Configuration Example: Access Control Lists


Figure 28-1 shows the network topology for the configuration that follows, which shows five ACL examples using the commands covered in this chapter.

Figure 28-1. Network Topology for ACL Configuration


Example 1. Write an ACL that prevents the 10.0 network from accessing the 40.0 network, but everyone else can.

RedDeer(config)#access-list 10 deny 172.16.10.0 0.0.0.255

Standard ACL denies complete network for complete TCP/IP suite of protocols

RedDeer(config)#access-list 10 permit any

Defeats the implicit deny

RedDeer(config)#int e0

 

RedDeer(config)#ip access-group 10 out

Applies ACL in an outbound direction


Example 2. Write an ACL which states that 10.5 cannot access 50.7. Everyone else can.

Edmonton(config)#access list 115 deny ip host 172.16.10.5 host 172.16.50.7

Extended ACL denies specific host for entire TCP/IP suite

Edmonton(config)#access list 115 permit ip any any

All others permitted through

Edmonton(config)#int e0

 

Edmonton(config)#ip access-group 115 in

Applies ACL in an inbound direction


Example 3. Write an ACL which states that 10.5 can Telnet to the Red Deer router. No one else can.

RedDeer(config)#access-list 20 permit host 172.16.10.5

 

RedDeer(config)#line vty 0 4

Go to virtual terminal lines

RedDeer(config-line)#access-class 20 in

Use access-class, not access-group


Example 4. Write an ACL which states that 20.163 can Telnet to 70.2. No one else from 20.0 can Telnet to 70.2. Any other host from any other subnet can connect to 70.2 using anything that is available.

Calgary(config)#access list 150 permit tcp host 172.16.20.163 host 172.16.70.2 eq 23

 

Calgary(config)#access list 150 deny tcp 172.16.20.0 0.0.0.255 host 172.16.70.2 eq 23

 

Calgary(config)#access list 150 permit ip any any

Defeats the implicit deny

Calgary(config)#int e0

 

Calgary(config)#ip access-group 150 out

 


Example 5. Write an ACL which states that 50.150.63 are not allowed web access to 80.16. Hosts 50.6450.254 are. Everyone can do everything else.

RedDeer(config)#access-list 101 deny tcp 172.16.50.0 0.0.0.63 host 172.16.80.16 eq 80

 

RedDeer(config)#access-list 101 permit ip any any

Allows device to do everything, including Telnet

RedDeer(config)#int e1

 

RedDeer(config)#ip access-group 101 in

 





CCNA Self-Study(c) CCNA Portable Command Guide
CCNA Portable Command Guide
ISBN: 1587201585
EAN: 2147483647
Year: 2006
Pages: 261
Authors: Scott Empson

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net