Sunday 31 March 2013

Access List

In this article we will configure a standard access list. We will use the RIP routing topology that we created in the RIP routing practical.

Because a standard access list filters traffic based only on the source address, all you need is the IP address of the host or subnet you want to permit or deny. ACLs are created in global configuration mode and then applied to an interface.
The syntax for creating a standard ACL is 

access-list {1-99 | 1300-1999} {permit | deny} source-address [wildcard mask] 

Three basic steps to configure a standard access list:

  • Use the access-list global configuration command to create an entry in a standard ACL. 
  • Use the interface configuration command to select an interface to which to apply the ACL. 
  • Use the ip access-group interface configuration command to activate the existing ACL on an interface. 

With access lists you will have a variety of uses for wildcard masks, but from a CCNA exam perspective you should typically be able to do the following:

  • Match a specific host
  • Match an entire subnet
  • Match an IP range
  • Match Everyone and anyone
Decide where to apply the ACL and in which direction.
Our host must be able to communicate with every other host except the 40.0.0.0 network, so we will place this access list on FastEthernet 0/1 of R2 (2811), the interface connected to the 40.0.0.0 network. The direction will be out, because the packet is filtered as it leaves the interface. If you place this list on R1 (1841) instead, host 10.0.0.3 will not be able to communicate with any other host, including 40.0.0.0.
To configure R2, double-click on it and select CLI. Use only one of the two methods below; the result is the same.
R2>enable
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 1 deny host 10.0.0.3
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out

OR

R2>enable
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 1 deny 10.0.0.3 0.0.0.0
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out
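As an added example (not part of the original post, and not Cisco's code), here is a small Python model of how IOS evaluates a standard ACL: wildcard-mask matching for the four cases listed earlier (a specific host, an entire subnet, an aligned range, and everyone), top-down first-match evaluation, and the implicit deny at the end of every list. Both forms of the page's ACL 1 are embedded as constructed input, and the extra check it adds is what happens if the `permit any` line is forgotten. The function names and the sample addresses beyond those on the page are my own.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base
    address exactly, a 1 bit is "don't care" (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


def parse_ace(line: str):
    """Parse one 'access-list <n> <permit|deny> <source> [wildcard]' entry
    into (number, action, base, wildcard). Handles 'host' and 'any' keywords."""
    parts = line.split()
    if parts[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number, action, rest = int(parts[1]), parts[2], parts[3:]
    if rest[0] == "any":                        # matches everyone and anyone
        base, wc = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":                     # 'host X' == 'X 0.0.0.0'
        base, wc = rest[1], "0.0.0.0"
    else:
        base = rest[0]
        wc = rest[1] if len(rest) > 1 else "0.0.0.0"   # IOS defaults an omitted wildcard to 0.0.0.0
    return number, action, base, wc


def evaluate(acl_lines, source: str) -> str:
    """Walk the list top-down; the first matching entry decides. If nothing
    matches, the implicit 'deny any' at the end of every IOS ACL applies."""
    for _number, action, base, wc in (parse_ace(l) for l in acl_lines):
        if wildcard_match(source, base, wc):
            return action
    return "deny"


# Constructed sample input: the two equivalent forms of ACL 1 from the post,
# plus a broken variant that omits the final 'permit any'.
ACL_1_HOST_FORM = [
    "access-list 1 deny host 10.0.0.3",
    "access-list 1 permit any",
]
ACL_1_WILDCARD_FORM = [
    "access-list 1 deny 10.0.0.3 0.0.0.0",
    "access-list 1 permit any",
]
ACL_1_MISSING_PERMIT = [
    "access-list 1 deny host 10.0.0.3",
]


def outbound_decisions(acl_lines, sources):
    """Return {source: action} for packets leaving the interface the ACL is
    applied to, mirroring the pings run from 10.0.0.3 and 10.0.0.2 in the post."""
    return {src: evaluate(acl_lines, src) for src in sources}


if __name__ == "__main__":
    hosts = ["10.0.0.3", "10.0.0.2"]
    print("host form      :", outbound_decisions(ACL_1_HOST_FORM, hosts))
    print("wildcard form  :", outbound_decisions(ACL_1_WILDCARD_FORM, hosts))
    print("missing permit :", outbound_decisions(ACL_1_MISSING_PERMIT, hosts))
    # Wildcard cases: whole class A subnet, and an aligned 16-address range (.16-.31).
    print(wildcard_match("10.200.3.7", "10.0.0.0", "0.255.255.255"))   # subnet -> True
    print(wildcard_match("10.0.0.20", "10.0.0.16", "0.0.0.15"))        # range  -> True
    print(wildcard_match("10.0.0.32", "10.0.0.16", "0.0.0.15"))        # outside range -> False
```

Note that a wildcard mask can only express a range whose size is a power of two and whose start is aligned to that size (10.0.0.16 0.0.0.15 covers .16 to .31); an arbitrary range such as .5 to .20 needs several entries. The `ACL_1_MISSING_PERMIT` case is the classic mistake: with only the deny line, the implicit deny blocks 10.0.0.2 as well, which is exactly what the second ping test in the post would reveal.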
To test, first ping from 10.0.0.3 to 40.0.0.3; it should time out, because the packets are filtered by the ACL. Then ping 30.0.0.3; it should reply successfully.
PC>ping 40.0.0.3

Pinging 40.0.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 40.0.0.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>ping 30.0.0.3

Pinging 30.0.0.3 with 32 bytes of data:

Request timed out.
Reply from 30.0.0.3: bytes=32 time=140ms TTL=126
Reply from 30.0.0.3: bytes=32 time=156ms TTL=126
Reply from 30.0.0.3: bytes=32 time=112ms TTL=126

Ping statistics for 30.0.0.3:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 112ms, Maximum = 156ms, Average = 136ms
Because the access list denies only one specific host, the other computers on the 10.0.0.0 network must still be able to reach the 40.0.0.0 network. To test this, ping from 10.0.0.2 to 40.0.0.3.
PC>ipconfig

IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1

PC>ping 40.0.0.3

Pinging 40.0.0.3 with 32 bytes of data:

Request timed out.
Reply from 40.0.0.3: bytes=32 time=141ms TTL=126
Reply from 40.0.0.3: bytes=32 time=140ms TTL=126
Reply from 40.0.0.3: bytes=32 time=125ms TTL=126

Ping statistics for 40.0.0.3:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 125ms, Maximum = 141ms, Average = 135ms
