124 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11 Copyright © 2004, Cisco Systems, Inc.
To test an ACL, the students will need to know which traffic will be permitted, which will be denied, and the path the traffic takes. Have students test for connectivity, apply the ACL, and then check the ACL to see if it works. The show running-config command should be used sparingly. Since lab configurations are relatively simple, the problems can usually be found rapidly with this command. However, students can become too dependent on it. When students troubleshoot the complex configurations of a production environment, this command will not be productive. The show and debug commands are the troubleshooting commands that should be used.
11.2 Access Control Lists (ACLs)
Essential Labs: 11.2.1a, 11.2.1b, 11.2.2a, 11.2.2b, and 11.2.3a
Optional Labs: 11.2.3b, 11.2.3c, and 11.2.6
Core TIs: 11.2.1, 11.2.2, 11.2.3, and 11.2.4
Optional TIs: 11.2.5 and 11.2.6
Course-Level Claim: Students can analyze, configure, implement, verify, and rectify access control lists within a router configuration.
Certification-Level Claim: Students can implement access lists, develop an access list to meet user specifications, troubleshoot an access list, and evaluate rules for packet control.
Hands-on skills: none
11.2.1 Standard ACLs
Standard ACLs check the source address of IP packets that are routed. The comparison will result in either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. The standard version of the access-list global configuration command is used to define an IP standard ACL with a number in the range of 1 to 99. The full syntax of the standard ACL command is as follows:
    Router(config)# access-list access-list-number {deny | permit} source-address [source-wildcard] [log]
The no form of this command is used to remove a standard ACL:
    Router(config)# no access-list access-list-number
A standard ACL only filters on the source address. The source can be a single host or an entire network. This is the major difference between a standard and an extended ACL. Have the students discuss the ACL before they begin the labs. Draw a network, and tell the students to create a standard ACL to block a host or a network. Show students the path the packet will take from the source to the destination. At each router interface, ask the students whether the packet is going in or out of the interface. This information will be used when the ip access-group command is applied. Next, have the students decide on which router to configure the ACL. Remind them that a standard ACL is applied closest to the destination. When the students have chosen the correct router, they must then decide which interface to apply the ACL to and whether it should filter inbound or outbound. Ask the students which interface is closest to the destination, and then ask whether the packet is going in or out of that interface.
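The following Python script is an added illustration of the standard access-list syntax above and of the lab exercise of predicting which source hosts an ACL will block; it is not part of the instructor guide or of Cisco IOS. It assumes the IOS "host" and "any" shorthand forms in addition to the address/wildcard form, and the ACL entries and sample source addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed standard ACL (not from the guide). IOS evaluates entries top to
# bottom; the first match decides, and a packet that matches no entry hits
# the implicit "deny any" that ends every ACL.
ACL_1 = """
access-list 1 deny   host 192.168.10.5
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny   10.0.0.0 0.255.255.255 log
"""

def parse_standard_acl(text):
    """Return [(number, action, source, wildcard)] with addresses as 32-bit ints."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] != "access-list" or len(tokens) < 4 or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {raw!r}")
        number = int(tokens[1])
        if not 1 <= number <= 99:
            raise ValueError(f"standard ACL number {number} is outside 1-99")
        rest = [t for t in tokens[3:] if t != "log"]       # drop the optional [log] keyword
        if rest == ["any"]:                                # any == 0.0.0.0 255.255.255.255
            src, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":                            # host A.B.C.D == A.B.C.D 0.0.0.0
            src, wild = rest[1], "0.0.0.0"
        else:                                              # A.B.C.D [source-wildcard]
            src, wild = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
        entries.append((number, tokens[2],
                        int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(wild))))
    return entries

def evaluate(entries, source_ip):
    """Apply a standard ACL to one packet's source address; returns 'permit' or 'deny'."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for _, action, src, wild in entries:
        care = 0xFFFFFFFF ^ wild        # wildcard bit 1 = ignore, bit 0 = must match
        if ip & care == src & care:
            return action
    return "deny"                       # implicit deny at the end of every ACL

def trace(text, sources):
    """Map each sample source address to the ACL's verdict, as a pre-lab check."""
    entries = parse_standard_acl(text)
    return {s: evaluate(entries, s) for s in sources}

if __name__ == "__main__":
    for src, verdict in trace(ACL_1, ["192.168.10.5", "192.168.10.77", "10.1.2.3", "172.16.0.1"]).items():
        print(f"{src:>15} -> {verdict}")
```

Swapping the first two entries of ACL_1 permits 192.168.10.5, which is the ordering mistake students most often make when a host-specific deny follows a broader permit.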