# CCNA 200-301 - Video 13: Access Control Lists (ACLs)

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- What ACLs are and why they are used
- Standard vs. Extended ACLs
- Named vs. Numbered ACLs
- ACL logic (implicit deny, top-down processing)
- ACL configuration and placement
- Wildcard masks
- Troubleshooting ACLs

---

## Core Concepts

### 1. What is an ACL?

**Definition:** An Access Control List (ACL) is an ordered set of rules (entries) that controls traffic flow based on packet header fields. Each entry determines whether matching traffic is permitted or denied.

**Analogy:** Think of an ACL like a security guard at a building entrance with a list of rules. The guard checks each person (packet) against the list from top to bottom. The first rule that matches determines whether the person enters (permit) or is turned away (deny). If no rule matches, the person is denied by default.

```
ACL CONCEPT

ACL rules (ordered list):
  1. permit 192.168.1.0 0.0.0.255
  2. deny   192.168.2.5 0.0.0.0
  3. permit any
  4. (implicit deny all) - not visible but always present

Packet processing:
  Packet arrives with source IP 192.168.1.10
    -> Rule 1: Match? YES -> PERMIT (forward)
    -> Processing stops

  Packet arrives with source IP 192.168.2.5
    -> Rule 1: Match? NO (not in 192.168.1.0/24)
    -> Rule 2: Match? YES -> DENY (drop)
    -> Processing stops

  Packet arrives with source IP 10.1.1.1
    -> Rule 1: Match? NO
    -> Rule 2: Match? NO
    -> Rule 3: Match? YES (permit any) -> PERMIT
    -> Processing stops

Key principles:
  * Processed top-down (first match wins)
  * Implicit deny all at the end (if no match, the packet is dropped)
  * Order matters!
```

---

### 2. ACL Types

| Type | Number Range | Matches On | Best For |
|------|--------------|------------|----------|
| **Standard ACL** | 1-99, 1300-1999 | Source IP address only | Simple filtering, near destination |
| **Extended ACL** | 100-199, 2000-2699 | Source/destination IP, protocol, port | Detailed filtering, near source |
| **Named ACL** | Any name | Same as numbered | Better management, editing |

**Standard vs. Extended Comparison:**

```
STANDARD vs. EXTENDED ACL

STANDARD ACL (1-99, 1300-1999):
  access-list 10 permit 192.168.1.0 0.0.0.255
  Matches: Source IP = 192.168.1.0/24

  Can match:
    - Source IP address only

  Cannot match:
    - Destination IP
    - Protocol (TCP/UDP/ICMP)
    - Port numbers
    - Any other fields

EXTENDED ACL (100-199, 2000-2699):
  access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 80
  Matches: Protocol=TCP, Source=192.168.1.0/24, Dest=10.1.1.1, Dest port=80

  Can match:
    - Source IP
    - Destination IP
    - Protocol (TCP, UDP, ICMP, IP)
    - Source port (eq, gt, lt, range)
    - Destination port (eq, gt, lt, range)
    - TCP flags (established, etc.)
```

---

### 3. Wildcard Masks

**Definition:** A wildcard mask is the inverse of a subnet mask. It specifies which bits of an IP address must match (0 = check this bit, 1 = ignore this bit).

**Analogy:** Think of a wildcard mask as a "don't care" switch: a 0 means "must match exactly", a 1 means "anything is fine".
```
WILDCARD MASK CONCEPT

IP Address:  192.168.1.0
Wildcard:    0.0.0.255

Binary representation:
  IP:        11000000.10101000.00000001.00000000
  Wildcard:  00000000.00000000.00000000.11111111

Interpretation:
  * First 3 octets: must match exactly (wildcard bits = 0)
  * Last octet: anything (wildcard bits = 1)
  * Matches: 192.168.1.0 - 192.168.1.255

Wildcard to subnet mask conversion:
  Wildcard Mask = 255.255.255.255 - Subnet Mask

  Subnet Mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
  Wildcard:    0.0.0.255     = 00000000.00000000.00000000.11111111
```

**Common Wildcard Masks:**

| Subnet Mask | Wildcard Mask | Description |
|-------------|---------------|-------------|
| 255.255.255.255 | 0.0.0.0 | Single host |
| 255.255.255.0 | 0.0.0.255 | /24 network |
| 255.255.0.0 | 0.0.255.255 | /16 network |
| 255.0.0.0 | 0.255.255.255 | /8 network |
| 255.255.255.248 | 0.0.0.7 | /29 network |

**Special Wildcard Masks:**

```cisco
! Match a single host
access-list 10 permit host 192.168.1.10
! Equivalent to:
access-list 10 permit 192.168.1.10 0.0.0.0

! Match any IP address
access-list 10 permit any
! Equivalent to:
access-list 10 permit 0.0.0.0 255.255.255.255

! Cover a range with several entries (each entry matches a 32-address block)
! Matches .0 - .31
access-list 10 permit 192.168.1.0 0.0.0.31
! Matches .32 - .63
access-list 10 permit 192.168.1.32 0.0.0.31
```

---

### 4. ACL Placement

**Rule:** Standard ACLs should be placed **as close to the destination as possible**. Extended ACLs should be placed **as close to the source as possible**.
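The wildcard arithmetic in section 3, worked through in an added Python example (not part of the course notes and not Cisco code). It implements the notes' "255.255.255.255 minus subnet mask" rule, the bit-level match IOS performs (compare only the bits where the wildcard is 0), the address range a `network wildcard` pair covers, and a check that the two `0.0.0.31` entries above cover exactly the same hosts as a single `0.0.0.63` entry. It also goes one step beyond the notes: IOS accepts wildcards whose 1-bits are not contiguous, so the example shows `0.254.255.255` matching only even second octets, and flags such masks as non-contiguous. All addresses and entries are constructed for the example.

```python
import ipaddress

# Added example (not from the course notes): wildcard-mask arithmetic as IOS applies it.
# A wildcard bit of 0 means "this address bit must match", 1 means "ignore this bit".

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The notes' rule: wildcard = 255.255.255.255 - subnet mask, octet by octet."""
    return ".".join(str(255 - int(o)) for o in subnet_mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same result starting from a /N prefix length, e.g. /28 -> 0.0.0.15."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _str(subnet_mask ^ ALL_ONES)


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """IOS semantics: only the bits where the wildcard is 0 are compared."""
    care = ~_ip(wildcard) & ALL_ONES
    return (_ip(addr) & care) == (_ip(network) & care)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is the inverse of a real subnet mask (all 0s, then all 1s)."""
    w = _ip(wildcard)
    return (w & (w + 1)) == 0


def match_range(network: str, wildcard: str) -> tuple:
    """Lowest and highest address matched by a contiguous wildcard (one block)."""
    if not is_contiguous(wildcard):
        raise ValueError("a non-contiguous wildcard does not match a single block")
    w = _ip(wildcard)
    low = _ip(network) & ~w & ALL_ONES
    return _str(low), _str(low | w)


def same_coverage(entries_a, entries_b, scan_network: str) -> bool:
    """Do two lists of (network, wildcard) entries match exactly the same hosts of scan_network?"""
    for host in ipaddress.IPv4Network(scan_network):
        in_a = any(wildcard_matches(str(host), n, w) for n, w in entries_a)
        in_b = any(wildcard_matches(str(host), n, w) for n, w in entries_b)
        if in_a != in_b:
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs taken from the section's own examples
    print("/28 ->", wildcard_from_prefix(28), "==", wildcard_from_mask("255.255.255.240"))
    print("192.168.1.32 0.0.0.31 covers", match_range("192.168.1.32", "0.0.0.31"))
    two_entries = [("192.168.1.0", "0.0.0.31"), ("192.168.1.32", "0.0.0.31")]
    print("two /27-sized entries == one 0.0.0.63 entry:",
          same_coverage(two_entries, [("192.168.1.0", "0.0.0.63")], "192.168.1.0/24"))
    # Beyond the notes: a non-contiguous wildcard matching even second octets only
    print("0.254.255.255 contiguous?", is_contiguous("0.254.255.255"))
    print("10.4.9.1 matches 10.0.0.0 0.254.255.255:",
          wildcard_matches("10.4.9.1", "10.0.0.0", "0.254.255.255"))
    print("10.5.9.1 matches 10.0.0.0 0.254.255.255:",
          wildcard_matches("10.5.9.1", "10.0.0.0", "0.254.255.255"))
```

`same_coverage` is the check to run before collapsing several entries into one: the two 32-address entries and the single `0.0.0.63` entry are interchangeable only because the first block starts on a multiple of 64; an entry such as `192.168.1.32 0.0.0.63` would silently match `.0 - .63` because the ignored bits of the network address are not compared.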
```
ACL PLACEMENT STRATEGY

Network diagram:

  PC1 10.1.1.10 ---+
                   +--- Router A --- Router B --- Server 10.2.2.10
  PC2 10.1.1.20 ---+

STANDARD ACL (blocks based on source only):
  access-list 10 deny 10.1.1.10
  access-list 10 permit any

  Placement: Router B (closer to destination)
  Reason: a standard ACL cannot match the destination; placing it near the
  destination avoids blocking PC1's legitimate traffic to other destinations

EXTENDED ACL (blocks based on source/destination/port):
  access-list 100 deny tcp host 10.1.1.10 host 10.2.2.10 eq 80
  access-list 100 permit ip any any

  Placement: Router A (closer to source)
  Reason: an extended ACL can filter precisely; placing it near the source
  saves bandwidth by dropping the traffic early
```

---

### 5. Numbered ACL Configuration

**Standard ACL (Numbered 1-99, 1300-1999):**

```cisco
! Configure standard ACL
Router(config)# access-list 10 deny 192.168.1.10 0.0.0.0
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 permit any

! Apply to interface (inbound or outbound)
Router(config)# interface gigabitEthernet 0/0
Router(config-if)# ip access-group 10 in
! or
Router(config-if)# ip access-group 10 out
```

**Extended ACL (Numbered 100-199, 2000-2699):**

```cisco
! Configure extended ACL
Router(config)# access-list 100 deny tcp host 192.168.1.10 host 10.1.1.1 eq 80
Router(config)# access-list 100 permit ip any any

! Apply to interface
Router(config)# interface gigabitEthernet 0/0
Router(config-if)# ip access-group 100 in
```

**Extended ACL Syntax:**

```
access-list [number] [permit|deny] [protocol] [source] [wildcard] [dest] [wildcard] [operator] [port]
```

| Parameter | Example | Description |
|-----------|---------|-------------|
| protocol | tcp, udp, icmp, ip | Layer 4 protocol (`ip` matches any) |
| source | 192.168.1.0 | Source network/host |
| dest | 10.1.1.1 | Destination network/host |
| operator | eq, gt, lt, range | Port comparison |
| port | 80, 443, 53 | Port number |

---

### 6. Named ACL Configuration

**Advantages:**

- Can be edited (insert/delete individual lines by sequence number)
- Descriptive names
- Both standard and extended lists can be named instead of numbered

```cisco
! Create named standard ACL
Router(config)# ip access-list standard BLOCK_HR
Router(config-std-nacl)# deny host 192.168.10.50
Router(config-std-nacl)# permit 192.168.10.0 0.0.0.255
Router(config-std-nacl)# permit any
Router(config-std-nacl)# exit

! Create named extended ACL
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# deny tcp host 192.168.1.10 host 10.1.1.1 eq 80
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit

! Apply to interface
Router(config)# interface gigabitEthernet 0/0
Router(config-if)# ip access-group WEB_TRAFFIC in

! Edit ACL (insert at sequence number 5, i.e. before the existing line 10)
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# 5 permit tcp host 192.168.1.20 host 10.1.1.1 eq 443
Router(config-ext-nacl)# exit

! Remove a specific line by sequence number
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# no 5
Router(config-ext-nacl)# exit
```

---

### 7. ACL Operators and Ports

**Port Operators:**

| Operator | Meaning | Example |
|----------|---------|---------|
| `eq` | Equal to | `eq 80` (port 80) |
| `gt` | Greater than | `gt 1024` (ports > 1024) |
| `lt` | Less than | `lt 1024` (ports < 1024) |
| `neq` | Not equal to | `neq 80` (not port 80) |
| `range` | Range of ports | `range 20 21` (ports 20-21) |

**Protocol Keywords:**

| Protocol | Description |
|----------|-------------|
| `ip` | Any IP protocol (all TCP/UDP/ICMP/etc.) |
| `tcp` | TCP only |
| `udp` | UDP only |
| `icmp` | ICMP only (ping) |
| `gre` | Generic Routing Encapsulation |

**TCP Flags:**

```cisco
! Match established TCP connections (ACK or RST flag set)
access-list 100 permit tcp any any established

! Match specific flags
! Match SYN flag
access-list 100 permit tcp any any syn
! Match ACK flag
access-list 100 permit tcp any any ack
```

---

### 8. Common ACL Examples

**Example 1: Block a Specific Host**

```cisco
! Block PC1 (192.168.1.10) from accessing anything
access-list 10 deny host 192.168.1.10
access-list 10 permit any

interface gigabitEthernet 0/0
 ip access-group 10 in
```

**Example 2: Allow Web Traffic Only**

```cisco
! Allow only HTTP (80) and HTTPS (443) to the web server
access-list 100 permit tcp any host 10.1.1.100 eq 80
access-list 100 permit tcp any host 10.1.1.100 eq 443
access-list 100 deny ip any host 10.1.1.100
access-list 100 permit ip any any

interface gigabitEthernet 0/0
 ip access-group 100 in
```

**Example 3: Allow Specific Subnet to Specific Server**

```cisco
! Allow 192.168.1.0/24 to access FTP server 10.1.1.50
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.50 eq 20
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.50 eq 21
access-list 100 deny ip any any

interface gigabitEthernet 0/0
 ip access-group 100 in
```

**Example 4: Block ICMP (Ping) from External**

```cisco
! Block external ping requests (inbound on WAN)
access-list 100 deny icmp any any echo-request
access-list 100 permit ip any any

interface gigabitEthernet 0/1
 ip access-group 100 in
```

**Example 5: Allow Telnet/SSH Access Only**

```cisco
! Allow only Telnet (23) and SSH (22) to the router
access-list 100 permit tcp any host 192.168.1.1 eq 22
access-list 100 permit tcp any host 192.168.1.1 eq 23
access-list 100 deny ip any any

! Apply to VTY lines
line vty 0 4
 access-class 100 in
```

**Example 6: Restrict VLAN Access**

```cisco
! Allow only HR VLAN 10 to access the server
access-list 100 permit ip 192.168.10.0 0.0.0.255 host 10.1.1.100
access-list 100 deny ip any any

interface gigabitEthernet 0/0.10
 ip access-group 100 in
```

---

### 9. ACL Verification Commands

| Command | Purpose |
|---------|---------|
| `show access-lists` | Display all ACLs |
| `show access-lists [name/number]` | Display a specific ACL |
| `show ip interface [interface]` | Show the ACLs applied to an interface |
| `show running-config \| include access-list` | Show ACLs in the config |

**Example Outputs:**

```cisco
Router# show access-lists
Standard IP access list 10
    10 deny   host 192.168.1.10
    20 permit 192.168.1.0 0.0.0.255
    30 permit any
Extended IP access list 100
    10 deny tcp host 192.168.1.10 host 10.1.1.1 eq 80
    20 permit ip any any

Router# show ip interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 10
```

---

### 10. ACL Troubleshooting

| Problem | Symptom | Solution |
|---------|---------|----------|
| **No Traffic Permitted** | All traffic blocked | Check for the implicit deny; add `permit any` at the end if needed |
| **Wrong Order** | Expected traffic blocked | Verify order; specific rules before general rules |
| **Wrong Wildcard** | Too much or too little traffic | Verify the wildcard mask calculation |
| **ACL Not Applied** | ACL rules not working | Verify `ip access-group` on the interface |
| **Inbound vs. Outbound** | Traffic not filtered as expected | Understand direction (in = traffic entering the interface) |
| **Established Traffic** | Return traffic blocked | Use the `established` keyword for TCP |

**Troubleshooting Steps:**

```
ACL TROUBLESHOOTING FLOW

1. Verify the ACL is applied to the correct interface and direction
   Router# show ip interface [interface]

2. View the ACL rules and their order
   Router# show access-lists [name]

3. Check for the implicit deny at the end
   Router# show access-lists [name] | include deny

4. Test with specific traffic
   Router# ping [destination] (source specific)

5. Use debug to see ACL hits (use cautiously)
   Router# debug ip packet [acl-number]
```

---

## Complete Configuration Examples

### Lab 1: Standard ACL (Block Host, Allow Network)

**Topology:**

```
192.168.1.10 (PC1 - Blocked) --+
                               +--> Router (192.168.1.1) --> Server (10.1.1.100)
192.168.1.20 (PC2 - Allowed) --+
```

**Configuration:**

```cisco
hostname Router
!
! Create standard ACL
access-list 10 deny host 192.168.1.10
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit any
!
! Apply inbound on LAN interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 10 in
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
end
```

**Result:**

- PC1 (192.168.1.10): denied access to all destinations
- PC2 (192.168.1.20): permitted
- Other source networks: permitted (due to `permit any`)

---

### Lab 2: Extended ACL (Allow Only Web to Server)

**Topology:**

```
Users (192.168.1.0/24) --> Router (192.168.1.1) --> Web Server (10.1.1.100)
```

**Configuration:**

```cisco
hostname Router
!
! Create extended ACL
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.100 eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.100 eq 443
access-list 100 deny ip any host 10.1.1.100
access-list 100 permit ip any any
!
! Apply inbound on the user-facing LAN interface, where the users' traffic enters
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
end
```

**Result:**

- Users can access the web server on ports 80 and 443 only
- All other traffic to the server is denied
- Traffic to other destinations is permitted

---

### Lab 3: Named ACL with VTY Restriction

**Topology:**

```
Management Network 192.168.100.0/24 --> Router (192.168.100.1) --> Production Network
```

**Configuration:**

```cisco
hostname Router
!
! Create named extended ACL for management
ip access-list extended MGMT_ACCESS
 permit tcp 192.168.100.0 0.0.0.255 any eq 22
 permit tcp 192.168.100.0 0.0.0.255 any eq 23
 deny tcp any any eq 22
 deny tcp any any eq 23
 permit ip any any
!
! Apply to VTY lines
line vty 0 4
 access-class MGMT_ACCESS in
!
interface GigabitEthernet0/0
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
end
```

**Result:**

- Only the management network (192.168.100.0/24) can access the router via SSH/Telnet
- All other sources are denied access to router management
- Data traffic is unaffected (`access-class` filters only sessions to the VTY lines)

---

### Lab 4: ACL with Established Keyword

**Topology:**

```
Internal Network          Router            Internet
192.168.1.0/24  <---->  10.1.1.1  <---->  Any
```

**Configuration:**

```cisco
hostname Router
!
! The ACL is applied inbound on the internet-facing interface, so in every entry
! the source is the internet side and the destination is the internal network.
!
! Allow only return traffic for TCP connections that internal users initiated
! (established = ACK or RST flag set)
access-list 100 permit tcp any 192.168.1.0 0.0.0.255 established
! UDP and ICMP have no established keyword: permit only reply-type traffic
access-list 100 permit udp any eq 53 192.168.1.0 0.0.0.255
access-list 100 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
!
! Block everything else arriving from the internet (new connections included)
access-list 100 deny ip any any
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 in
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
end
```

**Result:**

- Internal users can browse the internet: their outbound traffic is not filtered, and the TCP replies (ACK/RST set) are permitted back in
- The internet cannot initiate connections to the internal network
- Outbound UDP and ICMP are not filtered; only DNS replies and ICMP echo replies are permitted back in

---

## Text-Based Diagrams

### ACL Processing Logic

```
ACL PROCESSING FLOW

START: packet arrives at interface
  |
  v
Is an ACL applied to the interface in this direction?
  |-- NO  --> FORWARD (no ACL)
  |
  `-- YES --> Check ACL rules (top-down)
                |
                v
              Does the packet match this rule?
                |-- YES --> Apply action (permit/deny)
                |
                `-- NO  --> More rules?
                              |-- YES --> next rule in the list
                              `-- NO  --> IMPLICIT DENY
                |
                v
              PERMIT: forward packet        DENY: drop packet
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **ACL Order** | Top-down processing; first match wins |
| **Implicit Deny** | All ACLs have an implicit deny at the end |
| **Standard ACL** | 1-99, 1300-1999; matches source IP only; place near destination |
| **Extended ACL** | 100-199, 2000-2699; matches source, dest, protocol, port; place near source |
| **Wildcard Mask** | Inverse of subnet mask; 0 = check, 1 = ignore |
| **Port Operators** | eq, gt, lt, range |
| **Established** | Matches TCP packets with ACK or RST (return traffic) |

### Common Exam Scenarios:

**Scenario 1:** "An ACL has entries: permit 192.168.1.0 0.0.0.255, deny any. A packet from 192.168.2.10 arrives. What happens?"

- **Answer:** Denied (no entry matches, so the implicit deny applies; here the explicit `deny any` matches first)

**Scenario 2:** "A standard ACL is applied inbound on a router's WAN interface. What traffic does it filter?"

- **Answer:** Traffic entering the router from the WAN (source IP only)

**Scenario 3:** "What is the wildcard mask for subnet 192.168.1.0/28?"

- **Answer:** 0.0.0.15 (255.255.255.255 - 255.255.255.240 = 0.0.0.15)

### Mnemonics:

**ACL Number Ranges:** **"Standard Starts at 1, Extended at 100"**

- Standard: 1-99, 1300-1999
- Extended: 100-199, 2000-2699

**Wildcard Calculation:** **"255.255.255.255 minus subnet mask"**

**ACL Placement:** **"Standard to Destination, Extended to Source"**

---

## Summary (1-Minute Revision)

```
ACL (Access Control List):

PURPOSE:
├── Filter traffic based on packet headers
├── Permit or deny decisions
└── Applied to interfaces or VTY lines

TYPES:
├── Standard (1-99, 1300-1999)
│   ├── Match: Source IP only
│   └── Placement: Near destination
└── Extended (100-199, 2000-2699)
    ├── Match: Source, dest, protocol, port
    └── Placement: Near source

PROCESSING:
├── Top-down (first match wins)
├── Implicit deny all at end
└── Order matters!

WILDCARD MASK:
├── 0 = check this bit
├── 1 = ignore this bit
└── host = 0.0.0.0, any = 255.255.255.255

CONFIGURATION:
├── numbered:  access-list [number] [permit|deny]...
├── named:     ip access-list [standard|extended] [name]
├── interface: ip access-group [acl] [in|out]
└── VTY:       access-class [acl] in

VERIFICATION:
├── show access-lists
├── show ip interface [interface]
└── show running-config | include access-list

COMMON OPERATORS:
├── eq = equal to
├── gt = greater than
├── lt = less than
└── range = between (inclusive)
```

---

## Practice Questions

**1. What is the implicit action at the end of every ACL?**

- A) Permit all
- B) Deny all
- C) Redirect
- D) Log

<details>
<summary>Answer</summary>
<b>B) Deny all</b> - All ACLs have an implicit deny at the end. Any traffic not explicitly permitted is denied.
</details>

**2. Which ACL number range is used for standard ACLs?**

- A) 1-99
- B) 100-199
- C) 200-299
- D) 300-399

<details>
<summary>Answer</summary>
<b>A) 1-99</b> - Standard ACLs use numbers 1-99 and 1300-1999.
</details>

**3. Where should a standard ACL be placed?**

- A) As close to the source as possible
- B) As close to the destination as possible
- C) On the source device
- D) On the destination device

<details>
<summary>Answer</summary>
<b>B) As close to the destination as possible</b> - Standard ACLs only filter on source IP; placing them near the destination prevents unintended blocking.
</details>

**4. What is the wildcard mask for subnet 192.168.1.0/24?**

- A) 0.0.0.0
- B) 0.0.0.255
- C) 255.255.255.0
- D) 255.255.255.255

<details>
<summary>Answer</summary>
<b>B) 0.0.0.255</b> - Wildcard mask = 255.255.255.255 - 255.255.255.0 = 0.0.0.255.
</details>

**5. Which command applies ACL 10 inbound on interface GigabitEthernet 0/0?**

- A) `ip access-list 10 in`
- B) `access-group 10 in`
- C) `ip access-group 10 in`
- D) `ip access-list in 10`

<details>
<summary>Answer</summary>
<b>C) <code>ip access-group 10 in</code></b> - This command applies ACL 10 to inbound traffic on the interface.
</details>

**6. What does the `established` keyword do in an extended ACL?**

- A) Matches only TCP packets with the ACK or RST flag set
- B) Matches established connections only
- C) Creates a new connection
- D) Logs established sessions

<details>
<summary>Answer</summary>
<b>A) Matches only TCP packets with the ACK or RST flag set</b> - <code>established</code> matches return traffic for existing connections.
</details>

**7. An ACL has entries: deny host 10.1.1.1, permit any. A packet from 10.1.1.1 arrives. What happens?**

- A) Permitted
- B) Denied
- C) No match
- D) Implicit deny

<details>
<summary>Answer</summary>
<b>B) Denied</b> - The first rule matches (deny host 10.1.1.1), so the packet is denied.
</details>

**8. Which command displays all ACLs on a router?**

- A) `show acl`
- B) `show access-lists`
- C) `show ip acl`
- D) `show running-config acl`

<details>
<summary>Answer</summary>
<b>B) <code>show access-lists</code></b> - This displays all configured ACLs.
</details>

**9. What is the correct syntax to allow HTTP traffic from 192.168.1.0/24 to server 10.1.1.100?**

- A) `access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.100 eq 80`
- B) `access-list 100 permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.100 eq 80`
- C) `access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.1.1.100 0.0.0.0 eq 80`
- D) `access-list 100 permit tcp 192.168.1.0 255.255.255.0 10.1.1.100 255.255.255.255 eq 80`

<details>
<summary>Answer</summary>
<b>A) <code>access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.100 eq 80</code></b> - Correct syntax with wildcard mask and the <code>host</code> keyword.
</details>

**10. How many ACLs can be applied to a single interface?**

- A) One inbound, one outbound
- B) Two inbound, two outbound
- C) Unlimited
- D) One total

<details>
<summary>Answer</summary>
<b>A) One inbound, one outbound</b> - Each interface can have one inbound and one outbound ACL.
</details>

**11. Which statement about named ACLs is true?**

- A) They cannot be edited
- B) They can be edited (lines can be inserted/deleted)
- C) They are only for standard ACLs
- D) They are only for extended ACLs

<details>
<summary>Answer</summary>
<b>B) They can be edited (lines can be inserted/deleted)</b> - Named ACLs allow individual line editing.
</details>

**12. What is the purpose of the `ip access-group` command?**

- A) Create an ACL
- B) Apply an ACL to an interface
- C) Remove an ACL
- D) Display ACLs

<details>
<summary>Answer</summary>
<b>B) Apply an ACL to an interface</b> - <code>ip access-group</code> attaches the ACL to an interface in a specific direction.
</details>

---

## Next Steps

After completing Video 13, you should be ready for:

- **Video 14:** Network Address Translation (NAT)
- **Video 15:** IPv6 Addressing and Configuration

**Lab Practice:**

1. Configure a standard ACL to block a specific host
2. Configure an extended ACL to allow only web traffic to a server
3. Configure a named ACL for VTY access restriction
4. Apply ACLs inbound and outbound on interfaces
5. Verify with `show access-lists` and `show ip interface`
6. Test connectivity and observe the filtering
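The top-down, first-match, implicit-deny logic of section 1, the extended-ACL fields of section 5 and the `established` behaviour of Lab 4, exercised together in one added Python simulator. It is not part of the course notes and not Cisco code; it parses the entry syntax the notes use (`[access-list N] permit|deny [proto] SRC [op PORT] [DST [op PORT]] [established]`, addresses as `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`) and reports which line decided a packet, with `0` standing for the invisible implicit deny. ICMP types (`echo-request`, `echo-reply`) are accepted but not modelled. The ACLs and packets below are constructed for the example; the public address 203.0.113.5 is a documentation-range placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Added example (not from the course notes): a small simulator of how IOS walks an ACL.
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre"}
ANY_ADDR = ("0.0.0.0", "255.255.255.255")
ANY_PORT: Callable[[int], bool] = lambda p: True


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"syn"} or {"ack"}


@dataclass
class Entry:
    action: str
    proto: str
    src: tuple
    sport: Callable[[int], bool]
    dst: tuple
    dport: Callable[[int], bool]
    established: bool
    text: str


def _wc_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard semantics: bits set in the wildcard are ignored, the rest must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def _parse_addr(t: list) -> tuple:
    """Consume 'any' | 'host A' | 'A W' | 'A' (standard-ACL shorthand for 'A 0.0.0.0')."""
    if t[0] == "any":
        return ANY_ADDR, t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    if len(t) > 1 and t[1].replace(".", "").isdigit():
        return (t[0], t[1]), t[2:]
    return (t[0], "0.0.0.0"), t[1:]


def _parse_port(t: list) -> tuple:
    """Consume an optional eq/gt/lt/neq/range operator; return a predicate on the port."""
    if not t or t[0] not in ("eq", "gt", "lt", "neq", "range"):
        return ANY_PORT, t
    if t[0] == "range":
        lo, hi = int(t[1]), int(t[2])
        return (lambda p: lo <= p <= hi), t[3:]
    n = int(t[1])
    ops = {"eq": lambda p: p == n, "gt": lambda p: p > n,
           "lt": lambda p: p < n, "neq": lambda p: p != n}
    return ops[t[0]], t[2:]


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] == "access-list":          # numbered form; named-ACL bodies start with permit/deny
        t = t[2:]
    action, t = t[0], t[1:]
    if t[0] not in PROTOCOLS:          # no protocol keyword: standard ACL, source address only
        src, _ = _parse_addr(t)
        return Entry(action, "ip", src, ANY_PORT, ANY_ADDR, ANY_PORT, False, line)
    proto, t = t[0], t[1:]
    src, t = _parse_addr(t)
    sport, t = _parse_port(t)
    dst, t = _parse_addr(t)
    dport, t = _parse_port(t)
    return Entry(action, proto, src, sport, dst, dport, "established" in t, line)


def entry_matches(e: Entry, pkt: Packet) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if not (_wc_match(pkt.src, *e.src) and _wc_match(pkt.dst, *e.dst)):
        return False
    if pkt.proto in ("tcp", "udp") and not (e.sport(pkt.sport) and e.dport(pkt.dport)):
        return False
    if e.established and not (pkt.flags & {"ack", "rst"}):   # IOS: established = ACK or RST set
        return False
    return True


def evaluate(acl_lines: list, pkt: Packet) -> tuple:
    """Top-down, first match wins; no match falls through to the implicit deny (line 0)."""
    for i, line in enumerate(acl_lines, start=1):
        e = parse_entry(line)
        if entry_matches(e, pkt):
            return e.action, i
    return "deny", 0


# Constructed ACLs taken from the notes' examples
WEB_ONLY_ACL = [
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.100 eq 80",
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.100 eq 443",
    "access-list 100 deny ip any host 10.1.1.100",
    "access-list 100 permit ip any any",
]
ESTABLISHED_ACL = ["permit tcp any 192.168.1.0 0.0.0.255 established", "deny ip any any"]
SHADOWED_ACL = ["access-list 10 permit any", "access-list 10 deny host 192.168.1.10"]

if __name__ == "__main__":
    print(evaluate(WEB_ONLY_ACL, Packet("192.168.1.10", "10.1.1.100", "tcp", 51000, 80)))
    print(evaluate(WEB_ONLY_ACL, Packet("192.168.1.10", "10.1.1.100", "tcp", 51000, 22)))
    print(evaluate(ESTABLISHED_ACL, Packet("203.0.113.5", "192.168.1.10", "tcp", 443, 51000, frozenset({"ack"}))))
    print(evaluate(ESTABLISHED_ACL, Packet("203.0.113.5", "192.168.1.10", "tcp", 40000, 22, frozenset({"syn"}))))
    print(evaluate(SHADOWED_ACL, Packet("192.168.1.10", "10.1.1.100")))   # deny line never reached
    print(evaluate(["access-list 10 permit 192.168.1.0 0.0.0.255"], Packet("192.168.2.10", "10.1.1.100")))
```

`SHADOWED_ACL` is the "order matters" case from the troubleshooting table: the `deny` on line 2 can never fire because `permit any` precedes it, and the simulator shows line 1 deciding every packet. The `established` pair shows why Lab 4 works: a reply carrying ACK is accepted on line 1, while a fresh SYN from outside falls to the explicit deny.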