ACL Sequencing in PT 6.0

Bogdan Doinea, Technical Manager Europe Central & RCIS, [email protected]

Page 1: ACL Sequencing


Page 2: ACL Sequencing

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Numbered ACLs

• Standard: filter only on layer 3 source addresses

• Extended: filter on layer 3/4 information and on both source and destination addresses

• Limitation: when editing a numbered ACL, we can only add statements to the end of the ACL

access-list 10 permit 192.168.146.0 0.0.1.255

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

Page 3: ACL Sequencing


• Named ACLs have sequence numbers for each entry

• All ACLs have an implicit, invisible deny statement at the end ONLY if they have at least one statement

• Recommendation: you should always manually write the deny ip any any rule in order to see if packets matched it

ip access-list extended in_to_out
 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet log
 deny ip any any

Page 4: ACL Sequencing


Router(config)#ip access-list extended sequence_x
Router(config-ext-nacl)#permit tcp any host 10.0.0.3 eq 23
Router(config-ext-nacl)#permit tcp any host 10.0.0.3 eq 22
Router(config-ext-nacl)#deny tcp any host 10.0.0.3
Router(config-ext-nacl)#permit udp any any
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#do sh access-l
Extended IP access list sequence_x
 10 permit tcp any host 10.0.0.3 eq telnet
 20 permit tcp any host 10.0.0.3 eq 22
 30 deny tcp any host 10.0.0.3
 40 permit udp any any
 50 deny ip any any

• The administrator forgot to permit port 80 for tcp on host 10.0.0.3

• What to do?
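An added example, not from the slides, of what the sequence numbers on a named ACL buy you in this exact scenario: a small first-match evaluator in Python models the sequence_x ACL above and shows that appending a permit for port 80 at the end (all a numbered ACL allows) still leaves HTTP caught by the deny at 30, while inserting it with sequence 25 (an assumed choice; any free number between 20 and 30 works) puts it in front of that deny. The Ace class and the evaluate/insert helpers are assumptions for the demonstration, not IOS behaviour beyond first-match ordering, the empty-ACL rule and the implicit deny stated on the slides.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    dst: str               # "any" or a host address
    dport: Optional[int]   # None means any destination port

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        return self.dport is None or self.dport == dport

def evaluate(acl: List[Ace], proto: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First match wins in sequence order; empty ACL permits all, else implicit deny."""
    if not acl:
        return "permit", None
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(proto, dst, dport):
            return ace.action, ace.seq
    return "deny", None

def insert(acl: List[Ace], ace: Ace) -> List[Ace]:
    """Return a copy with one more entry; a duplicate sequence number is rejected."""
    if any(a.seq == ace.seq for a in acl):
        raise ValueError(f"sequence {ace.seq} already in use")
    return acl + [ace]

# The ACL exactly as 'do sh access-l' printed it on the slide
SEQUENCE_X = [
    Ace(10, "permit", "tcp", "10.0.0.3", 23),
    Ace(20, "permit", "tcp", "10.0.0.3", 22),
    Ace(30, "deny",   "tcp", "10.0.0.3", None),
    Ace(40, "permit", "udp", "any",      None),
    Ace(50, "deny",   "ip",  "any",      None),
]

def http_to_host(acl: List[Ace]) -> Tuple[str, Optional[int]]:
    """The forgotten traffic: TCP port 80 to 10.0.0.3."""
    return evaluate(acl, "tcp", "10.0.0.3", 80)

# Appending (the only edit a numbered ACL allows) lands after the deny at 30: still denied
APPENDED = insert(SEQUENCE_X, Ace(60, "permit", "tcp", "10.0.0.3", 80))
# Sequence 25 slots the permit between 20 and 30, ahead of the deny: now permitted
INSERTED = insert(SEQUENCE_X, Ace(25, "permit", "tcp", "10.0.0.3", 80))
```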

Page 5: ACL Sequencing


• http://lms.netacad.net/course/view.php?id=3101

Page 6: ACL Sequencing

Thank you.