127 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11 Copyright © 2004, Cisco Systems, Inc.
Then enter extended or standard:
rt1(config)#ip access-list extended ?
<100-199> Extended IP access-list number
WORD Access-list name
The name used is named_ACL:
rt1(config)#ip access-list extended named_ACL
rt1(config-ext-nacl)#
rt1(config-ext-nacl)#?
Ext Access List configuration commands:
default Set a command to its defaults
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
evaluate Evaluate an access list
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
From this point the ACL will work like any other extended ACL.
11.2.4 Placing ACLs ACLs are used to control traffic by filtering packets and eliminating unwanted traffic on a
network. Another important consideration of when ACLs are implemented is the placement of
the access list. The ACL should be placed where it has the greatest impact on increased
efficiency. The general rule is to put the extended ACLs as close as possible to the source of
the traffic that is denied. Standard ACLs do not specify destination addresses, so they should
be placed as close to the destination as possible. For example, a standard ACL should be
placed on Fa0/0 of Router D to prevent traffic from Router A.
Administrators can only place access lists on devices that they control.
A standard ACL should be placed close to the destination. First, have the students decide
which router is closest to the destination and then pick which interface is the closest to the
destination. An ACL can be applied to any of the interfaces, but if an ACL is applied to the
wrong interface a negative result is possible. The extended ACL should be placed closest to
the source. Have the students decide which router is closest and then choose the correct
interface. The in or out commands also need to be correct or the ACL will not work. Students
commonly forget to apply the ACL or filter in the wrong direction.
11.2.5 Firewalls A firewall is an architectural structure that exists between the user and the outside world to
protect the internal network from intruders. A network firewall usually consists of several
different machines that work together to prevent unwanted and illegal access. ACLs should be
used in firewall routers, which are often positioned between the internal network and an
external network, such as the Internet.
ACLs must be configured on border routers, which are routers situated on the boundaries of
the network, to provide security benefits. CCNA 2 will cover standard, extended, and named
ACLs. Other types will be covered in the CCNP classes.