Cisco Networking/CCENT/Access Control Lists
This lesson covers access control lists.
Objectives and Skills
Objectives and skills for the access control lists portion of Cisco CCENT certification include:[1]
- Describe the types, features, and applications of ACLs
- Standard (editing and sequence numbers)
- Extended
- Named
- Numbered
- Log option
- Configure and verify ACLs in a network environment
- Named
- Numbered
- Log option
- Configure and verify ACLs to filter network traffic
- Configure and verify ACLs to limit telnet and SSH access to the router
Readings
Multimedia
- YouTube: Access Control Lists - CompTIA Network+ N10-005: 5.2
- Cisco: Introducing Access Control List Operation
- YouTube: CCNA CCENT Video Boot Camp: Applying ACLs (Or Not!)
- YouTube: Access-List Tutorial
Examples
access-list (IP standard)
To define a standard IP access list, use the standard version of the access-list command in global configuration mode.[2]

access-list <access-list-number> {deny | permit} <source> [<source-wildcard>] [log]

access-list 1 deny 127.0.0.0 0.255.255.255 log
access-list 1 permit any
access-list (IP extended)
To define an extended IP access list, use the extended version of the access-list command in global configuration mode.[3]

access-list <access-list-number> [dynamic <dynamic-name> [timeout <minutes>]] {deny | permit} <protocol> <source> <source-wildcard> <destination> <destination-wildcard> [log | log-input]

access-list 101 permit tcp host 192.168.1.2 host 192.168.1.1 eq telnet
access-list 101 deny tcp any any eq telnet log
access-list 101 permit ip any any
ip access-list
To define an IP access list by name, use the ip access-list command in global configuration mode.[4]

ip access-list {standard | extended} <access-list-name>

ip access-list standard block-private
 deny 10.0.0.0 0.255.255.255 log
ip access-list extended filter-ssh
 permit tcp host 192.168.1.2 host 192.168.1.1 eq 22
 deny tcp any any eq 22 log
 permit ip any any
ip access-group
To control access to an interface, use the ip access-group command in interface configuration mode.[5]

ip access-group {<access-list-number> | <access-list-name>} {in | out}

ip access-group 1 out
ip access-group block-private out
ip access-group 101 in
ip access-group filter-ssh in
show access-lists
To display the contents of current access lists, use the show access-lists privileged EXEC command.[6]

show access-lists [<access-list-number> | <access-list-name>]

show access-lists
show access-lists 1
show access-lists block-private
show ip access-lists
To display the contents of all current IP access lists, use the show ip access-list EXEC command.[7]

show ip access-lists [<access-list-number> | <access-list-name>]

show ip access-lists 1
show ip access-lists block-private
Command Sequence
A command sequence to configure and apply access control lists might be similar to the following.

enable
configure terminal
access-list 1 deny 10.0.0.0 0.255.255.255 log
access-list 1 deny 172.16.0.0 0.15.255.255 log
access-list 1 deny 192.168.0.0 0.0.255.255 log
access-list 1 permit any
access-list 101 permit tcp host 192.168.1.2 host 192.168.1.1 eq 22
access-list 101 deny tcp any any eq 22 log
access-list 101 permit ip any any
interface fastethernet 0/0
 ip access-group 101 in
interface fastethernet 0/1
 ip access-group 1 out
exit
exit
show access-lists
show ip interface
exit
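As an added example that is not part of the original lesson: a small Python evaluator that applies the wildcard-mask and first-match rules to the standard access list 1 from the sequence above, so the implicit deny at the end of every list can be checked against sample source addresses. The access-list text is constructed from the page; the function names are this example's own, not an IOS API.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard mask is the inverse of a subnet mask: 1-bits mean 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # 0-bits of the wildcard
    return (a & care) == (b & care)


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} {any | host A | A [wildcard]} [log]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            raise ValueError("not a standard access-list line: " + line)
        action = tok[2]
        if action not in ("permit", "deny"):
            raise ValueError("bad action in: " + line)
        if tok[3] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif tok[3] == "host":
            base, wc = tok[4], "0.0.0.0"
        else:
            base = tok[3]
            rest = [t for t in tok[4:] if t != "log"]
            wc = rest[0] if rest else "0.0.0.0"  # IOS default wildcard is 0.0.0.0
        entries.append((action, base, wc, "log" in tok))
    return entries


def evaluate(entries, src: str):
    """Entries are tested in order; the first match wins. No match is the implicit deny."""
    for action, base, wc, log in entries:
        if wildcard_match(src, base, wc):
            return action, log
    return "deny", False


# Constructed from the page's command sequence (access-list 1).
ACL1 = [
    "access-list 1 deny 10.0.0.0 0.255.255.255 log",
    "access-list 1 deny 172.16.0.0 0.15.255.255 log",
    "access-list 1 deny 192.168.0.0 0.0.255.255 log",
    "access-list 1 permit any",
]

if __name__ == "__main__":
    rules = parse_standard_acl(ACL1)
    for ip in ("172.31.5.5", "172.32.0.1", "8.8.8.8"):
        print(ip, evaluate(rules, ip))
```

Dropping the final permit any from ACL1 shows the implicit deny: addresses that matched nothing before fall through to deny without a log entry.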
Activities
- Complete the Cisco Access Lists training tutorial.
- Configure numbered standard ACLs to filter network traffic.
  - Add three routers and two VPCS PCs to a new GNS3 project.
  - Add links to connect the following.
    - PC1 Ethernet0 <-> R1 FastEthernet0/0
    - R1 FastEthernet0/1 <-> R2 FastEthernet0/0
    - R2 FastEthernet0/1 <-> R3 FastEthernet0/0
    - PC2 Ethernet0 <-> R3 FastEthernet0/1
  - Start the devices.
  - Set the following IP addresses, subnet masks, and for the PCs, default gateways.
    - R1 FastEthernet0/0 = 192.168.1.1 255.255.255.0
    - R1 FastEthernet0/1 = 192.168.2.1 255.255.255.0
    - R2 FastEthernet0/0 = 192.168.2.2 255.255.255.0
    - R2 FastEthernet0/1 = 192.168.3.1 255.255.255.0
    - R3 FastEthernet0/0 = 192.168.3.2 255.255.255.0
    - R3 FastEthernet0/1 = 192.168.4.1 255.255.255.0
    - PC1 Ethernet0 = 192.168.1.11 255.255.255.0 192.168.1.1
    - PC2 Ethernet0 = 192.168.4.11 255.255.255.0 192.168.4.1
  - Add static routes or dynamic OSPF routing to connect all devices.
  - Display the routing tables using the following command.
      show ip route
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      ping
      trace
  - Add a numbered standard ACL to filter network traffic and prevent hosts on the different subnets from connecting to hosts on other subnets. Practice using the following commands.
      access-list
      ip access-group
      show access-lists
      show ip interface
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All PC-to-router and router-to-router tests should be successful. The PC-to-PC test should fail.
      ping
      trace
- Configure numbered extended ACLs to filter network traffic.
  - Remove all ACLs from the configuration above. Verify the configuration using the following command.
      show access-lists
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      ping
      trace
  - Add a numbered extended ACL that permits ICMP connections to routers, but prevents ICMP connections to other network hosts. Allow all other IP traffic. Practice using the following commands.
      access-list
      ip access-group
      show access-lists
      show ip interface
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All PC-to-router and router-to-router tests should be successful. The PC-to-PC test should fail.
      ping
      trace
  - Remove all ACLs from the configuration above. Verify the configuration using the following command.
- Configure named standard ACLs to filter network traffic.
  - Remove all ACLs from the configuration above. Verify the configuration using the following command.
      show access-lists
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      ping
      trace
  - Add a named standard ACL to filter network traffic and prevent hosts on the different subnets from connecting to hosts on other subnets. Practice using the following commands.
      access-list
      ip access-group
      show ip access-lists
      show ip interface
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All PC-to-router and router-to-router tests should be successful. The PC-to-PC test should fail.
      ping
      trace
  - Remove all ACLs from the configuration above. Verify the configuration using the following command.
- Configure named extended ACLs to filter network traffic.
  - Remove all ACLs from the configuration above. Verify the configuration using the following command.
      show access-lists
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      ping
      trace
  - Add a named extended ACL that permits ICMP connections to routers, but prevents ICMP connections to other network hosts. Allow all other IP traffic. Practice using the following commands.
      access-list
      ip access-group
      show ip access-lists
      show ip interface
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All PC-to-router and router-to-router tests should be successful. The PC-to-PC test should fail.
      ping
      trace
  - Remove all ACLs from the configuration above. Verify the configuration using the following command.
- Configure ACLs to limit telnet and SSH access to the router.
  - Remove all ACLs from the configuration above. Verify the configuration using the following command.
      show access-lists
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      ping
      trace
  - Configure R2 to accept vty connections. Test the configuration using the following command from both routers. Both connections should be successful.
      telnet
  - Add an extended ACL that permits Telnet and SSH connections from R1 to R2, but prevents any other Telnet or SSH connections. Allow all other IP traffic. Practice using the following commands.
      access-list
      ip access-group
      show ip access-lists
      show ip interface
  - Test the configuration using the following commands from both routers. The connection from R1 to R2 should be successful. The connection from R3 to R2 should fail.
      telnet
  - Test the configuration using the following commands from the routers and the PCs. Test all router and PC addresses. All tests should be successful.
      ping
      trace
  - Remove all ACLs from the configuration above. Verify the configuration using the following command.
Lesson Summary
- An access control list refers to rules that are applied to port numbers or IP addresses that are available on a host, each with a list of hosts and/or networks permitted to use the service.[8]
- Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.[9]
- To define a standard IP access list, use the standard version of the access-list command in global configuration mode.[10]
- Access lists may be configured to specifically permit or deny network traffic.[11]
- Access lists end with an implicit deny all. Only traffic explicitly permitted by the access list will be allowed.[12]
- Standard access lists filter based on source IP address.[13]
- Standard numbered access lists are numbered from 1 to 99 or from 1300 to 1999.[14]
- Access list wildcard masks are applied to IP addresses similar to the way subnet masks are applied, but with an opposite design. Subnet masks use 1-bits to identify the network. Access list wildcard masks use 1-bits to identify the host addresses to be filtered.[15]
- To define an extended IP access list, use the extended version of the access-list command in global configuration mode.[16]
- Extended access lists filter based on source and destination IP addresses, protocols, and port numbers.[17]
- Extended numbered access lists are numbered from 100 to 199 or from 2000 to 2699.[18]
- The log access-list command option causes an informational logging message about the packet that matches the entry to be sent to the console.[19]
- To define an IP access list by name, use the ip access-list command in global configuration mode.[20]
- To control access to an interface, use the ip access-group command in interface configuration mode.[21]
- Access lists filter either inbound or outbound traffic based on the ip access-group options of in or out.[22]
- To display the contents of current access lists, use the show access-lists privileged EXEC command.[23]
- To display the contents of all current IP access lists, use the show ip access-list EXEC command.[24]
Key Terms
Included in Lesson Summary
Review Questions
- An access control list refers to _____.
  Answer: An access control list refers to rules that are applied to port numbers or IP addresses that are available on a host, each with a list of hosts and/or networks permitted to use the service.
- Access control lists can generally be configured to _____, and in this context they are similar to _____.
  Answer: Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.
- To define a standard IP access list, use _____.
  Answer: To define a standard IP access list, use the standard version of the access-list command in global configuration mode.
- Access lists may be configured to specifically _____ or _____ network traffic.
  Answer: Access lists may be configured to specifically permit or deny network traffic.
- Access lists end with _____. Only traffic _____ will be allowed.
  Answer: Access lists end with an implicit deny all. Only traffic explicitly permitted by the access list will be allowed.
- Standard access lists filter based on _____.
  Answer: Standard access lists filter based on source IP address.
- Standard numbered access lists are numbered _____ or _____.
  Answer: Standard numbered access lists are numbered from 1 to 99 or from 1300 to 1999.
- Access list wildcard masks are applied to IP addresses similar to the way subnet masks are applied, but _____. Subnet masks use 1-bits to identify _____. Access list wildcard masks use 1-bits to identify _____.
  Answer: Access list wildcard masks are applied to IP addresses similar to the way subnet masks are applied, but with an opposite design. Subnet masks use 1-bits to identify the network. Access list wildcard masks use 1-bits to identify the host addresses to be filtered.
- To define an extended IP access list, use _____.
  Answer: To define an extended IP access list, use the extended version of the access-list command in global configuration mode.
- Extended access lists filter based on _____.
  Answer: Extended access lists filter based on source and destination IP addresses, protocols, and port numbers.
- Extended numbered access lists are numbered _____ or _____.
  Answer: Extended numbered access lists are numbered from 100 to 199 or from 2000 to 2699.
- The log access-list command option causes _____.
  Answer: The log access-list command option causes an informational logging message about the packet that matches the entry to be sent to the console.
- To define an IP access list by name, use _____.
  Answer: To define an IP access list by name, use the ip access-list command in global configuration mode.
- To control access to an interface, use _____.
  Answer: To control access to an interface, use the ip access-group command in interface configuration mode.
- Access lists filter either inbound or outbound traffic based on _____.
  Answer: Access lists filter either inbound or outbound traffic based on the ip access-group options of in or out.
- To display the contents of current access lists, use _____.
  Answer: To display the contents of current access lists, use the show access-lists privileged EXEC command.
- To display the contents of all current IP access lists, use _____.
  Answer: To display the contents of all current IP access lists, use the show ip access-list EXEC command.
Assessments
- Flashcards: Quizlet: CCENT - Access Control Lists
- Quiz: Quizlet: CCENT - Access Control Lists
See Also
- SANS.org: Easy Steps to Cisco Extended Access List
- TechRepublic: Cisco IOS Access Lists: 10 Things You Should Know
References
1. Cisco: ICND1 Exam Topics
2. Cisco: IOS IP Command Reference
3. Cisco: IOS IP Command Reference
4. Cisco: IOS IP Command Reference
5. Cisco: IOS IP Command Reference
6. Cisco: IOS IP Command Reference
7. Cisco: IOS IP Command Reference
8. Wikipedia: Access control list
9. Wikipedia: Access control list
10. Cisco: IOS IP Command Reference
11. Cisco: IOS IP Command Reference
12. Cisco: IOS IP Command Reference
13. Cisco: IOS IP Command Reference
14. Cisco: IOS IP Command Reference
15. Cisco: IOS IP Command Reference
16. Cisco: IOS IP Command Reference
17. Cisco: IOS IP Command Reference
18. Cisco: IOS IP Command Reference
19. Cisco: IOS IP Command Reference
20. Cisco: IOS IP Command Reference
21. Cisco: IOS IP Command Reference
22. Cisco: IOS IP Command Reference
23. Cisco: IOS IP Command Reference
24. Cisco: IOS IP Command Reference