4 Cisco access control list examples

In Four access control list examples, we will configure 4 access controls lists covering both standards and extended access lists that will block different types of traffic

Example 1

access list examples

Standard access list example.

Blocking PC2 from accessing network 192.168.3.0

Only PC2 must be blocked, PC0 should be able to access the network.

To configure the access list, we will use the following commands

Router(config)#access-list 1 deny 192.168.2.5
Router(config)#access-list 1 permit any

Now, the access list will be assigned to FA 1/0 in the inbound direction.

After the configuration, PC2 should be blocked from network 192.168.3.0 however this PC must be able to ping PC0

Download this lab to test the configuration.

Example 2

access list examples

Standard access list for blocking PC2 from establishing the telnet connection with the router

VTY lines are configured on the router and the password is Cisco.

The other two PCs should be able to connect with the router using telnet protocol.

We can use the previously used commands to achieve the expected results. To block the telnet access, we have to create a standard access list with the name and assign the created access list to the VTY lines using the following command.

Router(config-line)#ip access-class ping in

We cannot assign numbered access list on the Telnet line as it only allows a named access list.

Download this lab to test the configuration; PC2 cannot use telnet while other computers are successfully using telnet.

Example 3

Download

Extended access list to block internet access

The extended access list has the capability to allow or deny traffic based on the port number so we will create an access list to block the internet traffic.

Whenever we use the internet, the request is sent to the HTTP server on port 80 so to block the internet access; we have to block traffic destined for port 80 using the access list.

PC3 should be blocked to access the internet or any other web server on the internal network.

Commands to configure the extended access list to block the internet.

Router(config)#no ip access-list extended 100
Router(config-ext-nacl)#deny tcp host 192.168.5.5 any eq www
Router(config-ext-nacl)#permit ip any any

After creating and assigning the access list to the router’s interface, we can test the access list by generating HTTP traffic.

We can use the traffic generation tool available on the PC to generate traffic.

After generating the traffic, we will verify if the access list is working as required.

As seen in the below output the access list has blocked the HTTP traffic from PC3

Extended IP access list 100

10 deny tcp host 192.168.5.5 any eq www (20 match(es))
20 permit ip any any (19 match(es))

Example 4

Named extended access list to block only ICMP traffic.

In a standard access list, if we want to block traffic then complete traffic blocked from one destination to another however extended access list allows us to choose the traffic that we would like to block. E.g. in this lab, PC3 will not be able to ping the server however it will access the web service.

Commands to use

Router(config)#ip access-list extended Block-ICMP
Router(config-ext-nacl)#deny icmp host 192.168.5.5 host 192.168.4.1
Router(config-ext-nacl)#permit ip any any

Once the access list is enabled on the interface, it will block the ICMP packets sent from the PC3 while all other traffic will be allowed.

Extended IP access list Block-ICMP

10 deny icmp host 192.168.5.5 host 192.168.4.1 (8 match(es))
20 permit ip any any (2 match(es))

Download this lab and try pinging the server, you will see the destination host unreachable error however you can use other services provided by the server.

Try using the web service, it will work fine.

Leave a Reply