
INT507: NETWORK ADMINISTRATION LABORATORY

Lab 10: Access List

AIM: Access Lists (Applying standard, named and Extended Access lists)

AIM:

Description of various Access Lists and their Implementation


Setting up LAB for applying Access List
--------------------------------------------------------------------------------------------------------------

1. Familiarize yourself with the types of access list:

a. Standard Access List
b. Extended Access List
c. Named Access List

2. Implement a standard access list so that the user PC1 (192.168.5.2) is prevented from
accessing Server0 (192.168.1.1).

3. Implement standard ACLs to deny the access of PC2 to Server A.

4. Implement extended ACLs to achieve the following security policies:

Chandra Prakash, LPU Page 1



i) Deny PC2 access to ServerA's web server.
ii) Deny PC1 access to hosts on RT2 Ethernet.
iii) Allow PC3, an NMS, access to ServerA's SNMP service.
iv) All other combinations are allowed.

Solutions


Solution 2:

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface FastEthernet1/0
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface Serial2/0
Router(config-if)#clock rate 64000
Router(config-if)#ip address 192.168.3.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#network 192.168.2.0
Router(config-router)#network 192.168.3.0
Router(config-router)#network 192.168.1.0
Router(config)#ACCESS ?
<1-99> IP standard access list
<100-199> IP extended access list
Router(config)#ACCESS-list 1 deny host 192.168.5.2
Router(config)#access-list 1 permit any
Router(config)#int fa0/0
Router(config-if)#ip access-group 1 out
Router(config-if)#do write
Building configuration...
[OK]

Solution 3:

Standard ACLs should be placed as near to the destination as possible, because a standard ACL
matches on the source address only, so one placed close to the source often discards packets
that should be allowed to pass.
Example: if an inbound ACL is placed on RT2's Fa1/0, PC2 will never get further than RT2! Hence
the best place to deploy the ACL is on RT3's Fa1/0, as an outbound standard ACL.
Another reason is that security loopholes might exist when a link between routers fails: packets
that take a new path might no longer pass through the ACL-secured interface.
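
The placement rule can be checked with a small model. This is an added example, not part of the original lab sheet: it evaluates Solution 2's ACL 1 the way a standard ACL is evaluated (source address only, first match, implicit deny) and compares applying it outbound toward 192.168.1.0/24 with applying it inbound next to PC1. The /24 prefix follows from the 255.255.255.0 mask in Solution 2; the hosts 192.168.5.3, 192.168.1.50 and 192.168.2.10 and the function names are assumptions made for the illustration.

```python
import ipaddress

# ACL 1 from Solution 2 as (action, source, wildcard mask) entries.
ACL_1 = [
    ("deny", "192.168.5.2", "0.0.0.0"),        # access-list 1 deny host 192.168.5.2
    ("permit", "0.0.0.0", "255.255.255.255"),  # access-list 1 permit any
]

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(acl, src):
    """Standard ACL: compare the source only, stop at the first match."""
    for action, base, wildcard in acl:
        care = ~_ip(wildcard) & 0xFFFFFFFF      # wildcard 0-bits must match
        if (_ip(src) & care) == (_ip(base) & care):
            return action == "permit"
    return False                                # implicit "deny any" at the end

def delivered(src, dst, acl, out_toward=None):
    """Model one ACL-filtered interface (hypothetical helper).

    out_toward=None  : ACL inbound next to the source, so every packet from
                       that LAN is checked whatever its destination.
    out_toward="net" : ACL outbound on the interface facing that network, so
                       only packets leaving toward it are checked.
    """
    if out_toward is not None:
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(out_toward):
            return True                         # never crosses the filtered interface
    return acl_permits(acl, src)

if __name__ == "__main__":
    server_lan = "192.168.1.0/24"               # Fa0/0 network in Solution 2
    flows = [                                   # constructed sample flows
        ("192.168.5.2", "192.168.1.1"),         # PC1 -> Server0 (must be blocked)
        ("192.168.5.2", "192.168.1.50"),        # PC1 -> assumed other host on server LAN
        ("192.168.5.2", "192.168.2.10"),        # PC1 -> assumed host on 192.168.2.0
        ("192.168.5.3", "192.168.1.1"),         # assumed other PC -> Server0
    ]
    for src, dst in flows:
        near_dst = delivered(src, dst, ACL_1, out_toward=server_lan)
        near_src = delivered(src, dst, ACL_1)
        print(f"{src:>12} -> {dst:<13} near-destination={near_dst} near-source={near_src}")
```

Even in the near-destination position PC1 loses the whole 192.168.1.0/24 LAN, not only Server0; narrowing the block to one host or one service needs an extended ACL, as in task 4.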

Standard IP Access Lists configuration on RT3:
