Access Control List Configuration Example:


Network Topology:

In this post we configure access control lists for five different scenarios, applying the appropriate ACL in each one.



Example 1: Write an ACL that prevents the 10.0 network from accessing the 30.0 network but allows everyone else.


R2(config)#access-list 10 deny 192.168.10.0 0.0.0.255

R2(config)#access-list 10 permit any

R2(config)#interface FastEthernet 0/0

R2(config-if)#ip access-group 10 out

Access list 10 is a standard ACL, so it matches on source address only. The permit any line is required because every ACL ends with an implicit deny; without it all other traffic would be dropped as well.

Example 2: Write an ACL that states that 10.10 cannot access 30.10. Everyone else can.

R1(config)#access-list 110 deny ip host 192.168.10.10 host 192.168.30.10

R1(config)#access-list 110 permit ip any any

R1(config)#interface FastEthernet 0/0

R1(config-if)#ip access-group 110 in

Access list 110 is an extended ACL, which can match on both source and destination, so a single host-to-host pair can be blocked while everything else is permitted.

Example 3: Write an ACL that states that 10.10 can telnet to the R2 router. No one else can.

R2(config)#access-list 20 permit host 192.168.10.10

R2(config)#line vty 0 4

R2(config-line)#access-class 20 in

Because the ACL is applied with access-class on the VTY lines rather than with access-group on an interface, it restricts only management sessions to the router itself; the implicit deny blocks every other source.


Example 4: Write a named ACL that states that 10.10 can telnet to 50.10. No one else from 10.0 can telnet to 50.10. Any other host from any other subnet can connect to 50.10 using anything that is available.


R1(config)#ip access-list extended server_access

R1(config-ext-nacl)#10 permit tcp host 192.168.10.10 host 192.168.50.10 eq telnet

R1(config-ext-nacl)#20 deny tcp 192.168.10.0 0.0.0.255 host 192.168.50.10 eq telnet

R1(config-ext-nacl)#30 permit ip any any

R1(config-ext-nacl)#exit

R1(config)#interface FastEthernet 0/0

R1(config-if)#ip access-group server_access in

ACL names cannot contain spaces. The order matters: the specific permit for 10.10 (sequence 10) must come before the deny for the whole 10.0 subnet (sequence 20), because the first matching entry wins.

Example 5: Write an ACL that states that hosts 10.1 to 10.63 are not allowed web access to 50.10. Hosts 10.64 to 10.254 are. Everyone can do everything else.

R1(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.63 host 192.168.50.10 eq 80

R1(config)#access-list 101 permit ip any any

R1(config)#interface FastEthernet 0/0

R1(config-if)#ip access-group 101 in

The wildcard mask 0.0.0.63 leaves the low six bits of the last octet unchecked, so 192.168.10.0 0.0.0.63 matches 192.168.10.0 through 192.168.10.63 and nothing above it.
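To check the named ACL from Example 4 and access-list 101 from Example 5 before applying them, here is an added example (not part of the original post) that evaluates extended ACL entries with the same rules IOS uses: Cisco wildcard masks, first match wins, and the implicit deny at the end of every list.

```python
# Added example: evaluator for the extended ACL entries shown above.
import ipaddress

PORTS = {"telnet": 23, "www": 80}  # port keywords used in the examples


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> dict:
    """Parse one ACE, e.g. 'deny tcp 192.168.10.0 0.0.0.63 host 192.168.50.10 eq 80'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, swc, t = _parse_addr(t[2:])
    dst, dwc, t = _parse_addr(t)
    port = None
    if t[:1] == ["eq"]:
        port = PORTS[t[1]] if t[1] in PORTS else int(t[1])
    return {"action": action, "proto": proto, "src": src, "swc": swc,
            "dst": dst, "dwc": dwc, "port": port}


def evaluate(acl, proto, src, dst, dport=None) -> str:
    """Action of the first matching ACE; no match means the implicit deny."""
    for ace in acl:
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(src, ace["src"], ace["swc"])
                and wildcard_match(dst, ace["dst"], ace["dwc"])
                and ace["port"] in (None, dport)):
            return ace["action"]
    return "deny"  # implicit deny any any at the end of every ACL


# The named ACL from Example 4 and access-list 101 from Example 5 (constructed here)
SERVER_ACCESS = [parse_ace(l) for l in (
    "permit tcp host 192.168.10.10 host 192.168.50.10 eq telnet",
    "deny tcp 192.168.10.0 0.0.0.255 host 192.168.50.10 eq telnet",
    "permit ip any any")]
ACL_101 = [parse_ace(l) for l in (
    "deny tcp 192.168.10.0 0.0.0.63 host 192.168.50.10 eq 80",
    "permit ip any any")]
```

Calling evaluate(ACL_101, "tcp", "192.168.10.63", "192.168.50.10", 80) returns "deny" while the same request from 192.168.10.64 returns "permit", which confirms the boundary the 0.0.0.63 wildcard draws.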

