Access Control List 1

This study guide is intended to provide those pursuing the CCNA certification with a framework of what concepts need to be studied. This is not a comprehensive document containing all the secrets of the CCNP nor is it a “braindump” of questions and answers.

I sincerely hope that this document provides some assistance and clarity in your studies.

Published in: Education, Technology, Business

Transcript

  • 2. Rules of Access List
      • All deny statements have to be given first.
      • There should be at least one permit statement.
      • An implicit deny blocks all traffic by default when there is no match (an invisible statement).
      • Can have one access-list per interface per direction, i.e. two access-lists per interface: one in the inbound direction and one in the outbound direction.
      • Works in sequential order.
      • Editing of access-lists is not possible, i.e. selectively adding or removing access-list statements is not possible.
  • 3. Standard ACL - Network Diagram
      [Network diagram: HYD router (S0 10.0.0.1/8, E0 192.168.1.150/24; LAN 192.168.1.0/24 with hosts 1.1, 1.2, 1.3), CHE router (S1 10.0.0.2/8, S0 11.0.0.1/8, E0 192.168.2.150/24; LAN 192.168.2.0/24 with hosts 2.1, 2.2, 2.3), BAN router (S1 11.0.0.2/8, E0 192.168.3.150/2; LAN 192.168.3.0/24 with hosts 3.1, 3.2, 3.3)]
      Creation and implementation is done closest to the destination.
      1.1 & 1.2 should not communicate with 2.0 network.
  • 4. How Standard ACL Works?
      [Network diagram as on slide 3] 1.1 is accessing 2.1.
  • 5-6. How Standard ACL Works?
      1.1 Source IP 192.168.1.1
      2.1 Destination IP 192.168.2.1
      access-list 1 deny 192.168.1.1 0.0.0.0
      access-list 1 deny 192.168.1.2 0.0.0.0
      access-list 1 permit any
  • 7. How Standard ACL Works?
      [Network diagram as on slide 3] 1.3 is accessing 2.1.
  • 8. How Standard ACL Works?
      1.1 Source IP 192.168.1.3
      2.1 Destination IP 192.168.2.1
      access-list 1 deny 192.168.1.1 0.0.0.0  x
      access-list 1 deny 192.168.1.2 0.0.0.0
      access-list 1 permit any
  • 9. How Standard ACL Works?
      1.1 Source IP 192.168.1.3
      2.1 Destination IP 192.168.2.1
      access-list 1 deny 192.168.1.1 0.0.0.0
      access-list 1 deny 192.168.1.2 0.0.0.0  x
      access-list 1 permit any
  • 10. How Standard ACL Works?
      1.1 Source IP 192.168.1.3
      2.1 Destination IP 192.168.2.1
      access-list 1 deny 192.168.1.1 0.0.0.0
      access-list 1 deny 192.168.1.2 0.0.0.0
      access-list 1 permit any
  • 11.
      1.1 Source IP 192.168.1.1 / 192.168.1.3
      2.1 Destination IP 192.168.2.1
      access-list 1 deny 192.168.1.1 0.0.0.0
      access-list 1 deny 192.168.1.2 0.0.0.0
      access-list 1 permit any
  • 12. Standard ACL - Network Diagram
      [Network diagram as on slide 3]
      Creation and implementation is done closest to the destination.
      1.1 & 3.0 should not communicate with 2.0 network.
  • 13. How Standard ACL Works?
      [Network diagram as on slide 3] 1.1 is accessing 2.1.
  • 14-15. How Standard ACL Works?
      1.1 Source IP 192.168.1.1
      2.1 Destination IP 192.168.2.1
      access-list 5 deny 192.168.1.1 0.0.0.0
      access-list 5 deny 192.168.3.0 0.0.0.255
      access-list 5 permit any
  • 16. How Standard ACL Works?
      [Network diagram as on slide 3] 1.3 is accessing 2.1.
  • 17. How Standard ACL Works?
      1.3 Source IP 192.168.1.3
      2.1 Destination IP 192.168.2.1
      access-list 5 deny 192.168.1.1 0.0.0.0  x
      access-list 5 deny 192.168.3.0 0.0.0.255
      access-list 5 permit any
  • 18. How Standard ACL Works?
      1.3 Source IP 192.168.1.3
      2.1 Destination IP 192.168.2.1
      access-list 5 deny 192.168.1.1 0.0.0.0
      access-list 5 deny 192.168.3.0 0.0.0.255  x
      access-list 5 permit any
  • 19. How Standard ACL Works?
      1.3 Source IP 192.168.1.3
      2.1 Destination IP 192.168.2.1
      access-list 5 deny 192.168.1.1 0.0.0.0
      access-list 5 deny 192.168.3.0 0.0.0.255
      access-list 5 permit any
  • 20.
      1.3 Source IP 192.168.1.1 / 192.168.1.3
      2.1 Destination IP 192.168.2.1
      access-list 5 deny 192.168.1.1 0.0.0.0
      access-list 5 deny 192.168.3.0 0.0.0.255
      access-list 5 permit any
  • 21. How Standard ACL Works?
      [Network diagram as on slide 3] 3.1 is accessing 2.1.
  • 22. How Standard ACL Works?
      3.1 Source IP 192.168.3.1
      2.1 Destination IP 192.168.2.1
      access-list 5 deny 192.168.1.1 0.0.0.0  x
      access-list 5 deny 192.168.3.0 0.0.0.255
      access-list 5 permit any
  • 23-24. How Standard ACL Works?
      3.1 Source IP 192.168.3.1
      2.1 Destination IP 192.168.2.1
      access-list 5 deny 192.168.1.1 0.0.0.0
      access-list 5 deny 192.168.3.0 0.0.0.255
      access-list 5 permit any
  • 25. Extended ACL - Network Diagram
      [Network diagram as on slide 3]
      Creation and implementation is done closest to the source.
      2.0 should not access 3.1 (Web Service).
  • 26. How Extended ACL Works?
      [Network diagram as on slide 3] 2.1 is accessing 3.1 (Web Service).
  • 27-28. How Extended ACL Works?
      2.1 Source IP 192.168.2.1
      3.1 Destination IP 192.168.3.1, Port - 80
      access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
      access-list 101 permit ip any any
  • 29. How Extended ACL Works?
      [Network diagram as on slide 3] 2.1 is accessing 3.1 (Telnet Service).
  • 30. How Extended ACL Works?
      2.1 Source IP 192.168.2.1
      3.1 Destination IP 192.168.3.1, Port - 23
      access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80  x
      access-list 101 permit ip any any
  • 31. How Extended ACL Works?
      2.1 Source IP 192.168.2.1
      3.1 Destination IP 192.168.3.1, Port - 23
      access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
      access-list 101 permit ip any any
  • 32. How Extended ACL Works?
      2.1 Source IP 192.168.1.1 / 192.168.2.1
      3.1 Destination IP 192.168.3.1, Port - 23
      access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
      access-list 101 permit ip any any
  • 33. How Extended ACL Works?
      [Network diagram as on slide 3] 2.1 is accessing 1.1 (Web Service).
  • 34. How Extended ACL Works?
      2.1 Source IP 192.168.2.1
      1.1 Destination IP 192.168.1.1, Port - 80
      access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80  x
      access-list 101 permit ip any any
  • 35. How Extended ACL Works?
      2.1 Source IP 192.168.2.1
      1.1 Destination IP 192.168.1.1, Port - 80
      access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
      access-list 101 permit ip any any
  • 36. How Extended ACL Works?
      2.1 Source IP 192.168.1.1 / 192.168.2.1
      1.1 Destination IP 192.168.1.1, Port - 80
      access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
      access-list 101 permit ip any any
  • 37. Named Access List
      • Access-lists are identified using names rather than numbers.
      • Names are case-sensitive.
      • No limitation of numbers here.
      • One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible. (IOS version 11.2 or later allows Named ACL.)
  • 38. Standard Named Access List
      Creation of Standard Named Access List
        Router(config)# ip access-list standard <name>
        Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask>
      Implementation of Standard Named Access List
        Router(config)#interface <interface type><interface no>
        Router(config-if)#ip access-group <name> <out/in>
  • 39. Extended Named Access List
      Creation of Extended Named Access List
        Router(config)# ip access-list extended <name>
        Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
      Implementation of Extended Named Access List
        Router(config)#interface <interface type><interface no>
        Router(config-if)#ip access-group <name> <out/in>
  • 41.
      Microsoft Windows 2000 [Version 5.00.2195]
      (C) Copyright 1985-2000 Microsoft Corp.
      C:> telnet 192.168.1.150
      Connecting .....
      ================================
      Welcome to Hyderabad Router
      ================================
      User Access Verification
      password : ****
      Hyderabad> enable
      password : ****
      Hyderabad# show ip route
      Gateway of last resort is not set
      C 10.0.0.0/8 is directly connected, Serial0
      R 11.0.0.0/8 [120/1] via 10.0.0.2, 00:00:25, Serial0
      C 192.168.1.0/24 is directly connected, Ethernet0
      R 192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:25, Serial0
      R 192.168.3.0/24 [120/2] via 10.0.0.2, 00:00:25, Serial0
      Hyderabad#
  • 42.
      Microsoft Windows 2000 [Version 5.00.2195]
      (C) Copyright 1985-2000 Microsoft Corp.
      C:> telnet 192.168.2.150
      Connecting .....
      ================================
      Welcome to Chennai Router
      ================================
      User Access Verification
      password : ****
      Chennai> enable
      password : ****
      Chennai# show ip route
      Gateway of last resort is not set
      C 10.0.0.0/8 is directly connected, Serial1
      C 11.0.0.0/8 is directly connected, Serial0
      R 192.168.1.0/24 [120/1] via 10.0.0.1, 00:00:01, Serial1
      C 192.168.2.0/24 is directly connected, Ethernet0
      R 192.168.3.0/24 [120/1] via 11.0.0.2, 00:00:12, Serial0
      Chennai#
  • 43.
      Microsoft Windows 2000 [Version 5.00.2195]
      (C) Copyright 1985-2000 Microsoft Corp.
      C:> telnet 192.168.3.150
      Connecting .....
      ================================
      Welcome to Banglore Router
      ================================
      User Access Verification
      password : ****
      Banglore> enable
      password : ****
      Banglore# show ip route
      Gateway of last resort is not set
      R 10.0.0.0/8 [120/1] via 11.0.0.1, 00:00:04, Serial1
      C 11.0.0.0/8 is directly connected, Serial1
      R 192.168.1.0/24 [120/2] via 11.0.0.1, 00:00:04, Serial1
      R 192.168.2.0/24 [120/1] via 11.0.0.1, 00:00:04, Serial1
      C 192.168.3.0/24 is directly connected, Ethernet0
      Banglore#
  • 44.
      Microsoft Windows 2000 [Version 5.00.2195]
      (C) Copyright 1985-2000 Microsoft Corp.
      C:> telnet 192.168.2.150
      Connecting .....
      ================================
      Welcome to Chennai Router
      ================================
      User Access Verification
      password : ****
      Chennai> enable
      password : ****
      Chennai# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Chennai(config)# interface serial 1
      Chennai(config-if)# ip address 10.0.0.2 255.0.0.0
      Chennai(config-if)# no shut
      Chennai(config-if)# encapsulation hdlc
      Chennai(config-if)# interface serial 0
      Chennai(config-if)# ip address 11.0.0.1 255.0.0.0
      Chennai(config-if)# no shut
      Chennai(config-if)# encapsulation hdlc
  • 45.
      Chennai# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0
      Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0
      Chennai(config)# access-list 1 permit any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 1 out
      Chennai(config-if)#
      Creation of Standard Access List
        Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>
      Implementation of Standard Access List
        Router(config)#interface <interface type><interface no>
        Router(config-if)#ip access-group <number> <out/in>
  • 46.
      Chennai# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0
      Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0
      Chennai(config)# access-list 1 permit any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 1 out
      Chennai(config-if)# ^Z
      Chennai# show ip access-list
      Standard IP access list 1
        deny 192.168.1.1
        deny 192.168.1.2
        permit any
      Chennai#
  • 47.
      Chennai# show ip int e0
      Ethernet0 is up, line protocol is up
      Internet address is 192.168.2.150/24
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is enabled
      Multicast reserved groups joined: 224.0.0.9
      Outgoing access list is 1
      Inbound access list is not set
      Proxy ARP is enabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is disabled
      IP multicast fast switching is disabled
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      Probe proxy name replies are disabled
      Gateway Discovery is disabled
      Policy routing is disabled
      Network address translation is disabled
      Chennai#
  • 48.
      Chennai# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0
      Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255
      Chennai(config)# access-list 5 permit any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 5 out
      Chennai(config-if)# ^Z
      Chennai# show ip access-list
      Standard IP access list 5
        deny 192.168.1.1
        deny 192.168.3.0
        permit any
      Chennai#
  • 49.
      Chennai# show ip int e0
      Ethernet0 is up, line protocol is up
      Internet address is 192.168.2.150/24
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is enabled
      Multicast reserved groups joined: 224.0.0.9
      Outgoing access list is 5
      Inbound access list is not set
      Proxy ARP is enabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is disabled
      IP multicast fast switching is disabled
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      Probe proxy name replies are disabled
      Gateway Discovery is disabled
      Policy routing is disabled
      Network address translation is disabled
      Chennai#
  • 50.
      Chennai# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0
      Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255
      Chennai(config)# access-list 5 permit any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 5 out
      Chennai(config-if)#
      Creation of Standard Access List
        Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>
      Implementation of Standard Access List
        Router(config)#interface <interface type><interface no>
        Router(config-if)#ip access-group <number> <out/in>
  • 51.
      Chennai# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
      Chennai(config)# access-list 101 permit ip any any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 101 in
      Chennai(config-if)#
      Creation of Extended Access List
        Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
      Implementation of Extended Access List
        Router(config)#interface <interface type><interface no>
        Router(config-if)#ip access-group <number> <out/in>
  • 52.
      Chennai# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
      Chennai(config)# access-list 101 permit ip any any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 101 in
      Chennai(config-if)# ^Z
      Chennai# show ip access-list
      Extended IP access list 101
        deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq www
        permit ip any any
      Chennai#
  • 53.
      Chennai# show ip int e0
      Ethernet0 is up, line protocol is up
      Internet address is 192.168.2.150/24
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is enabled
      Multicast reserved groups joined: 224.0.0.9
      Outgoing access list is not set
      Inbound access list is 101
      Proxy ARP is enabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is disabled
      IP multicast fast switching is disabled
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      Probe proxy name replies are disabled
      Gateway Discovery is disabled
      Policy routing is disabled
      Network address translation is disabled
      Chennai#
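
The first-match walk-throughs on slides 5 to 36 (sequential order, wildcard masks, implicit deny) can be replayed with a small evaluator. This is an added example, not part of the original slides: the function names are hypothetical, only the syntax forms shown on the slides are parsed, and ACLs 10 and 20 are constructed to show what happens when the "deny first" and "at least one permit" rules are broken.

```python
import ipaddress
from collections import defaultdict
ANY = (0, 0xFFFFFFFF)  # every wildcard bit set: matches any address

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    return (ip(tok.pop(0)), 0) if t == "host" else (ip(t), ip(tok.pop(0)))

def parse_acls(text):
    """Group numbered access-list lines by ACL number, keeping their order."""
    acls = defaultdict(list)
    for line in text.strip().splitlines():
        tok = line.split()
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        rule = {"line": line.strip(), "action": action, "proto": "ip",
                "dst": ANY, "port": None}
        if 100 <= num <= 199:  # extended: protocol, source, destination, port
            rule["proto"] = rest.pop(0)
            rule["src"], rule["dst"] = parse_addr(rest), parse_addr(rest)
            if rest[:1] == ["eq"]:
                rule["port"] = int(rest[1])
        else:                  # standard (1-99): source address only
            rule["src"] = parse_addr(rest)
        acls[num].append(rule)
    return acls

def wc_match(addr, spec):
    """Wildcard bit 0 = must match, 1 = ignore (inverse of a subnet mask)."""
    base, wildcard = spec
    return ((ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(rules, src, dst="0.0.0.0", proto="ip", port=None):
    """Top-down, first match wins; no match falls to the implicit deny."""
    for r in rules:
        if (wc_match(src, r["src"]) and wc_match(dst, r["dst"])
                and r["proto"] in ("ip", proto) and r["port"] in (None, port)):
            return r["action"], r["line"]
    return "deny", "(implicit deny)"

# ACLs 1, 5 and 101 are copied from the slides. ACL 10 (permit placed first)
# and ACL 20 (no permit at all) are constructed to show the two rule failures.
ACLS = parse_acls("""
access-list 1 deny 192.168.1.1 0.0.0.0
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 permit any
access-list 5 deny 192.168.1.1 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255
access-list 5 permit any
access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
access-list 101 permit ip any any
access-list 10 permit any
access-list 10 deny 192.168.1.1 0.0.0.0
access-list 20 deny 192.168.1.1 0.0.0.0
""")

if __name__ == "__main__":
    print(evaluate(ACLS[10], "192.168.1.1"))   # shadowed deny never fires
    print(evaluate(ACLS[20], "192.168.1.3"))   # implicit deny blocks all
```

In ACL 10 the deny for 192.168.1.1 is unreachable because `permit any` matches first, and in ACL 20 every host is blocked because nothing is permitted before the implicit deny.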
