In this Free CCNA Lab we will use the provided Packet Tracer activity to Plan, configure, and apply a standard Access Control List (ACL) to permit or deny specific traffic to flow through the network. We will then use Ping and Cisco show commands to test the ACL to determine if the desired results were achieved.
Learning Objectives:
- Understand the function of an ACL.
- Configure a standard ACL to filter traffic.
- Verify the ACL operation.
Standard Access Lists:
Standard access lists match packets by examining the source IP address field in the packet’s IP header. Any bit positions in the 32-bit source IP address can be compared to the access list statements. However, the matching is flexible and does not consider the subnet mask in use.
Access lists use the inverse mask, sometimes called the wildcard mask or I-mask. This mask is named because it inverts the meaning of the bits. In a normal mask, ones mean “must match,” while zeroes mean “may vary.” For example, for two hosts to be on the same Class C network, the first 24 bits of their address must match, while the last 8 may vary. Inverse masks swap the rules so that zeroes mean “must match” and ones mean “may vary.”
Planning and implementing an ACL:
The easy way to calculate the inverse mask when you already know the normal mask is to subtract from all ones. The table that follows shows an example. The normal mask is subtracted, column by column, from the all-ones mask to determine the inverse mask.
All Ones 255 255 255 255
Normal Mask 255 255 240 0
Inverse Mask 0 0 15 255
The command for configuring a standard access list is as follows:
Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]
As you can see from the command syntax, the first option is to specify the access list number. The number range for standard access lists is 1 to 99. The second value that you must specify is to permit or deny the configured source IP address. The third value is the source IP address that you want to match. The fourth value is the wildcard mask that you want to apply to the IP address previously configured.
Note: All access lists have an implicit deny, meaning that if a packet does not match any of the criteria that you have specified in your access list, it will be denied. If you have deny statements in your access lists, be sure to create permit statements to allow valid traffic.
When the access list has been created, you need to apply it to the appropriate interface. The command to apply the access list is as follows:
Router(config-if)# ip access-group {number | name [in | out] }
The access list is applied under the interface configuration mode. You must specify only the number or name and whether it is an incoming or an outgoing access list.
Search for Additional CCNA Labs: [adsense_id=”4″]
Standard-ACL (278.0 KiB, 4,607 hits) Packet Tracer 5-3-3 By Cisco (48.3 MiB, 1,934 hits)
You do not have permission to download this file.
Posted in 
Tags: