Cisco ACL

Slide about ACL on Cisco Routers.

Published in: Technology
Transcript

  • 1. Access Control List 2009 © Alexander Rybolovlev
  • 2. A TCP Conversation. Well-known ports used in the examples (TFTP, SNMP and NTP are UDP; DNS is UDP and TCP; the rest are TCP):
    SMTP 25, POP3 110, IMAP 143, HTTP 80, HTTPS 443, DNS 53, FTP-DATA 20, FTP 21, TFTP 69, SNMP 161, NTP 123
  • 3. Packet Filtering. An ACL entry permits or denies a packet based on:
    - Source IP address
    - Destination IP address
    - ICMP message type
    - TCP/UDP source port
    - TCP/UDP destination port
    Limits on where a list can be applied: one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), one ACL per direction (IN or OUT).
  • 4. Numbering and Naming ACLs
    Router(config)# access-list ?
      <1-99>       IP standard access list
      <100-199>    IP extended access list
      <1100-1199>  Extended 48-bit MAC address access list
      <1300-1999>  IP standard access list (expanded range)
      <200-299>    Protocol type-code access list
      <2000-2699>  IP extended access list (expanded range)
      <700-799>    48-bit MAC address access list
    You assign a number based on which protocol you want filtered:
    - 1 to 99 and 1300 to 1999: standard IP ACL
    - 100 to 199 and 2000 to 2699: extended IP ACL
    You assign a name by providing the name of the ACL:
    - Names can contain alphanumeric characters.
    - It is suggested that the name be written in CAPITAL LETTERS.
    - Names cannot contain spaces or punctuation and must begin with a letter.
    - You can add or delete entries within the ACL.
  • 5. Where To Place ACLs (the slide is a diagram). Place an extended ACL as close as possible to the source of the traffic it denies, so unwanted packets are dropped before they cross the network; place a standard ACL, which matches only on source address, as close as possible to the destination, so it does not also block that source's traffic to other destinations.
  • 6. Standard ACL
    Syntax:
      [no] access-list acl-num {deny|permit|remark} source [source-wildcard] [log]
    Entries are evaluated top-down, the first match wins, and an implicit deny-all follows the last entry:
      access-list 2 deny 192.168.10.1
      access-list 2 permit 192.168.10.0 0.0.0.255
      access-list 2 deny 192.168.0.0 0.0.255.255
      access-list 2 permit 192.0.0.0 0.255.255.255
    A source entered without a wildcard is a single host (wildcard 0.0.0.0), which is how IOS displays it:
      Router# show access-lists
      Standard IP access list 99
          10 permit host 192.168.99.0
          20 permit host 192.168.98.0
    Removing a numbered list deletes all of its entries:
      Router# conf t
      Router(config)# no access-list 99
      Router(config)# end
      Router# show access-lists
      Router#
    A remark documents the list; the LAN entry needs a wildcard or it matches only the host 192.168.10.0:
      Router(config)# access-list 10 remark Access_to_LAN
      Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255
    Applying a list to an interface (a standard ACL takes no protocol keyword, so there is no "ip" between permit and the address):
      Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
      Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255
      Router(config)# interface FastEthernet0/0
      Router(config-if)# ip access-group 1 out
  • 7. Example
  • 8. Example
  • 9. Example
  • 10. Example
  • 11. Edit Standard ACL
    #1 Current list: one host permitted, the rest of the subnet denied:
      R1# show running-config | include access-list
      access-list 20 permit 192.168.10.100
      access-list 20 deny 192.168.10.0 0.0.0.255
    #2 Desired list: host .11 instead of .100:
      access-list 20 permit 192.168.10.11
      access-list 20 deny 192.168.10.0 0.0.0.255
    #3 New access-list commands only append, so delete the list and re-enter every entry in order (the permit must precede the subnet deny, or the host is shadowed and never matched). While the list is deleted, an interface that still references ACL 20 with ip access-group passes all traffic, so re-enter the entries immediately:
      R1# conf t
      R1(config)# no access-list 20
      R1(config)# access-list 20 remark Access for permit host 10.11
      R1(config)# access-list 20 permit 192.168.10.11
      R1(config)# access-list 20 deny 192.168.10.0 0.0.0.255
  • 12. Naming ACL
    Syntax:
      Router(config)# ip access-list {standard | extended} name
      Router(config-std-nacl)# [no] [num] {deny|permit|remark} ...
    Example:
      Router(config)# ip access-list standard Bumburum
      Router(config-std-nacl)# deny host 192.168.0.1
      Router(config-std-nacl)# permit 192.168.0.0 0.0.0.255
      Router# sh access-lists
      Standard IP access list Bumburum
          10 deny host 192.168.0.1
          20 permit 192.168.0.0 0.0.0.255
    Applying a named list:
      Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
      Router(config-if)# ip access-group Bumburum out
  • 13. Edit ACL
    Show the current entries with their sequence numbers:
      Router# show access-lists {acl-num|name}
      Router# sh access-lists 99
      Standard IP access list 99
          10 permit host 192.168.9.9
          20 permit host 192.168.9.11
    Named-ACL configuration mode also accepts a number (on IOS releases with ACL sequence numbering), so a numbered list can be edited in place; pick a sequence number between the neighbours to insert an entry:
      Router(config)# ip access-list {standard | extended} {acl-num|name}
      Router(config-std-nacl)# [no] [num] {deny|permit|remark} ...
      Router(config)# ip access-list standard 99
      Router(config-std-nacl)# 15 permit host 192.168.9.10
      Router# sh access-lists 99
      Standard IP access list 99
          10 permit host 192.168.9.9
          15 permit host 192.168.9.10
          20 permit host 192.168.9.11
  • 14. Extended ACL. An extended entry adds a protocol and a destination, with optional port operators after either address; context-sensitive help lists the operators and port keywords IOS accepts at that point:
      R1(config)# access-list 101 permit tcp any eq ?
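The following Python model is an added example, not code from the slides. It parses access-list lines in the syntax of slides 6, 11 and 14 and evaluates constructed packets against them the way IOS does: wildcard-mask comparison, top-down first match, and the implicit deny after the last entry. It shows why the permit in slide 11 must come before the subnet deny, and how the extended-ACL options (protocol, source and destination ports, established, log) participate in a match. The addresses, ACL 101 and the packets are constructed for illustration; only the eq port operator with numeric ports is parsed, and established is approximated by the TCP ACK bit.

```python
# Added example, not from the slides: a minimal model of IOS numbered-ACL evaluation.
# Assumptions: protocols ip/tcp/udp, numeric ports with the 'eq' operator only,
# 'established' approximated by the TCP ACK bit, 'log' recorded but not acted on.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bit = must match, 1 bit = don't care (inverse of a netmask)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False  # TCP ACK bit, stands in for 'established'

@dataclass
class Entry:
    action: str
    proto: str = "ip"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    log: bool = False

def _parse_addr(t: list, i: int) -> tuple:
    """Parse 'any' | 'host A' | 'A [wildcard]'; a bare address is a single host (wildcard 0.0.0.0)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:  # a dotted-quad wildcard follows
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'access-list N {permit|deny|remark} ...' line; remarks yield None."""
    t = line.split()
    num, action = int(t[1]), t[2]
    if action == "remark":
        return None
    e, i = Entry(action=action), 3
    standard = 1 <= num <= 99 or 1300 <= num <= 1999  # standard ranges from slide 4
    if not standard:
        e.proto, i = t[i], i + 1
    e.src, e.src_wc, i = _parse_addr(t, i)
    if not standard:
        if i < len(t) and t[i] == "eq":  # source port
            e.sport, i = int(t[i + 1]), i + 2
        e.dst, e.dst_wc, i = _parse_addr(t, i)
    while i < len(t):  # trailing options
        if t[i] == "eq":
            e.dport, i = int(t[i + 1]), i + 2
        elif t[i] in ("established", "log"):
            setattr(e, t[i], True)
            i += 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return e

def parse_acl(lines: list) -> list:
    return [e for e in map(parse_entry, lines) if e is not None]

def evaluate(acl: list, pkt: Packet) -> tuple:
    """Top-down, first match wins. Returns (action, index of the matching entry);
    index None means the packet fell off the end and hit the implicit deny."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, e.src, e.src_wc) and wildcard_match(pkt.dst, e.dst, e.dst_wc)):
            continue
        if e.sport is not None and pkt.sport != e.sport:
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        if e.established and not pkt.ack:
            continue
        return e.action, idx
    return "deny", None

# Constructed lists. ACL 20 is slide 11's list, in the intended and in the shadowed order.
ACL_20_PERMIT_FIRST = parse_acl([
    "access-list 20 remark Access for permit host 10.11",
    "access-list 20 permit 192.168.10.11",
    "access-list 20 deny 192.168.10.0 0.0.0.255",
])
ACL_20_DENY_FIRST = parse_acl([
    "access-list 20 deny 192.168.10.0 0.0.0.255",
    "access-list 20 permit 192.168.10.11",  # never reached: the deny above matches first
])
# Hypothetical extended list for an Internet-facing interface, applied inbound.
ACL_101 = parse_acl([
    "access-list 101 permit tcp any any established",
    "access-list 101 permit udp any eq 53 host 192.168.10.5",
    "access-list 101 permit tcp any host 192.168.10.10 eq 80",
    "access-list 101 deny ip any any log",
])
```

Calling evaluate(ACL_20_DENY_FIRST, Packet("ip", "192.168.10.11", "10.0.0.1")) returns ("deny", 0): the host permit on the second line is dead, which is the ordering mistake slide 11 avoids by re-entering the permit first. In ACL_101 a new inbound SYN to the web server on port 80 is permitted by the third entry, a SYN to any other port reaches the final logged deny, and only packets with the ACK bit set pass the established entry, which is as far as a stateless ACL can go toward tracking a TCP conversation.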
  • 15. Example
  • 16. Example
  • 17. Example