Access Control List Part – 2

We discussed the standard ACL, but it has a big limitation: it can only match on the source IP address, so it works only at layer 3.
The numbers for Standard ACL are 1 – 99 and 1300 – 1999.

An extended ACL can match on source and destination IP address, sessions, ports, and protocols. This list can work at layers 3, 4, and 5, so an extended ACL can express more detailed rules.
The numbers for Extended ACL are 100 – 199 and 2000 – 2699.
A good piece of advice: wherever a control can be expressed as a standard ACL, use one, since it keeps the configuration simpler and performs better.


Configuration

We want to allow access to R4 from R1 using SSH but not telnet.


Case – 1

First, let’s block the telnet connection using the source and destination IP addresses. Before that, let’s make sure we can ping, telnet, and SSH to R4.


We are going to create the ACL on R2 because it sits between R1 and R4, which makes it the best place to filter the traffic.


Now we have configured a rule to block traffic from 192.168.1.1 to 192.168.2.4; this rule blocks all traffic between those hosts. Keep in mind that there is an implicit deny rule at the end of the list: with only this entry, everything, not just R1 to R4, is blocked. We need to permit the other traffic, and we also need to permit EIGRP traffic explicitly, because our routers use this protocol to exchange routes. Finally, we have to apply the ACL to the interface.


Now it is time to test the ACL: let’s ping, telnet, and SSH again and see the response.


We have successfully blocked the traffic we wanted to, and the test output is the proof.

Case – 2

Allow all traffic from R1 to R4 and block only the telnet connection, because it is insecure.


There are four port operators: eq, lt, neq, and gt. Let’s discuss them first.
eq means equal to; it matches a single port. For instance, if we want to block port 443 we use this switch.
gt means greater than; we define a port, and all ports above it are affected. For instance, if we want to block all ports above 49000 we use this switch.
lt means less than; it works the same way on the ports below the one given.
neq means not equal to; it matches every port except the one given.

When the operator is placed right after the source IP, it applies to the source port, not the destination port. We do not know which source port telnet will use, but we do know the destination port that must be denied, so we move on past the destination IP and then pick the operator there.


Now, after entering the destination IP, we can pick the port number, which we did using the eq switch. We then need to apply this ACL on the interface; as soon as we do, the previous ACL is overridden and this one takes effect.


Now it is time to test the ACL, and for this purpose we move to R1.

Note: ICMP does not use any port.


Look at the result: ICMP and SSH are working perfectly, but telnet is not working, all because of the ACL.
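To make the matching behaviour concrete without the screenshots, here is a small Python model of how IOS evaluates an extended ACL. It is an added example, not configuration from the post: it encodes the Case 1 and Case 2 lists (the IOS line each entry mirrors is given in a comment), applies the eq/gt/lt/neq operators to whichever address they follow, stops at the first match, and falls through to the implicit deny. The sample packets, their source ports, and the access-list numbers 100 through 102 are constructed for the example; the interface the list is applied to is not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# IP protocol numbers for the traffic the post tests (ping, telnet/SSH, routing updates)
ICMP, TCP, EIGRP = 1, 6, 88
ANY = "0.0.0.0/0"   # the IOS keyword `any`

# The four port operators from the post. `port` is the packet's port, `n` the configured one.
PORT_OPS = {
    "eq": lambda port, n: port == n,
    "gt": lambda port, n: port > n,
    "lt": lambda port, n: port < n,
    "neq": lambda port, n: port != n,
}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # 0 means "no port" (ICMP, EIGRP)
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    """One access-list entry. proto=None is the IOS keyword `ip` (any protocol);
    a /32 prefix is `host`; src_port/dst_port are the (operator, port) pair that
    follows the source or the destination address respectively."""
    action: str
    proto: Optional[int]
    src: str
    dst: str
    src_port: Optional[Tuple[str, int]] = None
    dst_port: Optional[Tuple[str, int]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if IPv4Address(pkt.src) not in IPv4Network(self.src):
            return False
        if IPv4Address(pkt.dst) not in IPv4Network(self.dst):
            return False
        for cond, port in ((self.src_port, pkt.sport), (self.dst_port, pkt.dport)):
            if cond is not None and not PORT_OPS[cond[0]](port, cond[1]):
                return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


R1, R4 = "192.168.1.1", "192.168.2.4"   # addresses used in the post

# Case 1: deny everything from R1 to R4, permit EIGRP explicitly, then permit the rest.
CASE1 = [
    Entry("deny", None, R1 + "/32", R4 + "/32"),    # access-list 100 deny ip host 192.168.1.1 host 192.168.2.4
    Entry("permit", EIGRP, ANY, ANY),               # access-list 100 permit eigrp any any
    Entry("permit", None, ANY, ANY),                # access-list 100 permit ip any any
]

# Case 2: deny only telnet (TCP/23) from R1 to R4; `eq 23` follows the destination address.
CASE2 = [
    Entry("deny", TCP, R1 + "/32", R4 + "/32", dst_port=("eq", 23)),  # access-list 101 deny tcp host 192.168.1.1 host 192.168.2.4 eq 23
    Entry("permit", None, ANY, ANY),                                  # access-list 101 permit ip any any
]

# What the post warns about: `eq 23` placed after the source address checks the source port,
# and telnet's source port is ephemeral, so this entry never matches the telnet session.
WRONG_PLACE = [
    Entry("deny", TCP, R1 + "/32", R4 + "/32", src_port=("eq", 23)),  # access-list 102 deny tcp host 192.168.1.1 eq 23 host 192.168.2.4
    Entry("permit", None, ANY, ANY),                                  # access-list 102 permit ip any any
]

# Constructed packets mirroring the post's tests from R1. Source ports are made-up ephemeral
# values; the EIGRP hello goes to the 224.0.0.10 multicast group, not to R4.
TRAFFIC = {
    "ping": Packet(ICMP, R1, R4),
    "telnet": Packet(TCP, R1, R4, sport=51234, dport=23),
    "ssh": Packet(TCP, R1, R4, sport=51235, dport=22),
    "eigrp": Packet(EIGRP, R1, "224.0.0.10"),
}


def results(acl) -> dict:
    """Map each test flow to the ACL's verdict."""
    return {name: evaluate(acl, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("case 1", CASE1), ("case 2", CASE2),
                       ("case 1 with only the deny entry", CASE1[:1]),
                       ("eq 23 after the source", WRONG_PLACE)):
        print(label, results(acl))
```

Running it reproduces the two test screens: Case 1 denies ping, telnet and SSH while the EIGRP hello still passes; Case 2 denies only telnet. The third list shows what the implicit deny does when the permit entries are forgotten (even EIGRP is dropped), and the fourth shows why the operator has to sit after the destination address.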


Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.
