Named extended ACL

A standard ACL matches only the source address, so a rule applies to traffic from that source to every destination; an extended ACL can match traffic from one source to one destination. For example, a standard ACL lets you deny all traffic from 192.168.1.20, which cuts that user off from everything: s/he no longer has a networked computer, just a machine that can't talk to anyone. An extended ACL lets you control a single conversation, e.g. between Bill and Jill, without preventing Bill from talking to anyone else.
- Another significant difference is that a standard ACL denies/permits all traffic, whereas an extended ACL selectively denies/permits some or all traffic depending on your preference. A standard ACL denial means all types of traffic are blocked: data, video, or music. An extended ACL, on the other hand, can deny only video and music but allow data.
             Standard                          Extended
Matches      Source only (entire protocol)     Source & destination (individual protocol/port)
Numbers      1-99, 1300-1999                   100-199, 2000-2699
Placement    Close to the destination          Close to the source
Standard ACL
! Step 1 - Create an ACL statement in the global config
R4(config)#access-list 1 deny 172.31.3.16 0.0.0.15
R4(config)#access-list 1 permit any
R4(config)#
!
! Step 2 - Apply the ACL on the interface
R4(config)#int s0/2
R4(config-if)#ip access-group 1 in
R4(config-if)#
Practice Standard ACL:
Configuring standard access-list according to a given set of conditions.
Instructions:
1. Hosts on Router R3 should not be able to access hosts on R2.
2. Only host A on R1 can access hosts on R2.
3. All other communication is allowed. Use standard access lists with ACL 1.
4. Apply the access-list 1 on serial interfaces se0 and se1.
Extended ACL example
R1(config)#access-list 100 deny tcp any any eq telnet
R1(config)#access-list 100 permit ip any any
R1(config)#int s0/1
R1(config-if)#ip access-group 100 in
R1(config-if)#end
R1#
Additional Example:
access-list 100 deny tcp host 10.0.0.2 host 10.0.1.2 eq www
access-list 100 permit ip any any
interface fastEthernet 0/0
ip access-group 100 in
Named extended ACL
RA(config)#ip access-list extended DROPICMP
RA(config-ext-nacl)#deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255
RA(config-ext-nacl)#deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255
RA(config-ext-nacl)#permit ip any any
RA(config-ext-nacl)#exit
RA(config)#interface fastEthernet 0/0
RA(config-if)#ip access-group DROPICMP in
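As an added worked example (not part of the original notes), the Python script below evaluates the page's own lists, the numbered standard ACL 1, extended ACL 100 and the named DROPICMP list, the way IOS processes them: wildcard-mask matching, top-down first-match, and the implicit deny any at the end of every list. The parser only accepts the syntax that appears on this page (any, host A, A WILDCARD, eq telnet/www); the sample packets are constructed, not captures.

```python
import ipaddress

# Port keywords IOS accepts after "eq" (only the ones used on this page).
PORT_NAMES = {"telnet": 23, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")   # "any" == 0.0.0.0 with an all-ones wildcard


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    172.31.3.16 0.0.0.15 therefore covers 172.31.3.16 - 172.31.3.31."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' | bare 'A' (treated as host)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) == 1:
        return (tokens[0], "0.0.0.0"), []
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1])
        return (int(tokens[1]) if port is None else port), tokens[2:]
    return None, tokens


def parse_acl(lines):
    """Parse numbered entries ('access-list N ...') or the body lines of a named
    extended ACL ('deny ...'/'permit ...'). Other lines (headers, 'exit') are skipped."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list":
            number, t = int(t[1]), t[2:]
            extended = 100 <= number <= 199 or 2000 <= number <= 2699
        elif t[0] in ("permit", "deny"):
            extended = True                    # inside 'ip access-list extended NAME'
        else:
            continue
        action, t = t[0], t[1:]
        if not extended:                       # standard: source only, whole protocol
            src, t = _take_addr(t)
            entries.append({"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None})
            continue
        proto, t = t[0], t[1:]                 # extended: protocol, source, destination, port
        src, t = _take_addr(t)
        dst, t = _take_addr(t)
        dport, t = _take_port(t)
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return entries


def evaluate(entries, pkt):
    """Top-down, first match wins. Falling off the end hits the implicit 'deny any'.
    Returns (decision, index of the matching entry, or None for the implicit deny)."""
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        return e["action"], i
    return "deny", None


# The three lists from the notes above, as typed (without the router prompts).
ACL_1 = parse_acl(["access-list 1 deny 172.31.3.16 0.0.0.15",
                   "access-list 1 permit any"])
ACL_100 = parse_acl(["access-list 100 deny tcp any any eq telnet",
                     "access-list 100 permit ip any any"])
DROPICMP = parse_acl(["deny icmp host 192.168.12.2 1.1.1.0 0.0.0.255",
                      "deny icmp host 2.2.2.2 1.1.1.0 0.0.0.255",
                      "permit ip any any"])

if __name__ == "__main__":
    # Constructed sample packets, not captures.
    for name, acl, pkt in [
        ("ACL 1", ACL_1, {"src": "172.31.3.20", "dst": "10.0.0.1", "proto": "tcp", "dport": 80}),
        ("ACL 1", ACL_1, {"src": "172.31.3.32", "dst": "10.0.0.1", "proto": "tcp", "dport": 80}),
        ("ACL 100", ACL_100, {"src": "10.1.1.1", "dst": "10.2.2.2", "proto": "tcp", "dport": 23}),
        ("ACL 100", ACL_100, {"src": "10.1.1.1", "dst": "10.2.2.2", "proto": "tcp", "dport": 80}),
        ("DROPICMP", DROPICMP, {"src": "192.168.12.2", "dst": "1.1.1.5", "proto": "icmp"}),
        ("DROPICMP", DROPICMP, {"src": "192.168.12.2", "dst": "1.1.2.5", "proto": "icmp"}),
    ]:
        print(name, pkt, "->", evaluate(acl, pkt))
```

The two things worth noticing when you run it: 172.31.3.31 is still denied by ACL 1 (the 0.0.0.15 wildcard covers .16 through .31), and a list consisting only of a deny line drops every packet, because the implicit deny any is always there. The standard entries carry dst = any and proto = ip, which is exactly why a standard ACL cannot express "Bill to Jill only".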
Passwords
1. From the privileged EXEC (enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)), by issuing the following commands:
Note: Notice that the prompt changes to reflect the current mode.
router#conf t
!--- Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line con 0
router(config-line)#
2. Configure the password, and enable password checking at login.
router(config-line)#password <password>
router(config-line)#login
3. Exit configuration mode.
router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console
Note: Do not save your configuration changes until your ability to log in has been verified.
4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been
properly entered by issuing the show running-config command. To test the configuration, log off the console with
the exit command and log in again, using the configured password to access the router.
router#exit
router con0 is now available
Press RETURN to get started.
5. Save your configuration.
router#write memory
Perform these steps to configure Telnet passwords.
Note: Before performing this test, ensure that you have an alternate connection into the router, such as console or
dial-in, in case there is a problem logging back in to the router.
1. From the privileged EXEC (or enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)), by issuing the following commands:
Note: Notice that the prompt changes to reflect the current mode.
router#conf t
!--- Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line vty 0 4
router(config-line)#
2. Configure the password, and enable password checking at login.
router(config-line)#password <password>
router(config-line)#login
3. Exit configuration mode.
router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console
Note: Do not save your configuration changes until your ability to log in has been verified.
4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly
entered, by issuing the show running-config command. Test the configuration by making a Telnet connection to the
router. This can be done by connecting from a different host on the network, but you can also do so from the router
itself by Telnetting to the IP address of any interface on the router that is in an up/up state as seen in the output of
the show interfaces command.
router#telnet <ip address>
5. Save your configuration.
router#write memory
Follow these steps to configure Auxiliary (AUX) port passwords.
Note: Before performing this test, ensure that you have an alternate connection into the router, such as console or
Telnet, in case there is a problem logging back in to the router.
1. From the privileged EXEC (or enable) prompt, enter configuration mode ((config)) and then switch to line configuration mode ((config-line)), by issuing the following commands:
Note: Notice that the prompt changes to reflect the current mode.
router#conf t
!--- Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line aux 0
router(config-line)#
2. Configure the password, and enable password checking at login.
router(config-line)#password <password>
router(config-line)#login
3. Exit configuration mode.
router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console
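The console, Telnet and AUX procedures above all rely on the same verification step: check in show running-config that each line has both a password and login before saving. The Python script below is an added example (not from the original notes) that performs that check on a running-config excerpt: it splits the config into its line con 0 / aux 0 / vty 0 4 blocks and reports any block where one of the two commands is present without the other, which is the usual way a line ends up without the password check the procedure intended. The config text is constructed for the example and the passwords in it are placeholders; lines using login local or login authentication are skipped, since those authenticate against a username database or AAA rather than the line password.

```python
def parse_line_sections(running_config):
    """Split an IOS running-config into its 'line ...' blocks.
    Returns {"con 0": [commands...], "aux 0": [...], "vty 0 4": [...]}.
    A block is the indented commands that follow a top-level 'line' command."""
    sections = {}
    current = None
    for raw in running_config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):                 # top-level command starts/ends a block
            if raw.startswith("line "):
                current = raw.strip()[len("line "):]
                sections[current] = []
            else:
                current = None
            continue
        if current is not None:
            sections[current].append(raw.strip())
    return sections


def audit_line_passwords(running_config):
    """Flag line blocks where 'password' and 'login' are not both configured.
    Returns a list of (line name, finding) tuples; empty means every line is complete."""
    findings = []
    for name, cmds in parse_line_sections(running_config).items():
        has_password = any(c.split()[0] == "password" for c in cmds)
        login_cmds = [c for c in cmds if c.split()[0] == "login"]
        if login_cmds and login_cmds[0] != "login":
            continue                                 # 'login local' / 'login authentication ...'
        if not has_password and not login_cmds:
            findings.append((name, "no password and no login configured"))
        elif not has_password:
            findings.append((name, "login set but no password configured"))
        elif not login_cmds:
            findings.append((name, "password configured but login missing, so it is never checked"))
    return findings


# Constructed excerpt of a 'show running-config'; the passwords are placeholders.
SAMPLE_RUNNING_CONFIG = """\
!
line con 0
 password EXAMPLE-CONSOLE-PASSWORD
 login
line aux 0
 login
line vty 0 4
 password EXAMPLE-VTY-PASSWORD
 transport input telnet
!
end
"""

if __name__ == "__main__":
    for line_name, finding in audit_line_passwords(SAMPLE_RUNNING_CONFIG):
        print(f"line {line_name}: {finding}")
```

Run against the constructed excerpt it reports aux 0 (login without a password) and vty 0 4 (password without login); con 0 passes. Pasting the real show running-config output into SAMPLE_RUNNING_CONFIG gives the same check against a live device, which is a cheap thing to do before the write memory step.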