SlideShare a Scribd company logo

Access Control List 1

Download as PPT, PDF
Kishore Kumar, profile picture
Kishore Kumar

The document outlines rules for access control lists (ACLs) in networking, stating that all deny statements must precede permit statements and that each interface can have one ACL per direction. It describes standard ACLs and their function in controlling traffic between different IP networks while emphasizing that they operate in a sequential manner without the ability to edit individual statements once created. Additionally, the document details examples of ACL configurations for specific source and destination IP pairs, illustrating how access restrictions are implemented.

EducationTechnologyBusiness
1 of 53
Downloaded 390 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
1
Rules of Access List • All deny statements have to be given First • There should be at least one Permit statement • An implicit deny blocks all traffic by default when there is no match (an invisible statement). • Can have one access-list per interface per direction. (i.e.) Two access-list per interface, one in inbound direction and one in outbound direction. • Works in Sequential order • Editing of access-lists is not possible (i.e) Selectively adding or removing access-list statements is not possible. 2
Standard ACL - Network Diagram 10.0.0.1/8 S0 HYD 1.2 S1 10.0.0.2/8 1.3 LAN - 192.168.1.0/24 is done Closest is done Closest to the to the 11.0.0.1/8 S0 E0 192.168.1.150/24 1.1 Creation and Creation and Implementation Implementation 2.1 Destination. Destination. CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 1.1 & 1.2 should not communicate with 2.0 network 1.1 & 1.2 should not communicate with 2.0 network 3
How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 1.1 is accessing 2.1 1.1 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 4
How Standard ACL Works ? 1.1 Source IP 192.168.1.1 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 5
How Standard ACL Works ? 1.1 Source IP 192.168.1.1 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 6
How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 1.3 is accessing 2.1 1.3 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 7
How Standard ACL Works ? 1.1 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 8 x
How Standard ACL Works ? 1.1 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 9 x
How Standard ACL Works ? 1.1 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 10
1.1 Source IP 192.168.1.1 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 11
Standard ACL - Network Diagram 10.0.0.1/8 S0 HYD 1.2 S1 10.0.0.2/8 1.3 LAN - 192.168.1.0/24 is done Closest is done Closest to the to the 11.0.0.1/8 S0 E0 192.168.1.150/24 1.1 Creation and Creation and Implementation Implementation 2.1 Destination. Destination. CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 1.1 & 3.0 should not communicate with 2.0 network 1.1 & 3.0 should not communicate with 2.0 network 12
How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 1.1 is accessing 2.1 1.1 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 13
How Standard ACL Works ? 1.1 Source IP 192.168.1.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 14
How Standard ACL Works ? 1.1 Source IP 192.168.1.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 15
How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 1.3 is accessing 2.1 1.3 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 16
How Standard ACL Works ? 1.3 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 x access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 17
How Standard ACL Works ? 1.3 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 x access-list 5 permit any 18
How Standard ACL Works ? 1.3 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 19
1.3 Source IP 192.168.1.1 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 20
How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 is accessing 2.1 3.1 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 21
How Standard ACL Works ? 3.1 Source IP 192.168.3.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 x access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 22
How Standard ACL Works ? 3.1 Source IP 192.168.3.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 23
How Standard ACL Works ? 3.1 Source IP 192.168.3.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 24
Extended ACL - Network Diagram Creation and Creation and Implementation Implementation 10.0.0.1/8 S0 HYD S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 is done Closest is done Closest to the Source. to the Source. 11.0.0.1/8 S0 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 2.0 should not access with 3.1 (Web Service) 2.0 should not access with 3.1 (Web Service) 25
How Extended ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 2.1 is accessing 3.1 -- Web Service 2.1 is accessing 3.1 Web Service 26
How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.3.1 Port - 80 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 27
How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.3.1 Port - 80 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 28
How Extended ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 2.1 is accessing 3.1 – Telnet Service 2.1 is accessing 3.1 – Telnet Service 29
How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.3.1 Port - 23 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 30 x
How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.3.1 Port - 23 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 31
How Extended ACL Works ? 2.1 Source IP 192.168.1.1 192.168.2.1 Destination IP 192.168.3.1 Port - 23 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 32
How Extended ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 2.1 is accessing 1.1 -- Web Service 2.1 is accessing 1.1 Web Service 33
How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.1.1 192.168.1.1 Port - 80 1.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 34 x
How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.1.1 Port - 80 1.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 35
How Extended ACL Works ? 2.1 Source IP 192.168.1.1 192.168.2.1 Destination IP 192.168.1.1 Port - 80 1.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 36
Named Access List • Access-lists are identified using Names rather than Numbers. • Names are Case-Sensitive • No limitation of Numbers here. • One Main Advantage is Editing of ACL is Possible (i.e) Removing a specific statement from the ACL is possible. (IOS version 11.2 or later allows Named ACL) 37
Standard Named Access List Creation of Standard Named Access List Creation of Standard Named Access List Router(config)# ip access-list standard <name> Router(config)# ip access-list standard <name> Router(config-std-nacl)# <permit/deny> <source address> Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask> <source wildcard mask> Implementation of Standard Named Access List Implementation of Standard Named Access List Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <name> <out/in> Router(config-if)#ip access-group <name> <out/in> 38
Extended Named Access List Creation of Extended Named Access List Creation of Extended Named Access List Router(config)# ip access-list extended <name> Router(config)# ip access-list extended <name> Router(config-ext-nacl)# <permit/deny> <protocol> Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination <source address> <source wildcard mask> <destination address> < destination wildcard mask> <operator> address> < destination wildcard mask> <operator> <service> <service> Implementation of Extended Named Access List Implementation of Extended Named Access List Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <name> <out/in> Router(config-if)#ip access-group <name> <out/in> 39
40
Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:> telnet 192.168.1.150 Connecting ..... ================================ Welcome to Hyderabad Router ================================ User Access Verification password : **** Hyderabad> enable password : **** Hyderabad# show ip route Gateway of last resort is not set C 10.0.0.0/8 is directly connected, Serial0 R 11.0.0.0/8 [120/1] via 10.0.0.2, 00:00:25, Serial0 C 192.168.1.0/24 is directly connected, Ethernet0 R 192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:25, Serial0 R 192.168.3.0/24 [120/2] via 10.0.0.2, 00:00:25, Serial0 Hyderabad# 41
Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:> telnet 192.168.2.150 Connecting ..... ================================ Welcome to Chennai Router ================================ User Access Verification password : **** Chennai> enable password : **** Chennai# show ip route Gateway of last resort is not set C 10.0.0.0/8 is directly connected, Serial1 C 11.0.0.0/8 is directly connected, Serial0 R 192.168.1.0/24 [120/1] via 10.0.0.1, 00:00:01, Serial1 C 192.168.2.0/24 is directly connected, Ethernet0 R 192.168.3.0/24 [120/1] via 11.0.0.2, 00:00:12, Serial0 Chennai# 42
Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:> telnet 192.168.3.150 Connecting ..... ================================ Welcome to Banglore Router ================================ User Access Verification password : **** Banglore> enable password : **** Banglore# show ip route Gateway of last resort is not set R 10.0.0.0/8 [120/1] via 11.0.0.1, 00:00:04, Serial1 C 11.0.0.0/8 is directly connected, Serial1 R 192.168.1.0/24 [120/2] via 11.0.0.1, 00:00:04, Serial1 R 192.168.2.0/24 [120/1] via 11.0.0.1, 00:00:04, Serial1 C 192.168.3.0/24 is directly connected, Ethernet0 Banglore# 43
Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:> telnet 192.168.2.150 Connecting ..... ================================ Welcome to Chennai Router ================================ User Access Verification password : **** Chennai> enable password : **** Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# interface serial 1 Chennai(config-if)# ip address 10.0.0.2 255.0.0.0 Chennai(config-if)# no shut Chennai(config-if)# encapsulation hdlc Chennai(config-if)# interface serial 0 Chennai(config-if)# ip address 11.0.0.1 255.0.0.0 Chennai(config-if)# no shut Chennai(config-if)# encapsulation hdlc 44
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0 Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0 Chennai(config)# access-list 1 permit any Creation of Standard Access List Creation of Standard Access List Chennai(config)# interface ethernet 0 Router(config)# access-list out Chennai(config-if)# ip access-group 1 <acl no> <permit/deny> Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask> <source address> <source wildcard mask> Chennai(config-if)# Implementation of Standard Access List Implementation of Standard Access List Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <number> <out/in> Router(config-if)#ip access-group <number> <out/in> 45
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0 Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0 Chennai(config)# access-list 1 permit any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 1 out Chennai(config-if)# ^Z Chennai# show ip access-list Standard IP access list 1 deny 192.168.1.1 deny 192.168.1.2 permit any Chennai# 46
Chennai# show ip int e0 Ethernet0 is up, line protocol is up Internet address is 192.168.2.150/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is 1 Inbound access list is not set Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled Chennai# 47
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0 Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255 Chennai(config)# access-list 5 permit any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 5 out Chennai(config-if)# ^Z Chennai# show ip access-list Standard deny deny permit Chennai# IP access list 5 192.168.1.1 192.168.3.0 any 48
Chennai# show ip int e0 Ethernet0 is up, line protocol is up Internet address is 192.168.2.150/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is 5 Inbound access list is not set Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled Chennai# 49
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0 Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255 Chennai(config)# access-list 5 permit any Creation of Standard Access List Creation of Standard Access List Chennai(config)# interface ethernet 0 Router(config)# access-list out Chennai(config-if)# ip access-group 5 <acl no> <permit/deny> Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask> <source address> <source wildcard mask> Chennai(config-if)# Implementation of Standard Access List Implementation of Standard Access List Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <number> <out/in> Router(config-if)#ip access-group <number> <out/in> 50
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 Chennai(config)# access-list 101 Extended Access List permit ip any any Creation of Extended Access List Creation of Chennai(config)# interface ethernet 0 Router(config)# access-list <acl no> <permit/deny> Router(config)# access-list <acl no> <permit/deny> Chennai(config-if)# ip access-group 101 <source wildcard mask> <protocol> <source address> in <protocol> <source address> <source wildcard mask> Chennai(config-if)# <destination address> < destination wildcard mask> <destination address> < destination wildcard mask> <operator> <service> Implementation of Extended Access List <operator> <service> of Extended Access List Implementation Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <number> <out/in> Router(config-if)#ip access-group <number> <out/in> 51
Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 Chennai(config)# access-list 101 permit ip any any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 101 in Chennai(config-if)# ^Z Chennai# show ip access-list Extended IP access list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq www permit ip any any Chennai# 52
Chennai# show ip int e0 Ethernet0 is up, line protocol is up Internet address is 192.168.2.150/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is not set Inbound access list is 101 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled Chennai# 53

More Related Content

PPTX
Open Shortest Path First
Kashif Latif
 
PPTX
Subnetting
swascher
 
PDF
BGP
Anıl Alibeyoğlu
 
PPTX
IP Address - IPv4 & IPv6
Adeel Rasheed
 
PPTX
Internet Protocol version 6
Rekha Yadav
 
PDF
CCNAv5 - S2: Chapter3 Vlans
Vuz Dở Hơi
 
PPTX
OSPF Basics
Martin Bratina
 
PDF
Cisco ospf
sarasanandam
 
Open Shortest Path First
Kashif Latif
 
Subnetting
swascher
 
BGP
Anıl Alibeyoğlu
 
IP Address - IPv4 & IPv6
Adeel Rasheed
 
Internet Protocol version 6
Rekha Yadav
 
CCNAv5 - S2: Chapter3 Vlans
Vuz Dở Hơi
 
OSPF Basics
Martin Bratina
 
Cisco ospf
sarasanandam
 

What's hot (20)

PPTX
Chapter 17 : static routing
teknetir
 
PPTX
Access Control List (ACL)
ISMT College
 
PPT
Ip addressing
Online
 
PDF
How BGP Works
ThousandEyes
 
PDF
BGP (border gateway routing protocol)
Netwax Lab
 
PPTX
Access control list [1]
Summit Bisht
 
PPTX
IS-IS Packet Types
NetProtocol Xpert
 
PPTX
Open shortest path first (ospf)
Respa Peter
 
PPTX
IS-IS Protocol
Mhd Khaled Alhalai
 
PPTX
IPV6 ADDRESS
Jothi Lakshmi
 
PPT
Ip address and subnetting
IGZ Software house
 
PPTX
Routing Protocols
NetProtocol Xpert
 
PPTX
Subnetting Presentation
Touhidul Fahim
 
PPT
BGP protocol presentation
Gorantla Mohanavamsi
 
PDF
CCNAv5 - S2: Chapter5 Inter Vlan Routing
Vuz Dở Hơi
 
PPTX
A very good introduction to IPv6
Syed Arshad
 
PPTX
13. eigrp and ospf
Swarndeep Singh
 
PPTX
Network address translation
Varsha Honde
 
PPTX
Layer 2 switching
NetProtocol Xpert
 
DOCX
Packet Tracer: Load Balancing with GLBP and FHRP
Rafat Khandaker
 
Chapter 17 : static routing
teknetir
 
Access Control List (ACL)
ISMT College
 
Ip addressing
Online
 
How BGP Works
ThousandEyes
 
BGP (border gateway routing protocol)
Netwax Lab
 
Access control list [1]
Summit Bisht
 
IS-IS Packet Types
NetProtocol Xpert
 
Open shortest path first (ospf)
Respa Peter
 
IS-IS Protocol
Mhd Khaled Alhalai
 
IPV6 ADDRESS
Jothi Lakshmi
 
Ip address and subnetting
IGZ Software house
 
Routing Protocols
NetProtocol Xpert
 
Subnetting Presentation
Touhidul Fahim
 
BGP protocol presentation
Gorantla Mohanavamsi
 
CCNAv5 - S2: Chapter5 Inter Vlan Routing
Vuz Dở Hơi
 
A very good introduction to IPv6
Syed Arshad
 
13. eigrp and ospf
Swarndeep Singh
 
Network address translation
Varsha Honde
 
Layer 2 switching
NetProtocol Xpert
 
Packet Tracer: Load Balancing with GLBP and FHRP
Rafat Khandaker
 
Ad

Similar to Access Control List 1 (20)

PDF
Day+34+Slides+-+Standard+ACLs - Kasamba David
DavidKasamba
 
PDF
Modul 5 access control list
diah risqiwati
 
PDF
Cisco discovery drs ent module 8 - v.4 in english.
igede tirtanata
 
PPT
Access control list 2
Kishore Kumar
 
PDF
Lab8 Controlling traffic using Extended ACL Objectives Per.pdf
adityacommunication1
 
PDF
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Shu Shin
 
PDF
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Shu Shin
 
PDF
Lab 3.5.1 basic frame relay
Manuel Garcia Meza
 
PDF
Ccna 3-discovery-4-0-module-8-100-
junkut3
 
PDF
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
Salem Trabelsi
 
PDF
Ch4-Implementing Firewall Technologies.pdf
OhmRon
 
DOCX
Configuracion EIGRP
alexis marck Huiza Canchanya
 
PDF
Technical Overview of QUIC
shigeki_ohtsu
 
PPT
Multi Static Routng & Default Routing
Kishore Kumar
 
PDF
Linux router
Miguel E Arellano Quezada
 
PPT
CCNP 642-732 Training
saenaetr
 
PPT
ACIT - CCNA Training Course Topic - Switch Stp ACIT
Sleek International
 
PDF
Tri aoi training-supplementary_2011.01
Ralph Nguyen
 
PPT
Day 13.1..1 catalyst switch
CYBERINTELLIGENTS
 
PPT
Icnd210 s06l01
computerlenguyen
 
Day+34+Slides+-+Standard+ACLs - Kasamba David
DavidKasamba
 
Modul 5 access control list
diah risqiwati
 
Cisco discovery drs ent module 8 - v.4 in english.
igede tirtanata
 
Access control list 2
Kishore Kumar
 
Lab8 Controlling traffic using Extended ACL Objectives Per.pdf
adityacommunication1
 
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Shu Shin
 
Uccn1003 -may09_-_lect09_-_access_control_list_acl_
Shu Shin
 
Lab 3.5.1 basic frame relay
Manuel Garcia Meza
 
Ccna 3-discovery-4-0-module-8-100-
junkut3
 
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
Salem Trabelsi
 
Ch4-Implementing Firewall Technologies.pdf
OhmRon
 
Configuracion EIGRP
alexis marck Huiza Canchanya
 
Technical Overview of QUIC
shigeki_ohtsu
 
Multi Static Routng & Default Routing
Kishore Kumar
 
Linux router
Miguel E Arellano Quezada
 
CCNP 642-732 Training
saenaetr
 
ACIT - CCNA Training Course Topic - Switch Stp ACIT
Sleek International
 
Tri aoi training-supplementary_2011.01
Ralph Nguyen
 
Day 13.1..1 catalyst switch
CYBERINTELLIGENTS
 
Icnd210 s06l01
computerlenguyen
 
Ad

More from Kishore Kumar (20)

PDF
Switching Types
Kishore Kumar
 
PDF
Switching Types
Kishore Kumar
 
PDF
Route Authentication
Kishore Kumar
 
PDF
Recognizing security threats
Kishore Kumar
 
PDF
Ccna simulation exam practice guide
Kishore Kumar
 
PPT
RIP Update Timers
Kishore Kumar
 
PPT
Password Recovery
Kishore Kumar
 
PPT
OSPF 3
Kishore Kumar
 
PPT
OSPF 2
Kishore Kumar
 
PPT
Ip addressing
Kishore Kumar
 
PPT
Internal & External of Routers
Kishore Kumar
 
PPT
Integrated Service Digital Network
Kishore Kumar
 
PPT
Initial Configuration of Router
Kishore Kumar
 
PPT
Frame Relay
Kishore Kumar
 
PPT
Dynamic Routing RIP
Kishore Kumar
 
PPT
OSI Layers
Kishore Kumar
 
PPT
Password Recovery
Kishore Kumar
 
PPT
OSPF 3
Kishore Kumar
 
PPT
OSPF 2
Kishore Kumar
 
PPT
IP Addressing
Kishore Kumar
 
Switching Types
Kishore Kumar
 
Switching Types
Kishore Kumar
 
Route Authentication
Kishore Kumar
 
Recognizing security threats
Kishore Kumar
 
Ccna simulation exam practice guide
Kishore Kumar
 
RIP Update Timers
Kishore Kumar
 
Password Recovery
Kishore Kumar
 
OSPF 3
Kishore Kumar
 
OSPF 2
Kishore Kumar
 
Ip addressing
Kishore Kumar
 
Internal & External of Routers
Kishore Kumar
 
Integrated Service Digital Network
Kishore Kumar
 
Initial Configuration of Router
Kishore Kumar
 
Frame Relay
Kishore Kumar
 
Dynamic Routing RIP
Kishore Kumar
 
OSI Layers
Kishore Kumar
 
Password Recovery
Kishore Kumar
 
OSPF 3
Kishore Kumar
 
OSPF 2
Kishore Kumar
 
IP Addressing
Kishore Kumar
 

Recently uploaded (20)

PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
Pre independence Education in Inndia.pdf
goofy5603
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 

Access Control List 1

  • 1. 1
  • 2. Rules of Access List • All deny statements have to be given First • There should be at least one Permit statement • An implicit deny blocks all traffic by default when there is no match (an invisible statement). • Can have one access-list per interface per direction. (i.e.) Two access-list per interface, one in inbound direction and one in outbound direction. • Works in Sequential order • Editing of access-lists is not possible (i.e) Selectively adding or removing access-list statements is not possible. 2
  • 3. Standard ACL - Network Diagram 10.0.0.1/8 S0 HYD 1.2 S1 10.0.0.2/8 1.3 LAN - 192.168.1.0/24 is done Closest is done Closest to the to the 11.0.0.1/8 S0 E0 192.168.1.150/24 1.1 Creation and Creation and Implementation Implementation 2.1 Destination. Destination. CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 1.1 & 1.2 should not communicate with 2.0 network 1.1 & 1.2 should not communicate with 2.0 network 3
  • 4. How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 1.1 is accessing 2.1 1.1 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 4
  • 5. How Standard ACL Works ? 1.1 Source IP 192.168.1.1 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 5
  • 6. How Standard ACL Works ? 1.1 Source IP 192.168.1.1 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 6
  • 7. How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 1.3 is accessing 2.1 1.3 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 7
  • 8. How Standard ACL Works ? 1.1 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 8 x
  • 9. How Standard ACL Works ? 1.1 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 9 x
  • 10. How Standard ACL Works ? 1.1 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 10
  • 11. 1.1 Source IP 192.168.1.1 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 1 deny 192.168.1.1 0.0.0.0 access-list 1 deny 192.168.1.2 0.0.0.0 access-list 1 permit any 11
  • 12. Standard ACL - Network Diagram 10.0.0.1/8 S0 HYD 1.2 S1 10.0.0.2/8 1.3 LAN - 192.168.1.0/24 is done Closest is done Closest to the to the 11.0.0.1/8 S0 E0 192.168.1.150/24 1.1 Creation and Creation and Implementation Implementation 2.1 Destination. Destination. CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 1.1 & 3.0 should not communicate with 2.0 network 1.1 & 3.0 should not communicate with 2.0 network 12
  • 13. How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 1.1 is accessing 2.1 1.1 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 13
  • 14. How Standard ACL Works ? 1.1 Source IP 192.168.1.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 14
  • 15. How Standard ACL Works ? 1.1 Source IP 192.168.1.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 15
  • 16. How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 1.3 is accessing 2.1 1.3 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 16
  • 17. How Standard ACL Works ? 1.3 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 x access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 17
  • 18. How Standard ACL Works ? 1.3 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 x access-list 5 permit any 18
  • 19. How Standard ACL Works ? 1.3 Source IP 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 19
  • 20. 1.3 Source IP 192.168.1.1 192.168.1.3 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 20
  • 21. How Standard ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 is accessing 2.1 3.1 is accessing 2.1 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 21
  • 22. How Standard ACL Works ? 3.1 Source IP 192.168.3.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 x access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 22
  • 23. How Standard ACL Works ? 3.1 Source IP 192.168.3.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 23
  • 24. How Standard ACL Works ? 3.1 Source IP 192.168.3.1 2.1 Destination IP 192.168.2.1 access-list 5 deny 192.168.1.1 0.0.0.0 access-list 5 deny 192.168.3.0 0.0.0.255 access-list 5 permit any 24
  • 25. Extended ACL - Network Diagram Creation and Creation and Implementation Implementation 10.0.0.1/8 S0 HYD S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 is done Closest is done Closest to the Source. to the Source. 11.0.0.1/8 S0 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 2.0 should not access with 3.1 (Web Service) 2.0 should not access with 3.1 (Web Service) 25
  • 26. How Extended ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 2.1 is accessing 3.1 -- Web Service 2.1 is accessing 3.1 Web Service 26
  • 27. How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.3.1 Port - 80 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 27
  • 28. How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.3.1 Port - 80 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 28
