Access Control List (ACL) Configuration: (Example)
(All of the following are examples only; configure according to your own requirements.)
ACL types (every type of ACL checks its entries sequentially, top to bottom)
Standard ACL (ACL number 1 to 99): a standard ACL is placed closest to the destination network. It checks only the source address of the traffic.
Extended ACL (ACL number 100 to 199): an extended ACL is placed closest to the source network. It checks source address, destination address, protocol, source and destination port, and offers many more options.
Named ACL (a name instead of an ACL number), explained below
Time-based ACL, explained soon
Standard ACL configuration:
Router>enable
Router#configure terminal
Router(config)#access-list 10 {deny|permit} {any | host A.B.C.D | A.B.C.D wildcard}
Router(config)#access-list 10 deny/permit any >> any source host
Or Router(config)#access-list 10 deny/permit host 192.168.110.5 >> a single host address
Or Router(config)#access-list 10 deny/permit 192.168.110.0 0.0.0.255 >> a network address with its wildcard mask (without the wildcard, IOS matches only the single address 192.168.110.0)
To delete an ACL, prefix the command with no. Note that for a numbered ACL this removes the whole list, not just the one entry:
Example: Router(config)#no access-list 10 deny/permit any
Extended ACL configuration:
Router>enable
Router#configure terminal
Router(config)#access-list 100 {deny|permit} <protocol> <source: any | host A.B.C.D | A.B.C.D wildcard> <destination: any | host A.B.C.D | A.B.C.D wildcard> [service/port]
Router(config)#access-list 100 permit icmp any any echo >> allow ping (echo request) from any network to any network
Router(config)#access-list 100 permit icmp host 192.168.110.5 192.168.130.0 0.0.0.255 echo-reply >> allow ping replies from host 192.168.110.5 to the 192.168.130.0/24 network
Named ACL configuration:
Router>enable
Router#configure terminal
Standard Named:
Router(config)#ip access-list standard close_echo >> close_echo is the chosen name
Router(config-std-nacl)#deny 192.168.110.0 0.0.0.255 >> deny this network
Extended Named:
Router(config)#ip access-list extended close_echo >> close_echo is the chosen name
Router(config-ext-nacl)#deny icmp any host 192.168.110.6 echo-reply >> deny ping replies from any network to destination host 192.168.110.6
All of the above are examples. Apply ACLs according to your network policy.
Most important for any ACL:
Every type of ACL checks its entries sequentially and the first match decides; at the end of every ACL there is an implicit deny, so traffic that matches no entry is dropped. Therefore you must explicitly permit the traffic your requirements allow, for example:
Standard ACL: Router(config)#access-list 10 permit any
Extended ACL: Router(config)#access-list 100 permit ip any any
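To make the sequential check and the implicit deny concrete, here is an added Python model (not part of the original post or of IOS) that evaluates the extended ACL 100 from the examples above against a few constructed packets, once as written and once with permit ip any any appended:

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every address bit is "don't care"

def host(addr):
    return (addr, "0.0.0.0")           # Cisco "host A.B.C.D": every bit must match

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def entry(action, proto, src, dst, icmp_type=None):
    return {"action": action, "proto": proto, "src": src, "dst": dst, "icmp_type": icmp_type}

def evaluate(acl, pkt):
    """Walk the ACL top-down; the first matching entry decides.
    If no entry matches, the implicit deny at the end of the ACL applies."""
    for num, e in enumerate(acl, 1):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != pkt.get("icmp_type"):
            continue
        return e["action"], f"matched entry {num}"
    return "deny", "implicit deny (no entry matched)"

# Constructed: ACL 100 exactly as in the post, then the same list with "permit ip any any" added
ACL_100 = [
    entry("permit", "icmp", ANY, ANY, "echo"),
    entry("permit", "icmp", host("192.168.110.5"), ("192.168.130.0", "0.0.0.255"), "echo-reply"),
]
ACL_100_OPEN = ACL_100 + [entry("permit", "ip", ANY, ANY)]

# Constructed sample packets (addresses chosen for the demonstration only)
PING_REQUEST = {"proto": "icmp", "src": "10.1.1.1", "dst": "192.168.130.20", "icmp_type": "echo"}
PING_REPLY_OK = {"proto": "icmp", "src": "192.168.110.5", "dst": "192.168.130.20", "icmp_type": "echo-reply"}
PING_REPLY_OTHER = {"proto": "icmp", "src": "192.168.110.6", "dst": "192.168.130.20", "icmp_type": "echo-reply"}
WEB = {"proto": "tcp", "src": "192.168.110.5", "dst": "192.168.130.20"}

if __name__ == "__main__":
    for pkt in (PING_REQUEST, PING_REPLY_OK, PING_REPLY_OTHER, WEB):
        print(pkt["proto"], pkt.get("icmp_type", ""), pkt["src"], "->", pkt["dst"],
              "| ACL 100:", evaluate(ACL_100, pkt),
              "| with permit ip any any:", evaluate(ACL_100_OPEN, pkt))
```

The TCP packet is dropped by ACL 100 as written even though no entry mentions TCP, which is exactly the implicit deny the section above warns about.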
Apply an ACL:
Remember the two directions, inbound and outbound, when you apply an ACL to any router interface (serial or Fast Ethernet):
Inbound – traffic entering the router through that interface; which direction you need depends on your network flow
Outbound – traffic leaving the router through that interface; which direction you need depends on your network flow
Router>enable
Router#configure terminal
Router(config)#interface <interface-name> >> the serial or Fast Ethernet interface on which the ACL is applied
Router(config-if)#ip access-group 10 in/out >> numbered (standard) ACL, or
Router(config-if)#ip access-group 100 in/out >> numbered (extended) ACL, or
Router(config-if)#ip access-group close_echo in/out >> named ACL
Apply them according to your network policy.