Day9-2 Access Control List

1
Rules of Access List

All deny statements have to be given First
There should be at least one Permit statement
An implicit deny blocks all traffic by default when
there is no match (an invisible statement).
Can have one access-list per interface per direction.
(i.e.) Two access-list per interface, one in inbound
direction and one in outbound direction.
Works in Sequential order
Editing of access-lists is not possible (i.e) Selectively
adding or removing access-list statements is not
possible.
2
Standard ACL - Network Diagram
Creation and
Implementation
is done Closest
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
to the
Destination.
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
1.1 & 1.2 should not communicate with 2.0 network
How Standard ACL Works ?
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
1.1 is accessing 2.1
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
4
1.1
Source IP
192.168.1.1
2.1
Destination IP
192.168.2.1
access-list 1 deny 192.168.1.1 0.0.0.0

access-list 1 deny 192.168.1.2 0.0.0.0
access-list 1 permit any
5
1.1
Source IP
192.168.1.1
2.1
Destination IP
192.168.2.1
access-list 1 deny 192.168.1.1 0.0.0.0

access-list 1 deny 192.168.1.2 0.0.0.0
6
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
7
1.1
Source IP
192.168.1.3
2.1
Destination IP
192.168.1.2
access-list 1 deny 192.168.1.1 0.0.0.0
access-list 1 deny 192.168.1.2 0.0.0.0

8
1.1
Source IP
192.168.1.3
2.1
Destination IP
192.168.1.2
access-list 1 deny 192.168.1.1 0.0.0.0

access-list 1 deny 192.168.1.2 0.0.0.0

9
1.1
Source IP
192.168.1.3
2.1
Destination IP
192.168.1.2
access-list 1 deny 192.168.1.1 0.0.0.0

access-list 1 deny 192.168.1.2 0.0.0.0
10
1.1
Source IP
192.168.1.1
2.1
Destination IP
192.168.2.1
access-list 1 deny 192.168.1.1 0.0.0.0

access-list 1 deny 192.168.1.2 0.0.0.0
11
Standard ACL - Network Diagram
Creation and
Implementation
is done Closest
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
to the
Destination.
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
1.1 & 3.0 should not communicate with 2.0 network
12
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
13
1.1
Source IP
192.168.1.1
2.1
Destination IP
192.168.2.1
access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255
14
1.1
Source IP
192.168.1.1
2.1
Destination IP
192.168.2.1
access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255
15
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
16
1.3
Source IP
192.168.1.3
2.1
Destination IP
192.168.1.2
access-list 5 deny 192.168.1.1 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255

17
1.3
Source IP
192.168.1.3
2.1
Destination IP
192.168.1.2
access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255 x
18
1.3
Source IP
192.168.1.3
2.1
Destination IP
192.168.1.2
access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255
19
1.3
Source IP
192.168.1.1
2.1
Destination IP
192.168.2.1
access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255
20
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
21
3.1
Source IP
192.168.3.1
2.1
Destination IP
192.168.2.1
access-list 5 deny 192.168.1.1 0.0.0.0
access-list 5 deny 192.168.3.0 0.0.0.255

22
3.1
Source IP
192.168.3.1
2.1
Destination IP
192.168.2.1
access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255
23
3.1
Source IP
192.168.3.1
2.1
Destination IP
192.168.2.1
access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255
24
Extended ACL - Network Diagram

Creation and
Implementation
10.0.0.1/8
S0
HYD
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
is done Closest
11.0.0.1/8
S0
2.1
CHE
to the Source.
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
2.0 should not access with 3.1 (Web Service)
25
How Extended ACL Works ?
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
2.1 is accessing 3.1 - Web Service
26
2.1
Source IP
192.168.2.1
Destination IP
192.168.3.1
Port - 80
3.1
access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80

access-list 101 permit ip any any
27
2.1
Source IP
192.168.2.1
Destination IP
192.168.3.1
Port - 80
3.1

28
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
2.1 is accessing 3.1 Telnet Service
29
2.1
Source IP
192.168.2.1
Destination IP
192.168.3.1
Port - 23
3.1

30
2.1
Source IP
192.168.2.1
Destination IP
192.168.3.1
Port - 23
3.1

31
2.1
Source IP
192.168.2.1
192.168.1.1
Destination IP
192.168.3.1
Port - 23
3.1

