ACL (Access Control List): named access lists and numbered access lists. If we use a number to refer to an access list it is a numbered access list; if we use a name to refer to it, it is a named access list.
We use access lists to permit or deny IP packets based on our requirements. There are two types,
1. Standard Access List
2. Extended Access List
Here we are going to see how to configure a standard access list with a simple topology in Packet Tracer,
Step 1: Create a topology like this,
Step 2: Configure the router with the IP addresses I have given in the topology. Assign IP addresses to all the PCs and the server as in the topology.
In the router, global configuration:
Router(config)#interface fastethernet0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet1/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Step 3: Three steps to configure an access list on the router,
1) Creating the Standard Access List
2) Choosing an Interface for Binding
3) Choosing In/Out
Step 4: Create a standard IP access list to deny host 10.0.0.3 access to the server.
A standard access list filters based on the source IP address only. We can't deny or permit packets by destination or by particular ports; for that we have to use an extended access list, which we will see later. Now let us create a standard access list based on the statement given above.
Create Access List:
Router(config)#access-list 1 deny host 10.0.0.3 (or)
Router(config)#access-list 1 deny 10.0.0.3 0.0.0.0
Router(config)#access-list 1 permit any
where '1' is the list number. It identifies this as a standard access control list; the number can be '1 to 99' or '1300 to 1999'.
'deny' tells the router to drop the packets that match this statement.
'host 10.0.0.3' means only this one host is permitted or denied. Alternatively we configure it with the wildcard mask '0.0.0.0', which means the router checks all four octets; if they match, the packet is processed according to the access list.
There is an 'implicit deny' at the bottom of every access list, so we have to give the 'permit any' command last; otherwise any IP address that doesn't match the statements above it will be denied. An access list is always processed from top to bottom, so we must configure the statements in order. We should not configure the 'permit any' statement first and then the deny: if 'permit any' comes first, the access list checks the first statement, it matches, the packet is forwarded and the 'deny' statement that follows is never reached. Always configure the 'deny' statements first.
Choose the interface for binding, and whether in or out:
We should always choose an interface as close to the source as possible. Sometimes, depending on the access list statement, we need to choose the interface where packets go out of the router. We should try to use the router interface that receives the packets from the PCs in the LAN.
So I am going to choose 'interface fastethernet0/0'. Before that I am going to check the access list status for this interface.
In privileged mode,
Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 10.0.0.1/8
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
In global configuration,
Router(config)#interface fastethernet0/0
Router(config-if)#ip access-group 1 in
Router(config-if)#exit
where '1' refers to access list 1, and packets that come into the router on this interface will be filtered based on that access list.
Now, check the access list status on this interface.
In privileged mode,
Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 10.0.0.1/8
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Now go to the host configured with IP address 10.0.0.3 and try to ping 20.0.0.2. This is the response I got before and after configuring the access list.
This is the response for the other hosts.
To deny the whole network,
Router(config)#access-list 1 deny 10.0.0.0 0.255.255.255
Here we are denying the whole network, that is 16,777,216 IP addresses.
To permit one host and deny all others, I am going to permit 10.0.0.2
Router(config)#access-list 1 permit 10.0.0.2 0.0.0.0
(or)
Router(config)#access-list 1 permit host 10.0.0.2
Here the implicit deny at the end of every access list will deny the other hosts.
To permit a series of IP addresses, I am going to permit 10.0.0.0 to 10.0.0.3; all other IP addresses should be blocked.
Router(config)#access-list 1 permit 10.0.0.0 0.0.0.3
The wildcard mask '0.0.0.3' tells the router that the addresses from 10.0.0.0 up to 10.0.0.3 should be permitted and all others blocked. Total IP addresses: 4.
Some more examples for subnetted networks,
Router(config)#access-list 1 permit 10.0.0.0 0.0.0.255
Here, 10.0.0.0-10.0.0.255 will be permitted. Total IP addresses: 256.
Network 10.0.0.0/24, range of IPs 10.0.0.0-10.0.0.255
Router(config)#access-list 1 permit 10.0.0.0 0.0.1.255
Network 10.0.0.0/23, range of IPs 10.0.0.0-10.0.1.255
Here, 10.0.0.0-10.0.1.255 will be permitted. Total IP addresses: 512.
Router(config)#access-list 1 permit 10.0.32.0 0.0.15.255
Network 10.0.32.0/20, range of IPs 10.0.32.0-10.0.47.255
Here, 10.0.32.0-10.0.47.255 will be permitted. Total IP addresses: 4096. This is a network subnetted from a Class A network.
So the IP addresses from 10.0.32.0 to 10.0.47.255 belong to this network, and here we are permitting the whole subnetted network. Now we see how to permit or deny some of the addresses from this subnet.
Router(config)#access-list 1 deny 10.0.32.0 0.0.3.255
Router(config)#access-list 1 permit any
Here, IPs from 10.0.32.0 to 10.0.35.255 will be denied and all other IP addresses will be permitted, i.e. 10.0.36.0-10.0.47.255 will be permitted.
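To make the two rules this tutorial relies on concrete (top-to-bottom matching with the implicit deny described under "Create Access List", and wildcard masks selecting address ranges as in the subnet examples above), here is an added worked example in Python. It is not part of the original post and is not IOS code: it is a small standard-ACL evaluator that parses the same access-list syntax used on this page, matches a source address against each entry in order, falls through to the implicit deny, computes the address range and count a wildcard covers, and flags entries that can never be reached because an earlier entry (such as a misplaced 'permit any') already covers them. The configuration lines in SAMPLE_ACL are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration in the page's IOS syntax (not captured from a device).
SAMPLE_ACL = """
access-list 1 deny host 10.0.0.3
access-list 1 deny 10.0.32.0 0.0.3.255
access-list 1 permit any
"""

MASK32 = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Ace:
    """One access control entry: action, base address and wildcard mask (32-bit ints)."""
    action: str      # "permit" or "deny"
    network: int
    wildcard: int    # 1 bits are "don't care", 0 bits must match the base address exactly

    def matches(self, src: str) -> bool:
        # Only the bits that are 0 in the wildcard are compared: 'host' is wildcard 0.0.0.0
        # (all 32 bits compared) and 'any' is 255.255.255.255 (nothing compared).
        care = ~self.wildcard & MASK32
        return (ip_to_int(src) & care) == (self.network & care)

    def address_range(self) -> Tuple[str, str, int]:
        """Lowest address, highest address and number of addresses the entry covers."""
        low = self.network & ~self.wildcard & MASK32
        high = low | self.wildcard
        count = 1 << bin(self.wildcard).count("1")   # 2 ** (number of don't-care bits)
        return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high)), count

    def covers(self, other: "Ace") -> bool:
        """True if every address matched by `other` is also matched by this entry."""
        care = ~self.wildcard & MASK32
        # We may only ignore bits that `other` also ignores, and must agree on the compared bits.
        return (other.wildcard & care) == 0 and (other.network & care) == (self.network & care)


def parse_ace(line: str) -> Optional[Tuple[int, Ace]]:
    """Parse 'access-list <n> permit|deny host A | A WILDCARD | any'; None for other lines."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        return None
    number = int(tokens[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is outside the standard ACL ranges 1-99 and 1300-1999")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    target = tokens[3:]
    if target[0] == "any":
        network, wildcard = 0, MASK32
    elif target[0] == "host":
        network, wildcard = ip_to_int(target[1]), 0
    else:
        network = ip_to_int(target[0])
        # An omitted wildcard on a standard ACL is treated as 0.0.0.0 (exact host match).
        wildcard = ip_to_int(target[1]) if len(target) > 1 else 0
    return number, Ace(action, network, wildcard)


def parse_acl(config: str) -> Dict[int, List[Ace]]:
    """Group entries by list number, preserving configuration order."""
    lists: Dict[int, List[Ace]] = {}
    for line in config.splitlines():
        parsed = parse_ace(line.strip())
        if parsed:
            number, ace = parsed
            lists.setdefault(number, []).append(ace)
    return lists


def evaluate(acl: List[Ace], src: str) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins; falling off the end is the implicit deny (index None)."""
    for index, ace in enumerate(acl):
        if ace.matches(src):
            return ace.action, index
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never be reached because an earlier entry covers them."""
    return [j for j in range(len(acl)) if any(acl[i].covers(acl[j]) for i in range(j))]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)[1]
    for src in ("10.0.0.3", "10.0.34.7", "10.0.36.1"):
        print(src, evaluate(acl, src))
    print(Ace("permit", ip_to_int("10.0.32.0"), ip_to_int("0.0.15.255")).address_range())
    # The ordering mistake the text warns about: 'permit any' first shadows the later deny.
    wrong = parse_acl("access-list 2 permit any\naccess-list 2 deny host 10.0.0.3")[2]
    print("shadowed entries:", shadowed_entries(wrong))
```

Running the script shows 10.0.0.3 and 10.0.34.7 hitting the two deny entries, 10.0.36.1 reaching 'permit any', the 0.0.15.255 wildcard expanding to 10.0.32.0-10.0.47.255 (4096 addresses), and the second list reporting its deny entry as unreachable, which is exactly why the tutorial insists on putting deny statements before 'permit any'.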
Troubleshooting commands,
Router#show ip access-lists 1
Standard IP access list 1
deny host 10.0.0.3
permit any
Router#show access-lists , 'to see all access lists'.
Router#show access-lists <WORD> , '<WORD> is the name we use for the access list'.