19 ACL Part 2

Naveen Patel
Naveen Patel
All deny statements have to be given First
There should be at least one Permit statement
An implicit deny blocks all traffic by default when
there is no match (an invisible statement).
Can have one access-list per interface per direction.
(i.e.) Two access-list per interface, one in inbound
direction and one in outbound direction.
Works in Sequential order
Editing of access-lists is not possible (i.e) Selectively
adding or removing access-list statements is not
possible.
Rules of Access List
Naveen Patel
Standard ACL - Network Diagram
E0
192.168.1.1/24
LAN - 192.168.1.0/24
E0
192.168.2.1/24
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.4 2.2 2.3 2.4 3.2 3.3 3.4
192.168.1.2 & 192.168.1.3 should not communicate with
192.168.2.0 network
HYD
CHE
BAN
Creation and
Implementation
is done Closest
to the
Destination.
Naveen Patel
How Standard ACL Works ?
E0
192.168.1.1/24
LAN - 192.168.1.0/24
E0
192.168.2.1/24
CHE
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.4 2.2 2.3 2.4 3.2 3.3 3.4
192.168.1.2 is accessing 192.168.2.2
1.2
HYD
CHE
BAN
Naveen Patel
1.2 2.2
Source IP
192.168.1.2

Destination IP
192.168.2.2
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 deny 192.168.1.3 0.0.0.0
access-list 1 permit any
Source IP
192.168.1.2
Naveen Patel
1.2 2.2
Source IP
192.168.1.2

Destination IP
192.168.2.2
Source IP
192.168.1.2
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 deny 192.168.1.3 0.0.0.0
Naveen Patel
E0
192.168.1.1/24
HYD
LAN - 192.168.1.0/24
E0
192.168.2.1/24
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.4 2.2 2.3 2.4 3.2 3.3 3.4
192.168.1.4 is accessing 192.168.2.2
1.4
HYD
CHE
BAN
Naveen Patel
1.4 2.2
Source IP
192.168.1.4

Destination IP
192.168.2.2
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 deny 192.168.1.3 0.0.0.0
Source IP
192.168.1.4
x
Naveen Patel
1.4 2.2
Source IP
192.168.1.4

Destination IP
192.168.2.2
Source IP
192.168.1.4
x
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 deny 192.168.1.3 0.0.0.0
Naveen Patel
1.4 2.2
Source IP
192.168.1.4

Destination IP
192.168.2.2
Source IP
192.168.1.4
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 deny 192.168.1.3 0.0.0.0
Naveen Patel
1.4 2.2
Source IP
192.168.1.4

Destination IP
192.168.2.2
Source IP
192.168.1.4
access-list 1 deny 192.168.1.1 0.0.0.0
access-list 1 deny 192.168.1.2 0.0.0.0
Naveen Patel
Standard ACL - Network Diagram
E0
192.168.1.1/24
HYD
LAN - 192.168.1.0/24
E0
192.168.2.1/24
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.4 2.2 2.3 2.4 3.2 3.3 3.4
192.168.1.2 & 192.168.3.0 should not communicate with
192.168.2.0 network
HYD
CHE
BAN
Creation and
Implementation
is done Closest
to the
Destination.
Naveen Patel
E0
192.168.1.1/24
LAN - 192.168.1.0/24
E0
192.168.2.1/24
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.1 1.3 1.4 2.2 2.3 2.4 3.2 3.3 3.4
192.168.1.2 is accessing 192.168.2.2
1.2
HYD
CHE
BAN
Naveen Patel
1.2 2.2
Source IP
192.168.1.2

Destination IP
192.168.2.2
access-list 5 deny 192.168.1.2 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
Source IP
192.168.1.2
Naveen Patel
1.2 2.2
Source IP
192.168.1.2

Destination IP
192.168.2.2
Source IP
192.168.1.2
access-list 5 deny 192.168.1.2 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
Naveen Patel
E0
192.168.1.1/24
LAN - 192.168.1.0/24
E0
192.168.2.1/24
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.3 2.2 2.3 2.4 3.2 3.3 3.4
192.168.1.3 is accessing 192.168.2.2
1.4
HYD
CHE
BAN
Naveen Patel
1.3 2.2
Source IP
192.168.1.3

Destination IP
192.168.2.2
access-list 5 deny 192.168.1.2 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
Source IP
192.168.1.3
x
Naveen Patel
1.3 2.2
Source IP
192.168.1.3

Destination IP
192.168.2.2
Source IP
192.168.1.3
x
access-list 5 deny 192.168.1.2 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
Naveen Patel
1.3 2.2
Source IP
192.168.1.3

Destination IP
192.168.2.2
Source IP
192.168.1.3
access-list 5 deny 192.168.1.2 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
Naveen Patel
1.3 2.1
Source IP
192.168.1.3

