Access Control List Rules


Access Control List: – An ACL is a set of rules that is usually used to filter network traffic.

Access Control List Rules: –

  • Write the deny statements at the top of the list.
  • There should be at least one permit statement.
  • An implicit deny blocks all traffic by default when no entry matches.
  • Entries are processed in sequential order (first match wins).
  • Editing a numbered access list is not possible; entries cannot be selectively added or removed.

Access List Terminology: –

  • Deny: Blocking a Network/Host/Subnet/Service.
  • Permit: Allowing a Network/Host/Subnet/Service.
  • Source Address: The address of the host from which the request originates.
  • Destination Address: The address of the host at which the request ends.
  • In: Traffic entering the interface.
  • Out: Traffic leaving the interface.

Types of Access List: –

  • Standard Access List
  • Extended Access List
  • Named Access List
  • Time-Based Access List
  • Dynamic Access List
  • Reflexive Access List
  • TCP Established Access List

Standard Access List: – With this type of ACL, an administrator can permit or deny packets based on their source IP address only.

  • It is used to allow or deny entire IP packets.
  • Mostly used for route filtering.
  • If you use a standard access list for traffic filtering, apply it closest to the destination; if you apply it closest to the source, all traffic may be blocked.
  • Standard Access List range: {1-99}, {1300-1999}.

Standard Access List Syntax: –

Router(config)#access-list access-list-number {permit|deny} {host|source source-wildcard|any}
Router(config)#interface <interface>
Router(config-if)#ip access-group <acl-number> in|out

Standard Access List Lab: –

For adding and configuring a host in GNS3, please see the URL below.

How to add host in GNS3

We have just configured basic IP addressing as per the diagram above, and also advertised the networks in EIGRP.

On Router R1: (configuration screenshot)

On Router R2: (configuration screenshot)

On Router R3: (configuration screenshot)

Now let’s check reachability from PC-1 to PC-2 and PC-3.

(screenshot of the reachability test)

Yes, reachability is ok.

Now, let’s create a task: the host 192.168.1.10 is denied from using the host 192.168.3.30, using a Standard Access List.

In a Standard Access List we write the statement closest to the destination. It is not mandatory, it depends on your understanding and requirement, but best practice is to apply it closest to the destination; if you apply it closest to the source it may deny some useful traffic, or all of your traffic.

I want to deny the traffic from host 192.168.1.10 to host 192.168.2.30,

so in our scenario we will apply the Access List on Router R3 in the out direction, because it is closest to the destination.

Let’s see the configuration:

(configuration screenshot)

In the configuration above, we used Access List number 10 {Standard Access List range 1-99}, so IOS treats it as a standard access list by default.

After the deny statement we write the permit statement.

If you forget to write the permit statement, the traffic that is not classified by any entry is automatically denied by the implicit deny.
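The matching rules this lab relies on (top-down evaluation, first match wins, Cisco wildcard masks, implicit deny at the end) as a small Python model. This is an added example, not IOS code and not part of the original post; the names `StandardAce`, `evaluate` and the sample lists are assumptions, while the entries in `ACL_10` mirror the lab's access list 10.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class StandardAce:
    """One standard ACL entry: action, source address and wildcard mask."""
    action: str                 # "permit" or "deny"
    source: str                 # dotted-quad source address
    wildcard: str = "0.0.0.0"   # Cisco wildcard: 0 bit = must match, 1 bit = don't care

    def matches(self, src_ip: str) -> bool:
        src = int(ipaddress.IPv4Address(src_ip))
        base = int(ipaddress.IPv4Address(self.source))
        wc = int(ipaddress.IPv4Address(self.wildcard))
        care = 0xFFFFFFFF ^ wc  # bits that the wildcard says must match
        return (src & care) == (base & care)


def evaluate(acl, src_ip: str) -> str:
    """Walk the entries top-down; the first match decides; no match -> implicit deny."""
    for ace in acl:
        if ace.matches(src_ip):
            return ace.action
    return "deny"  # the implicit deny at the end of every access list


# Access list 10 from the lab: deny the one host, then permit everything else.
ACL_10 = [
    StandardAce("deny", "192.168.1.10"),
    StandardAce("permit", "0.0.0.0", "255.255.255.255"),  # "permit any"
]

# Same list with the permit line forgotten: only the deny entry remains.
ACL_10_NO_PERMIT = [StandardAce("deny", "192.168.1.10")]

# Same entries in the wrong order: "permit any" shadows the deny below it.
ACL_10_WRONG_ORDER = list(reversed(ACL_10))

# A subnet entry (constructed): matches all of 192.168.1.0/24.
ACE_SUBNET = StandardAce("deny", "192.168.1.0", "0.0.0.255")

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.11"):
        print(ip, "->", evaluate(ACL_10, ip),
              "| no permit:", evaluate(ACL_10_NO_PERMIT, ip),
              "| wrong order:", evaluate(ACL_10_WRONG_ORDER, ip))
```

Note that the model checks the source address only, exactly as a standard access list does; destination and port never enter the decision.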

Standard Access List Troubleshooting: –

Now, the direction in which you deny the traffic {in or out} depends on your requirement.

Here I am going to deny the traffic in the out direction on Router R3.

(configuration screenshot)

Now it’s time for verification, so let’s verify.

(verification screenshot)

As the snap above shows, PC-1 is unable to reach PC-3, while it can still reach PC-2.
