Here, we are going to see how to configure an Extended Access List on a simple network topology.

Extended Access List (100-199, 2000-2699)

An extended access list filters packets on protocol, source address, destination address and port numbers. Let us see how to configure an extended access list.


Step 1: Create a topology like this,








Step 2: Configure the router and the hosts with the IP addresses I have given in the topology.


Router(config)#interface fastethernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit


Router(config)#interface fastethernet1/0
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit



Before we go to the access list configuration, let us see some well-known protocols and port numbers; this will help when configuring an extended access list.



Port   Transport   Service
20     TCP, UDP    FTP data transfer
21     TCP         FTP control (command)
23     TCP, UDP    Telnet protocol
25     TCP         Simple Mail Transfer Protocol (SMTP)
53     TCP, UDP    Domain Name System (DNS)
67     UDP         Dynamic Host Configuration Protocol (DHCP)
68     UDP         Dynamic Host Configuration Protocol (DHCP)
69     UDP         Trivial File Transfer Protocol (TFTP)
80     TCP         Hypertext Transfer Protocol (HTTP)
109    TCP         Post Office Protocol v2 (POP2)
110    TCP         Post Office Protocol v3 (POP3)
161    UDP         Simple Network Management Protocol (SNMP)




Step 3: Now we configure an access list that stops the hosts 192.168.1.2 and 192.168.1.3 from communicating with the 192.168.2.0 network, while every other host can still communicate with 192.168.2.0.



Router(config)#access-list 100 deny ip host 192.168.1.2 192.168.2.0 0.0.0.255
Router(config)#access-list 100 deny ip host 192.168.1.3 192.168.2.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Router(config)#exit

                               (or)

Router(config)#access-list 100 deny ip 192.168.1.2 0.0.0.0 192.168.2.0 0.0.0.255
Router(config)#access-list 100 deny ip 192.168.1.3 0.0.0.0 192.168.2.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Router(config)#exit



 Both forms are the same: they deny the two hosts and allow every other host to communicate with 192.168.2.0. (Writing 'host 192.168.1.2' is shorthand for '192.168.1.2 0.0.0.0', a wildcard mask in which every bit must match.)


 The first line denies IP packets from the host 192.168.1.2 to the network 192.168.2.0.

 The second line denies IP packets from the host 192.168.1.3 to the network 192.168.2.0.

 The third line permits IP packets from any host to any network; without it, the implicit deny at the end of every access list would drop all remaining traffic.


Step 4: Now, choose the right interface to bind this access list to. An extended access list should be placed on the interface closest to the source hosts. If a single access list is meant to cover several networks, bind it on the interface those networks have in common.

  Here, I am going to choose interface fastethernet 0/0 to filter the packets coming into the router, i.e. I am going to configure an inbound access list.


Before binding the access list to the interface,

Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
  Internet address is 192.168.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled





Router(config)#interface fastethernet 0/0
Router(config-if)#ip access-group 100 in
Router(config-if)#exit




After I have configured the inbound access list,



Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
  Internet address is 192.168.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 100
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled




Step 5: To check whether it is working, just ping the IP '192.168.2.2'. The responses I got,






Router#show access-lists 100
Extended IP access list 100
    deny ip host 192.168.1.2 192.168.2.0 0.0.0.255 (12 match(es))
    deny ip host 192.168.1.3 192.168.2.0 0.0.0.255 (12 match(es))
    permit ip any any (32 match(es))


Router#show ip access-lists 100
Router#show ip interface fastethernet0/0



Let us see some variations of the configuration,



To deny the entire 192.168.1.0 network from reaching 192.168.2.0,


Router(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255



To allow the entire 192.168.1.0 network to reach 192.168.2.0,

Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255





To allow only HTTP access from all hosts and deny every other service (the implicit deny at the end of the list drops anything this single permit line does not match),

Router(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www

     To check, click on PC -> Desktop -> Browser and enter the IP 192.168.2.2 in the address bar.





To deny only HTTP access from all hosts while all other services are allowed,

Router(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 neq www

  Here, 'neq' means not equal: this line permits every TCP service other than HTTP (www, port 80). Note that the line matches TCP only, so non-TCP traffic such as ping (ICMP) falls through to the implicit deny unless a further permit line is added.




To deny a range of port numbers,

Router(config)#access-list 100 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 range 0 80

  Packets with destination ports in this range will be blocked from the network 192.168.1.0 to 192.168.2.0.



To deny ports greater than a particular port number,

Router(config)#access-list 100 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 gt 80
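To make the matching rules behind Step 3 and the port-operator variants above concrete, here is a small evaluator that applies an extended access list to sample packets. It is an added example written for this post, not Cisco IOS code and not from the original page. It models what the post relies on: entries are tested top-down and the first match wins, an implicit "deny ip any any" ends every list, a wildcard-mask bit of 0 means "must match" and 1 means "don't care", host/any are shorthands, and eq/neq/gt/lt/range are applied to the destination port (source-port operators are not modelled). The names Packet, parse_ace, evaluate, ACL_100 and HTTP_ONLY are this example's own, and the sample packets are constructed.

```python
"""Toy evaluator for Cisco-style extended ACL entries (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass

# Service names the post uses; IOS accepts these in place of port numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "tftp": 69, "www": 80, "pop3": 110, "snmp": 161}

ALL_ONES = 0xFFFFFFFF


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ... ("ip" in an ACE matches all of them)
    src: str
    dst: str
    dport: int = 0      # destination port, meaningful for tcp/udp only


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tokens, i):
    """Consume one address spec at tokens[i]; return (network, wildcard, next index)."""
    if tokens[i] == "any":                      # any == 0.0.0.0 255.255.255.255
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":                     # host A.B.C.D == A.B.C.D 0.0.0.0
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def _port_num(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _port_spec(tokens, i):
    """Consume an optional port operator; return (predicate on dport, next index)."""
    if i >= len(tokens):                        # no operator: any port matches
        return (lambda p: True), i
    op = tokens[i]
    if op == "range":
        lo, hi = _port_num(tokens[i + 1]), _port_num(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = _port_num(tokens[i + 1])
    ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
           "gt": lambda p: p > n, "lt": lambda p: p < n}
    return ops[op], i + 2


def parse_ace(line):
    """Parse 'access-list N action proto src dst [op port]' (the 'access-list N' prefix is optional)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src_net, src_wc, i = _addr_spec(tokens, 2)
    dst_net, dst_wc, i = _addr_spec(tokens, i)
    port_ok, _ = _port_spec(tokens, i)
    return action, proto, (src_net, src_wc), (dst_net, dst_wc), port_ok


def _wc_match(addr, net, wc):
    mask = ~wc & ALL_ONES                       # 1 bits of the wildcard are ignored
    return addr & mask == net & mask


def evaluate(acl_lines, pkt):
    """Return (verdict, index): index is the 1-based ACE that matched, 0 for the implicit deny."""
    src, dst = _ip(pkt.src), _ip(pkt.dst)
    for n, line in enumerate(acl_lines, 1):
        action, proto, (sn, sw), (dn, dw), port_ok = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:    # "ip" covers every IP protocol
            continue
        if not (_wc_match(src, sn, sw) and _wc_match(dst, dn, dw)):
            continue
        if proto in ("tcp", "udp") and not port_ok(pkt.dport):
            continue
        return action, n
    return "deny", 0                            # implicit deny ip any any


# The post's access list 100, and its single-line "http only" variant.
ACL_100 = [
    "access-list 100 deny ip host 192.168.1.2 192.168.2.0 0.0.0.255",
    "access-list 100 deny ip host 192.168.1.3 192.168.2.0 0.0.0.255",
    "access-list 100 permit ip any any",
]
HTTP_ONLY = ["access-list 100 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www"]

if __name__ == "__main__":
    # Constructed sample traffic: the two blocked hosts, an allowed host, and a
    # ping against the http-only list, which the implicit deny silently drops.
    for acl, pkt in [(ACL_100, Packet("icmp", "192.168.1.2", "192.168.2.2")),
                     (ACL_100, Packet("icmp", "192.168.1.4", "192.168.2.2")),
                     (HTTP_ONLY, Packet("tcp", "192.168.1.5", "192.168.2.2", 80)),
                     (HTTP_ONLY, Packet("icmp", "192.168.1.5", "192.168.2.2"))]:
        print(pkt, "->", evaluate(acl, pkt))
```

Running the script shows why the page's ping test in Step 5 is a good check: the blocked hosts hit line 1 or 2, everyone else falls to the permit on line 3, and against the http-only list even a ping is dropped by the implicit deny because the single permit line matches TCP only.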






