Standard ACLs permit or deny traffic based only on the source IP address; the packet's destination and the ports involved are not examined.
Extended ACLs filter IP packets on several attributes: protocol type, source and destination IP address, source and destination TCP or UDP port, and optional protocol-specific information for finer-grained control.
Standard ACL:
```
access-list 10 permit 192.168.30.0 0.0.0.255
```
Extended ACL:
```
access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80
```
The number you assign determines the ACL type, and therefore which packet attributes it can filter on:
(1 to 99) and (1300 to 1999): Standard IP ACL
(100 to 199) and (2000 to 2699): Extended IP ACL
Named extended ACL:
```
ip access-list extended TELNETTING
 remark Do not allow Gates workstation to Telnet
 deny tcp host 192.168.10.13 any eq telnet
```
Every ACL ends with an implicit deny, so as written this list blocks all other traffic as well until permit entries are added.
Editing named ACLs:
```
ip access-list standard WEBSERVER
 15 permit host 192.168.11.10
end
show access-lists
```
The sequence number (15) controls where the new entry sits in the list.
Debug:
```
show access-lists
```
```
R1(config)#access-list 10 deny 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit any
R1(config)#interface fa0/1
R1(config-if)#ip access-group 10 out
```
```
R3(config)# ip access-list standard NO_ACCESS
R3(config-std-nacl)# deny host 192.168.30.128
R3(config-std-nacl)# permit any
R3(config-std-nacl)# exit
R3(config)# interface fa0/0
R3(config-if)# ip access-group NO_ACCESS
```
More extended examples:
```
access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 111 permit ip any any
```
```
R3(config)#access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
! The second statement allows the lower half of the 192.168.30.0/24 network access to any other destinations.
R3(config)#access-list 130 permit ip 192.168.30.0 0.0.0.127 any
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255
R3(config)#access-list 130 permit tcp 192.168.30.128 0.0.0.127 any eq www
R3(config)#access-list 130 permit icmp 192.168.30.128 0.0.0.127 any
R3(config)#access-list 130 deny ip any any
```
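To check what a list like ACL 130 actually does before applying it, the following added example (not from the original notes, and not Cisco tooling) parses numbered standard and extended access-list lines, applies wildcard-mask matching and first-match semantics, and falls back to the implicit deny. It only understands the keywords used in these notes (`any`, `host`, `eq` with `www`/`telnet`/`tftp` or a numeric port); the port map and the "any" tuple are my own conventions.

```python
import ipaddress
PORTS = {"www": 80, "telnet": 23, "tftp": 69}   # port keywords used in the notes
ANY = ("0.0.0.0", "255.255.255.255")            # (network, wildcard) meaning "any"

def wildcard_match(addr, network, wildcard):
    # Wildcard bits set to 1 are "don't care"; only the 0 bits must be equal
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _addr(tok):  # consume 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]'
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tok.pop(0), "0.0.0.0")
    return (t, tok.pop(0) if tok and tok[0][0].isdigit() else "0.0.0.0")

def _port(tok):  # consume an optional 'eq <port>' qualifier
    if tok[:1] != ["eq"]:
        return None
    p = tok[1]
    del tok[:2]
    return PORTS.get(p) or int(p)

def parse_acl_line(line):  # -> (action, proto, src, sport, dst, dport)
    _, num, action, *tok = line.split()
    if 1 <= int(num) <= 99 or 1300 <= int(num) <= 1999:   # standard: source only
        return (action, "ip", _addr(tok), None, ANY, None)
    proto = tok.pop(0)                                   # extended ACL
    src, sport = _addr(tok), _port(tok)
    dst, dport = _addr(tok), _port(tok)
    return (action, proto, src, sport, dst, dport)

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and wildcard_match(src, *rsrc)
                and wildcard_match(dst, *rdst) and rsport in (None, sport)
                and rdport in (None, dport)):
            return action  # first matching entry wins
    return "deny"  # the implicit deny any that ends every ACL

ACL_130 = [parse_acl_line(l) for l in """
access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 130 permit ip 192.168.30.0 0.0.0.127 any
access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255
access-list 130 permit tcp 192.168.30.128 0.0.0.127 any eq www
access-list 130 permit icmp 192.168.30.128 0.0.0.127 any
access-list 130 deny ip any any
""".strip().splitlines()]  # ACL 130 from the notes, R3(config)# prompts removed
```

Running `evaluate(ACL_130, "tcp", "192.168.30.200", "203.0.113.9", dport=443)` shows the upper half of the subnet reaching a non-web port is dropped by the final entry, while the same host on port 80 is permitted.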