Right now we'll make use of access lists to do some access control. We'll have four requirements as follows:
1) Standard - Prevent Host B from accessing Host C.
2) Standard - Prevent Host B from using Telnet or SSH protocols to communicate with R1.
3) Extended - Prevent Host B from accessing R2 WAN link.
4) Extended - Prevent Host B from accessing www.google.com
To set up an access-list, there are two ways. The old way is the numbered access-list. The syntax is as follows:
access-list 1 permit deny 192.169.20.20
For numbered lists, 1-99 are standard and 100-199 are extended.
Another newer method is the IP access list, which is created through:
ip access-l standard LIST
deny 192.169.20.20
To see existing access lists:
show access-l
A rule of thumb is that standard ACLs are to be placed as near to the destination as possible, while extended should be placed nearer to the source.
For scenario 1, we actually need to put the access-list in R3's F0/0 interface going outbound. We'll need to first make this access-list:
access-l 1 deny 192.169.20.20
access-l 1 permit any
Now we'll need to apply it outbound:
conf t
in f0/0
ip access-g 1 out
Now the pings between Host B and C should be failing. Everything else should be able to ping C.
Now we'll work to deny Host B from Telnetting or SSHing into R1. To do this, we use the access-list in the VTY lines instead. Go onto R1, and create the same access-list:
access-l 1 deny 192.169.20.20
access-l 1 permit any
Go into the line and apply it:
line vty 0 4
access-class 1 in
Everything should be able to telnet into R1 except Host B.
No comments :
Post a Comment