Here, we are going to see how to configure an extended access list on a simple network topology.
Extended Access List (100-199, 2000-2699)
An extended access list filters packets on protocol, source address, destination address and port numbers. Let's see how to configure one.
Step 1: Create a topology like this,
Step 2: Configure the router and the hosts with the IP addresses given in the topology.
Router(config)#interface fastethernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet1/0
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Before we go to the access list configuration, let's look at some well-known protocols and port numbers; they will help when writing extended access list entries.
Port  Transport  Service
20    TCP UDP    FTP data transfer
21    TCP        FTP control (command)
23    TCP UDP    Telnet protocol
25    TCP        Simple Mail Transfer Protocol (SMTP)
53    TCP UDP    Domain Name System (DNS)
67    UDP        Dynamic Host Configuration Protocol (DHCP)
68    UDP        Dynamic Host Configuration Protocol (DHCP)
69    UDP        Trivial File Transfer Protocol (TFTP)
80    TCP        Hypertext Transfer Protocol (HTTP)
109   TCP        Post Office Protocol v2 (POP2)
110   TCP        Post Office Protocol v3 (POP3)
161   UDP        Simple Network Management Protocol (SNMP)
Step 3: Now we configure an access list that stops hosts 192.168.1.2 and 192.168.1.3 from communicating with the 192.168.2.0 network, while every other host can still communicate with 192.168.2.0.
Router(config)#access-list 100 deny ip host 192.168.1.2 192.168.2.0 0.0.0.255
Router(config)#access-list 100 deny ip host 192.168.1.3 192.168.2.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Router(config)#exit
(or)
Router(config)#access-list 100 deny ip 192.168.1.2 0.0.0.0 192.168.2.0 0.0.0.255
Router(config)#access-list 100 deny ip 192.168.1.3 0.0.0.0 192.168.2.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Router(config)#exit
Both forms are the same: "host 192.168.1.2" is shorthand for "192.168.1.2 0.0.0.0" (a wildcard mask of all zeros matches exactly one address). Either list denies the two hosts and allows every other host to communicate with 192.168.2.0.
The first line denies IP packets from host 192.168.1.2 to the 192.168.2.0 network.
The second line denies IP packets from host 192.168.1.3 to the 192.168.2.0 network.
The third line permits IP packets from any host to any network. It is needed because every access list ends with an implicit deny; without the permit, all remaining traffic would be dropped.
Step 4: Now choose the right interface to bind this access list to. An extended access list should be placed on the interface closest to the source hosts. If a single access list serves multiple networks, bind it to the interface those networks have in common.
Here I am going to choose interface fastethernet 0/0 to filter packets coming into the router, i.e. I am going to configure an inbound access list.
Before binding the access list to the interface:
Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Router(config)#interface fastethernet 0/0
Router(config-if)#ip access-group 100 in
Router(config-if)#exit
After I have configured the inbound access list:
Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 100
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Step 5: To check whether it is working, ping 192.168.2.2 from the hosts. The responses I got:
Router#show access-lists 100
Extended IP access list 100
deny ip host 192.168.1.2 192.168.2.0 0.0.0.255 (12 match(es))
deny ip host 192.168.1.3 192.168.2.0 0.0.0.255 (12 match(es))
permit ip any any (32 match(es))
Router#show ip access-lists 100
Router#show ip interface fastethernet0/0
Let's look at some variations of the configuration.
To deny the entire 192.168.1.0 network access to 192.168.2.0:
Router(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
To allow the entire 192.168.1.0 network access to 192.168.2.0:
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
To allow only HTTP access for all hosts and deny every other service (the implicit deny at the end of the list drops everything that does not match):
Router(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www
To check, click on PC -> Desktop -> Browser and enter 192.168.2.2 in the address bar.
To deny only HTTP access for all hosts while all other services are allowed:
Router(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 neq www
Here 'neq' (not equal) permits all services other than HTTP (www, port 80). Note that this entry matches TCP only, so non-TCP traffic such as ping still falls through to the implicit deny unless a further permit entry is added for it.
To deny a range of port numbers:
Router(config)#access-list 100 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 range 0 80
Packets to any port in this range (0 to 80) are blocked from the 192.168.1.0 network to the 192.168.2.0 network.
To deny ports greater than a particular port number:
Router(config)#access-list 100 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 gt 80
Wow thanks
This is really helpful. Thanks!