ACL (Access Control List)


Introduction to ACLs:
  1. Protecting your network is essential for any organization. Without traffic control, unwanted traffic and unauthorized access degrade both the security and the performance of the network.
  2. For example, an unauthorized user who can reach your organization's network resources can damage them, and a flood of unwanted traffic can reduce the working efficiency of the network.
  3. One way to keep the organization's network secure is to control the flow of traffic through it. This is called traffic filtering.
  4. An access list is an ordered list of statements (access control entries). Each statement either permits or denies traffic. The router compares a packet against the statements from the top down and applies the first one that matches; a packet that matches no statement is dropped by the implicit "deny any" that ends every access list.
  5. Access lists filter traffic per protocol, per interface and per direction. Only one access list can be applied per protocol, per interface, per direction (for IP that means at most one inbound and one outbound list on each interface).
  6. An access list applied to an interface only controls traffic passing through the router in that direction. Packets the router itself generates (for example its own routing updates) are not checked by an outbound list. In this lab the lists are applied to router interfaces with ip access-group; the same lists can also be referenced elsewhere, for example with access-class to restrict Telnet/SSH access to the vty lines.


Operations of Access Control Lists:
  1) Traffic Classification (Categorization): an access list describes which packets are "interesting". The same lists are used by other features (NAT, route maps, QoS) to select traffic, not only for filtering.
  2) Traffic Filtering (Control): when the list is applied to an interface, matching packets are permitted or dropped.

Working of Access Control Lists (ACL):
  1. Write the deny statements for the traffic that must be blocked.
  2. Write the permit statements for the traffic that must pass. Remember the implicit deny at the end: a list with no permit statement blocks everything.
  3. Choose the interface. Rule of thumb: apply an extended access list on the interface closest to the source (the packets are dropped before they are routed), and a standard access list on the interface closest to the destination (a standard list can only match the source address, so placed near the source it would cut that source off from everything).
  4. Apply the list to the interface with the ip access-group command, stating the direction (in or out).
Types of Access Control Lists (ACL):

There are two types of IP access control lists.
  1. Standard Access Control Lists
  2. Extended Access Control Lists
Standard ACL: "Only the source IP address of the traffic is checked by a standard access list." A numbered standard access list uses the numbers 1 to 99 (the expanded range 1300 to 1999 is also available); a named standard list is created with ip access-list standard <name>.

Extended ACL: An extended access control list checks the following fields before it permits or denies traffic.
  1. Protocol (ip, tcp, udp, icmp, ...)
  2. Source IP Address
  3. Source Port (TCP/UDP)
  4. Destination IP Address
  5. Destination Port (TCP/UDP)
An extended access control list therefore provides much finer control over traffic. A numbered extended list uses the numbers 100 to 199 (expanded range 2000 to 2699); a named extended list is created with ip access-list extended <name>.

Directions of Access Control Lists:
"Access lists apply to router interfaces and control the traffic passing through that interface." Traffic leaving a network does not have to be controlled in the same way as traffic entering it.

Therefore an interface can carry two access lists, one for each direction, so that incoming and outgoing traffic are handled differently.

There are two types of access list depending on the direction.

1) Inbound access list - filters packets as they arrive on the interface, before the router makes a routing decision. A packet denied inbound is dropped without being routed at all.

2) Outbound access list - filters packets after routing, just before they are sent out of the interface. Traffic the router itself originates is not checked by an outbound list.



Monitoring Access Control Lists:
  1. show access-lists                    (every access list with its entries and match counters)
  2. show access-lists <number or name>   (one list; numbers 1-99 are standard, 100-199 extended)
  3. show ip access-lists                 (IP access lists only)
  4. show ip interface <interface>        (which list is applied to the interface, and in which direction)
  5. show running-config                  (the lists and the ip access-group statements as configured)
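
The entries that show access-lists prints are evaluated in the order shown, so an entry that sits below a catch-all such as permit ip any any can never match. The following Python script is an added example, not part of this page or of Cisco IOS: it parses show access-lists output in the format the lab tasks below use (Packet Tracer style, with "(N match(es))" hit counters, which is an assumption about the format) and reports unreachable entries, plus lists that have no catch-all entry of their own and so rely on the implicit deny. The sample output it reads is constructed for the example.

```python
"""Audit `show access-lists` output for entries that can never be reached.

Added example, not from the page or from Cisco IOS. Assumes the Packet
Tracer style output shown in the lab: a header line per list and one
"<seq> permit|deny <body> [(N match(es))]" line per entry.
"""
import re

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ENTRY = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match\(es\)\))?\s*$")


def parse_show_access_lists(text):
    """Map list name/number -> entries as dicts with seq, action, body and match count."""
    lists, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(2)
            lists[current] = []
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            seq, action, body, hits = e.groups()
            lists[current].append({"seq": int(seq), "action": action,
                                   "body": body, "matches": int(hits or 0)})
    return lists


def is_catch_all(body):
    """'ip any any' (extended) or bare 'any' (standard) matches every packet."""
    return body in ("ip any any", "any")


def audit(text):
    """Return (list, seq, finding) tuples; seq is None for list-level findings."""
    findings = []
    for name, entries in parse_show_access_lists(text).items():
        shadowed = False
        for e in entries:
            if shadowed:          # top-down, first match: nothing below a catch-all is consulted
                findings.append((name, e["seq"], "unreachable: follows a catch-all entry"))
            elif is_catch_all(e["body"]):
                shadowed = True
        if not any(is_catch_all(e["body"]) for e in entries):
            findings.append((name, None,
                             "no catch-all entry: unmatched traffic hits the implicit deny"))
    return findings


# Constructed sample in the format of the lab output: list 100 has an extra
# entry left behind after "permit ip any any"; list 1 ends without "permit any".
SAMPLE = """\
Extended IP access list 100
    10 deny ip host 192.168.11.2 host 192.168.13.2
    20 permit ip any any (12 match(es))
    30 deny ip host 192.168.10.3 host 192.168.12.3
Standard IP access list 1
    10 deny host 192.168.11.2
    20 deny host 192.168.11.3 (2 match(es))
    30 permit host 192.168.11.4 (4 match(es))
"""

if __name__ == "__main__":
    for name, seq, finding in audit(SAMPLE):
        print(f"list {name} entry {seq}: {finding}")
```

Run it against the real output of show access-lists (saved to a file) after every change to a list; an entry that never increments its counter while traffic you expect it to block is still flowing usually means it is shadowed by an earlier entry.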
Wildcard Mask:
When specifying source and destination addresses in an ACL in the Cisco IOS configuration, you use a mask called a wildcard mask (also known as an inverse mask).

At the basic level, a wildcard mask is the subnet mask with every bit flipped: 1s become 0s and 0s become 1s (equivalently, 255.255.255.255 minus the subnet mask). For example, the wildcard mask corresponding to the subnet mask 255.255.255.0 is 0.0.0.255.

In a wildcard mask, a 0 bit means "must match" and a 1 bit means "don't care". For example, 10.1.1.0 with the wildcard mask 0.0.0.3 matches traffic from the addresses 10.1.1.1 through 10.1.1.3. Two shorthands are used throughout the lab: host 10.1.1.1 is the same as 10.1.1.1 0.0.0.0, and any is the same as 0.0.0.0 255.255.255.255. Unlike a subnet mask, the 1 bits of a wildcard mask need not be contiguous: 10.1.1.0 0.0.254.255 matches every address whose third octet is odd.

Note: 10.1.1.0 0.0.0.3 also matches 10.1.1.0, but since that is the network address it is not a valid source address on a packet.


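To make the matching rules above concrete, the following Python script is an added example (not code from this page or from Cisco): it parses access-list statements in the same syntax the lab tasks below use, implements wildcard-mask matching and the top-down, first-match evaluation with the implicit deny, and shows how the shorthands host and any map to wildcard masks. The two lists it loads are taken from Task-1 and from the final standard-list task; the packet addresses it evaluates and the TCP/port entry in the tests are constructed.

```python
"""Simulate how Cisco IOS evaluates an IP access list.

Added example, not code from the page or from Cisco IOS. Handles numbered
and named, standard and extended statements with host / any / wildcard
addresses and "eq <port>"; every list ends with the implicit "deny any".
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = ("0.0.0.0", "255.255.255.255")      # "any": every bit is a don't-care bit


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for /prefix_len, i.e. the subnet mask with every bit flipped."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Where the wildcard bit is 0 the address bit must equal the base; 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    must_match = 0xFFFFFFFF ^ w
    return (a & must_match) == (b & must_match)


@dataclass
class Ace:
    """One access control entry (one permit/deny statement)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: Tuple[str, str]         # (base address, wildcard mask)
    src_port: Optional[int]
    dst: Tuple[str, str]
    dst_port: Optional[int]


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _take_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A [W]' at tokens[i]; return ((base, wildcard), next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return (tok, tokens[i + 1]), i + 2
    return (tok, "0.0.0.0"), i + 1         # IOS default when no wildcard is given


def _take_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ...' or the named-list form 'permit|deny ...'."""
    tokens = line.split()
    if tokens[0] == "access-list":         # numbered form: drop the list number
        tokens = tokens[2:]
    action = tokens[0]
    if tokens[1] in PROTOCOLS:             # extended: protocol, source, destination
        src, i = _take_addr(tokens, 2)
        sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, _ = _take_port(tokens, i)
        return Ace(action, tokens[1], src, sport, dst, dport)
    src, _ = _take_addr(tokens, 1)         # standard: source address only
    return Ace(action, "ip", src, None, ANY, None)


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """(action, index) of the first matching entry, or ("deny", None) for the implicit deny."""
    for n, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action, n               # first match wins; later entries are never consulted
    return "deny", None


# Taken from the lab: Task-1's numbered extended list ...
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 deny ip host 192.168.11.2 192.168.13.2 0.0.0.0",
    "access-list 100 permit ip any any")]
# ... and the final standard list, which has no "permit any" at the end.
ACL_1 = [parse_ace(l) for l in (
    "access-list 1 deny host 192.168.11.2",
    "access-list 1 deny host 192.168.11.3",
    "access-list 1 permit host 192.168.11.4")]


def permitted_hosts(acl, network="192.168.11.0/24", dst="192.168.13.2"):
    """Hosts of the network that the list lets through to dst (dst is a constructed example)."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()
            if evaluate(acl, "ip", str(h), dst)[0] == "permit"]


if __name__ == "__main__":
    print(wildcard_from_prefix(24))                                   # 0.0.0.255
    print(evaluate(ACL_100, "ip", "192.168.11.2", "192.168.13.2"))   # ('deny', 0)
    print(evaluate(ACL_100, "ip", "192.168.11.3", "192.168.13.2"))   # ('permit', 1)
    print(permitted_hosts(ACL_1))   # ['192.168.11.4']: every other host hits the implicit deny
```

The permitted_hosts call is the check to run mentally on every list you write: when a list has no permit any, the implicit deny removes every source you did not name, including hosts that join the segment later.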
LAB Exercise of ACL: The topology for these tasks was built with RIP (classful routing). You can use any routing protocol in your own topology, but every machine must be able to communicate with the machines on every other network before you start the ACL tasks; otherwise you cannot tell an ACL drop apart from a routing problem. As the configurations below show, R-1's fastEthernet 0/0 faces the Manufacturing network 192.168.10.0/24 and fastEthernet 0/1 faces the Accounts network 192.168.11.0/24, while the IT network 192.168.12.0/24 and the Server Room network 192.168.13.0/24 lie beyond R-1.

Everyone must use this link for the ACL practical.
Task-1) Block Host to Host (Number)
You are the network administrator at www.abhishek.com. Your company has hired a new employee in the Accounts department and given him the PC 192.168.11.2. The company's critical records are kept on 192.168.13.2. You are asked to block 192.168.11.2 from reaching 192.168.13.2, while 192.168.13.2 must still be able to communicate with the other computers on the network so that its users can do their work.

Because the rule needs both a source and a destination, it must be an extended list, and an extended list goes inbound on the interface closest to the source (fastEthernet 0/1, the Accounts side), so the packets are dropped before the router routes them. "host 192.168.11.2" and "192.168.13.2 0.0.0.0" are two spellings of the same single-host match; IOS displays both as host.

R-1(config)# access-list 100 deny ip host 192.168.11.2 192.168.13.2 0.0.0.0
R-1(config)# access-list 100 permit ip any any
R-1(config)# interface fastethernet 0/1
R-1(config-if)# ip access-group 100 in

R-1#show access-lists    (Show the status of ACL)

Extended IP access list 100
10 deny ip host 192.168.11.2 host 192.168.13.2
20 permit ip any any

The permit ip any any entry is essential: without it the implicit deny at the end of the list would cut 192.168.11.2, and every other host behind fastEthernet 0/1, off from everything.

R-1(config)#no access-list 100    (Remove access-list)

Unapply the list from the interface (no ip access-group 100 in) before deleting it: an interface that still references a list that no longer exists permits all traffic. Also note that in the classic numbered syntax, no access-list 100 followed by a single entry removes the whole list, not just that entry.


Task-1A) Block Host to Host (Name)

The same rule as a named extended list. A named list can carry a descriptive name and, unlike the classic numbered form, lets you remove or insert a single entry by its sequence number.

R-1(config)#ip access-list extended abhishek
R-1(config-ext-nacl)#deny ip host 192.168.11.2 192.168.13.2 0.0.0.0
R-1(config-ext-nacl)#permit ip any any
R-1(config-ext-nacl)#exit
R-1(config)#interface fastEthernet 0/1
R-1(config-if)#ip access-group abhishek in

R-1#show access-lists    (Show the status of ACL)

Extended IP access list abhishek
10 deny ip host 192.168.11.2 host 192.168.13.2
20 permit ip any any

R-1(config)#no ip access-list extended abhishek    (Remove ACL)
R-1(config)#do show access-list    (Confirm the list is gone; "do" runs an exec command from configuration mode)

=============================================================


Task-2) Block Host to Network (Number)

You are the network administrator at www.abhishek.com. Your company has hired a new employee in the Accounts department and given him the PC 192.168.11.2. The company's critical records are kept in the Server Room network, 192.168.13.0/24. You are asked to block 192.168.11.2 from reaching the whole Server Room network. The destination is now a network, so it is written as an address plus wildcard mask, 192.168.13.0 0.0.0.255 (the wildcard for a /24).

R-1(config)# access-list 101 deny ip host 192.168.11.2 192.168.13.0 0.0.0.255
R-1(config)# access-list 101 permit ip any any
R-1(config)# interface fastethernet 0/1
R-1(config-if)# ip access-group 101 in

R-1#show access-lists    (Show the status of ACL)

Extended IP access list 101
10 deny ip host 192.168.11.2 192.168.13.0 0.0.0.255 (3 match(es))
20 permit ip any any

The counter after the entry shows how many packets have hit it (three here); it is the quickest way to confirm that the entry matches the traffic you expect.

R-1(config)#no access-list 101    (Remove access-list)


Task-2A) Block Host to Network (Name)

R-1(config)#ip access-list extended abhi
R-1(config-ext-nacl)#deny ip host 192.168.11.2 192.168.13.0 0.0.0.255
R-1(config-ext-nacl)#permit ip any any
R-1(config-ext-nacl)#exit
R-1(config)#interface fastEthernet 0/1
R-1(config-if)#ip access-group abhi in

R-1#show access-lists    (Show the status of ACL)

Extended IP access list abhi
10 deny ip host 192.168.11.2 192.168.13.0 0.0.0.255
20 permit ip any any

R-1(config)#no ip access-list extended abhi    (Remove ACL)
R-1(config)#do show access-list    (Show the status of ACL)

=============================================================


Task-3) Block Network to Network (Number)

You are the network administrator at www.abhishek.com. The Manufacturing department is on the network 192.168.10.0/24, while the IT department's systems are on 192.168.12.0/24. You are asked to stop the Manufacturing department from reaching the IT department's systems, so we block the network 192.168.10.0/24 from reaching the network 192.168.12.0/24. Both ends are networks, so both are written as address plus wildcard mask; the host keyword takes a single address and cannot be combined with a wildcard mask. The list is applied inbound on fastEthernet 0/0, the Manufacturing side.

R-1(config)# access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
R-1(config)# access-list 150 permit ip any any
R-1(config)# interface fastethernet 0/0
R-1(config-if)# ip access-group 150 in

R-1#show access-lists    (Show the status of ACL)

Extended IP access list 150
10 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
20 permit ip any any

Only Manufacturing-to-IT packets are written in the list, but replies from Manufacturing to IT match the same entry, so IT hosts cannot complete a connection to Manufacturing either: the list breaks communication in both directions.

R-1(config)#no access-list 150    (Remove access-list)


Task-3A) Block Network to Network (Name)

R-1(config)#ip access-list extended Pathak
R-1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
R-1(config-ext-nacl)#permit ip any any
R-1(config-ext-nacl)#exit
R-1(config)#interface fastEthernet 0/0
R-1(config-if)#ip access-group Pathak in

R-1#show access-lists    (Show the status of ACL)

Extended IP access list Pathak
10 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
20 permit ip any any

R-1(config)#no ip access-list extended Pathak   (Remove ACL)
R-1(config)#do show access-list    (Show the status of ACL)


=============================================================


Task-4) Block Network to Host (Number)

You are the network administrator at www.abhishek.com. The Manufacturing department is on the network 192.168.10.0/24, while the IT department's systems are on 192.168.12.0/24. You are asked to stop the Manufacturing department from reaching the single IT system 192.168.12.3, so we block the network 192.168.10.0/24 from reaching the host 192.168.12.3 (a single-address match, written either as 192.168.12.3 0.0.0.0 or as host 192.168.12.3); the rest of 192.168.12.0/24 stays reachable.

R-1(config)# access-list 155 deny ip 192.168.10.0 0.0.0.255 192.168.12.3 0.0.0.0
R-1(config)# access-list 155 permit ip any any
R-1(config)# interface fastethernet 0/0
R-1(config-if)# ip access-group 155 in

R-1#show access-lists    (Show the status of ACL)

Extended IP access list 155
10 deny ip 192.168.10.0 0.0.0.255 host 192.168.12.3
20 permit ip any any

R-1(config)#no access-list 155   (Remove access-list)


Task-4A) Block Network to Host (Name)

R-1(config)#ip access-list extended RHEL
R-1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 192.168.12.3 0.0.0.0
R-1(config-ext-nacl)#permit ip any any
R-1(config-ext-nacl)#exit
R-1(config)#interface fastEthernet 0/0
R-1(config-if)#ip access-group RHEL in

R-1#show access-lists    (Show the status of ACL)

Extended IP access list RHEL
10 deny ip 192.168.10.0 0.0.0.255 host 192.168.12.3
20 permit ip any any

R-1(config)#no ip access-list extended RHEL   (Remove ACL)
R-1(config)#do show access-list    (Show the status of ACL)


=============================================================

A standard ACL matches on the source address only, so it cannot express "block this host from that network"; it can only say "block this source". We therefore use it where that is exactly what is wanted: block the Accounts department machine 192.168.11.2/24 from all other departments. Applied inbound on fastEthernet 0/1, where 192.168.11.2's packets enter the router, the list drops everything that host sends beyond its own LAN. (The usual rule of placing a standard list close to the destination does not apply here, because the destination is "everything".)


        Standard ACL (Use by Number)


R-1(config)#access-list 1 deny host 192.168.11.2
R-1(config)#access-list 1 permit any
R-1(config)#interface f 0/1
R-1(config-if)#ip access-group 1 in

R-1#show access-lists    (Show the status of ACL)

Standard IP access list 1
10 deny host 192.168.11.2
20 permit any

R-1(config)#no access-list 1    (Remove ACL)


         Standard ACL (Use by Name)


R-1(config)#ip access-list standard abhishek

R-1(config-std-nacl)#deny host 192.168.11.2

R-1(config-std-nacl)#permit any

R-1(config-std-nacl)#exit

R-1(config)#interface fastEthernet 0/1

R-1(config-if)#ip access-group abhishek in


R-1#show access-lists    (Show the status of ACL)

Standard IP access list abhishek

    10 deny host 192.168.11.2

    20 permit any


R-1(config)#no ip access-list standard abhishek    (Remove ACL)


=============================================================

Now we block the whole Accounts department network (192.168.11.0/24) from all other departments. The source is the network address with the wildcard mask 0.0.0.255, so every host in 192.168.11.0/24 matches the deny entry. Since every legitimate packet entering fastEthernet 0/1 comes from 192.168.11.0/24, the permit any entry can only ever match packets whose source address does not belong on that segment, i.e. spoofed ones; in production you would leave it out and let the implicit deny drop them.


Standard ACL (Use by Number)


R-1(config)#access-list 1 deny 192.168.11.0 0.0.0.255
R-1(config)#access-list 1 permit any
R-1(config)#interface f 0/1
R-1(config-if)#ip access-group 1 in

R-1#show access-lists    (Show the status of ACL)

Standard IP access list 1
10 deny 192.168.11.0 0.0.0.255
20 permit any

R-1(config)#no access-list 1    (Remove ACL)


         Standard ACL (Use by Name)


R-1(config)#ip access-list standard abhishek

R-1(config-std-nacl)#deny 192.168.11.0 0.0.0.255

R-1(config-std-nacl)#permit any

R-1(config-std-nacl)#exit

R-1(config)#interface fastEthernet 0/1

R-1(config-if)#ip access-group abhishek in


R-1#show access-lists    (Show the status of ACL)

Standard IP access list abhishek

    10 deny 192.168.11.0 0.0.0.255

    20 permit any


R-1(config)#no ip access-list standard abhishek    (Remove ACL)


=============================================================

Now, in this scenario, first connect a third computer to the Accounts department and give it the IP address 192.168.11.4/24. The task is to block the two existing Accounts machines, 192.168.11.2/24 and 192.168.11.3/24, from all networks, while the third machine, 192.168.11.4/24, must be able to ping every network.

This list has no permit any: only 192.168.11.4 is permitted explicitly, and everything else, including the two denied hosts and any machine that is later plugged into the Accounts segment, is dropped by the implicit deny. This is the whitelist form of a standard list and the safer default. The two deny entries are therefore not strictly needed, but they keep the intent readable and give each blocked host its own match counter.

R-1(config)#access-list 1 deny host 192.168.11.2
R-1(config)#access-list 1 deny host 192.168.11.3
R-1(config)#access-list 1 permit host 192.168.11.4
R-1(config)#interface fastEthernet 0/1
R-1(config-if)#ip access-group 1 in

R-1#show access-lists    (Show the status of ACL)

Standard IP access list 1
10 deny host 192.168.11.2
20 deny host 192.168.11.3 (2 match(es))
30 permit host 192.168.11.4 (4 match(es))

Pings from 192.168.11.2 and 192.168.11.3 to any other network are dropped by entries 10 and 20, while pings from 192.168.11.4 are passed by entry 30; the match counters increase accordingly.



Thanks & Regards
Abhishek Pathak
+91-9621134014
abhishek9621134014@outlook.com