tech:network:cisco:named-acl:named-acl
Table of Contents
ACL: Named ACL
Exercise
R2(config)#ip access-list standard SALES-DENY R2(config-std-nacl)#den R2(config-std-nacl)#deny hos R2(config-std-nacl)#1 per R2(config-std-nacl)#1 permit den R2(config-std-nacl)#1 permit deny R2(config-std-nacl)#1 permit 192.168.0.1 0.0.0.0 R2(config-std-nacl)#2 per R2(config-std-nacl)#2 de R2(config-std-nacl)#2 deny host 192.168.0.2 ? log Log matches against this entry <cr> R2(config-std-nacl)#2 deny host 192.168.0.2 log R2(config-std-nacl)#exit R2(config-std-nacl)#int gig0/2 R2(config-if)#ip access R2(config-if)#ip access-group ? <1-199> IP access list (standard or extended) <1300-2699> IP expanded access list (standard or extended) WORD Access-list name R2(config-if)#ip access-group SALES-DENY out
R2(config)#ip access-list ex
R2(config)#ip access-list extended nam
R2(config)#ip access-list extended WEB-FILTER
R2(config-ext-nacl)#
R2(config-ext-nacl)#$0.1 0.0.0.0 eq 21 host 192.168.4.1 eq 80 log-input
R2(config-ext-nacl)#2 deny ip 192.168.0.0 0.0.0.255 any log-input
R2(config-ext-nacl)#exit
R2(config)#ing gig0/2
^
% Invalid input detected at '^' marker.
R2(config)#int gig0/2
R2(config-if)#ip access-g
R2(config-if)#ip access-group WEB-FILTER out
ip access-list extended WEB-FILTER
1 permit tcp 192.168.0.1 0.0.0.0 eq 21 host 192.168.4.1 eq 80 log-input
2 deny ip 192.168.0.0 0.0.0.255 any log-input
int gig0/2
ip access-group WEB-FILTER out
ifconfig eth0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255 route add default gw 192.168.0.254 eth0 ifconfig eth0 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255 route add default gw 192.168.0.254 eth0 ifconfig eth0 192.168.0.3 netmask 255.255.255.0 broadcast 192.168.0.255 route add default gw 192.168.0.254 eth0 ifconfig eth0 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255 route add default gw 192.168.2.254 eth0 ifconfig eth0 192.168.4.1 netmask 255.255.255.0 broadcast 192.168.4.255 route add default gw 192.168.4.254 eth0 echo hello>index.html php -S 0.0.0.0:80
Standard ACL
- R2
ip access-list standard ONE-DROP deny host 192.168.0.1 permit 192.168.0.0 0.0.0.255 exit int gig0/2 ip access-group ONE-DROP out exit
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip acce
R2(config)#ip access-list stand
R2(config)#ip access-list standard ONE-DROp
R2(config-std-nacl)#den
R2(config-std-nacl)#deny hos
R2(config-std-nacl)#deny host 192.168.0.1
R2(config-std-nacl)#permi
R2(config-std-nacl)#permit 192.168.0 0.0.0.255
^
% Invalid input detected at '^' marker.
R2(config-std-nacl)#permi
R2(config-std-nacl)#permit 192
R2(config-std-nacl)#permit 192.168.0.0 0.0.0.255
R2(config-std-nacl)#exit
R2(config)#int gig0/2
R2(config-if)#ip acce
R2(config-if)#ip access-group ONE-DROP out
R2(config-if)#exit
icmp successful… something wrong.
root@Python,Go,Perl,PHP-1:~# ping 192.168.4.1 -c2 PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. 64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=5.47 ms 64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=7.57 ms --- 192.168.4.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 5.474/6.522/7.570/1.048 ms
case wrong. ONE-DROp
no ip access-list standard ONE-DROp ip access-list standard ONE-DROP deny host 192.168.0.1 permit 192.168.0.0 0.0.0.255 exit
R2(config)#no ip access-list standard ONE-DROp R2(config)#ip access-list standard ONE-DROP R2(config-std-nacl)#deny host 192.168.0.1 R2(config-std-nacl)#permit 192.168.0.0 0.0.0.255 R2(config-std-nacl)#exit
1-4
ping 192.168.4.1 -c2
works fine.
