
Thursday, June 9, 2011

Access Control List (ACL) Configuration


Access Control List (ACL) Configuration (Example)
(All of these are only examples; configure them according to your own requirements.)


ACL types (every type of ACL checks its conditions sequentially, top to bottom, and the first matching entry wins)

Standard ACL (ACL numbers 1 to 99): a standard ACL checks only the source address of the traffic, so it is configured closest to the destination network.

Extended ACL (ACL numbers 100 to 199): an extended ACL checks source, destination, protocol, and source/destination port, among other features, so it is configured closest to the source network.

Named ACL (a name instead of an ACL number): explained below.

Time ACL (time-based ACL): to be explained in a later post.


Standard ACL configuration:
Router>enable
Router#configure terminal

Router(config)#access-list 10 deny/permit  any/host/address wildcard
Router(config)#access-list 10 deny/permit any  >> any source host
Or Router(config)#access-list 10 deny/permit host 192.168.110.5 >> a single host address
Or Router(config)#access-list 10 deny/permit 192.168.110.0 0.0.0.255 >> a network address with its wildcard mask (without the wildcard, IOS treats the address as a single host)

If you want to delete an ACL entry, just put "no" at the beginning of the command:
Example: Router(config)#no access-list 10 deny/permit any


Extended ACL configuration:
Router>enable
Router#configure terminal

Router(config)#access-list 100 deny/permit  service/protocol type  any/host/address (source)  any/host/address (destination)  service type

Router(config)#access-list 100 permit icmp any any echo  >> allow ping (echo request) from any network to any network
Router(config)#access-list 100 permit icmp host 192.168.110.5 192.168.130.0 0.0.0.255 echo-reply  >> allow ping replies from host 192.168.110.5 to the 192.168.130.0/24 network

 
Named ACL configuration:
Router>enable
Router#configure terminal

Standard Named:
Router(config)#ip access-list standard close_echo   >> close_echo is the chosen ACL name
Router(config-std-nacl)#deny 192.168.110.0 0.0.0.255  >> deny this network

Extended Named:
Router(config)#ip access-list extended close_echo >> close_echo is the chosen ACL name
Router(config-ext-nacl)#deny icmp any host 192.168.110.6 echo-reply >> deny ping replies from any network to destination host 192.168.110.6

All of the above are examples. Apply ACLs according to the requirements of your network policy.


Most important for any ACL:
Every type of ACL checks its conditions sequentially, but at the end of every ACL there is an implicit deny: any traffic not matched by an earlier entry is dropped. So you must explicitly permit whatever your requirements call for, typically with a final entry such as:

Standard ACL: Router(config)#access-list 10 permit any  
Extended ACL: Router(config)#access-list 100 permit ip any any
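To make the first-match order, the wildcard masks and the implicit deny concrete, here is a small ACL evaluator written for this post (it is not Cisco code and not part of the original post). It replays ACL 100 from the extended example above against constructed packets; names such as evaluate and spec_match are my own.

```python
import ipaddress

# Constructed example: a minimal first-match ACL evaluator that follows
# the IOS rules described above (sequential check, implicit deny at end).

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def spec_match(addr, spec):
    """Address spec forms used in the post: 'any', 'host X', or 'X WILDCARD'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    network, wildcard = parts
    return wildcard_match(addr, network, wildcard)

def evaluate(acl, pkt):
    """Walk the entries in order; the first match decides; no match -> deny.
    An entry is (action, proto, src_spec, dst_spec, icmp_type); a standard
    ACL entry uses proto 'ip', dst 'any' and icmp_type None."""
    for action, proto, src, dst, icmp_type in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if icmp_type is not None and icmp_type != pkt.get("icmp_type"):
            continue
        if spec_match(pkt["src"], src) and spec_match(pkt["dst"], dst):
            return action
    return "deny"   # the implicit deny at the end of every ACL

# Extended ACL 100 from the post, with and without the closing permit
ACL_100_NO_PERMIT = [
    ("permit", "icmp", "any", "any", "echo"),
    ("permit", "icmp", "host 192.168.110.5", "192.168.130.0 0.0.0.255", "echo-reply"),
]
ACL_100 = ACL_100_NO_PERMIT + [("permit", "ip", "any", "any", None)]

# Standard ACL 10: deny one network, then permit everything else
ACL_10 = [
    ("deny", "ip", "192.168.110.0 0.0.0.255", "any", None),
    ("permit", "ip", "any", "any", None),
]
```

Without the final permit ip any any, a plain TCP packet that matches neither ICMP entry falls through to the implicit deny; with it, the same packet is permitted.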


Apply ACL:

Remember the two directions, inbound and outbound, when you apply an ACL to any router interface (serial or Fast Ethernet); which one you need depends on your traffic flow:
Inbound – the ACL is checked when traffic enters the router through that interface
Outbound – the ACL is checked when traffic leaves the router through that interface

Router>enable
Router#configure terminal
Router(config)#interface <type/number>  >> the interface to filter on (e.g. serial or Fast Ethernet)

Router(config-if)#ip access-group 10 in/out  >> numbered (standard) ACL, OR
Router(config-if)#ip access-group 100 in/out >> numbered (extended) ACL, OR
Router(config-if)#ip access-group close_echo in/out  >> named ACL

Apply whichever suits your network policy.