Tuesday, November 25, 2014

Working With ACL (Exam Topic 6-F/G)



In the following example we will create a named extended ACL that permits the 192.168.2.0/24 network telnet and FTP access only to the R2 Serial 0/0 interface. S 0/0 on R2 has an IP of 10.3.1.2; we still want traffic from that network to pass through this interface to any other adjacent network.
 
The first step is to enter global config mode. Once in global config we will create the ACL named telnet and add our first rule.
       Create the named ACL: ip access-list extended telnet
       Create a rule to allow telnet and FTP to the S 0/0 interface: 6 permit tcp 192.168.2.0 0.0.0.255 host 10.3.1.2 range 21 23
Note: you can leave the rule number out and let the IOS assign it automatically; in this example I chose 6.
Note: Direction - IN and OUT are always from the router's point of view.


Next we will deny all other traffic from the 192.168.2.0/24 network to that interface.
Note: by default the last rule is an implicit deny all, but since we are adding an allow all as the last rule we need to deny the remaining traffic from the 192.168.2.0/24 network ourselves.

Finally we will add the last rule, which allows all other traffic.

Now we are ready to apply our newly created ACL to an interface.
Note: we want to place this ACL as close to the source as possible. Network 192.168.2.0/24 is attached to interface fas 0/0, with traffic flowing into this interface, so the ACL is applied there in the inbound direction.

Now let's test.
First, let's see if we can send ICMP traffic to 10.3.1.2 from 192.168.2.2.
We cannot, because only FTP and telnet traffic is allowed to S 0/0 from 192.168.2.0/24.


Now let's try to telnet to 10.3.1.2.
We are successful, but I did not set a VTY password.

Let's try to send traffic through that interface.
We are successful because the ICMP traffic matches rule 100, the allow all.
We can take a look at the number of hits each rule received.
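As an added example (not from the post and not IOS itself), here is a small Python model of this ACL's first-match evaluation that replays the post's three tests and the per-rule hit counts. It assumes sequence number 10 for the deny line, takes that line as "deny ip 192.168.2.0 0.0.0.255 host 10.3.1.2" (which is what the successful ping through S 0/0 implies), and uses 172.16.0.10 as a constructed host beyond S 0/0.

```python
import ipaddress
from dataclasses import dataclass

# Mirrors the post's named ACL "telnet"; sequence 10 for the deny is an assumption:
#   6 permit tcp 192.168.2.0 0.0.0.255 host 10.3.1.2 range 21 23
#   10 deny ip 192.168.2.0 0.0.0.255 host 10.3.1.2
#   100 permit ip any any      (applied inbound on Fa0/0: ip access-group telnet in)

@dataclass
class Rule:
    seq: int
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "icmp", or "ip" (matches any protocol)
    src: str           # "any", "host A.B.C.D", or "network wildcard-mask"
    dst: str
    dports: tuple = None   # inclusive destination port range, e.g. (21, 23)
    hits: int = 0          # the per-line counter "show access-lists" displays

def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int = None) -> str:
    """First match wins, top-down by sequence; no match falls to the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.proto not in ("ip", proto) or not (wildcard_match(src, rule.src) and wildcard_match(dst, rule.dst)):
            continue
        if rule.dports and (dport is None or not rule.dports[0] <= dport <= rule.dports[1]):
            continue
        rule.hits += 1
        return rule.action
    return "deny"   # implicit "deny ip any any" at the end of every IOS ACL

def telnet_acl() -> list:
    return [Rule(6, "permit", "tcp", "192.168.2.0 0.0.0.255", "host 10.3.1.2", (21, 23)),
            Rule(10, "deny", "ip", "192.168.2.0 0.0.0.255", "host 10.3.1.2"),
            Rule(100, "permit", "ip", "any", "any")]

def run_post_tests(acl: list) -> dict:
    """The post's three checks; 172.16.0.10 is a constructed host beyond S 0/0."""
    return {"ping_s0/0": evaluate(acl, "icmp", "192.168.2.2", "10.3.1.2"),
            "telnet_s0/0": evaluate(acl, "tcp", "192.168.2.2", "10.3.1.2", 23),
            "ping_through": evaluate(acl, "icmp", "192.168.2.2", "172.16.0.10"),
            "hits": {r.seq: r.hits for r in acl}}
```

One thing the model makes visible: "range 21 23" also matches destination port 22, so the permit is a little wider than "telnet and FTP".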


