This tutorial explains Standard Access Control List configuration commands (with options, parameters and arguments) in detail with examples. Learn how to build a standard ACL (Numbered and Named) condition or statement and how to calculate the wildcard mask for Standard ACL configuration commands step by step.

1. Acl Time Slots Game
2. Acl Time Slots Online
3. Acl Time Slots Games

SCO link (transmitted in defined time slots). ESCO link (also transmitted in defined time slots). ACL link (transmitted in any other time slot). Data values are transmitted with the least significant bit first. Access Code (72 bits). If an airline loses its slots—on both ends of the route—it will need more time to rebuild its network and schedules. That, in turn, will leave the affected airports in an uncertain position.

Diagnosis: torn meniscus and ACL. Wells examined Justin and ordered an MRI of his knee. The radiological images showed what Dr. Wells had suspected: Justin had torn both his meniscus and anterior cruciate ligament (ACL), two key components that help stabilize the knee and minimize stress on the leg’s articular cartilage. ACL links are disconnected if there is nothing received for the supervision timeout period; the default timeout is 20 seconds, but this may be modified by the master. Synchronous Connection-Oriented (SCO) link. The type of radio link used for voice data. A SCO link is a set of reserved time slots on an existing ACL link. The device supports named, reusable time ranges, which allows you to configure a time range once and specify it by name when you configure many ACL rules. Time range names have a maximum length of 64 alphanumeric characters.

A standard ACL can be created in two ways:

1. Classical approach (numbered)
2. Modern approach (numbered or named)

This tutorial is the second part of our article “Cisco IP ACL Configuration Guide”. You can read other parts of this article here:-

This tutorial is the first part of this article. In this part I provided a brief introduction to Cisco IP ACLs such as what is ACL and how it works including ACLs direction and locations.

This tutorial is the third part of this article. In this part I will provide a step by step configuration guide for Standard Access Control List.

This tutorial is the fourth part of this article. In this part I will explain Extended Access Control List configuration commands and its parameters in detail with examples.

This tutorial is the last part of this article. In this part I will provide a step by step configuration guide for Extended Access Control List.

Classical approach (numbered ACL)

To create a standard numbered ACL following global configuration mode command is used:-

Router(config)#

This command prompt indicates that we are in global configuration mode.

access-list

Acl Time Slots Game

Through this parameter we tell router that we are creating or accessing an access list.

ACL_Identifier_number

With this parameter we specify the type of access list. We have two types of access list; standard and extended. Both lists have their own unique identifier numbers. Standard ACL uses numbers range 1 to 99 and 1300 to 1999. We can pick any number from this range to tell the router that we are working with standard ACL. This number is used in groping the conditions under a single ACL. This number is also a unique identifier for this ACL in router.

permit/deny

As we know an ACL condition has two actions; permit and deny. If we use permit keyword, ACL will allow all packets from the source address specified in next parameter. If we use deny keyword, ACL will drop all packets from the source address specified in next parameter.

matching-parameters

This parameter allows us to specify the contents of packet that we want to match. In a standard ACL condition it could be a single source address or a range of addresses. We have three options to specify the source address.

1. Any
2. host
3. A.B.C.D

Any

Any keyword is used to match all sources. Every packet compared against this condition would be matched.

Host

Host keyword is used to match a specific host. To match a particular host, type the keyword host and then the IP address of host.

A.B.C.D

Through this option we can match a single address or a range of addresses. To match a single address, simply type its address. To match a range of addresses, we need to use wildcard mask.

Wildcard mask

Just like subnet mask, wildcard mask is also used to draw a boundary in IP address. Where subnet mask is used to separate network address from host address, wildcard mask is used to distinguish the matching portion from the rest. Wildcard mask is the invert of Subnet mask. Wildcard can be calculated in decimal or in binary from subnet mask.

Different authors use different approaches while calculating wildcard mask. Among these approaches following method is the simplest one.

Subtract subnet mask from 255.255.255.255.

255.255.255.255 – Subnet mask = Wildcard mask

Once we got the wildcard mask, next logics are relatively simple.

