Cisco Networking/CCENT/Access Control Lists

This lesson covers access control lists.

Objectives and Skills

edit

Objectives and skills for the access control lists portion of Cisco CCENT certification include:[1]

  • Describe the types, features, and applications of ACLs
    • Standard (editing and sequence numbers)
    • Extended
    • Named
    • Numbered
    • Log option
  • Configure and verify ACLs in a network environment
    • Named
    • Numbered
    • Log option
  • Configure and verify ACLs to filter network traffic
  • Configure and verify ACLs to limit telnet and SSH access to the router

Readings

edit
  1. Wikipedia: Access control list
  2. Cisco: Configuring IP Access Lists

Multimedia

edit
  1. YouTube: Access Control Lists - CompTIA Network+ N10-005: 5.2
  2. Cisco: Introducing Access Control List Operation
  3. YouTube: CCNA CCENT Video Boot Camp: Applying ACLs (Or Not!)
  4. YouTube: Access-List Tutorial

Examples

edit

access-list (IP standard)

edit

To define a standard IP access list, use the standard version of the access-list command in global configuration mode.[2]

access-list <access-list-number> {deny | permit} <source> [<source-wildcard>] [log]
access-list 1 deny 127.0.0.0 0.255.255.255 log
access-list 1 permit any

access-list (IP extended)

edit

To define an extended IP access list, use the extended version of the access-list command in global configuration mode.[3]

access-list <access-list-number> [dynamic <dynamic-name> [timeout <minutes>]] {deny | permit} <protocol> <source> <source-wildcard> <destination> <destination-wildcard> [log | log-input]]
access-list 101 permit tcp host 192.168.1.2 host 192.168.1.1 eq telnet
access-list 101 deny tcp any any eq telnet log
access-list 101 permit ip any any

ip access-list

edit

To define an IP access list by name, use the ip access-list command in global configuration mode.[4]

ip access-list {standard | extended} access-list-name

ip access-list standard block-private
deny 10.0.0.0 0.255.255.255 log

ip access-list extended filter-ssh
permit tcp host 192.168.1.2 host 192.168.1.1 eq 22
deny tcp any any eq 22 log
permit ip any any

ip access-group

edit

To control access to an interface, use the ip access-group command in interface configuration mode.[5]

ip access-group {<access-list-number> | <access-list-name>}{in | out}
ip access-group 1 out
ip access-group block-private out
ip access-group 101 in
ip access-group filter-ssh in

show access-lists

edit

To display the contents of current access lists, use the show access-lists privileged EXEC command.[6]

show access-lists [<access-list-number> | <access-list-name>]
show access-lists
show access-lists 1
show access-lists block-private

show ip access-lists

edit

To display the contents of all current IP access lists, use the show ip access-list EXEC command.[7]

show ip access-lists [access-list-number | access-list-name]
show ip access-lists 1
show ip access-lists block-private

Command Sequence

edit

A command sequence to configure port security might be similar to the following.

enable
configure terminal

access-list 1 deny 10.0.0.0 0.255.255.255 log
access-list 1 deny 172.16.0.0 0.15.255.255 log
access-list 1 deny 192.168.0.0 0.0.255.255 log
access-list 1 permit any

access-list 101 permit tcp host 192.168.1.2 host 192.168.1.1 eq 22
access-list 101 deny tcp any any eq 22 log
access-list 101 permit ip any any

interface fastethernet 0/0
ip access-group 101 in

interface fastethernet 0/1
ip access-group 1 out

exit
exit

show access-lists
show ip interface
exit

Activities

edit
  1. Complete the Cisco Access Lists training tutorial.
  2. Configure numbered standard ACLs to filter network traffic.
     
