Thursday 28 November 2013

How to Configure Named Access Control Lists

Real World Application:

The main drawback of numbered access lists was the inability to edit a particular line in the list. The only way to do so was to copy the ACL into a text editor, edit the lines there, then delete the ACL completely and re-add it. Numbered access lists can still be found in networks around the world, but engineers now commonly use named access lists, at a minimum to gain the ability to edit an ACL line by line on the fly. A named ACL also has the great advantage of a descriptive name: with an ACL named "VTY_ACCESS", it's pretty obvious that the ACL controls access to the vty lines.

Lab Objectives:

  • Configure a standard named access list called INSIDE_IN that permits only the network 10.1.1.0/24 inbound, with an explicit deny statement on line 500 that logs denied traffic. This access list is applied inbound on interface Fa0/1.
  • Configure an extended named access list called OUTSIDE_IN that denies all IP traffic from host 71.23.44.50, denies TCP traffic from host 204.221.190.5 to eq www, and permits all other traffic. This access list is applied inbound on interface FastEthernet0/0.

Lab Instruction:

Named access lists work like numbered access lists, with the addition of a name and a sequence (line) number on each entry. You can now specify on which line an ACE is placed in the ACL. For example, if you have an ACL with lines 5, 10, 15, 20, 25 and 30 and you need to add an entry between lines 10 and 15, or between 15 and 20, you can now do so without removing the entire access list. A new ACE is entered in named access list configuration mode, prefixed with the specific line number it should occupy.

Step 1. The first lab objective is to create a standard named access list that permits only the network 10.1.1.0/24 and, on line 500, has a deny ACE that logs all denied traffic. The syntax used to accomplish this is ip access-list standard ACLNAME, as shown below.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list standard INSIDE_IN
R1(config-std-nacl)#

Once in named access list configuration mode, it is common to start each ACE with a specific line number. If no line number is specified, the ACE is placed at the bottom of the ACL. It is common to increment the ACL line numbers by 5 or 10. To complete the first lab objective, configure line 10 to permit 10.1.1.0/24 and line 500 to explicitly deny all other traffic with logging enabled.

R1(config-std-nacl)#10 permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)#500 deny any log

Now, in order to apply this named access list to an interface, you must navigate to the correct interface and execute the ip access-group command followed by the ACL name and direction, as shown below:

R1(config-std-nacl)#exit
R1(config)#int f0/1
R1(config-if)#ip access-group INSIDE_IN in

You can verify your access list configuration by executing the show access-list command:

R1(config-if)#do show access-list
Standard IP access list INSIDE_IN
10 permit 10.1.1.0, wildcard bits 0.0.0.255
500 deny   any log
R1(config-if)#

As you can see, there is plenty of room between line 10 and the explicit deny on line 500 to inject additional access control entries at a later time.

Step 2. Configure an extended named access list called OUTSIDE_IN that denies all IP traffic from host 71.23.44.50, denies TCP traffic from host 204.221.190.5 to eq www, and permits all other traffic. This access list is applied inbound on interface Fa0/0.

R1(config-if)#exit
R1(config)#ip access-list extended OUTSIDE_IN
R1(config-ext-nacl)#10 deny ip host 71.23.44.50 any
R1(config-ext-nacl)#20 deny tcp host 204.221.190.5 any eq www
R1(config-ext-nacl)#500 permit ip any any

Now apply the new extended named access list you created inbound on R1's FastEthernet0/0 interface, as follows:

R1(config-ext-nacl)#exit
R1(config)#int f0/0
R1(config-if)#ip access-group OUTSIDE_IN in

To verify your access list configuration, execute the show access-list OUTSIDE_IN command from privileged mode, or from configuration mode by prefixing it with do, as shown below:

R1(config-ext-nacl)#do sh access-list OUTSIDE_IN
Extended IP access list OUTSIDE_IN
10 deny ip host 71.23.44.50 any
20 deny tcp host 204.221.190.5 any eq www
500 permit ip any any
R1(config-ext-nacl)#
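To make the sequence numbers and the top-down, first-match evaluation concrete, here is an added Python model of how IOS walks a named ACL. This is example code written for this post, not Cisco IOS code and not part of the original lab. It parses the INSIDE_IN and OUTSIDE_IN entries exactly as typed above, evaluates constructed sample packets until the first matching ACE, applies the implicit deny that ends every IOS ACL, and shows that an ACE inserted between line 10 and line 500 only takes effect for packets that line 10 has not already permitted. The packet addresses, the host 10.1.1.99 and the NO_PERMIT list are constructed for the example, and only the eq port operator and a handful of IOS port keywords are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Subset of the IOS port keywords; "www" is the one used in the lab.
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53}
# "any" is address 0.0.0.0 with wildcard 255.255.255.255 (every bit is a don't-care).
ANY = (0, 0xFFFFFFFF)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one IOS address spec ('any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W')
    and return ((address, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _matches(spec, addr: int) -> bool:
    # Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored.
    base, wild = spec
    return ((base ^ addr) & ~wild & 0xFFFFFFFF) == 0


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: Tuple[int, int]
    dst: Tuple[int, int]
    dport: Optional[int]   # only "eq <port>" is modelled
    log: bool


def parse_ace(line: str, kind: str) -> Ace:
    """Parse one line exactly as typed in (config-std-nacl) / (config-ext-nacl) mode."""
    tokens = line.split()
    seq, action, rest = int(tokens[0]), tokens[1], tokens[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if kind == "standard":
        # Standard ACLs match on source only; a bare address means a single host.
        if len(rest) == 1 and rest[0] != "any":
            rest = ["host", rest[0]]
        src, _ = _parse_addr(rest)
        return Ace(seq, action, "ip", src, ANY, None, log)
    proto, rest = rest[0], rest[1:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(seq, action, proto, src, dst, dport, log)


class NamedAcl:
    """Entries are keyed by sequence number and evaluated in ascending order."""

    def __init__(self, name: str, kind: str):
        self.name, self.kind, self.aces = name, kind, {}

    def add(self, line: str) -> Ace:
        ace = parse_ace(line, self.kind)
        if ace.seq in self.aces:
            raise ValueError(f"sequence {ace.seq} already in use in {self.name}")
        self.aces[ace.seq] = ace
        return ace

    def remove(self, seq: int) -> None:
        del self.aces[seq]            # like "no <seq>": removes one line only

    def entries(self):
        return [self.aces[s] for s in sorted(self.aces)]

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None):
        """Return (action, matched sequence or None, logged) for one packet."""
        s, d = _ip(src), _ip(dst)
        for ace in self.entries():
            if ace.proto != "ip" and ace.proto != proto:
                continue
            if not (_matches(ace.src, s) and _matches(ace.dst, d)):
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return ace.action, ace.seq, ace.log     # first match wins
        return "deny", None, False                   # implicit, unlogged deny at the end


def build_lab_acls():
    """The two ACLs from the lab, entered line for line."""
    inside = NamedAcl("INSIDE_IN", "standard")
    inside.add("10 permit 10.1.1.0 0.0.0.255")
    inside.add("500 deny any log")
    outside = NamedAcl("OUTSIDE_IN", "extended")
    outside.add("10 deny ip host 71.23.44.50 any")
    outside.add("20 deny tcp host 204.221.190.5 any eq www")
    outside.add("500 permit ip any any")
    return inside, outside


if __name__ == "__main__":
    inside, outside = build_lab_acls()
    print(inside.evaluate("tcp", "10.1.2.7", "203.0.113.10", 443))   # constructed packet
    inside.add("15 deny host 10.1.1.99 log")                         # constructed host
    print(inside.evaluate("tcp", "10.1.1.99", "203.0.113.10", 443))  # line 10 still wins
```

The last two lines in the main block are the point of the model: a deny for 10.1.1.99 placed at line 15 never matches, because line 10 has already permitted the entire 10.1.1.0/24 network. To carve one host out of a permitted network, the deny has to be sequenced before the permit (line 5, for instance), which is exactly the kind of edit a named ACL allows without rebuilding the list. The unlogged implicit deny at the end is also why an explicit deny any log on line 500 is worth having: without it, dropped packets leave no trace.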
