Tuesday, May 15, 2012

Access Control List

Security is a very important topic when discussing a well-designed network. Trusted and untrusted areas can be created with a layer three device using access control lists (ACLs). Cisco has two types of access control lists, standard and extended.

Standard (1-99, 1300-1999) filters traffic using only the source IP address.

Extended (100-199, 2000-2699) filters traffic on both source and destination IP address, along with protocol (network layer) and port numbers (transport layer).

Once an ACL is created it must be applied to an interface, inbound or outbound. ACLs have an implicit deny all at the end of each access list, so permit statements are needed or no traffic will pass through the interface. ACLs are read from top to bottom, and adding entries puts them at the end of the list.

In this example the sales department shouldn't have access to marketing but should have access to the internet and finance. A standard access-list will be fine because I'm filtering only by source network.

From the Sales PC I ping the Marketing PC before I create and apply ACLs.

Sales >ping 172.16.60.2

Pinging 172.16.60.2 with 32 bytes of data:

Reply from 172.16.60.2: bytes=32 time=7ms TTL=127
Reply from 172.16.60.2: bytes=32 time=13ms TTL=127
Reply from 172.16.60.2: bytes=32 time=9ms TTL=127
Reply from 172.16.60.2: bytes=32 time=10ms TTL=127

Ping statistics for 172.16.60.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 13ms, Average = 9ms

I created a standard ACL as close to the marketing network as possible so that I don't deny Sales access to other parts of the network. I used the number 10 to represent a standard access list (1-99). The deny statement blocks traffic from the 172.16.40.0/24 network from leaving through interface fe 0/1. Wildcard masks are used in an ACL to define a network. The permit any statement at the end is needed so that other IP traffic can still reach Marketing. The ip access-group command applies an ACL (inbound or outbound) to an interface.


R1(config)#access-list 10 deny 172.16.40.0 0.0.0.255
R1(config)#access-list 10 permit any
R1(config)#int fastethernet 0/1
R1(config-if)#ip access-group 10 out


The show running-config command will show which interface the ACL is applied to.

interface FastEthernet0/1
 ip address 172.16.60.1 255.255.255.0
 ip access-group 10 out
 duplex auto
 speed auto
!
interface Ethernet1/0
 ip address 172.16.50.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
access-list 10 deny 172.16.40.0 0.0.0.255
access-list 10 permit any
!

The show ip access-lists command will show detailed information about the ACL, like how many times each entry has been hit.


R1#show ip access-lists 10
Standard IP access list 10
    deny 172.16.40.0 0.0.0.255 (3 match(es))
    permit any (4 match(es))

Next I tested the ACL: I pinged the Marketing PC and confirmed the access-list is working.

Sales>ping 172.16.60.2

Pinging 172.16.60.2 with 32 bytes of data:

Reply from 172.16.40.1: Destination host unreachable.
Reply from 172.16.40.1: Destination host unreachable.
Reply from 172.16.40.1: Destination host unreachable.
Reply from 172.16.40.1: Destination host unreachable.

Ping statistics for 172.16.60.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Standard ACLs can also be used to prevent telnet/ssh access to a router using the access-class command. Here I want to allow access only from my host 192.168.10.2 and to deny everyone else access to vty 0 4.


R1(config)#access-list 5 permit host 192.168.10.2
R1(config)#line vty 0 4
R1(config-line)#access-class 5 in

In this diagram, I want to allow web access to the finance server from host B only and deny access from everyone else. A standard access-list can only filter by source address, so an extended ACL will be used. First I created a statement to allow web traffic to the finance server from host B, then a statement to deny web traffic from the entire subnet. Lastly, a statement to allow all other IP traffic anywhere. Order is important here because if I had denied the entire subnet first, the packet would never have had a chance to reach the permit statement. I applied the ACL to the interface closest to the source for traffic that is destined outbound.


R1(config)#access-list 101 permit tcp host 192.168.177.2 host 172.22.89.26 eq www
R1(config)#access-list 101 deny tcp 192.168.177.0 0.0.0.255 any eq www
R1(config)#access-list 101 permit ip any any
R1(config)#int fastEthernet 0/0
R1(config-if)#ip access-group 101 in
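To make the rules above concrete (wildcard masks, top-down first-match evaluation, the implicit deny, the hit counters from show ip access-lists, and why the order of ACL 101 matters), here is a small Python model of how these numbered lists are evaluated. It is an added example, not part of the original post and not Cisco code: the function and class names (Entry, Packet, parse_line, build, evaluate, show, reordered_demo) are this example's own, and the only real data are the access-list lines already shown in the post. Applying a list to an interface with ip access-group or access-class is not modelled; the code only answers what a given list decides for a given packet.

```python
# Added example (not from the original post): a small Python model of how
# Cisco numbered ACLs are evaluated; the names here are this example's own.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}  # names IOS accepts after 'eq'

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard: a 0 bit must match, a 1 bit is don't-care (/24 -> 0.0.0.255)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # standard lists check the source only
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None
    matches: int = 0             # hit counter, as in 'show ip access-lists'

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None

def parse_addr(t, i):
    """Consume one address spec (any | host A | A WILDCARD) at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_line(line):
    """Parse one 'access-list N ...' line into (N, Entry)."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard range
        src, wc, _ = parse_addr(t, 3)
        return number, Entry(action, "ip", src, wc)
    proto = t[3]                                      # extended range
    src, swc, i = parse_addr(t, 4)
    dst, dwc, i = parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return number, Entry(action, proto, src, swc, dst, dwc, port)

def build(lines):
    """Group entries by list number; each new entry goes to the END."""
    acls = {}
    for line in lines:
        n, e = parse_line(line)
        acls.setdefault(n, []).append(e)
    return acls

def evaluate(acl, pkt):
    """Top-down, first match wins; no match at all is the implicit deny."""
    for e in acl:
        if ((e.proto == "ip" or e.proto == pkt.proto)
                and wildcard_match(pkt.src, e.src, e.src_wc)
                and wildcard_match(pkt.dst, e.dst, e.dst_wc)
                and (e.dst_port is None or e.dst_port == pkt.dst_port)):
            e.matches += 1
            return e.action
    return "deny"

# The post's lines: ACL 5 (vty access-class), 10 (fe0/1 out), 101 (fe0/0 in).
CONFIG = [
    "access-list 5 permit host 192.168.10.2",
    "access-list 10 deny 172.16.40.0 0.0.0.255",
    "access-list 10 permit any",
    "access-list 101 permit tcp host 192.168.177.2 host 172.22.89.26 eq www",
    "access-list 101 deny tcp 192.168.177.0 0.0.0.255 any eq www",
    "access-list 101 permit ip any any",
]
ACLS = build(CONFIG)

def reordered_demo():
    """Order matters: with the subnet deny ahead of the host permit, host B's
    web traffic is dropped because the deny is hit first."""
    acl = build([CONFIG[4], CONFIG[3], CONFIG[5]])[101]
    return evaluate(acl, Packet("192.168.177.2", "172.22.89.26", "tcp", 80))

def show(number):
    """Per-entry hit counts, like 'show ip access-lists N'."""
    return [(e.action, e.matches) for e in ACLS[number]]

if __name__ == "__main__":
    print(evaluate(ACLS[10], Packet("172.16.40.2", "172.16.60.2", "icmp")))   # Sales -> Marketing
    print(evaluate(ACLS[5], Packet("192.168.10.7", "172.16.60.1", "tcp", 23)))  # implicit deny
    print(reordered_demo(), show(10))
```

Running it reproduces the post's results: a ping from the Sales network (172.16.40.x) is denied by ACL 10 while 172.16.50.x is permitted, a telnet attempt from any host other than 192.168.10.2 falls off the end of ACL 5 and hits the implicit deny, and swapping the first two lines of ACL 101 changes host B's web access from permit to deny.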

