Cisco Systems CCNA 2 11.2 Access Control Lists (ACLs)

To test an ACL, the students will need to know what traffic will be permitted, denied, and the

path. Have students test for connectivity, apply the ACL, and then check the ACL to see if it

works. The show running-config command should be used sparsely. Since lab

configurations are relatively simple, the problems can usually be found rapidly with this

command. However, students can become too dependent on it. When students troubleshoot

the complex configurations of a production environment, this command will not be productive.

The show and debug commands are the troubleshooting commands that should be used.

11.2 Access Control Lists (ACLs)

Essential Labs: 11.2.1a, 11.2.1b, 11.2.2a, 11.2.2b, and 11.2.3a

Optional Labs: 11.2.3b, 11.2.3c, and 11.2.6

Core TIs: 11.2.1, 11.2.2, 11.2.3, and 11.2.4

Optional TIs: 11.2.5 and 11.2.6

Course-Level Claim: Students can analyze, configure, implement, verify, and rectify access

control lists within a router configuration.

Certification-Level Claim: Students can implement access lists, develop an access list to

meet user specifications, troubleshoot an access list, and evaluate rules for packet control.

Hands-on skills: none

Standard ACLs check the source address of IP packets that are routed. The comparison will

result in either permit or deny access for an entire protocol suite, based on the network,

subnet, and host addresses. The standard version of the access-list global configuration

command is used to define an IP standard ACL with a number in the range of 1 to 99. The full

syntax of the standard ACL command is as follows:

Router(config)#access-list access-list-number {deny | permit}

source-address [source-wildcard] [log]

The no form of this command is used to remove a standard ACL:

Router(config)#no access-list access-list-number

A standard ACL only filters on the source address. The source can be a single host or an

entire network. This is the major difference between a standard and extended ACL. Have the

students discuss the ACL before they begin the labs. Draw a network, and tell the students to

create a standard ACL to block a host or a network. Show students the path the packet will

take from the source to the destination. At each router interface ask the students if the packet

is going in or out of the interface. This information will be used when the ip access-group

command is applied. Next, have the students decide on which router to configure an ACL.

Remind them that a standard ACL is applied closest to the destination. When the students

have the correct router, they must then decide which interface to apply the ACL to and if it

should filter in or out. Ask the students which interface is closest to the destination and then

ask if the packet is going in or out the interface.