root@Python,Go,Perl,PHP-1:~# ping 192.168.4.1 -c2 PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. From 192.168.3.1 icmp_seq=1 Packet filtered From 192.168.3.1 icmp_seq=2 Packet filtered --- 192.168.4.1 ping statistics --- 2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
root@Python,Go,Perl,PHP-2:~# ping 192.168.4.1 -c2 PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. 64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=8.05 ms 64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=7.80 ms --- 192.168.4.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 7.805/7.929/8.053/0.124 ms
root@Python,Go,Perl,PHP-3:~# ping 192.168.4.1 -c2 PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. 64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=15.5 ms 64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=7.85 ms --- 192.168.4.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 7.858/11.704/15.551/3.848 ms
root@Python,Go,Perl,PHP-4:~# ping 192.168.4.1 -c2 PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. From 192.168.3.1 icmp_seq=1 Packet filtered From 192.168.3.1 icmp_seq=2 Packet filtered --- 192.168.4.1 ping statistics --- 2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms
Extended ACL
- R1
ip access-list extended WEB-FILTER deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 log-input deny tcp host 192.168.0.2 host 192.168.4.1 eq 80 log-input permit ip any any exit int gig0/2 ip access-group WEB-FILTER in exit
R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ip acce R1(config)#ip access-list exte R1(config)#ip access-list extended WEB-FILTER R1(config-ext-nacl)#deny R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 log-in R1(config-ext-nacl)#$st 192.168.0.1 host 192.168.4.1 eq 80 log-input R1(config-ext-nacl)#deny R1(config-ext-nacl)#$st 192.168.0.2 host 192.168.4.1 eq 80 log-input R1(config-ext-nacl)#permi R1(config-ext-nacl)#permit ip an R1(config-ext-nacl)#permit ip any an R1(config-ext-nacl)#permit ip any any R1(config-ext-nacl)#exit R1(config)#int gig0/2 R1(config-if)#ip acc R1(config-if)#ip acce R1(config-if)#ip access-group WEB-FILTER in R1(config-if)#exit R1(config)#^Z R1# *Apr 1 04:07:12.370: %SYS-5-CONFIG_I: Configured from console by console
1-4
telnet 192.168.4.1 80 GET / ping 192.168.4.1 -c2
root@Python,Go,Perl,PHP-1:~# telnet 192.168.4.1 80 Trying 192.168.4.1... telnet: Unable to connect to remote host: No route to host root@Python,Go,Perl,PHP-1:~# ping 192.168.4.1 -c2 PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. 64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=7.29 ms 64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=9.87 ms --- 192.168.4.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 7.297/8.587/9.877/1.290 ms
root@Python,Go,Perl,PHP-2:~# telnet 192.168.4.1 80 Trying 192.168.4.1... telnet: Unable to connect to remote host: No route to host root@Python,Go,Perl,PHP-2:~# ping 192.168.4.1 -c2 PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. 64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=8.40 ms 64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=4.92 ms --- 192.168.4.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 4.924/6.666/8.408/1.742 ms
root@Python,Go,Perl,PHP-3:~# telnet 192.168.4.1 80 Trying 192.168.4.1... Connected to 192.168.4.1. Escape character is '^]'. GET / HTTP/0.9 200 OK Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 6 hello Connection closed by foreign host. root@Python,Go,Perl,PHP-3:~# ping 192.168.4.1 -c2 PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. 64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=12.5 ms 64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=8.23 ms --- 192.168.4.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 8.233/10.376/12.519/2.143 ms
root@Python,Go,Perl,PHP-4:~# telnet 192.168.4.1 80 Trying 192.168.4.1... Connected to 192.168.4.1. Escape character is '^]'. GET / HTTP/0.9 200 OK Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 6 hello Connection closed by foreign host. root@Python,Go,Perl,PHP-4:~# ping 192.168.4.1 -c2 PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. 64 bytes from 192.168.4.1: icmp_seq=1 ttl=62 time=8.39 ms 64 bytes from 192.168.4.1: icmp_seq=2 ttl=62 time=9.54 ms --- 192.168.4.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 8.397/8.972/9.547/0.575 ms
logs are
R1# *Apr 1 04:07:12.370: %SYS-5-CONFIG_I: Configured from console by console R1# *Apr 1 04:07:56.095: %SEC-6-IPACCESSLOGP: list WEB-FILTER denied tcp 192.168.0.1(46460) (GigabitEthernet0/2 9e6f.48fe.1ab1) -> 192.168.4.1(80), 1 packet R1# *Apr 1 04:08:19.710: %SEC-6-IPACCESSLOGP: list WEB-FILTER denied tcp 192.168.0.1(46462) (GigabitEthernet0/2 9e6f.48fe.1ab1) -> 192.168.4.1(80), 1 packet R1# *Apr 1 04:08:21.747: %SEC-6-IPACCESSLOGP: list WEB-FILTER denied tcp 192.168.0.2(36658) (GigabitEthernet0/2 6e81.fadf.4d10) -> 192.168.4.1(80), 1 packet R1# *Apr 1 04:08:31.991: %SEC-6-IPACCESSLOGP: list WEB-FILTER denied tcp 192.168.0.2(36660) (GigabitEthernet0/2 6e81.fadf.4d10) -> 192.168.4.1(80), 1 packet
works fine. ok.
References
tech/network/cisco/named-acl/named-acl.txt · Last modified: 2018/04/02 02:51 by 5.9.98.130
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
