CCNA Access List Configuration Example on GNS3


What Is Access Control List?
An access control list (ACL) in data communication networks is a set of rules used to assign permissions, i.e. permit or deny, to an object such as a host or a network.

ACL Rules:
  • The list is processed from the top statement to the bottom; order matters, because once a statement matches, the remaining statements are ignored.
  • There is a default, invisible deny at the bottom of every access list. This means that if you have hosts such as 192.16.1.1, 192.16.1.2 and 192.16.1.100 in the network and you create an access list in which you only deny 192.16.1.100 from accessing the Internet, all the other hosts are also blocked by this rule. To correct this, you have to write another statement that permits any other host.
  • An ACL is applied to an interface in either the inbound or the outbound direction.
Types of Access Control List:
There are two main types of ACL
  1. Standard ACL
  2. Extended ACL
Standard ACL:
  • The ACL number range is 1-99
  • Always applied as close to the destination as possible
  • Lower processor utilization

Standard ACL Syntax:
Router(config)#access-list <1-99> deny|permit <host A.B.C.D | A.B.C.D wildcard-mask | any>
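To make the top-down and implicit-deny rules above concrete, here is an added Python evaluator (example code written for this page, not part of the original lab or of Cisco IOS) that parses entries in the syntax just shown and decides permit or deny for a source address. The ACL_BROKEN and ACL_REVERSED lists are constructed to show the pitfall described in the rules section and the ordering rule.

```python
import ipaddress

# Constructed evaluator (added example, not from the original lab) for Cisco-style
# standard ACLs. It reproduces the two rules the post stresses: top-down first
# match, and the invisible "deny any" at the end of every list.

def parse_entry(line):
    """Parse 'access-list <n> permit|deny host A.B.C.D | A.B.C.D WILDCARD | any'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError("not a standard ACL entry: %r" % line)
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: %r" % action)
    target = parts[3:]
    if target == ["any"]:
        net, wildcard = 0, 0xFFFFFFFF
    elif target[0] == "host":
        net, wildcard = int(ipaddress.IPv4Address(target[1])), 0
    elif len(target) == 2:
        # IOS wildcard mask: 0 bits must match, 1 bits are ignored
        net = int(ipaddress.IPv4Address(target[0]))
        wildcard = int(ipaddress.IPv4Address(target[1]))
    else:
        # A bare address with no wildcard is a host match, as on IOS
        net, wildcard = int(ipaddress.IPv4Address(target[0])), 0
    return action, net, wildcard

def evaluate(acl_lines, source_ip):
    """Return 'permit' or 'deny' for source_ip: the first matching entry wins."""
    src = int(ipaddress.IPv4Address(source_ip))
    for line in acl_lines:
        action, net, wildcard = parse_entry(line)
        care = ~wildcard & 0xFFFFFFFF      # bits the wildcard says to compare
        if (src & care) == (net & care):
            return action
    return "deny"   # implicit deny at the bottom of every list

# The post's objective-1 list: deny one host, permit everyone else
ACL_1 = ["access-list 1 deny host 172.16.2.10",
         "access-list 1 permit any"]
# The pitfall from the rules section: only the deny line, no 'permit any'
ACL_BROKEN = ["access-list 1 deny host 172.16.2.10"]
# Same two lines in the wrong order: the deny is never reached
ACL_REVERSED = list(reversed(ACL_1))

if __name__ == "__main__":
    for ip in ("172.16.2.10", "172.16.2.11"):
        print(ip, [evaluate(a, ip) for a in (ACL_1, ACL_BROKEN, ACL_REVERSED)])
```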

The access-list practice lab diagram is as follows:

Objective:
  1. Block the Qemu5 host from accessing the Qemu3 host
  2. Use a standard ACL to block the Qemu5 host from telnetting to R1

Lab Configuration:
For the basic IP and RIP configuration, see RIP on GNS3 and Qemu host configuration.

R3 ACL Configuration (objective 1):
R3(config)#access-list 1 deny host 172.16.2.10
R3(config)#access-list 1 permit any
R3(config)#int f1/0
R3(config-if)#ip access-group 1 out
R1 ACL Configuration (objective 2):
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#^Z

R1#conf t
R1(config)#access-list 2 deny 172.16.2.10
R1(config)#access-list 2 permit any
R1(config)#line vty 0 4
R1(config-line)#access-class 2 in

Access Control List Verification Commands:

  • Ping from 172.16.2.10 to 10.2.2.20 and 10.2.2.50 is unsuccessful
  • Telnet from 172.16.2.10 to R1 fails

1 comment:

  1. You can use access-class on the vty line to deny telnet but still be able to use ping.