CCNA 200-301 Portable Command Guide 5th Edition 22
Manage traffic using ACLs: Learn to create, apply, and verify standard, extended, named, and IPv6 ACLs. Includes tips, keywords, sequence numbers, and configuration examples.
Alice Edwards
Contributor
CHAPTER 21
Managing Traffic Using Access Control Lists (ACLs)
This chapter provides information and commands concerning the following topics:
■ Access list numbers
■ Using wildcard masks
■ ACL keywords
■ Creating standard ACLs
■ Applying standard ACLs to an interface
■ Verifying ACLs
■ Removing ACLs
■ Creating extended ACLs
■ Applying extended ACLs to an interface
■ The established keyword
■ The log keyword
■ Creating named ACLs
■ Using sequence numbers in named ACLs
■ Removing specific lines in named ACLs using sequence numbers
■ Sequence number tips
■ Including comments about entries in ACLs
■ Restricting virtual terminal access
■ Tips for configuring ACLs
■ IPv6 ACLs
■ Verifying IPv6 ACLs
■ Configuration examples: IPv4 ACLs
■ Configuration examples: IPv6 ACLs
Access List Numbers
Although many different protocols can use access control lists (ACLs), the CCNA
200-301 certification exam is concerned only with IPv4 ACLs. The following chart
shows some of the other protocols that can use ACLs.
1-99 or 1300-1999       Standard IPv4
100-199 or 2000-2699    Extended IPv4
NOTE: IPv6 ACLs do not use numbers; IPv6 ACLs are configured using names only.
Using Wildcard Masks
When applied to an IP address, a wildcard mask identifies which addresses are matched,
and therefore which addresses the permit or deny action of an ACL statement applies to. A
wildcard mask can identify a single host, a range of hosts, a complete network or
subnetwork, or even all possible addresses.
There are two rules when working with wildcard masks:
■ A 0 (zero) in a wildcard mask means to check the corresponding bit in the
address for an exact match.
■ A 1 (one) in a wildcard mask means to ignore the corresponding bit in the
address; it can be either 1 or 0. In the examples, this is shown as x.
Example 1: 172.16.0.0 0.0.255.255
172.16.0.0 = 10101100.00010000.00000000.00000000
0.0.255.255 = 00000000.00000000.11111111.11111111
Result = 10101100.00010000.xxxxxxxx.xxxxxxxx
172.16.x.x (Anything between 172.16.0.0 and 172.16.255.255 matches the example
statement)
TIP: An octet of all 0s means that the octet has to match exactly to the address. An
octet of all 1s means that the octet can be ignored.
Example 2: 172.16.8.0 0.0.7.255
172.16.8.0 = 10101100.00010000.00001000.00000000
0.0.7.255 = 00000000.00000000.00000111.11111111
Result = 10101100.00010000.00001xxx.xxxxxxxx
00001xxx = 00001000 to 00001111 = 8-15
xxxxxxxx = 00000000 to 11111111 = 0-255
Anything between 172.16.8.0 and 172.16.15.255 matches the example statement
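The two worked examples above can be reproduced mechanically. The following Python script is an added example, not code from the book: it renders the bit pattern with x for ignored bits, computes the lowest and highest address an address/wildcard pair matches, and tests a candidate address against the two rules. It also covers a case the chapter's examples do not show: a wildcard mask whose 1 bits are not one contiguous run (such as 0.0.0.254), where a simple low-to-high range no longer describes the set of matched addresses and only the bitwise test is reliable.

```python
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def show_bits(address: str, wildcard: str) -> str:
    """Render address/wildcard the way the chapter does: x marks an ignored bit."""
    a = format(_to_int(address), "032b")
    w = format(_to_int(wildcard), "032b")
    bits = "".join("x" if wb == "1" else ab for ab, wb in zip(a, w))
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def is_contiguous(wildcard: str) -> bool:
    """True if the wildcard's 1 bits form a single run at the low end (e.g. 0.0.7.255)."""
    w = _to_int(wildcard)
    return ((w + 1) & w) == 0


def wildcard_range(address: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address matched by address/wildcard.

    Only a complete description for a contiguous wildcard; for a non-contiguous
    one the matched addresses are scattered inside this range, so use
    wildcard_matches() for the actual decision.
    """
    a, w = _to_int(address), _to_int(wildcard)
    low = a & ~w & ALL_ONES   # ignored bits forced to 0
    high = a | w              # ignored bits forced to 1
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def wildcard_matches(candidate: str, address: str, wildcard: str) -> bool:
    """Apply the two rules: a 0 bit must match exactly, a 1 bit is ignored."""
    differing = _to_int(candidate) ^ _to_int(address)   # 1 wherever the bits differ
    return (differing & ~_to_int(wildcard) & ALL_ONES) == 0


if __name__ == "__main__":
    # The chapter's two examples plus one non-contiguous mask (constructed input).
    for addr, mask in (("172.16.0.0", "0.0.255.255"),
                       ("172.16.8.0", "0.0.7.255"),
                       ("172.16.1.1", "0.0.0.254")):
        print(f"{addr} {mask}: {show_bits(addr, mask)}  contiguous={is_contiguous(mask)}")
        print("  range:", wildcard_range(addr, mask))
```

With 172.16.1.1 0.0.0.254 the only checked bit in the last octet is the lowest one, so the pair matches every odd host in 172.16.1.0/24 and nothing else; the range function reports 172.16.1.1 to 172.16.1.255, which is why it is paired with the contiguity check.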
ACL Keywords
any     Used in place of 0.0.0.0 255.255.255.255; matches any address that it is
        compared against
host    Used in place of 0.0.0.0 in the wildcard mask; matches only one specific
        address
Creating Standard ACLs
NOTE: Standard ACLs are the oldest type of ACL. They date back as early as Cisco
IOS Release 8.3. Standard ACLs control traffic by comparing the source of the IP
packets to the addresses configured in the ACL.
NOTE: Each line in an ACL is called an access control entry (ACE). Many ACEs
grouped together form a single ACL.
Router(config)# access-list 10 permit 172.16.0.0 0.0.255.255
    Read this line to say, "All packets with a source IP address of 172.16.x.x
    will be matched by the statement, and the packet will exit processing of the
    rest of the ACL"
    access-list = ACL command
    10 = Arbitrary number between 1 and 99, or 1300 and 1999, designating this as
    a standard IP ACL
    permit = Packets that match this statement will be allowed to continue
    172.16.0.0 = Source IP address to be compared to
    0.0.255.255 = Wildcard mask
Router(config)# access-list 10 deny host 172.17.0.1
    Read this line to say, "All packets with a source IP address of 172.17.0.1
    will be dropped and discarded"
    access-list = ACL command
    10 = Number between 1 and 99, or 1300 and 1999, designating this as a standard
    IP ACL
    deny = Packets that match this statement will be dropped and discarded
    host = Keyword
    172.17.0.1 = Specific host address
Router(config)# access-list 10 permit any
    Read this line to say, "All packets with any source IP address will be matched
    by the statement, and the packet will exit processing of the rest of the ACL"
    access-list = ACL command
    10 = Number between 1 and 99, or 1300 and 1999, designating this as a standard
    IP ACL
    permit = Packets that match this statement will be allowed to continue
    any = Keyword to mean all IP addresses
TIP: An implicit deny statement is assumed at the end of every ACL. You cannot see it,
but it states "deny everything not already matched by an ACE in the list." This is
always the last line of any ACL. If you want to defeat this implicit deny, put a permit
any statement in your standard ACLs or a permit ip any any in your extended ACLs as the
last line.
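To make the top-down, first-match behaviour and the implicit deny concrete, here is an added Python example (not code from the book) that parses standard ACEs in the syntax shown above, evaluates a source address against a list in configured order, and flags ACEs that an earlier ACE makes unreachable, a common ordering mistake that the implicit-deny and permit-any rules make easy to introduce. The configuration text is constructed for the example: ACL 10 is the chapter's three lines, ACL 20 drops the final permit any, and ACL 30 has the lines in the wrong order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    """One access control entry of a standard IPv4 ACL (source matching only)."""
    action: str      # "permit" or "deny"
    source: str      # dotted-decimal source address to compare against
    wildcard: str    # wildcard mask: 0 bits must match, 1 bits are ignored


def parse_standard_ace(line: str) -> Tuple[int, Ace]:
    """Parse one 'access-list N permit|deny <source>' line into (N, Ace).

    Expands the keywords as the chapter defines them:
    any -> 0.0.0.0 255.255.255.255 and host A -> A 0.0.0.0.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard ACE: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is outside the standard IPv4 ACL number ranges")
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest[0] == "any":
        return number, Ace(action, "0.0.0.0", "255.255.255.255")
    if rest[0] == "host":
        if len(rest) < 2:
            raise ValueError(f"host keyword without an address: {line!r}")
        return number, Ace(action, rest[1], "0.0.0.0")
    # IOS treats a missing wildcard on a standard ACE as 0.0.0.0 (a single host).
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return number, Ace(action, rest[0], wildcard)


def _ints(ace: Ace) -> Tuple[int, int]:
    return int(ipaddress.IPv4Address(ace.source)), int(ipaddress.IPv4Address(ace.wildcard))


def matches(ace: Ace, src: str) -> bool:
    """True if src matches the ACE: every bit the wildcard checks (0) is equal."""
    a, w = _ints(ace)
    return ((int(ipaddress.IPv4Address(src)) ^ a) & ~w & ALL_ONES) == 0


def load_acl(config: str, number: int) -> List[Ace]:
    """Collect the ACEs of one list number from config text, in configured order."""
    acl = []
    for line in config.splitlines():
        line = line.strip()
        if line and not line.startswith("!"):
            n, ace = parse_standard_ace(line)
            if n == number:
                acl.append(ace)
    return acl


def evaluate(acl: List[Ace], src: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation of a source address against an ACL.

    Returns (action, index of the ACE that matched). When nothing matches, the
    packet hits the implicit deny at the end of every ACL, reported as index None.
    """
    for i, ace in enumerate(acl):
        if matches(ace, src):
            return ace.action, i
    return "deny", None


def find_shadowed(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never be reached because an earlier ACE already
    matches every address they would match."""
    shadowed = []
    for j, later in enumerate(acl):
        aj, wj = _ints(later)
        for earlier in acl[:j]:
            ai, wi = _ints(earlier)
            # earlier covers later if it ignores every bit later ignores and
            # agrees with later on every bit it does check
            if (wj & ~wi & ALL_ONES) == 0 and ((ai ^ aj) & ~wi & ALL_ONES) == 0:
                shadowed.append(j)
                break
    return shadowed


# Constructed sample configuration (not from the book's examples beyond ACL 10).
SAMPLE_CONFIG = """\
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 deny host 172.17.0.1
access-list 10 permit any
access-list 20 permit 172.16.0.0 0.0.255.255
access-list 30 permit any
access-list 30 deny host 172.17.0.1
"""

if __name__ == "__main__":
    for number in (10, 20, 30):
        acl = load_acl(SAMPLE_CONFIG, number)
        for src in ("172.16.4.9", "172.17.0.1", "10.0.0.1"):
            print(f"ACL {number}: {src:<12} -> {evaluate(acl, src)}")
        print(f"ACL {number}: shadowed ACEs = {find_shadowed(acl)}")
```

ACL 20 shows the implicit deny in action: 10.0.0.1 matches no ACE and is reported as denied with no ACE index. ACL 30 shows why order matters: permit any at the top matches everything, so the deny for 172.17.0.1 is reported as shadowed and that host is permitted.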
Applying Standard ACLs to an Interface
Router(config)# interface gigabitethernet 0/0
    Moves to interface configuration mode
Router(config-if)# ip access-group 10 out
    Takes all ACEs that are defined as being part of group 10 and applies them in
    an outbound manner. Packets leaving the router through interface
    gigabitethernet 0/0 will be checked