CCNA 6.3: Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

Overview:

Access-lists are used to permit and deny different traffic based on the filtering criteria specified in the list

 

Study Notes:

• Access-lists are evaluated top down from first entry to last entry
• Once the traffic matches an entry in the list an action is taken - permit or deny
• Therefore, put more specific entries at the top of the list
• An implicit deny is added to the end of each access-list
• Access-lists are applied to interfaces
• It is best practice to apply an access-list to the interface closest to the source traffic thereby reducing undue processing

6.3.a Standard

• Standard ACLs are numbered from 1 to 99
• Permit or deny traffic using subnet and wildcard mask
• Cannot permit or deny based on ports
• Implicit deny is automatically added to the end of each access-list
• Configuration example:

Router#config t
Router(config)#access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)#access-list 10 permit 192.168.2.0 0.0.0.255
Router(config)#Ctrl+Z
Router#show access-lists 10

Standard IP access-list 10
    permit 192.168.1.0 0.0.0.255
    10 permit 192.168.2.0 0.0.0.255

Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group 10 in

 

6.3.b Extended

• Extended ACLs are numbered from 100-199
• Permit or deny traffic from specific source IPs or ranges to specific destination IPs or ranges
• Can also permit or deny based on specific ports or port ranges
• Implicit deny is automatically added to the end of each access-list
• Configuration example:

Router#config t
Router(config)#access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 53
Router(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)#Ctrl+Z

Router#show access-lists 100
Extended IP access-list 100
    permit udp 192.168.1.0 0.0.0.255 any eq 53
    permit tcp 192.168.1.0 0.0.0.255 any eq 80

Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group 100 in

 

6.3.c Named

• Named access-lists simply give a Network Administrator the option of using a more relevant name to identify the access-list instead of a number
• IPv4 configuration example:

Router#config t
Router(config)#ip access-list extended LAN-access 
Router(config-ext-nacl)#permit udp 192.168.1.0 0.0.0.255 any eq 53
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config-ext-nacl)#Ctrl+Z

Router#show access-lists LAN-access
Extended IP access list LAN-access
    permit udp 192.168.1.0 0.0.0.255 any eq domain
    permit tcp 192.168.1.0 0.0.0.255 any eq www

Router#config t
Router(config)#interface f0/1
Router(config-if)#ip access-group LAN-access in

 

• IPv6 configuration example:

Router#config t
Router(config)#ipv6 access-list LAN-access 
Router(config-ext-nacl)#permit udp your:ipv6:lan:subnet::/64 any eq 53
Router(config-ext-nacl)#permit tcp your:ipv6:lan:subnet::/64 any eq 80
Router(config)#Ctrl+Z

Router#show access-lists LAN-access
Extended IP access list LAN-access
    permit udp your:ipv6:lan:subnet::/64 any eq 53
    permit tcp your:ipv6:lan:subnet::/64 any eq 80

Router#config t
Router(config)#interface f0/1
Router(config-if)#ipv6 traffic-filter LAN-access in

 

PacketTracer Lab: CCNA-6.3-Configure-verify-and-troubleshoot-IPv4-and-IPv6-access-list-for-traffic-filtering.pkt

Subscribe Now for access to the labs!