What is Access-List?
An Access-List (ACL) is a set of rules that permits or denies specific traffic moving through the router. An access list is used to filter unwanted packets when implementing security policies. An ACL is a layer 3 security control that governs the flow of traffic from one router to another; it is also called a packet-filtering firewall.
How access-list works
The packet is always compared with each line of the access list in sequential order. This means the rules are matched serially: matching starts with the first line of the access list, then moves to the second line, then the third, and so on.
The packet is compared with the lines of the access list only until a match is made. Once a packet matches the condition on a line, no further comparison takes place and the action of that line (permit or deny) is applied.
There is an implicit deny at the end of every access list: if no line matches, the packet is discarded.
Types of Access-List
Mainly there are two types of access lists:
Standard access lists: These ACLs use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that a standard access list basically permits or denies an entire suite of protocols; it does not distinguish between the many types of IP traffic such as web, Telnet, UDP, HTTP, and so on. When the list is numbered 1-99 or 1300-1999, the router understands it as a standard ACL and treats the specified address as the source IP address.
Key: -
- All decisions are made based on the source IP address.
- The access list number is 1-99 or 1300-1999.
- Can block a network, host, or subnet.
- All services are blocked.
- Implemented closest to the destination.
- Does not distinguish between the many types of IP traffic.
Standard ACL syntax:
Router(config)# access-list <acl no> <permit/deny> <source address> <source WCM>
Extended access lists: An extended access list can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. These ACLs use the source IP, destination IP, source port, and destination port, and we can also specify which type of IP traffic should be allowed or denied. This gives the extended access list the ability to make much more granular decisions when controlling traffic. Extended ACLs use the number ranges 100-199 and 2000-2699.
Key: -
- The access-list number range is 100-199 and 2000-2699.
- We can allow or deny a network, host, subnet, or service.
- Selected services can be blocked.
- Implemented closest to the source.
- Filtering is done based on source IP, destination IP, protocol, and port number.
Extended ACL syntax:
Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source WCM> <destination address> <destination WCM> <operator> <service>
Named access lists:
Key: -
- Access lists are identified using names rather than numbers.
- Names are case-sensitive.
- There is no number limitation here.
- One main advantage is that editing the ACL is possible, i.e. a specific statement can be removed from the ACL.
- IOS version 11.2 or later supports named ACLs.
Named ACL syntax:
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address> <source WCM>
When we create an access list on the router, it does nothing until it is applied to an interface; it exists on the router but is inactive. We have to tell the router what to do with the ACL. To use the access list as a packet filter, apply it to the interface of the router where you want the traffic filtered, and specify which direction of traffic the access list applies to. Once the access list is created, it must be applied inbound or outbound on the interface.
Inbound ACLs - When an access list is applied to inbound packets on an interface, those packets are processed through the ACL before being routed to the outbound interface. Any packet that is denied is discarded and is never routed.
Outbound ACLs - When an access list is applied to outbound packets on an interface, packets are first routed to the outbound interface and then processed through the access list before being queued.
How to write an ACL statement
First understand the situation: what we want to achieve, on which router we are going to implement the ACL, the source and destination addresses, and the traffic direction (inbound or outbound). Make sure the router on which we implement the ACL is a transit router for that traffic.
What is a time-based ACL?
A time-based access list is a type of access list that permits network access on the basis of a given time period. It is useful when you want to restrict outbound or inbound traffic on particular days and during particular time periods, for example to block specific traffic on certain days or during business hours.
- ACLs work in sequential order.
- Standard ACLs are usually (not always) applied close to the destination.
- Extended ACLs are usually (not always) applied close to the source.
- We can assign only one ACL per interface per protocol per direction, i.e. only one inbound and one outbound ACL is permitted per interface.
- All deny statements should be given first (best practice).
- You cannot remove a single rule from a numbered ACL: when we try to remove one rule, the whole access list is removed. With named ACLs we can delete individual entries.
- An implicit deny blocks all traffic by default when there is no match (an invisible statement at the end of the list).
- Any time a new entry is added to the access list, it is placed at the bottom of the list, so using a text editor to prepare access lists is highly suggested.
- Standard access lists and extended access lists cannot have the same name.
Wildcard mask: tells the router which bits of the address to match or ignore. A 0 bit means the bit must match and a 1 bit means ignore. The wildcard mask for a network is the inverse of its subnet mask, and the wildcard mask for a single host is always 0.0.0.0.
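To make the matching rules above concrete, here is an added Python model (not code from the article or from Cisco IOS) of how a router walks an access list: sequential first match, wildcard masks where a 0 bit must match and a 1 bit is ignored, and the implicit deny at the end. It parses entries in the same syntax the labs below use (standard, extended with an optional eq port, and a deny eigrp entry); the packet dictionaries and the protocol list are constructed assumptions for the model.

```python
# Added model of Cisco IOS ACL evaluation (not the article's or IOS's own code):
# sequential first match, wildcard masks, implicit deny at the end of the list.
import ipaddress

PROTOCOLS = ("ip", "tcp", "udp", "icmp", "eigrp", "ospf")  # assumed subset


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask test: a 0 bit in the mask must match, a 1 bit is ignored."""
    ignore = _as_int(wildcard)
    return (_as_int(addr) | ignore) == (_as_int(base) | ignore)


def _take_address(tokens):
    """Consume 'any', 'host A' or 'A WCM' from the front of tokens -> (base, wcm)."""
    word = tokens.pop(0)
    if word == "any":
        return "0.0.0.0", "255.255.255.255"
    if word == "host":
        return tokens.pop(0), "0.0.0.0"
    return word, tokens.pop(0)


def parse_entry(line):
    """Parse one entry as typed on the router, e.g.
         access-list 20 deny host 10.1.1.2               (standard, numbered)
         deny ip 10.0.0.0 0.255.255.255 host 30.1.1.12   (extended, named mode)
         deny tcp any host 30.1.1.12 eq 80               (extended with port)
    """
    tokens = line.split()
    if tokens[0] == "access-list":        # strip 'access-list <number>'
        tokens = tokens[2:]
    entry = {"action": tokens.pop(0), "proto": "ip", "dport": None}
    if tokens[0] in PROTOCOLS:            # extended: protocol, source, destination
        entry["proto"] = tokens.pop(0)
        entry["src"], entry["src_wcm"] = _take_address(tokens)
        entry["dst"], entry["dst_wcm"] = _take_address(tokens)
        if tokens[:1] == ["eq"]:
            entry["dport"] = int(tokens[1])
    else:                                 # standard: source only, any destination
        entry["src"], entry["src_wcm"] = _take_address(tokens)
        entry["dst"], entry["dst_wcm"] = "0.0.0.0", "255.255.255.255"
    return entry


def evaluate(acl, pkt):
    """Walk the list top-down; return (action, sequence number of the matching
    line).  Sequence numbers are 10, 20, ... as IOS assigns them; a sequence
    number of None means no line matched and the implicit deny fired."""
    for index, entry in enumerate(acl, start=1):
        if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], entry["src"], entry["src_wcm"]):
            continue
        if not wildcard_match(pkt["dst"], entry["dst"], entry["dst_wcm"]):
            continue
        if entry["dport"] is not None and pkt.get("dport") != entry["dport"]:
            continue
        return entry["action"], index * 10
    return "deny", None


# The standard ACL 20 from the first lab, exactly as typed on Router-TWO.
ACL_20 = [parse_entry(line) for line in (
    "access-list 20 deny host 10.1.1.2",
    "access-list 20 deny host 10.1.1.4",
    "access-list 20 deny 40.0.0.0 0.255.255.255",
    "access-list 20 permit any",
)]

# The same list without its final permit: every unmatched packet is now dropped.
ACL_20_NO_PERMIT = ACL_20[:3]

if __name__ == "__main__":
    for src in ("10.1.1.2", "10.1.1.3", "40.1.1.4"):   # constructed sample packets
        pkt = {"proto": "icmp", "src": src, "dst": "20.1.1.2"}
        print(src, "->", evaluate(ACL_20, pkt), evaluate(ACL_20_NO_PERMIT, pkt))
```

Feeding the extended lab's entries through parse_entry also shows why a wildcard of 0.255.255.255 behind a host address matches the whole /8 rather than that one host.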
In this article, we are going to configure standard ACLs, extended ACLs, named ACLs, routing ACLs, and time-based ACLs.
Topology: - Standard ACLs
- Configure the topology as per the diagram.
- Assign the IP addresses as per the topology, including the PCs.
- Configure routing (EIGRP) and make sure all the computers can communicate with each other using ping.
- Deny host 10.1.1.2 from communicating with 20.1.1.2, but the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.
- Deny host 10.1.1.4 from communicating with 20.1.1.4, but the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.
- Deny the 40.0.0.0 network from communicating with the 20.1.1.0 network.
- Permit all the remaining traffic.
Router-ONE(config)#interface fastEthernet 0/0
Router-ONE(config-if)#ip address 1.1.1.1 255.0.0.0
Router-ONE(config-if)#no shutdown
Router-ONE(config-if)#exit
Router-ONE(config)#interface fastEthernet 1/0
Router-ONE(config-if)#ip address 10.1.1.1 255.0.0.0
Router-ONE(config-if)#no shutdown
Router-ONE(config-if)#exit
Router-TWO(config)#interface fastEthernet 0/0
Router-TWO(config-if)#ip address 1.1.1.2 255.0.0.0
Router-TWO(config-if)#no shutdown
Router-TWO(config-if)#exit
Router-TWO(config)#interface fastEthernet 1/0
Router-TWO(config-if)#ip address 2.2.2.1 255.0.0.0
Router-TWO(config-if)#no shutdown
Router-TWO(config-if)#exit
Router-TWO(config)#interface fastEthernet 6/0
Router-TWO(config-if)#ip address 20.1.1.1 255.0.0.0
Router-TWO(config-if)#no shutdown
Router-TWO(config-if)#exit
Router-THREE(config)#interface fastEthernet 1/0
Router-THREE(config-if)#ip address 2.2.2.2 255.0.0.0
Router-THREE(config-if)#no shutdown
Router-THREE(config)#interface fastEthernet 8/0
Router-THREE(config-if)#ip address 30.1.1.1 255.0.0.0
Router-THREE(config-if)#no shutdown
Router-THREE(config-if)#exit
Router-THREE(config)#interface fastEthernet 0/0
Router-THREE(config-if)#ip address 3.3.3.1 255.0.0.0
Router-THREE(config-if)#no shutdown
Router-THREE(config-if)#exit
Router-FOUR(config)#interface fastEthernet 0/0
Router-FOUR(config-if)#ip address 3.3.3.2 255.0.0.0
Router-FOUR(config-if)#no shutdown
Router-FOUR(config-if)#exit
Router-FOUR(config)#interface fastEthernet 1/0
Router-FOUR(config-if)#ip address 40.1.1.1 255.0.0.0
Router-FOUR(config-if)#no shutdown
Router-FOUR(config-if)#exit
(Configure the IP addresses on the PCs too, as per the topology.)
Router-ONE#show ip interface brief
Interface        IP-Address   OK? Method Status Protocol
FastEthernet0/0  1.1.1.1      YES manual up     up
FastEthernet1/0  10.1.1.1     YES manual up     up
Router-TWO#show ip interface brief
Interface        IP-Address   OK? Method Status Protocol
FastEthernet0/0  1.1.1.2      YES manual up     up
FastEthernet1/0  2.2.2.1      YES manual up     up
FastEthernet6/0  20.1.1.1     YES manual up     up
Router-THREE#show ip interface brief
Interface        IP-Address   OK? Method Status Protocol
FastEthernet0/0  3.3.3.1      YES manual up     up
FastEthernet1/0  2.2.2.2      YES manual up     up
FastEthernet8/0  30.1.1.1     YES manual up     up
Router-FOUR#show ip interface brief
Interface        IP-Address   OK? Method Status Protocol
FastEthernet0/0  3.3.3.2      YES manual up     up
FastEthernet1/0  40.1.1.1     YES manual up     up
Router-ONE(config)#router eigrp 100
Router-ONE(config-router)#network 1.0.0.0
Router-ONE(config-router)#network 10.0.0.0
Router-ONE(config-router)#no auto-summary
Router-ONE(config-router)#exit
Router-TWO(config)#router eigrp 100
Router-TWO(config-router)#network 2.0.0.0
Router-TWO(config-router)#network 20.0.0.0
Router-TWO(config-router)#network 1.0.0.0
Router-TWO(config-router)#no auto-summary
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 1.1.1.1 (FastEthernet0/0) is up: new adjacency
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 1.1.1.1 (FastEthernet0/0) resync: summary configured
Router-THREE(config)#router eigrp 100
Router-THREE(config-router)#network 3.0.0.0
Router-THREE(config-router)#network 30.0.0.0
Router-THREE(config-router)#network 2.0.0.0
Router-THREE(config-router)#exit
Router-FOUR(config)#router eigrp 100
Router-FOUR(config-router)#network 40.0.0.0
Router-FOUR(config-router)#network 3.0.0.0
Router-FOUR(config-router)#exit
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 3.3.3.1 (FastEthernet0/0) is up: new adjacency
(Now we ping from all ends to make sure our network works smoothly.)
From PC host 10.1.1.2:
C:\>ipconfig
IP Address......................: 10.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.1.1.1
C:\>ping 20.1.1.4
Pinging 20.1.1.4 with 32 bytes of data:
Request timed out.
Reply from 20.1.1.4: bytes=32 time<1ms TTL=126
Reply from 20.1.1.4: bytes=32 time<1ms TTL=126
Reply from 20.1.1.4: bytes=32 time<1ms TTL=126
Ping statistics for 20.1.1.4:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping 30.1.1.4
Pinging 30.1.1.4 with 32 bytes of data:
Request timed out.
Reply from 30.1.1.4: bytes=32 time=6ms TTL=125
Reply from 30.1.1.4: bytes=32 time<1ms TTL=125
Reply from 30.1.1.4: bytes=32 time<1ms TTL=125
Ping statistics for 30.1.1.4:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 2ms
C:\>ping 40.1.1.4
Pinging 40.1.1.4 with 32 bytes of data:
Request timed out.
Reply from 40.1.1.4: bytes=32 time=2ms TTL=124
Reply from 40.1.1.4: bytes=32 time=1ms TTL=124
Reply from 40.1.1.4: bytes=32 time<1ms TTL=124
Ping statistics for 40.1.1.4:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms
From PC host 40.1.1.4:
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::201:97FF:FE19:CAE9
IP Address......................: 40.1.1.4
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 40.1.1.1
C:\>ping 20.1.1.4
Pinging 20.1.1.4 with 32 bytes of data:
Reply from 20.1.1.4: bytes=32 time=5ms TTL=125
Reply from 20.1.1.4: bytes=32 time=1ms TTL=125
Reply from 20.1.1.4: bytes=32 time=2ms TTL=125
Reply from 20.1.1.4: bytes=32 time<1ms TTL=125
Ping statistics for 20.1.1.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 5ms, Average = 2ms
C:\>ping 20.1.1.2
Pinging 20.1.1.2 with 32 bytes of data:
Request timed out.
Reply from 20.1.1.2: bytes=32 time<1ms TTL=125
Reply from 20.1.1.2: bytes=32 time<1ms TTL=125
Reply from 20.1.1.2: bytes=32 time<1ms TTL=125
Ping statistics for 20.1.1.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
From the 40.0.0.0 network end, everything is working well.
- Deny host 10.1.1.2 from communicating with 20.1.1.2, but the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.
- Deny host 10.1.1.4 from communicating with 20.1.1.4, but the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.
- Deny the 40.0.0.0 network from communicating with the 20.1.1.0 network, and make sure the rest of the hosts can ping.
(On Router-TWO)
Router(config)#access-list 20 deny host 10.1.1.2
Router(config)#access-list 20 deny host 10.1.1.4
Router(config)#access-list 20 deny 40.0.0.0 0.255.255.255
Router(config)#access-list 20 permit any
Router(config)#interface fastEthernet 6/0
Router(config-if)#ip access-group 20 out
Router(config-if)#exit
(Verify from hosts 10.1.1.2 and 10.1.1.4.)
(Make sure the rest of the hosts, 10.1.1.3 and 10.1.1.5, can ping the 20.0.0.0 network.)
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::209:7CFF:FE04:47BA
IP Address......................: 10.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.1.1.1
C:\>ping 20.1.1.2
Pinging 20.1.1.2 with 32 bytes of data:
Reply from 1.1.1.2: Destination host unreachable.
Reply from 1.1.1.2: Destination host unreachable.
Reply from 1.1.1.2: Destination host unreachable.
Reply from 1.1.1.2: Destination host unreachable.
Ping statistics for 20.1.1.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 20.1.1.4
Pinging 20.1.1.4 with 32 bytes of data:
Reply from 1.1.1.2: Destination host unreachable.
Reply from 1.1.1.2: Destination host unreachable.
Reply from 1.1.1.2: Destination host unreachable.
Reply from 1.1.1.2: Destination host unreachable.
Ping statistics for 20.1.1.4:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::201:C7FF:FE94:D928
IP Address......................: 10.1.1.3
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.1.1.1
Bluetooth Connection:
Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0
C:\>ping 20.1.1.2
Pinging 20.1.1.2 with 32 bytes of data:
Reply from 20.1.1.2: bytes=32 time=1ms TTL=126
Reply from 20.1.1.2: bytes=32 time=1ms TTL=126
Reply from 20.1.1.2: bytes=32 time<1ms TTL=126
Reply from 20.1.1.2: bytes=32 time=1ms TTL=126
Ping statistics for 20.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\>ping 20.1.1.4
Pinging 20.1.1.4 with 32 bytes of data:
Reply from 20.1.1.4: bytes=32 time=8ms TTL=126
Reply from 20.1.1.4: bytes=32 time<1ms TTL=126
Reply from 20.1.1.4: bytes=32 time<1ms TTL=126
Reply from 20.1.1.4: bytes=32 time<1ms TTL=126
Ping statistics for 20.1.1.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
Next lab: Extended Access List
Topology: -
- We are continuing our previous lab.
- Deny host 10.1.1.2 access to the HTTP server 30.1.1.12, but make sure 10.1.1.2 can access all other devices in the 30.0.0.0 network.
- Deny host 20.1.1.2 access to the FTP server 30.1.1.13, but make sure 20.1.1.2 can access all other devices in the 30.0.0.0 network.
- Deny host 40.1.1.2 access to the server 30.1.1.14, but make sure 40.1.1.2 can access all other devices in the 30.0.0.0 network.
- Permit all other traffic.
Before:
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::201:C7FF:FE94:D928
IP Address......................: 10.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.1.1.1
Bluetooth Connection:
Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0
C:\>ping 30.1.1.12
Pinging 30.1.1.12 with 32 bytes of data:
Reply from 30.1.1.12: bytes=32 time=1ms TTL=125
Reply from 30.1.1.12: bytes=32 time<1ms TTL=125
Reply from 30.1.1.12: bytes=32 time<1ms TTL=125
Reply from 30.1.1.12: bytes=32 time=1ms TTL=125
Ping statistics for 30.1.1.12:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2E0:F9FF:FE3A:3251
IP Address......................: 20.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.1.1.1
Bluetooth Connection:
Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0
C:\>ping 30.1.1.13
Pinging 30.1.1.13 with 32 bytes of data:
Request timed out.
Reply from 30.1.1.13: bytes=32 time=6ms TTL=126
Reply from 30.1.1.13: bytes=32 time=1ms TTL=126
Reply from 30.1.1.13: bytes=32 time<1ms TTL=126
Ping statistics for 30.1.1.13:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 2ms
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::205:5EFF:FEA1:C2B6
IP Address......................: 40.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 40.1.1.1
Bluetooth Connection:
Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0
C:\>ping 30.1.1.14
Pinging 30.1.1.14 with 32 bytes of data:
Request timed out.
Reply from 30.1.1.14: bytes=32 time=1ms TTL=126
Reply from 30.1.1.14: bytes=32 time=1ms TTL=126
Reply from 30.1.1.14: bytes=32 time<1ms TTL=126
Ping statistics for 30.1.1.14:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Router-THREE(config)#ip access-list extended 160
Router-THREE(config-ext-nacl)#deny ip 10.1.1.2 0.255.255.255 host 30.1.1.12
Router-THREE(config-ext-nacl)#deny ip 20.1.1.2 0.255.255.255 host 30.1.1.13
Router-THREE(config-ext-nacl)#deny ip 40.1.1.2 0.255.255.255 host 30.1.1.14
Router-THREE(config-ext-nacl)#permit ip any any
Router-THREE(config-ext-nacl)#exit
Router-THREE(config)#interface fastEthernet 8/0
Router-THREE(config-if)#ip access-group 160 out
Router-THREE(config-if)#exit
Router-THREE(config)#exit
Router-THREE#show access-lists
Extended IP access list 160
10 deny ip 10.0.0.0 0.255.255.255 host 30.1.1.12
20 deny ip 20.0.0.0 0.255.255.255 host 30.1.1.13
30 deny ip 40.0.0.0 0.255.255.255 host 30.1.1.14
40 permit ip any any
(Note that IOS has stored the three deny entries as 10.0.0.0, 20.0.0.0 and 40.0.0.0 with wildcard 0.255.255.255: a wildcard of 0.255.255.255 ignores the last three octets, so each entry matches the whole /8 network rather than the single host in the requirement. To match only one host, use the host keyword or the wildcard 0.0.0.0, and to block only the HTTP or FTP service instead of all IP traffic, use tcp with an eq <service> operator instead of ip. Now let's verify from 10.1.1.2, 20.1.1.2, and 40.1.1.2.)
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::209:7CFF:FE04:47BA
IP Address......................: 10.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.1.1.1
C:\>ping 30.1.1.2
Pinging 30.1.1.2 with 32 bytes of data:
Reply from 30.1.1.2: bytes=32 time=1ms TTL=125
Reply from 30.1.1.2: bytes=32 time<1ms TTL=125
Reply from 30.1.1.2: bytes=32 time<1ms TTL=125
Reply from 30.1.1.2: bytes=32 time<1ms TTL=125
C:\>ping 30.1.1.12
Pinging 30.1.1.12 with 32 bytes of data:
Reply from 2.2.2.2: Destination host unreachable.
Reply from 2.2.2.2: Destination host unreachable.
Reply from 2.2.2.2: Destination host unreachable.
Reply from 2.2.2.2: Destination host unreachable.
Ping statistics for 30.1.1.12:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::20D:BDFF:FE60:4383
IP Address......................: 20.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.1.1.1
C:\>ping 30.1.1.2
Pinging 30.1.1.2 with 32 bytes of data:
Reply from 30.1.1.2: bytes=32 time<1ms TTL=126
Reply from 30.1.1.2: bytes=32 time=16ms TTL=126
Reply from 30.1.1.2: bytes=32 time<1ms TTL=126
Reply from 30.1.1.2: bytes=32 time<1ms TTL=126
Ping statistics for 30.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 16ms, Average = 4ms
C:\>
C:\>ping 30.1.1.13
Reply from 2.2.2.2: Destination host unreachable.
Reply from 2.2.2.2: Destination host unreachable.
Reply from 2.2.2.2: Destination host unreachable.
Reply from 2.2.2.2: Destination host unreachable.
Ping statistics for 30.1.1.13:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2E0:F9FF:FE66:C33C
IP Address......................: 40.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 40.1.1.1
C:\>ping 30.1.1.2
Pinging 30.1.1.2 with 32 bytes of data:
Reply from 30.1.1.2: bytes=32 time=1ms TTL=126
Reply from 30.1.1.2: bytes=32 time=1ms TTL=126
Reply from 30.1.1.2: bytes=32 time<1ms TTL=126
Reply from 30.1.1.2: bytes=32 time<1ms TTL=126
Ping statistics for 30.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\>ping 30.1.1.14
Pinging 30.1.1.14 with 32 bytes of data:
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Ping statistics for 30.1.1.14:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
-----------------------------------------------------------------------------------------------------------------------
Next lab: Named Access List
Lab: -
Topology
- We are continuing our previous lab.
- Deny host 30.1.1.2 access to host 10.1.1.4, but make sure 30.1.1.2 can access all other devices in the 10.0.0.0 network.
- Deny host 40.1.1.2 access to host 10.1.1.4, but make sure 40.1.1.2 can access all other devices in the 10.0.0.0 network.
- Permit all other traffic.
Before:
C:\>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2E0:F9FF:FE66:C33C
IP Address......................: 40.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 40.1.1.1
Bluetooth Connection:
Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0
C:\>ping 10.1.1.4
Pinging 10.1.1.4 with 32 bytes of data:
Request timed out.
Reply from 10.1.1.4: bytes=32 time<1ms TTL=124
Reply from 10.1.1.4: bytes=32 time=1ms TTL=124
Reply from 10.1.1.4: bytes=32 time<1ms TTL=124
Ping statistics for 10.1.1.4:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
(From the above output, host 40.1.1.2 can ping 10.1.1.4.)
Router-ONE(config)#ip access-list extended cisco
Router-ONE(config-ext-nacl)#deny ip 30.1.1.2 0.255.255.255 host 10.1.1.4
Router-ONE(config-ext-nacl)#deny ip 40.1.1.2 0.255.255.255 host 10.1.1.4
Router-ONE(config-ext-nacl)#permit ip any any
Router-ONE(config-ext-nacl)#exit
Router-ONE(config)#interface fastEthernet 1/0
Router-ONE(config-if)#ip access-group cisco out
Router-ONE(config-if)#exit
Router-ONE#show access-lists cisco
Extended IP access list cisco
deny ip 30.0.0.0 0.255.255.255 host 10.1.1.4 (4 match(es))
deny ip 40.0.0.0 0.255.255.255 host 10.1.1.4 (4 match(es))
permit ip any any (8 match(es))
(As the show output above reveals, the entries are stored as 30.0.0.0 and 40.0.0.0 with wildcard 0.255.255.255, so they match those entire networks and not only hosts 30.1.1.2 and 40.1.1.2. Now we try to ping from 40.1.1.2 to 10.1.1.4 and 10.1.1.2.)
C:\>ping 30.1.1.2
Pinging 30.1.1.2 with 32 bytes of data:
Reply from 30.1.1.2: bytes=32 time=1ms TTL=126
Reply from 30.1.1.2: bytes=32 time=1ms TTL=126
Reply from 30.1.1.2: bytes=32 time<1ms TTL=126
Reply from 30.1.1.2: bytes=32 time<1ms TTL=126
C:\>ping 30.1.1.14
Pinging 30.1.1.14 with 32 bytes of data:
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Ping statistics for 30.1.1.14:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
(From the above output you can see that when we ping host 30.1.1.2 from 40.1.1.2 the communication is smooth, but when we ping 30.1.1.14 the result is destination host unreachable because of the named ACLs.)
(Now we try to ping from 30.1.1.2 to 10.1.1.4 and 10.1.1.2.)
C:\>ipconfig
IP Address......................: 30.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 30.1.1.1
C:\>ping 10.1.1.4
Pinging 10.1.1.4 with 32 bytes of data:
Reply from 1.1.1.1: Destination host unreachable.
Reply from 1.1.1.1: Destination host unreachable.
Reply from 1.1.1.1: Destination host unreachable.
Reply from 1.1.1.1: Destination host unreachable.
Ping statistics for 10.1.1.4:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=1ms TTL=125
Reply from 10.1.1.2: bytes=32 time=2ms TTL=125
Reply from 10.1.1.2: bytes=32 time<1ms TTL=125
Reply from 10.1.1.2: bytes=32 time<1ms TTL=125
_______________________________________________________________________
Next lab: Routing Protocol Access List
- We are continuing our previous lab.
- Configure the OSPF routing protocol between routers 3 and 4.
- Deny EIGRP on router 4 and make sure router 4 gets its routes in the OSPF routing table.
- Permit the rest.
Router-THREE#show ip route eigrp
D 1.0.0.0/8 [90/30720] via 2.2.2.1, 00:07:40, FastEthernet1/0
D 10.0.0.0/8 [90/33280] via 2.2.2.1, 00:07:39, FastEthernet1/0
D 20.0.0.0/8 [90/30720] via 2.2.2.1, 00:07:40, FastEthernet1/0
D 40.0.0.0/8 [90/30720] via 3.3.3.2, 00:07:40, FastEthernet0/0
Router-THREE#show ip route ospf
Router-THREE#
- Deny EIGRP on router 4 and make sure router 4 gets routes in the OSPF routing table.
Router-FOUR(config)#ip access-list extended 180
Router-FOUR(config-ext-nacl)#deny eigrp any any
Router-FOUR(config-ext-nacl)#permit ip any any
Router-FOUR(config-ext-nacl)#exit
Router-FOUR(config)#interface fastEthernet 0/0
Router-FOUR(config-if)#ip access-group 180 in
Router-FOUR(config-if)#exit
Router-FOUR#show ip route ospf
O 30.0.0.0 [110/2] via 3.3.3.1, 00:00:14, FastEthernet0/0
---------------------------------------------------------------------------------------------------------------