• Decimal 0 :- Router must compare this octet.
• Decimal 255 :- Router ignores this octet.
• Decimal range 1- 254 :- Router matches the listed block size in this octet.

Calculating wildcard mask could be confusing even with the simplest method mentioned above. To understand this concept more clearly lets have some examples:-

What wildcard mask would you use to match following addresses?

• All addresses from all networks
• Single host address 200.100.1.10/24
• All addresses from network 10.0.0.0/8
• All addresses from network 172.168.0.0/16
• All addresses from network 192.168.0.0/24
• All address from network range 192.168.1.5/25
• All address from network range 195.160.1.20/26
• All address from network range 20.30.40.50/15

All addresses from all networks

To match this requirement we need an address that represents all networks. In IPv4 address 0.0.0.0 represents all networks. Now we need a proper wildcard mask that ignores everything from all octets. And we know that decimal value 255 tells ACL to ignore everything from octet and match all addresses. So if we want match all addresses from all network then we should use 0.0.0.0 network address with 255.255.255.255 wildcard mask.

To match all addresses from all networks we will use 0.0.0.0 255.255.255.255.

Single host address 200.100.1.10/8

To match a single host we use exact match wildcard mask. As we know decimal value 0 in wildcard mask octet asks router to match exact octet in IP address. So our answer wildcard mask for this question will be 0.0.0.0.

To match this host we will use 200.100.1.10 0.0.0.0

All addresses from network 10.0.0.0/8

In this requirement we need to match all addresses from given network. To match an address range, we use subtract method. In subtract method we subtract subnet mask from 255.255.255.255 to get required wildcard mask.

First write down the address with subnet mask.

10.0.0.0/8 = 10.0.0.0 255.0.0.0

Now subtract subnet mask from 255.255.255.255

To match all addresses from this network we will use 10.0.0.0 0.255.255.255

All addresses from network 172.168.0.0/16

This requirement also needs to match an addresses range. Use same subtract method to calculate the answer wildcard mask.

Write down the address with subnet mask

172.168.0.0/16 = 170.168.0.0 255.255.0.0

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.255.0.0 = 0.0.255.255

Our answer for this question will be 172.168.0.0 0.0.255.255

All addresses from network 192.168.0.0/24

Again we are matching an addresses range, so our method would be same.

Write down the address with subnet mask.

192.168.0.0/24 = 192.168.0.0 255.255.255.0

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.255.255.0 = 0.0.0.255

Our answer for this question will be 192.168.0.0 0.0.0.255

In remaining questions we will also match an address range, but this time we will match a Subnetted network. Subnetted network is a smaller network created from default network via Subnetting.

To represent all addresses from network we have to use network address. But in questions we are given host addresses instead of network addresses. So we have to go through one more steps in these types of question. We need to find out the network address from given address.

For this tutorial I assume that you know Subnetting and its concepts, especially finding network ID from given host.

I have already explained Subnetting and finding network ID and broadcast ID from given host in detail with examples. You can read that tutorial here
Subnetting Explained with examples

All address from network range 192.168.1.5/25

Write down the address with subnet mask

192.168.1.5/25 = 192.168.1.5 255.255.255.128

Find the network address from given host

192.168.1.0 255.255.255.128

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.255.255.128 = 0.0.0.127

Our answer for this question will be 192.168.1.0 0.0.0.127

All address from network range 195.160.1.20/26

Write down the address with subnet mask

195.160.1.20/26 = 195.160.1.20 255.255.255.192

Find the network address from given host

195.160.1.0 255.255.255.192

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.255.255.192 = 0.0.0.63

Our answer for this question will be 195.160.1.0 0.0.0.63

All address from network range 20.30.40.50/15

Write down the address with subnet mask

20.30.40.50/15 = 20.30.40.50 255.254.0.0

Find the network address from given host

20.30.0.0 255.254.0.0

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.254-0.0 = 0.1.255.255

Our answer for this question will be 20.30.0.0 0.1.255.255

Wildcard mask examples

Okay now we have basic understanding of IP ACL command and its parameters, let’s put all these together and create a real ACL.

