An ACL denies anything that is not explicitly permitted by one of its entries (the implicit deny at the end).
A standard ACL only checks the source IP address.
Wildcard mask: a 0 bit means that bit must match exactly, a 1 bit means anything matches. It is the inverse of the subnet mask, e.g. wildcard mask 0.0.0.255 for a /24.
Router(config)#access-list 1 deny 3.3.3.3 0.0.0.255
Router(config)#access-list 1 permit any
Router#show ip access
Standard IP access list 1
10 deny 3.3.3.0 0.0.0.255
20 permit any
Router(config-if)#ip access-group 1 in
Router#ping
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 3.3.3.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
UUUUU
Success rate is 0 percent (0/5)
Router(config)#access-list 100 deny ip 3.3.3.0 0.0.0.255 11.11.11.0 0.0.0.255
access-list 17 deny 172.18.18.0 0.0.0.255
access-list 17 permit any
Because an ACL looks for an exact match.
For named ACLs:
Router(config)#ip access extended BLOCK11
Router(config-ext-nacl)#per ip any any
R1#sho acc
Extended IP access list 101
10 permit tcp host 172.12.123.2 any eq telnet
20 deny ip any any
R2#telnet 172.12.123.1
Trying 172.12.123.1 ...Open
R3#telnet 172.12.123.1
Trying 172.12.123.1 ...
% Connection refused by remote host
time-range TELNET-ALLOWED
periodic weekdays 09:00 to 17:00
10 permit tcp host 172.12.123.2 any eq telnet
20 deny ip any any
30 permit tcp host 172.12.123.3 any time-range TELNET-ALLOWED
The third line (sequence 30) will not allow R3 to connect, because sequence 20 (deny ip any any) is evaluated first and already matches R3's traffic.
no access-list 101 permit tcp host 172.12.123.3 any time-range TELNET-ALLOWED
will delete the entire access-list 101.
R1(config)#ip acc ex 101
R1(config-ext-nacl)#no 30
will delete sequence number 30 in access-list 101
R1(config-ext-nacl)#15 permit tcp host 172.12.123.3 any time-range TELNET-ALLOWED
will add a line between sequence 10 and 20.
The final result will be like:
10 permit tcp host 172.12.123.2 any eq telnet
15 permit tcp host 172.12.123.3 any time-range TELNET-ALLOWED
20 deny ip any any
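As an added example (not from the notes or from IOS), a small Python evaluator for IOS-style wildcard masks and first-match ACL processing. The access-list 101 entries are constructed from the notes above and the time-range condition is ignored; it shows why R3 is denied at sequence 20 and permitted once sequence 15 is inserted:

```python
import ipaddress

HOST = "0.0.0.0"                       # wildcard for "host X": every bit must match
ANY = ("0.0.0.0", "255.255.255.255")   # "any": no bit has to match
TELNET = 23

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def entry(seq, action, proto, src, dst, dport=None):
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}

def evaluate(acl, src, dst, proto="ip", dport=None):
    """First matching entry (by sequence) wins; no match is the implicit deny."""
    for e in sorted(acl, key=lambda e: e["seq"]):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not wildcard_match(src, *e["src"]):
            continue
        if not wildcard_match(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["seq"], e["action"]
    return None, "deny"

# Constructed to mirror access-list 101 from the notes (time-range ignored).
ACL_101 = [
    entry(10, "permit", "tcp", ("172.12.123.2", HOST), ANY, TELNET),
    entry(20, "deny", "ip", ANY, ANY),
    entry(30, "permit", "tcp", ("172.12.123.3", HOST), ANY),
]

def r3_telnet(acl):
    """R3 (172.12.123.3) telnetting to R1 (172.12.123.1)."""
    return evaluate(acl, "172.12.123.3", "172.12.123.1", "tcp", TELNET)

def fixed_acl():
    """'no 30' and then insert sequence 15 ahead of the deny, as in the notes."""
    acl = [e for e in ACL_101 if e["seq"] != 30]
    acl.append(entry(15, "permit", "tcp", ("172.12.123.3", HOST), ANY))
    return acl

if __name__ == "__main__":
    print(r3_telnet(ACL_101))      # (20, 'deny')
    print(r3_telnet(fixed_acl()))  # (15, 'permit')
```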
time-range ABSOLUTE
absolute start 10:00 3 Nov 2019
An extended ACL is generally applied to the router closest to the source.
A standard ACL is generally applied to the router closest to the destination.