多试试:多试试-计算机技术与软件
ConfigureExtended Access Lists
An extended ACLgives you much more power than just a standard ACL. Extended IP ACLs check both the source anddestination packet addresses. They can also check for specific protocols, port numbers, andother parameters, which allow administrators more flexibility and control.
access-list access-list-number {permit |deny}
protocol source source-wildcard [operator port]
destination destination-wildcard [operatorport]
[established][log]
Command Parameters | Descriptions |
access-list | Main command |
access-list-number | Identifies the list using a number in the ranges of 100�199 or 2000� 2699. |
permit | deny | Indicates whether this entry allows or blocks the specified address. |
protocol | IP, TCP, UDP, ICMP, GRE, or IGRP. |
source and destination | Identifies source and destination IP addresses. |
source-wildcard and destination-wildcard | The operator can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to). The port number referenced can be either the source port or the destination port, depending on where in the ACL theport number is configured. As an alternative to the port number, well-known application names can be used, such as Telnet, FTP, and SMTP. |
established | For inbound TCP only. Allows TCP traffic to pass if the packet is a response to an outbound-initiated session. This type of traffic has the acknowledgement (ACK) bits set. (See the Extended ACL with the Established Parameter example.) |
log | Sends a logging message to the console. |
Before we configure Extended Accesslist youshould cram up some important port number
Well-KnownPort Numbers and IP Protocols
Port Number | IP Protocol |
20 (TCP) | FTP data |
21 (TCP) | FTP control |
23 (TCP) | Telnet |
25 (TCP) | Simple Mail Transfer Protocol (SMTP) |
53 (TCP/UDP) | Domain Name System (DNS) |
69 (UDP) | TFTP |
80 (TCP) | HTTP |
In thisarticle we will configure Extended access list. If you want to read the feature andcharacteristic of access list reads this previous article.
In thisarticle we will use a RIP running topology. Which we created in RIP routingpractical.
Downloadthis RIP routing topology and open it in packet tracer
Rip Routing
If youwant to learn how we created this topology then read this article
Configure Rip Routing
Three basicsteps to configure Extended Access List
- Use the access-list global configuration command to create an entry in a Extended ACL.
- Use the interface configuration command to select an interface to which to apply the ACL.
- Use the ip access-group interface configuration command to activate the existing ACL on an interface.
WithAccess Lists you will have a variety of uses for the wild card masks, buttypically For CCNA exam prospective you should be able to do following:
- Block host to host
- Block host to network
- Block Network to network
- Block telnet access for critical resources of company
- Limited ftp access for user
- Stop exploring of private network form ping
- Limited web access
- Configure established keyword
Block hostto host
Task
You are the network administrator at ComputerNetworkingNotes.com. Yourcompany hire a new employee and give him a pc 10.0.0.3.your company's critical record remain in 40.0.0.3. so you are asked to blockthe access of 40.0.0.3 from 10.0.0.3. while 10.0.0.3 must be able connect withother computers of network to perfom his task.
Decide where to apply ACL and in which directions.
As weare configuring Extended access list. With extended access list we can filter the packed as soon as itgenrate. So we will place our access list on F0/0 of Router1841 the nearest port of 10.0.0.3
To configure Router1841 (HostnameR1) double click on it and select CLI
R1>enable
R1#configure terminal
Enter configuration commands, one perline. End with CNTL/Z.
R1(config)#access-list 101 deny ip host 10.0.0.340.0.0.3 0.0.0.0
R1(config)#access-list 101 permit ip anyany
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
R1(config)#
Verifyby doing ping from 10.0.0.3 to40.0.0.3. It should be reqest time out. Also ping other computers of networkincluding 40.0.0.2. ping shuld be sucessfully.
Block hostto network
Task
Now we will block the 10.0.0.3from gaining access on the network 40.0.0.0. ( if you are doing this practicalafter configuring pervious example don't forget to remove the last accesslist 101. With no access-list command. Or just close the packet tracerwithout saving and reopen it to be continue with this example.)
R1(config)#access-list 102 deny ip host 10.0.0.340.0.0.0 0.255.255.255
R1(config)#access-list 102 permit ip anyany
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 102 in
R1(config-if)#exit
R1(config)#
Verifyby doing ping from 10.0.0.3 to40.0.0.3. and 40.0.0.2.It should be reqest time out. Also ping computers ofother network. ping shuld be sucessfully.
Once youhave calculated the wild card mask rest is same as we did in pervious example
R2>enable
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.00.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
To testfirst do ping from 10.0.0.3 to40.0.0.3 it should be request time out as this packet will filter by ACL. Thenping 30.0.0.3 it should be successfully replay.
