CCNA 6.3: Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

Overview:

Access-lists permit or deny traffic based on the filtering criteria specified in the list.


Study Notes:

  • Access-lists are evaluated top down, from the first entry to the last
  • Once traffic matches an entry in the list, that entry's action is taken (permit or deny)
  • Therefore, put more specific entries at the top of the list
  • An implicit deny is added to the end of each access-list
  • Access-lists are applied to interfaces
  • It is best practice to apply an access-list to the interface closest to the source of the traffic, so that unwanted traffic is dropped before it consumes processing elsewhere

6.3.a Standard

  • Standard ACLs are numbered from 1 to 99
  • Permit or deny traffic using subnet and wildcard mask
  • Cannot permit or deny based on ports
  • Implicit deny is automatically added to the end of each access-list
  • Configuration example:
Router#config t
Router(config)#access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)#access-list 10 permit 192.168.2.0 0.0.0.255
Router(config)#Ctrl+Z
Router#show access-lists 10
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 permit 192.168.2.0, wildcard bits 0.0.0.255

Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group 10 in


6.3.b Extended

  • Extended ACLs are numbered from 100-199
  • Permit or deny traffic from specific source IPs or ranges to specific destination IPs or ranges
  • Can also permit or deny based on specific ports or port ranges
  • Implicit deny is automatically added to the end of each access-list
  • Configuration example:
Router#config t
Router(config)#access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 53
Router(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)#Ctrl+Z

Router#show access-lists 100
Extended IP access list 100
    10 permit udp 192.168.1.0 0.0.0.255 any eq domain
    20 permit tcp 192.168.1.0 0.0.0.255 any eq www

Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group 100 in


6.3.c Named

  • Named access-lists simply let a network administrator identify the access-list by a descriptive name instead of a number
  • IPv4 configuration example:
Router#config t
Router(config)#ip access-list extended LAN-access
Router(config-ext-nacl)#permit udp 192.168.1.0 0.0.0.255 any eq 53
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config-ext-nacl)#Ctrl+Z

Router#show access-lists LAN-access
Extended IP access list LAN-access
    10 permit udp 192.168.1.0 0.0.0.255 any eq domain
    20 permit tcp 192.168.1.0 0.0.0.255 any eq www

Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group LAN-access in


  • IPv6 configuration example:
Router#config t
Router(config)#ipv6 access-list LAN-access
Router(config-ipv6-acl)#permit udp your:ipv6:lan:subnet::/64 any eq 53
Router(config-ipv6-acl)#permit tcp your:ipv6:lan:subnet::/64 any eq 80
Router(config-ipv6-acl)#Ctrl+Z

Router#show access-lists LAN-access
IPv6 access list LAN-access
    permit udp your:ipv6:lan:subnet::/64 any eq domain sequence 10
    permit tcp your:ipv6:lan:subnet::/64 any eq www sequence 20

Router#config t
Router(config)#interface f0/1
Router(config-if)#ipv6 traffic-filter LAN-access in
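
The study notes above describe how a router walks an access-list (top down, first match wins, implicit deny at the end) and why more specific entries belong at the top. The following Python evaluator is an added example, not IOS code and not part of this page's lab: it parses the page's own access-list 10 and access-list 100 entries plus an IPv6 version of LAN-access, applies wildcard-mask and prefix matching, supports the port operators (eq, neq, lt, gt, range), and shows how a specific deny placed below a broad permit is never reached. The prefix 2001:db8:1::/64 and the sample packets are constructed stand-ins for the page's your:ipv6:lan:subnet::/64 placeholder and for real traffic.

```python
"""Cisco-style ACL evaluator (added example, not IOS code): entries are checked
top-down, the first match decides, and an implicit deny ends every list. Handles
standard IPv4, extended IPv4 (protocol/src/dst/port operator) and IPv6 entries."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80, "ssh": 22, "telnet": 23}   # IOS port keywords
PROTOCOLS = {"ip", "ipv6", "tcp", "udp", "icmp"}
OPERATORS = {"eq", "neq", "lt", "gt", "range"}
AddrSpec = Optional[Tuple[int, int, int]]   # None = any, else (base, wildcard, version)

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

class Entry(NamedTuple):
    action: str                  # permit | deny
    proto: str                   # "ip" / "ipv6" match every protocol
    src: AddrSpec
    dst: AddrSpec                # None for standard entries (any destination)
    op: Optional[str] = None     # eq | neq | lt | gt | range
    ports: Tuple[int, ...] = ()

def _parse_addr(tokens: List[str]) -> AddrSpec:
    """Consume 'any', 'host A', 'A WILDCARD' or 'PREFIX/LEN' from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        a = ipaddress.ip_address(tokens.pop(0))
        return (int(a), 0, a.version)
    if "/" in tok:                                   # IPv6 (or CIDR) prefix
        net = ipaddress.ip_network(tok, strict=False)
        wild = (1 << (net.max_prefixlen - net.prefixlen)) - 1
        return (int(net.network_address), wild, net.version)
    a, wild = ipaddress.ip_address(tok), 0
    if tokens and a.version == 4 and tokens[0].count(".") == 3:   # wildcard mask
        wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (int(a), wild, a.version)

def parse_entry(line: str) -> Entry:
    """Parse one entry as typed in IOS: 'access-list N ...' or named-mode form."""
    tokens = line.split()
    if tokens[0] == "access-list":                   # drop 'access-list <n>'
        tokens = tokens[2:]
    action = tokens.pop(0)
    if tokens[0] in PROTOCOLS:                       # extended entry
        proto = tokens.pop(0)
        src, dst = _parse_addr(tokens), _parse_addr(tokens)
    else:                                            # standard entry: source only
        proto, src, dst = "ip", _parse_addr(tokens), None
    op, ports = None, ()
    if tokens and tokens[0] in OPERATORS:
        op = tokens.pop(0)
        count = 2 if op == "range" else 1
        ports = tuple(int(t) if t.isdigit() else PORT_NAMES[t] for t in tokens[:count])
    return Entry(action, proto, src, dst, op, ports)

def _addr_match(spec: AddrSpec, addr: str) -> bool:
    if spec is None:
        return True
    base, wild, version = spec
    a = ipaddress.ip_address(addr)
    # Wildcard bits set to 1 are "don't care": OR them into both sides before comparing.
    return a.version == version and (int(a) | wild) == (base | wild)

def _port_match(e: Entry, dport: Optional[int]) -> bool:
    if e.op is None:
        return True
    if dport is None:
        return False
    lo, hi = e.ports[0], e.ports[-1]
    return {"eq": dport == lo, "neq": dport != lo, "lt": dport < lo,
            "gt": dport > lo, "range": lo <= dport <= hi}[e.op]

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; returns (action, 1-based line) or ("deny", None) for the implicit deny."""
    for n, line in enumerate(acl, start=1):
        e = parse_entry(line)
        if e.proto not in ("ip", "ipv6") and e.proto != pkt.proto:
            continue
        if (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)
                and _port_match(e, pkt.dport)):
            return e.action, n
    return "deny", None

# The lists from this page plus a constructed ordering mistake; 2001:db8:1::/64
# is a constructed documentation prefix standing in for your:ipv6:lan:subnet::/64.
ACL10 = ["access-list 10 permit 192.168.1.0 0.0.0.255",
         "access-list 10 permit 192.168.2.0 0.0.0.255"]
ACL100 = ["access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 53",
          "access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80"]
LAN6 = ["permit udp 2001:db8:1::/64 any eq 53", "permit tcp 2001:db8:1::/64 any eq 80"]
SHADOWED = ["permit 192.168.1.0 0.0.0.255", "deny host 192.168.1.5"]  # deny never reached
FIXED = SHADOWED[::-1]                                                 # specific entry first
```

Calling evaluate(ACL100, Packet("192.168.1.10", "8.8.8.8", "tcp", 443)) returns ("deny", None): no entry matches port 443, so the implicit deny fires even though the source is in the permitted subnet. Calling evaluate(SHADOWED, Packet("192.168.1.5", "8.8.8.8")) returns ("permit", 1), which is the ordering mistake the study notes warn about; with the entries reversed (FIXED) the same packet returns ("deny", 1). The line number returned is the position of the matching entry, which is the same thing the hit counters in show access-lists let you confirm on a real router.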


PacketTracer Lab: CCNA-6.3-Configure-verify-and-troubleshoot-IPv4-and-IPv6-access-list-for-traffic-filtering.pkt


2 comments

  1. joseph yang, July 16, 2019 at 4:06 am

     The syntax eq is for comparative conditionals, yeah? Equals, greater than, etc.

  2. Joe Barger (CCNP/CCDP), Post Author, July 16, 2019 at 7:03 am

     Yes, that's right. Operators include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).