
Configuration Examples: ACLs 279

TIP: You can use the remark command in any of the IP numbered standard, IP
numbered extended, or named IP ACLs.
TIP: You can use the remark command either before or after a permit or deny
statement. Therefore, be consistent in your placement to avoid any confusion as
to which line the remark statement is referring.
Restricting Virtual Terminal Access
TIP: When restricting access through Telnet, use the access-class command
rather than the access-group command, which is used when applying an ACL to a
physical interface.
Configuration Examples: ACLs
Figure 28-1 illustrates the network topology for the configuration that follows, which shows
five ACL examples using the commands covered in this chapter.
Router(config)#access-list 2 permit host 172.16.10.2
    Permits host 172.16.10.2 to Telnet into this router based on where this ACL is applied.
Router(config)#access-list 2 permit 172.16.20.0 0.0.0.255
    Permits anyone from the 172.16.20.x address range to Telnet into this router based on where this ACL is applied. The implicit deny statement restricts anyone else from being permitted to Telnet.
Router(config)#line vty 0 4
    Moves to vty line configuration mode.
Router(config-line)#access-class 2 in
    Applies this ACL to all 5 vty virtual interfaces in an inbound direction.
Figure 28-3 Network Topology for ACL Configuration
Example 1: Write an ACL that prevents the 10.0 network from accessing the 40.0 network but allows everyone else to.
RedDeer(config)#access-list 10 deny 172.16.10.0 0.0.0.255
    The standard ACL denies the complete network for the complete TCP/IP suite of protocols.
RedDeer(config)#access-list 10 permit any
    Defeats the implicit deny.
RedDeer(config)#interface fastethernet 0/0
    Moves to interface configuration mode.
RedDeer(config)#ip access-group 10 out
    Applies the ACL in an outbound direction.
[Figure 28-3 topology: routers Edmonton, Red Deer and Calgary connected over serial links s0/0/0 and s0/0/1 (30.x and 60.x), with LAN interfaces fa0/0 and fa0/1 on the 10.x, 20.x, 40.x, 50.x, 70.x and 80.x subnets; hosts shown are workstations 10.5, 20.163, 40.89, 50.7, 50.75, 70.5 and 80.16 and server 70.2]
Conguration Examples: ACLs 281
Example 2: Write an ACL that states that 10.5 cannot access 50.7. Everyone else can.
Example 3: Write an ACL that states that 10.5 can Telnet to the Red Deer router. No
one else can.
Example 4: Write a named ACL that states that 20.163 can Telnet to 70.2. No one else
from 20.0 can Telnet to 70.2. Any other host from any other subnet can connect to
70.2 using anything that is available.
Edmonton(config)#access-list 115 deny ip host 172.16.10.5 host 172.16.50.7
    The extended ACL denies a specific host for the entire TCP/IP suite.
Edmonton(config)#access-list 115 permit ip any any
    All others are permitted through.
Edmonton(config)#interface fastethernet 0/0
    Moves to interface configuration mode.
Edmonton(config)#ip access-group 115 in
    Applies the ACL in an inbound direction.

RedDeer(config)#access-list 20 permit host 172.16.10.5
    The standard ACL allows a specific host access. The implicit deny statement filters everyone else out.
RedDeer(config)#line vty 0 4
    Moves to virtual terminal lines configuration mode.
RedDeer(config-line)#access-class 20 in
    Applies ACL 20 in an inbound direction. Remember to use access-class, not access-group.

Calgary(config)#ip access-list extended serveraccess
    Creates a named ACL and moves to named ACL configuration mode.
Calgary(config-ext-nacl)#10 permit tcp host 172.16.20.163 host 172.16.70.2 eq telnet
    The specific host is permitted Telnet access to a specific destination.
Calgary(config-ext-nacl)#20 deny tcp 172.16.20.0 0.0.0.255 host 172.16.70.2 eq telnet
    No other hosts are allowed to Telnet to the server.
Calgary(config-ext-nacl)#30 permit ip any any
    Defeats the implicit deny statement and allows all other traffic to pass through.
Calgary(config-ext-nacl)#exit
    Returns to global configuration mode.
Calgary(config)#interface fastethernet 0/0
    Moves to interface configuration mode.
Calgary(config)#ip access-group serveraccess out
    Sets the ACL named serveraccess in an outbound direction on the interface.

Example 5: Write an ACL that states that hosts 50.1-50.63 are not allowed web access to 80.16. Hosts 50.64-50.254 are. Everyone can do everything else.
RedDeer(config)#access-list 101 deny tcp 172.16.50.0 0.0.0.63 host 172.16.80.16 eq 80
    Creates an ACL that denies HTTP traffic from a range of hosts to a specific destination.
RedDeer(config)#access-list 101 permit ip any any
    Defeats the implicit deny statement and allows all other traffic to pass through.
RedDeer(config)#interface fastethernet 0/0
    Moves to interface configuration mode.
RedDeer(config)#ip access-group 101 in
    Applies the ACL in an inbound direction.
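The wildcard-mask matching and first-match-then-implicit-deny behaviour that the tables above rely on, worked through in Python as an added example (not from the command guide; `Entry`, `evaluate` and the packet dictionaries are constructed for this illustration):

```python
# Added example, not from the command guide: a toy first-match evaluator for
# the ACLs in this chapter. It shows how a wildcard mask selects an address
# block (0.0.0.63 in ACL 101 covers .50.0 through .50.63) and that the first
# matching entry wins, with the implicit deny applied when nothing matches.
import ipaddress
from dataclasses import dataclass
from typing import Optional

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a set bit in the mask means 'don't care'."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp", "udp"
    src: str                     # 'host X' is X with wildcard 0.0.0.0
    src_wc: str
    dst: str = "0.0.0.0"         # standard ACLs have no destination, i.e. any
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt):
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def evaluate(acl, pkt):
    """Return 'permit' or 'deny'; a packet matching no entry is denied."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"  # the implicit deny at the end of every Cisco ACL

# access-list 101 from Example 5 (RedDeer, applied inbound on fa0/0)
ACL_101 = [Entry("deny", "tcp", "172.16.50.0", "0.0.0.63", "172.16.80.16", "0.0.0.0", 80),
           Entry("permit", "ip", "0.0.0.0", "255.255.255.255")]
# access-list 2 from the vty example: no 'permit any', so everyone else is denied
ACL_2 = [Entry("permit", "ip", "172.16.10.2", "0.0.0.0"),
         Entry("permit", "ip", "172.16.20.0", "0.0.0.255")]
```

Note that 172.16.50.64 falls outside the 0.0.0.63 block and is permitted, while a host inside the block is still permitted for any port other than 80.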