32
10.0.0.1/8
S0
HYD
11.0.0.1/8
S0
S1
10.0.0.2/8
E0
192.168.1.150/24
1.1
1.2
1.3
LAN - 192.168.1.0/24
2.1
CHE
S1
11.0.0.2/8
E0
192.168.2.150/24
2.2
2.3
LAN - 192.168.2.0/24
3.1
BAN
E0
192.168.3.150/2
3.2
3.3
LAN - 192.168.3.0/24
2.1 is accessing 1.1 - Web Service
33
2.1
Source IP
192.168.2.1
Destination IP
192.168.1.1
192.168.1.1
Port - 80
1.1

34
2.1
Source IP
192.168.2.1
Destination IP
192.168.1.1
Port - 80
1.1

35
2.1
Source IP
192.168.2.1
192.168.1.1
Destination IP
192.168.1.1
Port - 80
1.1

36
Named Access List
Access-lists are identified using Names

rather than Numbers.
Names are Case-Sensitive
No limitation of Numbers here.
One Main Advantage is Editing of ACL is Possible (i.e)
Removing a specific statement from the ACL is
possible.
(IOS version 11.2 or later allows Named ACL)
37
Standard Named Access List
Creation of Standard Named Access List

Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit/deny> <source address>
<source wildcard mask>
Implementation of Standard Named Access List
Router(config)#interface <interface type><interface no>

Router(config-if)#ip access-group <name> <out/in>
38
Extended Named Access List
Creation of Extended Named Access List

Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit/deny> <protocol>
<source address> <source wildcard mask> <destination
address> < destination wildcard mask> <operator>
<service>
Implementation of Extended Named Access List
Router(config-if)#ip access-group <name> <out/in>
39
40
Microsoft Windows 2000 [Version 5.00.2195]

(C) Copyright 1985-2000 Microsoft Corp.
C:\> telnet 192.168.1.150
Connecting .....
================================
Welcome to Hyderabad Router
================================
User Access Verification
password : ****
Hyderabad> enable
password : ****
Hyderabad# show ip route
Gateway of last resort is not set
C
10.0.0.0/8 is directly connected, Serial0
R
11.0.0.0/8 [120/1] via 10.0.0.2, 00:00:25, Serial0
C
192.168.1.0/24 is directly connected, Ethernet0
R
192.168.2.0/24 [120/1] via 10.0.0.2, 00:00:25, Serial0
R
192.168.3.0/24 [120/2] via 10.0.0.2, 00:00:25, Serial0
Hyderabad#
41

C:\> telnet 192.168.2.150
Connecting .....
================================
Welcome to Chennai Router
================================
password : ****
Chennai> enable
password : ****
Chennai# show ip route
C
C
R
192.168.1.0/24 [120/1] via 10.0.0.1, 00:00:01, Serial1
C
R
192.168.3.0/24 [120/1] via 11.0.0.2, 00:00:12, Serial0
Chennai#
42

C:\> telnet 192.168.3.150
Connecting .....
================================
Welcome to Banglore Router
================================
password : ****
Banglore> enable
password : ****
Banglore# show ip route
R
10.0.0.0/8 [120/1] via 11.0.0.1, 00:00:04, Serial1
C
R
192.168.1.0/24 [120/2] via 11.0.0.1, 00:00:04, Serial1
R
192.168.2.0/24 [120/1] via 11.0.0.1, 00:00:04, Serial1
C
Banglore#
43

C:\> telnet 192.168.2.150
Connecting .....
================================
Welcome to Chennai Router
================================
password : ****
Chennai> enable
password : ****
Chennai# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chennai(config)# interface serial 1
Chennai(config-if)# ip address 10.0.0.2 255.0.0.0
Chennai(config-if)# no shut
Chennai(config-if)# encapsulation hdlc
Chennai(config-if)# interface serial 0
Chennai(config-if)# ip address 11.0.0.1 255.0.0.0
Chennai(config-if)# no shut
Chennai(config-if)# encapsulation hdlc
44

Chennai(config)# access-list 1 deny 192.168.1.1 0.0.0.0
Chennai(config)# access-list 1 permit any
Creation
of Standard
Access List
Chennai(config)# interface
ethernet
0
Router(config)#
access-list 1 <acl
no>
<permit/deny>
Chennai(config-if)#
ip access-group
out
<source address> <source wildcard mask>
Chennai(config-if)#
Implementation of Standard Access List
Router(config-if)#ip access-group <number> <out/in>
45

