Uploaded byNetProtocol Xpert
Standard Access List
The document discusses configuring a standard access control list (ACL) on router R1 to filter traffic from router R2's loopback interfaces. The ACL denies traffic from R2's 192.168.0.0 network and permits traffic from 192.168.1.0. Applying the ACL to R1's interface confirms that pings are dropped from 192.168.0.1 but allowed from 192.168.1.1.
More Related Content
![Access control list [2]](https://cdn.slidesharecdn.com/ss_thumbnails/accesscontrollist2-180206052643-thumbnail.jpg?width=640&height=640&fit=bounds)
![Access control list [1]](https://cdn.slidesharecdn.com/ss_thumbnails/accesscontrollist1-180206052429-thumbnail.jpg?width=640&height=640&fit=bounds)
More from NetProtocol Xpert
Standard Access List
- 1.
- 2. With standardACLs you can permit or deny traffic from source IP addresses. The destination of the packet and the port doesn’t matter. They can be named or numbered. The ranges used by numbered ACLs are from 1 to 99 and from 1300 to 1999.
- 3. we have R1and R2. On R1’s fa0/0 interface will apply an Inbound ACL to filter some of R2’s loopback interfaces networks
- 4. configure on R1and R2 interfaces, without ACL R1 interface FastEthernet0/0 ip address 10.0.0.1 255.255.255.0 ip route 192.168.0.0 255.255.255.0 FastEthernet0/0 ip route 192.168.1.0 255.255.255.0 FastEthernet0/0 ip route 192.168.2.0 255.255.255.0 FastEthernet0/0 R2 interface Loopback0 ip address 192.168.0.1 255.255.255.0 interface Loopback1 ip address 192.168.1.1 255.255.255.0 interface Loopback2 ip address 192.168.2.1 255.255.255.0 interface FastEthernet0/0 ip address 10.0.0.2 255.255.255.0
- 5. On R1we’ve added 3 static routes to reach R2’s loopback interfaces. Now, we’ll configure a numbered Access List on R1. access-list 1 deny 192.168.0.0 0.0.0.255 access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 remark Manage Traffic From R2
- 6. ACL’s statements NUMBER “1” This is the number used by this ACL “DENY” KEYWORD With this keyword will be denied network matched by this statement “PERMIT” KEYWORD With this keyword will be permitted network matched by this statement “192.168.0.0” This is network that will be matched by the statement “REMARK” KEYWORD The string that comes after this keyword represents a description which can help you at a later time what is the purpose of the ACL At the end of every ACL there is an “implicit deny” which will deny all packets that aren’t matched in ACL.
- 7. “0.0.0.255” This iswildcard mask that tells the router which parts of the subnet number to look at. With Wildcard mask bit 0 – will match the corresponding bit value in the address; With Wildcard mask bit 1 – will ignore the corresponding bit value in the address. If we take this in binary we will get: 00000000.00000000.00000000.11111111. Results that first 24 positions in IP address will be matched and last 8 will be ignored. If we take first statement from ACL we get that all packets with source IP address which start with 192.168.0 will be matched, and will be denied, the last 8 bits don’t matter.
- 8. Next stepis to bound Standard Access List to an interface as inbound or outbound. ACL doesn’t act on packets generated by itself, that’s why there is no reason to use it here as outbound ACL. We’ll bound it to R1’s fa0/0 as inbound Access List. R1 interface FastEthernet0/0 ip access-group 1 in
- 9. We have gotthe next result: Packets with R2’s Loopback 0 source IP address (192.168.0.1) will be denied by first statement; Packets with R2’s Loopback 1 source IP address(192.168.1.1) will be permitted by second statement; Packets with R2’s Loopback 2 source IP address (192.168.2.1) will be denied by “implicit deny” because it is not matched by any of the other statements.
- 10. R2#ping 10.0.0.1source loopback 0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: Packet sent with a source address of 192.168.0.1 U.U.U Success rate is 0 percent (0/5) R2# R2#ping 10.0.0.1 source loopback 1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: Packet sent with a source address of 192.168.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/36 ms R2# R2#ping 10.0.0.1 source loopback 2
- 11. Type escapesequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: Packet sent with a source address of 192.168.2.1 U.U.U Success rate is 0 percent (0/5) R2# From the output you can see that only ping from Loopback 1 succeeded. You can check ACL’s statements with one of these commands show access-lists show ip access-lists
- 12. To deletean this Access List use this command no access-list 1 The named version of this Access List will look like this ip access-list standard FIRST deny 192.168.0.0 0.0.0.255 permit 192.168.1.0 0.0.0.255 remark Manage Traffic From R2
- 13.