Difference between revisions of "Exercise Access Control List"

From NesevoWiki

Latest revision as of 09:58, 26 August 2008

Exercise

The following network is given:

(Image: Übungsbeispiel ACL.JPG)

  • Each device from the network 192.168.1.0/24 should have access to the two computers in the network 192.168.3.0/24.
  • Each device from the network 192.168.2.0/24 should have access to every computer in the network 192.168.3.0/24, except device 192.168.2.2.
  • From the network 192.168.5.0/24, only the device 192.168.5.1/24 should have access to the two PCs in the network 192.168.3.0/24.
  • Convert the standard access list into an extended access list.
  • Extend the extended access list so that all the above access rights remain, but access to PC1 is prohibited in general.
Solution:

  • Each device from the network 192.168.1.0/24 should have access to the two computers in the network 192.168.3.0/24.

access-list 1 permit 192.168.1.0 0.0.0.255

  • Each device from the network 192.168.2.0/24 should have access to every computer in the network 192.168.3.0/24, except device 192.168.2.2.

access-list 1 deny 192.168.2.2

access-list 1 permit 192.168.2.0 0.0.0.255

  • From the network 192.168.5.0/24, only the device 192.168.5.1/24 should have access to the two PCs in the network 192.168.3.0/24.

access-list 1 permit 192.168.5.1

access-list 1 deny 192.168.5.0 0.0.0.255 -> Every ACL ends with an implicit deny of all IP addresses that no earlier line matched, so this line is superfluous (implicit default: access-list 1 deny 0.0.0.0 255.255.255.255)

Router(config)#int fa1/0

Router(config-if)#ip access-group 1 OUT

  • Convert the standard access list into an extended access list.

access-list 101 permit ip 192.168.1.0 0.0.0.255 0.0.0.0 255.255.255.255

access-list 101 permit ip host 192.168.5.1 0.0.0.0 255.255.255.255

access-list 101 deny ip 192.168.5.0 0.0.0.255 0.0.0.0 255.255.255.255

access-list 101 deny ip host 192.168.2.2 0.0.0.0 255.255.255.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 0.0.0.0 255.255.255.255

Instead of the syntax "0.0.0.0 255.255.255.255", the keyword "any" can also be used. To make no distinction between protocols, "ip" is given as the protocol; "ip" stands for any IP protocol.

  • Extend the extended access list so that all the above access rights remain, but access to PC1 is prohibited in general.

access-list 101 deny ip any host 192.168.3.102

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip host 192.168.5.1 any

access-list 101 deny ip 192.168.5.0 0.0.0.255 any

access-list 101 deny ip host 192.168.2.2 any

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

Router(config)#int fa1/0

Router(config-if)#ip access-group 101 out
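To check the final list against concrete source/destination pairs before applying it to fa1/0, here is an added example (not part of the wiki page or of any Cisco software) that evaluates standard and extended numbered ACL lines the way the router does: first match wins, wildcard bits set to 1 are ignored, and anything unmatched hits the implicit deny. The addresses tested below are the ones from the exercise; the function and variable names are this example's own.

```python
# Added example, not from the wiki page: a minimal evaluator for Cisco-style numbered
# ACLs reproducing first-match order, wildcard masks and the implicit trailing "deny".
from ipaddress import IPv4Address
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255, i.e. the keyword "any"
def ip(s):
    return int(IPv4Address(s))
def matches(addr, base, wildcard):
    # wildcard bit 1 = "don't care", bit 0 = that bit must equal the base address
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0
def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D wildcard' or a bare host address."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (ip(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:   # explicit wildcard follows
        return (ip(tokens[0]), ip(tokens[1])), tokens[2:]
    return (ip(tokens[0]), 0), tokens[1:]                 # bare address = single host
def parse_acl(text):
    """Turn 'access-list N permit|deny ...' lines into (action, src, dst) entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        if number <= 99:                      # standard ACL: matches source only
            src, dst = parse_addr(rest)[0], ANY
        else:                                 # extended ACL: <protocol> <src> <dst>
            src, rest = parse_addr(rest[1:])  # rest[0] is the protocol ("ip")
            dst = parse_addr(rest)[0]
        entries.append((action, src, dst))
    return entries
def evaluate(entries, src, dst):
    """Action of the first matching entry; no match falls through to the implicit deny."""
    s, d = ip(src), ip(dst)
    for action, (sb, sw), (db, dw) in entries:
        if matches(s, sb, sw) and matches(d, db, dw):
            return action
    return "deny"
# The exercise's final extended list, with the PC1 (192.168.3.102) deny placed first.
ACL_101 = parse_acl("""
access-list 101 deny ip any host 192.168.3.102
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip host 192.168.5.1 any
access-list 101 deny ip 192.168.5.0 0.0.0.255 any
access-list 101 deny ip host 192.168.2.2 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
""")
```

Order matters: IOS appends each new "access-list 101" line at the end of the list, so if the PC1 deny is simply typed after the existing permits, hosts in 192.168.1.0/24 still reach 192.168.3.102; to get the order shown, remove the list with "no access-list 101" and re-enter it in this sequence.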