Please enable JavaScript.

Coggle requires JavaScript to display documents.

Module 5: ACLs for IPv4 Configuration - Coggle Diagram

- - - - Include remarks to document the ACL.
      - Copy and paste the commands onto the device.
      - Add the IOS configuration commands to accomplish those tasks.
      - Always thoroughly test an ACL to ensure that it correctly applies the desired policy.
      - Use a text editor and write out the specifics of the policy to be implemented.
- - - - In the example, the first ACE should have been to deny the host at 192.168.10.10. However, the ACE was incorrectly entered.
        To correct the error:
        Copy the ACL from the running configuration and paste it into the text editor.
        Make the necessary edits changes.
        Remove the previously configured ACL on the router otherwise, pasting the edited ACL commands will only append (i.e., add) to the existing ACL ACEs on the router.
        Copy and paste the edited ACL back to the router.
  - - - Use the ip access-list standard command to edit an ACL. Statements cannot be overwritten using the same sequence number as an existing statement. Therefore, the current statement must be deleted first with the no 10 command. Then the correct ACE can be added using sequence number 10 is configured. Verify the changes using the show access-lists command, as shown in the example.
  - - - The solution is to add an ACE denying host 192.168.10.5 in between ACE 10 and ACE 20, such as ACE 15, as shown in the example. Also notice that the new ACE was entered without using the host keyword. The keyword is optional when specifying a destination host.
        Use the show access-lists command to verify the ACL now has a new ACE 15 inserted appropriately before the permit statement.
  - - - Note that the implied deny any the last statement does not display any statistics. To track how many implicit denied packets have been matched, you must manually configure the deny any command at the end of the ACL.
        Use the clear access-list counters command to clear the ACL statistics. This command can be used alone or with the number or name of a specific ACL.
- - - - However, TCP traffic generated by an outside host and attempting to communicate with an inside host is denied.
        
        The established keyword can be used to permit only the return HTTP traffic from requested websites, while denying all other traffic.
  - - - Router(config)# ip access-list extended access-list-name
  - - - To correct this error using sequence numbers, the original statement is removed with the no sequence_# command and the corrected statement is added replacing the original statement.