1
Rules of Access List

• All deny statements have to be given first.
• There should be at least one permit statement.
• An implicit deny blocks all traffic by default when there is no match (an invisible statement at the end of the list).
• There can be one access-list per interface per direction, i.e. two access-lists per interface: one in the inbound direction and one in the outbound direction.
• Statements are evaluated in sequential order; the first matching statement decides.
• Editing of (numbered) access-lists is not possible, i.e. selectively adding or removing individual access-list statements is not possible.

2
Standard ACL - Network Diagram

[Figure: three routers, HYD, CHE and BAN, connected in a chain by serial links. Annotation on the figure: "Creation and Implementation is done Closest to the Destination."]
HYD: S0 10.0.0.1/8, E0 192.168.1.150/24, LAN 192.168.1.0/24 with hosts 1.1, 1.2, 1.3
CHE: S1 10.0.0.2/8, S0 11.0.0.1/8, E0 192.168.2.150/24, LAN 192.168.2.0/24 with hosts 2.1, 2.2, 2.3
BAN: S1 11.0.0.2/8, E0 192.168.3.150/24, LAN 192.168.3.0/24 with hosts 3.1, 3.2, 3.3

Requirement: 1.1 & 1.2 should not communicate with the 2.0 network
3
How Standard ACL Works?

[Figure: the Standard ACL network diagram (HYD, CHE, BAN); 1.1 is accessing 2.1]

4
How Standard ACL Works?

Packet from 1.1 to 2.1: Source IP 192.168.1.1, Destination IP 192.168.2.1

access-list 1 deny 192.168.1.1 0.0.0.0   (match: the packet is dropped here)
access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 permit any

6
How Standard ACL Works?

[Figure: the Standard ACL network diagram (HYD, CHE, BAN); 1.3 is accessing 2.1]

7
How Standard ACL Works?

Packet from 1.3 to 2.1: Source IP 192.168.1.3, Destination IP 192.168.2.1

access-list 1 deny 192.168.1.1 0.0.0.0   x (no match)
access-list 1 deny 192.168.1.2 0.0.0.0   x (no match)
access-list 1 permit any                 (match: the packet is permitted)

11
Standard ACL - Network Diagram

[Figure: the same three-router topology (HYD, CHE, BAN) as above. Annotation on the figure: "Creation and Implementation is done Closest to the Destination."]
HYD: S0 10.0.0.1/8, E0 192.168.1.150/24, LAN 192.168.1.0/24 with hosts 1.1, 1.2, 1.3
CHE: S1 10.0.0.2/8, S0 11.0.0.1/8, E0 192.168.2.150/24, LAN 192.168.2.0/24 with hosts 2.1, 2.2, 2.3
BAN: S1 11.0.0.2/8, E0 192.168.3.150/24, LAN 192.168.3.0/24 with hosts 3.1, 3.2, 3.3

Requirement: 1.1 & the 3.0 network should not communicate with the 2.0 network
12
How Standard ACL Works?

[Figure: the Standard ACL network diagram (HYD, CHE, BAN); 1.1 is accessing 2.1]

13
How Standard ACL Works?

Packet from 1.1 to 2.1: Source IP 192.168.1.1, Destination IP 192.168.2.1

access-list 5 deny 192.168.1.1 0.0.0.0     (match: the packet is dropped here)
access-list 5 deny 192.168.3.0 0.0.0.255
access-list 5 permit any

15
How Standard ACL Works?

[Figure: the Standard ACL network diagram (HYD, CHE, BAN); 1.3 is accessing 2.1]

16
How Standard ACL Works?

Packet from 1.3 to 2.1: Source IP 192.168.1.3, Destination IP 192.168.2.1

access-list 5 deny 192.168.1.1 0.0.0.0     x (no match)
access-list 5 deny 192.168.3.0 0.0.0.255   x (no match)
access-list 5 permit any                   (match: the packet is permitted)

20
How Standard ACL Works?

[Figure: the Standard ACL network diagram (HYD, CHE, BAN); 3.1 is accessing 2.1]

21
How Standard ACL Works?

Packet from 3.1 to 2.1: Source IP 192.168.3.1, Destination IP 192.168.2.1

access-list 5 deny 192.168.1.1 0.0.0.0     x (no match)
access-list 5 deny 192.168.3.0 0.0.0.255   (match: the packet is dropped here)
access-list 5 permit any

24
Extended ACL - Network Diagram

[Figure: the same three-router topology (HYD, CHE, BAN) as above. Annotation on the figure: "Creation and Implementation is done Closest to the Source."]
HYD: S0 10.0.0.1/8, E0 192.168.1.150/24, LAN 192.168.1.0/24 with hosts 1.1, 1.2, 1.3
CHE: S1 10.0.0.2/8, S0 11.0.0.1/8, E0 192.168.2.150/24, LAN 192.168.2.0/24 with hosts 2.1, 2.2, 2.3
BAN: S1 11.0.0.2/8, E0 192.168.3.150/24, LAN 192.168.3.0/24 with hosts 3.1, 3.2, 3.3

Requirement: the 2.0 network should not access 3.1 (Web Service)
25
How Extended ACL Works?

[Figure: the Extended ACL network diagram (HYD, CHE, BAN); 2.1 is accessing 3.1, Web Service]
26
How Extended ACL Works?

Packet from 2.1 to 3.1: Source IP 192.168.2.1, Destination IP 192.168.3.1, Port 80

access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80   (match: the packet is dropped here)
access-list 101 permit ip any any

28
How Extended ACL Works?

[Figure: the Extended ACL network diagram (HYD, CHE, BAN); 2.1 is accessing 3.1, Telnet Service]
29
How Extended ACL Works?

Packet from 2.1 to 3.1: Source IP 192.168.2.1, Destination IP 192.168.3.1, Port 23

access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80   x (no match: the port differs)
access-list 101 permit ip any any                                          (match: the packet is permitted)

32
How Extended ACL Works?

[Figure: the Extended ACL network diagram (HYD, CHE, BAN); 2.1 is accessing 1.1, Web Service]
33
How Extended ACL Works?

Packet from 2.1 to 1.1: Source IP 192.168.2.1, Destination IP 192.168.1.1, Port 80

access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80   x (no match: the destination differs)
access-list 101 permit ip any any                                          (match: the packet is permitted)

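The simulator below is an added example, not part of the original slides and not Cisco IOS code. It implements the rules from the first slide (sequential first-match evaluation, implicit deny at the end, the need for at least one permit) and the wildcard-mask matching behind both the standard ACL walkthroughs (ACL 1 and ACL 5) and the extended ACL 101 walkthrough above, replaying every packet the slides trace. `Entry`, `parse_statement`, `evaluate` and `packet` are names chosen for this example; the packet headers are constructed from the addresses on the slides.

```python
"""Simulator for Cisco-style standard and extended IP access lists (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit in the mask must match the base
    address, a 1 bit is 'don't care'. 0.0.0.0 therefore selects one host and
    0.0.0.255 a whole /24."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    """One access-list statement (hypothetical structure, not an IOS type)."""
    action: str                     # "permit" or "deny"
    src: str                        # source base address, or "any"
    src_wc: str = "0.0.0.0"
    proto: str = "ip"               # extended lists only: ip, tcp, udp, icmp
    dst: str = "any"                # extended lists only
    dst_wc: str = "0.0.0.0"
    dst_port: Optional[int] = None  # extended lists only: 'eq <port>' on the destination


def _take_addr(tok: list[str]) -> tuple[tuple[str, str], list[str]]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return ("any", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def parse_statement(line: str) -> Entry:
    """Parse an 'access-list <n> <permit|deny> ...' line as written on the slides."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    action, rest = tok[2], tok[3:]
    if rest[0] in ("ip", "tcp", "udp", "icmp"):          # extended form
        proto, rest = rest[0], rest[1:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        return Entry(action, src[0], src[1], proto, dst[0], dst[1], port)
    src, _ = _take_addr(rest)                            # standard form: source only
    return Entry(action, src[0], src[1])


def _addr_ok(addr: str, base: str, wc: str) -> bool:
    return base == "any" or wildcard_match(addr, base, wc)


def entry_matches(e: Entry, pkt: dict) -> bool:
    if e.proto != "ip" and e.proto != pkt["proto"]:
        return False
    if not _addr_ok(pkt["src"], e.src, e.src_wc):
        return False
    if not _addr_ok(pkt["dst"], e.dst, e.dst_wc):
        return False
    return e.dst_port is None or pkt.get("dport") == e.dst_port


def evaluate(acl: list[Entry], pkt: dict) -> tuple[str, int]:
    """Walk the list top-down and stop at the first match (sequential order).
    Returns (action, n) with n the 1-based statement that matched; n == 0 means
    nothing matched and the implicit deny at the end of the list applied."""
    for n, e in enumerate(acl, start=1):
        if entry_matches(e, pkt):
            return e.action, n
    return "deny", 0


def packet(src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> dict:
    """Constructed packet header: only the fields an IP ACL looks at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# The three lists from the slides, parsed from the exact statements shown there.
ACL_1 = [parse_statement(s) for s in (
    "access-list 1 deny 192.168.1.1 0.0.0.0",
    "access-list 1 deny 192.168.1.2 0.0.0.0",
    "access-list 1 permit any")]
ACL_5 = [parse_statement(s) for s in (
    "access-list 5 deny 192.168.1.1 0.0.0.0",
    "access-list 5 deny 192.168.3.0 0.0.0.255",
    "access-list 5 permit any")]
ACL_101 = [parse_statement(s) for s in (
    "access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80",
    "access-list 101 permit ip any any")]
# A constructed list with no permit statement: the rule "there should be at
# least one permit statement" exists because such a list blocks everything.
DENY_ONLY = [parse_statement("access-list 2 deny 192.168.1.1 0.0.0.0")]

if __name__ == "__main__":
    for name, acl, pkt in [
        ("ACL 1, 1.1 -> 2.1", ACL_1, packet("192.168.1.1", "192.168.2.1")),
        ("ACL 1, 1.3 -> 2.1", ACL_1, packet("192.168.1.3", "192.168.2.1")),
        ("ACL 5, 3.1 -> 2.1", ACL_5, packet("192.168.3.1", "192.168.2.1")),
        ("ACL 101, 2.1 -> 3.1 web", ACL_101, packet("192.168.2.1", "192.168.3.1", "tcp", 80)),
        ("ACL 101, 2.1 -> 3.1 telnet", ACL_101, packet("192.168.2.1", "192.168.3.1", "tcp", 23)),
        ("ACL 101, 2.1 -> 1.1 web", ACL_101, packet("192.168.2.1", "192.168.1.1", "tcp", 80)),
        ("deny-only list, 1.3 -> 2.1", DENY_ONLY, packet("192.168.1.3", "192.168.2.1")),
    ]:
        print(f"{name}: {evaluate(acl, pkt)}")
```

The returned statement index makes the "x" marks on the slides explicit: the telnet packet from 2.1 falls through the `eq 80` deny and is caught by `permit ip any any` (statement 2), while a packet that matches nothing returns index 0, the implicit deny. Reordering the statements of `ACL_1` so that `permit any` comes first would let the packet from 1.1 through, which is why the slides put the deny statements first.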
36
Named Access List

• Access-lists are identified using names rather than numbers.
• Names are case-sensitive.
• No limitation of numbers here (there is no numbered range to fit into).
• One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible.
(IOS version 11.2 or later allows named ACLs.)

37
Standard Named Access List

Creation of Standard Named Access List
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask>

Implementation of Standard Named Access List
Router(config)# interface <interface type><interface no>
Router(config-if)# ip access-group <name> <out/in>

38
Extended Named Access List

Creation of Extended Named Access List
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>

Implementation of Extended Named Access List
Router(config)# interface <interface type><interface no>
Router(config-if)# ip access-group <name> <out/in>

39
40
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:> telnet 192.168.1.150
Connecting .....
================================
Welcome to Hyderabad Router
================================
User Access Verification
password : ****
Hyderabad> enable
password : ****
Hyderabad# show ip route
Gateway of last resort is not set
C    10.0.0.0/8 is directly connected, Serial0
R    11.0.0.0/8 [120/1] via 10.0.0.2, 00:00:25, Serial0
C    192.168.1.0/24 is directly connected, Ethernet0
R    192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:25, Serial0
R    192.168.3.0/24 [120/2] via 10.0.0.2, 00:00:25, Serial0
Hyderabad#

41
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:> telnet 192.168.2.150
Connecting .....
================================
Welcome to Chennai Router
================================
User Access Verification
password : ****
Chennai> enable
password : ****
Chennai# show ip route
Gateway of last resort is not set
C    10.0.0.0/8 is directly connected, Serial1
C    11.0.0.0/8 is directly connected, Serial0
R    192.168.1.0/24 [120/1] via 10.0.0.1, 00:00:01, Serial1
C    192.168.2.0/24 is directly connected, Ethernet0
R    192.168.3.0/24 [120/1] via 11.0.0.2, 00:00:12, Serial0
Chennai#

42
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:> telnet 192.168.3.150
Connecting .....
================================
Welcome to Banglore Router
================================
User Access Verification
password : ****
Banglore> enable
password : ****
Banglore# show ip route
Gateway of last resort is not set
R    10.0.0.0/8 [120/1] via 11.0.0.1, 00:00:04, Serial1
C    11.0.0.0/8 is directly connected, Serial1
R    192.168.1.0/24 [120/2] via 11.0.0.1, 00:00:04, Serial1
R    192.168.2.0/24 [120/1] via 11.0.0.1, 00:00:04, Serial1
C    192.168.3.0/24 is directly connected, Ethernet0
Banglore#

43
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:> telnet 192.168.2.150
Connecting .....
================================
Welcome to Chennai Router
================================
User Access Verification
password : ****
Chennai> enable
password : ****
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# interface serial 1
Chennai(config-if)# ip address 10.0.0.2 255.0.0.0
Chennai(config-if)# no shut
Chennai(config-if)# encapsulation hdlc
Chennai(config-if)# interface serial 0
Chennai(config-if)# ip address 11.0.0.1 255.0.0.0
Chennai(config-if)# no shut
Chennai(config-if)# encapsulation hdlc

44
Creation of Standard Access List
Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>

Implementation of Standard Access List
Router(config)# interface <interface type><interface no>
Router(config-if)# ip access-group <number> <out/in>

Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0
Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0
Chennai(config)# access-list 1 permit any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 1 out
Chennai(config-if)#

45
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0
Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0
Chennai(config)# access-list 1 permit any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 1 out
Chennai(config-if)# ^Z
Chennai# show ip access-list
Standard IP access list 1
    deny   192.168.1.1
    deny   192.168.1.2
    permit any
Chennai#

46
Chennai# show ip int e0
Ethernet0 is up, line protocol is up
Internet address is 192.168.2.150/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is 1
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP multicast fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
Policy routing is disabled
Network address translation is disabled

Chennai#

47
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0
Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255
Chennai(config)# access-list 5 permit any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 5 out
Chennai(config-if)# ^Z
Chennai# show ip access-list
Standard IP access list 5
    deny   192.168.1.1
    deny   192.168.3.0
    permit any
Chennai#

48
Chennai# show ip int e0
Ethernet0 is up, line protocol is up
Internet address is 192.168.2.150/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is 5
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP multicast fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
Policy routing is disabled
Network address translation is disabled

Chennai#

49
Creation of Standard Access List
Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>

Implementation of Standard Access List
Router(config)# interface <interface type><interface no>
Router(config-if)# ip access-group <number> <out/in>

Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0
Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255
Chennai(config)# access-list 5 permit any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 5 out
Chennai(config-if)#

50
Creation of Extended Access List
Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>

Implementation of Extended Access List
Router(config)# interface <interface type><interface no>
Router(config-if)# ip access-group <number> <out/in>

Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
Chennai(config)# access-list 101 permit ip any any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 101 in
Chennai(config-if)#

51
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
Chennai(config)# access-list 101 permit ip any any
Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 101 in
Chennai(config-if)# ^Z
Chennai# show ip access-list
Extended IP access list 101
    deny   tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq www
    permit ip any any
Chennai#

52
Chennai# show ip int e0
Ethernet0 is up, line protocol is up
Internet address is 192.168.2.150/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is 101
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP multicast fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
Policy routing is disabled
Network address translation is disabled

Chennai#

53

The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 

Access Control List 1

  • 2. Rules of Access List
      • All deny statements have to be given first.
      • There should be at least one permit statement.
      • An implicit deny blocks all traffic by default when there is no match (an invisible statement).
      • Can have one access-list per interface per direction, i.e. two access-lists per interface, one in the inbound direction and one in the outbound direction.
      • Works in sequential order.
      • Editing of access-lists is not possible, i.e. selectively adding or removing access-list statements is not possible.
  • 3. Standard ACL - Network Diagram
      [Diagram: three routers in a chain. HYD: S0 10.0.0.1/8, E0 192.168.1.150/24, LAN 192.168.1.0/24 with hosts 1.1, 1.2, 1.3. CHE: S1 10.0.0.2/8, S0 11.0.0.1/8, E0 192.168.2.150/24, LAN 192.168.2.0/24 with hosts 2.1, 2.2, 2.3. BAN: S1 11.0.0.2/8, E0 192.168.3.150, LAN 192.168.3.0/24 with hosts 3.1, 3.2, 3.3.]
      Creation and implementation is done closest to the destination.
      Requirement: 1.1 & 1.2 should not communicate with the 2.0 network.
  • 4. How Standard ACL Works?
      Network diagram as on slide 3. Scenario: 1.1 is accessing 2.1.
  • 5-6. How Standard ACL Works?
      Packet: source IP 192.168.1.1 (host 1.1), destination IP 192.168.2.1 (host 2.1).
          access-list 1 deny 192.168.1.1 0.0.0.0   match, packet denied
          access-list 1 deny 192.168.1.2 0.0.0.0
          access-list 1 permit any
  • 7. How Standard ACL Works?
      Network diagram as on slide 3. Scenario: 1.3 is accessing 2.1.
  • 8-10. How Standard ACL Works?
      Packet: source IP 192.168.1.3 (host 1.3), destination IP 192.168.2.1 (host 2.1). The statements are tested in order (x = no match):
          access-list 1 deny 192.168.1.1 0.0.0.0   x
          access-list 1 deny 192.168.1.2 0.0.0.0   x
          access-list 1 permit any                 match, packet forwarded
  • 11. Summary: with access-list 1 (deny 192.168.1.1, deny 192.168.1.2, permit any), a packet from 192.168.1.1 to 192.168.2.1 is denied by the first statement, while a packet from 192.168.1.3 to 192.168.2.1 is permitted by the last.
  • 12. Standard ACL - Network Diagram
      Network diagram as on slide 3. Creation and implementation is done closest to the destination.
      Requirement: 1.1 & 3.0 should not communicate with the 2.0 network.
  • 13. How Standard ACL Works?
      Network diagram as on slide 3. Scenario: 1.1 is accessing 2.1.
  • 14-15. How Standard ACL Works?
      Packet: source IP 192.168.1.1 (host 1.1), destination IP 192.168.2.1 (host 2.1).
          access-list 5 deny 192.168.1.1 0.0.0.0   match, packet denied
          access-list 5 deny 192.168.3.0 0.0.0.255
          access-list 5 permit any
  • 16. How Standard ACL Works?
      Network diagram as on slide 3. Scenario: 1.3 is accessing 2.1.
  • 17-19. How Standard ACL Works?
      Packet: source IP 192.168.1.3 (host 1.3), destination IP 192.168.2.1 (host 2.1). The statements are tested in order (x = no match):
          access-list 5 deny 192.168.1.1 0.0.0.0   x
          access-list 5 deny 192.168.3.0 0.0.0.255 x
          access-list 5 permit any                 match, packet forwarded
  • 20. Summary: with access-list 5, a packet from 192.168.1.1 to 192.168.2.1 is denied by the first statement; a packet from 192.168.1.3 to 192.168.2.1 is permitted by permit any.
  • 21. How Standard ACL Works?
      Network diagram as on slide 3. Scenario: 3.1 is accessing 2.1.
  • 22-24. How Standard ACL Works?
      Packet: source IP 192.168.3.1 (host 3.1), destination IP 192.168.2.1 (host 2.1). The statements are tested in order (x = no match):
          access-list 5 deny 192.168.1.1 0.0.0.0   x
          access-list 5 deny 192.168.3.0 0.0.0.255 match (the wildcard 0.0.0.255 covers every host in 192.168.3.0/24), packet denied
          access-list 5 permit any
  • 25. Extended ACL - Network Diagram
      Network diagram as on slide 3. Creation and implementation is done closest to the source.
      Requirement: 2.0 should not access 3.1 (Web Service).
  • 26. How Extended ACL Works?
      Network diagram as on slide 3. Scenario: 2.1 is accessing 3.1, Web Service.
  • 27-28. How Extended ACL Works?
      Packet: source IP 192.168.2.1 (host 2.1), destination IP 192.168.3.1 (host 3.1), port 80.
          access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80   match, packet denied
          access-list 101 permit ip any any
  • 29. How Extended ACL Works?
      Network diagram as on slide 3. Scenario: 2.1 is accessing 3.1, Telnet Service.
  • 30-31. How Extended ACL Works?
      Packet: source IP 192.168.2.1 (host 2.1), destination IP 192.168.3.1 (host 3.1), port 23. The statements are tested in order (x = no match):
          access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80   x (port 23 is not 80)
          access-list 101 permit ip any any                                          match, packet forwarded
  • 32. Summary: Telnet (port 23) from 2.1 to 3.1 is not caught by the deny statement and is permitted by permit ip any any.
  • 33. How Extended ACL Works?
      Network diagram as on slide 3. Scenario: 2.1 is accessing 1.1, Web Service.
  • 34-35. How Extended ACL Works?
      Packet: source IP 192.168.2.1 (host 2.1), destination IP 192.168.1.1 (host 1.1), port 80. The statements are tested in order (x = no match):
          access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80   x (destination is not 192.168.3.1)
          access-list 101 permit ip any any                                          match, packet forwarded
  • 36. Summary: Web traffic (port 80) from 2.1 to 1.1 does not match the deny statement and is permitted by permit ip any any.
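To make the statement-by-statement walk on slides 5 to 36 concrete, here is an added Python simulation (written for this page; it is not IOS code and not part of the deck) that parses the exact access-list commands the slides enter on the Chennai router, applies wildcard masks and sequential matching, and falls through to the implicit deny when no statement matches. ACL_COMMANDS, Entry, evaluate and wildcard_match are names chosen for this example.

```python
"""First-match simulation of the numbered IOS ACLs on these slides (1, 5, 101).
Added example for this page, not IOS code and not part of the deck: it models
sequential matching with wildcard masks and the invisible deny ending every list."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = address 0 with an all-ones wildcard


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base in every bit the wildcard leaves at 0
    (0.0.0.0 = this exact host, 0.0.0.255 = any host in the /24)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return a & care == b & care


@dataclass
class Entry:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' matches every protocol; standard lists use 'ip'
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port: Optional[int]    # destination port from 'eq <port>', else None


def _take_addr(toks, i):
    """Consume one address spec at toks[i]: 'any', 'host A' or 'A WILDCARD'."""
    if toks[i] == "any":
        return ANY[0], ANY[1], i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    return toks[i], toks[i + 1], i + 2


def parse_acl_command(line: str):
    """Parse one 'access-list <no> ...' line exactly as typed on the slides."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list command: {line}")
    number, action = int(toks[1]), toks[2]
    if number <= 99:                               # standard list: source only
        src, src_wc, _ = _take_addr(toks, 3)
        return number, Entry(action, "ip", src, src_wc, ANY[0], ANY[1], None)
    proto = toks[3]                                # extended list
    src, src_wc, i = _take_addr(toks, 4)
    dst, dst_wc, i = _take_addr(toks, i)
    port = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return number, Entry(action, proto, src, src_wc, dst, dst_wc, port)


def build_acls(commands):
    """Group parsed entries by list number, keeping the order they were typed."""
    acls = {}
    for cmd in commands:
        number, entry = parse_acl_command(cmd)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, src, dst, proto="ip", dport=None):
    """Walk the list top-down; return (action, 1-based line) of the first match,
    or ('deny', None) when nothing matched, which is the implicit deny."""
    for n, e in enumerate(entries, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, e.src, e.src_wc)
                and wildcard_match(dst, e.dst, e.dst_wc)):
            continue
        if e.port is not None and e.port != dport:
            continue
        return e.action, n
    return "deny", None


# The eight access-list commands entered on the Chennai router in the slides.
ACL_COMMANDS = [
    "access-list 1 deny 192.168.1.1 0.0.0.0",
    "access-list 1 deny 192.168.1.2 0.0.0.0",
    "access-list 1 permit any",
    "access-list 5 deny 192.168.1.1 0.0.0.0",
    "access-list 5 deny 192.168.3.0 0.0.0.255",
    "access-list 5 permit any",
    "access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80",
    "access-list 101 permit ip any any",
]
ACLS = build_acls(ACL_COMMANDS)
```

evaluate returns the line number of the statement that decided the packet, so each slide's "x" trail can be checked (for example evaluate(ACLS[101], "192.168.2.1", "192.168.3.1", "tcp", 23) gives ('permit', 2)); passing only the deny line of a list shows the ('deny', None) result of the invisible final statement.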
  • 37. Named Access List
      • Access-lists are identified using names rather than numbers.
      • Names are case-sensitive.
      • No limitation of numbers here.
      • One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible. (IOS version 11.2 or later allows named ACLs.)
  • 38. Standard Named Access List
      Creation of Standard Named Access List:
          Router(config)# ip access-list standard <name>
          Router(config-std-nacl)# <permit/deny> <source address> <source wildcard mask>
      Implementation of Standard Named Access List:
          Router(config)# interface <interface type><interface no>
          Router(config-if)# ip access-group <name> <out/in>
  • 39. Extended Named Access List
      Creation of Extended Named Access List:
          Router(config)# ip access-list extended <name>
          Router(config-ext-nacl)# <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
      Implementation of Extended Named Access List:
          Router(config)# interface <interface type><interface no>
          Router(config-if)# ip access-group <name> <out/in>
  • 41. Telnet to the Hyderabad router and check its routing table:
      Microsoft Windows 2000 [Version 5.00.2195]
      (C) Copyright 1985-2000 Microsoft Corp.

      C:> telnet 192.168.1.150
      Connecting .....
      ================================
      Welcome to Hyderabad Router
      ================================
      User Access Verification
      password : ****
      Hyderabad> enable
      password : ****
      Hyderabad# show ip route
      Gateway of last resort is not set
      C    10.0.0.0/8 is directly connected, Serial0
      R    11.0.0.0/8 [120/1] via 10.0.0.2, 00:00:25, Serial0
      C    192.168.1.0/24 is directly connected, Ethernet0
      R    192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:25, Serial0
      R    192.168.3.0/24 [120/2] via 10.0.0.2, 00:00:25, Serial0
      Hyderabad#
  • 42. Telnet to the Chennai router and check its routing table:
      Microsoft Windows 2000 [Version 5.00.2195]
      (C) Copyright 1985-2000 Microsoft Corp.

      C:> telnet 192.168.2.150
      Connecting .....
      ================================
      Welcome to Chennai Router
      ================================
      User Access Verification
      password : ****
      Chennai> enable
      password : ****
      Chennai# show ip route
      Gateway of last resort is not set
      C    10.0.0.0/8 is directly connected, Serial1
      C    11.0.0.0/8 is directly connected, Serial0
      R    192.168.1.0/24 [120/1] via 10.0.0.1, 00:00:01, Serial1
      C    192.168.2.0/24 is directly connected, Ethernet0
      R    192.168.3.0/24 [120/1] via 11.0.0.2, 00:00:12, Serial0
      Chennai#
  • 43. Telnet to the Bangalore router and check its routing table:
      Microsoft Windows 2000 [Version 5.00.2195]
      (C) Copyright 1985-2000 Microsoft Corp.

      C:> telnet 192.168.3.150
      Connecting .....
      ================================
      Welcome to Banglore Router
      ================================
      User Access Verification
      password : ****
      Banglore> enable
      password : ****
      Banglore# show ip route
      Gateway of last resort is not set
      R    10.0.0.0/8 [120/1] via 11.0.0.1, 00:00:04, Serial1
      C    11.0.0.0/8 is directly connected, Serial1
      R    192.168.1.0/24 [120/2] via 11.0.0.1, 00:00:04, Serial1
      R    192.168.2.0/24 [120/1] via 11.0.0.1, 00:00:04, Serial1
      C    192.168.3.0/24 is directly connected, Ethernet0
      Banglore#
  • 44. Configure the Chennai router's serial interfaces:
      Microsoft Windows 2000 [Version 5.00.2195]
      (C) Copyright 1985-2000 Microsoft Corp.

      C:> telnet 192.168.2.150
      Connecting .....
      ================================
      Welcome to Chennai Router
      ================================
      User Access Verification
      password : ****
      Chennai> enable
      password : ****
      Chennai# configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      Chennai(config)# interface serial 1
      Chennai(config-if)# ip address 10.0.0.2 255.0.0.0
      Chennai(config-if)# no shut
      Chennai(config-if)# encapsulation hdlc
      Chennai(config-if)# interface serial 0
      Chennai(config-if)# ip address 11.0.0.1 255.0.0.0
      Chennai(config-if)# no shut
      Chennai(config-if)# encapsulation hdlc
  • 45. Creation and implementation of standard access-list 1 on the Chennai router:
      Chennai# configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0
      Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0
      Chennai(config)# access-list 1 permit any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 1 out
      Chennai(config-if)#
      Creation of Standard Access List:
          Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>
      Implementation of Standard Access List:
          Router(config)# interface <interface type><interface no>
          Router(config-if)# ip access-group <number> <out/in>
  • 46. Verifying access-list 1:
      Chennai# configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0
      Chennai(config)# access-list 1 deny 192.168.1.2 0.0.0.0
      Chennai(config)# access-list 1 permit any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 1 out
      Chennai(config-if)# ^Z
      Chennai# show ip access-list
      Standard IP access list 1
          deny 192.168.1.1
          deny 192.168.1.2
          permit any
      Chennai#
  • 47. Verifying that access-list 1 is applied outbound on Ethernet0:
      Chennai# show ip int e0
      Ethernet0 is up, line protocol is up
        Internet address is 192.168.2.150/24
        Broadcast address is 255.255.255.255
        Address determined by non-volatile memory
        MTU is 1500 bytes
        Helper address is not set
        Directed broadcast forwarding is enabled
        Multicast reserved groups joined: 224.0.0.9
        Outgoing access list is 1
        Inbound access list is not set
        Proxy ARP is enabled
        Security level is default
        Split horizon is enabled
        ICMP redirects are always sent
        ICMP unreachables are always sent
        ICMP mask replies are never sent
        IP fast switching is enabled
        IP fast switching on the same interface is disabled
        IP multicast fast switching is disabled
        Router Discovery is disabled
        IP output packet accounting is disabled
        IP access violation accounting is disabled
        TCP/IP header compression is disabled
        Probe proxy name replies are disabled
        Gateway Discovery is disabled
        Policy routing is disabled
        Network address translation is disabled
      Chennai#
  • 48. Creation, implementation and verification of standard access-list 5:
      Chennai# configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0
      Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255
      Chennai(config)# access-list 5 permit any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 5 out
      Chennai(config-if)# ^Z
      Chennai# show ip access-list
      Standard IP access list 5
          deny 192.168.1.1
          deny 192.168.3.0
          permit any
      Chennai#
  • 49. Verifying that access-list 5 is applied outbound on Ethernet0:
      Chennai# show ip int e0
      Ethernet0 is up, line protocol is up
        Internet address is 192.168.2.150/24
        Broadcast address is 255.255.255.255
        Address determined by non-volatile memory
        MTU is 1500 bytes
        Helper address is not set
        Directed broadcast forwarding is enabled
        Multicast reserved groups joined: 224.0.0.9
        Outgoing access list is 5
        Inbound access list is not set
        Proxy ARP is enabled
        Security level is default
        Split horizon is enabled
        ICMP redirects are always sent
        ICMP unreachables are always sent
        ICMP mask replies are never sent
        IP fast switching is enabled
        IP fast switching on the same interface is disabled
        IP multicast fast switching is disabled
        Router Discovery is disabled
        IP output packet accounting is disabled
        IP access violation accounting is disabled
        TCP/IP header compression is disabled
        Probe proxy name replies are disabled
        Gateway Discovery is disabled
        Policy routing is disabled
        Network address translation is disabled
      Chennai#
  • 50. Creation and implementation of standard access-list 5 (syntax recap):
      Chennai# configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      Chennai(config)# access-list 5 deny 192.168.1.1 0.0.0.0
      Chennai(config)# access-list 5 deny 192.168.3.0 0.0.0.255
      Chennai(config)# access-list 5 permit any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 5 out
      Chennai(config-if)#
      Creation of Standard Access List:
          Router(config)# access-list <acl no> <permit/deny> <source address> <source wildcard mask>
      Implementation of Standard Access List:
          Router(config)# interface <interface type><interface no>
          Router(config-if)# ip access-group <number> <out/in>
  • 51. Creation and implementation of extended access-list 101 on the Chennai router:
      Chennai# configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
      Chennai(config)# access-list 101 permit ip any any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 101 in
      Chennai(config-if)#
      Creation of Extended Access List:
          Router(config)# access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>
      Implementation of Extended Access List:
          Router(config)# interface <interface type><interface no>
          Router(config-if)# ip access-group <number> <out/in>
  • 52. Verifying access-list 101:
      Chennai# configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80
      Chennai(config)# access-list 101 permit ip any any
      Chennai(config)# interface ethernet 0
      Chennai(config-if)# ip access-group 101 in
      Chennai(config-if)# ^Z
      Chennai# show ip access-list
      Extended IP access list 101
          deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq www
          permit ip any any
      Chennai#
  • 53. Verifying that access-list 101 is applied inbound on Ethernet0:
      Chennai# show ip int e0
      Ethernet0 is up, line protocol is up
        Internet address is 192.168.2.150/24
        Broadcast address is 255.255.255.255
        Address determined by non-volatile memory
        MTU is 1500 bytes
        Helper address is not set
        Directed broadcast forwarding is enabled
        Multicast reserved groups joined: 224.0.0.9
        Outgoing access list is not set
        Inbound access list is 101
        Proxy ARP is enabled
        Security level is default
        Split horizon is enabled
        ICMP redirects are always sent
        ICMP unreachables are always sent
        ICMP mask replies are never sent
        IP fast switching is enabled
        IP fast switching on the same interface is disabled
        IP multicast fast switching is disabled
        Router Discovery is disabled
        IP output packet accounting is disabled
        IP access violation accounting is disabled
        TCP/IP header compression is disabled
        Probe proxy name replies are disabled
        Gateway Discovery is disabled
        Policy routing is disabled
        Network address translation is disabled
      Chennai#