ACL Part 2

Naveen Patel
Rules of Access List All deny statements have to be given First There should be at least one Permit statement An implicit deny blocks all traffic by default when there is no match (an invisible statement). Can have one access-list per interface per direction. (i.e.) Two access-list per interface, one in inbound direction and one in outbound direction. Works in Sequential order Editing of access-lists is not possible (i.e) Selectively adding or removing access-list statements is not possible.
Naveen Patel
Standard ACL - Network Diagram
Creation and
Implementation is done Closest
10.0.0.1/8 S0
11.0.0.1/8 S0
to the
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE
Destination.
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2
1.3
1.4
2.2
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel
192.168.1.2 & 192.168.1.3 should not communicate with 192.168.2.0 network
How Standard ACL Works ?
10.0.0.1/8 S0
11.0.0.1/8 S0
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE CHE
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2
1.3
1.4
2.2
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel 192.168.1.2 is accessing 192.168.2.2
1.2
Source IP 192.168.1.2 Destination IP 192.168.2.2
2.2
access-list 1 deny 192.168.1.2 0.0.0.0

access-list 1 deny 192.168.1.3 0.0.0.0 access-list 1 permit any
Naveen Patel
1.2
2.2
access-list 1 deny 192.168.1.2 0.0.0.0

Naveen Patel
10.0.0.1/8 S0
11.0.0.1/8 S0
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2
1.3
1.4 1.4
2.2
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel
192.168.1.4 is accessing 192.168.2.2
1.4
2.2
access-list 1 deny 192.168.1.2 0.0.0.0

Naveen Patel
1.4
2.2
access-list 1 deny 192.168.1.2 0.0.0.0

Naveen Patel
1.4
2.2
access-list 1 deny 192.168.1.2 0.0.0.0

Naveen Patel
1.4
2.2
access-list 1 deny 192.168.1.1 0.0.0.0

Naveen Patel
Standard ACL - Network Diagram
Creation and
Implementation is done Closest
10.0.0.1/8 S0
11.0.0.1/8 S0
to the
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE
Destination.
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2
1.3
1.4
2.2
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel
192.168.1.2 & 192.168.3.0 should not communicate with 192.168.2.0 network
10.0.0.1/8 S0
11.0.0.1/8 S0
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2 1.1
1.3
1.4
2.2
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel
192.168.1.2 is accessing 192.168.2.2
1.2
2.2
access-list 5 deny 192.168.1.2 0.0.0.0

Naveen Patel
1.2
2.2
access-list 5 deny 192.168.1.2 0.0.0.0

Naveen Patel
10.0.0.1/8 S0
11.0.0.1/8 S0
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2
1.3
1.4 1.3
2.2
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel
192.168.1.3 is accessing 192.168.2.2
1.3
2.2
access-list 5 deny 192.168.1.2 0.0.0.0

access-list 5 permit any
access-list 5 deny 192.168.3.0 0.0.0.255
Naveen Patel
1.3
2.2
access-list 5 deny 192.168.1.2 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255 x access-list 5 permit any
Naveen Patel
1.3
2.2
access-list 5 deny 192.168.1.2 0.0.0.0

Naveen Patel
1.3
2.1
access-list 5 deny 192.168.1.2 0.0.0.0

Naveen Patel
10.0.0.1/8 S0
11.0.0.1/8 S0
HYD
E0 192.168.1.150/24
S1 10.0.0.2/8
CHE
E0 192.168.2.150/24
S1 11.0.0.2/8
BAN
E0 192.168.3.150/2
1.2
1.3
1.4
2.2
2.3
2.4
3.2 3.1
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel
192.168.3.2 is accessing 192.168.2.2
3.1
2.1
access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 permit any
access-list 5 deny 192.168.3.0 0.0.0.255
Naveen Patel
3.1
2.1
access-list 5 deny 192.168.1.1 0.0.0.0

Naveen Patel
3.1
2.1
access-list 5 deny 192.168.1.1 0.0.0.0

Naveen Patel
Extended ACL - Network Diagram

Creation and Implementation
10.0.0.1/8 S0 11.0.0.1/8 S0
is done Closest to the Source.
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2
1.3
1.4
2.2
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel
192.168.2.0 should not access with 192.168.3.2 (Web Service)
How Extended ACL Works ?
10.0.0.1/8 S0
11.0.0.1/8 S0
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2
1.3
1.4
2.2 2.1
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel
192.168.2.2 is accessing 192.168.3.2 - Web Service
2.2
Source IP 192.168.2.2 Destination IP 192.168.3.2 Port - 80
3.2
access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80

access-list 101 permit ip any any
Naveen Patel
2.2
3.2

Naveen Patel
10.0.0.1/8 S0
11.0.0.1/8 S0
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2
1.3
1.4
2.2 2.1
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
192.168.2.2 is accessing 192.168.3.2 Telnet Service Naveen Patel
2.2
3.2

