Thursday 28 November 2013

How to Configure Numbered ACLs

Real World Application:

Access control lists are the foundation of all network security. An ACL on a device controls traffic and prevents unwanted traffic from a specific source reaching a specific destination. This lab discusses and demonstrates numbered access lists, which are no longer common now that named access lists offer a clear advantage. The biggest downfall of numbered access lists was the time involved in editing them: you cannot manually sequence ACEs (access control entries), so changing a specific line in the ACL, such as line 10, can be a time-consuming edit.


However, as a Cisco network engineer you will still see numbered access lists in the field, whether from old deployments or from engineers who do not know the newer way of configuring ACLs. Regardless, numbered access lists remain a CCNA certification objective.

Lab Prerequisites:

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start devices R1, R2, and SW1.
  • Establish a console session with devices R1 and R2.
  • Configure R1's FastEthernet0/0 interface with the IP address 10.1.1.1/24 and R2's FastEthernet0/0 interface with 10.1.1.2/24.
  • Verify that you can ping R2's Ethernet interface from R1, and vice versa, before starting this lab.
Lab Instruction:

There are several different ranges of numbered access-list, each used to perform a different type of access control, as shown below in the Cisco CLI context-sensitive help;


R1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <2700-2799>       MPLS access list
  <300-399>         DECnet access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

Step 1. To complete the first objective of this lab you will need to create a standard numbered access list. Referring to the context-sensitive help, you'll notice that standard IP access lists use numbers in the range 1 to 99. You can choose any number in that range, but for demonstration purposes this lab uses 50. The objective is to block inbound traffic from host 10.1.1.2 on R1's FastEthernet0/0 interface while allowing all other communication, as shown in the example;

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 50 deny host 10.1.1.2
R1(config)#access-list 50 permit any

Now that the numbered access-list is created you need to apply it in the ingress direction of interface Fa0/0 on Router 1 as shown below;

R1(config)#interface fa0/0
R1(config-if)#ip access-group 50 in

You can verify your configuration by pinging R1's Fa0/0 interface from R2; as a prerequisite you should have been able to ping that IP before applying the access-list. If configured correctly, your pings will now return Unreachable;

R2>ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2>

You can also verify that the access list is working by running the show access-list command in privileged mode on R1. In the output of the command shown below, you will notice that the first ACE has 8 matches;

R1(config-if)#end
R1#show access-list
Standard IP access list 50
10 deny   10.1.1.2 (8 matches)
20 permit any
R1#

Change the IP address on R2's FastEthernet interface to 10.1.1.3/24 and test your access-list again to verify that traffic from any source other than 10.1.1.2/32 is permitted;

R2>enable
R2#configure terminal
R2(config)#interface fa0/0
R2(config-if)#ip add 10.1.1.3 255.255.255.0
R2(config-if)#end
R2#

Step 2. Now it's time to create a numbered extended access list. As shown earlier in the CLI context-sensitive help, extended access lists use the numbers 100 to 199, and Cisco later added expanded ranges for both standard and extended numbered access lists. For this objective you need to create an access list that blocks Telnet traffic leaving R1's Fa0/0 interface toward host 10.1.1.3 while allowing all other communication. Because Telnet runs over TCP, the ACE must match TCP traffic only and, specifically, traffic whose destination port is Telnet (eq telnet, TCP port 23), as shown below;

R1#configure terminal
R1(config)#access-list 150 deny tcp any host 10.1.1.3 eq telnet 
R1(config)#access-list 150 permit ip any any

This access list now needs to be applied in the outbound direction on R1's Fa0/0 interface;

R1(config)#interface fa0/0
R1(config-if)#ip access-group 150 out

Because of the way Cisco devices handle traffic they originate themselves, this objective cannot be tested until another network and a static route are configured, which is covered in a later section. Traffic generated by the router itself is not processed by an outbound access list. However, any Telnet traffic from another network that transits R1 toward host 10.1.1.3 will be dropped.

Both inbound and outbound access lists can be configured on a Cisco device. Think of the router as the traffic police: it decides which traffic is authorized to pass and which traffic gets dropped.

As a general rule of thumb when dealing with access lists, the most effective placement is to put extended access lists as close to the source as possible and standard access lists as close to the destination as possible.

Also bear in mind that there is an implicit deny at the end of every access list, which means you do not need to configure a deny statement yourself: ending the access list with "deny any" has the same effect. Therefore, by default, any traffic you have not explicitly permitted will be dropped. Engineers often place an explicit deny statement at the end of an access list anyway, as a troubleshooting method that logs the denied traffic.
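To make the evaluation rules used in Step 1, Step 2 and the implicit-deny paragraph above concrete, here is an added Python model written for this page (it is not Cisco IOS code or the workbook's own material). It parses the numbered access-list lines configured in this lab and replays packets through them the way the router does: top-down, first matching ACE wins and its counter increments (the "(8 matches)" seen in show access-list), anything that matches nothing falls to the implicit deny, and router-originated traffic skips the outbound check. It goes slightly beyond the lab by also handling wildcard masks and source ports. ACL 160, the packet dictionaries and the port keyword table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed config: the two numbered ACLs from this lab, plus ACL 160 (constructed,
# not from the lab) which has no permit entry, to show the implicit deny in action.
ACL_CONFIG = """
access-list 50 deny host 10.1.1.2
access-list 50 permit any
access-list 150 deny tcp any host 10.1.1.3 eq telnet
access-list 150 permit ip any any
access-list 160 deny tcp any any eq 23
"""

PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25}  # IOS keywords accepted after "eq"
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255: every bit is "don't care"

@dataclass
class Ace:
    seq: int
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches any IP protocol; "tcp"/"udp"/"icmp" are specific
    src: tuple                     # (address, wildcard) as integers
    dst: tuple                     # standard ACLs match on source only, so dst is ANY
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    matches: int = 0               # the counter behind "(N matches)" in show access-list

@dataclass
class Acl:
    number: int
    kind: str                      # "standard" or "extended", decided by the number range
    aces: list = field(default_factory=list)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens, i):
    """Consume an IOS address spec (any | host A | A WILDCARD | A) -> ((addr, wildcard), next_i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    addr = _ip(tokens[i])
    try:                                        # is an explicit wildcard mask next?
        return (addr, _ip(tokens[i + 1])), i + 2
    except (IndexError, ValueError):
        return (addr, 0), i + 1                 # bare address means a single host

def _parse_port(tokens, i):
    """Consume an optional 'eq <port|keyword>' -> (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_config(text):
    """Parse 'access-list N <permit|deny> ...' lines; ACEs are numbered 10, 20, ... in order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        number, action = int(tokens[1]), tokens[2]
        # Standard ranges taken from the IOS context-sensitive help shown in the lab.
        standard = 1 <= number <= 99 or 1300 <= number <= 1999
        acl = acls.setdefault(number, Acl(number, "standard" if standard else "extended"))
        seq = 10 * (len(acl.aces) + 1)
        if standard:
            src, _ = _parse_addr(tokens, 3)
            acl.aces.append(Ace(seq, action, "ip", src, ANY))
        else:
            src, i = _parse_addr(tokens, 4)
            sport, i = _parse_port(tokens, i)
            dst, i = _parse_addr(tokens, i)
            dport, i = _parse_port(tokens, i)
            acl.aces.append(Ace(seq, action, tokens[3], src, dst, sport, dport))
    return acls

def _addr_match(spec, ip):
    addr, wildcard = spec
    # Bits set in the wildcard are ignored; every other bit must equal the ACE address.
    return ((_ip(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def _ace_match(ace, pkt):
    if ace.protocol != "ip" and ace.protocol != pkt["proto"]:
        return False
    if ace.src_port is not None and pkt.get("sport") != ace.src_port:
        return False
    if ace.dst_port is not None and pkt.get("dport") != ace.dst_port:
        return False
    return _addr_match(ace.src, pkt["src"]) and _addr_match(ace.dst, pkt["dst"])

def evaluate(acl, pkt, router_originated=False):
    """Top-down, first match wins; a packet matching no ACE hits the implicit deny.

    Packets the router generates itself are not checked against an outbound ACL, which is
    why the lab's Telnet filter cannot be tested from a telnet session started on R1.
    """
    if router_originated:
        return "permit"
    for ace in acl.aces:
        if _ace_match(ace, pkt):
            ace.matches += 1
            return ace.action
    return "deny"
```

Replaying five ICMP echoes from 10.1.1.2 through ACL 50 leaves the first ACE with 5 matches and the permit entry untouched, mirroring the show access-list output above; a Telnet packet to 10.1.1.3 is denied by ACL 150 while the same packet to port 80, to another host, or over UDP is permitted; and ACL 160, which only has a deny entry, denies everything because nothing can reach a permit.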
