Lab 12: ACL


ACL:

  1. Standard ACL (1 - 99)
  2. Extended ACL (100 - 199)

Standard ACL (1 - 99)

  1. Number ACL
  2. Name ACL

Network : 1.1.1.0/24


------f0/0----Router
--->in
<----out

1. Number ACL :

  • Write ACL
  • Apply to interface
! 1. Write ACL

 
Router(config)#access-list 1 permit 1.1.1.0 0.0.0.255
                             (permit | deny) (source IP) (wildcard mask)
Router(config)#access-list 1 permit any

Router(config)#no access-list 1   --> delete acl 1
 
! 2. Apply to interface

Router(config)#inter f0/0
Router(config-if)#ip access-group 1 in    (in | out)

2. Name ACL :

  • Write ACL
  • Apply to interface
# 1. Write ACL

R(config)#ip access-list standard abc
R(config-std-nacl)#deny host 1.1.1.1
R(config-std-nacl)#permit any
R(config-std-nacl)#15 deny host 2.2.2.2   --> insert entry with sequence number 15
R(config-std-nacl)#no 15                  --> delete entry 15 only

# 2. Apply to interface

R(config)#inter f0/0
R(config-if)#ip access-group abc in    (in | out)
R(config)#no ip access-list standard abc   --> delete acl abc

Extended ACL (100 - 199)

  1. Number ACL
  2. Name ACL

1. Number ACL :

  • Write ACL
  • Apply to interface

# Write ACL

R(config)#access-list 100 permit tcp  host 1.1.1.1 eq ? host 2.2.2.2 eq ?
          (100-199)   deny   udp  (Source IP)(SPort) (Des IP)(DPort)
                             icmp
                             ip
                          (protocol)

R(config)#access-list   100 	permit 	 ip 	any   	any


# Apply to interface

inter f0/0
ip access-group 100 in    (in | out)

2. Name ACL :

  • Write ACL
  • Apply to interface

# Write ACL

R(config)#ip access-list extended abc
R(config-ext-nacl)#permit tcp  host 1.1.1.1 eq ? host 2.2.2.2 eq ?
                   deny   udp  (Source IP)(SPort) (Des IP)(DPort)
                          icmp
                          ip

R(config-ext-nacl)#permit ip any any

# Apply to interface

inter f0/0
ip access-group abc in    (in | out)

Show

show ip access-list
show ip access-list 1
clear ip access-list counters

Example 1 : Deny source 12.0.0.1 telnet to R2

        .1               .2
---------- f0/1      f0/0 ---------    │
| Router 1 |─────────────| Router 2 |───│ lo1: 2.2.2.2/24
----------                ---------    │
             12.0.0.0/24

R2(config)#access-list 1 deny host 12.0.0.1
R2(config)#access-list 1 permit any
R2(config)#line vty 0 4
R2(config-line)#access-class 1 in

! Test
R1#telnet 12.0.0.2
R1#telnet 2.2.2.2

Example 2: Deny 1.1.1.1 access to web server 2.2.2.2 on TCP port 80


            12.1.1.0/24

----------  .1       f0/1 ----------
| Router 1 |───────────── | Router 2 |
----------   f0/1     .2  ----------
f0/0 │  .254              .254 │ f0/0
     │                         │
     │     1.1.1.0/24          │     2.2.2.0/24
  .1 │                      .2 │
    __  _                     --
   [__]|=|                   |==|  Web Server
   /++/|_|                   |  |
                              --
# Deny PC1 access to Web Server

Write extended ACL on R1 :

--->in f0/0 :	
SIP : 1.1.1.1 : 1025
DIP : 2.2.2.2 : 80	

R1(config)#access-list 100 deny tcp host 1.1.1.1 host 2.2.2.2 eq 80
R1(config)#access-list 100 permit ip any any
R1(config)#inter f0/0
R1(config-if)#ip access-group 100 in

! or 
<---out--f0/0
SIP : 2.2.2.2 : 80
DIP : 1.1.1.1 : 1025

R1(config)#access-list 100 deny tcp host 2.2.2.2 eq 80 host 1.1.1.1
R1(config)#access-list 100 permit ip any any
R1(config)#inter f0/0
R1(config-if)#ip access-group 100 out
R1#show access-list 100
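Added illustration, not part of the lab and not Cisco code: a small Python model of how a router walks the ACLs above (top-down, first match wins, wildcard mask with 0 = must match / 1 = ignored, and the implicit deny at the end that makes "permit ip any any" necessary). The ACL entries and test packets are constructed from ACL 1 and from Example 2.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (matches everything), "tcp", "udp", "icmp"
    src: str               # "any", "host 1.1.1.1", or "1.1.1.0 0.0.0.255"
    dst: str = "any"       # standard ACLs only look at the source
    dport: Optional[int] = None   # the "eq <port>" after the destination

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    parts = spec.split()
    network, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # bits that must match
    return (a & care) == (n & care)

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry decides; no match means the implicit 'deny' at the end."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], ace.src):
            continue
        if not wildcard_match(pkt["dst"], ace.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        return ace.action
    return "deny"

# Constructed from the lab: ACL 1 (standard) and Example 2's ACL 100 (extended)
ACL_1 = [Ace("permit", "ip", "1.1.1.0 0.0.0.255")]
ACL_100 = [Ace("deny", "tcp", "host 1.1.1.1", "host 2.2.2.2", 80),
           Ace("permit", "ip", "any", "any")]
ACL_100_NO_PERMIT = ACL_100[:1]   # what you get if the permit line is forgotten

def web_from_pc1() -> dict:
    return {"proto": "tcp", "src": "1.1.1.1", "dst": "2.2.2.2", "dport": 80}

if __name__ == "__main__":
    print(evaluate(ACL_100, web_from_pc1()))            # deny
    print(evaluate(ACL_100_NO_PERMIT, {"proto": "icmp", "src": "1.1.1.1", "dst": "2.2.2.2"}))  # deny (implicit)
```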