  • 29. How Extended ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 2.1 is accessing 3.1 – Telnet Service 2.1 is accessing 3.1 – Telnet Service 29
  • 30. How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.3.1 Port - 23 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 30 x
  • 31. How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.3.1 Port - 23 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 31
  • 32. How Extended ACL Works ? 2.1 Source IP 192.168.1.1 192.168.2.1 Destination IP 192.168.3.1 Port - 23 3.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 32
  • 33. How Extended ACL Works ? 10.0.0.1/8 S0 HYD 11.0.0.1/8 S0 S1 10.0.0.2/8 E0 192.168.1.150/24 1.1 1.2 1.3 LAN - 192.168.1.0/24 2.1 CHE S1 11.0.0.2/8 E0 192.168.2.150/24 2.2 2.3 LAN - 192.168.2.0/24 3.1 BAN E0 192.168.3.150/2 3.2 3.3 LAN - 192.168.3.0/24 2.1 is accessing 1.1 -- Web Service 2.1 is accessing 1.1 Web Service 33
  • 34. How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.1.1 192.168.1.1 Port - 80 1.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 34 x
  • 35. How Extended ACL Works ? 2.1 Source IP 192.168.2.1 Destination IP 192.168.1.1 Port - 80 1.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 35
  • 36. How Extended ACL Works ? 2.1 Source IP 192.168.1.1 192.168.2.1 Destination IP 192.168.1.1 Port - 80 1.1 access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 access-list 101 permit ip any any 36
  • 37. Named Access List • Access-lists are identified using Names rather than Numbers. • Names are Case-Sensitive • No limitation of Numbers here. • One Main Advantage is Editing of ACL is Possible (i.e) Removing a specific statement from the ACL is possible. (IOS version 11.2 or later allows Named ACL) 37
  • 38. Standard Named Access List Creation of Standard Named Access List Creation of Standard Named Access List Router(config)# ip access-list standard <name> Router(config)# ip access-list standard <name> Router(config-std-nacl)# <permit/deny> <source address> Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask> <source wildcard mask> Implementation of Standard Named Access List Implementation of Standard Named Access List Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <name> <out/in> Router(config-if)#ip access-group <name> <out/in> 38
  • 39. Extended Named Access List Creation of Extended Named Access List Creation of Extended Named Access List Router(config)# ip access-list extended <name> Router(config)# ip access-list extended <name> Router(config-ext-nacl)# <permit/deny> <protocol> Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination <source address> <source wildcard mask> <destination address> < destination wildcard mask> <operator> address> < destination wildcard mask> <operator> <service> <service> Implementation of Extended Named Access List Implementation of Extended Named Access List Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <name> <out/in> Router(config-if)#ip access-group <name> <out/in> 39
  • 40. 40
  • 41. Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:> telnet 192.168.1.150 Connecting ..... ================================ Welcome to Hyderabad Router ================================ User Access Verification password : **** Hyderabad> enable password : **** Hyderabad# show ip route Gateway of last resort is not set C 10.0.0.0/8 is directly connected, Serial0 R 11.0.0.0/8 [120/1] via 10.0.0.2, 00:00:25, Serial0 C 192.168.1.0/24 is directly connected, Ethernet0 R 192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:25, Serial0 R 192.168.3.0/24 [120/2] via 10.0.0.2, 00:00:25, Serial0 Hyderabad# 41
  • 42. Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:> telnet 192.168.2.150 Connecting ..... ================================ Welcome to Chennai Router ================================ User Access Verification password : **** Chennai> enable password : **** Chennai# show ip route Gateway of last resort is not set C 10.0.0.0/8 is directly connected, Serial1 C 11.0.0.0/8 is directly connected, Serial0 R 192.168.1.0/24 [120/1] via 10.0.0.1, 00:00:01, Serial1 C 192.168.2.0/24 is directly connected, Ethernet0 R 192.168.3.0/24 [120/1] via 11.0.0.2, 00:00:12, Serial0 Chennai# 42
  • 43. Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:> telnet 192.168.3.150 Connecting ..... ================================ Welcome to Banglore Router ================================ User Access Verification password : **** Banglore> enable password : **** Banglore# show ip route Gateway of last resort is not set R 10.0.0.0/8 [120/1] via 11.0.0.1, 00:00:04, Serial1 C 11.0.0.0/8 is directly connected, Serial1 R 192.168.1.0/24 [120/2] via 11.0.0.1, 00:00:04, Serial1 R 192.168.2.0/24 [120/1] via 11.0.0.1, 00:00:04, Serial1 C 192.168.3.0/24 is directly connected, Ethernet0 Banglore# 43
  • 44. Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:> telnet 192.168.2.150 Connecting ..... ================================ Welcome to Chennai Router ================================ User Access Verification password : **** Chennai> enable password : **** Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# interface serial 1 Chennai(config-if)# ip address 10.0.0.2 255.0.0.0 Chennai(config-if)# no shut Chennai(config-if)# encapsulation hdlc Chennai(config-if)# interface serial 0 Chennai(config-if)# ip address 11.0.0.1 255.0.0.0 Chennai(config-if)# no shut Chennai(config-if)# encapsulation hdlc 44
  • 45. Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0 Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0 Chennai(config)# access-list 1 permit any Creation of Standard Access List Creation of Standard Access List Chennai(config)# interface ethernet 0 Router(config)# access-list out Chennai(config-if)# ip access-group 1 <acl no> <permit/deny> Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask> <source address> <source wildcard mask> Chennai(config-if)# Implementation of Standard Access List Implementation of Standard Access List Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <number> <out/in> Router(config-if)#ip access-group <number> <out/in> 45
  • 46. Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0 Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0 Chennai(config)# access-list 1 permit any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 1 out Chennai(config-if)# ^Z Chennai# show ip access-list Standard IP access list 1 deny 192.168.1.1 deny 192.168.1.2 permit any Chennai# 46
  • 47. Chennai# show ip int e0 Ethernet0 is up, line protocol is up Internet address is 192.168.2.150/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is 1 Inbound access list is not set Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled Chennai# 47
  • 48. Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0 Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255 Chennai(config)# access-list 5 permit any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 5 out Chennai(config-if)# ^Z Chennai# show ip access-list Standard deny deny permit Chennai# IP access list 5 192.168.1.1 192.168.3.0 any 48
  • 49. Chennai# show ip int e0 Ethernet0 is up, line protocol is up Internet address is 192.168.2.150/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is 5 Inbound access list is not set Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled Chennai# 49
  • 50. Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0 Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255 Chennai(config)# access-list 5 permit any Creation of Standard Access List Creation of Standard Access List Chennai(config)# interface ethernet 0 Router(config)# access-list out Chennai(config-if)# ip access-group 5 <acl no> <permit/deny> Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask> <source address> <source wildcard mask> Chennai(config-if)# Implementation of Standard Access List Implementation of Standard Access List Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <number> <out/in> Router(config-if)#ip access-group <number> <out/in> 50
  • 51. Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 Chennai(config)# access-list 101 Extended Access List permit ip any any Creation of Extended Access List Creation of Chennai(config)# interface ethernet 0 Router(config)# access-list <acl no> <permit/deny> Router(config)# access-list <acl no> <permit/deny> Chennai(config-if)# ip access-group 101 <source wildcard mask> <protocol> <source address> in <protocol> <source address> <source wildcard mask> Chennai(config-if)# <destination address> < destination wildcard mask> <destination address> < destination wildcard mask> <operator> <service> Implementation of Extended Access List <operator> <service> of Extended Access List Implementation Router(config)#interface <interface type><interface no> Router(config)#interface <interface type><interface no> Router(config-if)#ip access-group <number> <out/in> Router(config-if)#ip access-group <number> <out/in> 51
  • 52. Chennai# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80 Chennai(config)# access-list 101 permit ip any any Chennai(config)# interface ethernet 0 Chennai(config-if)# ip access-group 101 in Chennai(config-if)# ^Z Chennai# show ip access-list Extended IP access list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq www permit ip any any Chennai# 52
  • 53. Chennai# show ip int e0 Ethernet0 is up, line protocol is up Internet address is 192.168.2.150/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is not set Inbound access list is 101 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled Chennai# 53