Naveen Patel
2.2
3.2

Naveen Patel
2.2
3.2

Naveen Patel
10.0.0.1/8 S0
11.0.0.1/8 S0
HYD
E0 192.168.1.1/24
S1 10.0.0.2/8
CHE
E0 192.168.2.1/24
S1 11.0.0.2/8
BAN
E0 192.168.3.1/24
1.2
1.3
1.4
2.2 2.1
2.3
2.4
3.2
3.3
3.4
LAN - 192.168.1.0/24
LAN - 192.168.2.0/24
LAN - 192.168.3.0/24
Naveen Patel
192.168.2.2 is accessing 192.168.1.2 - Web Service
2.2
Source IP 192.168.2.2 Destination IP 192.168.1.2 192.168.1.2 Port - 80
1.2

Naveen Patel
2.2
1.2

Naveen Patel
2.2
Source IP 192.168.2.1 192.168.2.2 Destination IP 192.168.1.2 Port - 80
1.2

Naveen Patel
Named Access List
Access-lists are identified using Names rather than Numbers. Names are Case-Sensitive No limitation of Numbers here. One Main Advantage is Editing of ACL is Possible (i.e) Removing a specific statement from the ACL is possible. (IOS version 11.2 or later allows Named ACL)
Naveen Patel
Standard Named Access List
Creation of Standard Named Access List Router(config)# ip access-list standard <name> Router(config-std-nacl)# <permit/deny> <source address>
<source wildcard mask>
Implementation of Standard Named Access List
Router(config)#interface <interface type><interface no>

Router(config-if)#ip access-group <name> <out/in>
Naveen Patel
Extended Named Access List
Creation of Extended Named Access List

Router(config)# ip access-list extended <name> Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> < destination wildcard mask> <operator> <service> Implementation of Extended Named Access List Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <name> <out/in>
Naveen Patel
Naveen Patel
Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\> telnet 192.168.1.1 Connecting ..... ================================ Welcome to Hyderabad Router ================================ User Access Verification password : **** Hyderabad> enable password : **** Hyderabad# show ip route Gateway of last resort is not set C 10.0.0.0/8 is directly connected, Serial0 R 11.0.0.0/8 [120/1] via 10.0.0.2, 00:00:25, Serial0 C 192.168.1.0/24 is directly connected, Ethernet0 R 192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:25, Serial0 R 192.168.3.0/24 [120/2] via 10.0.0.2, 00:00:25, Serial0 Hyderabad# Naveen Patel
Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\> telnet 192.168.2.1 Connecting ..... ================================ Welcome to Chennai Router ================================ User Access Verification password : **** Chennai> enable password : **** Chennai# show ip route Gateway of last resort is not set C 10.0.0.0/8 is directly connected, Serial1 C 11.0.0.0/8 is directly connected, Serial0 R 192.168.1.0/24 [120/1] via 10.0.0.1, 00:00:01, Serial1 C 192.168.2.0/24 is directly connected, Ethernet0 R 192.168.3.0/24 [120/1] via 11.0.0.2, 00:00:12, Serial0 Chennai# Naveen Patel
Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\> telnet 192.168.3.1 Connecting ..... ================================ Welcome to Banglore Router ================================ User Access Verification password : **** Banglore> enable password : **** Banglore# show ip route Gateway of last resort is not set R 10.0.0.0/8 [120/1] via 11.0.0.1, 00:00:04, Serial1 C 11.0.0.0/8 is directly connected, Serial1 R 192.168.1.0/24 [120/2] via 11.0.0.1, 00:00:04, Serial1 R 192.168.2.0/24 [120/1] via 11.0.0.1, 00:00:04, Serial1 C 192.168.3.0/24 is directly connected, Ethernet0 Banglore# Naveen Patel
Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\> telnet 192.168.2.1 Connecting ..... ================================ Welcome to Chennai Router ================================ User Access Verification password : **** Chennai> enable password : **** Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# interface serial 1 Chennai(config-if)# ip address 10.0.0.2 255.0.0.0 Chennai(config-if)# no shut Chennai(config-if)# encapsulation hdlc Chennai(config-if)# interface serial 0 Chennai(config-if)# ip address 11.0.0.1 255.0.0.0 Chennai(config-if)# no shut Chennai(config-if)# encapsulation hdlc Naveen Patel
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0 Chennai(config)# access-list 1 deny 192.168.1.3 0.0.0.0 Chennai(config)# access-list 1 permit any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 1 out Chennai(config-if)# Implementation of Standard Access List Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <number> <out/in>
Creation of Standard Access List Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>
Naveen Patel
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0 Chennai(config)# access-list 1 deny 192.168.1.3 0.0.0.0 Chennai(config)# access-list 1 permit any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 1 out Chennai(config-if)# ^Z Chennai# show ip access-list Standard IP access list 1 deny 192.168.1.2 deny 192.168.1.3 permit any Chennai#
Naveen Patel
Chennai# show ip int e0