Destination IP
192.168.2.2
Source IP
192.168.1.3
access-list 5 deny 192.168.1.2 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
Naveen Patel
E0
192.168.1.150/24
LAN - 192.168.1.0/24
E0
192.168.2.150/24
LAN - 192.168.2.0/24
E0
192.168.3.150/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.4 2.2 2.3 2.4 3.1 3.3 3.4
192.168.3.2 is accessing 192.168.2.2
3.2
HYD
CHE
BAN
Naveen Patel
3.1 2.1
Source IP
192.168.3.1

Destination IP
192.168.2.1
access-list 5 deny 192.168.1.1 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
Source IP
192.168.3.1
x
Naveen Patel
3.1 2.1
Source IP
192.168.3.1

Destination IP
192.168.2.1
access-list 5 deny 192.168.1.1 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
Source IP
192.168.3.1
Naveen Patel
3.1 2.1
Source IP
192.168.3.1

Destination IP
192.168.2.1
access-list 5 deny 192.168.1.1 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
Naveen Patel
Extended ACL - Network Diagram
E0
192.168.1.1/24
LAN - 192.168.1.0/24
E0
192.168.2.1/24
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.4 2.2 2.3 2.4 3.2 3.3 3.4
192.168.2.0 should not access with 192.168.3.2 (Web Service)
HYD
CHE
BAN
Creation and
Implementation
is done Closest
to the Source.
Naveen Patel
How Extended ACL Works ?
E0
192.168.1.1/24
LAN - 192.168.1.0/24
E0
192.168.2.1/24
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.4 2.1 2.3 2.4 3.2 3.3 3.4
192.168.2.2 is accessing 192.168.3.2 - Web Service
2.2
HYD BAN
CHE
Naveen Patel
2.2 3.2
Source IP
192.168.2.2
Destination IP
192.168.3.2
Port - 80
access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.2 0.0.0.0 eq 80
access-list 101 permit ip any any
Source IP
192.168.2.2
Destination IP
192.168.3.2
Port - 80
Naveen Patel
2.2 3.2
Source IP
192.168.2.2
Destination IP
192.168.3.2
Port - 80
Naveen Patel
E0
192.168.1.1/24
LAN - 192.168.1.0/24
E0
192.168.2.1/24
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.4 2.1 2.3 2.4 3.2 3.3 3.4
192.168.2.2 is accessing 192.168.3.2 Telnet Service
2.2
HYD
CHE
BAN
Naveen Patel
2.2 3.2
Source IP
192.168.2.2
Destination IP
192.168.3.2
Port - 23
Source IP
192.168.2.2
Destination IP
192.168.3.2
Port - 23
x
Naveen Patel
2.2 3.2
Source IP
192.168.2.2
Destination IP
192.168.3.2
Port - 23
Source IP
192.168.2.2
Destination IP
192.168.3.2
Port - 23
Naveen Patel
2.2 3.2
Source IP
192.168.2.2
Destination IP
192.168.3.2
Port - 23
Source IP
192.168.2.2
Naveen Patel
E0
192.168.1.1/24
LAN - 192.168.1.0/24
E0
192.168.2.1/24
LAN - 192.168.2.0/24
E0
192.168.3.1/24
LAN - 192.168.3.0/24
10.0.0.1/8
S0
S1
10.0.0.2/8
11.0.0.1/8
S0
S1
11.0.0.2/8
1.2 1.3 1.4 2.1 2.3 2.4 3.2 3.3 3.4
192.168.2.2 is accessing 192.168.1.2 - Web Service
2.2
HYD
CHE
BAN
Naveen Patel
2.2 1.2
Source IP
192.168.2.2
Destination IP
192.168.1.2
Port - 80
x
Source IP
192.168.2.2
Destination IP
192.168.1.2
Port - 80
Naveen Patel
2.2 1.2
Source IP
192.168.2.2
Destination IP
192.168.1.2
Port - 80
Source IP
192.168.2.2
Destination IP
192.168.1.2
Port - 80
Naveen Patel
2.2 1.2
Source IP
192.168.2.1
Destination IP
192.168.1.2
Port - 80
Source IP
192.168.2.2
Naveen Patel
Access-lists are identified using Names
rather than Numbers.
Names are Case-Sensitive
No limitation of Numbers here.
One Main Advantage is Editing of ACL is Possible (i.e)
Removing a specific statement from the ACL is
possible.
(IOS version 11.2 or later allows Named ACL)

Named Access List
Naveen Patel
Standard Named Access List
Creation of Standard Named Access List
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address>
<source wildcard mask>

Implementation of Standard Named Access List
Router(config)#interface <interface type><interface no>
Router(config-if)#ip access-group <name> <out/in>
Naveen Patel
Extended Named Access List
Creation of Extended Named Access List
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit/deny> <protocol>
<source address> <source wildcard mask> <destination
address> < destination wildcard mask> <operator>
<service>
Implementation of Extended Named Access List
Router(config-if)#ip access-group <name> <out/in>
Naveen Patel
Naveen Patel
telnet 192.168.1.1
================================
Welcome to Hyderabad Router
================================
User Access Verification
password :
****
****
enable
show ip route
Hyderabad>
password :
Hyderabad#

