Router Standard Access-List

1./ Router HQ

hostname ROUTER-HQ

interface fa0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown
 exit

interface fa0/1
 ip address 192.168.12.1 255.255.255.0
 no shutdown
 exit

interface serial0/1/0
 ip address 192.168.11.1 255.255.255.0
 clock rate 2000000
 no shutdown
 exit


ip route 10.1.1.0 255.255.255.0 192.168.11.2
ip route 10.2.1.0 255.255.255.0 192.168.12.2
ip route 10.3.1.0 255.255.255.0 192.168.12.3


2./ Router KCM


hostname ROUTER-KCM

interface fa0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 exit

interface s0/0
 ip address 192.168.11.2 255.255.255.0
 no shutdown
ip route 10.0.1.0 255.255.255.0 192.168.11.1
ip route 10.2.1.0 255.255.255.0 192.168.11.1
ip route 10.3.1.0 255.255.255.0 192.168.11.1


3./ Router BTB


hostname ROUTER-BTB

interface fa0/0
 ip address 10.2.1.1 255.255.255.0
 no shutdown
 exit

interface fa0/1
 ip address 192.168.12.2 255.255.255.0
 no shutdown
 exit

ip route 10.0.1.0 255.255.255.0 192.168.12.1
ip route 10.1.1.0 255.255.255.0 192.168.12.1
ip route 10.3.1.0 255.255.255.0 192.168.12.3


4./ Router SRP


hostname ROUTER-SRP

interface fa0/0
 ip address 10.3.1.1 255.255.255.0
 no shutdown
 exit

interface fa0/1
 ip address 192.168.12.3 255.255.255.0
 no shutdown
 exit

ip route 10.0.1.0 255.255.255.0 192.168.12.1
ip route 10.1.1.0 255.255.255.0 192.168.12.1
ip route 10.2.1.0 255.255.255.0 192.168.12.2


5./ Standard Access Control List (ACL):

===============================================

Exercise 1:

Block laptop 1 (10.0.1.2) in LAN HQ from accessing laptops on the other networks,
but allow the other laptops and the server in LAN HQ to do so.

ROUTER HQ:

access-list 20 deny host 10.0.1.2
access-list 20 permit any
access-list 20 deny any

interface fa0/0
 ip access-group 20 in


1. remove standard ACL 20 (for a numbered ACL, "no access-list 20 ..." deletes the whole list, not just the quoted entry)

no access-list 20 deny host 10.0.1.2


2. remove the inbound filter from fa0/0

interface fa0/0
 no ip access-group 20 in



3. apply access-list 20 as an outbound filter on both exit interfaces

interface serial0/1/0
 ip access-group 20 out

interface fa0/1
 ip access-group 20 out


===============================================

Exercise 2:

Block laptop 6 (10.3.1.2) in LAN SRP from accessing all hosts in LAN HQ.
Block all laptops in LAN KCM from accessing all hosts in LAN HQ.
Other laptops are allowed. The ACL must be applied on ROUTER HQ.


ROUTER HQ:

access-list 99 deny host 10.3.1.2
access-list 99 deny 10.1.1.0 0.0.0.255
access-list 99 permit any

interface f0/0
 ip access-group 99 out

-------- insert a statement into the existing access list by sequence number:
Block laptop 4 (10.2.1.2) in LAN BTB from accessing all hosts in LAN HQ.

-------- check the existing ACL sequence numbers (10, 20, 30 ...) so the new entry lands before "permit any":

# show access-lists

ip access-list standard 99
 25 deny host 10.2.1.2


===============================================

REQUIREMENT 3:

Allow the web server (10.0.1.3) and LAN KCM (10.1.1.0/24) to access LAN BTB (10.2.1.0/24);
all other laptops are denied.
The ACL must be applied on ROUTER BTB.

ROUTER BTB:

access-list 3 permit host 10.0.1.3
access-list 3 permit 10.1.1.0 0.0.0.255
access-list 3 deny any

interface fa0/1
 ip access-group 3 in

===============================================

REQUIREMENT 4:

Allow only LaptopX (10.0.1.10) in LAN HQ to telnet to ROUTER HQ;
all other laptops are denied. The ACL must be applied on ROUTER HQ.

line vty 0 4
 password telnetpass
 login
 exit

enable secret secretpass

access-list 66 permit host 10.0.1.10
line vty 0 4
 access-class 66 in


************ Lesson ****************

Access Control List (ACL)

Standard ACL characteristics:
- permit or deny traffic flows
- match on the source IP address only
- apply to all IP protocols (no filtering by protocol or port)
- Cisco recommends placing a standard ACL on the router closest to the destination

Sample config:

Step 1: create standard acl statements:

(config)# access-list acl-id permit/deny src-ip-address

acl-id = 1 to 99, or 1300 to 1999 (expanded range)

src-ip-address:
 1) host ip address: 10.0.1.2/32     (a single host: all 32 mask bits set)
     /32 --> subnet mask: 255.255.255.255
         --> wildcard mask= 255.255.255.255 - subnet mask=
                          =  0.0.0.0

---> src-ip-address:     host 10.0.1.2 OR 10.0.1.2 0.0.0.0
(config)# access-list acl-id permit/deny host 10.0.1.2
(config)# access-list acl-id permit/deny 10.0.1.2 0.0.0.0

src-ip-address:
 2) network address: 10.0.1.0/24           (network block)
     /24 --> subnet mask: 255.255.255.0
         --> wildcard mask= 255.255.255.255 - subnet mask=
                          =  0.0.0.255

---> src-ip-address: 10.0.1.0 0.0.0.255
(config)# access-list acl-id permit/deny 10.0.1.0 0.0.0.255

src-ip-address:
 3) any source address: 0.0.0.0/0
     /0 --> subnet mask: 0.0.0.0
         --> wildcard mask= 255.255.255.255 - subnet mask=
                          =  255.255.255.255

---> src-ip-address: 0.0.0.0 255.255.255.255 OR any
(config)# access-list acl-id permit/deny 0.0.0.0 255.255.255.255
(config)# access-list acl-id permit/deny any



Step 2: apply the standard ACL to an interface

(config)# interface name
(config-if)# ip access-group acl-id in/out
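The following Python model is an added example, not part of the lab sheet, that reproduces the three pieces of IOS behaviour the lesson and exercises rely on: the wildcard-mask formula from Step 1, first-match evaluation with the implicit deny at the end of every standard ACL, and the sequence-number insertion used in Exercise 2. It assumes the IOS default of numbering classic "access-list" statements 10, 20, 30 ... and feeds in the page's own ACL 99 plus its "25 deny host 10.2.1.2" insertion as sample input.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_prefix(prefix_len):
    """Wildcard mask = 255.255.255.255 - subnet mask (the lesson's formula)."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(ALL_ONES - netmask))


def parse_source(tokens):
    """'host A' -> (A, 0.0.0.0); 'A WILD' -> (A, WILD); 'any' -> (0.0.0.0, 255.255.255.255)."""
    if tokens == ["any"]:
        return 0, ALL_ONES
    if tokens[0] == "host":
        return to_int(tokens[1]), 0
    if len(tokens) == 1:  # IOS treats a bare address with no wildcard as a host
        return to_int(tokens[0]), 0
    return to_int(tokens[0]), to_int(tokens[1])


def build_acl(lines):
    """Classic 'access-list N permit|deny SRC' lines get sequence numbers 10, 20, 30 ... (assumed IOS default)."""
    entries = {}
    for pos, line in enumerate(lines, start=1):
        parts = line.split()
        entries[10 * pos] = (parts[2], *parse_source(parts[3:]))
    return entries


def insert_entry(entries, seq, action, src):
    """Equivalent of 'ip access-list standard N' followed by '<seq> deny|permit SRC'."""
    entries[seq] = (action, *parse_source(src.split()))


def evaluate(entries, src_ip):
    """First matching entry in sequence order wins; no match means the implicit deny."""
    ip = to_int(src_ip)
    for seq in sorted(entries):
        action, addr, wild = entries[seq]
        # 1-bits in the wildcard are "don't care": compare only the 0-bit positions
        if ((ip & ~wild) & ALL_ONES) == ((addr & ~wild) & ALL_ONES):
            return action, seq
    return "deny", None  # implicit deny any at the end of every ACL


# Sample input: ACL 99 from Exercise 2, then its sequence-25 insertion.
ACL99 = build_acl(["access-list 99 deny host 10.3.1.2",
                   "access-list 99 deny 10.1.1.0 0.0.0.255",
                   "access-list 99 permit any"])
insert_entry(ACL99, 25, "deny", "host 10.2.1.2")
```

Without the explicit sequence number, "deny host 10.2.1.2" would be appended after "permit any" and never match, which is why the exercise checks the sequence numbers first.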


************* Exercise *******************


REQUIREMENT 1:

Block the Web Server (10.0.1.3) in LAN HQ from accessing laptops on the other networks,
but allow the other laptops and the server in LAN HQ to do so.

ROUTER HQ:

???

access-list 10 deny host 10.0.1.3
access-list 10 permit any

======= filter outbound (apply)
???

int se0/1/0
ip access-group 10 out
exit
int f0/1
ip access-group 10 out

======= remove from interface
???


int se0/1/0
no ip access-group 10 out
exit

int f0/1
no ip access-group 10 out
exit

no access-list 10

######################################################

REQUIREMENT 2:

Block laptop 7 (10.3.1.3) in LAN SRP from accessing all hosts in LAN HQ.
Block all laptops in LAN BTB (10.2.1.0/24) from accessing all hosts in LAN HQ.
Other laptops are allowed. The ACL must be applied on ROUTER HQ.


ROUTER HQ:

???

access-list 20 deny host 10.3.1.3
access-list 20 deny 10.2.1.0 0.0.0.255
access-list 20 permit any

int f0/0
ip access-group 20 out



-------- insert a statement into the existing access list by sequence number:
Block laptop 6 (10.3.1.2) in LAN SRP from accessing all hosts in LAN HQ.

???


ip access-list standard 20
15 deny host 10.3.1.2


######################################################

REQUIREMENT 3:

Allow only Laptop3 (10.1.1.3) in LAN KCM to telnet to ROUTER HQ;
all other laptops are denied. The ACL must be applied on ROUTER HQ.
Set the telnet password: telnetpwd
Set the enable secret: secretpwd


Router HQ

???


line vty 0 4
password telnetpwd
login
exit

enable secret secretpwd

access-list 30 permit host 10.1.1.3
line vty 0 4
access-class 30 in

