Access Control List
2009 © Alexander Rybolovlev
A TCP Conversation
SMTP 25
POP3 110
IMAP 143
HTTP 80
HTTPS 443
DNS 53
FTP-DATA 20
FTP 21
TFTP 69
SNMP 169
NTP 123
Packet Filtering
ALLOW or DENY
• Source IP address
• Destination IP address
• ICMP message type
• TCP/UDP source port
• TCP/UDP destination port
One ACL per protocol (e.g., IP or IPX)
One ACL per interface (e.g., FastEthernet0/0)
One ACL per direction (i.e., IN or OUT)
IN
OUT
Numbering and Naming ACLs
Router(config)#access-list ?
<1-99>       IP standard access list
<100-199>    IP extended access list
<1100-1199>  Extended 48-bit MAC address access list
<1300-1999>  IP standard access list (expanded range)
<200-299>    Protocol type-code access list
<2000-2699>  IP extended access list (expanded range)
<700-799>    48-bit MAC address access list
You assign a number based on which protocol you want filtered:
• (1 to 99) and (1300 to 1999): Standard IP ACL
• (100 to 199) and (2000 to 2699): Extended IP ACL
You assign a name by providing the name of the ACL:
• Names can contain alphanumeric characters.
• It is suggested that the name be written in CAPITAL LETTERS.
• Names cannot contain spaces or punctuation and must begin with a letter.
• You can add or delete entries within the ACL.
Where To Place ACLs
[Diagram: Router0, Router1 and Router2 connecting Host1, Host2 and Host3 over Fa0/1 interfaces; labels "Standard ACL" and "Extended ACL" mark the placement of each type; network 192.168.2.0/24]
Standard ACL
[no] access-list acl-num {deny|permit|remark} [source [source-wildcard]] [log]
Router#show access-lists
Standard IP access list 99
10 permit host 192.168.99.0
20 permit host 192.168.98.0
Router#conf t
Router(config)#no access-list 99
Router(config)#end
Router#show access-lists
Router#
Router(config)#access-list 10 remark Acces_to_LAN
Router(config)#access-list 10 permit 192.168.10.0
access-list 2 deny 192.168.10.1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255
Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}
Router(config)#access-list 1 permit 192.168.10.0 0.0.0.255
Router(config)#interface FastEthernet0/0
Router(config-if)#ip access-group 1 out
[Example: four illustration slides, no recoverable text]
Edit Standard ACL
#1
R1#show running-config | include access-list
access-list 20 permit 192.168.10.100
access-list 20 deny 192.168.10.0 0.0.0.255
#2
access-list 20 permit 192.168.10.11
access-list 20 deny 192.168.10.0 0.0.0.255
#3
R1#conf t
R1(config)#no access-list 20
R1(config)#access-list 20 remark Access for permit host 10.11
R1(config)#access-list 20 permit 192.168.10.11
R1(config)#access-list 20 deny 192.168.10.0 0.0.0.255
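As an added example that is not part of the slides, the Python below models the textbook evaluation order behind the access-list 2 and access-list 20 entries above: top-down, first match wins, implicit deny any at the bottom. It also shows why the slides delete and re-enter list 20 instead of appending a line: a permit added after a broader deny can never match. The entry tuples and the shadowed_entries helper are constructed here and are not IOS output.

```python
import ipaddress


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    # Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match.
    # 0.0.0.0 is therefore the same as the "host" keyword (exact match).
    w = _ip(wildcard)
    return (_ip(addr) | w) == (_ip(base) | w)


def evaluate_standard(acl, src: str) -> str:
    # Entries are checked top-down and the first match decides; a packet that
    # matches nothing hits the implicit "deny any" that ends every IOS ACL.
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def shadowed_entries(acl):
    # Indexes of entries that can never match because an earlier entry already
    # covers every address they describe: entry j is covered by entry i when
    # i's wildcard is a superset of j's and the bases agree on i's fixed bits.
    dead = []
    for j, (_, base_j, wc_j) in enumerate(acl):
        for _, base_i, wc_i in acl[:j]:
            wi, wj = _ip(wc_i), _ip(wc_j)
            if (wi | wj) == wi and (_ip(base_j) | wi) == (_ip(base_i) | wi):
                dead.append(j)
                break
    return dead


# access-list 2 from the slides as (action, source, source-wildcard) tuples.
ACL_2 = [
    ("deny",   "192.168.10.1", "0.0.0.0"),
    ("permit", "192.168.10.0", "0.0.0.255"),
    ("deny",   "192.168.0.0",  "0.0.255.255"),
    ("permit", "192.0.0.0",    "0.255.255.255"),
]

# access-list 20 in its #1 state with the new host simply appended (constructed):
# the last entry is dead because the deny above it already covers 192.168.10.11.
ACL_20_APPENDED = [
    ("permit", "192.168.10.100", "0.0.0.0"),
    ("deny",   "192.168.10.0",   "0.0.0.255"),
    ("permit", "192.168.10.11",  "0.0.0.0"),
]

# access-list 20 as rebuilt in step #3: the host permit comes before the deny.
ACL_20_REBUILT = [
    ("permit", "192.168.10.11", "0.0.0.0"),
    ("deny",   "192.168.10.0",  "0.0.0.255"),
]
```

Running shadowed_entries over an ACL before applying it with ip access-group catches dead entries that show access-lists will never report a match count for.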
Naming ACL
Router(config)#ip access-list {standard | extended} name
Router(config-std-nacl)#[no] [num] {deny|permit|remark} …
Router(config)#ip access-list standard Bumburum
Router(config-std-nacl)#deny host 192.168.0.1
Router(config-std-nacl)#permit 192.168.0.0 0.0.0.255
Router#sh access-lists
Standard IP access list Bumburum
10 deny host 192.168.0.1
20 permit 192.168.0.0 0.0.0.255
Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}
Router(config-if)#ip access-group Bumburum out
Edit ACL
Router#show access-lists {acl-num|name}
Router#sh access-lists 99
Standard IP access list 99
10 permit host 192.168.9.9
20 permit host 192.168.9.11
Router(config)#ip access-list {standard | extended} {acl-num|name}
Router(config-std-nacl)#[no] [num] {deny|permit|remark} …
Router(config)#ip access-list standard 99
Router(config-std-nacl)#15 permit host 192.168.9.10
Router#sh access-lists 99
Standard IP access list 99
10 permit host 192.168.9.9
15 permit host 192.168.9.10
20 permit host 192.168.9.11
Extended ACL
R1(config)#access-list 101 permit tcp any eq ?
[Example: three illustration slides, no recoverable text]
Difference between STD and EXT ACL
STANDARD vs EXTENDED
• Number range: 1 to 99 (standard) / 100 to 199 (extended)
• Can block: a host, network and subnet (standard) / a host, network, subnet and service (extended)
• Effect: two-way communication is stopped (standard) / one-way communication is stopped (extended)
• Placement: implemented closest to the destination (standard) / implemented closest to the source (extended)
• Filtering: based only on the source IP address (standard) / checks source, destination, protocol and port number (extended)
1. Create the access list (standard or extended)
2. Apply the access list to an interface (inbound or outbound)
R0(config)#access-list 1 deny 192.168.2.101 0.0.0.0
R0(config)#access-list 1 permit any
R0(config)#int gi0/0
R0(config-if)#ip access-group 1 out
R0(config)#no access-list 1
R0(config)#access-list 2 deny 192.168.2.100
R0(config)#access-list 2 deny 192.168.2.101
R0(config)#access-list 2 permit any
R0(config)#int gi0/0
R0(config-if)#no ip access-group 1 out
R0(config-if)#ip access-group 2 out
R0(config)#no access-list 2
R0(config)#access-list 3 deny 192.168.2.0 0.0.0.255
R0(config)#int gi0/0
R0(config-if)#no ip access-group 2 out
R0(config-if)#ip access-group 3 out
EXTENDED ACL
R0(config)#access-list 100 deny tcp host 192.168.1.10 host 192.168.4.100 eq www
R0(config)#access-list 100 deny tcp host 192.168.1.11 host 192.168.4.100 eq ftp
R0(config)#access-list 100 deny icmp host 192.168.1.12 host 192.168.4.100
R0(config)#access-list 100 permit ip any any
R0(config)# int se0/0/0
R0(config-if)# ip access-group 100 out
R0# show access-list