Exercise Access Control List

From NesevoWiki
Jump to navigationJump to search

Exercise

Following network is given

Übungsbeispiel ACL.JPG

  • Each device from the network 192.168.1.0/24 should have access to the two computer in the network 192.168.3.0/24
  • Each device from the network 192.168.2.0/24 should have access to every computer in the network 192.168.3.0/24

Jedes Gerät aus dem Netzwerk 192.168.2.0/24 soll auf die beiden Computer in Netzwerk 192.168.3.0/24 zugreifen können except device 192.168.2.2.

  • From the network 192.168.5.0/24 have only the device 192.168.5.1/24 access to the two PCs in the network 192.168.3.0/24.

Aus Netzwerk 192.168.5.0/24 soll nur Gerät 192.168.5.1 auf die beiden PCs in Netzwerk 192.168.3.0/24 zugreifen können.

  • Convert the standard access list in an extended access list.
  • Adding the expanded access list so that all the above access rights but access to PC1 generally prohibited.






Solution:

  • Each device from the network 192.168.1.0/24 should have access to the two computer in the network 192.168.3.0/24

access-list 1 permit 192.168.1.0 0.0.0.255

  • Each device from the network 192.168.2.0/24 should have access to every computer in the network 192.168.3.0/24

access-list 1 deny 192.168.2.2 access-list 1 permit 192.168.2.0 0.0.0.255

  • From the network 192.168.5.0/24 have only the device 192.168.5.1/24 access to the two PCs in the network 192.168.3.0/24.

access-list 1 permit 192.168.5.1 access-list 1 deny 192.168.5.0 0.0.0.255 -> By default, when ACL always all IP addresses blocked, about this line is superfluous (default: access-list 1 deny 0.0.0.0 255.255.255.255)

Router(config)#int fa1/0

Router(config-if)#ip access-group 1 OUT

  • Convert the standard access list in an extended access list.

access-list 101 permit ip 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255

access-list 101 permit ip host 192.168.5.1 0.0.0.0 255.255.255.255

access-list 101 deny ip 192.168.5.0 0.0.0.255 0.0.0.0 255.255.255.255

access-list 101 deny ip host 192.168.2.2 0.0.0.0 255.255.255.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 0.0.0.0 255.255.255.255

Instead of the syntax '0 .0.0.0 255,255,255,255 "can also be used any To no distinction between the protocols to make " 'IP'". IP stands for "any Protocolls"

  • Adding the expanded access list so that all the above access rights but access to PC1 generally prohibited.

access-list 101 deny any hosts 192.168.3.102

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip host 192.168.5.1 any

access-list 101 deny ip 192.168.5.0 0.0.0.255 any

access-list 101 deny ip host 192.168.2.2 any

access-list 101 permit ip 192.168.2.2 0.0.0.255 any

Router(config)# int fa 1/0

Router(config-if)#ip access-group 101 out