you have more than one ACL per interface per direction, and, frankly, you don’t need more than one. Each interface can have an ingress and egress policy, per layer 3 protocol. Because most modern networks use IP, you can only have a single IP ACL per direction. Think about it: you can compress the entries of multiple ACLs into one ACL, so you should never need more than one!
FIG 22.3 – One ACL per interface and per direction
ACL Rule 2 – The Lines Are Processed Top-Down.
It is really important to remember this. Always put more specific entries higher in the ACL. Because the router processes ACLs top-down, it will stop when it reaches a match. This can make some ACL entries redundant if another policy matching the same parameters exists above.
For example, take the ACL blocking host 172.16.1.5. Here is what will happen as the router checks each line:
- Permit 10.0.0.0 – No match (move to next line)
- Permit 192.168.1.5 – No match (move to next line)
- Permit 172.16.0.0 – Match (permit packet and do not move to next line)
- Permit 172.16.1.0 – Not processed
- Deny 172.16.1.5 – Not processed
In the example above, the Deny 172.16.1.5 entry needs to be above the Permit 172.16.0.0 statement for it to have any effect.
ACL Rule 3 – There Is an Implicit Deny All at the Bottom of Every ACL.
If there is no explicit rule permitting a packet, then it is denied. The only way to override this is to configure a permit any entry at the bottom of the ACL.
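Rules 2 and 3 are easy to get wrong on paper, so here is an added example (my code, not from the book or from Cisco IOS) that models how a standard ACL is walked top-down with an implicit deny at the end. It reproduces the ordering mistake from the Rule 2 example and includes a small shadow check that reports lines an earlier line makes unreachable. The wildcard masks are my assumption, because the text abbreviates the entries to "Permit 10.0.0.0", "Permit 172.16.0.0" and so on.

```python
# Added example (not from the book): evaluating a standard ACL top-down.
from ipaddress import IPv4Address
from typing import NamedTuple


class Entry(NamedTuple):
    action: str                  # "permit" or "deny"
    network: str
    wildcard: str = "0.0.0.0"    # a bare address is a host entry, as on IOS


def _care_and_net(entry):
    """Bits the entry compares, and the entry's network restricted to those bits."""
    care = int(IPv4Address(entry.wildcard)) ^ 0xFFFFFFFF
    return care, int(IPv4Address(entry.network)) & care


def matches(entry, address):
    care, net = _care_and_net(entry)
    return (int(IPv4Address(address)) & care) == net


def evaluate(acl, address):
    """Return (action, index of the line that matched); index None means implicit deny."""
    for index, entry in enumerate(acl):
        if matches(entry, address):
            return entry.action, index        # Rule 2: stop at the first match
    return "deny", None                       # Rule 3: implicit deny any


def shadowed_entries(acl):
    """Indices of lines that can never match because an earlier line covers them.

    Line j is fully covered by an earlier line i when i compares a subset of the
    bits j compares and the two agree on those bits: every packet j could match
    has already been decided by i.
    """
    shadowed = []
    for j, later in enumerate(acl):
        later_care, later_net = _care_and_net(later)
        for earlier in acl[:j]:
            earlier_care, earlier_net = _care_and_net(earlier)
            if (earlier_care & later_care) == earlier_care and (later_net & earlier_care) == earlier_net:
                shadowed.append(j)
                break
    return shadowed


# The ACL from the Rule 2 example, in the order that fails to block 172.16.1.5
BROKEN_ACL = [
    Entry("permit", "10.0.0.0", "0.255.255.255"),
    Entry("permit", "192.168.1.5"),
    Entry("permit", "172.16.0.0", "0.0.255.255"),
    Entry("permit", "172.16.1.0", "0.0.0.255"),
    Entry("deny", "172.16.1.5"),
]

# The same entries with the host deny moved above the broader permit
FIXED_ACL = [BROKEN_ACL[4]] + BROKEN_ACL[:4]

if __name__ == "__main__":
    print(evaluate(BROKEN_ACL, "172.16.1.5"))   # ('permit', 2): the deny line is never reached
    print(shadowed_entries(BROKEN_ACL))          # [3, 4]
    print(evaluate(FIXED_ACL, "172.16.1.5"))     # ('deny', 0)
    print(evaluate(FIXED_ACL, "8.8.8.8"))        # ('deny', None): implicit deny
```

Running shadowed_entries on the corrected list still reports the Permit 172.16.1.0 line, because it is fully covered by Permit 172.16.0.0 above it; that is the redundancy Rule 8 later tells you to remove.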
ACL Rule 4 – The Router Cannot Filter Self-Generated Traffic.
It is important to remember this rule when testing ACLs. Traffic generated from the router will not be affected by an ACL. This is demonstrated in Figure 22.4 below, which shows that a packet passing through the router is checked.
FIG 22.4 – Traffic passing through the router is checked
The next packet is generated by the router and not checked by the ACL:
FIG 22.5 – Traffic generated by the router is not checked
ACL Rule 5 – You Can Edit a Live ACL.
Prior to IOS 12.4, the safe way to edit an ACL was to remove it, edit it in a text editor such as Notepad, and then reapply the ACL, as removing a line in the ACL would delete the entire ACL. After IOS 12.4, you can now edit a live ACL without first removing it.
ACL Rule 6 – You Can Disable the ACL on the Interface.
ACLs need to be applied on an interface to take effect. Similarly, removing the ACL from the interface disables it there. You do not need to delete the entire ACL to disable it, and this matters because the same ACL might be applied to several interfaces: deleting the ACL itself would disable it on all of them, whereas removing it from one interface affects only that interface. The configuration snippet below shows how to disable an ACL that was applied to interface Fast Ethernet 0/0:
Router(config)#int fast0/0
Router(config-if)#no ip access-group 1 in
Router(config-if)#^Z
ACL Rule 7 – You Can Reuse the Same ACL.
The same ACL can be applied to multiple interfaces. If you have the same ACL policy, there is no point in creating multiple ACLs; just reapply the same one to the multiple interfaces. This is common in large ISPs where a group policy on which traffic should be permitted into and out of the network is agreed upon. It is then applied to all gateway routers or firewalls. This is demonstrated in Figure 22.6 below:
FIG 22.6 – You can reuse an ACL
ACL Rule 8 – Keep Them Short!
With proper subnetting and wildcard knowledge, multiple ACL lines can be shortened into a few lines. This is generally a good practice that conserves CPU cycles. If you plan out your ACLs in advance, you should be able to see where excess lines can be reduced, for example:
access-list 2 deny 192.168.10.4
access-list 2 deny 192.168.10.5
access-list 2 deny 192.168.10.6
access-list 2 deny 192.168.10.7
Four consecutive host addresses are being denied, but you should be able to reduce this to a single line with a wildcard mask that matches all four:
access-list 2 deny 192.168.10.4 0.0.0.3
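Working out the covering wildcard by hand is error-prone, and a wrong one can match more addresses than the original lines did. The block below is an added example (my code, not the book's) that computes the shortest network/wildcard pair covering a list of addresses or prefixes and reports whether that single line is exact or over-matches. It handles both the four hosts above and the two /24 subnets from the wildcard-mask section. Function names are my own.

```python
# Added example (not from the book): consolidate ACL lines into one wildcard entry.
from ipaddress import IPv4Address, IPv4Network


def summarize_to_wildcard(prefixes):
    """Return (network, wildcard, exact) for the shortest single entry covering all prefixes.

    prefixes: host addresses ("192.168.10.4") or CIDR blocks ("10.0.0.0/24").
    A bit becomes a don't-care bit (1 in the wildcard) when it is a host bit of any
    prefix or when it differs between prefixes. exact is False when the entry would
    also match addresses that were not in the input, i.e. the shortened ACL permits
    or denies more than the original lines did.
    """
    nets = [IPv4Network(p, strict=False) for p in prefixes]
    base = int(nets[0].network_address)
    vary = 0
    requested = 0
    for n in nets:
        low = int(n.network_address)
        high = int(n.broadcast_address)          # network with all host bits set
        vary |= (low ^ base) | (high ^ base)     # any bit that is not constant
        requested += n.num_addresses
    network = base & (0xFFFFFFFF ^ vary)
    covered = 2 ** bin(vary).count("1")          # addresses the entry matches
    return str(IPv4Address(network)), str(IPv4Address(vary)), covered == requested


def acl_line(number, action, prefixes):
    """Render the consolidated entry in IOS syntax."""
    network, wildcard, _ = summarize_to_wildcard(prefixes)
    if wildcard == "0.0.0.0":
        return f"access-list {number} {action} host {network}"
    return f"access-list {number} {action} {network} {wildcard}"


if __name__ == "__main__":
    hosts = ["192.168.10.4", "192.168.10.5", "192.168.10.6", "192.168.10.7"]
    print(summarize_to_wildcard(hosts))                         # ('192.168.10.4', '0.0.0.3', True)
    print(acl_line(2, "deny", hosts))                           # access-list 2 deny 192.168.10.4 0.0.0.3
    print(summarize_to_wildcard(["10.0.0.0/24", "10.0.1.0/24"]))  # ('10.0.0.0', '0.0.1.255', True)
    # Non-adjacent subnets cannot be expressed exactly in one line: exact is False
    print(summarize_to_wildcard(["10.0.0.0/24", "10.0.3.0/24"]))  # ('10.0.0.0', '0.0.3.255', False)
```

When exact comes back False, keep the separate lines (or split the ranges differently) rather than accept a single line that silently widens the match.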
ACL Rule 9 – Put Your ACL as Close to the Source as Possible.
To conserve resources, ACLs should be applied as close to the source as possible. There is no point in spending bandwidth and router resources when routing a packet across the network only to have the packet dropped by an ACL before it reaches its destination. This might not be possible all the time but you should always do so whenever possible.
FIG 22.7 – Put your ACL close to the source
Cisco has a general rule to place standard ACLs toward the destination and extended ACLs closer to the source. In my experience, this isn’t always the best thing to do. Just bear the general rule in mind in case you get an exam question on it.
Configuring Access Control Lists
You can configure three types of ACLs on a router: standard ACLs, extended ACLs, and named ACLs, although named ACLs will still be either standard or extended. You need to be familiar with all three methods for the CCNA exam. You should spend some time practicing the examples here in the labs and then make up your own examples. Before long, you will become an ACL master.
Standard ACLs
Standard ACLs are easy to configure because they only filter based on the packet’s source IP address or network.
FIG 22.8 – Incoming packet with source and destination addresses
The incoming packet in Figure 22.8 above has a source address, a destination address, and a destination port number. In a standard ACL, the only parameter that matters is the source address (172.16.20.1). The ACL to permit this packet would be:
Router(config)#access-list 1 permit host 172.16.20.1
FIG 22.9 – Network with multiple hosts/networks
Router(config)#access-list 1 permit host 10.0.0.1
Router(config)#access-list 1 permit host 10.10.0.1
Router(config)#access-list 1 permit 172.16.10.0 0.0.0.255
This would be applied to the Internet-facing router interface. Remember that there will be an implicit deny all at the end of this list, so all other traffic will be blocked.
Extended ACLs
Extended ACLs have more flexibility because you can filter them based on the source and destination networks, protocols, and application port numbers. The general syntax for extended ACLs is as follows (simplified version):
access list# permit/deny [service/protocol] [source network/IP] [destination network/IP] [port#]
For example:
access-list 101 deny tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq 23
access-list 100 permit tcp 10.1.0.0 0.0.255.255 host 172.30.1.1 eq 21
access-list 100 permit icmp any any
Figure 22.10 below shows a sample network that needs to be configured with an ACL on the server-side router:
FIG 22.10 – Example of blocking server access
An example of an ACL you could configure for the network above, featuring e-mail, web, and file servers, would be as follows:
access-list 101 permit tcp host 10.0.0.1 host 192.168.10.1 eq smtp
access-list 101 permit tcp 172.16.10.0 0.0.0.255 host 192.168.20.1 eq ftp
access-list 101 permit tcp host 10.10.0.1 host 192.168.30.1 eq www
If you break down each line, you can see that the services are all being permitted and that they all use TCP, but the source and destination host or network differs. Each port also differs because each server runs a different service. You can write either the port number or the service name (e.g., www or 80).
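To see the three lines above actually decide traffic, here is an added example (my code, not the book's or Cisco's) that parses the extended-ACL syntax used on this page and evaluates constructed packets against it. A fourth, constructed line is appended to show the established keyword from earlier in the chapter. Only this page's syntax is handled: permit/deny, tcp/udp/icmp/ip, any / host A / A wildcard for source and destination, an optional destination eq port, and established; source-port operators are not parsed.

```python
# Added example (not from the book): a toy evaluator for extended ACL lines.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Service names used on this page and their port numbers
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


@dataclass
class ExtEntry:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None
    established: bool = False


def _addr_match(address, network, wildcard):
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF   # 0 bits in the wildcard must match
    return (int(IPv4Address(address)) & care) == (int(IPv4Address(network)) & care)


def parse_entry(line):
    """Parse 'access-list N permit|deny proto src dst [eq port] [established]'."""
    tokens = line.split()
    action, proto, pos, addrs = tokens[2], tokens[3], 4, []
    for _ in range(2):                    # source first, then destination
        if tokens[pos] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255"))
            pos += 1
        elif tokens[pos] == "host":
            addrs.append((tokens[pos + 1], "0.0.0.0"))
            pos += 2
        else:
            addrs.append((tokens[pos], tokens[pos + 1]))
            pos += 2
    dport, established = None, False
    while pos < len(tokens):
        if tokens[pos] == "eq":
            port = tokens[pos + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
            pos += 2
        elif tokens[pos] == "established":
            established = True
            pos += 1
        else:                             # e.g. 'log': accepted but ignored here
            pos += 1
    return ExtEntry(action, proto, *addrs[0], *addrs[1], dport, established)


def entry_matches(entry, pkt):
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not _addr_match(pkt.src, entry.src, entry.src_wc):
        return False
    if not _addr_match(pkt.dst, entry.dst, entry.dst_wc):
        return False
    if entry.dport is not None and pkt.dport != entry.dport:
        return False
    # 'established': only TCP segments carrying ACK or RST, i.e. replies to a session
    # opened from the protected side. It inspects flag bits, not session state.
    if entry.established and not (pkt.proto == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate_extended(acl_lines, pkt):
    """First matching line wins; no match means the implicit deny."""
    for entry in map(parse_entry, acl_lines):
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


# The three lines from the text, plus one constructed line showing 'established'
ACL_101 = [
    "access-list 101 permit tcp host 10.0.0.1 host 192.168.10.1 eq smtp",
    "access-list 101 permit tcp 172.16.10.0 0.0.0.255 host 192.168.20.1 eq ftp",
    "access-list 101 permit tcp host 10.10.0.1 host 192.168.30.1 eq www",
    "access-list 101 permit tcp any 10.0.0.0 0.255.255.255 established",   # constructed
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.0.1", "192.168.10.1", 25, frozenset({"SYN"})),
                Packet("tcp", "10.0.0.1", "192.168.10.1", 80, frozenset({"SYN"})),
                Packet("tcp", "203.0.113.5", "10.0.0.1", 50000, frozenset({"SYN"})),
                Packet("tcp", "203.0.113.5", "10.0.0.1", 50000, frozenset({"ACK"}))):
        print(pkt, "->", evaluate_extended(ACL_101, pkt))
```

The last two packets show why the text calls established a TCP-only keyword: the same source and destination are denied with only SYN set and permitted once ACK is set.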
Named ACLs
As well as using numbers for ACLs, you can also use names. Named ACLs were available beginning with IOS release 11.2. Using a name instead of a number makes the access list easier to identify when looking at the configuration. Because you are using names, you have to specify whether the ACL is standard or extended:
ip access-list [standard | extended] name
The following syntax will depend on whether you are configuring a standard or extended ACL. The access control list below has been named inbound_access:
Router(config)#ip access-list extended inbound_access
Router(config-ext-nacl)#permit tcp any 172.16.0.0 0.0.255.255 eq 80
Router(config-ext-nacl)#exit
Router(config)#int s0
Router(config-if)#ip access-group inbound_access in
Router(config-if)#exit
Router(config)#
Named ACLs can be edited one entry at a time, and numbered standard and extended ACLs gained the same ability later (originally you had to delete the whole numbered ACL and create a new one). Today you can delete a specific entry from named and numbered ACLs alike.
Router#conf t
Router(config)#ip access-list standard lan_traffic
Router(config-std-nacl)#permit 172.16.0.0
Router(config-std-nacl)#permit 172.30.0.0
Router(config-std-nacl)#permit 192.168.2.0
Router(config-std-nacl)#permit 10.0.0.0
Router(config-std-nacl)#exit
Router(config)#int fast0
Router(config-if)#ip access-group lan_traffic in
Router(config-if)#^Z
Router#show ip access-lists
Standard IP access list lan_traffic
40 permit 10.0.0.0
30 permit 192.168.2.0
20 permit 172.30.0.0
10 permit 172.16.0.0
Router#conf t
Router(config)#ip access-list standard lan_traffic
Router(config-std-nacl)#no permit 10.0.0.0
Router(config-std-nacl)#exit
Router(config)#exit
Router#
Router#show ip access-lists
Standard IP access list lan_traffic
30 permit 192.168.2.0
20 permit 172.30.0.0
10 permit 172.16.0.0 – The 10.0.0.0 entry has been deleted
Or for numbered ACLs:
Router(config)#access-list 10 permit 172.16.0.0
Router(config)#access-list 10 permit 172.30.0.0
Router(config)#access-list 10 permit 192.168.2.0
Router(config)#access-list 10 permit 10.0.0.0
Router(config)#exit
Router#sh ip access-list 10
Standard IP access list 10
40 permit 10.0.0.0
30 permit 192.168.2.0
20 permit 172.30.0.0
10 permit 172.16.0.0
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list standard 10 – Edit the numbered ACL just like the named ACL
Router(config-std-nacl)#no permit 10.0.0.0
Router(config-std-nacl)#end
Router#sh ip access-list 10
Standard IP access list 10
30 permit 192.168.2.0
20 permit 172.30.0.0
10 permit 172.16.0.0
Applying ACLs
Access control lists need to be applied on an interface or a terminal line for the ACLs to come into effect. It is a common mistake for junior Cisco engineers to create an ACL and then wonder why it isn’t working! Configuring an ACL without applying it to an interface has NO effect! Remember also that you can use the same ACL multiple times.
Access control lists are applied to Telnet or console lines using the access-class command, and to an interface using the ip access-group command. It is very important, for the exam and the real world, to know where an access class and where an access group is applied.
Some examples of ACLs being applied to a terminal line or an interface are shown below. Please do try these commands and note whether you are at the configuration line or the configuration interface prompt.
Interface:
Router(config)#int Gig0/0
Router(config-if)#ip access-group 102 in
Terminal line for VTY (Telnet/SSH) access:
Router(config)#line vty 0 15
Router(config-line)#access-class 10 in
Interface:
Router(config)#int fast0/0
Router(config-if)#ip access-group BlockWEB in
Access Control List Sequence Numbers
In IOS versions 12.2(14)S and later, Cisco introduced a very useful ACL manipulation feature—the capability to assign sequence numbers to ACL entries. This offers a series of advantages in regard to ACL editing, including:
- The possibility to add an ACL entry anywhere in the list
- The possibility to remove any ACL entry
- The possibility to reorder ACL entries
Let’s start by creating a standard ACL with one entry, permitting traffic from network 10.0.1.0:
R1(config)#ip access-list standard CCNA
R1(config-std-nacl)#permit 10.0.1.0
You can see that the ACL entries are numbered even if you do not specifically configure a sequence number. The ACL entry created here was assigned a sequence number of 10:
R1#show access-list CCNA
Standard IP access list CCNA
10 permit 10.0.1.0
Next, insert two more entries for networks 10.0.2.0 and 10.0.3.0, one after the initial sequence number and one before, and assign them numbers 5 and 15:
R1(config)#ip access-list standard CCNA
R1(config-std-nacl)#5 permit 10.0.2.0
R1(config-std-nacl)#15 permit 10.0.3.0
R1#show access-list CCNA
Standard IP access list CCNA
5 permit 10.0.2.0
15 permit 10.0.3.0
10 permit 10.0.1.0
As you can see from the show command output above, the two entries were correctly assigned sequence numbers 5 and 15. Now, let’s assume that you want to delete the first entry created for network 10.0.1.0:
R1(config)#ip access-list standard CCNA
R1(config-std-nacl)#no 10 permit 10.0.1.0
R1#show access-list CCNA
Standard IP access list CCNA
5 permit 10.0.2.0
15 permit 10.0.3.0
You can see that ACL entry number 10 has been deleted. You can also resequence ACL entries by shifting their sequence numbers based on a new sequence start number and a predefined step. Let’s assume that you want to resequence the CCNA access control list so the sequence numbers start at 200 and are incremented at 15 for each line. The command used to accomplish this is:
R1(config)#ip access-list resequence CCNA 200 15
R1#show access-list CCNA
Standard IP access list CCNA
200 permit 10.0.2.0
215 permit 10.0.3.0
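The edits above (append, insert at a number, delete by number, resequence) follow a simple rule set, modelled in the added example below. This is my code, not the book's or Cisco's; it prints entries in sequence-number order, which is the order they are evaluated, rather than reproducing the display order of the show output above.

```python
# Added example (not from the book): a model of sequence-numbered ACL edits.
class SequencedAcl:
    DEFAULT_STEP = 10     # IOS numbers the first entry 10 and adds 10 for each new one

    def __init__(self, name):
        self.name = name
        self.entries = {}   # sequence number -> entry text, e.g. 5 -> "permit 10.0.2.0"

    def add(self, text, seq=None):
        """Add an entry; with no number it goes after the highest existing one."""
        if seq is None:
            seq = (max(self.entries) if self.entries else 0) + self.DEFAULT_STEP
        if seq in self.entries:
            raise ValueError(f"sequence number {seq} is already used")
        self.entries[seq] = text

    def remove(self, seq=None, text=None):
        """Delete by number ('no 10 permit ...') or by matching text ('no permit ...')."""
        if seq is None:
            seq = next(s for s, t in self.entries.items() if t == text)
        del self.entries[seq]

    def resequence(self, start, step):
        """'ip access-list resequence NAME start step': keep the order, renumber."""
        ordered = sorted(self.entries.items())
        self.entries = {start + i * step: text for i, (_, text) in enumerate(ordered)}

    def sequence_numbers(self):
        return sorted(self.entries)

    def show(self):
        lines = [f"Standard IP access list {self.name}"]
        lines += [f"{seq} {text}" for seq, text in sorted(self.entries.items())]
        return "\n".join(lines)


def replay_chapter_edits():
    """Replay the CCNA list edits from the text and return the final ACL."""
    acl = SequencedAcl("CCNA")
    acl.add("permit 10.0.1.0")            # gets sequence number 10
    acl.add("permit 10.0.2.0", seq=5)
    acl.add("permit 10.0.3.0", seq=15)
    acl.remove(seq=10)                    # no 10 permit 10.0.1.0
    acl.resequence(200, 15)
    return acl


if __name__ == "__main__":
    print(replay_chapter_edits().show())
```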
There are many other types of ACLs, such as turbo, time-based, lock and key, reflexive, and dynamic. You can use a dynamic ACL to authenticate remote users with a unique username and password. The authentication process is done by the router or a central access server, for example, a TACACS+ or RADIUS server, which then grants access to the network for a period determined by the person configuring the ACL. Cisco has documentation on this; however, configuration is beyond the scope of the CCNA exam.
It is well worth having a very good working knowledge of ACLs, both for the CCNA exam and as a Cisco engineer.
An Alternative to Access Control Lists
An alternative to using ACLs, which can become complicated and take up valuable CPU cycles, is to install a route to a Null interface. A Null interface, much like a Loopback interface, exists only in the software. Any traffic routed to the Null interface is automatically dropped by the router. One key difference to note here is that while ACLs match based on different parameters, depending on whether it is a standard or an extended ACL, Null routing only matches based on the destination address (like every other type of routing).
Say, for example, that you want to prevent any traffic leaving the router destined for network 10.2.4.x 255.255.255.0. You would install a static route and send traffic destined for that network to the Null 0 interface:
Router(config)#ip route 10.2.4.0 255.255.255.0 Null0
End of Chapter Questions
Please visit www.howtonetwork.com/ccnasimplified to take the free Chapter 22 exam.
Chapter 22 Labs
Lab 1: Access Control Lists (Standard)
The physical topology is shown in Figure 22.11 below:
FIG 22.11 – Standard access control lists
Lab Exercise
Your task is to configure the network in Figure 22.11 to allow full connectivity using a default route. Then you will need to configure an ACL to deny connections from the neighbor network on their Loopback 0. Please feel free to try the lab without following the Lab Walk-through section.
Text in Courier New font indicates commands that can be entered on the router.
Purpose
Access control lists are a fundamental way of protecting the router and are also a very useful troubleshooting tool. Standard ACLs allow you to filter traffic based on a source address or a network and are a great introduction before moving on to the more sophisticated extended ACLs.
Lab Objectives
- Use the IP addressing scheme depicted in Figure 22.11. Router A (if it is the DCE) needs to have a clock rate on interface Serial 0/0: set this to be 64000.
- Set Telnet access for the router to use the local login permissions for username banbury and the password ccna.
- Configure the enable secret password to be cisco.
- Configure a default route to allow full connectivity.
- Configure an ACL to deny any connection from the neighbor router’s Loopback 0 interface, while still allowing all other traffic through.
- Finally, to test that the ACL is working, you will need to use the extended ping command.
Lab Walk-through
- To set the IP addresses on an interface, you will need to do the following:
Router#config t
Router(config)#hostname RouterA
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip address 192.168.1.1 255.255.255.252
RouterA(config-if)#clock rate 64000
RouterA(config-if)#no shutdown
RouterA(config-if)#interface Loopback0
RouterA(config-if)#ip address 172.16.1.1 255.255.0.0
RouterA(config-if)#interface Loopback1
RouterA(config-if)#ip address 172.20.1.1 255.255.0.0
Router B:
Router#config t
Router(config)#hostname RouterB
RouterB(config)#interface Serial0/0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.252
RouterB(config-if)#no shutdown
RouterB(config-if)#interface Loopback0
RouterB(config-if)#ip address 172.30.1.1 255.255.0.0
RouterB(config-if)#interface Loopback1
RouterB(config-if)#ip address 172.31.1.1 255.255.0.0
Ping across the Serial interface now. If you wait until the ACL is in place, a failed ping could be caused by either the Serial link or the ACL, which makes the problem much harder to troubleshoot.
- To set Telnet access, you need to configure the VTY lines to allow Telnet access. To do this, type the following (in configuration mode):
RouterA(config)#line vty 0 4 – Enters the VTY line configuration
RouterA(config-line)#login local – This will use local usernames and passwords for Telnet access
RouterA(config-line)#exit – Exits the VTY config mode
RouterA(config)#username banbury password ccna – Creates username and password for Telnet access (login local)
Router B:
RouterB(config)#line vty 0 4
RouterB(config-line)#login local
RouterB(config-line)#exit
RouterB(config)#username banbury password ccna
- To set the enable password, do the following:
RouterA(config)#enable secret cisco – Sets the enable password (encrypted)
Router B:
RouterB(config)#enable secret cisco
- To configure a default route, there is one simple step (in configuration mode):
RouterA(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0 – For all unknown addresses, send packet out of Serial0/0
Router B:
RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0
- To configure an ACL, there are two steps: first, specify the networks to permit or deny; and second, apply the ACL to an interface:
RouterA(config)#access-list 1 deny 172.30.0.0 0.0.255.255 – Denies the network specified; remember to use a wildcard mask.
RouterA(config)#access-list 1 permit any – Permit everything else
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip access-group 1 in – Assigns the access list to the interface and the direction of traffic to be checked
Router B:
RouterB(config)#access-list 1 deny 172.16.0.0 0.0.255.255
RouterB(config)#access-list 1 permit any
RouterB(config)#interface Serial0/0
RouterB(config-if)#ip access-group 1 in
- To test the ACL, you need to use an extended ping. The extended ping command allows you to specify a different source address for the ping instead of using the IP address assigned to the exiting interface:
RouterA#ping – Press Enter here
Protocol [ip]: – Press Enter here
Target IP address: 192.168.1.2
Repeat count [5]
Datagram size [100]
Timeout in seconds [2]
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]
Set DF bit in IP header? [no]
Validate reply data? [no]
Data pattern [0xABCD]
Loose, Strict, Record, Timestamp, Verbose[none]
Sweep range of sizes [n]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
U.U.U – Traffic from 172.16.0.0 network blocked by ACL on Router B
Success rate is 0 percent (0/5)
NOTE: Your response may be … instead of U.U.U.
RouterA#ping
Protocol [ip]
Target IP address: 192.168.1.2
Repeat count [5]
Datagram size [100]
Timeout in seconds [2]
Extended commands [n]: y
Source address or interface: 172.20.1.1
Type of service [0]
Set DF bit in IP header? [no]
Validate reply data? [no]
Data pattern [0xABCD]
Loose, Strict, Record, Timestamp, Verbose[none]
Sweep range of sizes [n]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!! – Traffic from 172.20.0.0 network permitted by ACL
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
Router B:
RouterB#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.30.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
U.U.U – Traffic from 172.30.0.0 network denied by ACL
Success rate is 0 percent (0/5)
RouterB#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.31.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!! – Traffic from 172.31.0.0 network permitted by ACL
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
Try the following commands:
RouterA#show ip access-lists
RouterA#show access-lists
RouterA#show run interface Serial0/0 – This command may not work in the exam (so use show run instead)
Show Runs
RouterA#show run
Building configuration…
Current configuration: 810 bytes
!
version 15.1
!
hostname RouterA
!
enable secret 5 $1$jjQo$YJXxLo.EZm9t6Sq4UYeCv0
!
username banbury password 0 ccna
!
interface Loopback0
ip address 172.16.1.1 255.255.0.0
!
interface Loopback1
ip address 172.20.1.1 255.255.0.0
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.252
ip access-group 1 in
clockrate 64000
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
access-list 1 deny 172.30.0.0 0.0.255.255
access-list 1 permit any
!
line con 0
line aux 0
line vty 0 4
login local
!
end
RouterA#
—
RouterB#show run
Building configuration…
Current configuration: 791 bytes
!
version 15.1
!
hostname RouterB
!
enable secret 5 $1$HrXN$ThplDHEZdnCbbeA/Ie67E1
!
username banbury password 0 ccna
!
interface Loopback0
ip address 172.30.1.1 255.255.0.0
!
interface Loopback1
ip address 172.31.1.1 255.255.0.0
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.252
ip access-group 1 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
access-list 1 deny 172.16.0.0 0.0.255.255
access-list 1 permit any
!
end
RouterB#
Lab 2: Access Lists (Extended)
The physical topology is shown in Figure 22.12 below:
FIG 22.12 – Extended access control lists
Lab Exercise
Your task is to configure the network in Figure 22.12 to allow full connectivity using a default route. Then you will need to configure an ACL to deny Telnet connections into Router A and Web (HTTP) traffic into Router B. Please feel free to try the lab without following the Lab Walk-through section.
Text in Courier New font indicates commands that can be entered on the router.
Purpose
Extended ACLs are one of the foundation skills of any competent CCNA engineer. You will be expected to be able to configure one to protect a client’s network from certain types of traffic. The number one tip for ACLs is to practice over and over again; the number two tip is to write them out on paper before you configure them.
Lab Objectives
- Use the IP addressing scheme depicted in Figure 22.12. Router A needs a clock rate on interface Serial 0/0: set this to 64000.
- Set Telnet access for the router to use the local login permissions for username banbury and the password ccna.
- Configure the enable password to be cisco.
- Configure a default route to allow full connectivity.
- Configure an ACL to deny any Telnet connections from the neighbor router, while still allowing all other traffic through.
- Finally, to test that the ACL is working, you will need to telnet to the neighbor router.
Lab Walk-through
- To set the IP addresses on an interface, you will need to do the following:
Router#config t
Router(config)#hostname RouterA
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip address 192.168.1.1 255.255.255.252
RouterA(config-if)#clock rate 64000
RouterA(config-if)#no shutdown
RouterA(config-if)#interface Loopback0
RouterA(config-if)#ip address 172.16.1.1 255.255.0.0
RouterA(config-if)#interface Loopback1
RouterA(config-if)#ip address 172.20.1.1 255.255.0.0
RouterA(config-if)#^Z
RouterA#
Router B:
Router#config t
Router(config)#hostname RouterB
RouterB(config)#interface Serial0/0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.252
RouterB(config-if)#no shutdown
RouterB(config-if)#interface Loopback0
RouterB(config-if)#ip address 172.30.1.1 255.255.0.0
RouterB(config-if)#interface Loopback1
RouterB(config-if)#ip address 172.31.1.1 255.255.0.0
RouterB(config-if)#^Z
RouterB#
- To set the clock rate on a Serial interface (DCE connection only), you need to use the clock rate # command on the Serial interface, where # indicates the speed:
RouterA(config-if)#clock rate 64000
Ping across the Serial link now.
- To set Telnet access, you need to configure the VTY lines to allow Telnet access. To do this, type the following (in configuration mode):
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#exit
RouterA(config)#username banbury password ccna
Router B:
RouterB(config)#line vty 0 4
RouterB(config-line)#login local
RouterB(config-line)#exit
RouterB(config)#username banbury password ccna
- To set the enable password, do the following:
RouterA(config)#enable secret cisco
Router B:
RouterB(config)#enable secret cisco
- To configure a default route, there is one simple step (in configuration mode):
RouterA(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0
Router B:
RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0
- To configure an ACL, there are two steps: first, specify the networks to permit or deny; and second, apply the ACL to an interface:
RouterA(config)#access-list 100 deny tcp any any eq 23
RouterA(config)#access-list 100 permit ip any any
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip access-group 100 in
Router B:
RouterB(config)#access-list 100 deny tcp any any eq 80
RouterB(config)#access-list 100 permit ip any any
RouterB(config)#interface Serial0/0
RouterB(config-if)#ip access-group 100 in
RouterB(config-if)#exit
RouterB(config)#ip http server – Enables the HTTP server so that a Telnet connection to port 80 has something to connect to
- To test this ACL, you will need to Telnet to the neighbor router. If the ACL is working, the connection will be denied:
RouterA#telnet 192.168.1.2 80 – Telnet using port 80 to test
Trying 192.168.1.2 …
% Destination unreachable; gateway or host down
Router B:
RouterB#telnet 192.168.1.1
Trying 192.168.1.1 …
% Destination unreachable; gateway or host down
- To make sure the ACL is doing its job, remove the ACL from the Serial interface and try the Telnet connection again. Router B must have the ip http server command added so that you can test the Telnet connection on port 80.
Router B:
RouterB#config t
RouterB(config)#interface Serial0/0
RouterB(config-if)#no ip access-group 100 in
RouterB(config-if)#exit
Router A:
RouterA#telnet 192.168.1.2 80 – Telnets from Router A to B
Trying 192.168.1.2, 80 … Open
exit – Type exit here; the HTTP server does not understand it and closes the connection
HTTP/1.0 501 Not Implemented
Date: Mon, 01 Mar 1993 00:17:40 UTC
Content-type: text/html
Expires: Thu, 16 Feb 1989 00:00:00 GMT
<H1>501 Not Implemented</H1>
[Connection to 192.168.1.2 closed by foreign host]
RouterA#
Router A:
RouterA#config t
RouterA(config)#interface Serial0/0
RouterA(config-if)#no ip access-group 100 in – Removes the ACL from the interface
Router B:
RouterB#
02:03:55: %SYS-5-CONFIG_I: Configured from console by console
RouterB#telnet 192.168.1.1 – Telnets from Router B to A
Trying 192.168.1.1 … Open
User Access Verification
Username: banbury
Password:
RouterA>
The Telnet connection should be successful now because the ACL is no longer in use.
Show Runs
RouterA#show run
Building configuration…
Current configuration: 799 bytes
!
version 15.1
!
hostname RouterA
!
enable secret 5 $1$jjQo$YJXxLo.EZm9t6Sq4UYeCv0
!
username banbury password 0 ccna
!
ip subnet-zero
!
interface Loopback0
ip address 172.16.1.1 255.255.0.0
!
interface Loopback1
ip address 172.20.1.1 255.255.0.0
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.252
ip access-group 100 in
clockrate 64000
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip http server
!
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any
!
end
—
RouterB#show run
Building configuration…
Current configuration: 781 bytes
!
version 15.1
!
hostname RouterB
!
enable secret 5 $1$HrXN$ThplDHEZdnCbbeA/Ie67E1
!
username banbury password 0 ccna
!
ip subnet-zero
!
interface Loopback0
ip address 172.30.1.1 255.255.0.0
!
interface Loopback1
ip address 172.31.1.1 255.255.0.0
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.252
ip access-group 100 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip http server
!
access-list 100 deny tcp any any eq www
access-list 100 permit ip any any
!
end
RouterB#
Lab 3: Access Control Lists (Named)
The physical topology is shown in Figure 22.13 below:
FIG 22.13 – Named access control lists
Lab Exercise
Your task is to configure the network in Figure 22.13 to allow full connectivity using a default route. Then, you will need to configure a named ACL to permit pings from Loopback 0 on Router B to Loopback 0 on Router A and Telnet traffic to Loopback 1 on Router A only. Any other traffic will be denied (which is done by default). Please feel free to try the lab without following the Lab Walk-through section.
Text in Courier New font indicates commands that can be entered on the router.
Purpose
Named ACLs are one of the foundation skills of any competent CCNA engineer. You will be expected to be able to configure one to protect a client’s network from certain types of traffic. Practice them over and over again and write them out on paper before you configure them.
Lab Objectives
- Use the IP addressing scheme depicted in Figure 22.13. Router A needs a clock rate on interface Serial 0/0: set this to 64000.
- Set Telnet access for the router to use the local login permissions for username banbury and the password ccna.
- Configure the enable password to be cisco.
- Configure a default route to allow full connectivity.
- Configure an ACL on Router A to permit ICMP from 172.30.1.1 to 172.16.1.1 and Telnet to 172.20.1.1 only.
- Finally, to test that the ACL is working, you will need to telnet to the neighbor router.
Lab Walk-through
- To set the IP addresses on an interface, you will need to do the following:
Router#config t
Router(config)#hostname RouterA
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip address 192.168.1.1 255.255.255.252
RouterA(config-if)#clock rate 64000
RouterA(config-if)#no shutdown
RouterA(config-if)#interface Loopback0
RouterA(config-if)#ip address 172.16.1.1 255.255.0.0
RouterA(config-if)#interface Loopback1
RouterA(config-if)#ip address 172.20.1.1 255.255.0.0
RouterA(config-if)#^Z
RouterA#
Router B:
Router#config t
Router(config)#hostname RouterB
RouterB(config)#interface Serial0/0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.252
RouterB(config-if)#no shutdown
RouterB(config-if)#interface Loopback0
RouterB(config-if)#ip address 172.30.1.1 255.255.0.0
RouterB(config-if)#interface Loopback1
RouterB(config-if)#ip address 172.31.1.1 255.255.0.0
RouterB(config-if)#^Z
RouterB#
- To set the clock rate on a Serial interface (DCE connection only), you need to use the clock rate # command on the Serial interface, where # indicates the speed:
RouterA(config-if)#clock rate 64000
Ping across the Serial link now.
- To set Telnet access, you need to configure the VTY lines to allow Telnet access. To do this, type the following (in configuration mode):
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#exit
RouterA(config)#username banbury password ccna
Router B:
RouterB(config)#line vty 0 4
RouterB(config-line)#login local
RouterB(config-line)#exit
RouterB(config)#username banbury password ccna
- To set the enable password, do the following:
RouterA(config)#enable secret cisco
Router B:
RouterB(config)#enable secret cisco
- To configure a default route, there is one simple step (in configuration mode):
RouterA(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0
Router B:
RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0
- To configure an ACL, there are two steps: first, specify the networks and traffic to permit or deny; and second, apply the ACL to an interface:
RouterA#config t
RouterA(config)#ip access-list extended secure_LAN – Creates the named ACL and enters named ACL configuration mode
RouterA(config-ext-nacl)#permit icmp host 172.30.1.1 host 172.16.1.1 – Permits pings from Loopback 0 on Router B to Loopback 0 on Router A
RouterA(config-ext-nacl)#permit tcp any host 172.20.1.1 eq telnet – Permits Telnet to Loopback 1 on Router A only
RouterA(config-ext-nacl)#exit
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip access-group secure_LAN in – Assigns the access-list to the interface and the direction of traffic to be checked
Router B:
- To test this ACL, you will need to telnet to the neighbor router; if the ACL is working, the connection will be denied:
RouterB#telnet 192.168.1.1 – Telnets to the Serial interface
Trying 192.168.1.1 …
% Destination unreachable; gateway or host down
RouterB#telnet 172.20.1.1 – Telnet to Loopback1 will work
Trying 172.20.1.1 … Open
User Access Verification
Password:
Test the implicit deny by pinging Loopback 0 on Router A from the Serial interface on Router B. No permit statement matches this source address, so the ping is dropped by the implicit deny at the end of the list:
RouterB#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
RouterB#
Now, ping from source interface 172.30.1.1, which should be permitted:
RouterB#ping
Protocol [ip]:
Target IP address: 172.16.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.30.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
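As an added example (not part of the book and not Cisco IOS code), the following Python script models how the router evaluates the ACLs from Labs 1, 2 and 3: wildcard-mask matching, first match wins, and the implicit deny at the end of every list, which is what drops the Serial-sourced ping and Telnet in this lab. The list contents and test packets are taken from the walk-throughs above; the function and class names are the example's own.

```python
"""Simulated Cisco-style ACL evaluation (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # "any" = wildcard of all ones


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def host(ip: str) -> Tuple[str, str]:
    """'host 1.2.3.4' is shorthand for wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # ip matches every protocol; else icmp/tcp/udp
    src: Tuple[str, str] = ANY   # (base, wildcard)
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None  # destination port for tcp/udp "eq"


def evaluate(acl, proto, src, dst, dport=None):
    """Return (verdict, line) for one packet. Line 0 is the invisible
    'deny any' that ends every IOS access list (the implicit deny)."""
    for n, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, *e.src) or not wildcard_match(dst, *e.dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, n          # first match wins; no further lines checked
    return "deny", 0


# Lab 1, Router B: access-list 1 deny 172.16.0.0 0.0.255.255 / permit any
ACL_1_ROUTER_B = [Entry("deny", src=("172.16.0.0", "0.0.255.255")), Entry("permit")]
# Lab 2, Router A: access-list 100 deny tcp any any eq 23 / permit ip any any
ACL_100_ROUTER_A = [Entry("deny", "tcp", dport=23), Entry("permit")]
# Lab 3, Router A: ip access-list extended secure_LAN (note: no permit-all line)
SECURE_LAN = [
    Entry("permit", "icmp", host("172.30.1.1"), host("172.16.1.1")),
    Entry("permit", "tcp", dst=host("172.20.1.1"), dport=23),
]


def lab_results():
    """Replay the walk-through tests; packets are as described in the labs."""
    return {
        "lab1_ping_from_172.16.1.1": evaluate(ACL_1_ROUTER_B, "icmp", "172.16.1.1", "192.168.1.2"),
        "lab1_ping_from_172.20.1.1": evaluate(ACL_1_ROUTER_B, "icmp", "172.20.1.1", "192.168.1.2"),
        "lab2_telnet_to_A": evaluate(ACL_100_ROUTER_A, "tcp", "192.168.1.2", "192.168.1.1", 23),
        "lab2_port80_to_A": evaluate(ACL_100_ROUTER_A, "tcp", "192.168.1.2", "192.168.1.1", 80),
        "lab3_telnet_serial": evaluate(SECURE_LAN, "tcp", "192.168.1.2", "192.168.1.1", 23),
        "lab3_telnet_loop1": evaluate(SECURE_LAN, "tcp", "192.168.1.2", "172.20.1.1", 23),
        "lab3_ping_from_serial": evaluate(SECURE_LAN, "icmp", "192.168.1.2", "172.16.1.1"),
        "lab3_ping_from_loop0": evaluate(SECURE_LAN, "icmp", "172.30.1.1", "172.16.1.1"),
    }


if __name__ == "__main__":
    for name, (verdict, line) in lab_results().items():
        print(f"{name:26s} -> {verdict} (line {line if line else 'implicit deny'})")
```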
Show Runs
RouterA#show run
Building configuration…
Current configuration: 831 bytes
!
version 15.1
!
hostname RouterA
!
interface Loopback0
ip address 172.16.1.1 255.255.0.0
!
interface Loopback1
ip address 172.20.1.1 255.255.0.0
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.252
clockrate 64000
ip access-group secure_LAN in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended secure_LAN
permit icmp host 172.30.1.1 host 172.16.1.1
permit tcp any host 172.20.1.1 eq telnet
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
—
RouterB#show run
Building configuration…
Current configuration: 574 bytes
!
version 15.1
!
hostname RouterB
!
interface Loopback0
ip address 172.30.1.1 255.255.0.0
!
interface Loopback1
ip address 172.31.1.1 255.255.0.0
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
end
Read the Cisco Access List guide.