
Interconnecting Cisco Networking Devices Part 1
ICND1 100-105

Instructor
Paul A. Parker

Chapter 25

Basic IPv4 Access Control Lists

Foundation Topics
IPv4 Access Control List Basics
▼ IPv4 access control lists (IP ACLs) give engineers a way to identify different types of packets and decide whether to forward or filter each packet.
▼ Routers can apply ACL logic to packets when they enter or exit an interface (in or out).

CCENT/CCNA ICND1 Interconnecting Cisco Networking Devices Part 1 3

IPv4 Access Control List Basics
Matching Packets
▼ Matching packets refers to how the ACL is configured to decide which packets should be discarded and which should be allowed through the ACL.
▼ The configuration commands use deny or permit to discard the packet or allow it to continue as if the ACL didn’t exist.

IPv4 Access Control List Basics
Types of IP ACLs
▼ Standard Numbered ACLs (1–99)
▼ Extended Numbered ACLs (100–199)
▼ Additional ACL Numbers (1300–1999 standard, 2000–2699 extended)
▼ Named ACLs
▼ Improved Editing with Sequence Numbers

Standard Numbered IPv4 ACLs
▼ ACLs use first-match logic. Once a packet matches one line in the ACL, the router takes the action listed in that line of the ACL and stops looking further into the ACL.

Standard Numbered IPv4 ACLs
Matching Logic and Command Syntax
access-list {1-99 | 1300-1999} {permit | deny} matching-parameters
▼ Each standard numbered ACL has one or more access-list commands with the same number, each with an action (permit or deny) plus the matching logic.

Matching the Exact IP Address
▼ Matching the full IP address is as simple as:
access-list 1 permit 10.1.1.1
▼ Earlier IOS versions included the host keyword as follows:
access-list 1 permit host 10.1.1.1

Standard Numbered IPv4 ACLs
Matching a Subset of the Address with Wildcards
▼ Wildcard masks tell the matcher which bits to ignore when trying to match IP addresses: a 0 bit in the wildcard must match, a 1 bit is ignored.

Standard Numbered IPv4 ACLs
Finding the Right Wildcard Mask to Match a Subnet
▼ Use the subnet number as the source value in the access-list command.
▼ Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.
▼ Example (subnet 172.16.8.0, mask 255.255.252.0):
access-list 1 permit 172.16.8.0 0.0.3.255

Matching Any/All Addresses
▼ To match all addresses, use the any keyword:
access-list 1 permit any

Standard Numbered IPv4 ACLs
Implementing Standard IP ACLs
▼ Step 1. Plan the location (router and interface) and direction (in or out) on that interface:
➘ A. Standard ACLs should be placed near the destination of the packets so that they do not unintentionally discard packets that should not be discarded.
➘ B. Because standard ACLs can only match a packet’s source IP address, identify the source IP addresses of packets as they go in the direction that the ACL is examining.
▼ Step 2. Configure one or more access-list global configuration commands to create the ACL, keeping the following in mind:
➘ A. The list is searched sequentially, using first-match logic.
➘ B. The default action, if a packet does not match any of the access-list commands, is to deny (discard) the packet.

Standard Numbered IPv4 ACLs
Implementing Standard IP ACLs
▼ Step 3. Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.
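The three steps above describe the ACL as the router will evaluate it: lines searched in order, first match wins, and an implicit deny if nothing matches. The following Python is an added example (not course material and not a Cisco tool) that parses standard access-list lines out of a constructed config snippet, evaluates a packet's source address against them with first-match logic, and flags a line that can never match because an earlier line already covers every address it names. Function names and the sample config are assumptions made for the example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

# Constructed sample config (not from the slides): a standard numbered ACL
# applied inbound on one interface. The interface lines are skipped by the
# parser; they are here only to show where the ip access-group command lands.
SAMPLE_CONFIG = """\
access-list 1 deny   host 10.1.1.1
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 172.16.8.0 0.0.3.255
interface GigabitEthernet0/0
 ip access-group 1 in
"""

# Same lines with the first two swapped: the host deny now sits behind a
# permit that already covers 10.1.1.1, so it never takes effect.
SWAPPED_CONFIG = """\
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny   host 10.1.1.1
access-list 1 permit 172.16.8.0 0.0.3.255
"""


def _ip(text):
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(config_text, acl_number):
    """Collect the access-list lines of one standard ACL, in config order.

    Each entry is (action, address, wildcard) with address/wildcard as ints.
    Accepts 'any', 'host A', a bare address (same as host), and 'A WILDCARD'.
    """
    entries = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(acl_number):
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in line: {raw!r}")
        rest = parts[3:]
        if rest[0] == "any":
            addr, wild = 0, ALL_ONES            # every bit ignored
        elif rest[0] == "host":
            addr, wild = _ip(rest[1]), 0        # every bit must match
        elif len(rest) == 1:
            addr, wild = _ip(rest[0]), 0        # bare address == host
        else:
            addr, wild = _ip(rest[0]), _ip(rest[1])
        entries.append((action, addr, wild))
    return entries


def evaluate(entries, source_ip):
    """First-match evaluation of a packet's source address.

    Returns (action, line_number) for the first matching line, or
    ("deny", None) for the implicit deny at the end of every ACL.
    """
    s = _ip(source_ip)
    for number, (action, addr, wild) in enumerate(entries, start=1):
        # A bit must be equal wherever the wildcard has a 0.
        if ((s ^ addr) & ~wild & ALL_ONES) == 0:
            return action, number
    return "deny", None


def shadowed_lines(entries):
    """1-based numbers of lines that a single earlier line fully covers.

    Line 1 fully covers line 2 when line 1 ignores every bit that line 2
    ignores, and the two addresses agree on all bits that line 1 checks.
    Such a line can never be the first match, so its action never applies.
    """
    shadowed = []
    for j, (_, addr2, wild2) in enumerate(entries):
        for _, addr1, wild1 in entries[:j]:
            ignores_superset = (wild2 & ~wild1 & ALL_ONES) == 0
            same_checked_bits = ((addr1 ^ addr2) & ~wild1 & ALL_ONES) == 0
            if ignores_superset and same_checked_bits:
                shadowed.append(j + 1)
                break
    return shadowed


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_CONFIG, 1)
    for src in ("10.1.1.1", "10.1.1.50", "172.16.9.9", "192.168.1.1"):
        print(src, "->", evaluate(acl, src))
    print("shadowed in swapped ACL:", shadowed_lines(parse_standard_acl(SWAPPED_CONFIG, 1)))
```

The shadowing check only compares each line against single earlier lines; a line covered by the union of several earlier lines is not reported. It is still enough to catch the common mistake the step list warns about: a specific deny placed after a broader permit, which first-match logic silently turns into a no-op.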

Standard Numbered IPv4 ACLs
Building Access-list Commands
▼ To match a specific address, just list the address.
▼ To match any and all addresses, use the any keyword.
▼ To match based only on the first one, two, or three octets of an address, use the 0.255.255.255, 0.0.255.255, and 0.0.0.255 WC masks, respectively. Also, make the source (address) parameter have 0s in the wildcard octets (those octets with 255 in the wildcard mask).
▼ To match a subnet, use the subnet ID as the source, and find the WC mask by subtracting the DDN subnet mask from 255.255.255.255.

Standard Numbered IPv4 ACLs
Check Interface and Direction for an ACL

Standard Numbered IPv4 ACLs
Reverse Engineering from ACL to Address Range
▼ The range of addresses an ACL line matches can be found by adding the wildcard mask to the address specified in the ACL.
▼ For example:
➘ access-list 1 permit 172.16.200.0 0.0.7.255
➘ Adding 172.16.200.0 and 0.0.7.255 gives the high end of the address range, 172.16.207.255.
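The wildcard arithmetic in the last few slides (subnet mask to wildcard, octet-based wildcards, and wildcard back to address range) is mechanical, so here it is as an added Python example; this is not code from the course or from Cisco, and the function names are my own. It also shows the bitwise rule the slides describe in words: a packet matches when every bit that is 0 in the wildcard is identical in the ACL address and the source address.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _dotted(value):
    """32-bit integer back to dotted-decimal."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_mask(subnet_mask):
    """Wildcard mask = 255.255.255.255 minus the dotted-decimal subnet mask."""
    return _dotted(ALL_ONES - _ip(subnet_mask))


def acl_range(address, wildcard):
    """(low, high) addresses covered by 'address wildcard'.

    The high end is the address plus the wildcard, as the slide does. The
    low end clears the wildcard bits first, so a source that is a proper
    subnet ID (0s under the wildcard) comes back unchanged, and a source that
    is not still yields the range the match logic actually covers.
    """
    a, w = _ip(address), _ip(wildcard)
    low = a & ~w & ALL_ONES
    return _dotted(low), _dotted(low + w)


def wildcard_matches(address, wildcard, source_ip):
    """True when the packet's source satisfies the ACL line's address/wildcard.

    XOR leaves a 1 wherever the two addresses differ; masking with the
    inverted wildcard keeps only the bits the ACL insists on.
    """
    a, w, s = _ip(address), _ip(wildcard), _ip(source_ip)
    return ((a ^ s) & ~w & ALL_ONES) == 0


def acl_line_for_subnet(acl_number, subnet_cidr):
    """Build the permit line for a subnet given in CIDR form, e.g. 172.16.8.0/22.

    strict=True makes ipaddress reject a host address such as 172.16.9.0/22,
    enforcing the slide's rule that the source must be the subnet number.
    """
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    wc = wildcard_from_mask(str(net.netmask))
    return f"access-list {acl_number} permit {net.network_address} {wc}"


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.252.0"))                   # 0.0.3.255
    print(acl_line_for_subnet(1, "172.16.8.0/22"))
    print(acl_range("172.16.200.0", "0.0.7.255"))                # slide example
    print(acl_range("10.1.0.0", "0.0.255.255"))                  # first two octets
    print(wildcard_matches("172.16.8.0", "0.0.3.255", "172.16.10.77"))
    print(wildcard_matches("172.16.8.0", "0.0.3.255", "172.16.12.1"))
```

Running the slide's own numbers through acl_range confirms the stated high end of 172.16.207.255, and wildcard_matches shows why 172.16.10.77 falls inside the 172.16.8.0 0.0.3.255 line while 172.16.12.1, which differs in a bit the wildcard does not ignore, falls outside it.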

Exam Preparation Tasks

Command Reference
Configuration Commands

Command Reference
EXEC Commands

Questions?
