Rules of Access List
- All deny statements have to be given first.
- There should be at least one permit statement.
- An implicit deny blocks all traffic by default when there is no match (an invisible statement at the end of the list).
- Only one access-list per interface per direction is allowed, i.e. two access-lists per interface: one in the inbound direction and one in the outbound direction.
- The list is processed in sequential order; the first matching statement decides.
- Editing of numbered access-lists is not possible, i.e. selectively adding or removing individual access-list statements is not possible.
Naveen Patel
[Diagram: three routers in a chain. HYD: E0 192.168.1.1/24 (LAN 192.168.1.0/24), S0 10.0.0.1/8. CHE: S1 10.0.0.2/8, E0 192.168.2.1/24 (LAN 192.168.2.0/24), S0 11.0.0.1/8. BAN: S1 11.0.0.2/8, E0 192.168.3.1/24 (LAN 192.168.3.0/24). Each LAN holds hosts .2, .3 and .4. Caption: Creation and implementation (of a standard access list) is done closest to the destination.]
[The same topology diagram is repeated on the following slides, each frame marking one sample traffic flow between hosts (e.g. 1.2 to 2.2, 1.4 to 2.2, 1.3 to 2.1, 3.1 to 2.1, 2.2 to 3.2, 2.2 to 1.2); figures omitted.]
Named Access List
- Access-lists are identified using names rather than numbers.
- Names are case-sensitive.
- There is no limitation on the number of lists here.
- One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible.
- IOS version 11.2 or later allows named ACLs.
Creation of Standard Named Access List
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address>
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\> telnet 192.168.1.1
Connecting .....
================================
Welcome to Hyderabad Router
================================
User Access Verification
password : ****
Hyderabad> enable
password : ****
Hyderabad# show ip route
Gateway of last resort is not set
C 10.0.0.0/8 is directly connected, Serial0
R 11.0.0.0/8 [120/1] via 10.0.0.2, 00:00:25, Serial0
C 192.168.1.0/24 is directly connected, Ethernet0
R 192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:25, Serial0
R 192.168.3.0/24 [120/2] via 10.0.0.2, 00:00:25, Serial0
Hyderabad#

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\> telnet 192.168.2.1
Connecting .....
================================
Welcome to Chennai Router
================================
User Access Verification
password : ****
Chennai> enable
password : ****
Chennai# show ip route
Gateway of last resort is not set
C 10.0.0.0/8 is directly connected, Serial1
C 11.0.0.0/8 is directly connected, Serial0
R 192.168.1.0/24 [120/1] via 10.0.0.1, 00:00:01, Serial1
C 192.168.2.0/24 is directly connected, Ethernet0
R 192.168.3.0/24 [120/1] via 11.0.0.2, 00:00:12, Serial0
Chennai#

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\> telnet 192.168.3.1
Connecting .....
================================
Welcome to Banglore Router
================================
User Access Verification
password : ****
Banglore> enable
password : ****
Banglore# show ip route
Gateway of last resort is not set
R 10.0.0.0/8 [120/1] via 11.0.0.1, 00:00:04, Serial1
C 11.0.0.0/8 is directly connected, Serial1
R 192.168.1.0/24 [120/2] via 11.0.0.1, 00:00:04, Serial1
R 192.168.2.0/24 [120/1] via 11.0.0.1, 00:00:04, Serial1
C 192.168.3.0/24 is directly connected, Ethernet0
Banglore#

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\> telnet 192.168.2.1
Connecting .....
================================
Welcome to Chennai Router
================================
User Access Verification
password : ****
Chennai> enable
password : ****
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# interface serial 1
Chennai(config-if)# ip address 10.0.0.2 255.0.0.0
Chennai(config-if)# no shut
Chennai(config-if)# encapsulation hdlc
Chennai(config-if)# interface serial 0
Chennai(config-if)# ip address 11.0.0.1 255.0.0.0
Chennai(config-if)# no shut
Chennai(config-if)# encapsulation hdlc
Creation of Standard Access List
Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>

Implementation of Standard Access List
Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <number> <out/in>

Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0
Chennai(config)# access-list 1 deny 192.168.1.3 0.0.0.0
Chennai(config)# access-list 1 permit any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 1 out
Chennai(config-if)#
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0
Chennai(config)# access-list 1 deny 192.168.1.3 0.0.0.0
Chennai(config)# access-list 1 permit any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 1 out
Chennai(config-if)# ^Z
Chennai# show ip access-list
Standard IP access list 1
    deny 192.168.1.2
    deny 192.168.1.3
    permit any
Chennai#
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 5 deny 192.168.1.2 0.0.0.0
Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255
Chennai(config)# access-list 5 permit any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 5 out
Chennai(config-if)# ^Z
Chennai# show ip access-list
Standard IP access list 5
    deny 192.168.1.2
    deny 192.168.3.0
    permit any
Chennai#
Creation of Extended Access List
Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>

Implementation of Extended Access List
Router(config)# interface <interface type> <interface no>
Router(config-if)# ip access-group <number> <out/in>

Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80
Chennai(config)# access-list 101 permit ip any any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 101 in
Chennai(config-if)#
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80
Chennai(config)# access-list 101 permit ip any any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 101 in
Chennai(config-if)# ^Z
Chennai# show ip access-list
Extended IP access list 101
    deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq www
    permit ip any any
Chennai#
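As an added illustration (not code from the slides or from IOS), the following Python model walks access-list entries the way the "Rules of Access List" describe: sequential order, first match wins, wildcard masks where a set bit means "do not care", and the invisible implicit deny when nothing matches. It parses the Chennai access-lists 5 and 101 shown above; the function names are hypothetical.

```python
import ipaddress

# Hypothetical evaluator (added example, not the slides' own code) for numbered IOS-style ACLs.
def _match_addr(ip, addr, wildcard):
    """Cisco wildcard match: a bit set in the wildcard means 'do not care'."""
    ip_i, a_i, w_i = (int(ipaddress.IPv4Address(x)) for x in (ip, addr, wildcard))
    care = ~w_i & 0xFFFFFFFF
    return ip_i & care == a_i & care

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(lines):
    """Parse 'access-list <no> permit|deny ...' lines, preserving their order."""
    entries = []
    for line in lines:
        t = line.split()
        action, rest = t[2], t[3:]
        if int(t[1]) <= 99:          # numbers 1-99: standard ACL, matches on source only
            src, swc, rest = _parse_addr(rest)
            entries.append((action, "ip", src, swc, "0.0.0.0", "255.255.255.255", None))
        else:                        # 100-199: extended ACL with protocol, src, dst, optional 'eq <port>'
            proto, rest = rest[0], rest[1:]
            src, swc, rest = _parse_addr(rest)
            dst, dwc, rest = _parse_addr(rest)
            port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            entries.append((action, proto, src, swc, dst, dwc, port))
    return entries

def evaluate(entries, src, dst, proto="ip", dport=None):
    """Return 'permit' or 'deny' for one packet: sequential scan, first match wins."""
    for action, p, a, awc, d, dwc, port in entries:
        if p != "ip" and p != proto:
            continue
        if not (_match_addr(src, a, awc) and _match_addr(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"                    # the invisible implicit deny at the end of every list

# Constructed input: the Chennai access-lists from the slides
ACL_5 = parse_acl(["access-list 5 deny 192.168.1.2 0.0.0.0",
                   "access-list 5 deny 192.168.3.0 0.0.0.255",
                   "access-list 5 permit any"])
ACL_101 = parse_acl(["access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80",
                     "access-list 101 permit ip any any"])
```

Swapping the two entries of ACL 5 so that `permit any` comes first lets 192.168.1.2 through, which is why the slides put the deny statements first; a list with no permit at all denies everything.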