Building Standard IP ACL condition with classical approach (Number method)

Suppose we want to allow only one host address 20.0.0.10 255.0.0.0 blocking all others. To meet with this requirement we need to create two ACL conditions.

• 1. Permit 20.0.0.10 255.0.0.0.0
• 2. Block All

Order of conditions plays big role in filtration. If we have created denied condition first then we would have blocked entire traffic from all hosts including 20.0.0.10. For example have look on following conditions.

This ACL will block all traffic from all hosts. Why this happened?

Because conditions are matched in top to down order and once a match is found, no further conditions are matched. First condition in this ACL will match all packets from all hosts including 20.0.0.10. First condition has a block action. In block action packet will be dropped immediately. Thus all packets from all hosts will dropped in first condition. No packets will remain to match the second condition. This way, order of conditions play important role in packet filtration process.

To understand the order of conditions we have created two conditions otherwise we do not need to create a block condition for all traffic as it is already created and placed in the end of all ACLs. It is called Implicit deny statement.

For this requirement we only need to create one condition.

Router(config)#access-list 10 permit 20.0.0.10 0.0.0.0

Or

Router(config)#access-list 10 permit host 20.0.0.10

For single host entry we can use both 0.0.0.0 wildcard mask or host keyword.

Okay now we know how to create a standard ACL with classic approach. In next section we will create same condition with modern approach.

Modern approach (numbered or named)

Or

In modern approach, configuration style is different from classical approach. In modern style we start command with ip access-list instead of access-list. It tells router that we are creating a modern ACL.

In next parameter we have to specify whether we are creating a standard ACL or extended ACL.

In next parameter we need to define a unique identifier for this ACL. We can use either a number or name here. If we are using modern approach, we should use a descriptive name here instead of number.

After assigning the name or number hit the Enter key to enter in access list configuration mode.

From access-list configuration mode we can specify what to allow or what to block.

When finished, use exit command to return in global configuration mode.

Okay now we know the both classical and modern approach to create standard ACL. Before we move forward let’s have quick look on advantages which modern approach provides over classic approach.

• In classic method we are allowed to insert new condition only at end of the ACL. We cannot insert a new condition in the middle of ACL. The only way to insert new line in middle is to delete existing ACL and create new ACL with modification. In modern method we can insert new condition in ACL wherever we want without recreating entire ACL.
• In classic method we are not allowed to remove a condition from ACL. The only way to remove condition is delete entire ACL and recreate it. In modern method we can delete any condition from ACL.
• Modern approach uses sequence numbers for conditions that we create. With these sequence numbers we can modify an existing ACL without recreating it.

No matter which method we use to create a standard ACL, implanting process will be same.

Enabling Standard IP ACL

Following commands are used to activate ACL in interface.

First command is used to enter in interface configuration mode.

Second command is used to enable ACL. It accepts two parameters; first ACL_# and second in out.

ACL_# Through this parameter we specify which ACL we want to associate with this interface. In our case we need to use either 10 (Numbered unique identifier) or Secure_telnet (Named unique identifier).

in out With this parameter we specify the direction of filter. in keyword is used to filter the inbound traffic. out keyword is used to filter the outbound traffic.

Following commands will activate Standard ACL number 10 on Serial 0/0/0 interface in inbound direction.

Acl Time Slots Online

Following commands will activate Standard ACL name Secure_telnet on Serial 0/0/1 interface in outbound direction.

Key points

• We can apply same ACL to multiple interfaces.
• We can enable same ACL twice on same interface in separate direction inbound and outbound.
• We cannot enable same ACL twice on same interface in same direction.
• An empty ACL will permit all traffic.
• Implicit deny condition will works only if ACL has at least one user defined condition.
• We should place only one ACL on same interface, same direction and same type. For example there is no use of placing two standard ACLs on same interface in same direction.

Acl Time Slots Games

That’s all for this part. In next part of this article we will practically implement what we have learned from this part.