Cisco Networking/CCENT/Access Control Lists

This lesson covers access control lists.

Objectives and Skills
Objectives and skills for the access control lists portion of Cisco CCENT certification include:
 * Describe the types, features, and applications of ACLs
   * Standard (editing and sequence numbers)
   * Extended
   * Named
   * Numbered
   * Log option
 * Configure and verify ACLs in a network environment
   * Named
   * Numbered
   * Log option
 * Configure and verify ACLs to filter network traffic
 * Configure and verify ACLs to limit telnet and SSH access to the router

Readings

 * 1) Access control list
 * 2) Cisco: Configuring IP Access Lists

Multimedia

 * 1) YouTube: Access Control Lists - CompTIA Network+ N10-005: 5.2
 * 2) Cisco: Introducing Access Control List Operation
 * 3) YouTube: CCNA CCENT Video Boot Camp: Applying ACLs (Or Not!)
 * 4) YouTube: Access-List Tutorial

access-list (IP standard)
To define a standard IP access list, use the standard version of the access-list command in global configuration mode: access-list access-list-number {deny | permit} source [source-wildcard] [log]

Activities
All activities use the lab topology from the Cisco CCENT Routing 3 diagram (routers R1, R2 and R3 with PCs on separate subnets).

 * 1) Configure numbered standard ACLs to filter network traffic.
   * 1) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All tests should be successful.
   * 2) Add a numbered standard ACL that prevents hosts on one subnet from connecting to hosts on the other subnets.  Practice the numbered standard ACL commands.
   * 3) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All PC-to-router and router-to-router tests should be successful.  The PC-to-PC test should fail.
 * 2) Configure numbered extended ACLs to filter network traffic.
   * 1) Remove all ACLs from the configuration above.  Verify that no access lists remain in the configuration.
   * 2) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All tests should be successful.
   * 3) Add a numbered extended ACL that permits ICMP to the routers but denies ICMP to all other network hosts.  Allow all other IP traffic.  Practice the numbered extended ACL commands.
   * 4) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All PC-to-router and router-to-router tests should be successful.  The PC-to-PC test should fail.
 * 3) Configure named standard ACLs to filter network traffic.
   * 1) Remove all ACLs from the configuration above.  Verify that no access lists remain in the configuration.
   * 2) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All tests should be successful.
   * 3) Add a named standard ACL that prevents hosts on one subnet from connecting to hosts on the other subnets.  Practice the named standard ACL commands.
   * 4) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All PC-to-router and router-to-router tests should be successful.  The PC-to-PC test should fail.
 * 4) Configure named extended ACLs to filter network traffic.
   * 1) Remove all ACLs from the configuration above.  Verify that no access lists remain in the configuration.
   * 2) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All tests should be successful.
   * 3) Add a named extended ACL that permits ICMP to the routers but denies ICMP to all other network hosts.  Allow all other IP traffic.  Practice the named extended ACL commands.
   * 4) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All PC-to-router and router-to-router tests should be successful.  The PC-to-PC test should fail.
 * 5) Configure ACLs to limit Telnet and SSH access to the router.
   * 1) Remove all ACLs from the configuration above.  Verify that no access lists remain in the configuration.
   * 2) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All tests should be successful.
   * 3) Configure R2 to accept vty connections.  Test Telnet and SSH to R2 from both R1 and R3.  Both connections should be successful.
   * 4) Add an extended ACL that permits Telnet and SSH connections from R1 to R2 but denies any other Telnet or SSH connections.  Allow all other IP traffic.  Practice the extended ACL commands.
   * 5) Test Telnet and SSH to R2 from both routers.  The connection from R1 to R2 should be successful.  The connection from R3 to R2 should fail.
   * 6) Test connectivity from the routers and the PCs.  Test all router and PC addresses.  All tests should be successful.

Lesson Summary

 * An access control list refers to rules that are applied to port numbers or IP addresses that are available on a host, each with a list of hosts and/or networks permitted to use the service.
 * Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.
 * To define a standard IP access list, use the standard version of the access-list command in global configuration mode.
 * Each access list entry either permits or denies the traffic it matches.
 * Every access list ends with an implicit deny all, so only traffic explicitly permitted by the access list is allowed; an access list that contains only deny statements blocks all traffic.  The one exception is an access list that is applied to an interface but has no entries at all, which permits everything, so confirm the entries with show access-lists after editing.
 * Standard access lists filter based on source IP address.
 * Standard numbered access lists are numbered from 1 to 99 or from 1300 to 1999.
 * Access list wildcard masks are written like subnet masks but work the other way round.  A subnet mask uses 1-bits to mark the network portion; a wildcard mask uses 0-bits for address bits that must match the configured address and 1-bits for bits that are ignored.  For example, 10.0.1.0 0.0.0.255 matches every host in 10.0.1.0/24, 0.0.0.0 matches exactly one host (the same as the host keyword), and 255.255.255.255 matches anything (the same as any).
 * To define an extended IP access list, use the extended version of the access-list command in global configuration mode.
 * Extended access lists filter based on source and destination IP addresses, protocols, and port numbers.
 * Extended numbered access lists are numbered from 100 to 199 or from 2000 to 2699.
 * The log access-list keyword causes an informational logging message about each packet that matches the entry to be sent to the console (or wherever logging is directed).  The first matching packet is logged immediately; later matches are counted and reported in five-minute summaries, so the log does not show every packet.
 * To define an IP access list by name, use the ip access-list {standard | extended} name command in global configuration mode.
 * To apply an access list to an interface, use the ip access-group {access-list-number | name} {in | out} command in interface configuration mode.
 * Access lists filter either inbound or outbound traffic on the interface, according to the in or out option of ip access-group.
 * To display the contents of current access lists, use the show access-lists privileged EXEC command.
 * To display the contents of all current IP access lists, use the show ip access-list EXEC command.
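
The activities and the summary above both depend on how IOS evaluates an access list: top-down, first match wins, wildcard 1-bits ignored, implicit deny at the end, and a log flag on the matching entry. The following Python script is an added example, not code from this lesson or from Cisco: it parses IOS-style access-list lines (numbered and named, standard and extended) and evaluates packets against them, using a constructed configuration that mirrors the standard-ACL, ICMP-to-routers and Telnet/SSH activities. The topology (PC1 10.0.1.10 behind R1 with addresses 10.0.1.1 and 10.0.12.1, PC2 10.0.2.10 behind R2 with 10.0.12.2 and 10.0.2.1, R3 reaching R2 from 10.0.23.3) is assumed because the lab diagram is not reproduced on this page; the script does not model where an ACL is applied.

```python
"""Evaluate packets against Cisco IOS-style IP access lists (added example, not Cisco code).
Handles numbered and named ACLs, permit/deny, any, host, wildcard masks, ip/icmp/tcp/udp,
'eq <port>' on the destination and the trailing 'log' keyword; ip access-group is not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21}  # subset of IOS port names

def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard 1-bits are ignored, 0-bits must equal the pattern bit (inverse of a subnet mask)."""
    a, p, w = (int(ipaddress.IPv4Address(x)) for x in (addr, pattern, wildcard))
    return ((a ^ p) & ~w & 0xFFFFFFFF) == 0

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol; standard ACLs use "ip"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard ACLs never look at the destination
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None      # destination port from 'eq', if given
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "ip" or pkt["proto"] == self.proto)
                and wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)
                and (self.dport is None or pkt.get("dport") == self.dport))

def _parse_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' | bare 'A' (one host)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]

def parse_acl(config: str) -> Dict[str, List[Entry]]:
    """Parse 'access-list N ...' lines and 'ip access-list {standard|extended} NAME' blocks
    into name -> entries in configuration order (the order decides which entry matches)."""
    acls: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[:2] == ["ip", "access-list"]:          # named ACL header
            current = tokens[3]
            acls.setdefault(current, [])
            continue
        if tokens[0] == "access-list":                   # numbered ACL entry
            current, tokens = tokens[1], tokens[2:]
            acls.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry outside any ACL: {raw!r}")
        log = tokens[-1] == "log"
        if log:
            tokens = tokens[:-1]
        action, tokens = tokens[0], tokens[1:]
        if tokens[0] in ("ip", "icmp", "tcp", "udp"):    # extended syntax
            proto, tokens = tokens[0], tokens[1:]
            src, src_wc, tokens = _parse_addr(tokens)
            dst, dst_wc, tokens = _parse_addr(tokens)
            dport = (PORT_NAMES.get(tokens[1]) or int(tokens[1])) if tokens[:1] == ["eq"] else None
            acls[current].append(Entry(action, proto, src, src_wc, dst, dst_wc, dport, log))
        else:                                            # standard syntax: source only
            src, src_wc, _ = _parse_addr(tokens)
            acls[current].append(Entry(action, "ip", src, src_wc, log=log))
    return acls

def evaluate(entries: List[Entry], pkt: dict) -> Tuple[str, Optional[int], bool]:
    """Top-down, first match wins; no match is the implicit deny at the end of every ACL.
    Returns (action, index of the matching entry or None, whether that entry logs)."""
    for i, entry in enumerate(entries):
        if entry.matches(pkt):
            return entry.action, i, entry.log
    return "deny", None, False

# Constructed lab configuration mirroring the activities above (addresses are assumed).
LAB_CONFIG = """
! numbered standard: PC1's subnet (10.0.1.0/24) may not reach other subnets
access-list 10 deny 10.0.1.0 0.0.0.255 log
access-list 10 permit any
! numbered extended: ICMP only to R2's LAN address, all other IP allowed
access-list 101 permit icmp any host 10.0.2.1
access-list 101 deny icmp any any log
access-list 101 permit ip any any
! named extended: Telnet/SSH to R2 (10.0.12.2) only from R1 (10.0.12.1)
ip access-list extended VTY-FILTER
 permit tcp host 10.0.12.1 host 10.0.12.2 eq telnet
 permit tcp host 10.0.12.1 host 10.0.12.2 eq ssh
 deny tcp any any eq telnet log
 deny tcp any any eq ssh log
 permit ip any any
"""
```

parse_acl(LAB_CONFIG) returns the three ACLs keyed by number or name. evaluate(acls["101"], {"proto": "icmp", "src": "10.0.1.10", "dst": "10.0.2.10"}) returns ("deny", 1, True), the PC-to-PC ping the activity expects to fail, while the same packet addressed to 10.0.2.1 returns ("permit", 0, False); an SSH attempt from 10.0.23.3 to 10.0.12.2 hits the logged deny at index 3 of VTY-FILTER, and a packet that matches nothing returns ("deny", None, False) for the implicit deny. Two points the script cannot show: the standard ACL 10 only gives the activity's expected PC-to-router success when it is applied outbound on the LAN interface in front of the other PC, because traffic addressed to the router itself is not forwarded through that interface (an assumption about the lab, not something the page states); and in production, vty access is normally restricted with a standard ACL and access-class on the vty lines rather than an interface ACL, although the activity calls for the extended form.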

Key Terms
Included in Lesson Summary

Assessments

 * Flashcards: Quizlet: CCENT - Access Control Lists
 * Quiz: Quizlet: CCENT - Access Control Lists