Network toNetwork Access List
Task
Student抯 lab is configured on the network of 10.0.0.0.While management's system remain in the network of 40.0.0.0. You are asked tostop the lab system from gaining access in management systems
Now wewill block the network of 10.0.0.0 fromgaining access on the network 40.0.0.0. ( if you are doing this practical afterconfiguring pervious example don't forget to remove the last access list 101. With noaccess-list command. Or just close the packet tracer without saving and reopenit to be continue with this example.)
R1(config)#access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 103 permit ip anyany
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
R1(config)#
Verifyby doing ping from 10.0.0.3 and10.0.0.2 to 40.0.0.3. and 40.0.0.2.It should be reqest time out. Also pingcomputers of other network. ping shuld be sucessfully.
Network tohost
Task
For thefinal scenario you will block all traffic to 40.0.0.3 from the Network of 10.0.0.0To accomplish this write anextended access list. The access list should look something like the following.
R1(config)#interface fastethernet 0/0
R1(config-if)#no ip access-group 103 in
R1(config-if)#exit
R1(config)#no access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 104 deny ip 10.0.0.0 0.255.255.255 40.0.0.3 0.0.0.0
R1(config)#access-list 104 permit ip anyany
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
R1(config)#
Verifyby doing ping from 10.0.0.3 and10.0.0.2 to 40.0.0.3.It should be reqest time out. Also ping computers of othernetwork. ping shuld be sucessfully.
Applicationbased Extended Access list
Inpervoius example we filter ip base traffic. Now we will filter applicaion basetraffic. To do this practical either create a topology as shown in figure andenable telnet and http and ftp service on server or download this preconfigured topology and load it in packet tracer.
Theestablished keyword
The established keyword is aadvanced feature that will allow traffic through only if it sees that a TCPsession is already established. A TCP session is considered established if thethree-way handshake is initiated first. This keyword is added only to the endof extended ACLs that arefiltering TCP traffic.
You can use TCP established to deny all traffic into your networkexcept for incoming traffic that was first initiated from inside your network.This is commonly used to block all originating traffic from the Internet into acompany's network except for Internet traffic that was first initiated fromusers inside the company. The following configuration would accomplish this forall TCP-based traffic coming in to interface serial 0/0/0 on the router:
R1(config)#access-list 101 permit tcp anyany established
R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
Althoughthe access list is using a permit statement, all traffic isdenied unless it is first established from the inside network. If the router seesthat the three-way TCP handshake is successful, it will then begin to allowtraffic through.
To testthis access list double click on any pc from the network 10.0.0.0and select web brower. Now give the ip of 30.0.0.2 web server. It should getsucessfully access the web page. Now go 30.0.0.2 and open command prompt. Anddo ping to 10.0.0.2 or any pc from the network the 10.0.0.0. it will requesttime out.
Stop pingbut can access web server
We hostour web server on 30.0.0.2. But we do not want to allow external user to pingour server as it could be used as denial of services. Create an access listthat will filter all ping requests inbound on the serial 0/0/0 interface ofrouter2.
R2(config)#access-list 102 deny icmp any any echo
R2(config)#access-list 102 permit ip anyany
R2(config)#interface serial 0/0/0
R2(config-if)#ip access-group 102 in
To testthis access list ping from 10.0.0.2 to30.0.0.2 it should be request time out. Now open the web browser and access30.0.0.2 it should be successfully retrieve
Grant FTPaccess to limited user
You wantto grant ftp access only to 10.0.0.2. noother user need to provide ftp access on server. So you want to create a listto prevent FTP traffic that originates from the subnet 10.0.0.0/8, going to the30.0.0.2 server, from traveling in on Ethernet interface E0/1 on R1.
R1(config)#access-list 103 permit tcp host 10.0.0.230.0.0.2 0.0.0.0 eq 20
R1(config)#access-list 103 permit tcp host 10.0.0.230.0.0.2 0.0.0.0 eq 21
R1(config)#access-list 103 deny tcp any anyeq 20
R1(config)#access-list 103 deny tcp any anyeq 21
R1(config)#access-list 103 permit ip anyany
R1(config)#interface fastethernet 0/1
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
GrantTelnet access to limited user
Forsecurity purpose you don抰 want toprovide telnet access on server despite your own system. Your system is 10.0.0.4.create a extended access list to prevent telnet traffic that originates fromthe subnet of 10.0.0.0 to server.
R1(config)#access-list 104 permit tcp host 10.0.0.430.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 deny tcp 10.0.0.0 0.255.255.255 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 permit ip anyany
R1(config)#interface fast 0/1
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
移步至个人小站:www.very321.com