CCNA Extended Access List Commands
Access control lists (ACLs) are an essential tool for network security. ACLs enable control over which packets are allowed to enter or exit your network, based on various criteria such as source or destination IP address, protocol, port numbers, and more. Equally important to know is that access control list configuration and especially CCNA extended access list commands to pass the 200-301 exam. In this post, we’ll discuss how to use Cisco CCNA access list commands to configure access lists on your routers and switches.
Types of Access Lists
There are two types of access lists to know for the Cisco CCNA: standard and extended.
Standard access lists filter traffic based only on the source IP address of the packet. They have a range of numbers from 1 to 99 and from 1300 to 1999.
In contrast, extended access lists filter traffic based on multiple criteria such as source or destination IP address, protocol, port numbers, and more. They have a range of numbers from 100 to 199 and from 2000 to 2699.
Configuring Access Lists
First, to configure an access list on a Cisco router or switch, you need to use the following commands:
access-list command
permit or deny command
interface command
ip access-group command
Here’s an example of how to create a standard access list on a router:
Router(config)# access-list 10 deny host 192.168.1.1
Router(config)# access-list 10 permit any
In this example, access list 10 is created to deny packets from the IP address 192.168.1.1 and permit any other packet.
Second, you need to apply the access list to an interface using the following command:
Router(config)# interface interface_name
Router(config-if)# ip access-group access_list_number {in | out}
Third, you would apply access list 10 to an interface using the following command:
Router(config)# interface gigabitethernet 0/0
Router(config-if)# ip access-group 10 in
This applies the access list to the inbound direction of the GigabitEthernet 0/0 interface.
CCNA Extended Access Lists
It’s important to understand that extended access lists are more powerful than standard access lists because they allow you to filter packets based on a range of criteria. Here’s an example of how to create an extended access list on a router:
Router(config)# access-list 101 permit tcp host 192.168.1.1 any eq 80
Router(config)# access-list 101 permit udp any any eq 53
Router(config)# access-list 101 deny ip any any
In this example, access list 101 is created to permit TCP traffic from the IP address 192.168.1.1 to any destination on port 80, UDP traffic from any source to any destination on port 53, and deny all other IP traffic.
Next, you need to apply the access list to an interface using the same command as before:
Router(config)# interface gigabitethernet 0/0
Router(config-if)# ip access-group 101 in
This applies the access list to the inbound direction of the GigabitEthernet 0/0 interface.
Example CCNA Extended Access List Scenario:
A small company has a network with a web server that provides HTTP and HTTPS services to the public. The company wants to allow incoming traffic only from specific IP addresses to increase network security.
Solution: We can create two access lists, one for HTTP and one for HTTPS, to permit traffic from specific IP addresses and deny traffic from all other IP addresses. Here’s an example configuration for this scenario:
access-list 101 permit tcp host 203.0.113.1 host 198.51.100.10 eq www
access-list 101 permit tcp host 203.0.113.1 host 198.51.100.10 eq 443
access-list 101 deny tcp any host 198.51.100.10 eq www
access-list 101 deny tcp any host 198.51.100.10 eq 443
interface GigabitEthernet0/0
ip address 198.51.100.10 255.255.255.0
ip access-group 101 in
Explanation
In this configuration, access list 101 is used to permit traffic from the specific IP address 203.0.113.1 to the web server’s IP address (198.51.100.10) on ports 80 (HTTP) and 443 (HTTPS). In addition, the access list also denies all other traffic to the web server on these ports.
The access list is applied to the inbound traffic on the GigabitEthernet0/0 interface using the ip access-group 101 in command. This ensures that the access list is applied to all traffic coming into the network interface from the public internet.
By using access lists to permit traffic only from specific IP addresses, this small company can increase the security of their network and reduce the risk of unauthorized access to their web server.
Conclusion
Access lists are a vital component of network security and a vital topic of the CCNA exam so the future CCNA extended access list commands must be mastered. By using access list commands to configure access lists on your routers and switches, you can filter traffic based on a range of criteria to protect your network from unauthorized access and attacks. In addition, whether you’re configuring standard or extended access lists, be sure to follow the best practices for access list configuration and testing to ensure the security and stability of your network.
Leave a Reply