What are ACLs?
Access Control Lists → function as a packet filter with allow or deny
ACL can filter traffic based on
Src/Dst IP, src/dst layer 4 ports
ACLs are made up of
ACEs (Access Control Entries)
You configure ACLs in global config, but they must be
applied on the interface to take effect
ACLs are applied either
inbound or outbound
once an ACL has a match
it stops checking other entries in the ACL
a max of
one ACL can be applied to a single interface per direction
inbound: one ACL
outbound: one ACL
What will happen if a packet doesn’t match any entries in an ACL
The router will deny the packet → implicit deny
Standard ACL
Match based on Source IP only
subtypes →
standard numbered ACL
standard named ACL
Extended ACLs
Match based on Src/Dst IP, source/destination port, etc.
Standard ACL range
1-99
1300-1999
Basic Command to configure ACL
access-list # deny|permit 192.168.12.0 0.0.0.3
access-list 1 deny 1.1.1.1 0.0.0.0
permit any traffic
access-list 1 permit any
or
access-list 1 permit 0.0.0.0 255.255.255.255
leave a description for purpose of ACL
access-list 1 remark ##block bob from accounting##
see the access list on router
show access-lists
apply the ACL to an interface
int g0/0
ip access-group # in|out
full ACL configuration
access-list 1 permit 10.0.0.1 0.0.0.3
int g0/0
ip access-group 1 in|out
good rule of thumb for standard ACLs
Apply as close to destination as possible
enter standard named ACL config mode
ip access-list standard {acl-name}
ip access-list standard HRaccesslist1
standard named ACL full config
ip access-list standard {acl-name}
{deny | permit } 10.0.0.0 0.0.0.3
int g0/0
ip access-group {acl-name} in | out
configure a standard named ACL called block-bob with a deny entry at sequence number 5
ip access-list standard block-bob
5 deny 10.0.0.0 0.0.0.3
int g0/0
ip access-group block-bob out
Lab #1 - Configure OSPF on R1 and R2
R1
router ospf 1
network 172.16.0.0 0.0.0.255 area 0
network 203.113.0.0 0.0.0.255 area 0
Do show ip ospf interface
R2
router ospf 1
network 172.16.0.0 0.0.0.255 area 0
network 203.113.0.0 0.0.0.255 area 0
Do show ip ospf neighbor
Do show ip route
Serial interfaces are used
to connect to WANs
Configure Standard Numbered ACLs on R1 - LAB
Do the LAB
Standard ACL: use a NAMED ACL because it's simpler
ip access-list standard USER_FILTER
deny host 10.1.20.50
permit any
———————————————————————
interface g0/2
ip access-group USER_FILTER out
In a named ACL you don't have to specify sequence numbers