Ethernet0 is up, line protocol is up Internet address is 192.168.2.1/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is 1 Inbound access list is not set Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled
Chennai# Naveen Patel
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 5 deny 192.168.1.2 0.0.0.0 Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255 Chennai(config)# access-list 5 permit any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 5 out Chennai(config-if)# ^Z Chennai# show ip access-list Standard deny deny permit Chennai# IP access list 5 192.168.1.2 192.168.3.0 any
Naveen Patel

Ethernet0 is up, line protocol is up Internet address is 192.168.2.1/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is 5 Inbound access list is not set Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 5 deny 192.168.1.2 0.0.0.0 Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255 Chennai(config)# access-list 5 permit any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 5 out Chennai(config-if)# Creation of Standard Access List Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>
Implementation of Standard Access List Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <number> <out/in> Naveen Patel
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80 Chennai(config)# access-list 101 permit ip any any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 101 in Chennai(config-if)# Creation of Extended Access List Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> < destination wildcard mask> <operator> <service> Implementation of Extended Access List Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <number> <out/in>
Naveen Patel
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80 Chennai(config)# access-list 101 permit ip any any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 101 in Chennai(config-if)# ^Z Chennai# show ip access-list Extended IP access list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq www permit ip any any Chennai#
Naveen Patel

Ethernet0 is up, line protocol is up Internet address is 192.168.2.1/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is not set Inbound access list is 101 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled

ACL Part 2

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

ACL Part 2

Hochgeladen von

Copyright:

Verfügbare Formate

Naveen Patel

Standard ACL - Network Diagram

192.168.1.2 & 192.168.1.3 should not communicate with 192.168.2.0 network

How Standard ACL Works ?

Naveen Patel 192.168.1.2 is accessing 192.168.2.2

How Standard ACL Works ?

Source IP 192.168.1.2 Destination IP 192.168.2.2

access-list 1 deny 192.168.1.2 0.0.0.0

How Standard ACL Works ?

Source IP 192.168.1.2 Destination IP 192.168.2.2

access-list 1 deny 192.168.1.2 0.0.0.0

How Standard ACL Works ?

192.168.1.4 is accessing 192.168.2.2

How Standard ACL Works ?

Source IP 192.168.1.4 Destination IP 192.168.2.2

access-list 1 deny 192.168.1.2 0.0.0.0

How Standard ACL Works ?

Source IP 192.168.1.4 Destination IP 192.168.2.2

access-list 1 deny 192.168.1.2 0.0.0.0

How Standard ACL Works ?

Source IP 192.168.1.4 Destination IP 192.168.2.2

access-list 1 deny 192.168.1.2 0.0.0.0

Source IP 192.168.1.4 Destination IP 192.168.2.2

access-list 1 deny 192.168.1.1 0.0.0.0

Standard ACL - Network Diagram

192.168.1.2 & 192.168.3.0 should not communicate with 192.168.2.0 network

How Standard ACL Works ?

192.168.1.2 is accessing 192.168.2.2

How Standard ACL Works ?

Source IP 192.168.1.2 Destination IP 192.168.2.2

access-list 5 deny 192.168.1.2 0.0.0.0

How Standard ACL Works ?

Source IP 192.168.1.2 Destination IP 192.168.2.2

access-list 5 deny 192.168.1.2 0.0.0.0

How Standard ACL Works ?

192.168.1.3 is accessing 192.168.2.2

How Standard ACL Works ?

Source IP 192.168.1.3 Destination IP 192.168.2.2

access-list 5 deny 192.168.1.2 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255

How Standard ACL Works ?

Source IP 192.168.1.3 Destination IP 192.168.2.2

access-list 5 deny 192.168.1.2 0.0.0.0

How Standard ACL Works ?

Source IP 192.168.1.3 Destination IP 192.168.2.2

access-list 5 deny 192.168.1.2 0.0.0.0

Source IP 192.168.1.3 Destination IP 192.168.2.2

access-list 5 deny 192.168.1.2 0.0.0.0

How Standard ACL Works ?

192.168.3.2 is accessing 192.168.2.2

How Standard ACL Works ?

Source IP 192.168.3.1 Destination IP 192.168.2.1

access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255

How Standard ACL Works ?

Source IP 192.168.3.1 Destination IP 192.168.2.1

access-list 5 deny 192.168.1.1 0.0.0.0

How Standard ACL Works ?

Source IP 192.168.3.1 Destination IP 192.168.2.1

access-list 5 deny 192.168.1.1 0.0.0.0

Extended ACL - Network Diagram

is done Closest to the Source.

192.168.2.0 should not access with 192.168.3.2 (Web Service)