    1. Add three routers and two VPCS PCs to a new GNS3 project.
    2. Add links to connect the following.
      • PC1 Ethernet0 <-> R1 FastEthernet0/0
      • R1 FastEthernet0/1 <-> R2 FastEthernet0/0
      • R2 FastEthernet0/1 <-> R3 FastEthernet0/0
      • PC2 Ethernet0 <-> R3 FastEthernet0/1
    3. Start the devices.
    4. Set the following IP addresses, subnet masks, and for the PCs, default gateways
      • R1 FastEthernet0/0 = 192.168.1.1 255.255.255.0
      • R1 FastEthernet0/1 = 192.168.2.1 255.255.255.0
      • R2 FastEthernet0/0 = 192.168.2.2 255.255.255.0
      • R2 FastEthernet0/1 = 192.168.3.1 255.255.255.0
      • R3 FastEthernet0/0 = 192.168.3.2 255.255.255.0
      • R3 FastEthernet0/1 = 192.168.4.1 255.255.255.0
      • PC1 Ethernet0 = 192.168.1.11 255.255.255.0 192.168.1.1
      • PC2 Ethernet0 = 192.168.4.11 255.255.255.0 192.168.4.1
    5. Add static routes or dynamic OSPF routing to connect all devices.
    6. Display the routing tables using the following command.
      • show ip route
    7. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      • ping
      • trace
    8. Add a numbered standard ACL to filter network traffic and prevent hosts on the different subnets from connecting to hosts on other subnets. Practice using the following commands.
      • access-list
      • ip access-group
      • show access-lists
      • show ip interface
    9. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All PC-to-router and router-to-router tests should be successful. The PC-to-PC test should fail.
      • ping
      • trace
  3. Configure numbered extended ACLs to filter network traffic.
     
    1. Remove all ACLs from the configuration above. Verify the configuration using the following command.
      • show access-lists
    2. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      • ping
      • trace
    3. Add a numbered extended ACL that permits ICMP connections to routers, but prevents ICMP connections to other network hosts. Allow all other IP traffic. Practice using the following commands.
      • access-list
      • ip access-group
      • show access-lists
      • show ip interface
    4. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All PC-to-router and router-to-router tests should be successful. The PC-to-PC test should fail.
      • ping
      • trace
  4. Configure named standard ACLs to filter network traffic.
     
    1. Remove all ACLs from the configuration above. Verify the configuration using the following command.
      • show access-lists
    2. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      • ping
      • trace
    3. Add a named standard ACL to filter network traffic and prevent hosts on the different subnets from connecting to hosts on other subnets. Practice using the following commands.
      • access-list
      • ip access-group
      • show ip access-lists
      • show ip interface
    4. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All PC-to-router and router-to-router tests should be successful. The PC-to-PC test should fail.
      • ping
      • trace
  5. Configure named extended ACLs to filter network traffic.
     
    1. Remove all ACLs from the configuration above. Verify the configuration using the following command.
      • show access-lists
    2. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      • ping
      • trace
    3. Add a named extended ACL that permits ICMP connections to routers, but prevents ICMP connections to other network hosts. Allow all other IP traffic. Practice using the following commands.
      • access-list
      • ip access-group
      • show ip access-lists
      • show ip interface
    4. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All PC-to-router and router-to-router tests should be successful. The PC-to-PC test should fail.
      • ping
      • trace
  6. Configure ACLs to limit telnet and SSH access to the router.
    1. Remove all ACLs from the configuration above. Verify the configuration using the following command.
      • show access-lists
    2. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      • ping
      • trace
    3. Configure R2 to accept vty connections. Test the configuration using the following command from both routers. Both connections should be successful.
      • telnet
    4. Add an extended ACL that permits Telnet and SSH connections from R1 to R2, but prevents any other Telnet or SSH connections. Allow all other IP traffic. Practice using the following commands.
      • access-list
      • ip access-group
      • show ip access-lists
      • show ip interface
    5. Test the configuration using the following commands from both routers. The connection from R1 to R2 should be successful. The connection from R3 to R2 should fail.
      • telnet
    6. Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      • ping
      • trace

