An Extended Access Control List (ACL) allows you to filter traffic based on source IP, destination IP, protocol type (TCP, UDP, ICMP), and source/destination port numbers.
+ Numbered Extended ACL ranges -
100–199
2000–2699
+ We can also use named ACLs
+ Placed close to the source - Since an extended ACL can filter on source IP, destination IP and port number, placing it near the source gives precise control over who can access what and how, and drops unwanted traffic before it crosses the network.
Let's block port 80 (HTTP) of server 20.1.1.1 for laptop 10.1.1.100
Source IP - 10.1.1.100
Destination IP - 20.1.1.1
Destination port number - 80
Step 1 - Create the Extended ACL
access-list 100 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq 80
access-list 100 permit ip any any
Router#show ip access-lists
Extended IP access list 100
10 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq www
20 permit ip any any
Step 2 - Apply the Extended ACL
We need to apply it close to the source, which is the laptop-facing interface, in the inbound (in) direction
interface GigabitEthernet0/0/0
ip access-group 100 in
Let's try from the laptop to access port 80 and port 443 of server 20.1.1.100
Port 80 is not accessible
Port 443 is accessible
Now check the hits on the ACL entry
Router#show ip access-lists
Extended IP access list 100
10 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq www (36 match(es))
20 permit ip any any
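As an added example (not part of the original post), here is a small Python evaluator that applies the same top-down, first-match logic IOS uses to the posted list 100: wildcard-mask address matching, protocol and destination-port checks, per-entry match counters like the ones shown by show ip access-lists, and the implicit deny at the end. It also makes the wildcard semantics visible: a wildcard of 0.0.0.0 means every bit must match, so 10.1.1.0 0.0.0.0 matches only the host 10.1.1.0, and the same entry written with the host keyword for the laptop and server addresses is included for comparison. The parser, both ACL lists and the sample packets are constructed here and cover only the subset of the syntax used on this page.

```python
import ipaddress

def _parse_addr(t, i):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (addr, wildcard, next_i)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2

def parse_ace(line, seq):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (subset of the IOS syntax)."""
    t = line.split()
    src, src_w, i = _parse_addr(t, 4)
    dst, dst_w, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":          # IOS displays port 80 as 'www'
        port = 80 if t[i + 1] == "www" else int(t[i + 1])
    return {"seq": seq, "action": t[2], "proto": t[3], "src": src, "src_w": src_w,
            "dst": dst, "dst_w": dst_w, "dport": port, "matches": 0}

def build_acl(lines):
    """Number the entries 10, 20, ... as IOS does for a numbered list."""
    return [parse_ace(line, 10 * (n + 1)) for n, line in enumerate(lines)]

def _addr_match(addr, conf, wild):
    # Wildcard bits set to 1 are "don't care"; bits set to 0 must equal the configured address.
    return ((addr & ~wild) & 0xFFFFFFFF) == ((conf & ~wild) & 0xFFFFFFFF)

def evaluate(acl, src, dst, proto, dport=None):
    """Top-down first match; returns the ACE action, or 'deny' from the implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_addr_match(s, ace["src"], ace["src_w"]) and _addr_match(d, ace["dst"], ace["dst_w"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        ace["matches"] += 1                   # the count 'show ip access-lists' reports as match(es)
        return ace["action"]
    return "deny"

# Constructed: list 100 exactly as posted, and the same intent written in 'host' form.
ACL_AS_POSTED = build_acl(["access-list 100 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq 80",
                           "access-list 100 permit ip any any"])
ACL_HOST_FORM = build_acl(["access-list 100 deny tcp host 10.1.1.100 host 20.1.1.1 eq 80",
                           "access-list 100 permit ip any any"])

if __name__ == "__main__":
    print(evaluate(ACL_HOST_FORM, "10.1.1.100", "20.1.1.1", "tcp", 80))   # deny
    print(evaluate(ACL_HOST_FORM, "10.1.1.100", "20.1.1.1", "tcp", 443))  # permit
    print(evaluate(ACL_AS_POSTED, "10.1.1.100", "20.1.1.1", "tcp", 80))   # permit: 0.0.0.0 wildcard matches only host 10.1.1.0
```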
============================================
Complete configuration of the Router -
Router#show run
Building configuration...
Current configuration : 854 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
interface GigabitEthernet0/0/1
ip address 20.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
access-list 100 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq www
access-list 100 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Happy Learning !!
Network Engineer Stuff