
ACL: Named ACL

Exercise

R2(config)#ip access-list standard SALES-DENY
R2(config-std-nacl)#den
R2(config-std-nacl)#deny hos
R2(config-std-nacl)#1 per
R2(config-std-nacl)#1 permit den
R2(config-std-nacl)#1 permit deny
R2(config-std-nacl)#1 permit 192.168.0.1 0.0.0.0
R2(config-std-nacl)#2 per
R2(config-std-nacl)#2 de
R2(config-std-nacl)#2 deny host 192.168.0.2 ?
  log  Log matches against this entry
  <cr>

R2(config-std-nacl)#2 deny host 192.168.0.2 log
R2(config-std-nacl)#exit
R2(config-std-nacl)#int gig0/2
R2(config-if)#ip access
R2(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

R2(config-if)#ip access-group SALES-DENY out
R2(config)#ip access-list ex
R2(config)#ip access-list extended nam
R2(config)#ip access-list extended WEB-FILTER
R2(config-ext-nacl)#
R2(config-ext-nacl)#$0.1 0.0.0.0 eq 21 host 192.168.4.1 eq 80 log-input
R2(config-ext-nacl)#2 deny ip 192.168.0.0 0.0.0.255 any log-input
R2(config-ext-nacl)#exit
R2(config)#ing gig0/2
             ^
% Invalid input detected at '^' marker.

R2(config)#int gig0/2
R2(config-if)#ip access-g
R2(config-if)#ip access-group WEB-FILTER out

ip access-list extended WEB-FILTER
1 permit tcp 192.168.0.1 0.0.0.0 eq 21 host 192.168.4.1 eq 80 log-input
2 deny ip 192.168.0.0 0.0.0.255 any log-input
int gig0/2
ip access-group WEB-FILTER out
# Lab host addressing: one stanza per Linux host, run on that host.
# Each host is on a /24 whose .254 address is the router it uses as default gateway.
# Three hosts on 192.168.0.0/24:
ifconfig eth0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
route add default gw 192.168.0.254 eth0

ifconfig eth0 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255
route add default gw 192.168.0.254 eth0

ifconfig eth0 192.168.0.3 netmask 255.255.255.0 broadcast 192.168.0.255
route add default gw 192.168.0.254 eth0

# One host on 192.168.2.0/24 (not covered by the permit entry of the standard ACL below).
ifconfig eth0 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
route add default gw 192.168.2.254 eth0

# Target host on 192.168.4.0/24: serves a one-line index.html on TCP/80 using
# PHP's built-in development server, bound to all interfaces (0.0.0.0).
ifconfig eth0 192.168.4.1 netmask 255.255.255.0 broadcast 192.168.4.255
route add default gw 192.168.4.254 eth0
echo hello>index.html
php -S 0.0.0.0:80

Standard ACL

  • R2
ip access-list standard ONE-DROP
deny host 192.168.0.1
permit 192.168.0.0 0.0.0.255
exit
int gig0/2
ip access-group ONE-DROP out
exit
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip acce
R2(config)#ip access-list stand
R2(config)#ip access-list standard ONE-DROp
R2(config-std-nacl)#den
R2(config-std-nacl)#deny hos
R2(config-std-nacl)#deny host 192.168.0.1
R2(config-std-nacl)#permi
R2(config-std-nacl)#permit 192.168.0 0.0.0.255
                           ^
% Invalid input detected at '^' marker.

R2(config-std-nacl)#permi
R2(config-std-nacl)#permit 192
R2(config-std-nacl)#permit 192.168.0.0 0.0.0.255
R2(config-std-nacl)#exit
R2(config)#int gig0/2
R2(config-if)#ip acce
R2(config-if)#ip access-group ONE-DROP out
R2(config-if)#exit

The ping from host 1 still succeeds, so something is wrong — ONE-DROP should have dropped it.

root@Python,Go,Perl,PHP-1:~# ping 192.168.4.1 -c2
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=5.47 ms
64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=7.57 ms

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 5.474/6.522/7.570/1.048 ms

The name's case is wrong: the list was created as ONE-DROp but applied to the interface as ONE-DROP. ACL names are case-sensitive, and an access-group that references a name matching no list leaves the interface unfiltered, which is why the ping above got through.

no ip access-list standard ONE-DROp
ip access-list standard ONE-DROP
deny host 192.168.0.1
permit 192.168.0.0 0.0.0.255
exit
R2(config)#no ip access-list standard ONE-DROp
R2(config)#ip access-list standard ONE-DROP
R2(config-std-nacl)#deny host 192.168.0.1
R2(config-std-nacl)#permit 192.168.0.0 0.0.0.255
R2(config-std-nacl)#exit

On hosts 1-4:

ping 192.168.4.1 -c2

Now it works as intended: host 1 is filtered, hosts 2 and 3 pass, and host 4 is filtered as well — its source is not covered by the `permit 192.168.0.0 0.0.0.255` entry, so it hits the implicit deny at the end of the list.

