Cisco ACL
Slide about ACL on Cisco Routers.

Published in: Technology
  1. Access Control List, 2009 © Alexander Rybolovlev
  2. A TCP Conversation. Well-known ports: SMTP 25, POP3 110, IMAP 143, HTTP 80, HTTPS 443, DNS 53, FTP-DATA 20, FTP 21, TFTP 69, SNMP 169, NTP 123
  3. Packet Filtering
     • ALLOW or DENY
     • Source IP address
     • Destination IP address
     • ICMP message type
     • TCP/UDP source port
     • TCP/UDP destination port
     One ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), one ACL per direction (i.e., IN or OUT).
  4. Numbering and Naming ACLs
     Router(config)# access-list ?
       <1-99>       IP standard access list
       <100-199>    IP extended access list
       <1100-1199>  Extended 48-bit MAC address access list
       <1300-1999>  IP standard access list (expanded range)
       <200-299>    Protocol type-code access list
       <2000-2699>  IP extended access list (expanded range)
       <700-799>    48-bit MAC address access list
     • You assign a number based on which protocol you want filtered:
       – (1 to 99) and (1300 to 1999): Standard IP ACL
       – (100 to 199) and (2000 to 2699): Extended IP ACL
     • You assign a name by providing the name of the ACL:
       – Names can contain alphanumeric characters.
       – It is suggested that the name be written in CAPITAL LETTERS.
       – Names cannot contain spaces or punctuation and must begin with a letter.
       – You can add or delete entries within the ACL.
  5. Where To Place ACLs
  6. Standard ACL
     [no] access-list acl-num {deny|permit|remark} [source [source-wildcard]] [log]
     access-list 2 deny 192.168.10.1
     access-list 2 permit 192.168.10.0 0.0.0.255
     access-list 2 deny 192.168.0.0 0.0.255.255
     access-list 2 permit 192.0.0.0 0.255.255.255
     Router# show access-lists
     Standard IP access list 99
         10 permit host 192.168.99.0
         20 permit host 192.168.98.0
     Router#conf t
     Router(config)#no access-list 99
     Router(config)#end
     Router#show access-lists
     Router#
     Router(config)#access-list 10 remark Acces_to_LAN
     Router(config)#access-list 10 permit 192.168.10.0
     Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
     Router(config)#access-list 1 permit 192.168.10.0 0.0.0.255
     Router(config)#interface FastEthernet0/0
     Router(config-if)#ip access-group 1 out
  7. Example
  8. Example
  9. Example
  10. Example
  11. Edit Standard ACL
     #1 Current configuration:
     R1# show running-config | include access-list
     access-list 20 permit 192.168.10.100
     access-list 20 deny 192.168.10.0 0.0.0.255
     #2 Wanted configuration:
     access-list 20 permit 192.168.10.11
     access-list 20 deny 192.168.10.0 0.0.0.255
     #3 Remove the list and re-enter it:
     R1# conf t
     R1(config)# no access-list 20
     R1(config)#access-list 20 remark Access for permit host 10.11
     R1(config)# access-list 20 permit 192.168.10.11
     R1(config)# access-list 20 deny 192.168.10.0 0.0.0.255
  12. Naming ACL
     Router(config)# ip access-list {standard | extended} name
     Router(config-std-nacl)# [no] [num] {deny|permit|remark} …
     Router(config)#ip access-list standard Bumburum
     Router(config-std-nacl)#deny host 192.168.0.1
     Router(config-std-nacl)#permit 192.168.0.0 0.0.0.255
     Router#sh access-lists
     Standard IP access list Bumburum
         10 deny host 192.168.0.1
         20 permit 192.168.0.0 0.0.0.255
     Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
     Router(config-if)#ip access-group Bumburum out
  13. Edit ACL
     Router# show access-lists {acl-num|name}
     Router#sh access-lists 99
     Standard IP access list 99
         10 permit host 192.168.9.9
         20 permit host 192.168.9.11
     Router(config)# ip access-list {standard | extended} {acl-num|name}
     Router(config-std-nacl)# [no] [num] {deny|permit|remark} …
     Router(config)#ip access-list standard 99
     Router(config-std-nacl)#15 permit host 192.168.9.10
     Router#sh access-lists 99
     Standard IP access list 99
         10 permit host 192.168.9.9
         15 permit host 192.168.9.10
         20 permit host 192.168.9.11
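The behaviour slides 6, 11 and 13 rely on (wildcard-mask matching, first-match evaluation, the implicit "deny any" at the end of every list, default sequence numbers 10, 20, ... and inserting an entry at a chosen sequence number) can be checked offline with a small simulator. The following is an added example, not code from the slides or from Cisco; the class and function names (`StandardAcl`, `wildcard_match`, `slide11_rebuild`) are my own, and the sample lists are the ones shown on the slides.

```python
# Added example: a simulator of Cisco IOS standard IP ACL semantics.
# Names are hypothetical; the ACL lines come from slides 6, 11 and 13.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match.
    It is the inverse of a subnet mask: 0.0.0.255 covers a /24."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


@dataclass
class Entry:
    seq: int
    action: str      # "permit" or "deny"
    network: str
    wildcard: str


class StandardAcl:
    """A numbered or named standard IP ACL (filters on source address only)."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[Entry] = []

    def add(self, line: str, seq: Optional[int] = None) -> int:
        """Add an entry in IOS syntax, e.g. 'permit 192.168.10.0 0.0.0.255',
        'deny host 192.168.0.1' or 'permit any'. Returns its sequence number."""
        tokens = line.split()
        action, rest = tokens[0], tokens[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action: {action}")
        if rest == ["any"]:
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            network, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            # IOS treats a bare address as a host entry (shown as 'host x.x.x.x')
            network, wildcard = rest[0], "0.0.0.0"
        else:
            network, wildcard = rest[0], rest[1]
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        self.entries.append(Entry(seq, action, network, wildcard))
        self.entries.sort(key=lambda e: e.seq)  # evaluation order is by sequence
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' in ip access-list configuration mode."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """First matching entry decides; no match means the implicit deny."""
        for e in self.entries:
            if wildcard_match(src, e.network, e.wildcard):
                return e.action, e.seq
        return "deny", None

    def show(self) -> str:
        """Roughly what 'show access-lists' prints for this list."""
        lines = [f"Standard IP access list {self.name}"]
        for e in self.entries:
            if e.wildcard == "0.0.0.0":
                target = f"host {e.network}"
            elif e.wildcard == "255.255.255.255":
                target = "any"
            else:
                target = f"{e.network} {e.wildcard}"
            lines.append(f"    {e.seq} {e.action} {target}")
        return "\n".join(lines)


def slide11_rebuild() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """Slide 11: host 192.168.10.11 is denied by the original list 20 and
    permitted once the list is removed and re-entered with a permit for it."""
    before = StandardAcl("20")
    before.add("permit 192.168.10.100")
    before.add("deny 192.168.10.0 0.0.0.255")
    after = StandardAcl("20")            # 'no access-list 20', then re-enter
    after.add("permit 192.168.10.11")
    after.add("deny 192.168.10.0 0.0.0.255")
    return before.evaluate("192.168.10.11"), after.evaluate("192.168.10.11")


if __name__ == "__main__":
    acl2 = StandardAcl("2")              # the four lines from slide 6
    for line in ("deny 192.168.10.1", "permit 192.168.10.0 0.0.0.255",
                 "deny 192.168.0.0 0.0.255.255", "permit 192.0.0.0 0.255.255.255"):
        acl2.add(line)
    print(acl2.show())
    for src in ("192.168.10.1", "192.168.10.50", "192.168.200.1", "192.1.1.1", "10.0.0.1"):
        print(src, "->", acl2.evaluate(src))
    print(slide11_rebuild())
```

Running it with list 2 from slide 6 shows why entry order matters: 192.168.10.1 is denied by entry 10 before the /24 permit at entry 20 is reached, 192.168.200.1 falls through to the /16 deny, and 10.0.0.1 matches nothing and hits the implicit deny. Adding `permit host 192.168.9.10` with `seq=15` reproduces the slide 13 insertion between entries 10 and 20.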
  14. Extended ACL
     R1(config)# access-list 101 permit tcp any eq ?
  15. Example
  16. Example
  17. Example