Module 5: STANDARD ACL CONFIGURATION FOR IPV4
5.1 STANDARD ACL CONFIGURATION FOR IPv4
1.- Importance of Planning ACLs
Write the policy and the ACL in a text editor before entering it on the router; the written plan documents which hosts and networks each ACE covers, in which order, and on which interface and direction the list will be applied.
Test ACLs thoroughly before relying on them: a mistyped address or a misordered ACE can block legitimate traffic or leave a path open.
2.- Standard ACL Types for IPv4
A standard ACL matches on the source IPv4 address only, so it is normally applied as close to the destination as possible.
Numbered ACLs: configured with a number in the range 1-99 or 1300-1999.
Example: access-list 10 permit host 192.168.10.10
Named ACLs: the descriptive name makes the list easier to understand and maintain.
Example: ip access-list standard PERMIT-ACCESS
3.- Applying ACLs to Interfaces
Using the command: ip access-group {access-list-number | access-list-name} {in | out}
An interface holds at most one IPv4 ACL per direction; applying a second one in the same direction replaces the first.
To remove an ACL from the interface: no ip access-group {access-list-number | access-list-name} {in | out}
4.- Implementation Examples
Numbered ACL (Example with ACL 10)
Allows only 192.168.10.10 and 192.168.20.0/24 to access the Internet; every other source hits the implicit deny at the end of the list.
Applied outbound on the Internet-facing interface (Serial 0/1/0).
Named ACL (Example with PERMIT-ACCESS)
Configured with the same ACEs as the numbered ACL, but with a name instead of a number.
Applied on the same Serial 0/1/0 interface.
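The configuration behind the two implementation examples, written out here as an added example rather than a listing from the page. The addresses and the Serial 0/1/0 interface come from the page; the remark text, and the decision to let PERMIT-ACCESS replace ACL 10 on that interface, are assumptions made for this illustration.

```cisco
! --- Numbered standard ACL 10: only 192.168.10.10 and 192.168.20.0/24 reach the Internet ---
configure terminal
access-list 10 remark ACE permits host 192.168.10.10
access-list 10 permit host 192.168.10.10
access-list 10 remark ACE permits the 192.168.20.0/24 LAN (wildcard 0.0.0.255 = /24)
access-list 10 permit 192.168.20.0 0.0.0.255
! No deny statement is needed: every source not matched above hits the implicit deny any
interface Serial0/1/0
 ip access-group 10 out
 exit
!
! --- Named standard ACL with the same policy ---
ip access-list standard PERMIT-ACCESS
 remark ACE permits host 192.168.10.10
 permit host 192.168.10.10
 remark ACE permits the 192.168.20.0/24 LAN
 permit 192.168.20.0 0.0.0.255
 exit
! One ACL per direction per interface: applying PERMIT-ACCESS outbound replaces
! ACL 10 in that direction without leaving a moment with no filter in place.
interface Serial0/1/0
 ip access-group PERMIT-ACCESS out
 exit
end
!
! Verification (privileged EXEC):
!   show access-lists PERMIT-ACCESS
!   show ip interface Serial0/1/0 | include access list
```

The second verification command prints the "Outgoing access list is PERMIT-ACCESS" and "Inbound access list is not set" lines, which is the quickest way to confirm that the list is attached in the intended direction.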
5.3 PROTECTING VTY PORTS WITH A STANDARD ACL FOR IPV4
5.3.1 The access-class Command
The access-class command, entered in line configuration mode, applies an ACL to the VTY lines. With access-class <acl> in, only connections whose source address is permitted by the ACL can reach the device over SSH or Telnet; every other source hits the implicit deny. A standard ACL is enough here because the decision is made on the source address alone, and the filter governs sessions to the device itself rather than traffic passing through it. The same ACL must be applied to every VTY line, otherwise an unprotected line bypasses the restriction.
5.3.2 Example of secure VTY access
A secure VTY configuration restricts access to a small set of trusted addresses, typically the internal management network: create a standard ACL that permits that network and denies everything else, apply it with access-class ... in under line vty, and combine it with transport input ssh so that the sessions that are still allowed are encrypted.
5.3.3 Verifying VTY Port Security
Once the VTY lines are protected, verify that the restriction works as intended: a connection from an address inside the ACL must succeed and one from any other address must be refused before a login prompt appears. show access-lists shows a per-ACE match counter; with an explicit deny any as the last ACE, that counter increases on every refused attempt.
5.3.4 Syntax Checker - Protect VTY Ports
The Syntax Checker is the course's interactive exercise for practising these commands. Outside the course, test the configuration in a lab or simulator before applying it to a production device, and keep the current console session open while applying an access-class so that a mistake in the ACL cannot lock you out of the device.
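An added example of the VTY protection described above (not the page's own listing). It assumes 192.168.10.0/24 is the trusted management network, and the ACL name ADMIN-MGT, the username, the placeholder password and the VTY range 0 4 are likewise assumptions.

```cisco
! Added example: restrict SSH access to the device to one trusted admin subnet.
configure terminal
ip access-list standard ADMIN-MGT
 remark Trusted internal management network (assumed 192.168.10.0/24)
 permit 192.168.10.0 0.0.0.255
 remark Explicit deny so that refused attempts are counted and logged
 deny any log
 exit
!
! Local account for SSH logins (placeholder credentials)
username admin secret S3cure-Pass
!
! Apply the ACL to every VTY line the platform has; an unprotected line would
! bypass the restriction. List the existing lines with:
!   show running-config | section line vty
line vty 0 4
 login local
 transport input ssh
 access-class ADMIN-MGT in
 exit
end
!
! Verification (privileged EXEC):
!   show running-config | section line vty
!   show access-lists ADMIN-MGT
! Then open an SSH session from a 192.168.10.x host (must succeed) and from a
! host on another subnet (must be refused); the deny ACE counter rises on each
! refused attempt.
```

Remember that the ACL only checks the source IP address, so it narrows the attack surface but is not authentication: keep strong credentials and SSH in place behind it, and apply it from the console session rather than from a VTY session that the new ACL might cut off.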
5.4 Configure Extended IPv4 ACLs
Numbered extended ACL - created with the access-list access-list-number global configuration command, using a number from 100-199 or 2000-2699.
Named extended ACL - created with ip access-list extended access-list-name.
Named extended ACLs are created in essentially the same way as named standard ACLs; the difference is that each ACE can match on protocol, source and destination address, and port numbers, so both directions of a session can be controlled.
The topology in the figure is used to demonstrate the configuration and application of two pairs of named extended IPv4 ACLs to an interface:
SURFING - allows internal HTTP and HTTPS traffic to go out to the Internet.
BROWSING - allows only returning web traffic (established TCP sessions) back to the internal hosts, while all other traffic going out the R1 G0/0/0 interface is implicitly denied.
PERMIT-PC1 - allows only TCP access from PC1 to the Internet and denies all other hosts on the private network.
REPLY-PC1 - allows only the specified TCP traffic back to PC1 and implicitly denies all other traffic.
Edit Extended ACLs
R1# show access-lists
Extended IP access list BROWSING
10 permit tcp any 192.168.10.0 0.0.0.255 established
Extended IP access list SURFING
10 permit tcp 19.168.10.0 0.0.0.255 any eq www
20 permit tcp 192.168.10.0 0.0.0.255 any eq 443
Note the typo in ACE 10 of SURFING: the source network was entered as 19.168.10.0 instead of 192.168.10.0, so HTTP from the inside LAN never matches that ACE and falls through to the implicit deny. An error like this shows up as a match counter that never increases in show access-lists, and it is corrected with either the text editor method or the sequence number method (section 5.2).
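The full configuration of the two ACL pairs described above, added here as an example and not taken from the page. The inside network 192.168.10.0/24 and the ACL names come from the show output and the descriptions; that G0/0/0 is R1's LAN-facing interface (SURFING inbound, BROWSING outbound) follows from the BROWSING description; PC1 = 192.168.10.10 and the remark text are assumptions.

```cisco
! Added example: the SURFING/BROWSING and PERMIT-PC1/REPLY-PC1 pairs on R1.
configure terminal
ip access-list extended SURFING
 remark Inside hosts may start HTTP and HTTPS sessions to the Internet
 permit tcp 192.168.10.0 0.0.0.255 any eq www
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 exit
ip access-list extended BROWSING
 remark Only return traffic of TCP sessions started inside (ACK or RST bit set)
 permit tcp any 192.168.10.0 0.0.0.255 established
 exit
! G0/0/0 faces the LAN: inside-originated traffic enters it, replies leave it
interface GigabitEthernet0/0/0
 ip access-group SURFING in
 ip access-group BROWSING out
 exit
!
! Second pair: only PC1 (assumed 192.168.10.10) may open TCP sessions;
! every other inside host is dropped by the implicit deny.
ip access-list extended PERMIT-PC1
 remark Only PC1 gets TCP access to the Internet
 permit tcp host 192.168.10.10 any
 exit
ip access-list extended REPLY-PC1
 remark Only replies to sessions that PC1 started
 permit tcp any host 192.168.10.10 established
 exit
! An interface takes one ACL per direction, so applying this pair on G0/0/0
! would replace SURFING/BROWSING there; it is defined but not applied here.
end
!
! Verification (privileged EXEC):
!   show access-lists
!   show ip interface GigabitEthernet0/0/0 | include access list
```

Caveat on established: the keyword matches any TCP segment with the ACK or RST bit set and keeps no session state, so a crafted inbound segment with ACK set passes BROWSING or REPLY-PC1 regardless of whether an inside host ever started that session. It keeps unsolicited SYNs out, which is what the examples need; for genuinely stateful filtering, IOS offers reflexive ACLs or the zone-based firewall.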
5.2 MODIFICATION OF ACL FOR IPV4
5.2.1 Two methods to modify an ACL
ACLs often need adjusting after deployment, because they are complex and configuration errors are common; an ACL can be modified with a text editor or with sequence numbers.
5.2.2 Text editor method
Copy the ACL from the running configuration into a text editor, correct it there, remove the old list on the router and paste the corrected version back in. Planning and correcting all ACEs before they reach the router simplifies editing and prevents typing errors during configuration. Remove the list from the interface before deleting it: while an ACL referenced by ip access-group does not exist, IOS forwards all traffic on that interface.
5.2.3 Sequence number method
Each ACE carries a sequence number, assigned automatically in increments of 10 when the ACE is entered without one. In named ACL configuration mode, no <sequence-number> removes a single ACE and entering an ACE with an explicit sequence number inserts it at that position, so an ACL can be corrected in place while it stays applied. The sequence numbers are displayed by show access-lists but not by show running-config.
5.2.5 ACL Statistics
show access-lists shows a match counter per ACE, and clear access-list counters resets them. Matches on the implicit deny at the end of an ACL are not counted; to see how much traffic the list drops, add an explicit deny any (standard ACL) or deny ip any any (extended ACL) as the last ACE.
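The correction of the mistyped SURFING ACE from the Edit Extended ACLs output, carried through with both modification methods and the statistics commands from this section, as an added example that is not part of the page. It assumes SURFING is applied inbound on GigabitEthernet0/0/0; the ACE for port 8080 is a hypothetical extra web port included only to show an insertion between existing sequence numbers.

```cisco
! --- Sequence-number method: fix ACE 10 in place; the list stays applied ---
configure terminal
ip access-list extended SURFING
 no 10
 10 permit tcp 192.168.10.0 0.0.0.255 any eq www
 ! A number inside the gap between 10 and 20 inserts an ACE at that position
 ! (port 8080 is a hypothetical extra web port used only for the illustration)
 15 permit tcp 192.168.10.0 0.0.0.255 any eq 8080
 ! Entered without a number: gets the next increment of 10, i.e. sequence 30
 ! An explicit final deny makes dropped packets visible in show access-lists
 deny ip any any
 exit
end
show access-lists SURFING
! Expect ACEs 10, 15, 20 and 30 in that order; show running-config lists the
! same ACEs without sequence numbers.
!
! --- Text-editor method: replace the whole list with a corrected copy ---
! Detach the list first: while an ACL referenced by ip access-group does not
! exist, IOS forwards all traffic on that interface, so deleting the list while
! it is applied would leave the interface unfiltered until the paste finishes.
configure terminal
interface GigabitEthernet0/0/0
 no ip access-group SURFING in
 exit
no ip access-list extended SURFING
ip access-list extended SURFING
 remark Permit inside HTTP and HTTPS to the Internet
 permit tcp 192.168.10.0 0.0.0.255 any eq www
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 deny ip any any
 exit
interface GigabitEthernet0/0/0
 ip access-group SURFING in
 exit
end
!
! --- Statistics ---
show access-lists SURFING
! Each ACE is followed by "(N matches)"; the explicit deny now counts what the
! implicit deny would drop silently. Reset the counters after a change so that
! the next reading reflects only the corrected list:
clear access-list counters SURFING
```

Of the two methods, the sequence-number edit is the safer one on a production router because the list never leaves the interface; the text-editor rebuild is the better fit when most of the ACEs change at once.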