Standard vs. extended ACLs

A standard ACL matches on the source address only, so whatever it permits or denies applies to traffic to every destination. An extended ACL matches on source and destination (and, for TCP/UDP, on port), so it can describe one particular conversation. For example, a standard ACL that denies 192.168.1.20 blocks that host from reaching anything at all: its user is left with a computer that can't talk to anyone on the network. An extended ACL lets you block just the conversation between, say, Bill and Jill without preventing Bill from talking to anyone else.

The second difference follows from the first. A standard ACL denial blocks every kind of traffic from that source (data, video, music, all of it), whereas an extended ACL can selectively deny only the video and music flows and still allow data.

            Matches                                   Numbers              Placement
Standard    Source only (all protocols)               1-99, 1300-1999      As close to the destination as possible
Extended    Source and destination (down to port)     100-199, 2000-2699   As close to the source as possible

The placement rule follows from what each type can match: a standard ACL can't tell destinations apart, so placing it near the source would cut the host off from more than intended; an extended ACL identifies the exact flow, so dropping it near the source stops unwanted traffic before it crosses the network.

Standard ACL

! Step 1 - Create the ACL statements in global config
R4(config)#access-list 1 deny 172.31.3.16 0.0.0.15
R4(config)#access-list 1 permit any
R4(config)#
!
! Step 2 - Apply the ACL on the interface
R4(config)#int s0/2
R4(config-if)#ip access-group 1 in
R4(config-if)#

The wildcard mask 0.0.0.15 means "the low four bits don't care", so the deny covers 172.31.3.16 through 172.31.3.31. The "permit any" is not optional: every ACL ends in an implicit "deny any", so an ACL that contains only deny statements blocks all traffic on the interface it is applied to.

Practice Standard ACL: configure a standard access list according to the following set of conditions.

Instructions:
1. Hosts on Router R3 should not be able to access hosts on R2.
2. Only host A on R1 can access hosts on R2.
3. All other communication is allowed. Use a standard access list, ACL 1.
4. Apply access-list 1 on serial interfaces se0 and se1.
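To make the matching rules concrete, here is an added Python simulation of how IOS evaluates an ACL. It is not part of the original notes and not a Cisco tool: it parses entries in the syntax used on this page, applies wildcard masks bit by bit, and evaluates packets with first-match semantics and the implicit deny at the end. ACL 1 is the standard example above; ACL 100 is the host-to-host web deny from the extended examples later on the page; ACL 2 is a deliberately broken deny-only list. The port keyword table, the packet addresses and the numbered-vs-named parsing assumption (entries without a number are treated as extended) are all constructed for the demonstration.

```python
"""Simulate how IOS evaluates standard and extended ACL entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts after "eq"; only the two used on this page are listed.
PORT_NAMES = {"telnet": 23, "www": 80}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass
class ACE:
    """One access control entry. Standard entries leave dst at 'any'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None  # destination port for "eq <port>", else None


def _parse_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any', 'host A', or 'A WILDCARD' (a bare 'A' means host A)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) < 2 or tokens[1] in ("any", "host", "eq"):
        return tokens[0], "0.0.0.0", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> ACE:
    """Parse 'access-list N ...' or a named-ACL entry in the syntax on this page.

    Assumption: numbers 1-99 / 1300-1999 are standard; everything else
    (including un-numbered named entries) is parsed as extended.
    """
    t = line.split()
    number = None
    if t[0] == "access-list":
        number = int(t[1])
        t = t[2:]
    action, t = t[0], t[1:]
    if number is not None and (1 <= number <= 99 or 1300 <= number <= 1999):
        src, src_wc, _ = _parse_addr(t)
        return ACE(action, "ip", src, src_wc)
    proto, t = t[0], t[1:]
    src, src_wc, t = _parse_addr(t)
    dst, dst_wc, t = _parse_addr(t)
    dport = None
    if t[:1] == ["eq"]:
        dport = PORT_NAMES.get(t[1]) or int(t[1])
    return ACE(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[ACE], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit "deny any" at the end of every IOS ACL


# ACL 1 from the standard example on this page (test addresses are constructed).
ACL_1 = [parse_ace(l) for l in (
    "access-list 1 deny 172.31.3.16 0.0.0.15",
    "access-list 1 permit any",
)]
# Extended ACL from the page: block one web conversation, allow everything else.
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 deny tcp host 10.0.0.2 host 10.0.1.2 eq www",
    "access-list 100 permit ip any any",
)]
# A common mistake: a deny-only ACL, which blocks everything via the implicit deny.
ACL_2 = [parse_ace("access-list 2 deny 172.31.3.16 0.0.0.15")]

if __name__ == "__main__":
    print(evaluate(ACL_1, "172.31.3.20", "10.9.9.9"))             # inside .16-.31
    print(evaluate(ACL_1, "172.31.3.32", "10.9.9.9"))             # .32 is outside
    print(evaluate(ACL_100, "10.0.0.2", "10.0.1.2", "tcp", 80))   # the blocked flow
    print(evaluate(ACL_100, "10.0.0.2", "10.0.1.2", "tcp", 22))   # other port passes
    print(evaluate(ACL_2, "10.0.0.1", "10.9.9.9"))                # implicit deny
```

The deny-only ACL_2 is the case worth remembering: it denies a source that never matches and still drops the packet, because the lookup ran off the end of the list.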
Extended ACL example

R1(config)#access-list 100 deny tcp any any eq telnet
R1(config)#access-list 100 permit ip any any
R1(config)#int s0/1
R1(config-if)#ip access-group 100 in
R1(config-if)#end
R1#

This drops Telnet (TCP port 23) arriving on s0/1 from any source to any destination and lets all other traffic through.

Additional Example:

access-list 100 deny tcp host 10.0.0.2 host 10.0.1.2 eq www
access-list 100 permit ip any any
interface fastEthernet 0/0
ip access-group 100 in

Here only the web conversation from host 10.0.0.2 to host 10.0.1.2 is dropped; 10.0.0.2 can still reach 10.0.1.2 on other ports and any other host on port 80.

Named extended ACL

RA(config)#ip access-list extended DROPICMP
RA(config-ext-nacl)#deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
RA(config-ext-nacl)#deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
RA(config-ext-nacl)#permit ip any any
RA(config-ext-nacl)#exit
RA(config)#interface fastEthernet 0/0
RA(config-if)#ip access-group DROPICMP in

Passwords

Perform these steps to configure the console password.

1. From the privileged EXEC (enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)) by issuing the following commands:

Note: Notice that the prompt changes to reflect the current mode.

router#conf t
!--- Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line con 0
router(config-line)#

2. Configure the password, and enable password checking at login.

router(config-line)#password <password>
router(config-line)#login

3. Exit configuration mode.

router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console

Note: Do not save your configuration changes until your ability to log in has been verified.

4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly entered by issuing the show running-config command. To test the configuration, log off the console with the exit command and log in again, using the configured password to access the router.

router#exit

router con0 is now available

Press RETURN to get started.

5. Save your configuration.

router#write memory

Perform these steps to configure Telnet passwords.
Note: Before performing this test, ensure that you have an alternate connection into the router, such as console or dial-in, in case there is a problem logging back in to the router.

1. From the privileged EXEC (enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)) by issuing the following commands:

Note: Notice that the prompt changes to reflect the current mode.

router#conf t
!--- Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line vty 0 4
router(config-line)#

2. Configure the password, and enable password checking at login.

router(config-line)#password <password>
router(config-line)#login

3. Exit configuration mode.

router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console

Note: Do not save your configuration changes until your ability to log in has been verified.

4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly entered by issuing the show running-config command. Test the configuration by making a Telnet connection to the router. This can be done from a different host on the network, but you can also do it from the router itself by telnetting to the IP address of any interface on the router that is in an up/up state, as seen in the output of the show interfaces command.

router#telnet <ip address>

5. Save your configuration.

router#write memory

Follow these steps to configure Auxiliary (AUX) port passwords.

Note: Before performing this test, ensure that you have an alternate connection into the router, such as console or Telnet, in case there is a problem logging back in to the router.

1. From the privileged EXEC (enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)) by issuing the following commands:

Note: Notice that the prompt changes to reflect the current mode.
router#conf t
!--- Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line aux 0
router(config-line)#

2. Configure the password, and enable password checking at login.

router(config-line)#password <password>
router(config-line)#login

3. Exit configuration mode.

router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console
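All three procedures above end with the same check: confirm you can still log in before saving. The following added Python script (not part of the original notes and not an IOS feature) automates the configuration-side half of that check over a constructed "show running-config" excerpt. It parses each line stanza and flags a "login" with no "password" (IOS rejects the session on such a line, which is how you lock yourself out), a "password" with no "login" (the password is never asked for), a password kept in cleartext in the config (the "password" command stores type 0 unless "service password-encryption" is set, and even that only applies the reversible type 7 encoding), and Telnet on the vty lines, which sends the password across the network in cleartext. The sample config, its hostname and its passwords are constructed for the example.

```python
"""Audit the line-password configuration in an IOS running-config (added example)."""
from typing import Dict, List

# Constructed excerpt of "show running-config" output; not from a real router.
SAMPLE_CONFIG = """\
hostname router
!
line con 0
 password c0ns0le
 login
line aux 0
 login
line vty 0 4
 password 7 094F471A1A0A
 login
 transport input telnet
line vty 5 15
 password vtypass
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line <name>' stanza to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # an unindented command or "!" ends the stanza
    return blocks


def audit_lines(config: str) -> Dict[str, List[str]]:
    """Return findings per line stanza; an empty list means the stanza passes."""
    encrypt_global = "service password-encryption" in config.splitlines()
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_line_blocks(config).items():
        issues = []
        # Plain "login" checks the line password; "login local" uses usernames.
        line_login = "login" in cmds
        any_login = line_login or any(c.startswith("login ") for c in cmds)
        passwords = [c for c in cmds if c.startswith("password ")]
        if line_login and not passwords:
            issues.append("login without password: IOS refuses the session")
        if passwords and not any_login:
            issues.append("password without login: the password is never asked for")
        if passwords and not encrypt_global and not all(
                p.startswith("password 7 ") for p in passwords):
            issues.append("password stored in cleartext in the config")
        if name.startswith("vty") and "transport input telnet" in cmds:
            issues.append("Telnet enabled: password sent in cleartext on the wire")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for line_name, issues in audit_lines(SAMPLE_CONFIG).items():
        print(f"line {line_name}: {issues or 'ok'}")
```

Run it against the output of "show running-config" saved to a file before "write memory"; a line that shows the first finding is exactly the case the notes warn about, so fix it before saving.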