> An access list is a layer-3 security feature that controls the flow of traffic from one router to another.
> It is also called a packet filtering firewall.
Access lists are of two types:
1.) Standard Access List (1-99)
2.) Extended Access List (100-199)
Any access list is identified by its number.
Standard Access List
1.) Can block a network, host & subnet.
2.) Two-way communication is stopped.
3.) All services are blocked (ex. Telnet).
4.) Implemented closest to the destination.
5.) Filtering is done based on only the source IP address.
Extended Access List
1.) Can block a network, host, subnet & services.
2.) One-way communication is stopped.
3.) Selected services can be blocked.
4.) Implemented closest to the source.
Access list in and out explained:-
Access list in (Inbound):- Traffic coming towards the router interface. It is checked before the router makes its forwarding (routing) decision.
Access list out (Outbound):- Traffic leaving the router interface. It is checked after the router has made its forwarding decision and determined the exit interface to use.
1.) Access List Configuration:-
======================================
Topology:-
=======================================================
Tosif Router Configuration
Router>en
Router#configure terminal
Router(config)#hostname Tosif
Tosif(config)#interface gigabitEthernet 0/1
Tosif(config-if)#ip address 192.168.0.1 255.255.255.0
Tosif(config-if)#no shutdown
Tosif(config-if)#exit
Tosif(config)#interface gigabitEthernet 0/0
Tosif(config-if)#ip address 10.0.0.1 255.0.0.0
Tosif(config-if)#no shutdown
Tosif(config-if)#exit
Tosif(config)#exit
Tosif#write {To save the Configuration}
========================================================
Mizen Router Configuration
Router>en
Router#configure terminal
Router(config)#hostname Mizen
Mizen(config)#interface gigabitEthernet 0/1
Mizen(config-if)#ip address 172.168.0.1 255.255.0.0
Mizen(config-if)#no shutdown
Mizen(config-if)#exit
Mizen(config)#interface gigabitEthernet 0/0
Mizen(config-if)#ip address 10.0.0.2 255.0.0.0
Mizen(config-if)#no shutdown
Mizen(config-if)#exit
Mizen(config)#exit
Mizen#write {To save the Configuration}
==========================================================
Apply any Routing Protocol
Note:- In this topology I am using RIP. It is enabled on the directly connected networks.
Tosif Router RIP Configuration
Tosif(config)#router rip
Tosif(config-router)#network 192.168.0.0
Tosif(config-router)#network 10.0.0.0
Tosif(config-router)#exit
Mizen Router RIP Configuration
Mizen(config)#router rip
Mizen(config-router)#network 172.168.0.0
Mizen(config-router)#network 10.0.0.0
Mizen(config-router)#exit
Done
Note:- You can verify this routing configuration using this command:
Tosif#show ip route {It will show you the connected routes}
==========================================================
Standard Access List configuration in this topology
Mizen(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
Mizen(config)#access-list 12 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
Mizen(config)#access-list 12 deny 172.168.0.40 {Enter}
Mizen(config)#access-list 12 permit any {Enter}
Mizen(config)#interface gigabitEthernet 0/0
Mizen(config-if)#ip access-group 12 out
Mizen(config-if)#exit
Mizen(config)#exit
Mizen#write
The same list can also be applied inbound on gigabitEthernet 0/1, the interface facing the source:
Mizen#configure terminal
Mizen(config)#interface gigabitEthernet 0/1
Mizen(config-if)#ip access-group 12 in
Mizen(config-if)#exit
Mizen(config)#exit
Mizen#write
Standard access list configuration is done now.
==========================================================
Extended Access List configuration in this topology
Mizen(config)#access-list ?
<100-199> IP extended access list
Mizen(config)#access-list 101 deny ?
Which service do you want to block? Select from the list below.
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Mizen(config)#access-list 101 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
Mizen(config)#access-list 101 deny tcp 172.168.0.40 ?
A.B.C.D Source wildcard bits {The wildcard mask is the inverse of the subnet mask}
Mizen(config)#access-list 101 deny tcp 172.168.0.40 0.0.255.255 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
Mizen(config)#access-list 101 deny tcp 172.168.0.40 0.0.255.255 192.168.0.2 ?
A.B.C.D Destination wildcard bits
Mizen(config)#access-list 101 deny tcp 172.168.0.40 0.0.255.255 192.168.0.2 0.0.0.255 ?
dscp Match packets with given dscp value
eq Match only packets on a given port number
established established
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
<cr>
Mizen(config)#access-list 101 deny tcp 172.168.0.40 0.0.255.255 192.168.0.2 0.0.0.255 eq ?
<0-65535> Port number
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
Mizen(config)#access-list 101 deny tcp 172.168.0.40 0.0.255.255 192.168.0.2 0.0.0.255 eq telnet
Mizen(config)#access-list 101 permit ip any any {Enter}
Mizen(config)#interface gigabitEthernet 0/0
Mizen(config-if)#ip access-group 101 out {Now outgoing traffic on this interface is filtered by access list 101}
Mizen(config-if)#exit
Mizen(config)#exit
Mizen#write
Done
Note:- Telnet from the source computer (172.168.0.40) to the destination computer (192.168.0.2) is now blocked.
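To check how the two lists above actually filter, here is an added Python model (not part of the lab and not IOS code) that parses the access-list lines exactly as typed on Mizen, applies wildcard-mask matching with first-match-wins and the implicit deny at the end, and evaluates constructed sample packets; the packet dictionary fields, the function names and the port-name table are my own assumptions.

```python
import ipaddress

# Assumed mapping of the IOS port keywords shown in the "eq ?" help to port numbers.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must equal the base address, 1 bits are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]'; a missing wildcard means 0.0.0.0 (one host)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line into a matching rule."""
    t = line.split()
    num, action, rest = int(t[1]), t[2], t[3:]
    rule = {"action": action, "proto": "ip", "dst": ("0.0.0.0", "255.255.255.255"), "port": None}
    if 1 <= num <= 99:                       # standard list: source address only
        rule["src"], rest = parse_addr(rest)
        return rule
    rule["proto"], rest = rest[0], rest[1:]  # extended list: protocol, source, destination, port
    rule["src"], rest = parse_addr(rest)
    rule["dst"], rest = parse_addr(rest)
    if rest[:1] == ["eq"]:
        rule["port"] = PORT_NAMES.get(rest[1]) or int(rest[1])
    return rule

def evaluate(acl_lines, pkt):
    """Walk the list top-down; the first match wins, and an unmatched packet hits the implicit deny."""
    for rule in map(parse_entry, acl_lines):
        if (rule["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *rule["src"])
                and wildcard_match(pkt["dst"], *rule["dst"])
                and rule["port"] in (None, pkt["dport"])):
            return rule["action"]
    return "deny"

# Constructed input: the two lists from the lab, exactly as entered on Mizen.
ACL_12 = ["access-list 12 deny 172.168.0.40", "access-list 12 permit any"]
ACL_101 = ["access-list 101 deny tcp 172.168.0.40 0.0.255.255 192.168.0.2 0.0.0.255 eq telnet",
           "access-list 101 permit ip any any"]
```

Running it shows that, because the lab's wildcards are 0.0.255.255 and 0.0.0.255, the deny entry in list 101 matches Telnet from every host in 172.168.0.0/16 to every host in 192.168.0.0/24, not only the two computers named in the note; to match single hosts use the `host` keyword or a 0.0.0.0 wildcard.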
=========================================================