Access Control List Part – 2

By | June 14, 2020

In the previous part we discussed the standard ACL, but it has a big limitation: it can only match on the source IP address, which means it works at layer 3 only.
The numbers for a standard ACL are 1 – 99 and 1300 – 1999.

An extended ACL can match on source and destination IP address, sessions, ports, and protocols, so it can work on layers 3, 4, and 5 and express much more detailed rules.
The numbers for an extended ACL are 100 – 199 and 2000 – 2699.
A good piece of advice is to implement any control that fits into a standard ACL as a standard ACL, to reduce complexity and improve performance.



We want to allow access to R4 from R1 using SSH, but not Telnet.


Case – 1

First, let's block the Telnet connection using source and destination IP address, but before that let's make sure we can ping, telnet, and SSH to R4.


We are going to create the ACL on R2 because it sits between R1 and R4, which makes it the best place to apply the filter.


Now we have configured the rule to block the traffic from to . Keep in mind that every ACL ends with an implicit deny, so with only this rule in place we have blocked all traffic from R1 to R4. We therefore need to permit the other traffic, and we also need to permit EIGRP traffic explicitly because our routers use this protocol to exchange routes. Finally, we have to apply the ACL to the interface.


Now it is time to test the ACL. Let's ping, telnet, and SSH again and look at the response.


We have successfully blocked the traffic we wanted to block, and here is the proof.

Case – 2

Allow all traffic from R1 to R4 and block only the Telnet connection, because it is insecure.


There are four port operators: eq, lt, neq, and gt. Let's discuss them first.
eq means equal to: it matches exactly one port. For example, if we want to block port 443 we use this switch.
gt means greater than: we give a port number and every port above it is affected. For instance, if we want to block all ports above 49000 we use this switch.
lt means less than: it works the same way for the ports below the given number.
neq means not equal to: it matches every port except the one given.

In an extended ACE, a port operator placed right after the source address applies to the source port, not the destination port. We do not know which source port the Telnet client on R1 will use, but we do know the destination port that must be denied on R4. So we skip the source port option, enter the destination address, and only then pick the port operator.


After entering the destination IP we can specify the port number, which we did with the eq switch. We then need to apply this ACL to the interface; as soon as we do, the previous ACL is overridden (an interface holds only one ACL per direction) and the new ACL takes effect.


Now it is time to test the ACL, and for this purpose we move to R1.

Note: ICMP does not use any port.


Look at the result: ICMP and SSH are working perfectly, but Telnet is not, and this is all because of the ACL.
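The following is an added example, not configuration or output from the original post: a small Python model of how an extended ACL is evaluated, used here to check both Case 1 (deny all R1 to R4, with explicit permits for EIGRP and everything else) and Case 2 (deny only TCP/23 from R1 to R4) without a lab. The addresses 10.1.1.1 (R1), 10.4.4.4 (R4), the exact ACE order and the ephemeral source ports are assumptions; the post's diagram and CLI output are not reproduced here. The model goes slightly beyond the post by also converting IOS wildcard masks and by evaluating what happens when the permit lines are left out, which shows the implicit deny dropping EIGRP.

```python
# Added example (not from the original post): a toy model of Cisco-style
# extended ACL evaluation. Addresses and ACE order are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lab addresses (assumption: the post does not list them).
R1 = "10.1.1.1"
R4 = "10.4.4.4"
EIGRP_MCAST = "224.0.0.10"   # EIGRP hellos are sent to this multicast group


def wildcard_to_network(addr: str, wildcard: str):
    """Convert IOS 'address wildcard' notation (e.g. 10.1.1.0 0.0.0.255)
    into an ip_network. Wildcard 0.0.0.0 is one host, 255.255.255.255 is any.
    Only contiguous wildcards are supported by this toy converter."""
    mask = int(ip_address("255.255.255.255")) ^ int(ip_address(wildcard))
    return ip_network((addr, str(ip_address(mask))), strict=False)


def port_matches(op: Optional[str], ref: Optional[int], actual: Optional[int]) -> bool:
    """Apply an IOS port operator (eq, gt, lt, neq). No operator means any port."""
    if op is None:
        return True
    if actual is None:   # ICMP carries no port, so a port test never matches it
        return False
    return {"eq": actual == ref, "gt": actual > ref,
            "lt": actual < ref, "neq": actual != ref}[op]


@dataclass
class Ace:
    """One access control entry. proto 'ip' matches every protocol."""
    action: str                     # "permit" or "deny"
    proto: str                      # ip, tcp, udp, icmp, eigrp
    src: str                        # "addr wildcard" in IOS notation
    dst: str
    sport_op: Optional[str] = None  # operator after the source address
    sport: Optional[int] = None
    dport_op: Optional[str] = None  # operator after the destination address
    dport: Optional[int] = None

    def matches(self, proto, src, dst, sport=None, dport=None) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in wildcard_to_network(*self.src.split()):
            return False
        if ip_address(dst) not in wildcard_to_network(*self.dst.split()):
            return False
        return (port_matches(self.sport_op, self.sport, sport)
                and port_matches(self.dport_op, self.dport, dport))


def evaluate(acl, proto, src, dst, sport=None, dport=None) -> str:
    """First matching ACE wins; every ACL ends with an implicit 'deny any'."""
    for ace in acl:
        if ace.matches(proto, src, dst, sport, dport):
            return ace.action
    return "deny"


ANY = "0.0.0.0 255.255.255.255"

# Case 1: block everything from R1 to R4, then permit EIGRP and all other traffic.
CASE1 = [
    Ace("deny", "ip", f"{R1} 0.0.0.0", f"{R4} 0.0.0.0"),
    Ace("permit", "eigrp", ANY, ANY),
    Ace("permit", "ip", ANY, ANY),
]

# Case 2: deny only Telnet (TCP/23) from R1 to R4. The port test sits after the
# destination address because the client's source port is ephemeral.
CASE2 = [
    Ace("deny", "tcp", f"{R1} 0.0.0.0", f"{R4} 0.0.0.0", dport_op="eq", dport=23),
    Ace("permit", "ip", ANY, ANY),
]


def lab_results(acl) -> dict:
    """Outcome of the post's tests (ping, Telnet, SSH) plus an EIGRP hello."""
    return {
        "ping": evaluate(acl, "icmp", R1, R4),
        "telnet": evaluate(acl, "tcp", R1, R4, sport=51234, dport=23),
        "ssh": evaluate(acl, "tcp", R1, R4, sport=51235, dport=22),
        "eigrp": evaluate(acl, "eigrp", R1, EIGRP_MCAST),
    }


if __name__ == "__main__":
    print("case1 ", lab_results(CASE1))
    print("case1 without permits", lab_results(CASE1[:1]))
    print("case2 ", lab_results(CASE2))
```

Running the block prints the three results. Case 1 denies ping, Telnet and SSH but permits EIGRP; the same ACL with only its deny line drops EIGRP too, which is the neighbour-loss the post warns about; Case 2 denies only Telnet.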


