If a packet matches none of the ACL statements, it falls through to an implicit "deny any" statement that sits at the end of every list by default. Even though the "deny any" is not visible in the configuration, it denies every packet that no statement in the ACL has matched.

An exercise to use with the students is to look at each line of an ACL and ask the students what each line accomplishes. ACL statements are processed from the top down, one line at a time until a match is made. Remind students that at the end of each ACL is an implied deny all. Since the statements are processed sequentially, the order in which the commands are entered is extremely important. Changing the order of the statements can completely change what the ACL accomplishes.
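As an added illustration of the top-down, first-match evaluation and the implied deny described above (this is a constructed model, not code from the Cisco guide): a small Python simulation of a standard numbered ACL. The statements and addresses are made up for the example; the address-plus-wildcard-mask form (`192.168.0.0 0.0.0.255`) is standard IOS syntax that the guide has not yet reached at this point.

```python
import ipaddress

# Model of a standard numbered IP ACL (1-99) evaluated the way the guide
# describes: top down, first match wins, implicit "deny any" if nothing matches.
# Sample statements below are constructed for this example.

def parse_statement(line):
    """Parse 'access-list N permit|deny <source>' into (number, action, addr, wildcard)."""
    parts = line.split()
    if parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    number, action, src = int(parts[1]), parts[2], parts[3:]
    if not 1 <= number <= 99:
        raise ValueError(f"{number} is not a standard IP access list number (1-99)")
    if src[0] == "any":                      # any source host
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif src[0] == "host":                   # a single host address
        addr, wild = src[1], "0.0.0.0"
    elif len(src) == 2:                      # address followed by wildcard mask
        addr, wild = src
    else:                                    # bare address: exact host match
        addr, wild = src[0], "0.0.0.0"
    return number, action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def matches(src_ip, addr, wild):
    """Wildcard mask semantics: 1 bits are 'don't care', 0 bits must match exactly."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (addr & care)

def evaluate(acl_lines, src_ip):
    """Return (action, matched_statement); a None statement means the implicit deny fired."""
    for line in acl_lines:                   # processed sequentially, top down
        _, action, addr, wild = parse_statement(line)
        if matches(src_ip, addr, wild):
            return action, line              # first match ends processing
    return "deny", None                      # implicit "deny any" at the end of every ACL

# Same two statements in two orders: the order decides what the ACL does.
ACL_A = [
    "access-list 1 deny host 192.168.0.1",
    "access-list 1 permit 192.168.0.0 0.0.0.255",
]
ACL_B = list(reversed(ACL_A))

if __name__ == "__main__":
    for name, acl in (("ACL_A", ACL_A), ("ACL_B", ACL_B)):
        for ip in ("192.168.0.1", "192.168.0.77", "10.1.1.1"):
            action, line = evaluate(acl, ip)
            print(f"{name} {ip}: {action} ({line or 'implicit deny any'})")
```

With ACL_A the host 192.168.0.1 is denied; with ACL_B the same host is permitted because the broader permit statement is matched first, and 10.1.1.1 is denied by the invisible "deny any" in both orders.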

11.1.3 Creating ACLs

ACLs are created in global configuration mode. When ACLs are configured on a router, each ACL must be uniquely identified. This is accomplished by assigning a number to it. After the access list is created, it must be assigned to the proper interface. ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic with the ip access-group command. The ip access-group command is issued in interface configuration mode. To assign an access list to an interface, the direction of the traffic that the list will filter must also be defined. Traffic that enters an interface is filtered with an inbound access list. Traffic that leaves an interface is filtered with an outbound access list. To alter an ACL that contains numbered ACL statements, all the statements in the numbered ACL must be deleted with the no access-list [list-number] command and then re-entered.

The steps to configure an ACL are as follows:

rt1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <300-399>         DECnet access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  <2000-2699>       IP extended access list (expanded range)
  rate-limit        Simple rate-limit specific access list

The students will need to memorize the ACL numbers.

rt1(config)#access-list 1 ?
  deny     Specify packets to reject
  permit   Specify packets to forward
  remark   Access list entry comment

rt1(config)#access-list 1 permit ?
  Hostname or A.B.C.D   Address to match
  any                   Any source host
  host                  A single host address

rt1(config)#access-list 1 permit 192.168.0.1 ?

121 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11

Copyright 2004, Cisco Systems, Inc.

[Figure: Creating ACLs, showing the output of access-list ? and access-list 1 permit ?]