Lesson Summary

edit
  • An access control list refers to rules that are applied to port numbers or IP addresses that are available on a host, each with a list of hosts and/or networks permitted to use the service.[8]
  • Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.[9]
  • To define a standard IP access list, use the standard version of the access-list command in global configuration mode.[10]
  • Access lists may be configured to specifically permit or deny network traffic.[11]
  • Access lists end with an implicit deny all. Only traffic explicitly permitted by the access list will be allowed.[12]
  • Standard access lists filter based on source IP address.[13]
  • Standard numbered access lists are numbered from 1 to 99 or from 1300 to 1999.[14]
  • Access list wildcard masks are applied to IP addresses similar to the way subnet masks are applied, but with an opposite design. Subnet masks use 1-bits to identify the network. Access list wildcard masks use 1-bits to identify the host addresses to be filtered.[15]
  • To define an extended IP access list, use the extended version of the access-list command in global configuration mode.[16]
  • Extended access lists filter based on source and destination IP addresses, protocols, and port numbers.[17]
  • Extended numbered access lists are numbered from 100 to 199 or from 2000 to 2699.[18]
  • The log access-list command option causes an informational logging message about the packet that matches the entry to be sent to the console.[19]
  • To define an IP access list by name, use the ip access-list command in global configuration mode.[20]
  • To control access to an interface, use the ip access-group command in interface configuration mode.[21]
  • Access lists filter either inbound or outbound traffic based on the ip access-group options of in or out.[22]
  • To display the contents of current access lists, use the show access-lists privileged EXEC command.[23]
  • To display the contents of all current IP access lists, use the show ip access-list EXEC command.[24]

Key Terms

edit

Included in Lesson Summary

Review Questions

edit
Enable JavaScript to hide answers.
Click on a question to see the answer.
  1. An access control list refers to _____.
    An access control list refers to rules that are applied to port numbers or IP addresses that are available on a host, each with a list of hosts and/or networks permitted to use the service.
  2. Access control lists can generally be configured to _____, and in this context they are similar to _____.
    Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.
  3. To define a standard IP access list, use _____.
    To define a standard IP access list, use the standard version of the access-list command in global configuration mode.
  4. Access lists may be configured to specifically _____ or _____ network traffic.
    Access lists may be configured to specifically permit or deny network traffic.
  5. Access lists end with _____. Only traffic _____ will be allowed.
    Access lists end with an implicit deny all. Only traffic explicitly permitted by the access list will be allowed.
  6. Standard access lists filter based on _____.
    Standard access lists filter based on source IP address.
  7. Standard numbered access lists are numbered _____ or _____.
    Standard numbered access lists are numbered from 1 to 99 or from 1300 to 1999.
  8. Access list wildcard masks are applied to IP addresses similar to the way subnet masks are applied, but _____. Subnet masks use 1-bits to identify _____. Access list wildcard masks use 1-bits to identify _____.
    Access list wildcard masks are applied to IP addresses similar to the way subnet masks are applied, but with an opposite design. Subnet masks use 1-bits to identify the network. Access list wildcard masks use 1-bits to identify the host addresses to be filtered.
  9. To define an extended IP access list, use _____.
    To define an extended IP access list, use the extended version of the access-list command in global configuration mode.
  10. Extended access lists filter based on _____.
    Extended access lists filter based on source and destination IP addresses, protocols, and port numbers.
  11. Extended numbered access lists are numbered _____ or _____.
    Extended numbered access lists are numbered from 100 to 199 or from 2000 to 2699.
  12. The log access-list command option causes _____.
    The log access-list command option causes an informational logging message about the packet that matches the entry to be sent to the console.
  13. To define an IP access list by name, use _____.
    To define an IP access list by name, use the ip access-list command in global configuration mode.
  14. To control access to an interface, use _____.
    To control access to an interface, use the ip access-group command in interface configuration mode.
  15. Access lists filter either inbound or outbound traffic based on _____.
    Access lists filter either inbound or outbound traffic based on the ip access-group options of in or out.
  16. To display the contents of current access lists, use _____.
    To display the contents of current access lists, use the show access-lists privileged EXEC command.
  17. To display the contents of all current IP access lists, use _____.
    To display the contents of all current IP access lists, use the show ip access-list EXEC command.

Assessments

edit

See Also

edit

References

edit
  Completion status: this resource is considered to be complete.