Summary

This workbook provides information about access control lists (ACLs) used in networking. It covers standard and extended ACLs, their placement, and usage.

Full Transcript

Access Lists Workbook
Version 1.2

Access-List Numbers

IP Standard: 1 to 99
IP Extended: 100 to 199
Ethernet Type Code: 200 to 299
Ethernet Address: 700 to 799
DECnet and Extended DECnet: 300 to 399
XNS: 400 to 499
Extended XNS: 500 to 599
Appletalk: 600 to 699
48-bit MAC Addresses: 700 to 799
IPX Standard: 800 to 899
IPX Extended: 900 to 999
IPX SAP (service advertisement protocol): 1000 to 1099
IPX SAP SPX: 1000 to 1099
Extended 48-bit MAC Addresses: 1100 to 1199
IPX NLSP: 1200 to 1299
IP Standard, expanded range: 1300 to 1999
IP Extended, expanded range: 2000 to 2699
SS7 (voice): 2700 to 2999
Standard Vines: 1 to 100
Extended Vines: 101 to 200
Simple Vines: 201 to 300
Transparent bridging (protocol type): 200 to 299
Transparent bridging (vendor type): 700 to 799
Extended Transparent bridging: 1100 to 1199
Source-route bridging (protocol type): 200 to 299
Source-route bridging (vendor type): 700 to 799

Produced by: Robb Jones
Frederick County Career & Technology Center
Cisco Networking Academy
Frederick County Public Schools
Frederick, Maryland, USA

Special Thanks to Melvin Baker and Jim Dorsch for taking the time to check this workbook for errors.

[end of inside cover]

What are Access Control Lists?

ACLs...
...are a sequential list of instructions that tell a router which packets to permit or deny.

General Access Lists Information

Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement it stops comparing and permits or denies the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols; but each routed protocol must have a different ACL for each interface.
...must be applied to an interface to work.

How routers use Access Lists (Outbound Port - Default)

The router checks to see if the packet is routable.
If it is, it looks up the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL, the router switches the packet out that interface to its destination.
If there is an ACL, the router checks the packet against the access list statements sequentially, then permits or denies each packet as it is matched.
If the packet does not match any statement written in the ACL, it is denied, because there is an implicit “deny any” statement at the end of every ACL.

[end of page 1]

Standard Access Lists

Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) only source addresses.
...do not have any destination information, so they must be placed as close to the destination as possible.
...work at layer 3 of the OSI model.

Why standard ACLs are placed close to the destination.

If you want to block traffic from Juan’s computer from reaching Janet’s computer with a standard access list, you would place the ACL close to the destination on Router D, interface E0. Since it is using only the source address to permit or deny packets, the ACL here will not affect packets reaching Routers B or C.

[Figure: network diagram with Routers A, B, C and D, interfaces S0, S1 and E0, and Juan’s, Jimmy’s, Matt’s and Janet’s computers.]

If you place the ACL on Router A to block traffic to Router D, it will also block all packets going to Routers B and C, because all the packets will have the same source address.

[end of page 2]

Standard Access List Placement

Sample Problems

[Figure: Router A with interfaces FA0 and FA1, Juan’s computer and Jan’s computer.]

In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the standard access list at router interface ______.
Answer: FA1

[Figure: network diagram with Router A, Router B, interfaces E0, S0, E1 and S1, Lisa’s computer and Paul’s computer.]

Lisa has been sending unnecessary information to Paul. Where would you place the standard ACL to deny all traffic from Lisa to Paul?
Router Name: Router B
Interface: E1

Where would you place the standard ACL to deny traffic from Paul to Lisa?
Router Name: Router A
Interface: E0

[end of page 3]

Standard Access List Placement

[Figure: network diagram with Routers A, B, C, D, E and F, interfaces E0, FA1, S0 and S1, and the computers of Ricky, Jenny, Amanda, Carrol, Kathy, George, Jeff, Jim, Linda, Jackie, Melvin and Sarah.]

[end of page 4]

Standard Access List Placement

1. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer?
   Router Name: Router D
   Interface: E0

2. Where would you place a standard access list to deny traffic from Melvin’s computer from reaching Jenny’s computer?
   Router Name: Router A
   Interface: E0

3. Where would you place a standard access list to deny traffic to Carrol’s computer from Sarah’s computer?
   Router Name: _________________
   Interface: ____________________

4. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Jeff’s computer?
   Router Name: _________________
   Interface: ____________________

5. Where would you place a standard access list to deny traffic from Amanda’s computer from reaching Jeff and Jim’s computer?
   Router Name: _________________
   Interface: ____________________

6. Where would you place a standard access list to permit traffic from Jackie’s computer to reach Linda’s computer?
   Router Name: _________________
   Interface: ____________________

7. Where would you place a standard access list to permit traffic from Ricky’s computer to reach Carrol and Amanda’s computer?
   Router Name: _________________
   Interface: ____________________

8. Where would you place a standard access list to deny traffic to Jenny’s computer from Jackie’s computer?
   Router Name: _________________
   Interface: ____________________

9. Where would you place a standard access list to permit traffic from George’s computer to reach Linda and Sarah’s computer?
   Router Name: _________________
   Interface: ____________________

10. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer?
   Router Name: _________________
   Interface: ____________________

11. Where would you place a standard access list to deny traffic to Sarah’s computer from Ricky’s computer?
   Router Name: _________________
   Interface: ____________________

12. Where would you place an ACL to deny traffic from Linda’s computer from reaching Jackie’s computer?
   Router Name: _________________
   Interface: ____________________

[end of page 5]

Extended Access Lists

Extended Access Lists...
...are numbered from 100 to 199.
...filter (permit or deny) based on the:
      source address
      destination address
      protocol
      port number
...are placed close to the source.
...work at both layer 3 and 4 of the OSI model.

Why extended ACLs are placed close to the source.

If you want to deny traffic from Juan’s computer from reaching Janet’s computer with an extended access list, you would place the ACL close to the source on Router A, interface E0. Since it can permit or deny based on the destination address, it can reduce backbone overhead and not affect traffic to Routers B or C.

[Figure: network diagram with Routers A, B, C and D, interfaces S0, S1, E0 and FA0, and Matt’s, Janet’s, Juan’s and Jimmy’s computers.]

If you place the ACL on Router E to block traffic from Router A, it will work. However, Routers B and C will have to route the packet before it is finally blocked at Router E. This increases the volume of useless network traffic.
[end of page 6]

Extended Access List Placement

Sample Problems

[Figure: Router A with interfaces E0 and E1, Jan’s computer and Juan’s computer.]

In order to permit packets from Juan’s computer to arrive at Jan’s computer you would place the extended access list at router interface ______.
Answer: E0

[Figure: network diagram with Router A, Router B, interfaces FA0, S0, FA1 and S1, Lisa’s computer and Paul’s computer.]

Lisa has been sending unnecessary information to Paul. Where would you place the extended ACL to deny all traffic from Lisa to Paul?
Router Name: Router A
Interface: FA0

Where would you place the extended ACL to deny traffic from Paul to Lisa?
Router Name: Router B
Interface: FA1

[end of page 7]

Extended Access List Placement

[Figure: network diagram with Routers A, B, C, D, E and F, interfaces FA0, E1, FA1, S0 and S1, and the computers of Ricky, Jenny, Amanda, Carrol, Kathy, George, Jeff, Jim, Linda, Jackie, Melvin and Sarah.]

[end of page 8]

Extended Access List Placement

1. Where would you place an ACL to deny traffic from Jeff’s computer from reaching George’s computer?
   Router Name: Router D
   Interface: FA0

2. Where would you place an extended access list to permit traffic from Jackie’s computer to reach Linda’s computer?
   Router Name: Router F
   Interface: FA1

3. Where would you place an extended access list to deny traffic to Carrol’s computer from Ricky’s computer?
   Router Name: _________________
   Interface: ____________________

4. Where would you place an extended access list to deny traffic to Sarah’s computer from Jackie’s computer?
   Router Name: _________________
   Interface: ____________________

5. Where would you place an extended access list to permit traffic from Carrol’s computer to reach Jeff’s computer?
   Router Name: _________________
   Interface: ____________________

6. Where would you place an extended access list to deny traffic from Melvin’s computer from reaching Jeff and Jim’s computer?
   Router Name: _________________
   Interface: ____________________

7. Where would you place an extended access list to permit traffic from George’s computer to reach Jeff’s computer?
   Router Name: _________________
   Interface: ____________________

8. Where would you place an extended access list to permit traffic from Jim’s computer to reach Carrol and Amanda’s computer?
   Router Name: _________________
   Interface: ____________________

9. Where would you place an ACL to deny traffic from Linda’s computer from reaching Kathy’s computer?
   Router Name: _________________
   Interface: ____________________

10. Where would you place an extended access list to deny traffic to Jenny’s computer from Sarah’s computer?
   Router Name: _________________
   Interface: ____________________

11. Where would you place an extended access list to permit traffic from George’s computer to reach Linda and Sarah’s computer?
   Router Name: _________________
   Interface: ____________________

12. Where would you place an extended access list to deny traffic from Linda’s computer from reaching Jenny’s computer?
   Router Name: _________________
   Interface: ____________________

[end of page 9]

Choosing to Filter Incoming or Outgoing Packets

Access Lists on your incoming port...
...requires less CPU processing.
...filters and denies packets before the router has to make a routing decision.

Access Lists on your outgoing port...
...are outbound by default unless otherwise specified.
...increases the CPU processing time because the routing decision is made and the packet switched to the correct outgoing port before it is tested against the ACL.
Breakdown of a Standard ACL Statement

access-list 1 permit 192.168.90.36 0.0.0.0
   1               autonomous number, 1 to 99
   permit          permit or deny
   192.168.90.36   source address
   0.0.0.0         wildcard mask

access-list 78 deny host 192.168.90.36 log
   78              autonomous number, 1 to 99
   deny            permit or deny
   host            indicates a specific host address
   192.168.90.36   source address
   log             (Optional) generates a log entry on the router for each packet that matches this statement

[end of page 10]

Breakdown of an Extended ACL Statement

access-list 125 permit ip 192.168.90.36 0.0.0.0 192.175.63.12 0.0.0.0
   125             autonomous number, 100 to 199
   permit          permit or deny
   ip              protocol (icp, icmp, tcp, udp, ip, etc.)
   192.168.90.36   source address
   0.0.0.0         source wildcard mask
   192.175.63.12   destination address
   0.0.0.0         destination wildcard mask

access-list 178 deny tcp host 192.168.90.36 host 192.175.63.12 eq 23 log
   178             autonomous number, 100 to 199
   deny            permit or deny
   tcp             protocol (icp, icmp, tcp, udp, ip, etc.)
   host            indicates a specific host
   192.168.90.36   source address
   host            indicates a specific host
   192.175.63.12   destination address
   eq              operator (eq for =, gt for >, lt for <, neq for ≠)
   23              port number (23 = telnet)
   log             (Optional) generates a log entry on the router for each packet that matches this statement

Protocols Include: IP, TCP, UDP, ICMP, IGMP, GRE, IGRP, EIGRP, IPINIP, OSPF, NOS, Integer 0-255
To match any internet protocol use IP.

[end of page 11]

What are Named Access Control Lists?

Named ACLs...
...are standard or extended ACLs which have an alphanumeric name instead of a number (i.e. 1-99 or 100-199).

Named Access Lists Information

Named Access Lists...
...identify ACLs with an intuitive name instead of a number.
...eliminate the limits imposed by using numbered ACLs (798 for standard and 799 for extended).
...provide the ability to modify your ACLs without deleting and reloading the revised access list. It will only allow you to add statements to the end of the existing statements.
...are not compatible with any IOS prior to Release 11.2.
...can not repeat the same name on multiple ACLs.
Applying a Standard Named Access List called “George”

Write a named standard access list called “George” on Router A, interface E1 to block Melvin’s computer from sending information to Kathy’s computer; but will allow all other traffic.

Place the access list at:
Router Name: Router A
Interface: E1
Access-list Name: George

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ip access-list standard George
Router(config-std-nacl)# deny host 172.16.70.35
Router(config-std-nacl)# permit any
Router(config-std-nacl)# interface e1
Router(config-if)# ip access-group George out
Router(config-if)# exit
Router(config)# exit

[end of page 12]

Applying an extended Named Access List called “Gracie”

Write a named extended access list called “Gracie” on Router A, interface E0, to deny HTTP traffic intended for web server 192.168.207.27, but will permit all other HTTP traffic to reach only the 192.168.207.0 network. Deny all other IP traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E0
Access-list Name: Gracie

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ip access-list extended Gracie
Router(config-ext-nacl)# deny tcp any host 192.168.207.27 eq www
Router(config-ext-nacl)# permit tcp any 192.168.207.0 0.0.0.255 eq www
Router(config-ext-nacl)# interface e0
Router(config-if)# ip access-group Gracie in
Router(config-if)# exit
Router(config)# exit

[end of page 13]

Choices for Using Wildcard Masks

Wildcard masks are usually set up to do one of four things:
1. Match a specific host.
2. Match an entire subnet.
3. Match a specific range.
4. Match all addresses.

1. Matching a specific host.
For standard access lists:
   Access-List 10 permit 192.168.150.50 0.0.0.0
   or
   Access-List 10 permit 192.168.150.50 (standard ACL’s assume a 0.0.0.0 mask)
   or
   Access-List 10 permit host 192.168.150.50

For extended access lists:
   Access-list 110 deny ip 192.168.150.50 0.0.0.0 any
   or
   Access-list 110 deny ip host 192.168.150.50 any

2. Matching an entire subnet

Example 1
Address: 192.168.50.0   Subnet Mask: 255.255.255.0
   Access-list 25 deny 192.168.50.0 0.0.0.255

Example 2
Address: 172.16.0.0   Subnet Mask: 255.255.0.0
   Access-list 12 permit 172.16.0.0 0.0.255.255

Example 3
Address: 10.0.0.0   Subnet Mask: 255.0.0.0
   Access-list 125 deny udp 10.0.0.0 0.255.255.255 any

[end of page 14]

3. Match a specific range

Example 1
Address: 10.250.50.112   Subnet Mask: 255.255.255.224
                          255.255.255.255
   Custom Subnet mask:  - 255.255.255.224
   Wildcard:                0.  0.  0. 31
   Access-list 125 permit udp 10.250.50.112 0.0.0.31 any

Example 2
Address Range: 192.168.16.0 to 192.168.16.127
                  192.168.16.127
                - 192.168.16.  0
   Wildcard:        0.  0. 0.127
   Access-list 125 deny ip 192.168.16.0 0.0.0.127 any
   (This ACL would block the lower half of the subnet.)

Example 3
Address: 172.250.16.32 to 172.250.31.63
                  172.250.31.63
                - 172.250.16.32
   Wildcard:        0.  0.15.31
   Access-list 125 permit ip 172.250.16.32 0.0.15.31 any

4. Match everyone.

For standard access lists:
   Access-List 15 permit any
   or
   Access-List 15 deny 0.0.0.0 255.255.255.255

For extended access lists:
   Access-List 175 permit ip any any
   or
   Access-List 175 deny tcp 0.0.0.0 255.255.255.255 any

[end of page 15]

Creating Wildcard Masks

Just like a subnet mask the wildcard mask tells the router what part of the address to check or ignore. Zero (0) must match exactly, one (1) will be ignored.

The source address can be a single address, a range of addresses, or an entire subnet.

As a rule of thumb the wildcard mask is the reverse of the subnet mask.
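Added example, not part of the workbook: a small Python model of the wildcard-mask rule above together with the first-match ordering and implicit deny described earlier, run against the page's own addresses and its “Gracie” list. The function names, the tuple layout used for statements and the test source address 10.1.1.1 are assumptions of this example.

```python
import ipaddress

FULL = 0xFFFFFFFF


def to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(subnet_mask):
    """Subtract the subnet mask from 255.255.255.255 (bitwise inverse)."""
    return str(ipaddress.IPv4Address(FULL ^ to_int(subnet_mask)))


def wildcard_match(addr, base, wildcard):
    """Wildcard 0 bits must equal the statement's address, 1 bits are ignored."""
    care = FULL ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(base) & care)


def is_contiguous(wildcard):
    """True when the ignored bits form one run at the low end (an inverted subnet mask)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def range_coverage(first, last, base, wildcard):
    """Return (addresses in first..last matched by the statement, size of first..last)."""
    lo, hi = to_int(first), to_int(last)
    care = FULL ^ to_int(wildcard)
    want = to_int(base) & care
    hits = sum(1 for a in range(lo, hi + 1) if (a & care) == want)
    return hits, hi - lo + 1


ANY = ("0.0.0.0", "255.255.255.255")


def host(addr):
    """'host a.b.c.d' is shorthand for 'a.b.c.d 0.0.0.0'."""
    return (addr, "0.0.0.0")


# Constructed model of the page's named list "Gracie":
# (action, protocol, source, destination, destination port or None)
GRACIE = [
    ("deny", "tcp", ANY, host("192.168.207.27"), 80),            # eq www
    ("permit", "tcp", ANY, ("192.168.207.0", "0.0.0.255"), 80),  # eq www
]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching statement wins; no match falls through to the implicit deny.

    Returns (action, statement number); the number is None for the implicit deny.
    """
    for number, (action, a_proto, a_src, a_dst, a_port) in enumerate(acl, 1):
        if a_proto not in ("ip", proto):
            continue
        if not wildcard_match(src, *a_src) or not wildcard_match(dst, *a_dst):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, number
    return "deny", None


if __name__ == "__main__":
    client = "10.1.1.1"  # constructed test source address
    print(wildcard_from_mask("255.255.255.224"))
    print(evaluate(GRACIE, "tcp", client, "192.168.207.27", 80))
    print(evaluate(GRACIE, "tcp", client, "192.168.207.30", 80))
    print(evaluate(GRACIE, "udp", client, "192.168.207.30", 53))
    # Same two statements in the opposite order: the specific deny is never reached.
    print(evaluate(GRACIE[::-1], "tcp", client, "192.168.207.27", 80))
    print(range_coverage("192.168.16.0", "192.168.16.127", "192.168.16.0", "0.0.0.127"))
    print(range_coverage("172.250.16.32", "172.250.31.63", "172.250.16.32", "0.0.15.31"))
```

Each octet is masked independently, so `172.250.16.32 0.0.15.31` matches 512 of the 3,872 addresses between 172.250.16.32 and 172.250.31.63; subtracting the range endpoints gives a statement that covers the whole span only when the result is a contiguous wildcard such as 0.0.0.127.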
Example #1:
IP Address and subnet mask: 204.100.100.0 255.255.255.0
IP Address and wildcard mask: 204.100.100.0 0.0.0.255

All zero’s (or 0.0.0.0) means the address must match exactly.

Example #2:
10.10.150.95 0.0.0.0 (This address must match exactly.)

One’s will be ignored.

Example #3:
10.10.150.95 0.0.0.255 (Any 10.10.150.0 subnet address will match. 10.10.150.0 to 10.10.150.255)

This also works with subnets.

Example #4:
IP Address and subnet mask: 192.170.25.30 255.255.255.224
IP Address and wildcard mask: 192.170.25.30 0.0.0.31
(Subtract the subnet mask from 255.255.255.255 to create the wildcard)

Do the math...
   255 - 255 = 0 (This is the inverse of the subnet mask.)
   255 - 224 = 31

Example #5:
IP Address and subnet mask: 172.24.128.0 255.255.128.0
IP Address and wildcard mask: 172.24.128.0 0.0.127.255

Do the math...
   255 - 255 = 0 (This is the inverse of the subnet mask.)
   255 - 128 = 127
   255 - 0 = 255

[end of page 16]

Wildcard Mask Problems

1. Create a wildcard mask to match this exact address.
   IP Address: 192.168.25.70   Subnet Mask: 255.255.255.0
   Answer: 0.0.0.0

2. Create a wildcard mask to match this range.
   IP Address: 210.150.10.0   Subnet Mask: 255.255.255.0
   Answer: 0.0.0.255

3. Create a wildcard mask to match this host.
   IP Address: 195.190.10.35   Subnet Mask: 255.255.255.0
   __________________________________

4. Create a wildcard mask to match this range.
   IP Address: 172.16.0.0   Subnet Mask: 255.255.0.0
   __________________________________

5. Create a wildcard mask to match this range.
   IP Address: 10.0.0.0   Subnet Mask: 255.0.0.0
   __________________________________

6. Create a wildcard mask to match this exact address.
   IP Address: 165.100.0.130   Subnet Mask: 255.255.255.192
   __________________________________

7. Create a wildcard mask to match this range.
   IP Address: 192.10.10.16   Subnet Mask: 255.255.255.224
   __________________________________

8. Create a wildcard mask to match this range.
   IP Address: 171.50.75.128   Subnet Mask: 255.255.255.192
   __________________________________

9. Create a wildcard mask to match this host.
   IP Address: 10.250.30.2   Subnet Mask: 255.0.0.0
   __________________________________

10. Create a wildcard mask to match this range.
   IP Address: 210.150.28.16   Subnet Mask: 255.255.255.248
   __________________________________

11. Create a wildcard mask to match this range.
   IP Address: 172.18.0.0   Subnet Mask: 255.255.224.0
   __________________________________

12. Create a wildcard mask to match this range.
   IP Address: 135.35.230.32   Subnet Mask: 255.255.255.248
   __________________________________

[end of page 17]

Wildcard Mask Problems

Based on the given information list the usable source addresses or range of usable source addresses that would be permitted or denied for each access list statement.

1. access-list 10 permit 192.168.150.50 0.0.0.0
   Answer: 192.168.150.50

2. access-list 5 permit any
   Answer: Any address

3. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
   Answer: 195.223.50.1 to 195.223.50.63

4. access-list 11 deny 210.10.10.0 0.0.0.255
   Answer: ______________________________

5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
   Answer: ______________________________

6. access-list 171 deny any host 175.18.24.10 fragments
   Answer: ______________________________

7. access-list 105 permit 192.168.15.0 0.0.0.255 any
   Answer: ______________________________

8. access-list 109 permit tcp 172.16.10.0 0.0.0.255 host 192.168.10.1 eq 80
   Answer: ______________________________

9. access-list 111 permit ip any any
   Answer: ______________________________

10. access-list 195 permit udp 172.30.12.0 0.0.0.127 172.50.10.0 0.0.0.255
   Answer: ______________________________

[end of page 18]

11. access-list 110 permit ip 192.168.15.0 0.0.0.3 192.168.30.10 0.0.0.0
   Answer: ______________________________

12. access-list 120 permit ip 192.168.15.0 0.0.0.7 192.168.30.10 0.0.0.0
   Answer: ______________________________

13. access-list 130 permit ip 192.168.15.0 0.0.0.15 192.168.30.10 0.0.0.0
   Answer: ______________________________

14. access-list 140 permit ip 192.168.15.0 0.0.0.31 192.168.30.10 0.0.0.0
   Answer: ______________________________

15. access-list 150 permit ip 192.168.15.0 0.0.0.63 192.168.30.10 0.0.0.0
   Answer: ______________________________

16. access-list 101 Permit ip 192.168.15.0 0.0.0.127 192.168.30.10 0.0.0.0
   Answer: ______________________________

17. access-list 185 permit ip 192.168.15.0 0.0.0.255 192.168.30.0 0.0.0.255
   Answer: ______________________________

18. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 gt 22
   Answer: ______________________________

19. access-list 195 permit icmp 172.85.0.0 0.0.15.255 172.50.10.0 0.0.0.255
   Answer: ______________________________

20. access-list 10 permit 175.15.120.0 0.0.0.255
   Answer: ______________________________

21. access-list 190 permit tcp 172.15.0.0 0.0.15.31 any
   Answer: ______________________________

22. access-list 100 permit ip 10.0.0.0 0.255.255.255 172.50.10.0 0.0.0.255
   Answer: ______________________________

[end of page 19]

Wildcard Mask Problems

Based on the given information list the usable destination addresses or range of usable destination addresses that would be permitted or denied for each access list statement.

1. access-list 125 deny tcp 195.223.50.0 0.0.0.63 host 172.168.10.1 fragments
   Answer: 172.168.10.1

2. access-list 115 permit any any
   Answer: Any address

3. access-list 150 permit ip 192.168.30.10 0.0.0.0 192.168.15.0 0.0.0.63
   Answer: 192.168.15.1 to 192.168.15.63

4. access-list 120 deny tcp 172.32.4.0 0.0.0.255 192.220.10.0 0.0.0.15
   Answer: ______________________________

5. access-list 108 deny ip 192.220.10.0 0.0.0.15 172.32.4.0 0.0.0.255
   Answer: ______________________________

6. access-list 101 deny ip 140.130.110.100 0.0.0.0 0.0.0.0 255.255.255.255
   Answer: ______________________________

7. access-list 105 permit any 192.168.15.0 0.0.0.255
   Answer: ______________________________

8. access-list 120 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.7
   Answer: ______________________________

9. access-list 160 deny udp 172.16.0.0 0.0.1.255 172.18.10.18 0.0.0.0 eq 21
   Answer: ______________________________

10. access-list 150 permit ip 192.168.15.10 0.0.0.0 192.168.30.0 0.0.0.63
   Answer: ______________________________

[end of page 20]

Writing Standard Access Lists...
[Figure: network diagram. Labels as extracted: Router A, 172.16.70.1, 192.168.90.2, E1, E0, S0, Jim’s Computer, Frank’s Computer, 210.30.28.0, 172.16.70.32, 192.168.90.36, Kathy’s Computer, 192.168.90.38, Melvin’s Computer, 172.16.70.35.]

Standard Access List Sample #1

Write a standard access list to block Melvin’s computer from sending information to Kathy’s computer; but will allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.

Place the access list at:
Router Name: Router A
Interface: E1
Access-list #: 10

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 10 deny 172.16.70.35
   or access-list 10 deny 172.16.70.35 0.0.0.0
   or access-list 10 deny host 172.16.70.35
Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255
   or access-list 10 permit any
Router(config)# interface e1
Router(config-if)# ip access-group 10 out
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACL’s]
Router# show configuration
   (This will show which access groups are associated with particular interfaces)
Router# show access-lists 10
   (This will show detailed information about this ACL)

[end of page 22]

Standard Access List Sample #2

Write a standard access list to block Jim’s computer from sending information to Frank’s computer; but will allow all other traffic from the 192.168.90.0 network. Permit all traffic from the 210.30.28.0 network to reach the 172.16.70.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 28

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 28 deny 192.168.90.36
   or access-list 28 deny 192.168.90.36 0.0.0.0
   or access-list 28 deny host 192.168.90.36
Router(config)# access-list 28 permit 192.168.90.0 0.0.0.255
Router(config)# access-list 28 permit 210.30.28.0 0.0.0.255
Router(config)# interface e0
Router(config-if)# ip access-group 28 out
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACL’s]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 28 out
Router(config-if)# exit
Router(config)# no access-list 28
Router(config)# exit

[end of page 23]

[Figure: network diagram. Labels as extracted: FA0, S0, 223.190.32.1, Router A, Router B, S1, FA1, 192.16.32.94, FA0, Michael’s Computer, 172.16.28.36, Debbie’s Computer, 223.190.32.16, 192.16.32.95.]

Standard Access List Problem #1

Write a standard access list to block Debbie’s computer from receiving information from Michael’s computer; but will allow all other traffic. List all the command line options for this problem. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
   or ________________________________________________________
   or ________________________________________________________
Router(config)# ________________________________________________________
   or ________________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

[end of page 24]

Standard Access List Problem #2

Write a standard access list to permit Debbie’s computer to receive information from Michael’s computer; but will deny all other traffic from the 223.190.32.0 network. Block all traffic from the 172.16.0.0 network. Permit all other traffic. List all the command line options for this problem. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
   or ________________________________________________________
   or ________________________________________________________
Router(config)# ________________________________________________________
Router(config)# ________________________________________________________
Router(config)# ________________________________________________________
   or ________________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

[end of page 25]

[Figure: network diagram. Labels as extracted: Router A, 204.90.30.124, E0, S0, 10.250.30.35, Router B, Jim’s Computer, S1, FA1, Carol’s Computer, 10.250.30.36, 192.168.88.4, 192.168.88.5, Rodney’s Computer, 204.90.30.125, 204.90.30.126.]

Standard Access List Problem #3

Write a standard access list to block Rodney and Carol’s computer from sending information to Jim’s computer; but will allow all other traffic from the 204.90.30.0 network. Block all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
                ________________________________________________________
                ________________________________________________________
                ________________________________________________________
                ________________________________________________________
                ________________________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

[end of page 26]

Standard Access List Problem #4

Using a minimum number of commands write a standard access list named “Ralph” to block Carol’s computer from sending information to Jim’s computer; but will permit Jim to receive data from Rodney. Block the upper half of the 204.90.30.0 range from reaching Jim’s computer while permitting the lower half of the range. Block all other traffic. For help with blocking the upper half of the range review page 13 or the wildcard mask problems on pages 16 and 17. For help with named ACLs review pages 12 and 13.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________________________
Router(config-std-nacl)# _______________________________________________
                         _______________________________________________
                         _______________________________________________
                         _______________________________________________
                         _______________________________________________
                         _______________________________________________
                         _______________________________________________
                         _______________________________________________
                         _______________________________________________
                         _______________________________________________
Router(config-std-nacl)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

[end of page 27]

[Figure: network diagram. Labels as extracted: Router B, S1, S0, Router A, 172.30.225.1, E0, S0, S1, E1, 212.180.10.5, S1, Router C, 172.30.225.2, 212.180.10.6, 172.30.225.3, 212.180.10.2.]

Standard Access List Problem #5

Write a standard access list to block 172.30.225.2 and 172.30.225.3 from sending information to the 212.180.10.0 network; but will allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Standard Access List Problem #6

Write a standard access list to block and log 212.180.10.2 from sending information to the 172.30.225.0 network. Permit and log 212.180.10.6 to send data to the 172.30.225.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written. (Check the example on page 10 for help with the logging option.)
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

[Network diagram: Router A, Router B and Router C (interfaces FA0, FA1, S0, S1); addresses 198.32.10.25, 192.168.15.172, 192.168.15.3, 210.140.15.1, 210.140.15.8]

Standard Access List Problem #7

Write a standard access list to block the addresses 192.168.15.1 to 192.168.15.31 from sending information to the 210.140.15.0 network. Do not permit any traffic from 198.32.10.25 to reach the 210.140.15.0 network. Permit all other traffic. For help with this problem review page 13 or the wildcard mask problems on pages 16 and 17.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Standard Access List Problem #8

Write a standard named access list called “Cisco_Lab_A” to permit traffic from the lower half of the 198.32.10.0 network to reach 192.168.15.0 network; block the upper half of the addresses. Allow host 198.32.10.192 to reach network 192.168.15.0. Permit all other traffic. For help with this problem review page 13 or the wildcard masks problems on pages 16 and 17. For assistance with named ACLs review pages 12 and 13.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
Router(config-std-nacl)# ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
Router(config-std-nacl)# interface ________
Router(config-if)# ip access-group __________________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Standard Access List Problem #9

Write a standard access list to block network 192.168.255.0 from receiving information from the following addresses: 10.250.1.1, 10.250.2.1, 10.250.4.1, and the entire 10.250.3.0 255.255.255.0 network. Allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Network diagram: Router A, interface FA0]

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface ________
Router(config-if)# ip access-group ________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Writing Extended Access Lists...

[Network diagram: Router A (interfaces FA0, FA1); Gail’s, Mike’s, John’s and Celeste’s computers; addresses 172.16.70.1, 172.16.70.32, 172.16.70.35, 192.168.90.2, 192.168.90.36, 192.168.90.38]

Extended Access List Sample #1
Deny/Permit Specific Addresses

Write an extended access list to prevent John’s computer from sending information to Mike’s computer; but will allow all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 110

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 110 deny ip 172.16.70.35 0.0.0.0 192.168.90.36 0.0.0.0
    or
    access-list 110 deny ip host 172.16.70.35 host 192.168.90.36
Router(config)# access-list 110 permit ip any any
    or
    access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface fa0
Router(config-if)# ip access-group 110 in
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACLs]
Router# show configuration (This will show which access groups are associated with particular interfaces)
Router# show access-lists 110 (This will show detailed information about this ACL)

Extended Access List Sample #2
Deny/Permit Specific Addresses

Write an extended access list to block the 172.16.70.0 network from receiving information from Mike’s computer at 192.168.90.36. Block the lower half of the IP addresses from 192.168.90.0 network from reaching Gail’s computer at 172.16.70.32. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: FA1
Access-list #: 135

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 135 deny ip 192.168.90.36 0.0.0.0 172.16.70.0 0.0.0.255
    or
    access-list 135 deny ip host 192.168.90.36 172.16.70.0 0.0.0.255
Router(config)# access-list 135 deny ip 192.168.90.0 0.0.0.127 172.16.70.32 0.0.0.0
    or
    access-list 135 deny ip 192.168.90.0 0.0.0.127 host 172.16.70.32
Router(config)# access-list 135 permit ip any any
    or
    access-list 135 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface fa1
Router(config-if)# ip access-group 135 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACLs]
Router# configure terminal
Router(config)# interface e1
Router(config-if)# no ip access-group 135 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface e1
Router(config-if)# no ip access-group 135 out
Router(config-if)# exit
Router(config)# no access-list 135
Router(config)# exit

[Network diagram: Router A and Router B (interfaces FA0, FA1, S0, S1); Cindy’s, Jay’s, Bob’s and Jackie’s computers; addresses 172.20.70.15, 172.20.70.80, 172.20.70.89, 192.168.122.52, 192.168.122.128, 192.168.122.129]

Extended Access List Problem #1
Deny/Permit Specific Addresses

Write an extended access list to prevent Jay’s computer from receiving information from Cindy’s computer. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Extended Access List Problem #2
Deny/Permit Specific Addresses

Write an extended access list to block the 172.20.70.0 255.255.255.0 network from receiving information from Jackie’s computer at 192.168.122.129. Block the lower half of the IP addresses from 192.168.122.0 network from reaching Cindy’s computer at 172.20.70.89. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface __________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Network diagram: Router A and Router B (interfaces E0, FA1, S0, S1); Juan’s, Jan’s, Rebecca’s and Rachael’s computers; addresses 218.35.50.1, 218.35.50.10, 218.35.50.12, 172.59.2.1, 172.59.2.15, 172.59.2.18]

Extended Access List Problem #3
Deny/Permit Specific Addresses

Write a named extended access list called “Lab_166” to permit Jan’s computer at 218.35.50.10 to receive packets from Rachael’s computer at 172.59.2.18; but not Rebecca’s computer at 172.59.2.15. Deny all other packets. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
Router(config-ext-nacl)# ________________________________________
                         ________________________________________
                         ________________________________________
Router(config-ext-nacl)# interface ____________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Extended Access List Problem #4
Deny/Permit Specific Addresses

Write an extended access list to allow Juan’s computer at 218.35.50.12 to send information to Rebecca’s computer at 172.59.2.15; but not Rachael’s computer at 172.59.2.18. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface __________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Network diagram: Router A and Router B (interfaces E0, E1, S0, S1); Ralph’s, Bob’s, Cindy’s and Barbra’s computers; addresses 192.16.20.5, 192.16.20.6, 192.16.20.7, 192.18.50.10, 192.18.50.11, 192.18.50.12]

Extended Access List Sample #3
Deny/Permit Entire Ranges

Write an extended access list to permit the 192.16.20.0 network to receive packets from the 192.18.50.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router B
Interface: E1
Access-list #: 111

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 111 permit ip 192.18.50.0 0.0.0.255 192.168.20.0 0.0.0.255
Router(config)# access-list 111 deny ip any any
    or
    access-list 111 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface e1
Router(config-if)# ip access-group 111 in
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACLs]
Router# show configuration (This will show which access groups are associated with particular interfaces)
Router# show access-lists 111 (This will show detailed information about this ACL)

Extended Access List Sample #4
Deny/Permit Entire Ranges

Write an extended access list to block the 192.18.50.0 network from receiving information from the 192.16.20.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: E0
Access-list #: 188

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 188 deny ip 192.16.20.0 0.0.0.255 192.18.50.0 0.0.0.255
Router(config)# access-list 188 permit ip any any
    or
    access-list 188 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface e0
Router(config-if)# ip access-group 188 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACLs]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 188 out
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface e0
Router(config-if)# no ip access-group 188 out
Router(config-if)# exit
Router(config)# no access-list 188
Router(config)# exit

[Network diagram: Router A and Router B (interfaces FA0, FA1, S0, S1); Todd’s, Rebecca’s, Rachel’s and David’s computers; addresses 210.250.10.0, 204.95.150.10, 204.95.150.11, 204.95.150.12, 172.59.2.1, 172.59.2.15, 172.59.2.18]

Extended Access List Problem #5
Deny/Permit Entire Ranges

Write an extended access list to permit network 204.95.150.0 to send packets to network 172.59.0.0, but not the 210.250.10.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Extended Access List Problem #6
Deny/Permit Entire Ranges

Write an extended access list to allow Rachel’s computer at 204.95.150.10 to receive information from the 172.59.0.0 network. Deny all other hosts on the 204.95.150.0 network access from the 172.59.2.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface __________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Network diagram: Router A and Router B (interfaces E0, E1, S0, S1); Tommy’s, Phyllis’s, Tim’s and Denise’s computers; addresses 172.120.170.45, 192.168.50.2, 192.168.50.3, 192.168.50.4, 210.168.70.0, 10.250.1.0]

Extended Access List Problem #7
Deny/Permit Entire Ranges

Write a named extended access list called “Godzilla” to prevent the 172.120.0.0 network from sending information to the 210.168.70.0, and 10.250.1.0 255.255.255.0 networks; but will permit traffic to the 192.168.50.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
Router(config-ext-nacl)# ________________________________________
                         ________________________________________
                         ________________________________________
Router(config-ext-nacl)# interface ____________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit

Extended Access List Problem #8
Deny/Permit Entire Ranges

Assuming default subnet masks write an extended access list to permit Tim at 192.168.50.3 to receive data from the 172.120.0.0 network. Allow the 192.168.50.0 network to receive information from Phyllis’s computer at 172.120.170.45. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface __________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Network diagram: Router A and Router B (interfaces FA0, E1, S0, S1); Jim’s, Carol’s, Rodney’s and Frank’s computers; addresses 192.168.15.20, 192.168.15.43, 192.168.15.44, 172.21.50.95, 172.21.50.96, 172.21.50.97]

Extended Access List Sample #5
Deny/Permit a Range of Addresses

Write an extended access list to deny the first 15 usable addresses of the 192.168.15.0 network from reaching the 172.21.0.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 185

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# access-list 185 deny ip 192.168.15.0 0.0.0.15 172.21.50.0 0.0.255.255
Router(config)# access-list 185 permit ip any any
    or
    access-list 185 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface fa1
Router(config-if)# ip access-group 185 in
Router(config-if)# exit
Router(config)# exit

[Viewing information about existing ACLs]
Router# show configuration (This will show which access groups are associated with particular interfaces)
Router# show access-lists 185 (This will show detailed information about this ACL)

Extended Access List Sample #6
Deny/Permit a Range of Addresses

Write an extended access list which will allow the lower half of 192.168.15.0 network access to the 172.21.50.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: Router A
Interface: FA0
Access-list #: 121

[Writing and installing an ACL]
Router# configure terminal
Router(config)# access-list 121 permit ip 192.168.15.0 0.0.0.127 172.21.50.0 0.0.0.255
Router(config)# access-list 121 deny ip any any
    or
    access-list 121 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)# interface fa0
Router(config-if)# ip access-group 121 in
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Disabling ACLs]
Router# configure terminal
Router(config)# interface fa0
Router(config-if)# no ip access-group 121 in
Router(config-if)# exit
Router(config)# exit

[Removing an ACL]
Router# configure terminal
Router(config)# interface fa0
Router(config-if)# no ip access-group 121 in
Router(config-if)# exit
Router(config)# no access-list 121
Router(config)# exit

[Network diagram: Router A (interfaces E0, E1, S0); Gail’s, Mike’s, John’s and Celeste’s computers; addresses 192.168.195.88, 192.168.195.90, 192.168.195.145, 192.168.125.17, 192.168.125.108, 192.168.125.254, 172.31.195.0]

Extended Access List Problem #9
Deny/Permit a Range of Addresses

Write an extended access list to prevent the first 31 usable addresses in the 192.168.125.0 network from reaching the 192.168.195.0 network. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
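Added example (not part of the workbook): Sample #5 above writes "the first 15 usable addresses" as 192.168.15.0 0.0.0.15, and Sample #6 writes the lower half as 0.0.0.127. The Python sketch below shows which addresses a wildcard statement really covers, reports anything it matches beyond (or short of) the range that was intended, and splits an arbitrary range into exact address/wildcard pairs. The function names and the 0.0.0.7 case are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_int(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def dotted(value):
    """32-bit integer back to a dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_bounds(address, wildcard):
    """Lowest and highest address matched by 'address wildcard'.

    Only wildcards made of contiguous low-order 1 bits (0.0.0.15,
    0.0.0.127, 0.0.255.255 ...) describe a single unbroken range.
    """
    wc = ip_int(wildcard)
    if wc & (wc + 1):
        raise ValueError("wildcard bits are not contiguous: " + wildcard)
    low = ip_int(address) & ~wc & ALL_ONES   # ignored bits forced to 0
    return low, low | wc                     # ignored bits forced to 1


def outside(a, b):
    """Parts of inclusive interval a that fall outside inclusive interval b."""
    (alo, ahi), (blo, bhi) = a, b
    if bhi < alo or blo > ahi:
        return [a]
    parts = []
    if alo < blo:
        parts.append((alo, blo - 1))
    if ahi > bhi:
        parts.append((bhi + 1, ahi))
    return parts


def audit(address, wildcard, first, last):
    """Compare what a statement matches with the intended first..last range.

    'extra' lists ranges the statement matches but the requirement did not
    ask for; 'missing' lists ranges the requirement asked for but the
    statement does not match.
    """
    matched = wildcard_bounds(address, wildcard)
    wanted = (ip_int(first), ip_int(last))
    as_text = lambda parts: [(dotted(lo), dotted(hi)) for lo, hi in parts]
    return {"extra": as_text(outside(matched, wanted)),
            "missing": as_text(outside(wanted, matched))}


def range_to_statements(first, last):
    """Smallest list of (address, wildcard) pairs covering exactly first..last."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(b.network_address), str(b.hostmask)) for b in blocks]


if __name__ == "__main__":
    # Sample #5: one statement also matches the network address .0,
    # which no host uses, so the single line is an acceptable shortcut.
    print(audit("192.168.15.0", "0.0.0.15", "192.168.15.1", "192.168.15.15"))
    # Constructed mistake: 0.0.0.7 leaves .8 through .15 unfiltered.
    print(audit("192.168.15.0", "0.0.0.7", "192.168.15.1", "192.168.15.15"))
    # Exact cover of .1-.15 needs four statements instead of one.
    for addr, wc in range_to_statements("192.168.15.1", "192.168.15.15"):
        print(addr, wc)
```

A "missing" range in a deny statement is the result to look for when reviewing an ACL: those addresses fall through to whatever permit follows.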
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit

Extended Access List Problem #10
Deny/Permit a Range of Addresses

Write a named extended access list called “Media_Center” to permit the range of addresses from 172.31.195.1 through 172.31.195.7 to send data to the 192.168.125.0 network. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list Name: ____________________________

[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
Router(config-ext-nacl)# ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
                         ________________________________________
Router(config-ext-nacl)# interface __________
Router(config-if)# ip access-group ________________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Network diagram: Router A, Router B and Router C (interfaces FA0, FA1, E1, S0, S1); Jill’s, Ralph’s, Bob’s, Cindy’s, Barbra’s and Brad’s computers; addresses 192.16.20.5, 192.16.20.6, 192.16.20.7, 172.18.50.10, 172.18.50.11, 172.18.50.12, 172.22.75.8, 172.22.75.9, 172.22.75.10]

Extended Access List Problem #11
Deny/Permit a Range of Addresses

Write an extended access list to permit the first 3 usable addresses in the 192.16.20.0 network to reach the 172.22.75.0 network. Deny the addresses from 192.16.20.4 through 192.16.20.31 from reaching the 172.22.75.0 network. Permit all other traffic. Keep in mind that there are multiple ways this ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit

Extended Access List Problem #12
Deny/Permit a Range of Addresses

Write an extended access list to deny the addresses from 172.22.75.8 through 172.22.75.127 from sending data to the 172.18.50.0 network. Deny the first half of the addresses from the 172.22.75.0 network from reaching the 192.16.20.0 network. Permit all other traffic. Keep in mind that there are multiple ways this ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface __________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Network diagram: Router A and Router B (interfaces FA0, FA1, S0, S1); Bob’s, Peggy’s, Celeste’s and Denise’s computers; addresses 172.16.70.1, 172.16.70.145, 172.16.70.155, 192.168.88.1, 192.168.88.200, 192.168.88.204, 10.250.1.0, 10.250.4.0]

Extended Access List Problem #13
Deny/Permit a Range of Addresses

Write an extended access list to permit the first 63 usable addresses in the 192.168.88.0 network to reach the lower half of the addresses in the 172.16.70.0 network; but not the upper half. Deny all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal (or config t)
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface ____________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit

Extended Access List Problem #14
Deny/Permit a Range of Addresses

Write an extended access list to deny the addresses from 10.250.1.0 through 10.250.1.63 from sending data to Denise’s computer. Permit all other traffic. Keep in mind that there may be multiple ways many of the individual statements in an ACL can be written.
Place the access list at:
Router Name: ___________________________
Interface: _______________________________
Access-list #: ____________________________

[Writing and installing an ACL]
Router# configure terminal
Router(config)# ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
                ________________________________________
Router(config)# interface __________
Router(config-if)# ip access-group _________ in or out (circle one)
Router(config-if)# exit
Router(config)# exit
Router# copy run start

[Network diagram: Router A and Router B (interfaces E0, E1, S0, S1); two Web Servers; addresses 192.168.207.25, 192.168.207.26, 192.168.207.27, 210.128.50.10, 210.128.50.11]
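Added example (not part of the workbook): a small Python model of how a router reads an extended IP ACL from the top, stops at the first matching statement and falls through to the implicit deny at the end, run against access-list 135 from Sample #2. It handles only the "access-list N permit|deny ip source destination" form used on these pages; the misordered list, the test addresses and the function names are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_int(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def operand(tokens):
    """Consume one source or destination operand; return (address, wildcard)."""
    word = tokens.pop(0)
    if word == "any":                  # same as 0.0.0.0 255.255.255.255
        return 0, ALL_ONES
    if word == "host":                 # same as <address> 0.0.0.0
        return ip_int(tokens.pop(0)), 0
    return ip_int(word), ip_int(tokens.pop(0))


def parse(line):
    """Parse 'access-list N permit|deny ip SRC DST' (the only form handled)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("unsupported statement: " + line)
    if tokens[2] not in ("permit", "deny"):
        raise ValueError("unknown action: " + tokens[2])
    rest = tokens[4:]
    src = operand(rest)
    dst = operand(rest)
    if rest:
        raise ValueError("unexpected trailing words: " + " ".join(rest))
    return {"action": tokens[2], "src": src, "dst": dst}


def covers(entry, address):
    """True when address agrees with entry on every bit the wildcard checks."""
    base, wildcard = entry
    care = ~wildcard & ALL_ONES        # wildcard bit 0 = must match
    return (base & care) == (address & care)


def evaluate(acl, src, dst):
    """First match wins. Returns (action, statement number); the number is
    None when nothing matched and the implicit deny applied."""
    s, d = ip_int(src), ip_int(dst)
    for number, statement in enumerate(acl, start=1):
        if covers(statement["src"], s) and covers(statement["dst"], d):
            return statement["action"], number
    return "deny", None


def contains(outer, inner):
    """True when every address matched by inner is also matched by outer."""
    (obase, owild), (ibase, iwild) = outer, inner
    care = ~owild & ALL_ONES
    return (iwild & care) == 0 and (obase & care) == (ibase & care)


def shadowed(acl):
    """Statements that can never match because an earlier one covers them.
    Returns [(statement number, number of the earlier statement)]."""
    found = []
    for j, later in enumerate(acl, start=1):
        for i, earlier in enumerate(acl[:j - 1], start=1):
            if (contains(earlier["src"], later["src"])
                    and contains(earlier["dst"], later["dst"])):
                found.append((j, i))
                break
    return found


# access-list 135 exactly as written in Sample #2.
ACL_135 = [parse(line) for line in (
    "access-list 135 deny ip host 192.168.90.36 172.16.70.0 0.0.0.255",
    "access-list 135 deny ip 192.168.90.0 0.0.0.127 host 172.16.70.32",
    "access-list 135 permit ip any any",
)]

# Constructed mistake: the same statements with the permit entered first.
MISORDERED = [ACL_135[2], ACL_135[0], ACL_135[1]]

# Sample #6 without its explicit 'deny ip any any' line.
ACL_121_PERMIT_ONLY = [parse(
    "access-list 121 permit ip 192.168.15.0 0.0.0.127 172.21.50.0 0.0.0.255")]

if __name__ == "__main__":
    for src, dst in (("192.168.90.36", "172.16.70.35"),
                     ("192.168.90.38", "172.16.70.32"),
                     ("192.168.90.200", "172.16.70.32")):
        print(src, "->", dst, evaluate(ACL_135, src, dst))
    print("misordered:", evaluate(MISORDERED, "192.168.90.36", "172.16.70.35"),
          "shadowed:", shadowed(MISORDERED))
    print("no match:", evaluate(ACL_121_PERMIT_ONLY, "192.168.15.200", "172.21.50.95"))
```

Any pair reported by shadowed() marks a statement that will never take effect, which is the usual sign that a permit was entered above the denies it was meant to follow.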
