EXTENDED ACCESS CONTROL LIST
Configure an extended ACL as follows. Each entry names a protocol, a source and a destination (each given as an address plus a wildcard mask, where a 1 bit in the mask means "don't care"), and optionally a port match.
Syntax:
Router(config)#access-list <no.> permit/deny <protocol> <source ip> <source wildcard mask> <destination ip> <destination wildcard mask> [operator] [port]
To apply an ACL to an interface
Syntax:
Router(config)#interface <type> <no.>
Router(config-if)#ip access-group <no.> in/out
SCENARIO
On Kolkata:
Configure an access-list on KOLKATA that denies the Kolkata LAN (10.0.0.0/8) from accessing the HTTP server in the Mumbai LAN (192.168.2.0) and also denies ping (ICMP echo) from the Kolkata LAN to the Delhi LAN (192.168.1.0).
ON KOLKATA:
KOLKATA#configure terminal
KOLKATA(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 192.168.2.4 0.0.0.0 eq www
KOLKATA(config)#access-list 101 deny icmp 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255 echo
KOLKATA(config)#access-list 101 permit ip any any
KOLKATA(config)#interface fastethernet 0/0
KOLKATA(config-if)#ip access-group 101 in
KOLKATA(config-if)#exit
KOLKATA(config)#exit
KOLKATA#sh ip access-list
Test: From the Kolkata LAN, try to open the web server in the Mumbai LAN and ping the Delhi LAN; both should now be blocked, while other traffic still passes.
Verify the configuration with the following commands.
To verify the access-list entries
Syntax:
Router#sh ip access-list
OUTPUT:
Kolkata#sh ip access-lists
Extended IP access list 101
deny tcp 10.0.0.0 0.255.255.255 host 192.168.2.5 eq www
deny icmp 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255 echo
permit ip any any
To verify that the access-list is applied to the interface
Syntax:
Router#sh ip interface <type> <No>
OUTPUT:
Kolkata#sh ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 10.0.0.1/8
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 101
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled