ACL part 2
Naveen Patel

Rules of Access List
• All deny statements have to be given first.
• There should be at least one permit statement.
• An implicit deny blocks all traffic by default when there is no match (an invisible statement at the end of the list).
• There can be one access-list per interface per direction, i.e. two access-lists per interface: one in the inbound direction and one in the outbound direction.
• Statements are processed in sequential order.
• Editing of numbered access-lists is not possible, i.e. selectively adding or removing access-list statements is not possible.

Standard ACL - Network Diagram
(Diagram: three routers in a chain. HYD: E0 192.168.1.1/24, S0 10.0.0.1/8. CHE: S1 10.0.0.2/8, E0 192.168.2.1/24, S0 11.0.0.1/8. BAN: S1 11.0.0.2/8, E0 192.168.3.1/24. LAN 192.168.1.0/24 with hosts .2, .3, .4; LAN 192.168.2.0/24 with hosts .2, .3, .4; LAN 192.168.3.0/24 with hosts .2, .3, .4.)
Creation and implementation of a standard ACL is done closest to the destination.

Requirement: 192.168.1.2 and 192.168.1.3 should not communicate with the 192.168.2.0 network.

Creation of Standard Access List
Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>
Implementation of Standard Access List
Router(config)#interface <interface type><interface no>
Router(config-if)#ip access-group <number> <out/in>

How Standard ACL Works?
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 deny 192.168.1.3 0.0.0.0
access-list 1 permit any
• 192.168.1.2 is accessing 192.168.2.2 (Source IP 192.168.1.2, Destination IP 192.168.2.2): the source matches the first statement, so the packet is denied.
• 192.168.1.4 is accessing 192.168.2.4 (Source IP 192.168.1.4, Destination IP 192.168.2.4): neither deny statement matches, the packet reaches "permit any" and is permitted.

Second requirement: 192.168.1.2 and the 192.168.3.0 network should not communicate with the 192.168.2.0 network.
access-list 5 deny 192.168.1.2 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
access-list 5 permit any
• 192.168.1.3 is accessing 192.168.2.3: no deny statement matches, so the packet is permitted by "permit any".
• A source in 192.168.3.0/24 (192.168.3.1 in the slides) is accessing 192.168.2.1: the wildcard mask 0.0.0.255 covers every host in that network, so the second statement denies the packet.

Extended ACL - Network Diagram
(Same topology as above.) Creation and implementation of an extended ACL is done closest to the source.

Requirement: the 192.168.2.0 network should not access 192.168.3.2 (Web Service).

Creation of Extended Access List
Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
Implementation of Extended Access List
Router(config)#interface <interface type><interface no>
Router(config-if)#ip access-group <number> <out/in>

How Extended ACL Works?
access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80
access-list 101 permit ip any any
• 192.168.2.2 is accessing 192.168.3.2 - Web Service (Source IP 192.168.2.2, Destination IP 192.168.3.2, Port 80): source, destination and port all match the first statement, so the packet is denied.
• 192.168.2.2 is accessing 192.168.3.2 - Telnet Service (Port 23): the port does not match the first statement, so the packet is permitted by "permit ip any any".
• 192.168.1.2 is accessing 192.168.3.2 - Web Service (Port 80): the source is outside 192.168.2.0/24, so the packet is permitted by "permit ip any any".

Named Access List
• Access-lists are identified using names rather than numbers.
• One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible. (IOS version 11.2 or later allows named ACLs.)
• Names are case-sensitive.
• No limitation of numbers here.

Standard Named Access List
Creation of Standard Named Access List
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask>
Implementation of Standard Named Access List
Router(config)#interface <interface type><interface no>
Router(config-if)#ip access-group <name> <out/in>

Extended Named Access List
Creation of Extended Named Access List
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
Implementation of Extended Named Access List
Router(config)#interface <interface type><interface no>
Router(config-if)#ip access-group <name> <out/in>

Lab: verifying the topology
From a Microsoft Windows 2000 host (C:\> telnet 192.168.1.1, 192.168.2.1 and 192.168.3.1 in turn) the slides log in to the Hyderabad, Chennai and Banglore routers through the "User Access Verification" password prompt, enter enable mode and run show ip route on each. Each table lists the router's directly connected networks (C) and the RIP-learned routes (R, [120/1] or [120/2]) to the other LANs and serial links; the full output is not recoverable from this copy.

Lab: Chennai serial interfaces
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# interface serial 1
Chennai(config-if)# ip address 10.0.0.2 255.0.0.0
Chennai(config-if)# no shut
Chennai(config-if)# encapsulation hdlc
Chennai(config-if)# interface serial 0
Chennai(config-if)# ip address 11.0.0.1 255.0.0.0
Chennai(config-if)# no shut
Chennai(config-if)# encapsulation hdlc

Lab: Standard ACL 1 on Chennai (closest to the destination, outbound on Ethernet0)
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0
Chennai(config)# access-list 1 deny 192.168.1.3 0.0.0.0
Chennai(config)# access-list 1 permit any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 1 out
Chennai(config-if)# ^Z
Chennai# show ip access-list
Standard IP access list 1
    deny   192.168.1.2
    deny   192.168.1.3
    permit any
Chennai# show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is 192.168.2.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is 1
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP multicast fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
  Gateway Discovery is disabled
  Policy routing is disabled
  Network address translation is disabled
Chennai#

Lab: Standard ACL 5 on Chennai (outbound on Ethernet0)
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 5 deny 192.168.1.2 0.0.0.0
Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255
Chennai(config)# access-list 5 permit any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 5 out
Chennai(config-if)# ^Z
Chennai# show ip access-list
Standard IP access list 5
    deny   192.168.1.2
    deny   192.168.3.0 0.0.0.255
    permit any
Chennai# show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is 192.168.2.1/24
  Outgoing access list is 5
  Inbound access list is not set
  (remaining lines as in the previous show ip int e0 output)
Chennai#

Lab: Extended ACL 101 on Chennai (closest to the source, inbound on Ethernet0)
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80
Chennai(config)# access-list 101 permit ip any any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 101 in
Chennai(config-if)# ^Z
Chennai# show ip access-list
Extended IP access list 101
    deny   tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq www
    permit ip any any
Chennai# show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is 192.168.2.1/24
  Outgoing access list is not set
  Inbound access list is 101
  (remaining lines as in the previous show ip int e0 output)
Chennai#
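As an added example that is not part of the slides, the following Python model walks an IOS numbered ACL the way the "How Standard/Extended ACL Works?" walkthroughs do: parse the statements exactly as typed on the Chennai router, apply wildcard masks (0 bit = must match, 1 bit = don't care), stop at the first match, and fall through to the implicit deny when nothing matches. The helper names are mine; it assumes only the classic ranges (1-99 standard, 100-199 extended) and knows just the two port names IOS prints on this page (www, telnet).

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # 'any' = base 0.0.0.0, wildcard all ones
PORT_NAMES = {"www": 80, "telnet": 23}        # names IOS prints in 'show ip access-list'

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', 'A W', or bare 'A' (wildcard defaults to 0.0.0.0)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]

def parse_ace(line):
    """Parse one 'access-list <n> permit|deny ...' line; numbers 1-99 are standard (source only)."""
    tok = line.split()
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    if num <= 99:
        src, rest = parse_addr(rest)
        return {"action": action, "proto": "ip", "src": src, "dst": ANY, "port": None}
    proto, rest = rest[0], rest[1:]
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = int(PORT_NAMES.get(rest[1], rest[1]))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl, src, dst, proto="tcp", dport=None):
    """Walk the list in order; first match wins. Returns (action, index); index None = implicit deny."""
    for i, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], i
    return "deny", None

# The lists from the slides, exactly as typed on the Chennai router.
ACL1 = [parse_ace(l) for l in ("access-list 1 deny 192.168.1.2 0.0.0.0",
                               "access-list 1 deny 192.168.1.3 0.0.0.0",
                               "access-list 1 permit any")]
ACL101 = [parse_ace(l) for l in ("access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80",
                                 "access-list 101 permit ip any any")]
```

A list made only of deny statements returns ("deny", None) for every packet, which is the slide's rule that at least one permit statement is needed.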