
Extended Access-list

  • Writer: Malik Zaib
  • Apr 1, 2018

Creation of Extended Access-list Syntax:

Router(config)#access-list <acl no> <permit/deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> <operator> <service>

Implementation Syntax:

Router(config)#interface <interface type> <interface no.>

Router(config-if)#ip access-group <access-list no.> <in/out>

Configure the appropriate router according to the rules below:

  1. Users on LAN 192.168.2.0 must not access the HTTP service on 192.168.1.3.

  2. Users on LAN 192.168.3.0 must not access the FTP service on 192.168.1.4.

  3. Host 192.168.3.1 must not access the HTTP service on 192.168.1.3.

  4. Users on LAN 192.168.2.0 must not get DNS service from the DNS server 192.168.1.4.

  5. Host 192.168.3.2 must not be able to send ICMP (ping/trace) messages to 192.168.1.2.

  6. All remaining hosts and services must be permitted.

Configuration of Extended Access-list (entries are evaluated top-down and the first match wins; the final permit is required because every ACL ends with an implicit deny):

R1(config)#access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www

R1(config)#access-list 101 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp

R1(config)#access-list 101 deny tcp host 192.168.3.1 host 192.168.1.3 eq www

R1(config)#access-list 101 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain

R1(config)#access-list 101 deny icmp host 192.168.3.2 host 192.168.1.2 echo

R1(config)#access-list 101 deny icmp host 192.168.3.2 host 192.168.1.2 echo-reply

R1(config)#access-list 101 permit ip any any

OR

R1(config)#access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.1.3 0.0.0.0 eq www

R1(config)#access-list 101 deny tcp 192.168.3.0 0.0.0.255 192.168.1.4 0.0.0.0 eq ftp

R1(config)#access-list 101 deny tcp 192.168.3.1 0.0.0.0 192.168.1.3 0.0.0.0 eq www

R1(config)#access-list 101 deny udp 192.168.2.0 0.0.0.255 192.168.1.4 0.0.0.0 eq domain

R1(config)#access-list 101 deny icmp 192.168.3.2 0.0.0.0 192.168.1.2 0.0.0.0 echo

R1(config)#access-list 101 deny icmp 192.168.3.2 0.0.0.0 192.168.1.2 0.0.0.0 echo-reply

R1(config)#access-list 101 permit ip any any
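As an added illustration that is not part of the original post, the Python script below parses the seven entries of access-list 101 and evaluates sample packets against them with the same first-match, implicit-deny logic IOS applies, so each of the six rules can be checked before the list is bound to an interface. The `PORTS` and `ICMP_TYPES` tables and all function names are my own; the wildcard comparison is bitwise, so it also handles non-contiguous masks.

```python
import ipaddress
PORTS = {"www": 80, "ftp": 21, "domain": 53}  # IOS service keyword -> IANA port
ICMP_TYPES = {"echo": 8, "echo-reply": 0}      # IOS keyword -> ICMP type number

# Constructed copy of access-list 101 from the post (host and wildcard forms mixed on purpose).
ACL_101_TEXT = """
access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
access-list 101 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
access-list 101 deny tcp host 192.168.3.1 host 192.168.1.3 eq www
access-list 101 deny udp 192.168.2.0 0.0.0.255 192.168.1.4 0.0.0.0 eq domain
access-list 101 deny icmp host 192.168.3.2 host 192.168.1.2 echo
access-list 101 deny icmp host 192.168.3.2 host 192.168.1.2 echo-reply
access-list 101 permit ip any any
"""

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]
def _match_addr(spec, ip):
    base, wildcard = spec  # a 1 bit in the wildcard means "don't care": only the 0 bits are compared
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (base | wildcard)
def parse_ace(line):  # only the entry forms used in the post are handled
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    qual = None
    if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
        qual = int(PORTS.get(rest[1], rest[1]))  # destination port
    elif proto == "icmp" and rest:
        qual = ICMP_TYPES[rest[0]]  # ICMP type
    return {"action": action, "proto": proto, "src": src, "dst": dst, "qual": qual}

def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    """First match wins, as IOS processes an ACL; no match falls through to the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_match_addr(ace["src"], src) and _match_addr(ace["dst"], dst)):
            continue
        pkt_qual = dport if ace["proto"] in ("tcp", "udp") else icmp_type
        if ace["qual"] is not None and ace["qual"] != pkt_qual:
            continue
        return ace["action"]
    return "deny"  # the implicit "deny ip any any" at the end of every ACL
ACL_101 = [parse_ace(l) for l in ACL_101_TEXT.strip().splitlines()]
```

Dropping the last entry (`ACL_101[:-1]`) shows why rule 6 needs an explicit permit: with only deny statements, every packet falls through to the implicit deny.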

Implementation:

R1(config)#interface ethernet 0/0

R1(config-if)#ip access-group 101 out

OR

R1(config)#interface serial 1/0

R1(config-if)#ip access-group 101 in
