CCNA Exploration 4 – Module 5

September 26, 2010 by Igor Drobot Leave a Comment

Standard ACLs permit or deny traffic based on the source IP address only. The destination of the packet and the ports involved are not examined.

Extended ACLs filter IP packets on several attributes: protocol type, source IP address, destination IP address, source TCP or UDP port, destination TCP or UDP port, and optional protocol-specific information for finer-grained control.

In both cases the entries are evaluated top down and the first match wins. Every ACL ends with an implicit deny any, so an ACL that contains only deny statements blocks all traffic once it is applied.

Standard ACL:

access-list 10 permit 192.168.30.0 0.0.0.255

0.0.0.255 is a wildcard mask, the inverse of the subnet mask: 0 bits must match, 1 bits are ignored. It matches the whole 192.168.30.0/24 network.

Extended ACL:

access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80

The port qualifier applies to the address it follows: eq 80 after the destination (any) matches TCP traffic to port 80, not from it.

The number you assign determines the ACL type:
(1 to 99) and (1300 to 1999): Standard IP ACL
(100 to 199) and (2000 to 2699): Extended IP ACL

Named extended ACL:

ip access-list extended TELNETTING
remark Do not allow Gates workstation to Telnet
deny tcp host 192.168.10.13 any eq telnet

Note that this list, like every ACL, ends with an implicit deny any. Applied as shown it blocks all traffic, not just Telnet from 192.168.10.13; add a permit ip any any after the deny if everything else should be allowed.

Editing named ACLs:

ip access-list standard WEBSERVER
15 permit host 192.168.11.10
end
show access-lists

The sequence number 15 inserts the new entry between the existing entries 10 and 20 without removing and re-creating the list. show access-lists displays the sequence numbers and the per-entry match counters.

Debug:

show access-lists

Standard ACL applied outbound on R1, blocking 192.168.10.0/24 from leaving through fa0/1:

R1(config)#access-list 10 deny 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit any
R1(config)#interface fa0/1
R1(config-if)#ip access-group 10 out

Named standard ACL on R3, blocking a single host:

R3(config)# ip access-list standard NO_ACCESS
R3(config-std-nacl)# deny host 192.168.30.128
R3(config-std-nacl)# permit any
R3(config-std-nacl)# exit
R3(config)# interface fa0/0
R3(config-if)# ip access-group NO_ACCESS out

Give the direction (in or out) explicitly when applying the list; if it is omitted, IOS applies the ACL outbound by default, which is easy to miss when reading the configuration later.

More extended:

access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 111 permit ip any any

Order matters: the specific permits for HTTP and TFTP to 192.168.20.254 come before the deny for the whole 192.168.20.0/24 network. If the deny were entered first it would match those packets as well and the permits below it would never be reached.

ACL 130 combines these patterns. The first statement denies the whole 192.168.30.0/24 network access to 192.168.20.0/24. The second statement allows the lower half of 192.168.30.0/24 (192.168.30.0 to 192.168.30.127) access to any other destination. The upper half (192.168.30.128 to 192.168.30.255) may reach only 192.168.10.0/24 and 192.168.11.0/24, web servers anywhere on TCP port 80, and any host over ICMP. The final deny ip any any duplicates the implicit deny, but an explicit entry shows the denied packets in the show access-lists match counters.

R3(config)#access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.0 0.0.0.127 any
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255
R3(config)#access-list 130 permit tcp 192.168.30.128 0.0.0.127 any eq www
R3(config)#access-list 130 permit icmp 192.168.30.128 0.0.0.127 any
R3(config)#access-list 130 deny ip any any

As written, ACL 130 has not yet been applied with ip access-group to an interface, so it filters nothing until that is done.
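To make the matching rules above concrete (wildcard masks, standard versus extended numbering, top-down first-match evaluation and the implicit deny), here is an added evaluator that walks a numbered IP ACL the way IOS does. It is example code written for this page, not IOS or curriculum code; it covers only the syntax used on this page (any, host, address plus wildcard, and eq port qualifiers) and takes ACL 130 from the text as its sample list. The packets at the end are constructed test traffic.

```python
"""Evaluate Cisco-style numbered IP ACLs: top down, first match wins,
implicit deny at the end. Added illustration, not IOS code."""
import ipaddress

ANY = (0, 0xFFFFFFFF)                     # 'any' == 0.0.0.0 255.255.255.255
PORT_NAMES = {"www": 80, "telnet": 23, "tftp": 69, "ftp": 21, "ssh": 22}

def is_standard(number):
    return 1 <= number <= 99 or 1300 <= number <= 1999

def is_extended(number):
    return 100 <= number <= 199 or 2000 <= number <= 2699

def cidr_to_wildcard(prefixlen):
    """/25 -> '0.0.0.127': the wildcard mask is the inverse of the subnet mask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").hostmask)

def wildcard_match(addr, spec):
    """A 1 bit in the wildcard means 'don't care'; a 0 bit must match."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None

def parse_ace(line):
    """Parse one 'access-list <n> permit|deny ...' line into a dict."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens.pop(0)
    number = int(tokens.pop(0))
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action {action!r}")
    if is_standard(number):               # source address only
        return {"acl": number, "action": action, "proto": "ip",
                "src": _parse_addr(tokens), "sport": None, "dst": ANY, "dport": None}
    if is_extended(number):               # protocol, source, destination, ports
        proto = tokens.pop(0)
        src, sport = _parse_addr(tokens), _parse_port(tokens)
        dst, dport = _parse_addr(tokens), _parse_port(tokens)
        return {"acl": number, "action": action, "proto": proto,
                "src": src, "sport": sport, "dst": dst, "dport": dport}
    raise ValueError(f"ACL number {number} is not a standard or extended IP ACL")

def parse_acl(text):
    """Parse IOS lines, ignoring 'R3(config)#' prompts, blank lines and #/! comments."""
    acl = []
    for raw in text.splitlines():
        line = raw.split(")#", 1)[1] if ")#" in raw else raw
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        acl.append(parse_ace(line))
    if len({ace["acl"] for ace in acl}) > 1:
        raise ValueError("lines belong to different ACLs")
    return acl

def evaluate(acl, packet):
    """Return (action, 1-based entry number) of the first matching entry,
    or ('deny', None) for the implicit deny that ends every ACL."""
    for num, ace in enumerate(acl, 1):
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not wildcard_match(_ip(packet["src"]), ace["src"]):
            continue
        if not wildcard_match(_ip(packet["dst"]), ace["dst"]):
            continue
        if ace["sport"] is not None and ace["sport"] != packet.get("sport"):
            continue
        if ace["dport"] is not None and ace["dport"] != packet.get("dport"):
            continue
        return ace["action"], num
    return "deny", None

# ACL 130 exactly as entered on this page.
ACL_130 = parse_acl("""
R3(config)#access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.0 0.0.0.127 any
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255
R3(config)#access-list 130 permit tcp 192.168.30.128 0.0.0.127 any eq www
R3(config)#access-list 130 permit icmp 192.168.30.128 0.0.0.127 any
R3(config)#access-list 130 deny ip any any
""")

if __name__ == "__main__":
    # Constructed packets: one from the lower half, two from the upper half.
    for pkt in ({"proto": "tcp", "src": "192.168.30.10", "dst": "192.168.20.5", "dport": 80},
                {"proto": "tcp", "src": "192.168.30.200", "dst": "10.0.0.1", "dport": 80},
                {"proto": "tcp", "src": "192.168.30.200", "dst": "10.0.0.1", "dport": 22}):
        print(pkt, "->", evaluate(ACL_130, pkt))
```

The first constructed packet is denied by entry 1 even though entry 2 would permit it, which is the ordering point from ACL 111 above; the third is caught by the explicit deny ip any any (entry 7), and a list with only deny entries returns ('deny', None), the implicit deny.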

Filed Under: Cisco, Networking
