Monday, February 24, 2014

IPv6 Access Control List (2)


This lab permits only the network prefix 2001:aaaa::/64 to access the network prefix 2001:bbbb::/64, and denies the network prefix 2001:cccc::/64 access to the network prefix 2001:bbbb::/64.


**********  IPv6 ACL config **********
==============================================
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:BBBB::1/64
 ipv6 traffic-filter ipv6acl2 out


ipv6 access-list ipv6acl2
 permit ipv6 2001:AAAA::/64 2001:BBBB::/64
 deny ipv6 2001:CCCC::/64 2001:BBBB::/64
 permit ipv6 any any

!        

==============================================
v6acl#show ipv6 access-list ipv6acl2
IPv6 access list ipv6acl2
    permit ipv6 2001:AAAA::/64 2001:BBBB::/64 (20 matches) sequence 10
    deny ipv6 2001:CCCC::/64 2001:BBBB::/64 (25 matches) sequence 20
    permit ipv6 any any sequence 30
v6acl#
==============================================

VPCS[2]> ping 2001:bbbb::3  

*2001:cccc::1 icmp6_seq=1 ttl=64 time=78.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=2 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=3 ttl=64 time=63.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=4 ttl=64 time=78.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=5 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)

VPCS[2]>
VPCS[2]>
VPCS[2]>
VPCS[2]> ping 2001:bbbb::2

*2001:cccc::1 icmp6_seq=1 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=2 ttl=64 time=46.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=3 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=4 ttl=64 time=46.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=5 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)




VPCS[1]> ping 2001:bbbb::2

2001:bbbb::2 icmp6_seq=1 ttl=62 time=109.000 ms
2001:bbbb::2 icmp6_seq=2 ttl=62 time=78.000 ms
2001:bbbb::2 icmp6_seq=3 ttl=62 time=78.000 ms
2001:bbbb::2 icmp6_seq=4 ttl=62 time=78.000 ms
2001:bbbb::2 icmp6_seq=5 ttl=62 time=94.000 ms

VPCS[1]> ping 2001:bbbb::3

2001:bbbb::3 icmp6_seq=1 ttl=62 time=109.000 ms
2001:bbbb::3 icmp6_seq=2 ttl=62 time=78.000 ms
2001:bbbb::3 icmp6_seq=3 ttl=62 time=78.000 ms
2001:bbbb::3 icmp6_seq=4 ttl=62 time=78.000 ms
2001:bbbb::3 icmp6_seq=5 ttl=62 time=63.000 ms

VPCS[1]>



IPv6 Access Control List (1)


This lab permits only host C3 (IPv6 address 2001:aaaa::4/64) to access server S1 on port 80, denies every other host access to server S1 on port 80, and permits any other IPv6 traffic.

v6acl#show ipv6 access-list ipv6acl
IPv6 access list ipv6acl
    permit tcp host 2001:AAAA::4 host 2001:BBBB::2 eq www (54 matches) sequence 10
    deny tcp any host 2001:BBBB::2 eq www (30 matches) sequence 20
    permit ipv6 any any (10 matches) sequence 30

v6acl#
v6acl#




================================
!
hostname v6acl
!
!
ipv6 unicast-routing
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:AAAA::1/64
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:BBBB::1/64
 ipv6 traffic-filter ipv6acl out
!
!
!
logging alarm informational
!
!
!
!
!
!
ipv6 access-list ipv6acl
 permit tcp host 2001:AAAA::4 host 2001:BBBB::2 eq www
 deny tcp any host 2001:BBBB::2 eq www
 permit ipv6 any any

!
!
end
================================


Time Access Control List



This is a time-based access control list lab. The objective is to permit host C1 (IP: 192.168.1.3/24) to access server S1 on port 80 on Monday and Thursday from 08:00 to 17:00; other hosts cannot access S1 at any time.



========================================================
timeacl#sh access-lists 110
Extended IP access list 110
    10 permit tcp host 192.168.1.3 host 172.22.0.10 eq www time-range access-time (active) (50 matches)
    20 deny tcp any host 172.22.0.10 eq www (42 matches)
    30 permit ip any any (102 matches)

timeacl#
timeacl#

========================================================
*****  C3 IP address : 192.168.1.3  *****

C3> ping 172.22.0.10 -3 -p 80
Connect   80@172.22.0.10 seq=1 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=1 ttl=63 time=63.000 ms
Close     80@172.22.0.10 seq=1 ttl=63 time=110.000 ms
Connect   80@172.22.0.10 seq=2 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=2 ttl=63 time=62.000 ms
Close     80@172.22.0.10 seq=2 ttl=63 time=109.000 ms
Connect   80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
Close     80@172.22.0.10 seq=3 ttl=63 time=94.000 ms
Connect   80@172.22.0.10 seq=4 ttl=63 time=93.000 ms
SendData  80@172.22.0.10 seq=4 ttl=63 time=94.000 ms
Close     80@172.22.0.10 seq=4 ttl=63 time=125.000 ms
Connect   80@172.22.0.10 seq=5 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=5 ttl=63 time=78.000 ms
Close     80@172.22.0.10 seq=5 ttl=63 time=109.000 ms

C3>


========================================================

****  C1 IP address : 192.168.1.1  ****

C1> ping 172.22.0.10 -3 -p 80
*192.168.1.254 tcp_seq=1 ttl=255 time=63.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=3 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=5 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)

C1>
========================================================



!
!
hostname timeacl
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.22.0.254 255.255.255.0
 ip access-group 110 out
 duplex auto
 speed auto
!
!
!
logging alarm informational
access-list 110 permit tcp host 192.168.1.3 host 172.22.0.10 eq www time-range access-time
access-list 110 deny   tcp any host 172.22.0.10 eq www
access-list 110 permit ip any any

!
time-range access-time
 periodic Monday Thursday 8:00 to 17:00

!
end
========================================================
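How the periodic statement decides which entry of access-list 110 is in effect at a given moment, as an added example that is not part of the original post. parse_periodic(), is_active() and governing_entry() are my own names, the list is reduced to the two entries that matter for 192.168.1.3, and treating the end minute as inclusive is an assumption, not something the lab output settles.

```python
from datetime import datetime, time

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}

def parse_periodic(stmt):
    # 'periodic <day names...> hh:mm to hh:mm' -> (weekday set, start, end).
    # The day names are a list, so "Monday Thursday" means those two days,
    # not Monday through Thursday. The 'start-day hh:mm to end-day hh:mm'
    # spanning form is not handled here.
    tok = stmt.split()
    if tok[0] != "periodic" or tok[-2] != "to":
        raise ValueError("unsupported time-range statement: " + stmt)
    days = set()
    for name in tok[1:-3]:
        days |= GROUPS.get(name.lower()) or {DAYS.index(name.lower())}
    start = time(*map(int, tok[-3].split(":")))
    end = time(*map(int, tok[-1].split(":")))
    return days, start, end

def is_active(rng, at):
    # True when the range is in effect at `at` (a datetime or ISO-8601 string).
    # Assumption: the end time is inclusive to the minute. IOS compares against
    # the router clock, so an unsynchronised clock silently shifts the window.
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    days, start, end = rng
    minute = at.time().replace(second=0, microsecond=0)
    return at.weekday() in days and start <= minute <= end

# Statement copied from the lab's running-config.
ACCESS_TIME = parse_periodic("periodic Monday Thursday 8:00 to 17:00")

def governing_entry(at):
    # Which entry of access-list 110 decides 192.168.1.3 -> 172.22.0.10:80 at
    # `at`: entry 10 permits while access-time is active; otherwise IOS skips it
    # and the flow falls through to entry 20, the deny every other host hits.
    return ("permit", 10) if is_active(ACCESS_TIME, at) else ("deny", 20)
```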

Named Access Control List


This lab uses a named access control list: only host C3 (IP: 192.168.1.3/24) is permitted to access server S1 (IP: 172.22.0.10/24) on port 80, and other hosts cannot access S1 on port 80.




NAME   IP/MASK              GATEWAY           MAC                LPORT  RHOST:PORT
C1  192.168.1.1/24       192.168.1.254     00:50:79:66:68:00  20000  127.0.0.1:30000
       fe80::250:79ff:fe66:6800/64
C2  192.168.1.2/24       192.168.1.254     00:50:79:66:68:01  20001  127.0.0.1:30001
       fe80::250:79ff:fe66:6801/64
C3  192.168.1.3/24       192.168.1.254     00:50:79:66:68:02  20002  127.0.0.1:30002
       fe80::250:79ff:fe66:6802/64
       2001:2::1/64
S1  172.22.0.10/24       172.22.0.254      00:50:79:66:68:03  20003  127.0.0.1:30003
       fe80::250:79ff:fe66:6803/64
       2001:2::2/64
S2  172.22.0.11/24       172.22.0.254      00:50:79:66:68:04  20004  127.0.0.1:30004
       fe80::250:79ff:fe66:6804/64
       2001:3::2/64



C1> ping 172.22.0.10
172.22.0.10 icmp_seq=1 timeout
172.22.0.10 icmp_seq=2 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=63.000 ms



C1> ping 172.22.0.10 -3 -p 80
*192.168.1.254 tcp_seq=1 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=3 ttl=255 time=31.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=5 ttl=255 time=46.000 ms (ICMP type:3, code:13, Communication administratively prohibited)



C2> ping 172.22.0.10
172.22.0.10 icmp_seq=1 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=2 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=94.000 ms

C2> ping 172.22.0.10 -3 -p 80
*192.168.1.254 tcp_seq=1 ttl=255 time=93.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=3 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=5 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)




C3> ping 172.22.0.10
172.22.0.10 icmp_seq=1 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=2 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=109.000 ms



C3> ping 172.22.0.10 -3 -p 80
Connect   80@172.22.0.10 seq=1 ttl=63 time=93.000 ms
SendData  80@172.22.0.10 seq=1 ttl=63 time=78.000 ms
Close     80@172.22.0.10 seq=1 ttl=63 time=94.000 ms
Connect   80@172.22.0.10 seq=2 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=2 ttl=63 time=79.000 ms
Close     80@172.22.0.10 seq=2 ttl=63 time=94.000 ms
Connect   80@172.22.0.10 seq=3 ttl=63 time=79.000 ms
SendData  80@172.22.0.10 seq=3 ttl=63 time=94.000 ms
Close     80@172.22.0.10 seq=3 ttl=63 time=110.000 ms
Connect   80@172.22.0.10 seq=4 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=4 ttl=63 time=62.000 ms
Close     80@172.22.0.10 seq=4 ttl=63 time=125.000 ms
Connect   80@172.22.0.10 seq=5 ttl=63 time=62.000 ms
SendData  80@172.22.0.10 seq=5 ttl=63 time=62.000 ms
Close     80@172.22.0.10 seq=5 ttl=63 time=110.000 ms





nameacl#show access-lists acl-out
Extended IP access list acl-out
    10 permit tcp host 192.168.1.3 host 172.22.0.10 eq www (25 matches)
    20 deny tcp any host 172.22.0.10 eq www (12 matches)
    30 permit ip any any (15 matches)

nameacl#


================================
!
hostname nameacl
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.22.0.254 255.255.255.0
 ip access-group acl-out out
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended acl-out
 permit tcp host 192.168.1.3 host 172.22.0.10 eq www
 deny   tcp any host 172.22.0.10 eq www
 permit ip any any

!
logging alarm informational
!
!
end
================================

Sunday, February 23, 2014

Extended Access Control List


This lab uses an extended access control list: only host C3 (IP: 192.168.1.3/24) is permitted to access server S1 (IP: 172.22.0.10/24) on port 80, and other hosts cannot access S1 on port 80.


C1> ping 172.22.0.10
172.22.0.10 icmp_seq=1 timeout
172.22.0.10 icmp_seq=2 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=79.000 ms


C1> ping 172.22.0.10 -3 -p 80
*192.168.1.254 tcp_seq=1 ttl=255 time=63.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=3 ttl=255 time=79.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=5 ttl=255 time=63.000 ms (ICMP type:3, code:13, Communication administratively prohibited)



C3> ping 172.22.0.10
172.22.0.10 icmp_seq=1 timeout
172.22.0.10 icmp_seq=2 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=79.000 ms



C3> ping 172.22.0.10 -3 -p 80
Connect   80@172.22.0.10 seq=1 ttl=63 time=94.000 ms
SendData  80@172.22.0.10 seq=1 ttl=63 time=63.000 ms
Close     80@172.22.0.10 seq=1 ttl=63 time=94.000 ms
Connect   80@172.22.0.10 seq=2 ttl=63 time=93.000 ms
SendData  80@172.22.0.10 seq=2 ttl=63 time=62.000 ms
Close     80@172.22.0.10 seq=2 ttl=63 time=78.000 ms
Connect   80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
Close     80@172.22.0.10 seq=3 ttl=63 time=94.000 ms
Connect   80@172.22.0.10 seq=4 ttl=63 time=94.000 ms
SendData  80@172.22.0.10 seq=4 ttl=63 time=63.000 ms
Close     80@172.22.0.10 seq=4 ttl=63 time=94.000 ms
Connect   80@172.22.0.10 seq=5 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=5 ttl=63 time=79.000 ms
Close     80@172.22.0.10 seq=5 ttl=63 time=125.000 ms



=======================================

extacl#
extacl#sh access-lists 100
Extended IP access list 100
    10 permit tcp host 192.168.1.3 host 172.22.0.10 eq www (25 matches)
    20 deny tcp any host 172.22.0.10 eq www (6 matches)
    30 permit ip any any (5 matches)

extacl#

=======================================
 !
hostname extacl
!

!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.22.0.254 255.255.255.0
 ip access-group 100 out
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 100 permit tcp host 192.168.1.3 host 172.22.0.10 eq www
access-list 100 deny   tcp any host 172.22.0.10 eq www
access-list 100 permit ip any any

!
!
!
end
=======================================


Standard Access Control List

The objective of this lab is to permit host C3 (IP address 192.168.1.3/24) to access the network prefix 172.22.0.0/24; all other hosts are denied.


NAME   IP/MASK              GATEWAY           MAC                LPORT  RHOST:PORT
C1  192.168.1.1/24       192.168.1.254     00:50:79:66:68:00  20000  127.0.0.1:30000
       fe80::250:79ff:fe66:6800/64
C2  192.168.1.2/24       192.168.1.254     00:50:79:66:68:01  20001  127.0.0.1:30001
       fe80::250:79ff:fe66:6801/64
C3  192.168.1.3/24       192.168.1.254     00:50:79:66:68:02  20002  127.0.0.1:30002
       fe80::250:79ff:fe66:6802/64
       2001:2::1/64
S1  172.22.0.10/24       172.22.0.254      00:50:79:66:68:03  20003  127.0.0.1:30003
       fe80::250:79ff:fe66:6803/64
       2001:2::2/64
S2  172.22.0.11/24       172.22.0.254      00:50:79:66:68:04  20004  127.0.0.1:30004
       fe80::250:79ff:fe66:6804/64
       2001:3::2/64

C1> ping 172.22.0.10
*192.168.1.254 icmp_seq=1 ttl=255 time=48.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 icmp_seq=2 ttl=255 time=42.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 icmp_seq=3 ttl=255 time=31.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 icmp_seq=4 ttl=255 time=41.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 icmp_seq=5 ttl=255 time=33.000 ms (ICMP type:3, code:13, Communication administratively prohibited)


C3> ping 172.22.0.10
172.22.0.10 icmp_seq=1 ttl=63 time=32.000 ms
172.22.0.10 icmp_seq=2 ttl=63 time=56.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=36.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=59.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=32.000 ms

VPCS[3]>



stacl#
stacl#sh access-list 10
Standard IP access list 10
    10 permit 192.168.1.3 (5 matches)
stacl#
stacl#


=====================================
!
!
hostname stacl
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.22.0.254 255.255.255.0
 ip access-group 10 out
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 10 permit 192.168.1.3
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!

!
webvpn cef
!
end


=====================================
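A first-match evaluator for the lists in all of the labs above (standard 10, extended 100, time-based 110, named acl-out, ipv6acl and ipv6acl2), as an added example that is not part of the original post: parse_ace() reads the subset of IOS ACE syntax those configs use, and evaluate() walks the entries in order, skips an entry whose time-range is not in the caller's active set, and returns the implicit deny when nothing matches. The packet dicts, function names and port table are my own; the implicit neighbor-discovery permits that IOS adds to IPv6 ACLs are not modelled.

```python
import ipaddress

def _endpoint(tok):
    # Consume 'any' | 'host X' | 'prefix/len' plus an optional 'eq <port>'.
    if tok[0] == "any":
        net, tok = None, tok[1:]  # None means match-all
    elif tok[0] == "host":
        net, tok = ipaddress.ip_network(tok[1]), tok[2:]
    else:
        net, tok = ipaddress.ip_network(tok[0], strict=False), tok[1:]
    if tok[:1] == ["eq"]:  # 'www' is the only port keyword the lab configs use
        return net, int({"www": 80}.get(tok[1], tok[1])), tok[2:]
    return net, None, tok

def parse_ace(line):
    # IOS ACE subset used by the labs; a standard entry such as
    # "permit 192.168.1.3" carries no protocol and no destination.
    tok = line.split()
    action, proto, tok = tok[0], "ip", tok[1:]
    if tok[0] in ("ip", "ipv6", "tcp", "udp", "icmp"):
        proto, tok = tok[0], tok[1:]
    src, sport, tok = _endpoint(tok)
    dst, dport = None, None
    if tok and tok[0] != "time-range":
        dst, dport, tok = _endpoint(tok)
    trange = tok[1] if tok[:1] == ["time-range"] else None
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, time_range=trange)
def _match(ace, pkt):
    if ace["proto"] not in ("ip", "ipv6", pkt["proto"]):
        return False
    for end in ("src", "dst"):
        if ace[end] is not None and ipaddress.ip_address(pkt[end]) not in ace[end]:
            return False
    return all(ace[p] is None or pkt.get(p) == ace[p] for p in ("sport", "dport"))
def evaluate(acl, pkt, active_ranges=()):
    # First match wins; an ACE whose time-range is inactive is skipped; a packet
    # that matches nothing hits the implicit "deny any" that IOS appends.
    for n, ace in enumerate(acl, 1):
        if not ace["time_range"] or ace["time_range"] in active_ranges:
            if _match(ace, pkt):
                return ace["action"], n * 10  # IOS sequence numbers 10, 20, ...
    return "deny", None

# ACLs copied from the lab configs; packets handed to evaluate() are constructed.
ACL10 = [parse_ace("permit 192.168.1.3")]
ACL100 = [parse_ace(l) for l in ("permit tcp host 192.168.1.3 host 172.22.0.10 eq www",
    "deny tcp any host 172.22.0.10 eq www", "permit ip any any")]
IPV6ACL = [parse_ace(l) for l in ("permit tcp host 2001:AAAA::4 host 2001:BBBB::2 eq www",
    "deny tcp any host 2001:BBBB::2 eq www", "permit ipv6 any any")]
```

Each result pairs the action with the sequence number of the entry that decided it, which is the same entry whose match counter increments in the show access-lists output above.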