Ccna routing and Switching Complete Study Guide

Configuring and Verifying Extended Access Lists

Download 28,65 Mb.

1 ... 1128 1129 1130 1131 1132 1133 1134 1135 ... 1268

Bog'liq
Todd Lammle-CCNA Routing and Switching Complete Study Guide Exam 100-105, Exam 200-105, Exam 200-125-Sybex (2016)

Configuring and Verifying Extended Access Lists

Even though I went through some very basic troubleshooting with ACLs earlier in this

chapter, let’s dig a little deeper to make sure we really understand extended named ACLs

before hitting IPv6.

First off, you should be familiar with ACLs from your ICND1 studies; if not, head

back and read that chapter, including the standard and extended ACLs section. I’m going

to focus solely on extended named ACLs, since that is what the ICND2 objectives are all

about.

As you know, standard access lists focus only on IP or IPv6 source addresses.

Extended ACLs, however, filter based on the source and destination layer 3 addresses

at a minimum, but in addition can filter using the protocol field in the IP header (Next

Header field in IPv6), as well as the source and destination port numbers at layer 4, all

shown in Figure 20.3

f I g u r e 2 0 . 3 Extended ACLs

An Example from a TCP/IP Packet

Port Number

Packet

(IP Header)

Segment

(e.g. TCP Header)

Data

Frame Header

(e.g. HDLC)

Protocol

Source Address

Destination Address

Deny

Permit

ACL to Test

the Packet

Using the network layout in Figure 20.1, let’s create an extended named ACL that blocks

Telnet to the 172.16.20.254 server from 10.1.1.10. It’s an extended list, so we’ll place it

closest to the source address as possible.

Step 1: Test that you can telnet to the remote host.

R1#

Download 28,65 Mb.

Do'stlaringiz bilan baham:

1 ... 1128 1129 1130 1131 1132 1133 1134 1135 ... 1268