
Monday, 27 March 2023

What is an Access List? What are standard, extended, named and routing-protocol ACLs? What is a time-based ACL? How do you configure an ACL?

What is Access-List?


An Access-List (ACL) is a set of rules that permits or denies specific traffic passing through the router. ACLs control network traffic and reduce exposure to network attacks: they filter traffic against the rule set either inbound to the router or outbound from it. An ACL is the tool of choice for this kind of decision; for example, you can allow certain hosts to reach web resources on the internet while restricting others.

An access list filters unwanted packets when implementing security policies. ACLs are a layer 3 security control that governs the flow of traffic from one router to another; an ACL is also called a packet-filtering firewall.

How an access list works

A packet is always compared with each line of the access list in sequential order: matching starts at the first line of the access list, then moves to the second line, the third, and so on.

The packet is compared with the lines of the access list only until a match is made. Once a line's condition matches, no further comparison takes place and that line's action (permit or deny) is applied.

There is an implicit deny at the end of every access list: if no line matches, the packet is discarded.


Types of Access List

Mainly there are two types of access lists:

Standard access lists use only the source IP address in an IP packet as the condition test. All decisions are made on the source IP address, so a standard access list permits or denies an entire suite of protocols; it does not distinguish between the many types of IP traffic such as web, Telnet, UDP, HTTP, and so on. When a number from 1-99 or 1300-1999 is used, the router treats the list as a standard ACL and the specified address as the source IP address.

Key points:

  • All decisions are made on the source IP address.
  • The access-list number is 1-99 or 1300-1999.
  • Can block a network, host, or subnet.
  • All services of the matched source are blocked.
  • Implemented closest to the destination.
  • Does not distinguish between the many types of IP traffic.

 

Standard ACL

Router(config)# access-list <acl no>  <permit/deny> <source address>  <source WCM>


An extended access list can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet: source IP, destination IP, protocol, source port, and destination port. We can also specify which IP traffic (protocol or service) should be allowed or denied, which gives the extended access list the ability to make much more granular decisions when controlling traffic. Extended lists use the number ranges 100-199 and 2000-2699.


Key points:

  • The access-list number range is 100-199 or 2000-2699.
  • We can allow or deny a network, host, subnet, or service.
  • Selected services can be blocked.
  • Implemented closest to the source.
  • Filtering is done on source IP, destination IP, protocol, and port number.


Extended ACL


Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source WCM> <destination address> <destination WCM> <operator> <service>



Access lists also fall into two categories by how they are identified:

Named access list: a name is assigned for identification. Named access lists are either standard or extended, not a distinct type. Unlike a numbered list, individual entries of a named access list can be deleted.


Key points:

  • Access lists are identified by names rather than numbers.
  • Names are case-sensitive.
  • There is no limit on the number of lists, as there is with number ranges.
  • One main advantage is that editing the ACL is possible, i.e., a specific statement can be removed from the ACL.
  • IOS version 11.2 or later supports named ACLs.

 



Named ACL

Router(config)# ip access-list standard <name>

Router(config-std-nacl)# <permit/deny> <source address> <source WCM>



Numbered access list: a numbered access list cannot be edited entry by entry once created, i.e., removing a single rule from a numbered access list is not permitted.


When we create an access list on the router, it does nothing until it is applied to an interface: it exists on the router but is inactive. We have to tell the router what to do with the ACL. To use the access list as a packet filter, apply it to the interface on the router where you want the traffic filtered, and specify the direction of traffic to which the access list applies. Once the access list is created, it must be applied inbound or outbound on an interface.


Inbound ACLs: when an access list is applied to inbound packets on an interface, those packets are processed through the ACL before being routed to the outbound interface. Any packet that is denied is discarded and never routed.

Outbound ACLs: when an access list is applied to outbound packets on an interface, packets are first routed to the outbound interface and then processed through the access list before being queued.
 

How to write an ACL statement

First understand the situation: what we want to achieve and on which router we are going to implement the ACL; identify the source and destination addresses and the traffic direction (inbound or outbound). Make sure the router on which we implement the ACL is a transit router for that traffic.

What is a time-based ACL?

A time-based access list is a type of access list that allows network access on the basis of a given time period. It is useful when you want to place restrictions on outbound or inbound traffic on the basis of particular days and time periods.

For example, you may want to block particular traffic on specific days or during business hours.

 

Access-list rules

 

  • ACLs are evaluated in sequential order.
  • Standard ACLs are usually applied close to the destination (not always).
  • Extended ACLs are usually applied close to the source (not always).
  • Only one ACL can be assigned per interface, per protocol, per direction, i.e., one inbound and one outbound ACL per interface.
  • All deny statements should be given first (best practice).
  • A single rule cannot be removed from a numbered ACL; trying to remove a rule removes the whole access list. With a named ACL, individual rules can be deleted.
  • An implicit deny (an invisible statement) blocks all traffic by default when nothing matches.
  • Any new entry added to an access list is placed at the bottom of the list, so preparing access lists in a text editor is highly recommended.
  • Standard and extended access lists cannot have the same name.


Wildcard mask: tells the router which bits of the address must match and which are ignored: 0 = must match, 1 = ignore. The wildcard mask for a network is the inverse of its subnet mask; the wildcard mask for a single host is always 0.0.0.0.


In this article, we are going to configure standard ACLs, extended ACLs, Named ACLs, Routing ACLs, and Time-based ACLs. 


Topology: Standard ACLs

Goal:
  • Configure the topology as per the diagram.
  • Assign the IP addresses as per the topology, including the PCs.
  • Configure routing (EIGRP) and make sure all the computers can communicate with each other using ping.
  • Deny host 10.1.1.2 from communicating with 20.1.1.2, while the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.
  • Deny host 10.1.1.4 from communicating with 20.1.1.4, while the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.
  • Deny the 40.0.0.0 network from communicating with the 20.1.1.0 network.
  • Permit all the remaining traffic.



  1. (Starting from configuring the IP addresses as per the topology)




    Router-ONE(config)#interface fastEthernet 0/0

    Router-ONE(config-if)#ip address 1.1.1.1 255.0.0.0

    Router-ONE(config-if)#no shutdown

    Router-ONE(config-if)#exit


    Router-ONE(config)#interface fastEthernet 1/0

    Router-ONE(config-if)#ip address 10.1.1.1 255.0.0.0

    Router-ONE(config-if)#no shutdown

    Router-ONE(config-if)#exit

     

    Router-TWO(config)#interface fastEthernet 0/0

    Router-TWO(config-if)#ip address 1.1.1.2 255.0.0.0

    Router-TWO(config-if)#no shutdown

    Router-TWO(config-if)#exit


    Router-TWO(config)#interface fastEthernet 1/0

    Router-TWO(config-if)#ip address 2.2.2.1 255.0.0.0

    Router-TWO(config-if)#no shutdown

    Router-TWO(config-if)#exit


    Router-TWO(config)#interface fastEthernet 6/0

    Router-TWO(config-if)#ip address 20.1.1.1 255.0.0.0

    Router-TWO(config-if)#no shutdown

    Router-TWO(config-if)#exit

     

    Router-THREE(config)#interface fastEthernet 1/0

    Router-THREE(config-if)#ip address 2.2.2.2 255.0.0.0

    Router-THREE(config-if)#no shutdown

     Router-THREE(config-if)#exit


    Router-THREE(config)#interface fastEthernet 8/0

    Router-THREE(config-if)#ip address 30.1.1.1 255.0.0.0

    Router-THREE(config-if)#no shutdown

    Router-THREE(config-if)#exit


    Router-THREE(config)#interface fastEthernet 0/0

    Router-THREE(config-if)#ip address 3.3.3.1 255.0.0.0

    Router-THREE(config-if)#no shutdown

    Router-THREE(config-if)#exit

     

     Router-FOUR(config)#interface fastEthernet 0/0

    Router-FOUR(config-if)#ip address 3.3.3.2 255.0.0.0

    Router-FOUR(config-if)#no shutdown

    Router-FOUR(config-if)#exit


    Router-FOUR(config)#interface fastEthernet 1/0

    Router-FOUR(config-if)#ip address 40.1.1.1 255.0.0.0

    Router-FOUR(config-if)#no shutdown

    Router-FOUR(config-if)#exit

        

    2. (Configure the IP addresses on the PCs too, as per the topology)


     Router-ONE#show ip interface brief

    Interface IP-Address OK? Method Status Protocol

    FastEthernet0/0 1.1.1.1 YES manual up up

    FastEthernet1/0 10.1.1.1 YES manual up up

     

     

    Router-TWO#show ip interface brief

    Interface IP-Address OK? Method Status Protocol

    FastEthernet0/0 1.1.1.2 YES manual up up

    FastEthernet1/0 2.2.2.1 YES manual up up

    FastEthernet6/0 20.1.1.1 YES manual up up

     

     

    Router-THREE#show ip interface brief

    Interface IP-Address OK? Method Status Protocol

    FastEthernet0/0 3.3.3.1 YES manual up up

    FastEthernet1/0 2.2.2.2 YES manual up up

    FastEthernet8/0 30.1.1.1 YES manual up up

     

     

    Router-FOUR#show ip interface BRief

    Interface IP-Address OK? Method Status Protocol

    FastEthernet0/0 3.3.3.2 YES manual up up

    FastEthernet1/0 40.1.1.1 YES manual up up

     



    Router-ONE(config)#router eigrp 100

    Router-ONE(config-router)#network 1.0.0.0

    Router-ONE(config-router)#network 10.0.0.0

    Router-ONE(config-router)#no auto-summary

    Router-ONE(config-router)#exit

     

     

    from router 1

     

    Router-TWO(config)#router eigrp 100

    Router-TWO(config-router)#network 2.0.0.0

    Router-TWO(config-router)#network 20.0.0.0

    Router-TWO(config-router)#network 1.0.0.0

    Router-TWO(config-router)#no auto-summary

    %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 1.1.1.1 (FastEthernet0/0) is up: new adjacency

    %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 1.1.1.1 (FastEthernet0/0) resync: summary configured 

     

     

    Router-THREE(config)#router eigrp 100

    Router-THREE(config-router)#network 3.0.0.0

    Router-THREE(config-router)#network 30.0.0.0

    Router-THREE(config-router)#network 2.0.0.0

    Router-THREE(config-router)#exit


     %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 2.2.2.1 (FastEthernet1/0) is up: new adjacency

     

     

    Router-FOUR(config)#router eigrp 100

    Router-FOUR(config-router)#network 40.0.0.0

    Router-FOUR(config-router)#network 3.0.0.0

    Router-FOUR(config-router)#exit

    %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 3.3.3.1 (FastEthernet0/0) is up: new adjacency


    (Now we ping from all ends to make sure the network works properly.)

    From PC host 10.1.1.2:


    C:\>ipconfig


    IP Address......................: 10.1.1.2

    Subnet Mask.....................: 255.0.0.0

    Default Gateway.................: 10.1.1.1

     


    C:\>ping 20.1.1.4

     

    Pinging 20.1.1.4 with 32 bytes of data:

     

    Request timed out.

    Reply from 20.1.1.4: bytes=32 time<1ms TTL=126

    Reply from 20.1.1.4: bytes=32 time<1ms TTL=126

    Reply from 20.1.1.4: bytes=32 time<1ms TTL=126

     

    Ping statistics for 20.1.1.4:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

     

    C:\>ping 30.1.1.4

     

    Pinging 30.1.1.4 with 32 bytes of data:

     

    Request timed out.

    Reply from 30.1.1.4: bytes=32 time=6ms TTL=125

    Reply from 30.1.1.4: bytes=32 time<1ms TTL=125

    Reply from 30.1.1.4: bytes=32 time<1ms TTL=125

     

    Ping statistics for 30.1.1.4:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 6ms, Average = 2ms

     

    C:\>ping 40.1.1.4

     

    Pinging 40.1.1.4 with 32 bytes of data:

     

    Request timed out.

    Reply from 40.1.1.4: bytes=32 time=2ms TTL=124

    Reply from 40.1.1.4: bytes=32 time=1ms TTL=124

    Reply from 40.1.1.4: bytes=32 time<1ms TTL=124

     

    Ping statistics for 40.1.1.4:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 2ms, Average = 1ms

     

    From this end (the 10.0.0.0 network) everything is working.


    From PC host 40.1.1.4:


    C:\>ipconfig

     

    FastEthernet0 Connection:(default port)

     

    Link-local IPv6 Address.........: FE80::201:97FF:FE19:CAE9

    IP Address......................: 40.1.1.4

    Subnet Mask.....................: 255.0.0.0

    Default Gateway.................: 40.1.1.1


    C:\>ping 20.1.1.4

     

    Pinging 20.1.1.4 with 32 bytes of data:

     

    Reply from 20.1.1.4: bytes=32 time=5ms TTL=125

    Reply from 20.1.1.4: bytes=32 time=1ms TTL=125

    Reply from 20.1.1.4: bytes=32 time=2ms TTL=125

    Reply from 20.1.1.4: bytes=32 time<1ms TTL=125

     

    Ping statistics for 20.1.1.4:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 5ms, Average = 2ms

     

    C:\>ping 20.1.1.2

     

    Pinging 20.1.1.2 with 32 bytes of data:

     

    Request timed out.

    Reply from 20.1.1.2: bytes=32 time<1ms TTL=125

    Reply from 20.1.1.2: bytes=32 time<1ms TTL=125

    Reply from 20.1.1.2: bytes=32 time<1ms TTL=125

     

    Ping statistics for 20.1.1.2:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    From this end (the 40.0.0.0 network) everything is working well.


    • Deny host 10.1.1.2 from communicating with 20.1.1.2, while the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.

    • Deny host 10.1.1.4 from communicating with 20.1.1.4, while the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.

    • Deny the 40.0.0.0 network from communicating with the 20.1.1.0 network, and make sure the rest of the hosts can ping.

    (On Router-TWO)

    Router(config)#access-list 20 deny host 10.1.1.2

    Router(config)#access-list 20 deny host 10.1.1.4

    Router(config)#access-list 20 deny 40.0.0.0 0.255.255.255

    Router(config)#access-list 20 permit any



    Router(config)#interface fastEthernet 6/0

    Router(config-if)#ip access-group 20 out

    Router(config-if)#exit



    (Verify from hosts 10.1.1.2 and 10.1.1.4.)

    (Make sure the rest of the hosts, 10.1.1.3 and 10.1.1.5, can still ping the 20.0.0.0 network.)



     

     

    C:\>ipconfig

     

    FastEthernet0 Connection:(default port)

     

    Link-local IPv6 Address.........: FE80::209:7CFF:FE04:47BA

    IP Address......................: 10.1.1.2

    Subnet Mask.....................: 255.0.0.0

    Default Gateway.................: 10.1.1.1

     


    C:\>ping 20.1.1.2

     

    Pinging 20.1.1.2 with 32 bytes of data:

     

    Reply from 1.1.1.2: Destination host unreachable.

    Reply from 1.1.1.2: Destination host unreachable.

    Reply from 1.1.1.2: Destination host unreachable.

    Reply from 1.1.1.2: Destination host unreachable.

     

    Ping statistics for 20.1.1.2:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

     

    C:\>ping 20.1.1.4

     

    Pinging 20.1.1.4 with 32 bytes of data:

     

    Reply from 1.1.1.2: Destination host unreachable.

    Reply from 1.1.1.2: Destination host unreachable.

    Reply from 1.1.1.2: Destination host unreachable.

    Reply from 1.1.1.2: Destination host unreachable.

     

    Ping statistics for 20.1.1.4:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

     

     


    C:\>ipconfig

     

    FastEthernet0 Connection:(default port)

     

    Link-local IPv6 Address.........: FE80::201:C7FF:FE94:D928

    IP Address......................: 10.1.1.3

    Subnet Mask.....................: 255.0.0.0

    Default Gateway.................: 10.1.1.1

     

     

    C:\>ping 20.1.1.2

     

    Pinging 20.1.1.2 with 32 bytes of data:

     

    Reply from 20.1.1.2: bytes=32 time=1ms TTL=126

    Reply from 20.1.1.2: bytes=32 time=1ms TTL=126

    Reply from 20.1.1.2: bytes=32 time<1ms TTL=126

    Reply from 20.1.1.2: bytes=32 time=1ms TTL=126

     

    Ping statistics for 20.1.1.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms

     

    C:\>ping 20.1.1.4

     

    Pinging 20.1.1.4 with 32 bytes of data:

     

    Reply from 20.1.1.4: bytes=32 time=8ms TTL=126

    Reply from 20.1.1.4: bytes=32 time<1ms TTL=126

    Reply from 20.1.1.4: bytes=32 time<1ms TTL=126

    Reply from 20.1.1.4: bytes=32 time<1ms TTL=126

     

    Ping statistics for 20.1.1.4:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 8ms, Average = 2ms

     

     


    (As you can see from the above output, the ACL is working. The same way, you can deny the 30.0.0.0 network.)

     

    -----------------------------------------------------------------------------------------------------------


    Next lab: Extended Access List

    Topology: -


    • We are continuing our previous lab.
    • Deny host 10.1.1.2 from accessing HTTP on server 30.1.1.12, but make sure 10.1.1.2 can access all devices in the 30.0.0.0 network except 30.1.1.12.
    • Deny host 20.1.1.2 from accessing FTP on server 30.1.1.13, but make sure 20.1.1.2 can access all devices in the 30.0.0.0 network except 30.1.1.13.
    • Deny host 40.1.1.2 from accessing FTP on server 30.1.1.14, but make sure 40.1.1.2 can access all devices in the 30.0.0.0 network except 30.1.1.14.
    • Permit all.

    Before:

    C:\>ipconfig

     

    FastEthernet0 Connection:(default port)

     

    Link-local IPv6 Address.........: FE80::201:C7FF:FE94:D928

    IP Address......................: 10.1.1.2

    Subnet Mask.....................: 255.0.0.0

    Default Gateway.................: 10.1.1.1

     

     

    C:\>ping 30.1.1.12

     

    Pinging 30.1.1.12 with 32 bytes of data:

     

    Reply from 30.1.1.12: bytes=32 time=1ms TTL=125

    Reply from 30.1.1.12: bytes=32 time<1ms TTL=125

    Reply from 30.1.1.12: bytes=32 time<1ms TTL=125

    Reply from 30.1.1.12: bytes=32 time=1ms TTL=125

     

    Ping statistics for 30.1.1.12:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms

     

    C:\>ipconfig

     

    FastEthernet0 Connection:(default port)

     

    Link-local IPv6 Address.........: FE80::2E0:F9FF:FE3A:3251

    IP Address......................: 20.1.1.2

    Subnet Mask.....................: 255.0.0.0

    Default Gateway.................: 20.1.1.1

     

     

    C:\>ping 30.1.1.13

     

    Pinging 30.1.1.13 with 32 bytes of data:

     

    Request timed out.

    Reply from 30.1.1.13: bytes=32 time=6ms TTL=126

    Reply from 30.1.1.13: bytes=32 time=1ms TTL=126

    Reply from 30.1.1.13: bytes=32 time<1ms TTL=126

     

    Ping statistics for 30.1.1.13:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 6ms, Average = 2ms

     

     

    C:\>ipconfig

     

    FastEthernet0 Connection:(default port)

     

    Link-local IPv6 Address.........: FE80::205:5EFF:FEA1:C2B6

    IP Address......................: 40.1.1.2

    Subnet Mask.....................: 255.0.0.0

    Default Gateway.................: 40.1.1.1

     

     

    C:\>ping 30.1.1.14

     

    Pinging 30.1.1.14 with 32 bytes of data:

     

    Request timed out.

    Reply from 30.1.1.14: bytes=32 time=1ms TTL=126

    Reply from 30.1.1.14: bytes=32 time=1ms TTL=126

    Reply from 30.1.1.14: bytes=32 time<1ms TTL=126

     

    Ping statistics for 30.1.1.14:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms



    Router-THREE(config)#ip access-list extended 160

    Router-THREE(config-ext-nacl)#deny ip 10.1.1.2 0.255.255.255 host 30.1.1.12

    Router-THREE(config-ext-nacl)#deny ip 20.1.1.2 0.255.255.255 host 30.1.1.13

    Router-THREE(config-ext-nacl)#deny ip 40.1.1.2 0.255.255.255 host 30.1.1.14

    Router-THREE(config-ext-nacl)#permit ip any any

    Router-THREE(config-ext-nacl)#exit


    Router-THREE(config)#interface fastEthernet 9/0

    Router-THREE(config-if)#ip access-group 160 out

    Router-THREE(config-if)#exit

    Router-THREE(config)#exit


    Router-THREE#show access-lists

    Extended IP access list 160

    10 deny ip 10.0.0.0 0.255.255.255 host 30.1.1.12

    20 deny ip 20.0.0.0 0.255.255.255 host 30.1.1.13

    30 deny ip 40.0.0.0 0.255.255.255 host 30.1.1.14

    40 permit ip any any
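
The matching rules described earlier (top-down, first match wins, implicit deny, wildcard masks) and the entries typed in this lab, modelled in a small Python evaluator. This is an added example, not code from the page or from Cisco; ACL_INTENDED is a hypothetical list written to the lab's stated goal (one host, HTTP only), and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of IOS access-list evaluation (added example, not code from
# the page or from Cisco): entries are compared top-down, the first match
# decides, and an unmatched packet hits the implicit deny at the end.
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "eigrp", "ospf"}

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" = any IP protocol (standard ACLs too)
    src: str
    src_wc: str                     # wildcard: 0 bit = must match, 1 bit = ignore
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None  # "eq <port>" on the destination, if given

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Only the bits that are 0 in the wildcard mask are compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

def _addr(t: list[str], i: int) -> tuple[str, str, int]:
    """Consume one address spec (any | host X | X W | X) starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1] not in ("any", "host", "eq"):
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1           # bare address = single host

def parse_entry(line: str) -> Entry:
    """Parse one entry in the syntax used in the labs, standard or extended."""
    t = line.split()
    if t[1] in PROTOCOLS:                    # extended: action proto src dst [eq port]
        src, src_wc, i = _addr(t, 2)
        dst, dst_wc, i = _addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Entry(t[0], t[1], src, src_wc, dst, dst_wc, port)
    src, src_wc, _ = _addr(t, 1)             # standard: action src only
    return Entry(t[0], "ip", src, src_wc)

def evaluate(acl: list[Entry], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, 1-based entry that matched); ("deny", None) = implicit deny."""
    for n, e in enumerate(acl, start=1):
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, n
    return "deny", None

# ACL 20 from the standard-ACL lab (outbound on Router-TWO Fa6/0).
ACL_20 = [parse_entry(l) for l in ("deny host 10.1.1.2", "deny host 10.1.1.4",
                                   "deny 40.0.0.0 0.255.255.255", "permit any")]
# ACL 160 exactly as typed on Router-THREE in the extended-ACL lab.
ACL_160 = [parse_entry(l) for l in ("deny ip 10.1.1.2 0.255.255.255 host 30.1.1.12",
                                    "deny ip 20.1.1.2 0.255.255.255 host 30.1.1.13",
                                    "deny ip 40.1.1.2 0.255.255.255 host 30.1.1.14",
                                    "permit ip any any")]
# Hypothetical list that matches the lab's stated goal: one host, HTTP only.
ACL_INTENDED = [parse_entry(l) for l in ("deny tcp host 10.1.1.2 host 30.1.1.12 eq 80",
                                         "permit ip any any")]

def demo() -> dict:
    """Constructed packets run through the lists above."""
    return {
        "20: 10.1.1.2->20.1.1.2": evaluate(ACL_20, Packet("10.1.1.2", "20.1.1.2")),
        "20: 10.1.1.3->20.1.1.2": evaluate(ACL_20, Packet("10.1.1.3", "20.1.1.2")),
        "20: 40.1.1.4->20.1.1.4": evaluate(ACL_20, Packet("40.1.1.4", "20.1.1.4")),
        # a list with no permit drops everything it does not name (implicit deny)
        "deny-only: 10.1.1.3": evaluate(ACL_20[:1], Packet("10.1.1.3", "20.1.1.2")),
        # 0.255.255.255 keeps only the first octet, so 10.1.1.3 is caught as well;
        # that is why 'show access-lists' displays the entry as 10.0.0.0
        "160: 10.1.1.3->30.1.1.12": evaluate(ACL_160, Packet("10.1.1.3", "30.1.1.12")),
        # 'deny ip' drops ICMP too, hence 'Destination host unreachable' on ping
        "160: icmp 10.1.1.2->30.1.1.12": evaluate(ACL_160, Packet("10.1.1.2", "30.1.1.12", "icmp")),
        "intended: icmp": evaluate(ACL_INTENDED, Packet("10.1.1.2", "30.1.1.12", "icmp")),
        "intended: http": evaluate(ACL_INTENDED, Packet("10.1.1.2", "30.1.1.12", "tcp", 80)),
        "intended: neighbour http": evaluate(ACL_INTENDED, Packet("10.1.1.3", "30.1.1.12", "tcp", 80)),
    }
```

Run `demo()` to see which entry decides each packet; the difference between ACL_160 and ACL_INTENDED is the granularity an extended list offers when the host and the protocol are both specified.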



    (Now let's verify from 10.1.1.2, 20.1.1.2, and 40.1.1.2)



    C:\>ipconfig


    FastEthernet0 Connection:(default port)


       Link-local IPv6 Address.........: FE80::209:7CFF:FE04:47BA

       IP Address......................: 10.1.1.2

       Subnet Mask.....................: 255.0.0.0

       Default Gateway.................: 10.1.1.1


    C:\>ping 30.1.1.2

    Pinging 30.1.1.2 with 32 bytes of data:

    Reply from 30.1.1.2: bytes=32 time=1ms TTL=125

    Reply from 30.1.1.2: bytes=32 time<1ms TTL=125

    Reply from 30.1.1.2: bytes=32 time<1ms TTL=125

    Reply from 30.1.1.2: bytes=32 time<1ms TTL=125


    C:\>ping 30.1.1.12


    Pinging 30.1.1.12 with 32 bytes of data:


    Reply from 2.2.2.2: Destination host unreachable.

    Reply from 2.2.2.2: Destination host unreachable.

    Reply from 2.2.2.2: Destination host unreachable.

    Reply from 2.2.2.2: Destination host unreachable.

    Ping statistics for 30.1.1.12:

        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    C:\>ipconfig

    FastEthernet0 Connection:(default port)

       Link-local IPv6 Address.........: FE80::20D:BDFF:FE60:4383

       IP Address......................: 20.1.1.2

       Subnet Mask.....................: 255.0.0.0

       Default Gateway.................: 20.1.1.1



    C:\>ping 30.1.1.2


    Pinging 30.1.1.2 with 32 bytes of data:


    Reply from 30.1.1.2: bytes=32 time<1ms TTL=126

    Reply from 30.1.1.2: bytes=32 time=16ms TTL=126

    Reply from 30.1.1.2: bytes=32 time<1ms TTL=126

    Reply from 30.1.1.2: bytes=32 time<1ms TTL=126


    Ping statistics for 30.1.1.2:

        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

        Minimum = 0ms, Maximum = 16ms, Average = 4ms


    C:\>

    C:\>ping 30.1.1.13

    Reply from 2.2.2.2: Destination host unreachable.

    Reply from 2.2.2.2: Destination host unreachable.

    Reply from 2.2.2.2: Destination host unreachable.

    Reply from 2.2.2.2: Destination host unreachable.


    Ping statistics for 30.1.1.13:

        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    C:\>ipconfig

    FastEthernet0 Connection:(default port)

       Link-local IPv6 Address.........: FE80::2E0:F9FF:FE66:C33C

       IP Address......................: 40.1.1.2

       Subnet Mask.....................: 255.0.0.0

       Default Gateway.................: 40.1.1.1


    C:\>ping 30.1.1.2

    Pinging 30.1.1.2 with 32 bytes of data:

    Reply from 30.1.1.2: bytes=32 time=1ms TTL=126

    Reply from 30.1.1.2: bytes=32 time=1ms TTL=126

    Reply from 30.1.1.2: bytes=32 time<1ms TTL=126

    Reply from 30.1.1.2: bytes=32 time<1ms TTL=126


    Ping statistics for 30.1.1.2:

        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

        Minimum = 0ms, Maximum = 1ms, Average = 0ms


    C:\>ping 30.1.1.14

    Pinging 30.1.1.14 with 32 bytes of data:

    Reply from 3.3.3.1: Destination host unreachable.

    Reply from 3.3.3.1: Destination host unreachable.

    Reply from 3.3.3.1: Destination host unreachable.

    Reply from 3.3.3.1: Destination host unreachable.


    Ping statistics for 30.1.1.14:

        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    -----------------------------------------------------------------------------------------------------------------------

    Next lab: Named Access List


    Lab: - 


    Topology 

    • We are continuing our previous lab.
    • Deny host 30.1.1.2 from accessing host 10.1.1.4, but make sure 30.1.1.2 can access all devices in the 10.0.0.0 network except 10.1.1.4.
    • Deny host 40.1.1.2 from accessing host 10.1.1.4, but make sure 40.1.1.2 can access all devices in the 10.0.0.0 network except 10.1.1.4.
    • Permit all.



    Before:

    C:\>ipconfig


    FastEthernet0 Connection:(default port)


    Link-local IPv6 Address.........: FE80::2E0:F9FF:FE66:C33C

    IP Address......................: 40.1.1.2

    Subnet Mask.....................: 255.0.0.0

    Default Gateway.................: 40.1.1.1



    C:\>ping 10.1.1.4


    Pinging 10.1.1.4 with 32 bytes of data:


    Request timed out.

    Reply from 10.1.1.4: bytes=32 time<1ms TTL=124

    Reply from 10.1.1.4: bytes=32 time=1ms TTL=124

    Reply from 10.1.1.4: bytes=32 time<1ms TTL=124


    Ping statistics for 10.1.1.4:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms


    (From the above output host 40.1.1.2 can ping 10.1.1.4)


    Router-ONE(config)#ip access-list extended cisco

    Router-ONE(config-ext-nacl)#deny ip 30.1.1.2 0.255.255.255 host 10.1.1.4

    Router-ONE(config-ext-nacl)#deny ip 40.1.1.2 0.255.255.255 host 10.1.1.4

    Router-ONE(config-ext-nacl)#permit ip any any

    Router-ONE(config-ext-nacl)#exit


    Router-ONE(config)#interface fastEthernet 1/0

    Router-ONE(config-if)#ip access-group cisco out

    Router-ONE(config-if)#exit


    Router-ONE#show access-lists cisco

    Extended IP access list cisco

    deny ip 30.0.0.0 0.255.255.255 host 10.1.1.4 (4 match(es))

    deny ip 40.0.0.0 0.255.255.255 host 10.1.1.4 (4 match(es))

    permit ip any any (8 match(es))


    (Now we try to ping from 40.1.1.2 to 10.1.1.4 and 10.1.1.2)



    C:\>ipconfig

       IP Address......................: 40.1.1.2
       Subnet Mask.....................: 255.0.0.0
       Default Gateway.................: 40.1.1.1

    C:\>ping 30.1.1.2

    Pinging 30.1.1.2 with 32 bytes of data:

    Reply from 30.1.1.2: bytes=32 time=1ms TTL=126

    Reply from 30.1.1.2: bytes=32 time=1ms TTL=126

    Reply from 30.1.1.2: bytes=32 time<1ms TTL=126

    Reply from 30.1.1.2: bytes=32 time<1ms TTL=126


    C:\>ping 30.1.1.14

    Pinging 30.1.1.14 with 32 bytes of data:

    Reply from 3.3.3.1: Destination host unreachable.

    Reply from 3.3.3.1: Destination host unreachable.

    Reply from 3.3.3.1: Destination host unreachable.

    Reply from 3.3.3.1: Destination host unreachable.


    Ping statistics for 30.1.1.14:

        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    (From the above output you can see that when we ping host 30.1.1.2 from 40.1.1.2 the communication is fine, but when we ping 30.1.1.14 the result is destination host unreachable because of the named ACL.)


    (Now we try to ping from 30.1.1.2 to 10.1.1.4 and 10.1.1.2)


    C:\>ipconfig


    IP Address......................: 30.1.1.2

    Subnet Mask.....................: 255.0.0.0

    Default Gateway.................: 30.1.1.1


    C:\>ping 10.1.1.4


    Pinging 10.1.1.4 with 32 bytes of data:


    Reply from 1.1.1.1: Destination host unreachable.

    Reply from 1.1.1.1: Destination host unreachable.

    Reply from 1.1.1.1: Destination host unreachable.

    Reply from 1.1.1.1: Destination host unreachable.


    Ping statistics for 10.1.1.4:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    C:\>ping 10.1.1.2


    Pinging 10.1.1.2 with 32 bytes of data:


    Reply from 10.1.1.2: bytes=32 time=1ms TTL=125

    Reply from 10.1.1.2: bytes=32 time=2ms TTL=125

    Reply from 10.1.1.2: bytes=32 time<1ms TTL=125

    Reply from 10.1.1.2: bytes=32 time<1ms TTL=125



    _______________________________________________________________________




    Next lab: Routing Protocol Access List

    Lab: -

    topology 



    • We are continuing our previous lab.
    • Configure the OSPF routing protocol between routers 3 and 4.
    • Deny EIGRP on router 4 and make sure router 4 gets its routes from the OSPF routing table.
    • Permit the rest.



    Router-THREE(config)#router ospf 1 
    Router-THREE(config-router)#network 3.0.0.0 0.255.255.255 area 0
    Router-THREE(config-router)#network 30.0.0.0 0.255.255.255 area 0
    Router-THREE(config-router)#exit

    02:21:23: %OSPF-5-ADJCHG: Process 1, Nbr 40.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done


    Router-FOUR(config)#router ospf 1
    Router-FOUR(config-router)#network 3.0.0.0 0.255.255.255 area 0
    Router-FOUR(config-router)#network 4.0.0.0 0.255.255.255 area 0
    Router-FOUR(config-router)#exit

    02:21:23: %OSPF-5-ADJCHG: Process 1, Nbr 30.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done


    Router-THREE#show ip route eigrp

    D 1.0.0.0/8 [90/30720] via 2.2.2.1, 00:07:40, FastEthernet1/0

    D 10.0.0.0/8 [90/33280] via 2.2.2.1, 00:07:39, FastEthernet1/0

    D 20.0.0.0/8 [90/30720] via 2.2.2.1, 00:07:40, FastEthernet1/0

    D 40.0.0.0/8 [90/30720] via 3.3.3.2, 00:07:40, FastEthernet0/0



    Router-THREE#show ip route ospf

    Router-THREE#



(As you can see from the above output, OSPF is not installing any routes in the routing table. Both protocols learn the same prefixes, but EIGRP has an administrative distance of 90 and OSPF 110, so the router prefers the EIGRP routes and the OSPF ones never make it into the table.)



The same is true on Router FOUR.

• Deny EIGRP on Router FOUR and make sure Router FOUR installs the OSPF routes in its routing table.

(The access-list below is applied inbound on FastEthernet0/0, so Router FOUR stops receiving EIGRP hellos from Router THREE. When the EIGRP hold timer expires the adjacency drops, the EIGRP routes are withdrawn, and the OSPF routes (AD 110) are installed instead. The `permit ip any any` line is required because of the implicit deny at the end of every access-list; without it everything else arriving on the interface would be dropped, including the OSPF hellos. In production the usual way to stop EIGRP on one interface is `passive-interface` or removing the `network` statement; filtering the protocol with an interface ACL is shown here to demonstrate matching on a protocol in an extended ACL.)

    Router-FOUR(config)#ip access-list extended 180

    Router-FOUR(config-ext-nacl)#deny eigrp any any

    Router-FOUR(config-ext-nacl)#permit ip any any

    Router-FOUR(config-ext-nacl)#exit


    Router-FOUR(config)#interface fastEthernet 0/0

    Router-FOUR(config-if)#ip access-group 180 in

    Router-FOUR(config-if)#exit



    Router-FOUR#show ip route ospf

    O 30.0.0.0 [110/2] via 3.3.3.1, 00:00:14, FastEthernet0/0




    ---------------------------------------------------------------------------------------------------------------


Next lab: Time-based Access List

Please click the link for the Time-Based ACL lab.

If you like this blog, please visit our YouTube channel: https://youtu.be/D0t29ZdO09I

Thank you so much.

    Tuesday, 15 February 2022

    What is Time-based access-list? How to configure Time-based access-list?


A time-based access-list is an access-list whose entries are active only during a given time period. It is useful when you want to restrict inbound or outbound traffic on particular days or at particular times of day, for example blocking some traffic during business hours.


     

Time-based access-list

A time-based access-list is easy to implement and gives the administrator fine control over traffic, since the same traffic can be permitted or denied depending on the time.

Let's configure a time-based access-list.

    Topology:




• Build the topology as per the diagram.
• Configure the IP addresses on the interfaces.
• Configure EIGRP AS 65100 for routing.
• Make sure the PC can reach Loopback 0 (172.16.1.1) before configuring the time-based access-list.
• Configure a time-based access-list on R1 that blocks ICMP from the PC to 172.16.1.1 during the configured time window.


    R1(config)#interface fastEthernet 0/0

    R1(config-if)#ip address 192.168.1.1 255.255.255.0

    R1(config-if)#no shutdown

    R1(config-if)#exit


    R1(config)#interface ethernet 6/0

    R1(config-if)#ip address 10.1.1.1 255.0.0.0

    R1(config-if)#no shutdown



    R1#show ip interface brief

    Interface              IP-Address      OK? Method Status                Protocol

    FastEthernet0/0        192.168.1.1     YES manual up                    up

    Ethernet6/0            10.1.1.1        YES manual up                    up



    R2(config)#interface fastEthernet 0/0
    R2(config-if)#ip address 192.168.1.2 255.255.255.0
    R2(config-if)#no shutdown
    R2(config-if)#exit

    R2(config)#interface serial 4/0
    R2(config-if)#ip address 1.1.1.1 255.0.0.0
    R2(config-if)#no shutdown
    R2(config-if)#exit



    R3(config)#interface serial 4/0
    R3(config-if)#ip address 1.1.1.2 255.0.0.0
    R3(config-if)#no shutdown
    R3(config-if)#exit

    R3(config)#interface loopback 0
    R3(config-if)#ip address 172.16.1.1 255.255.0.0

    R3(config-if)#do show ip int br
    Interface              IP-Address      OK? Method Status                Protocol
    Serial4/0              1.1.1.2         YES manual up                    up
    Loopback0              172.16.1.1      YES manual up                    up


    {CONFIGURE PC IP ADDRESS WITH DEFAULT GATEWAY}

    IP 10.1.1.2 255.0.0.0 10.1.1.1




    R1(config)#router eigrp 65100

    R1(config-router)#network 192.168.1.0

    R1(config-router)#network 10.0.0.0

    R1(config-router)#no auto-summary

    R1(config-router)#exit


    *Feb 15 12:47:49.483: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 192.168.1.2 (FastEthernet0/0) is up: new adjacency




    R2(config)#router eigrp 65100
    R2(config-router)#network 1.0.0.0
    R2(config-router)#network 192.168.1.0
    R2(config-router)#no auto-summary

    *Feb 15 12:47:13.891: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 192.168.1.1 (FastEthernet0/0) is up: new adjacency

    R2(config-router)#no auto-summary
    R2(config-router)#exit






    R3(config)#router eigrp 65100
    R3(config-router)#network 172.16.0.0
    R3(config-router)#network 1.0.0.0
    R3(config-router)#no auto-summary

    *Feb 15 12:48:24.771: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency
    R3(config-router)#exit



    PC1> ping 10.1.1.1
    84 bytes from 10.1.1.1 icmp_seq=1 ttl=255 time=96.577 ms
    84 bytes from 10.1.1.1 icmp_seq=2 ttl=255 time=35.450 ms
    84 bytes from 10.1.1.1 icmp_seq=3 ttl=255 time=9.170 ms
    84 bytes from 10.1.1.1 icmp_seq=4 ttl=255 time=5.948 ms
    84 bytes from 10.1.1.1 icmp_seq=5 ttl=255 time=5.712 ms

    PC1> ping 192.168.1.1
    84 bytes from 192.168.1.1 icmp_seq=1 ttl=255 time=12.731 ms
    84 bytes from 192.168.1.1 icmp_seq=2 ttl=255 time=5.809 ms
    84 bytes from 192.168.1.1 icmp_seq=3 ttl=255 time=7.586 ms
    84 bytes from 192.168.1.1 icmp_seq=4 ttl=255 time=14.573 ms
    84 bytes from 192.168.1.1 icmp_seq=5 ttl=255 time=14.912 ms

    PC1> ping 1.1.1.1
    84 bytes from 1.1.1.1 icmp_seq=1 ttl=254 time=32.289 ms
    84 bytes from 1.1.1.1 icmp_seq=2 ttl=254 time=26.462 ms
    84 bytes from 1.1.1.1 icmp_seq=3 ttl=254 time=28.834 ms
    84 bytes from 1.1.1.1 icmp_seq=4 ttl=254 time=32.267 ms
    84 bytes from 1.1.1.1 icmp_seq=5 ttl=254 time=27.565 ms

    PC1> ping 172.16.1.1
    84 bytes from 172.16.1.1 icmp_seq=1 ttl=253 time=86.535 ms
    84 bytes from 172.16.1.1 icmp_seq=2 ttl=253 time=44.981 ms
    84 bytes from 172.16.1.1 icmp_seq=3 ttl=253 time=39.510 ms
    84 bytes from 172.16.1.1 icmp_seq=4 ttl=253 time=49.432 ms
    84 bytes from 172.16.1.1 icmp_seq=5 ttl=253 time=52.414 ms

    PC1> ping 172.16.1.1
    84 bytes from 172.16.1.1 icmp_seq=1 ttl=253 time=50.518 ms
    84 bytes from 172.16.1.1 icmp_seq=2 ttl=253 time=49.394 ms
    84 bytes from 172.16.1.1 icmp_seq=3 ttl=253 time=39.684 ms
    84 bytes from 172.16.1.1 icmp_seq=4 ttl=253 time=50.800 ms
    84 bytes from 172.16.1.1 icmp_seq=5 ttl=253 time=52.605 ms




R1#clock set 0:10:0 1 july 2021


*Jul  1 00:10:00.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 13:01:35 UTC Tue Feb 15 2022 to 00:10:00 UTC Thu Jul 1 2021,

(The router clock is set by hand here so that the lab falls inside the time window. A time-based ACL is only as trustworthy as the router's clock: in production synchronise it with NTP and check `show clock` and `show time-range` before relying on the ACL.)


R1(config)#time-range Work_Hours

R1(config-time-range)#absolute start 00:15 1 july 2021

R1(config-time-range)#absolute start 00:15 1 july 2021 end 00:20 1 july 2021

R1(config-time-range)#exit

(An absolute time-range is active once, between its start and end; a time-range holds only one absolute statement, so the second command replaces the first. This time-range is not referenced by the access-list below, which uses the periodic NO_ICMP range; a periodic range repeats on every matching day.)



    R1(config)#time-range NO_ICMP

    R1(config-time-range)#periodic ?

      Friday     Friday

      Monday     Monday

      Saturday   Saturday

      Sunday     Sunday

      Thursday   Thursday

      Tuesday    Tuesday

      Wednesday  Wednesday

      daily      Every day of the week

      weekdays   Monday thru Friday

      weekend    Saturday and Sunday


    R1(config-time-range)#periodic weekdays 0:15 to 0:20

    R1(config-time-range)#exit


    R1(config)#ip access-list extended Work_Hours

R1(config-ext-nacl)#$ost 10.1.1.2 host 172.16.1.1 time-range N0_ICMP

(The `$` at the start of the line is the IOS terminal's horizontal-scroll marker: the beginning of the long deny command has scrolled off the screen. The time-range name given here must match the time-range defined above exactly.)

    R1(config-ext-nacl)#permit ip any any

    R1(config-ext-nacl)#end


    R1(config)#interface fastEthernet 0/0

    R1(config-if)#ip access-group Work_Hours out

    R1(config-if)#exit



PC1> ping 172.16.1.1
*10.1.1.1 icmp_seq=1 ttl=255 time=22.213 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.1.1.1 icmp_seq=2 ttl=255 time=12.513 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.1.1.1 icmp_seq=3 ttl=255 time=9.375 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.1.1.1 icmp_seq=4 ttl=255 time=9.523 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.1.1.1 icmp_seq=5 ttl=255 time=3.403 ms (ICMP type:3, code:13, Communication administratively prohibited)

(R1 drops the echo requests and answers with ICMP type 3 code 13, "Communication administratively prohibited", sourced from its 10.1.1.1 interface. Outside the 00:15 to 00:20 window the deny entry is inactive, the `permit ip any any` line matches, and the pings succeed again. Because the ACL is applied outbound on FastEthernet0/0, the packet is routed first and dropped on the way out; applying it inbound on Ethernet6/0 would drop it before the routing lookup.)
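The following is an added example, not code from the original post: a small Python model of how the two labs above are evaluated by the router, the routing-protocol ACL 180 (deny eigrp, permit everything else) and the time-based ACL Work_Hours with its NO_ICMP time-range. It shows the rules the post describes in working code: top-down evaluation, first match wins, the implicit deny at the end, wildcard-mask matching, and an entry whose time-range is inactive being skipped rather than treated as a deny. The embedded config is constructed for the example; its `deny icmp host 10.1.1.2 host 172.16.1.1 time-range NO_ICMP` line is my reconstruction of the command IOS displayed truncated with `$`, and the sample packets and the date (the Thursday the lab set with `clock set`) are assumptions.

```python
from datetime import datetime

DAY_GROUPS = {  # IOS 'periodic' day keywords -> Python weekday numbers (Mon=0)
    "daily": range(7), "weekdays": range(5), "weekend": (5, 6),
    "monday": (0,), "tuesday": (1,), "wednesday": (2,), "thursday": (3,),
    "friday": (4,), "saturday": (5,), "sunday": (6,),
}

def ip2int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def hhmm(text):
    h, m = text.split(":")
    return int(h) * 60 + int(m)

def parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip2int(tokens[1]), 0), tokens[2:]
    return (ip2int(tokens[0]), ip2int(tokens[1])), tokens[2:]

def addr_match(spec, ip):
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (ip2int(ip) & care) == (addr & care)

def parse_config(text):
    """Parse 'time-range' and 'ip access-list extended' blocks from IOS-style text."""
    ranges, acls, block = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "time-range":
            block = ranges.setdefault(t[1], {"periodic": [], "absolute": [None, None]})
        elif t[:3] == ["ip", "access-list", "extended"]:
            block = acls.setdefault(t[3], [])
        elif t[0] == "periodic":          # periodic weekdays 00:15 to 00:20
            block["periodic"].append((DAY_GROUPS[t[1].lower()], hhmm(t[2]), hhmm(t[4])))
        elif t[0] == "absolute":          # absolute start HH:MM D Month YYYY [end ...]
            for pos, kw in enumerate(("start", "end")):
                if kw in t:
                    i = t.index(kw)
                    block["absolute"][pos] = datetime.strptime(" ".join(t[i + 1:i + 5]), "%H:%M %d %B %Y")
        elif t[0] in ("permit", "deny"):  # permit|deny PROTO SRC DST [time-range NAME]
            src, rest = parse_addr(t[2:])
            dst, rest = parse_addr(rest)
            name = rest[rest.index("time-range") + 1] if "time-range" in rest else None
            block.append((t[0], t[1], src, dst, name))
    return acls, ranges

def time_range_active(tr, now):
    """Absolute window (if any) must hold; then any periodic entry must match."""
    start, end = tr["absolute"]
    if (start and now < start) or (end and now > end):
        return False
    if not tr["periodic"]:
        return True
    minute = now.hour * 60 + now.minute
    return any(now.weekday() in days and s <= minute <= e for days, s, e in tr["periodic"])

def evaluate(acl, ranges, pkt, now):
    """Return (action, ace_number); ace_number is None for the implicit deny."""
    for n, (action, proto, src, dst, name) in enumerate(acl, 1):
        if name and not time_range_active(ranges[name], now):
            continue                                  # inactive ACE: skipped, keep walking
        if proto != "ip" and proto != pkt["proto"]:   # 'ip' matches every IP protocol
            continue
        if addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"]):
            return action, n                          # first match wins
    return "deny", None                               # implicit deny at the end of the list

# Constructed config mirroring the two labs; the 'deny icmp' line is my
# reconstruction of the command IOS showed truncated as '$ost 10.1.1.2 ...'.
CONFIG = """
time-range Work_Hours
 absolute start 00:15 1 july 2021 end 00:20 1 july 2021
time-range NO_ICMP
 periodic weekdays 00:15 to 00:20
ip access-list extended Work_Hours
 deny icmp host 10.1.1.2 host 172.16.1.1 time-range NO_ICMP
 permit ip any any
ip access-list extended 180
 deny eigrp any any
 permit ip any any
"""
ACLS, RANGES = parse_config(CONFIG)

def lab_results():
    """Sample packets (assumed) evaluated on Thu 1 Jul 2021, the date the lab set with 'clock set'."""
    in_window, off_window = datetime(2021, 7, 1, 0, 16), datetime(2021, 7, 1, 0, 30)
    icmp = {"proto": "icmp", "src": "10.1.1.2", "dst": "172.16.1.1"}
    eigrp = {"proto": "eigrp", "src": "3.3.3.1", "dst": "224.0.0.10"}
    ospf = {"proto": "ospf", "src": "3.3.3.1", "dst": "224.0.0.5"}
    return {
        "icmp_in_window": evaluate(ACLS["Work_Hours"], RANGES, icmp, in_window),
        "icmp_off_window": evaluate(ACLS["Work_Hours"], RANGES, icmp, off_window),
        "eigrp_hello": evaluate(ACLS["180"], RANGES, eigrp, in_window),
        "ospf_hello": evaluate(ACLS["180"], RANGES, ospf, in_window),
        "only_deny_line": evaluate(ACLS["180"][:1], RANGES, ospf, in_window),
        "work_hours_next_day": time_range_active(RANGES["Work_Hours"], datetime(2021, 7, 2, 0, 16)),
    }
```

Calling `lab_results()` gives the outcomes seen in the labs: the ICMP packet hits entry 1 (deny) inside the window and falls through to entry 2 (permit) outside it; the EIGRP hello hits the deny while the OSPF hello reaches `permit ip any any`; and with the `permit` line removed the OSPF hello is dropped by the implicit deny, which is why that line is needed. The absolute Work_Hours range is inactive the next day, since it fires only once.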