root@Python,Go,Perl,PHP-1:~# ping 192.168.4.1 -c2
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
From 192.168.3.1 icmp_seq=1 Packet filtered
From 192.168.3.1 icmp_seq=2 Packet filtered

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
root@Python,Go,Perl,PHP-2:~# ping 192.168.4.1 -c2
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=8.05 ms
64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=7.80 ms

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 7.805/7.929/8.053/0.124 ms
root@Python,Go,Perl,PHP-3:~# ping 192.168.4.1 -c2
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=15.5 ms
64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=7.85 ms

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 7.858/11.704/15.551/3.848 ms
root@Python,Go,Perl,PHP-4:~# ping 192.168.4.1 -c2
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
From 192.168.3.1 icmp_seq=1 Packet filtered
From 192.168.3.1 icmp_seq=2 Packet filtered

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms

Extended ACL

  • R1
ip access-list extended WEB-FILTER
deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 log-input
deny tcp host 192.168.0.2 host 192.168.4.1 eq 80 log-input
permit ip any any
exit
int gig0/2
ip access-group WEB-FILTER in
exit
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended WEB-FILTER
R1(config-ext-nacl)#deny
R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 log-in
R1(config-ext-nacl)#$st 192.168.0.1 host 192.168.4.1 eq 80 log-input
R1(config-ext-nacl)#deny
R1(config-ext-nacl)#$st 192.168.0.2 host 192.168.4.1 eq 80 log-input
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit ip an
R1(config-ext-nacl)#permit ip any an
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#int gig0/2
R1(config-if)#ip acc
R1(config-if)#ip acce
R1(config-if)#ip access-group WEB-FILTER in
R1(config-if)#exit
R1(config)#^Z
R1#
*Apr  1 04:07:12.370: %SYS-5-CONFIG_I: Configured from console by console

On hosts 1-4:

telnet 192.168.4.1 80
GET /


ping 192.168.4.1 -c2
root@Python,Go,Perl,PHP-1:~# telnet 192.168.4.1 80
Trying 192.168.4.1...
telnet: Unable to connect to remote host: No route to host
root@Python,Go,Perl,PHP-1:~# ping 192.168.4.1 -c2
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=7.29 ms
64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=9.87 ms

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 7.297/8.587/9.877/1.290 ms
root@Python,Go,Perl,PHP-2:~# telnet 192.168.4.1 80
Trying 192.168.4.1...
telnet: Unable to connect to remote host: No route to host
root@Python,Go,Perl,PHP-2:~# ping 192.168.4.1 -c2
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=8.40 ms
64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=4.92 ms

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.924/6.666/8.408/1.742 ms
root@Python,Go,Perl,PHP-3:~# telnet 192.168.4.1 80
Trying 192.168.4.1...
Connected to 192.168.4.1.
Escape character is '^]'.
GET /

HTTP/0.9 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 6

hello
Connection closed by foreign host.
root@Python,Go,Perl,PHP-3:~# ping 192.168.4.1 -c2
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_seq=1 ttl=61 time=12.5 ms
64 bytes from 192.168.4.1: icmp_seq=2 ttl=61 time=8.23 ms

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 8.233/10.376/12.519/2.143 ms
root@Python,Go,Perl,PHP-4:~# telnet 192.168.4.1 80
Trying 192.168.4.1...
Connected to 192.168.4.1.
Escape character is '^]'.
GET /

HTTP/0.9 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 6

hello
Connection closed by foreign host.
root@Python,Go,Perl,PHP-4:~# ping 192.168.4.1 -c2
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_seq=1 ttl=62 time=8.39 ms
64 bytes from 192.168.4.1: icmp_seq=2 ttl=62 time=9.54 ms

--- 192.168.4.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 8.397/8.972/9.547/0.575 ms

The router logs show each denied attempt; with `log-input` the entry also records the ingress interface and the source MAC address:

R1#
*Apr  1 04:07:12.370: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Apr  1 04:07:56.095: %SEC-6-IPACCESSLOGP: list WEB-FILTER denied tcp 192.168.0.1(46460) (GigabitEthernet0/2 9e6f.48fe.1ab1) -> 192.168.4.1(80), 1 packet
R1#
*Apr  1 04:08:19.710: %SEC-6-IPACCESSLOGP: list WEB-FILTER denied tcp 192.168.0.1(46462) (GigabitEthernet0/2 9e6f.48fe.1ab1) -> 192.168.4.1(80), 1 packet
R1#
*Apr  1 04:08:21.747: %SEC-6-IPACCESSLOGP: list WEB-FILTER denied tcp 192.168.0.2(36658) (GigabitEthernet0/2 6e81.fadf.4d10) -> 192.168.4.1(80), 1 packet
R1#
*Apr  1 04:08:31.991: %SEC-6-IPACCESSLOGP: list WEB-FILTER denied tcp 192.168.0.2(36660) (GigabitEthernet0/2 6e81.fadf.4d10) -> 192.168.4.1(80), 1 packet

Works as intended: hosts 1 and 2 are denied on TCP/80 but their pings still succeed, because the deny entries match only tcp to port 80 and `permit ip any any` passes everything else; hosts 3 and 4 reach the web server.

References