Chennai(config)# interface ethernet 0
Chennai(config-if)# ip access-group 1 out
Chennai(config-if)# ^Z
Chennai# show ip access-list
Standard IP access list 1
deny
192.168.1.1
deny
192.168.1.2
permit any
Chennai#
46
Chennai# show ip int e0

Ethernet0 is up, line protocol is up
Internet address is 192.168.2.150/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is 1
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP multicast fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
Policy routing is disabled
Network address translation is disabled
Chennai#
47

Chennai(config-if)# ip access-group 5 out
Standard
deny
deny
permit
Chennai#
IP access list 5
192.168.1.1
192.168.3.0
any
48

MTU is 1500 bytes
Outgoing access list is 5
Inbound access list is not set
Chennai#
49

Creation
of Standard
Access List
Chennai(config)# interface
ethernet
0
Router(config)#
access-list 5 <acl
no>
<permit/deny>
Chennai(config-if)#
ip access-group
out
Chennai(config-if)#
Implementation of Standard Access List
50

Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.0
192.168.3.1 0.0.0.0 eq 80
Chennai(config)# access-list
permit ipAccess
any any
Creation101
of Extended
List
Router(config)#
access-list <acl no>
<permit/deny>
Chennai(config-if)# ip access-group 101 in
<protocol>
Chennai(config-if)#
<destination address> < destination wildcard mask>
<operator>
<service>
Implementation
of Extended Access List
51

Chennai(config)# access-list 101 deny tcp 192.168.2.0 0.0.0.0
192.168.3.1 0.0.0.0 eq 80
Chennai(config)# access-list 101 permit ip any any
Chennai(config-if)# ip access-group 101 in
Extended IP access list 101
deny
tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq www
permit ip any any
Chennai#
52

MTU is 1500 bytes
Outgoing access list is not set
Inbound access list is 101
Chennai#
53

Day9-2 Access Control List

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Day9-2 Access Control List

Uploaded by

Copyright:

Available Formats

1

Rules of Access List

Standard ACL - Network Diagram

1.1 & 1.2 should not communicate with 2.0 network

How Standard ACL Works ?

1.1 is accessing 2.1

How Standard ACL Works ?

access-list 1 deny 192.168.1.1 0.0.0.0

How Standard ACL Works ?

access-list 1 deny 192.168.1.1 0.0.0.0

How Standard ACL Works ?

1.3 is accessing 2.1

How Standard ACL Works ?

access-list 1 deny 192.168.1.1 0.0.0.0

access-list 1 deny 192.168.1.2 0.0.0.0

How Standard ACL Works ?

access-list 1 deny 192.168.1.1 0.0.0.0

access-list 1 permit any

How Standard ACL Works ?

access-list 1 deny 192.168.1.1 0.0.0.0

access-list 1 deny 192.168.1.1 0.0.0.0

Standard ACL - Network Diagram

1.1 & 3.0 should not communicate with 2.0 network

How Standard ACL Works ?

1.1 is accessing 2.1

How Standard ACL Works ?

access-list 5 deny 192.168.1.1 0.0.0.0

How Standard ACL Works ?

access-list 5 deny 192.168.1.1 0.0.0.0

How Standard ACL Works ?

1.3 is accessing 2.1

How Standard ACL Works ?

access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255

How Standard ACL Works ?

access-list 5 deny 192.168.1.1 0.0.0.0

How Standard ACL Works ?

access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.1.1 0.0.0.0

How Standard ACL Works ?

3.1 is accessing 2.1

How Standard ACL Works ?

access-list 5 deny 192.168.1.1 0.0.0.0

access-list 5 deny 192.168.3.0 0.0.0.255

How Standard ACL Works ?

access-list 5 deny 192.168.1.1 0.0.0.0

How Standard ACL Works ?

access-list 5 deny 192.168.1.1 0.0.0.0

Extended ACL - Network Diagram

2.0 should not access with 3.1 (Web Service)

How Extended ACL Works ?

2.1 is accessing 3.1 - Web Service

How Extended ACL Works ?

access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80

How Extended ACL Works ?

access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80

How Extended ACL Works ?

2.1 is accessing 3.1 Telnet Service

How Extended ACL Works ?

access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80

How Extended ACL Works ?

access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80

How Extended ACL Works ?

access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eq 80