Gateway of last resort is not set

C 10.0.0.0/8 is directly connected, Serial0
R 11.0.0.0/8 [120/1] via 10.0.0.2, 00:00:25, Serial0
C 192.168.1.0/24 is directly connected, Ethernet0
R 192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:25, Serial0
R 192.168.3.0/24 [120/2] via 10.0.0.2, 00:00:25, Serial0
Hyderabad#
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\>
Connecting .....
Naveen Patel
================================
Welcome to Chennai Router
================================
password :
****
****
enable
show ip route
Chennai>
password :
Chennai#


R 192.168.1.0/24 [120/1] via 10.0.0.1, 00:00:01, Serial1
R 192.168.3.0/24 [120/1] via 11.0.0.2, 00:00:12, Serial0
Chennai#

C:\>
Connecting .....
telnet 192.168.2.1
Naveen Patel
================================
Welcome to Banglore Router
================================
password :
****
****
enable
show ip route
Banglore>
password :
Banglore#


R 10.0.0.0/8 [120/1] via 11.0.0.1, 00:00:04, Serial1
R 192.168.1.0/24 [120/2] via 11.0.0.1, 00:00:04, Serial1
R 192.168.2.0/24 [120/1] via 11.0.0.1, 00:00:04, Serial1
Banglore#

C:\>
Connecting .....
telnet 192.168.3.1
Naveen Patel
Chennai(config-if)#
Chennai(config-if)#
================================
Welcome to Chennai Router
================================
password :
****
****
enable
configure terminal
ip address 10.0.0.2 255.0.0.0
no shut
encapsulation hdlc
interface serial 0
Chennai>
password :
Chennai#
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)#
Chennai(config-if)#
Chennai(config-if)#
Chennai(config-if)#
Chennai(config-if)#
C:\>
Connecting .....
Chennai(config-if)#
telnet 192.168.2.1
interface serial 1
ip address 11.0.0.1 255.0.0.0
no shut
encapsulation hdlc
Naveen Patel
configure terminal Chennai#
Chennai(config)#
access-list 1 deny 192.168.1.3 0.0.0.0 Chennai(config)#
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 permit any Chennai(config)#
Chennai(config)#
ip access-group 1 out Chennai(config-if)#
interface ethernet 0
Chennai(config-if)#
Creation of Standard Access List
Router(config)# access-list <acl no> <permit/deny>
<source address> <source wildcard mask>

Implementation of Standard Access List
Router(config-if)#ip access-group <number> <out/in>
Naveen Patel
Chennai(config)#
access-list 1 deny 192.168.1.2 0.0.0.0
Chennai(config)#
Chennai(config-if)#
Chennai#
^Z
show ip access-list
Standard IP access list 1
deny 192.168.1.2
deny 192.168.1.3
permit any
Chennai#
Naveen Patel
Chennai# show ip int e0
Ethernet0 is up, line protocol is up
Internet address is 192.168.2.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is 1
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP multicast fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
Policy routing is disabled
Network address translation is disabled
Chennai#
Naveen Patel
Chennai(config)#
access-list 5 deny 192.168.1.2 0.0.0.0
Chennai(config)#
Chennai(config-if)#
Chennai#
^Z
show ip access-list
Standard IP access list 5
deny 192.168.1.2
deny 192.168.3.0
permit any
Chennai#
Naveen Patel
MTU is 1500 bytes
Outgoing access list is 5
Inbound access list is not set
Chennai#
Naveen Patel
Chennai(config)#
access-list 5 deny 192.168.1.2 0.0.0.0
Chennai(config)#
Chennai(config-if)#
Implementation of Standard Access List
Creation of Standard Access List
<source address> <source wildcard mask>

Naveen Patel
Chennai(config)#
access-list 101 permit ip any any Chennai(config)#
access-list 101 deny tcp 192.168.2.0
0.0.0.255 192.168.3.2 0.0.0.0 eq 80
Chennai(config)#
ip access-group 101 in Chennai(config-if)#
Chennai(config-if)#
Creation of Extended Access List
<protocol> <source address> <source wildcard mask>
<destination address> < destination wildcard mask>
<operator> <service>
Implementation of Extended Access List
Naveen Patel
Chennai(config)#
access-list 101 permit ip any any Chennai(config)#
access-list 101 deny tcp 192.168.2.0
0.0.0.255 192.168.3.2 0.0.0.0 eq 80
Chennai(config)#
ip access-group 101 in Chennai(config-if)#
Chennai(config-if)#
Chennai#
^Z
show ip access-list
Extended IP access list 101
deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq www
permit ip any any
Chennai#
Naveen Patel
MTU is 1500 bytes
Outgoing access list is not set
Inbound access list is 101
Chennai#

19 ACL Part 2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

19 ACL Part 2

Uploaded by

Copyright:

Available Formats

Naveen Patel

You might also like