IPv6 Access Control List (2)
This lab permits traffic from the prefix 2001:aaaa::/64 to the prefix 2001:bbbb::/64 and denies traffic from 2001:cccc::/64 to 2001:bbbb::/64; the closing permit ipv6 any any leaves every other flow open. The list is applied outbound on FastEthernet0/1, the interface facing 2001:bbbb::/64, so it is consulted only for packets the router forwards towards that network. Every IPv6 ACL ends with an implicit deny ipv6 any any, preceded only by implicit permits for Neighbor Discovery (nd-ns and nd-na), so the explicit permit ipv6 any any is what keeps unrelated traffic flowing; the first entry is redundant with it and only documents the intent. In the output below, VPCS[2] is the host whose packets are rejected: the replies come from the router's 2001:cccc::1 address as ICMPv6 Destination Unreachable, code 1 (communication with destination administratively prohibited), which is how an ACL drop looks to the sender. VPCS[1] reaches both 2001:bbbb::2 and 2001:bbbb::3.
********** IPv6 ACL config **********
==============================================
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address 2001:BBBB::1/64
ipv6 traffic-filter ipv6acl2 out
ipv6 access-list ipv6acl2
permit ipv6 2001:AAAA::/64 2001:BBBB::/64
deny ipv6 2001:CCCC::/64 2001:BBBB::/64
permit ipv6 any any
!
==============================================
v6acl#show ipv6 access-list ipv6acl2
IPv6 access list ipv6acl2
permit ipv6 2001:AAAA::/64 2001:BBBB::/64 (20 matches) sequence 10
deny ipv6 2001:CCCC::/64 2001:BBBB::/64 (25 matches) sequence 20
permit ipv6 any any sequence 30
v6acl#
==============================================
VPCS[2]> ping 2001:bbbb::3
*2001:cccc::1 icmp6_seq=1 ttl=64 time=78.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=2 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=3 ttl=64 time=63.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=4 ttl=64 time=78.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=5 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
VPCS[2]> ping 2001:bbbb::2
*2001:cccc::1 icmp6_seq=1 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=2 ttl=64 time=46.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=3 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=4 ttl=64 time=46.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:cccc::1 icmp6_seq=5 ttl=64 time=47.000 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
VPCS[1]> ping 2001:bbbb::2
2001:bbbb::2 icmp6_seq=1 ttl=62 time=109.000 ms
2001:bbbb::2 icmp6_seq=2 ttl=62 time=78.000 ms
2001:bbbb::2 icmp6_seq=3 ttl=62 time=78.000 ms
2001:bbbb::2 icmp6_seq=4 ttl=62 time=78.000 ms
2001:bbbb::2 icmp6_seq=5 ttl=62 time=94.000 ms
VPCS[1]> ping 2001:bbbb::3
2001:bbbb::3 icmp6_seq=1 ttl=62 time=109.000 ms
2001:bbbb::3 icmp6_seq=2 ttl=62 time=78.000 ms
2001:bbbb::3 icmp6_seq=3 ttl=62 time=78.000 ms
2001:bbbb::3 icmp6_seq=4 ttl=62 time=78.000 ms
2001:bbbb::3 icmp6_seq=5 ttl=62 time=63.000 ms
VPCS[1]>
Monday, February 24, 2014
IPv6 Access Control List (1)
This lab permits only host C3 (IPv6 address 2001:aaaa::4/64) to reach server S1 (2001:bbbb::2) on TCP port 80, denies every other host access to S1 on port 80, and permits all remaining IPv6 traffic. The list is applied outbound on FastEthernet0/1, the S1 side, and the order of its three entries is what makes it work: IOS stops at the first matching entry, so the host-specific permit must precede deny tcp any host 2001:BBBB::2 eq www, and the final permit ipv6 any any must be present because an IPv6 ACL otherwise ends in an implicit deny (only Neighbor Discovery is implicitly permitted).
v6acl#show ipv6 access-list ipv6acl
IPv6 access list ipv6acl
permit tcp host 2001:AAAA::4 host 2001:BBBB::2 eq www (54 matches) sequence 10
deny tcp any host 2001:BBBB::2 eq www (30 matches) sequence 20
permit ipv6 any any (10 matches) sequence 30
v6acl#
v6acl#
================================
!
hostname v6acl
!
!
ipv6 unicast-routing
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 2001:AAAA::1/64
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address 2001:BBBB::1/64
ipv6 traffic-filter ipv6acl out
!
!
!
logging alarm informational
!
!
!
!
!
!
ipv6 access-list ipv6acl
permit tcp host 2001:AAAA::4 host 2001:BBBB::2 eq www
deny tcp any host 2001:BBBB::2 eq www
permit ipv6 any any
!
!
end
================================
Time Access Control List
This is a time-based access control list lab. The objective is to permit host C3 (IP 192.168.1.3/24) to reach server S1 on TCP port 80 only on Monday and Thursday between 08:00 and 17:00, and to deny every other host access to S1 on port 80 at any time; all other traffic is still permitted by the final permit ip any any. Note that periodic Monday Thursday names those two days only, not Monday through Thursday. Outside the time range the first entry is inactive and C3's HTTP traffic falls through to the deny, so the result depends entirely on the router's clock: check it with show clock (and keep it synchronized, for example with NTP) before trusting the (active) or (inactive) flag that show access-lists prints next to the entry.
========================================================
timeacl#sh access-lists 110
Extended IP access list 110
10 permit tcp host 192.168.1.3 host 172.22.0.10 eq www time-range access-time (active) (50 matches)
20 deny tcp any host 172.22.0.10 eq www (42 matches)
30 permit ip any any (102 matches)
timeacl#
timeacl#
========================================================
***** C3 IP address : 192.168.1.3 *****
C3> ping 172.22.0.10 -3 -p 80
Connect 80@172.22.0.10 seq=1 ttl=63 time=78.000 ms
SendData 80@172.22.0.10 seq=1 ttl=63 time=63.000 ms
Close 80@172.22.0.10 seq=1 ttl=63 time=110.000 ms
Connect 80@172.22.0.10 seq=2 ttl=63 time=78.000 ms
SendData 80@172.22.0.10 seq=2 ttl=63 time=62.000 ms
Close 80@172.22.0.10 seq=2 ttl=63 time=109.000 ms
Connect 80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
SendData 80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
Close 80@172.22.0.10 seq=3 ttl=63 time=94.000 ms
Connect 80@172.22.0.10 seq=4 ttl=63 time=93.000 ms
SendData 80@172.22.0.10 seq=4 ttl=63 time=94.000 ms
Close 80@172.22.0.10 seq=4 ttl=63 time=125.000 ms
Connect 80@172.22.0.10 seq=5 ttl=63 time=78.000 ms
SendData 80@172.22.0.10 seq=5 ttl=63 time=78.000 ms
Close 80@172.22.0.10 seq=5 ttl=63 time=109.000 ms
C3>
========================================================
**** C1 IP address : 192.168.1.1 ****
C1> ping 172.22.0.10 -3 -p 80
*192.168.1.254 tcp_seq=1 ttl=255 time=63.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=3 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=5 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
C1>
========================================================
!
!
hostname timeacl
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.22.0.254 255.255.255.0
ip access-group 110 out
duplex auto
speed auto
!
!
!
logging alarm informational
access-list 110 permit tcp host 192.168.1.3 host 172.22.0.10 eq www time-range access-time
access-list 110 deny tcp any host 172.22.0.10 eq www
access-list 110 permit ip any any
!
time-range access-time
periodic Monday Thursday 8:00 to 17:00
!
end
========================================================
Named Access Control List
This lab uses a named access control list. It permits only host C3 (IP 192.168.1.3/24) to reach server S1 (IP 172.22.0.10/24) on TCP port 80; other hosts cannot reach S1 on port 80 but keep all other access through the final permit ip any any. The entries are the same as in the numbered extended ACL lab; the named form (ip access-list extended acl-out) only changes how the list is referenced and edited. The VPCS table below lists the hosts in the lab.
NAME IP/MASK GATEWAY MAC LPORT RHOST:PORT
C1 192.168.1.1/24 192.168.1.254 00:50:79:66:68:00 20000 127.0.0.1:30000
fe80::250:79ff:fe66:6800/64
C2 192.168.1.2/24 192.168.1.254 00:50:79:66:68:01 20001 127.0.0.1:30001
fe80::250:79ff:fe66:6801/64
C3 192.168.1.3/24 192.168.1.254 00:50:79:66:68:02 20002 127.0.0.1:30002
fe80::250:79ff:fe66:6802/64
2001:2::1/64
S1 172.22.0.10/24 172.22.0.254 00:50:79:66:68:03 20003 127.0.0.1:30003
fe80::250:79ff:fe66:6803/64
2001:2::2/64
S2 172.22.0.11/24 172.22.0.254 00:50:79:66:68:04 20004 127.0.0.1:30004
fe80::250:79ff:fe66:6804/64
2001:3::2/64
C1> ping 172.22.0.10
172.22.0.10 icmp_seq=1 timeout
172.22.0.10 icmp_seq=2 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=63.000 ms
C1> ping 172.22.0.10 -3 -p 80
*192.168.1.254 tcp_seq=1 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=3 ttl=255 time=31.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=5 ttl=255 time=46.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
C2> ping 172.22.0.10
172.22.0.10 icmp_seq=1 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=2 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=94.000 ms
C2> ping 172.22.0.10 -3 -p 80
*192.168.1.254 tcp_seq=1 ttl=255 time=93.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=3 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=5 ttl=255 time=47.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
C3> ping 172.22.0.10
172.22.0.10 icmp_seq=1 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=2 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=109.000 ms
C3> ping 172.22.0.10 -3 -p 80
Connect 80@172.22.0.10 seq=1 ttl=63 time=93.000 ms
SendData 80@172.22.0.10 seq=1 ttl=63 time=78.000 ms
Close 80@172.22.0.10 seq=1 ttl=63 time=94.000 ms
Connect 80@172.22.0.10 seq=2 ttl=63 time=78.000 ms
SendData 80@172.22.0.10 seq=2 ttl=63 time=79.000 ms
Close 80@172.22.0.10 seq=2 ttl=63 time=94.000 ms
Connect 80@172.22.0.10 seq=3 ttl=63 time=79.000 ms
SendData 80@172.22.0.10 seq=3 ttl=63 time=94.000 ms
Close 80@172.22.0.10 seq=3 ttl=63 time=110.000 ms
Connect 80@172.22.0.10 seq=4 ttl=63 time=78.000 ms
SendData 80@172.22.0.10 seq=4 ttl=63 time=62.000 ms
Close 80@172.22.0.10 seq=4 ttl=63 time=125.000 ms
Connect 80@172.22.0.10 seq=5 ttl=63 time=62.000 ms
SendData 80@172.22.0.10 seq=5 ttl=63 time=62.000 ms
Close 80@172.22.0.10 seq=5 ttl=63 time=110.000 ms
nameacl#show access-lists acl-out
Extended IP access list acl-out
10 permit tcp host 192.168.1.3 host 172.22.0.10 eq www (25 matches)
20 deny tcp any host 172.22.0.10 eq www (12 matches)
30 permit ip any any (15 matches)
nameacl#
================================
!
hostname nameacl
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.22.0.254 255.255.255.0
ip access-group acl-out out
ip virtual-reassembly
duplex auto
speed auto
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended acl-out
permit tcp host 192.168.1.3 host 172.22.0.10 eq www
deny tcp any host 172.22.0.10 eq www
permit ip any any
!
logging alarm informational
!
!
end
================================
Sunday, February 23, 2014
Extended Access Control List
This lab uses a numbered extended access control list (100). It permits only host C3 (IP 192.168.1.3/24) to reach server S1 (IP 172.22.0.10/24) on TCP port 80; other hosts cannot reach S1 on port 80 but keep all other access through permit ip any any. An extended ACL matches on source, destination, protocol and port, so it can be placed close to the destination, here outbound on FastEthernet0/1, without cutting the clients off from anything else. The ICMP type 3, code 13 replies in C1's output come from the router (192.168.1.254) and are how an ACL deny looks from the client: the SYN is dropped and an "administratively prohibited" unreachable is returned, while C1's plain ping still succeeds because ICMP falls through to the last entry.
C1> ping 172.22.0.10
172.22.0.10 icmp_seq=1 timeout
172.22.0.10 icmp_seq=2 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=79.000 ms
C1> ping 172.22.0.10 -3 -p 80
*192.168.1.254 tcp_seq=1 ttl=255 time=63.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=3 ttl=255 time=79.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=5 ttl=255 time=63.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
C3> ping 172.22.0.10
172.22.0.10 icmp_seq=1 timeout
172.22.0.10 icmp_seq=2 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=79.000 ms
C3> ping 172.22.0.10 -3 -p 80
Connect 80@172.22.0.10 seq=1 ttl=63 time=94.000 ms
SendData 80@172.22.0.10 seq=1 ttl=63 time=63.000 ms
Close 80@172.22.0.10 seq=1 ttl=63 time=94.000 ms
Connect 80@172.22.0.10 seq=2 ttl=63 time=93.000 ms
SendData 80@172.22.0.10 seq=2 ttl=63 time=62.000 ms
Close 80@172.22.0.10 seq=2 ttl=63 time=78.000 ms
Connect 80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
SendData 80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
Close 80@172.22.0.10 seq=3 ttl=63 time=94.000 ms
Connect 80@172.22.0.10 seq=4 ttl=63 time=94.000 ms
SendData 80@172.22.0.10 seq=4 ttl=63 time=63.000 ms
Close 80@172.22.0.10 seq=4 ttl=63 time=94.000 ms
Connect 80@172.22.0.10 seq=5 ttl=63 time=78.000 ms
SendData 80@172.22.0.10 seq=5 ttl=63 time=79.000 ms
Close 80@172.22.0.10 seq=5 ttl=63 time=125.000 ms
=======================================
extacl#
extacl#sh access-lists 100
Extended IP access list 100
10 permit tcp host 192.168.1.3 host 172.22.0.10 eq www (25 matches)
20 deny tcp any host 172.22.0.10 eq www (6 matches)
30 permit ip any any (5 matches)
extacl#
=======================================
!
hostname extacl
!
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.22.0.254 255.255.255.0
ip access-group 100 out
ip virtual-reassembly
duplex auto
speed auto
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 100 permit tcp host 192.168.1.3 host 172.22.0.10 eq www
access-list 100 deny tcp any host 172.22.0.10 eq www
access-list 100 permit ip any any
!
!
!
end
=======================================
Standard Access Control List
The objective of this lab is to permit host C3 (IP address 192.168.1.3/24) to reach the network 172.22.0.0/24 and to deny every other host. A standard ACL matches only on the source address, so it is applied outbound on FastEthernet0/1, the interface facing 172.22.0.0/24; applied inbound on FastEthernet0/0 it would cut C1 and C2 off from everything, not just from 172.22.0.0/24. The single permit entry relies on the implicit deny any at the end of every ACL, which is why C1's pings are answered by the router with ICMP type 3, code 13 (administratively prohibited) instead of reaching S1.
NAME IP/MASK GATEWAY MAC LPORT RHOST:PORT
C1 192.168.1.1/24 192.168.1.254 00:50:79:66:68:00 20000 127.0.0.1:30000
fe80::250:79ff:fe66:6800/64
C2 192.168.1.2/24 192.168.1.254 00:50:79:66:68:01 20001 127.0.0.1:30001
fe80::250:79ff:fe66:6801/64
C3 192.168.1.3/24 192.168.1.254 00:50:79:66:68:02 20002 127.0.0.1:30002
fe80::250:79ff:fe66:6802/64
2001:2::1/64
S1 172.22.0.10/24 172.22.0.254 00:50:79:66:68:03 20003 127.0.0.1:30003
fe80::250:79ff:fe66:6803/64
2001:2::2/64
S2 172.22.0.11/24 172.22.0.254 00:50:79:66:68:04 20004 127.0.0.1:30004
fe80::250:79ff:fe66:6804/64
2001:3::2/64
C1> ping 172.22.0.10
*192.168.1.254 icmp_seq=1 ttl=255 time=48.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 icmp_seq=2 ttl=255 time=42.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 icmp_seq=3 ttl=255 time=31.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 icmp_seq=4 ttl=255 time=41.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 icmp_seq=5 ttl=255 time=33.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
C3> ping 172.22.0.10
172.22.0.10 icmp_seq=1 ttl=63 time=32.000 ms
172.22.0.10 icmp_seq=2 ttl=63 time=56.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=36.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=59.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=32.000 ms
VPCS[3]>
stacl#
stacl#sh access-list 10
Standard IP access list 10
10 permit 192.168.1.3 (5 matches)
stacl#
stacl#
=====================================
!
!
hostname stacl
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.22.0.254 255.255.255.0
ip access-group 10 out
ip virtual-reassembly
duplex auto
speed auto
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 10 permit 192.168.1.3
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
webvpn cef
!
end
=====================================
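All six labs on this page (the two IPv6 lists, the time-based list, the named and numbered extended lists and the standard list) rest on the same evaluation rules, which the configs show but never state: entries are checked top to bottom and the first match wins, an entry whose time-range is inactive is skipped, an unmatched packet hits the implicit deny, and an IPv6 list additionally permits Neighbor Discovery just before that deny. The following Python model is added here as an example and is not part of the original labs or of any Cisco software. It parses the page's own ACL lines (standard and extended IPv4 syntax, IPv6 syntax, `eq` ports and `time-range`) and replays the tests from the labs against a clock you choose. The `v6strict` list, the packet dictionaries and the `lab_results` keys are constructed for the example; treating the end minute of a time-range as inclusive, and modelling only `host`, `any`, prefix and bare-address terms, are simplifications of the model, not documented IOS behaviour.

```python
"""Added model of how IOS walks the ACLs on this page: first match wins, an entry with an
inactive time-range is skipped, unmatched packets hit the implicit deny, and an IPv6 ACL
implicitly permits Neighbor Discovery before that deny. Not Cisco code; see the lead-in."""
from datetime import datetime
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "domain": 53}
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

def parse_term(toks, i, bits):
    """Address term at toks[i]: any | host X | X/len | bare X (= host). Returns ((net, mask), next i)."""
    full, t = (1 << bits) - 1, toks[i]
    if t == "any":
        return (0, 0), i + 1
    if t == "host":
        return (int(ipaddress.ip_address(toks[i + 1])), full), i + 2
    if "/" in t:                                                # IPv6 prefix form
        n = ipaddress.ip_network(t, strict=False)
        return (int(n.network_address), full ^ ((1 << (bits - n.prefixlen)) - 1)), i + 1
    return (int(ipaddress.ip_address(t)), full), i + 1          # IPv4 wildcard masks not modelled

def parse_ace(line, standard=False, v6=False):
    """One permit/deny line as written in the running-config (no sequence number)."""
    toks = line.split()
    if standard:                                                # standard ACLs match source only
        toks = [toks[0], "ip", *toks[1:], "any"]
    bits = 128 if v6 else 32
    ace = {"action": toks[0], "proto": toks[1], "sport": None, "dport": None, "time_range": None}
    ace["src"], i = parse_term(toks, 2, bits)
    if toks[i] == "eq":                                         # source port, rarely used
        ace["sport"], i = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1]), i + 2
    ace["dst"], i = parse_term(toks, i, bits)
    if i < len(toks) and toks[i] == "eq":                       # destination port
        ace["dport"] = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
    if "time-range" in toks:
        ace["time_range"] = toks[toks.index("time-range") + 1]
    return ace

def parse_periodic(line):
    """'periodic Monday Thursday 8:00 to 17:00' -> (weekday set, start minute, end minute)."""
    toks = line.split()                                         # named days only, as on this page
    days = {DAYS.index(d.lower()) for d in toks[1:] if ":" not in d and d != "to"}
    (h1, m1), (h2, m2) = (map(int, t.split(":")) for t in toks if ":" in t)
    return days, h1 * 60 + m1, h2 * 60 + m2

class AclSet:
    def __init__(self):
        self.acls, self.ranges = {}, {}

    def add_acl(self, name, lines, standard=False, v6=False):
        self.acls[name] = {"v6": v6, "aces": [parse_ace(l, standard, v6) for l in lines]}

    def active(self, name, now):
        if name is None:
            return True
        t = now.hour * 60 + now.minute                          # end minute treated as inclusive (assumption)
        return any(now.weekday() in d and s <= t <= e for d, s, e in self.ranges.get(name, []))

    def evaluate(self, acl_name, pkt, now=None):
        """pkt: src, dst, proto ('tcp'|'udp'|'icmp'|'icmpv6'), optional sport/dport/icmp_type."""
        acl, now = self.acls[acl_name], now or datetime.now()
        fam = "ipv6" if acl["v6"] else "ip"
        src, dst = (int(ipaddress.ip_address(pkt[k])) for k in ("src", "dst"))
        for ace in acl["aces"]:
            if not self.active(ace["time_range"], now) or ace["proto"] not in (fam, pkt["proto"]):
                continue                                        # inactive entry or other protocol
            if ace["sport"] not in (None, pkt.get("sport")) or ace["dport"] not in (None, pkt.get("dport")):
                continue
            if (src & ace["src"][1]) == ace["src"][0] and (dst & ace["dst"][1]) == ace["dst"][0]:
                return ace["action"]                            # first match wins
        if acl["v6"] and pkt["proto"] == "icmpv6" and pkt.get("icmp_type") in (135, 136):
            return "permit"                                     # implicit permit for ND NS/NA
        return "deny"                                           # implicit deny at the end

def lab_results():
    """Replays the page's labs; 'v6strict' is a constructed ACL with no closing permit any."""
    r = AclSet()
    r.add_acl("10", ["permit 192.168.1.3"], standard=True)
    r.add_acl("110", ["permit tcp host 192.168.1.3 host 172.22.0.10 eq www time-range access-time",
                      "deny tcp any host 172.22.0.10 eq www", "permit ip any any"])
    r.ranges["access-time"] = [parse_periodic("periodic Monday Thursday 8:00 to 17:00")]
    r.add_acl("ipv6acl2", ["permit ipv6 2001:AAAA::/64 2001:BBBB::/64",
                           "deny ipv6 2001:CCCC::/64 2001:BBBB::/64", "permit ipv6 any any"], v6=True)
    r.add_acl("v6strict", ["permit tcp host 2001:AAAA::4 host 2001:BBBB::2 eq www"], v6=True)
    mon9, mon18 = datetime(2014, 2, 24, 9, 0), datetime(2014, 2, 24, 18, 0)    # Monday, in/out of window
    web, icmp = {"dst": "172.22.0.10", "proto": "tcp", "dport": 80}, {"dst": "172.22.0.10", "proto": "icmp"}
    return {
        "std_c3_ping": r.evaluate("10", {"src": "192.168.1.3", **icmp}),
        "std_c1_ping": r.evaluate("10", {"src": "192.168.1.1", **icmp}),
        "time_c3_web_0900": r.evaluate("110", {"src": "192.168.1.3", **web}, mon9),
        "time_c3_web_1800": r.evaluate("110", {"src": "192.168.1.3", **web}, mon18),
        "time_c1_web_0900": r.evaluate("110", {"src": "192.168.1.1", **web}, mon9),
        "time_c1_ping": r.evaluate("110", {"src": "192.168.1.1", **icmp}, mon9),
        "v6_cccc_ping": r.evaluate("ipv6acl2", {"src": "2001:cccc::2", "dst": "2001:bbbb::3", "proto": "icmpv6"}),
        "v6strict_ping": r.evaluate("v6strict", {"src": "2001:aaaa::4", "dst": "2001:bbbb::2", "proto": "icmpv6"}),
        "v6strict_nd": r.evaluate("v6strict", {"src": "2001:bbbb::2", "dst": "ff02::1:ff00:4",
                                               "proto": "icmpv6", "icmp_type": 135}),
    }
```

Calling `lab_results()` reproduces the verdicts seen in the VPCS output above: C3's HTTP is permitted at 09:00 on Monday and denied at 18:00 the same day, C1's HTTP is denied while its ping falls through to permit ip any any, and 2001:cccc::2 is refused by ipv6acl2. The constructed `v6strict` list shows the point made in the IPv6 labs about permit ipv6 any any: without it an echo request from C3 itself is dropped by the implicit deny, while a neighbor solicitation is still let through by the implicit ND permit.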