To test an ACL, the students will need to know what traffic will be permitted or denied and the path that traffic will take. Have students test for connectivity, apply the ACL, and then check the ACL to see if it works. The show running-config command should be used sparingly. Since lab configurations are relatively simple, the problems can usually be found rapidly with this command. However, students can become too dependent on it. When students troubleshoot the complex configurations of a production environment, this command will not be productive. The show and debug commands are the troubleshooting commands that should be used.

11.2 Access Control Lists (ACLs)

Essential Labs: 11.2.1a, 11.2.1b, 11.2.2a, 11.2.2b, and 11.2.3a

Optional Labs: 11.2.3b, 11.2.3c, and 11.2.6

Core TIs: 11.2.1, 11.2.2, 11.2.3, and 11.2.4

Optional TIs: 11.2.5 and 11.2.6

Course-Level Claim: Students can analyze, configure, implement, verify, and rectify access control lists within a router configuration.

Certification-Level Claim: Students can implement access lists, develop an access list to meet user specifications, troubleshoot an access list, and evaluate rules for packet control.

Hands-on skills: none

11.2.1 Standard ACLs

Standard ACLs check the source address of IP packets that are routed. The comparison will result in either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. The standard version of the access-list global configuration command is used to define an IP standard ACL with a number in the range of 1 to 99. The full syntax of the standard ACL command is as follows:

Router(config)#access-list access-list-number {deny | permit} source-address [source-wildcard] [log]

The no form of this command is used to remove a standard ACL:

Router(config)#no access-list access-list-number

A standard ACL only filters on the source address. The source can be a single host or an entire network. This is the major difference between a standard and an extended ACL. Have the students discuss the ACL before they begin the labs. Draw a network, and tell the students to create a standard ACL to block a host or a network. Show students the path the packet will take from the source to the destination. At each router interface, ask the students if the packet is going in or out of the interface. This information will be used when the ip access-group command is applied. Next, have the students decide on which router to configure the ACL. Remind them that a standard ACL is applied closest to the destination. When the students have the correct router, they must then decide which interface to apply the ACL to and whether it should filter in or out. Ask the students which interface is closest to the destination, and then ask if the packet is going in or out of that interface.
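To make the permit/deny outcome of the board exercise concrete, here is an added Python model of how a router evaluates a standard ACL written in the syntax above (example code written for this guide, not Cisco IOS code). The ACL text and the test addresses are constructed; the `host` and `any` shorthands are left out because the syntax above does not use them.

```python
import ipaddress

# Constructed sample ACL in the syntax shown above. Wildcard bits set to 1
# are "don't care" bits; a missing wildcard means 0.0.0.0 (exact host match).
SAMPLE_ACL = """
access-list 10 deny 192.168.1.5
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny 10.0.0.0 0.255.255.255 log
"""


def parse_standard_acl(text):
    """Parse 'access-list N {deny|permit} source [wildcard] [log]' lines
    into a list of (action, source, wildcard, log) tuples, in order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        number = int(parts[1])
        if not 1 <= number <= 99:  # standard ACL number range from the text
            raise ValueError(f"standard ACL number out of range: {number}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny: {line!r}")
        source = int(ipaddress.IPv4Address(parts[3]))
        rest = parts[4:]
        wildcard = 0
        if rest and rest[0] != "log":
            wildcard = int(ipaddress.IPv4Address(rest.pop(0)))
        if rest not in ([], ["log"]):
            raise ValueError(f"unexpected trailing tokens: {line!r}")
        entries.append((action, source, wildcard, rest == ["log"]))
    return entries


def evaluate(entries, src_ip):
    """Top-down, first match wins. Returns (action, 1-based entry number);
    the entry number is None when the implicit deny at the end matched."""
    src = int(ipaddress.IPv4Address(src_ip))
    for index, (action, source, wildcard, _log) in enumerate(entries, 1):
        # Only the bits the wildcard marks as 0 have to agree.
        if (src ^ source) & ~wildcard & 0xFFFFFFFF == 0:
            return action, index
    return "deny", None  # implicit deny: nothing matched


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for ip in ("192.168.1.5", "192.168.1.7", "10.20.30.40", "172.16.0.1"):
        print(ip, evaluate(acl, ip))
```

Having students run their own ACL through this before applying it on the router shows which entry each test packet hits, including packets that fall through to the implicit deny.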

124 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11

Copyright 2004, Cisco Systems, Inc.
